@lark-project/openclaw-lark-project 2026.3.131

package/dist/src/core/auth-errors.js

@@ -0,0 +1,120 @@
+const LARK_ERROR = {
+  /** 应用 scope 不足（租户维度） */
+  APP_SCOPE_MISSING: 99991672,
+  /** 用户 token scope 不足 */
+  USER_SCOPE_INSUFFICIENT: 99991679,
+  /** access_token 无效 */
+  TOKEN_INVALID: 99991668,
+  /** access_token 已过期 */
+  TOKEN_EXPIRED: 99991669,
+  /** refresh_token 无效 */
+  REFRESH_TOKEN_INVALID: 20003,
+  /** refresh_token 已过期 */
+  REFRESH_TOKEN_EXPIRED: 20004,
+  /** refresh_token 缺失 */
+  REFRESH_TOKEN_MISSING: 20024,
+  /** refresh_token 已被吊销 */
+  REFRESH_TOKEN_REVOKED: 20063,
+  /** 消息已被撤回 */
+  MESSAGE_RECALLED: 230011,
+  /** 消息已被删除 */
+  MESSAGE_DELETED: 231003
+};
+const REFRESH_TOKEN_IRRECOVERABLE = /* @__PURE__ */ new Set([
+  LARK_ERROR.REFRESH_TOKEN_INVALID,
+  LARK_ERROR.REFRESH_TOKEN_EXPIRED,
+  LARK_ERROR.REFRESH_TOKEN_MISSING,
+  LARK_ERROR.REFRESH_TOKEN_REVOKED
+]);
+const MESSAGE_TERMINAL_CODES = /* @__PURE__ */ new Set([
+  LARK_ERROR.MESSAGE_RECALLED,
+  LARK_ERROR.MESSAGE_DELETED
+]);
+const TOKEN_RETRY_CODES = /* @__PURE__ */ new Set([LARK_ERROR.TOKEN_INVALID, LARK_ERROR.TOKEN_EXPIRED]);
+class NeedAuthorizationError extends Error {
+  userOpenId;
+  constructor(userOpenId) {
+    super("need_user_authorization");
+    this.name = "NeedAuthorizationError";
+    this.userOpenId = userOpenId;
+  }
+}
+class AppScopeCheckFailedError extends Error {
+  /** 应用 ID，用于生成开放平台权限管理链接。 */
+  appId;
+  constructor(appId) {
+    super("\u5E94\u7528\u7F3A\u5C11 application:application:self_manage \u6743\u9650\uFF0C\u65E0\u6CD5\u67E5\u8BE2\u5E94\u7528\u6743\u9650\u914D\u7F6E\u3002\u8BF7\u7BA1\u7406\u5458\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\u8BE5\u6743\u9650\u3002");
+    this.name = "AppScopeCheckFailedError";
+    this.appId = appId;
+  }
+}
+class AppScopeMissingError extends Error {
+  apiName;
+  /** OAPI 需要但 APP 未开通的 scope 列表。 */
+  missingScopes;
+  /** 工具的全部所需 scope（含已开通的），用于应用权限完成后一次性发起用户授权。 */
+  allRequiredScopes;
+  /** 应用 ID，用于生成开放平台权限管理链接。 */
+  appId;
+  scopeNeedType;
+  /** 触发此错误时使用的 token 类型，用于保持 card action 二次校验一致。 */
+  tokenType;
+  constructor(info, scopeNeedType, tokenType, allRequiredScopes) {
+    if (scopeNeedType === "one") {
+      super(`\u5E94\u7528\u7F3A\u5C11\u6743\u9650 [${info.scopes.join(", ")}](\u5F00\u542F\u4EFB\u4E00\u6743\u9650\u5373\u53EF)\uFF0C\u8BF7\u7BA1\u7406\u5458\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\u3002`);
+    } else {
+      super(`\u5E94\u7528\u7F3A\u5C11\u6743\u9650 [${info.scopes.join(", ")}]\uFF0C\u8BF7\u7BA1\u7406\u5458\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\u3002`);
+    }
+    this.name = "AppScopeMissingError";
+    this.apiName = info.apiName;
+    this.missingScopes = info.scopes;
+    this.allRequiredScopes = allRequiredScopes;
+    this.appId = info.appId;
+    this.scopeNeedType = scopeNeedType;
+    this.tokenType = tokenType;
+  }
+}
+class UserAuthRequiredError extends Error {
+  userOpenId;
+  apiName;
+  /** APP∩OAPI 交集 scope，传给 OAuth authorize。 */
+  requiredScopes;
+  /** 应用 scope 是否已验证通过。false 时 requiredScopes 可能不准确。 */
+  appScopeVerified;
+  /** 应用 ID，用于生成开放平台权限管理链接。 */
+  appId;
+  constructor(userOpenId, info) {
+    super("need_user_authorization");
+    this.name = "UserAuthRequiredError";
+    this.userOpenId = userOpenId;
+    this.apiName = info.apiName;
+    this.requiredScopes = info.scopes;
+    this.appId = info.appId;
+    this.appScopeVerified = info.appScopeVerified ?? true;
+  }
+}
+class UserScopeInsufficientError extends Error {
+  userOpenId;
+  apiName;
+  /** 缺失的 scope 列表。 */
+  missingScopes;
+  constructor(userOpenId, info) {
+    super("user_scope_insufficient");
+    this.name = "UserScopeInsufficientError";
+    this.userOpenId = userOpenId;
+    this.apiName = info.apiName;
+    this.missingScopes = info.scopes;
+  }
+}
+export {
+  AppScopeCheckFailedError,
+  AppScopeMissingError,
+  LARK_ERROR,
+  MESSAGE_TERMINAL_CODES,
+  NeedAuthorizationError,
+  REFRESH_TOKEN_IRRECOVERABLE,
+  TOKEN_RETRY_CODES,
+  UserAuthRequiredError,
+  UserScopeInsufficientError
+};
+//# sourceMappingURL=auth-errors.js.map

package/dist/src/core/auth-errors.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/core/auth-errors.ts"],
+  "sourcesContent": ["/**\n * Copyright (c) 2026 ByteDance Ltd. and/or its affiliates\n * SPDX-License-Identifier: MIT\n *\n * auth-errors.ts \u2014 \u7EDF\u4E00\u9519\u8BEF\u7C7B\u578B\u5B9A\u4E49\u3002\n *\n * \u6240\u6709\u4E0E\u8BA4\u8BC1/\u6388\u6743/scope \u76F8\u5173\u7684\u9519\u8BEF\u7C7B\u578B\u96C6\u4E2D\u5728\u6B64\u6587\u4EF6\uFF0C\n * \u89E3\u9664 tool-client \u2194 app-scope-checker \u5FAA\u73AF\u4F9D\u8D56\u3002\n *\n * \u5176\u4ED6\u6A21\u5757\u5E94\u76F4\u63A5 import \u6B64\u6587\u4EF6\uFF0C\u6216\u901A\u8FC7 tool-client / uat-client \u7684 re-export \u4F7F\u7528\u3002\n */\n\n// ---------------------------------------------------------------------------\n// Feishu error code constants\n// ---------------------------------------------------------------------------\n\n/** \u98DE\u4E66 OAPI \u9519\u8BEF\u7801\u5E38\u91CF\uFF0C\u66FF\u4EE3\u5404\u5904\u786C\u7F16\u7801\u7684 magic number\u3002 */\nexport const LARK_ERROR = {\n  /** \u5E94\u7528 scope \u4E0D\u8DB3\uFF08\u79DF\u6237\u7EF4\u5EA6\uFF09 */\n  APP_SCOPE_MISSING: 99991672,\n  /** \u7528\u6237 token scope \u4E0D\u8DB3 */\n  USER_SCOPE_INSUFFICIENT: 99991679,\n  /** access_token \u65E0\u6548 */\n  TOKEN_INVALID: 99991668,\n  /** access_token \u5DF2\u8FC7\u671F */\n  TOKEN_EXPIRED: 99991669,\n  /** refresh_token \u65E0\u6548 */\n  REFRESH_TOKEN_INVALID: 20003,\n  /** refresh_token \u5DF2\u8FC7\u671F */\n  REFRESH_TOKEN_EXPIRED: 20004,\n  /** refresh_token \u7F3A\u5931 */\n  REFRESH_TOKEN_MISSING: 20024,\n  /** refresh_token \u5DF2\u88AB\u540A\u9500 */\n  REFRESH_TOKEN_REVOKED: 20063,\n  /** \u6D88\u606F\u5DF2\u88AB\u64A4\u56DE */\n  MESSAGE_RECALLED: 230011,\n  /** \u6D88\u606F\u5DF2\u88AB\u5220\u9664 */\n  MESSAGE_DELETED: 231003,\n} as const;\n\n/** \u4E0D\u53EF\u6062\u590D\u7684 refresh_token \u9519\u8BEF\u7801\u96C6\u5408\uFF0C\u9047\u5230\u540E\u9700\u8981\u91CD\u65B0\u6388\u6743\u3002 */\nexport const REFRESH_TOKEN_IRRECOVERABLE: ReadonlySet<number> = new Set([\n  LARK_ERROR.REFRESH_TOKEN_INVALID,\n  LARK_ERROR.REFRESH_TOKEN_EXPIRED,\n  LARK_ERROR.REFRESH_TOKEN_MISSING,\n  LARK_ERROR.REFRESH_TOKEN_REVOKED,\n]);\n\n/** \u6D88\u606F\u7EC8\u6B62\u9519\u8BEF\u7801\u96C6\u5408\uFF08\u64A4\u56DE/\u5220\u9664\uFF09\uFF0C\u9047\u5230\u540E\u5E94\u505C\u6B62\u5BF9\u8BE5\u6D88\u606F\u7684\u540E\u7EED\u64CD\u4F5C\u3002 */\nexport const MESSAGE_TERMINAL_CODES: ReadonlySet<number> = new Set([\n  LARK_ERROR.MESSAGE_RECALLED,\n  LARK_ERROR.MESSAGE_DELETED,\n]);\n\n/** access_token \u5931\u6548\u76F8\u5173\u7684\u9519\u8BEF\u7801\u96C6\u5408\uFF0C\u9047\u5230\u540E\u53EF\u5C1D\u8BD5\u5237\u65B0\u91CD\u8BD5\u3002 */\nexport const TOKEN_RETRY_CODES: ReadonlySet<number> = new Set([LARK_ERROR.TOKEN_INVALID, LARK_ERROR.TOKEN_EXPIRED]);\n\n// ---------------------------------------------------------------------------\n// Shared types\n// ---------------------------------------------------------------------------\n\n/** invoke() \u9519\u8BEF\u5171\u4EAB\u7684 scope \u4FE1\u606F\u3002 */\nexport interface ScopeErrorInfo {\n  apiName: string;\n  scopes: string[];\n  /** \u5E94\u7528 scope \u662F\u5426\u5DF2\u9A8C\u8BC1\u901A\u8FC7\u3002false \u8868\u793A app scope \u68C0\u67E5\u5931\u8D25\uFF0Cscope \u4FE1\u606F\u53EF\u80FD\u4E0D\u51C6\u786E\u3002 */\n  appScopeVerified?: boolean;\n  /** \u5E94\u7528 ID\uFF0C\u7528\u4E8E\u751F\u6210\u5F00\u653E\u5E73\u53F0\u6743\u9650\u7BA1\u7406\u94FE\u63A5\u3002 */\n  appId?: string;\n}\n\n/** OAuth \u6388\u6743\u63D0\u793A\u4FE1\u606F\uFF0C\u4E0E handleInvokeError \u8FD4\u56DE\u7684\u7ED3\u6784\u4E00\u81F4\u3002 */\nexport interface AuthHint {\n  error: string;\n  api: string;\n  required_scope: string;\n  user_open_id: string;\n  message: string;\n  next_tool_call: {\n    tool: 'feishu_oauth';\n    params: { action: 'authorize'; scope: string };\n  };\n}\n\n/** tryInvoke \u8FD4\u56DE\u503C\u7684\u5224\u522B\u8054\u5408\u4F53\u3002 */\nexport type TryInvokeResult<T> =\n  | { ok: true; data: T }\n  | { ok: false; error: string; authHint: AuthHint }\n  | { ok: false; error: string; authHint?: undefined };\n\n// ---------------------------------------------------------------------------\n// Error classes\n// ---------------------------------------------------------------------------\n\n/**\n * Thrown when no valid UAT exists and the user needs to (re-)authorise.\n * Callers should catch this and trigger the OAuth flow.\n */\nexport class NeedAuthorizationError extends Error {\n  readonly userOpenId: string;\n  constructor(userOpenId: string) {\n    super('need_user_authorization');\n    this.name = 'NeedAuthorizationError';\n    this.userOpenId = userOpenId;\n  }\n}\n\n/**\n * \u5E94\u7528\u7F3A\u5C11 application:application:self_manage \u6743\u9650\uFF0C\u65E0\u6CD5\u67E5\u8BE2\u5E94\u7528\u6743\u9650\u914D\u7F6E\u3002\n *\n * \u9700\u8981\u7BA1\u7406\u5458\u5728\u98DE\u4E66\u5F00\u653E\u5E73\u53F0\u5F00\u901A application:application:self_manage \u6743\u9650\u3002\n */\nexport class AppScopeCheckFailedError extends Error {\n  /** \u5E94\u7528 ID\uFF0C\u7528\u4E8E\u751F\u6210\u5F00\u653E\u5E73\u53F0\u6743\u9650\u7BA1\u7406\u94FE\u63A5\u3002 */\n  readonly appId?: string;\n\n  constructor(appId?: string) {\n    super('\u5E94\u7528\u7F3A\u5C11 application:application:self_manage \u6743\u9650\uFF0C\u65E0\u6CD5\u67E5\u8BE2\u5E94\u7528\u6743\u9650\u914D\u7F6E\u3002\u8BF7\u7BA1\u7406\u5458\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\u8BE5\u6743\u9650\u3002');\n    this.name = 'AppScopeCheckFailedError';\n    this.appId = appId;\n  }\n}\n\n/**\n * \u5E94\u7528\u672A\u5F00\u901A OAPI \u6240\u9700 scope\u3002\n *\n * \u9700\u8981\u7BA1\u7406\u5458\u5728\u98DE\u4E66\u5F00\u653E\u5E73\u53F0\u5F00\u901A\u6743\u9650\u3002\n */\nexport class AppScopeMissingError extends Error {\n  readonly apiName: string;\n  /** OAPI \u9700\u8981\u4F46 APP \u672A\u5F00\u901A\u7684 scope \u5217\u8868\u3002 */\n  readonly missingScopes: string[];\n  /** \u5DE5\u5177\u7684\u5168\u90E8\u6240\u9700 scope\uFF08\u542B\u5DF2\u5F00\u901A\u7684\uFF09\uFF0C\u7528\u4E8E\u5E94\u7528\u6743\u9650\u5B8C\u6210\u540E\u4E00\u6B21\u6027\u53D1\u8D77\u7528\u6237\u6388\u6743\u3002 */\n  readonly allRequiredScopes?: string[];\n  /** \u5E94\u7528 ID\uFF0C\u7528\u4E8E\u751F\u6210\u5F00\u653E\u5E73\u53F0\u6743\u9650\u7BA1\u7406\u94FE\u63A5\u3002 */\n  readonly appId?: string;\n  readonly scopeNeedType?: 'one' | 'all';\n  /** \u89E6\u53D1\u6B64\u9519\u8BEF\u65F6\u4F7F\u7528\u7684 token \u7C7B\u578B\uFF0C\u7528\u4E8E\u4FDD\u6301 card action \u4E8C\u6B21\u6821\u9A8C\u4E00\u81F4\u3002 */\n  readonly tokenType?: 'user' | 'tenant';\n\n  constructor(\n    info: ScopeErrorInfo,\n    scopeNeedType?: 'one' | 'all',\n    tokenType?: 'user' | 'tenant',\n    allRequiredScopes?: string[],\n  ) {\n    if (scopeNeedType === 'one') {\n      super(`\u5E94\u7528\u7F3A\u5C11\u6743\u9650 [${info.scopes.join(', ')}](\u5F00\u542F\u4EFB\u4E00\u6743\u9650\u5373\u53EF)\uFF0C\u8BF7\u7BA1\u7406\u5458\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\u3002`);\n    } else {\n      super(`\u5E94\u7528\u7F3A\u5C11\u6743\u9650 [${info.scopes.join(', ')}]\uFF0C\u8BF7\u7BA1\u7406\u5458\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\u3002`);\n    }\n    this.name = 'AppScopeMissingError';\n    this.apiName = info.apiName;\n    this.missingScopes = info.scopes;\n    this.allRequiredScopes = allRequiredScopes;\n    this.appId = info.appId;\n    this.scopeNeedType = scopeNeedType;\n    this.tokenType = tokenType;\n  }\n}\n\n/**\n * \u7528\u6237\u672A\u6388\u6743\u6216 scope \u4E0D\u8DB3\uFF0C\u9700\u8981\u53D1\u8D77 OAuth \u6388\u6743\u3002\n *\n * `requiredScopes` \u4E3A APP\u2229OAPI \u7684\u6709\u6548 scope\uFF0C\u53EF\u76F4\u63A5\u4F20\u7ED9\n * `feishu_oauth authorize --scope`\u3002\n */\nexport class UserAuthRequiredError extends Error {\n  readonly userOpenId: string;\n  readonly apiName: string;\n  /** APP\u2229OAPI \u4EA4\u96C6 scope\uFF0C\u4F20\u7ED9 OAuth authorize\u3002 */\n  readonly requiredScopes: string[];\n  /** \u5E94\u7528 scope \u662F\u5426\u5DF2\u9A8C\u8BC1\u901A\u8FC7\u3002false \u65F6 requiredScopes \u53EF\u80FD\u4E0D\u51C6\u786E\u3002 */\n  readonly appScopeVerified: boolean;\n\n  /** \u5E94\u7528 ID\uFF0C\u7528\u4E8E\u751F\u6210\u5F00\u653E\u5E73\u53F0\u6743\u9650\u7BA1\u7406\u94FE\u63A5\u3002 */\n  readonly appId?: string;\n\n  constructor(userOpenId: string, info: ScopeErrorInfo) {\n    super('need_user_authorization');\n    this.name = 'UserAuthRequiredError';\n    this.userOpenId = userOpenId;\n    this.apiName = info.apiName;\n    this.requiredScopes = info.scopes;\n    this.appId = info.appId;\n    this.appScopeVerified = info.appScopeVerified ?? true;\n  }\n}\n\n/**\n * \u670D\u52A1\u7AEF\u62A5 99991679 \u2014 \u7528\u6237 token \u7684 scope \u4E0D\u8DB3\u3002\n *\n * \u9700\u8981\u589E\u91CF\u6388\u6743\uFF1A\u7528\u7F3A\u5931\u7684 scope \u53D1\u8D77\u65B0 Device Flow\u3002\n */\nexport class UserScopeInsufficientError extends Error {\n  readonly userOpenId: string;\n  readonly apiName: string;\n  /** \u7F3A\u5931\u7684 scope \u5217\u8868\u3002 */\n  readonly missingScopes: string[];\n\n  constructor(userOpenId: string, info: ScopeErrorInfo) {\n    super('user_scope_insufficient');\n    this.name = 'UserScopeInsufficientError';\n    this.userOpenId = userOpenId;\n    this.apiName = info.apiName;\n    this.missingScopes = info.scopes;\n  }\n}\n"],
+  "mappings": "AAiBO,MAAM,aAAa;AAAA;AAAA,EAExB,mBAAmB;AAAA;AAAA,EAEnB,yBAAyB;AAAA;AAAA,EAEzB,eAAe;AAAA;AAAA,EAEf,eAAe;AAAA;AAAA,EAEf,uBAAuB;AAAA;AAAA,EAEvB,uBAAuB;AAAA;AAAA,EAEvB,uBAAuB;AAAA;AAAA,EAEvB,uBAAuB;AAAA;AAAA,EAEvB,kBAAkB;AAAA;AAAA,EAElB,iBAAiB;AACnB;AAGO,MAAM,8BAAmD,oBAAI,IAAI;AAAA,EACtE,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW;AACb,CAAC;AAGM,MAAM,yBAA8C,oBAAI,IAAI;AAAA,EACjE,WAAW;AAAA,EACX,WAAW;AACb,CAAC;AAGM,MAAM,oBAAyC,oBAAI,IAAI,CAAC,WAAW,eAAe,WAAW,aAAa,CAAC;AA2C3G,MAAM,+BAA+B,MAAM;AAAA,EACvC;AAAA,EACT,YAAY,YAAoB;AAC9B,UAAM,yBAAyB;AAC/B,SAAK,OAAO;AACZ,SAAK,aAAa;AAAA,EACpB;AACF;AAOO,MAAM,iCAAiC,MAAM;AAAA;AAAA,EAEzC;AAAA,EAET,YAAY,OAAgB;AAC1B,UAAM,6OAAwE;AAC9E,SAAK,OAAO;AACZ,SAAK,QAAQ;AAAA,EACf;AACF;AAOO,MAAM,6BAA6B,MAAM;AAAA,EACrC;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EAET,YACE,MACA,eACA,WACA,mBACA;AACA,QAAI,kBAAkB,OAAO;AAC3B,YAAM,yCAAW,KAAK,OAAO,KAAK,IAAI,CAAC,mIAA0B;AAAA,IACnE,OAAO;AACL,YAAM,yCAAW,KAAK,OAAO,KAAK,IAAI,CAAC,iFAAgB;AAAA,IACzD;AACA,SAAK,OAAO;AACZ,SAAK,UAAU,KAAK;AACpB,SAAK,gBAAgB,KAAK;AAC1B,SAAK,oBAAoB;AACzB,SAAK,QAAQ,KAAK;AAClB,SAAK,gBAAgB;AACrB,SAAK,YAAY;AAAA,EACnB;AACF;AAQO,MAAM,8BAA8B,MAAM;AAAA,EACtC;AAAA,EACA;AAAA;AAAA,EAEA;AAAA;AAAA,EAEA;AAAA;AAAA,EAGA;AAAA,EAET,YAAY,YAAoB,MAAsB;AACpD,UAAM,yBAAyB;AAC/B,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,UAAU,KAAK;AACpB,SAAK,iBAAiB,KAAK;AAC3B,SAAK,QAAQ,KAAK;AAClB,SAAK,mBAAmB,KAAK,oBAAoB;AAAA,EACnD;AACF;AAOO,MAAM,mCAAmC,MAAM;AAAA,EAC3C;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EAET,YAAY,YAAoB,MAAsB;AACpD,UAAM,yBAAyB;AAC/B,SAAK,OAAO;AACZ,SAAK,aAAa;AAClB,SAAK,UAAU,KAAK;AACpB,SAAK,gBAAgB,KAAK;AAAA,EAC5B;AACF;",
+  "names": []
+}

package/dist/src/core/chat-info-cache.js

@@ -0,0 +1,102 @@
+import { LarkClient } from "./lark-client";
+import { larkLogger } from "./lark-logger";
+const log = larkLogger("core/chat-info-cache");
+const DEFAULT_MAX_SIZE = 500;
+const DEFAULT_TTL_MS = 60 * 60 * 1e3;
+class ChatInfoCache {
+  map = /* @__PURE__ */ new Map();
+  maxSize;
+  ttlMs;
+  constructor(maxSize = DEFAULT_MAX_SIZE, ttlMs = DEFAULT_TTL_MS) {
+    this.maxSize = maxSize;
+    this.ttlMs = ttlMs;
+  }
+  get(chatId) {
+    const entry = this.map.get(chatId);
+    if (!entry) return void 0;
+    if (entry.expireAt <= Date.now()) {
+      this.map.delete(chatId);
+      return void 0;
+    }
+    this.map.delete(chatId);
+    this.map.set(chatId, entry);
+    return entry.info;
+  }
+  set(chatId, info) {
+    this.map.delete(chatId);
+    this.map.set(chatId, { info, expireAt: Date.now() + this.ttlMs });
+    this.evict();
+  }
+  clear() {
+    this.map.clear();
+  }
+  evict() {
+    while (this.map.size > this.maxSize) {
+      const oldest = this.map.keys().next().value;
+      if (oldest !== void 0) this.map.delete(oldest);
+    }
+  }
+}
+const registry = /* @__PURE__ */ new Map();
+function getChatInfoCache(accountId) {
+  let c = registry.get(accountId);
+  if (!c) {
+    c = new ChatInfoCache();
+    registry.set(accountId, c);
+  }
+  return c;
+}
+function clearChatInfoCache(accountId) {
+  if (accountId !== void 0) {
+    registry.get(accountId)?.clear();
+    registry.delete(accountId);
+  } else {
+    for (const c of registry.values()) c.clear();
+    registry.clear();
+  }
+}
+async function isThreadCapableGroup(params) {
+  const { cfg, chatId, accountId } = params;
+  const info = await getChatInfo({ cfg, chatId, accountId });
+  if (!info) return false;
+  return info.chatMode === "topic" || info.groupMessageType === "thread";
+}
+async function getChatInfo(params) {
+  const { cfg, chatId, accountId } = params;
+  const effectiveAccountId = accountId ?? "default";
+  const cache = getChatInfoCache(effectiveAccountId);
+  const cached = cache.get(chatId);
+  if (cached) return cached;
+  try {
+    const sdk = LarkClient.fromCfg(cfg, accountId).sdk;
+    const response = await sdk.im.chat.get({
+      path: { chat_id: chatId }
+    });
+    const data = response?.data;
+    const chatMode = data?.chat_mode ?? "group";
+    const groupMessageType = data?.group_message_type;
+    const info = {
+      chatMode,
+      groupMessageType
+    };
+    cache.set(chatId, info);
+    log.info(`resolved ${chatId} \u2192 chat_mode=${chatMode}, group_message_type=${groupMessageType ?? "N/A"}`);
+    return info;
+  } catch (err) {
+    log.error(`failed to get chat info for ${chatId}: ${String(err)}`);
+    return void 0;
+  }
+}
+async function getChatTypeFeishu(params) {
+  const { cfg, chatId, accountId } = params;
+  const info = await getChatInfo({ cfg, chatId, accountId });
+  if (!info) return "p2p";
+  return info.chatMode === "group" || info.chatMode === "topic" ? "group" : "p2p";
+}
+export {
+  clearChatInfoCache,
+  getChatInfo,
+  getChatTypeFeishu,
+  isThreadCapableGroup
+};
+//# sourceMappingURL=chat-info-cache.js.map

package/dist/src/core/chat-info-cache.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/core/chat-info-cache.ts"],
+  "sourcesContent": ["/**\n * Copyright (c) 2026 ByteDance Ltd. and/or its affiliates\n * SPDX-License-Identifier: MIT\n *\n * Account-scoped LRU cache for Feishu group/chat metadata.\n *\n * Caches the result of `im.chat.get` (chat_mode, group_message_type, etc.)\n * to avoid repeated OAPI calls for every inbound message.\n *\n * Key fields cached:\n * - `chat_mode`: \"group\" | \"topic\" | \"p2p\"\n * - `group_message_type`: \"chat\" | \"thread\" (only for chat_mode=group)\n */\n\nimport type { ClawdbotConfig } from 'openclaw/plugin-sdk';\nimport { LarkClient } from './lark-client';\nimport { larkLogger } from './lark-logger';\n\nconst log = larkLogger('core/chat-info-cache');\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface ChatInfo {\n  chatMode: 'group' | 'topic' | 'p2p';\n  groupMessageType?: 'chat' | 'thread';\n}\n\n// ---------------------------------------------------------------------------\n// Cache implementation\n// ---------------------------------------------------------------------------\n\nconst DEFAULT_MAX_SIZE = 500;\nconst DEFAULT_TTL_MS = 60 * 60 * 1000; // 1 hour\n\ninterface CacheEntry {\n  info: ChatInfo;\n  expireAt: number;\n}\n\nclass ChatInfoCache {\n  private map = new Map<string, CacheEntry>();\n  private maxSize: number;\n  private ttlMs: number;\n\n  constructor(maxSize = DEFAULT_MAX_SIZE, ttlMs = DEFAULT_TTL_MS) {\n    this.maxSize = maxSize;\n    this.ttlMs = ttlMs;\n  }\n\n  get(chatId: string): ChatInfo | undefined {\n    const entry = this.map.get(chatId);\n    if (!entry) return undefined;\n    if (entry.expireAt <= Date.now()) {\n      this.map.delete(chatId);\n      return undefined;\n    }\n    // LRU refresh\n    this.map.delete(chatId);\n    this.map.set(chatId, entry);\n    return entry.info;\n  }\n\n  set(chatId: string, info: ChatInfo): void {\n    this.map.delete(chatId);\n    this.map.set(chatId, { info, expireAt: Date.now() + this.ttlMs });\n    this.evict();\n  }\n\n  clear(): void {\n    this.map.clear();\n  }\n\n  private evict(): void {\n    while (this.map.size > this.maxSize) {\n      const oldest = this.map.keys().next().value;\n      if (oldest !== undefined) this.map.delete(oldest);\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Account-scoped singleton registry\n// ---------------------------------------------------------------------------\n\nconst registry = new Map<string, ChatInfoCache>();\n\nfunction getChatInfoCache(accountId: string): ChatInfoCache {\n  let c = registry.get(accountId);\n  if (!c) {\n    c = new ChatInfoCache();\n    registry.set(accountId, c);\n  }\n  return c;\n}\n\n/** Clear chat-info caches (called from LarkClient.clearCache). */\nexport function clearChatInfoCache(accountId?: string): void {\n  if (accountId !== undefined) {\n    registry.get(accountId)?.clear();\n    registry.delete(accountId);\n  } else {\n    for (const c of registry.values()) c.clear();\n    registry.clear();\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Public API\n// ---------------------------------------------------------------------------\n\n/**\n * Determine whether a group supports thread sessions.\n *\n * Returns `true` when the group is a topic group (`chat_mode=topic`) or\n * a normal group with thread message mode (`group_message_type=thread`).\n *\n * Results are cached per-account with a 1-hour TTL to minimise OAPI calls.\n */\nexport async function isThreadCapableGroup(params: {\n  cfg: ClawdbotConfig;\n  chatId: string;\n  accountId?: string;\n}): Promise<boolean> {\n  const { cfg, chatId, accountId } = params;\n  const info = await getChatInfo({ cfg, chatId, accountId });\n  if (!info) return false;\n  return info.chatMode === 'topic' || info.groupMessageType === 'thread';\n}\n\n/**\n * Fetch (or read from cache) the chat metadata for a given chat ID.\n *\n * Returns `undefined` when the API call fails (best-effort).\n */\nexport async function getChatInfo(params: {\n  cfg: ClawdbotConfig;\n  chatId: string;\n  accountId?: string;\n}): Promise<ChatInfo | undefined> {\n  const { cfg, chatId, accountId } = params;\n  const effectiveAccountId = accountId ?? 'default';\n  const cache = getChatInfoCache(effectiveAccountId);\n\n  const cached = cache.get(chatId);\n  if (cached) return cached;\n\n  try {\n    const sdk = LarkClient.fromCfg(cfg, accountId).sdk;\n    const response = await sdk.im.chat.get({\n      path: { chat_id: chatId },\n    });\n\n    const data = response?.data as Record<string, unknown> | undefined;\n    const chatMode = (data?.chat_mode as string) ?? 'group';\n    const groupMessageType = data?.group_message_type as string | undefined;\n\n    const info: ChatInfo = {\n      chatMode: chatMode as ChatInfo['chatMode'],\n      groupMessageType: groupMessageType as ChatInfo['groupMessageType'],\n    };\n\n    cache.set(chatId, info);\n    log.info(`resolved ${chatId} \u2192 chat_mode=${chatMode}, group_message_type=${groupMessageType ?? 'N/A'}`);\n    return info;\n  } catch (err) {\n    log.error(`failed to get chat info for ${chatId}: ${String(err)}`);\n    return undefined;\n  }\n}\n\n// ---------------------------------------------------------------------------\n// getChatTypeFeishu\n// ---------------------------------------------------------------------------\n\n/**\n * Determine the chat type (p2p or group) for a given chat ID.\n *\n * Delegates to the shared {@link getChatInfo} cache (account-scoped LRU with\n * 1-hour TTL) so that chat metadata is fetched at most once across all\n * call-sites (dispatch, reaction handler, etc.).\n *\n * Falls back to \"p2p\" if the API call fails.\n */\nexport async function getChatTypeFeishu(params: {\n  cfg: ClawdbotConfig;\n  chatId: string;\n  accountId?: string;\n}): Promise<'p2p' | 'group'> {\n  const { cfg, chatId, accountId } = params;\n  const info = await getChatInfo({ cfg, chatId, accountId });\n  if (!info) return 'p2p';\n  return info.chatMode === 'group' || info.chatMode === 'topic' ? 'group' : 'p2p';\n}\n"],
+  "mappings": "AAeA,SAAS,kBAAkB;AAC3B,SAAS,kBAAkB;AAE3B,MAAM,MAAM,WAAW,sBAAsB;AAe7C,MAAM,mBAAmB;AACzB,MAAM,iBAAiB,KAAK,KAAK;AAOjC,MAAM,cAAc;AAAA,EACV,MAAM,oBAAI,IAAwB;AAAA,EAClC;AAAA,EACA;AAAA,EAER,YAAY,UAAU,kBAAkB,QAAQ,gBAAgB;AAC9D,SAAK,UAAU;AACf,SAAK,QAAQ;AAAA,EACf;AAAA,EAEA,IAAI,QAAsC;AACxC,UAAM,QAAQ,KAAK,IAAI,IAAI,MAAM;AACjC,QAAI,CAAC,MAAO,QAAO;AACnB,QAAI,MAAM,YAAY,KAAK,IAAI,GAAG;AAChC,WAAK,IAAI,OAAO,MAAM;AACtB,aAAO;AAAA,IACT;AAEA,SAAK,IAAI,OAAO,MAAM;AACtB,SAAK,IAAI,IAAI,QAAQ,KAAK;AAC1B,WAAO,MAAM;AAAA,EACf;AAAA,EAEA,IAAI,QAAgB,MAAsB;AACxC,SAAK,IAAI,OAAO,MAAM;AACtB,SAAK,IAAI,IAAI,QAAQ,EAAE,MAAM,UAAU,KAAK,IAAI,IAAI,KAAK,MAAM,CAAC;AAChE,SAAK,MAAM;AAAA,EACb;AAAA,EAEA,QAAc;AACZ,SAAK,IAAI,MAAM;AAAA,EACjB;AAAA,EAEQ,QAAc;AACpB,WAAO,KAAK,IAAI,OAAO,KAAK,SAAS;AACnC,YAAM,SAAS,KAAK,IAAI,KAAK,EAAE,KAAK,EAAE;AACtC,UAAI,WAAW,OAAW,MAAK,IAAI,OAAO,MAAM;AAAA,IAClD;AAAA,EACF;AACF;AAMA,MAAM,WAAW,oBAAI,IAA2B;AAEhD,SAAS,iBAAiB,WAAkC;AAC1D,MAAI,IAAI,SAAS,IAAI,SAAS;AAC9B,MAAI,CAAC,GAAG;AACN,QAAI,IAAI,cAAc;AACtB,aAAS,IAAI,WAAW,CAAC;AAAA,EAC3B;AACA,SAAO;AACT;AAGO,SAAS,mBAAmB,WAA0B;AAC3D,MAAI,cAAc,QAAW;AAC3B,aAAS,IAAI,SAAS,GAAG,MAAM;AAC/B,aAAS,OAAO,SAAS;AAAA,EAC3B,OAAO;AACL,eAAW,KAAK,SAAS,OAAO,EAAG,GAAE,MAAM;AAC3C,aAAS,MAAM;AAAA,EACjB;AACF;AAcA,eAAsB,qBAAqB,QAItB;AACnB,QAAM,EAAE,KAAK,QAAQ,UAAU,IAAI;AACnC,QAAM,OAAO,MAAM,YAAY,EAAE,KAAK,QAAQ,UAAU,CAAC;AACzD,MAAI,CAAC,KAAM,QAAO;AAClB,SAAO,KAAK,aAAa,WAAW,KAAK,qBAAqB;AAChE;AAOA,eAAsB,YAAY,QAIA;AAChC,QAAM,EAAE,KAAK,QAAQ,UAAU,IAAI;AACnC,QAAM,qBAAqB,aAAa;AACxC,QAAM,QAAQ,iBAAiB,kBAAkB;AAEjD,QAAM,SAAS,MAAM,IAAI,MAAM;AAC/B,MAAI,OAAQ,QAAO;AAEnB,MAAI;AACF,UAAM,MAAM,WAAW,QAAQ,KAAK,SAAS,EAAE;AAC/C,UAAM,WAAW,MAAM,IAAI,GAAG,KAAK,IAAI;AAAA,MACrC,MAAM,EAAE,SAAS,OAAO;AAAA,IAC1B,CAAC;AAED,UAAM,OAAO,UAAU;AACvB,UAAM,WAAY,MAAM,aAAwB;AAChD,UAAM,mBAAmB,MAAM;AAE/B,UAAM,OAAiB;AAAA,MACrB;AAAA,MACA;AAAA,IACF;AAEA,UAAM,IAAI,QAAQ,IAAI;AACtB,QAAI,KAAK,YAAY,MAAM,qBAAgB,QAAQ,wBAAwB,oBAAoB,KAAK,EAAE;AACtG,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,QAAI,MAAM,+BAA+B,MAAM,KAAK,OAAO,GAAG,CAAC,EAAE;AACjE,WAAO;AAAA,EACT;AACF;AAeA,eAAsB,kBAAkB,QAIX;AAC3B,QAAM,EAAE,KAAK,QAAQ,UAAU,IAAI;AACnC,QAAM,OAAO,MAAM,YAAY,EAAE,KAAK,QAAQ,UAAU,CAAC;AACzD,MAAI,CAAC,KAAM,QAAO;AAClB,SAAO,KAAK,aAAa,WAAW,KAAK,aAAa,UAAU,UAAU;AAC5E;",
+  "names": []
+}

package/dist/src/core/config-schema.js

@@ -0,0 +1,150 @@
+import { z, toJSONSchema } from "zod";
+const DmPolicyEnum = z.enum(["open", "pairing", "allowlist", "disabled"]);
+const GroupPolicyEnum = z.enum(["open", "allowlist", "disabled"]);
+const ConnectionModeEnum = z.enum(["websocket", "webhook"]);
+const ReplyModeValue = z.enum(["auto", "static", "streaming"]);
+const ReplyModeSchema = z.union([
+  ReplyModeValue,
+  z.object({
+    default: ReplyModeValue.optional(),
+    group: ReplyModeValue.optional(),
+    direct: ReplyModeValue.optional()
+  })
+]).optional();
+const ChunkModeEnum = z.enum(["newline", "paragraph", "none"]);
+const DomainSchema = z.union([z.literal("feishu"), z.literal("lark"), z.string().regex(/^https:\/\//)]).optional();
+const AllowFromSchema = z.union([z.string(), z.array(z.string())]).optional().transform((v) => {
+  if (v === void 0 || v === null) return void 0;
+  return Array.isArray(v) ? v : [v];
+});
+const ToolPolicySchema = z.object({
+  allow: z.array(z.string()).optional(),
+  deny: z.array(z.string()).optional()
+}).optional();
+const FeishuToolsFlagSchema = z.object({
+  doc: z.boolean().optional(),
+  wiki: z.boolean().optional(),
+  drive: z.boolean().optional(),
+  perm: z.boolean().optional(),
+  scopes: z.boolean().optional()
+}).optional();
+const FeishuFooterSchema = z.object({
+  status: z.boolean().optional(),
+  elapsed: z.boolean().optional()
+}).optional();
+const BlockStreamingCoalesceSchema = z.object({
+  minChars: z.number().optional(),
+  maxChars: z.number().optional(),
+  idleMs: z.number().optional()
+}).optional();
+const MarkdownConfigSchema = z.object({
+  tables: z.enum(["off", "bullets", "code"]).optional()
+}).optional();
+const HeartbeatSchema = z.object({
+  every: z.string().optional(),
+  activeHours: z.object({
+    start: z.string().optional(),
+    end: z.string().optional(),
+    timezone: z.string().optional()
+  }).optional(),
+  target: z.string().optional(),
+  to: z.string().optional(),
+  prompt: z.string().optional(),
+  accountId: z.string().optional()
+}).optional();
+const CapabilitiesSchema = z.object({
+  image: z.boolean().optional(),
+  audio: z.boolean().optional(),
+  video: z.boolean().optional()
+}).optional();
+const DedupSchema = z.object({
+  ttlMs: z.number().optional(),
+  // default 43200000 (12h)
+  maxEntries: z.number().optional()
+  // default 5000
+}).optional();
+const ReactionNotificationModeSchema = z.enum(["off", "own", "all"]).optional();
+const UATConfigSchema = z.object({
+  enabled: z.boolean().optional(),
+  allowedScopes: z.array(z.string()).optional(),
+  blockedScopes: z.array(z.string()).optional()
+}).optional();
+const DmConfigSchema = z.object({
+  historyLimit: z.number().optional()
+}).optional();
+const FeishuGroupSchema = z.object({
+  groupPolicy: GroupPolicyEnum.optional(),
+  requireMention: z.boolean().optional(),
+  tools: ToolPolicySchema,
+  skills: z.array(z.string()).optional(),
+  enabled: z.boolean().optional(),
+  allowFrom: AllowFromSchema,
+  systemPrompt: z.string().optional()
+});
+const FeishuAccountConfigSchema = z.object({
+  appId: z.string().optional(),
+  appSecret: z.string().optional(),
+  encryptKey: z.string().optional(),
+  verificationToken: z.string().optional(),
+  name: z.string().optional(),
+  enabled: z.boolean().optional(),
+  domain: DomainSchema,
+  connectionMode: ConnectionModeEnum.optional(),
+  webhookPath: z.string().optional(),
+  webhookPort: z.number().optional(),
+  dmPolicy: DmPolicyEnum.optional(),
+  allowFrom: AllowFromSchema,
+  groupPolicy: GroupPolicyEnum.optional(),
+  groupAllowFrom: AllowFromSchema,
+  requireMention: z.boolean().optional(),
+  groups: z.record(z.string(), FeishuGroupSchema).optional(),
+  historyLimit: z.number().optional(),
+  dmHistoryLimit: z.number().optional(),
+  dms: DmConfigSchema,
+  textChunkLimit: z.number().optional(),
+  chunkMode: ChunkModeEnum.optional(),
+  blockStreamingCoalesce: BlockStreamingCoalesceSchema,
+  mediaMaxMb: z.number().optional(),
+  heartbeat: HeartbeatSchema,
+  replyMode: ReplyModeSchema,
+  streaming: z.boolean().optional(),
+  blockStreaming: z.boolean().optional(),
+  tools: FeishuToolsFlagSchema,
+  footer: FeishuFooterSchema,
+  markdown: MarkdownConfigSchema,
+  configWrites: z.boolean().optional(),
+  capabilities: CapabilitiesSchema,
+  dedup: DedupSchema,
+  reactionNotifications: ReactionNotificationModeSchema,
+  threadSession: z.boolean().optional(),
+  uat: UATConfigSchema
+});
+const FeishuConfigSchema = FeishuAccountConfigSchema.extend({
+  accounts: z.record(z.string(), FeishuAccountConfigSchema).optional()
+}).superRefine((data, ctx) => {
+  if (data.dmPolicy === "open") {
+    const list = data.allowFrom;
+    const hasWildcard = Array.isArray(list) && list.includes("*");
+    if (!hasWildcard) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path: ["allowFrom"],
+        message: 'When dmPolicy is "open", allowFrom must include "*" to permit all senders.'
+      });
+    }
+  }
+});
+const FEISHU_CONFIG_JSON_SCHEMA = toJSONSchema(FeishuConfigSchema, {
+  target: "draft-07",
+  io: "input",
+  unrepresentable: "any"
+});
+export {
+  FEISHU_CONFIG_JSON_SCHEMA,
+  FeishuAccountConfigSchema,
+  FeishuConfigSchema,
+  FeishuGroupSchema,
+  UATConfigSchema,
+  z
+};
+//# sourceMappingURL=config-schema.js.map

package/dist/src/core/config-schema.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/core/config-schema.ts"],
+  "sourcesContent": ["/**\n * Copyright (c) 2026 ByteDance Ltd. and/or its affiliates\n * SPDX-License-Identifier: MIT\n *\n * Zod-based configuration schema for the OpenClaw Lark/Feishu channel plugin.\n *\n * Provides runtime validation, sensible defaults, and cross-field refinements\n * so that every consuming module can rely on well-typed configuration objects.\n */\n\nimport { z, toJSONSchema } from 'zod';\n\nexport { z };\n\n// ---------------------------------------------------------------------------\n// Shared micro-schemas\n// ---------------------------------------------------------------------------\n\nconst DmPolicyEnum = z.enum(['open', 'pairing', 'allowlist', 'disabled']);\nconst GroupPolicyEnum = z.enum(['open', 'allowlist', 'disabled']);\nconst ConnectionModeEnum = z.enum(['websocket', 'webhook']);\nconst ReplyModeValue = z.enum(['auto', 'static', 'streaming']);\nconst ReplyModeSchema = z\n  .union([\n    ReplyModeValue,\n    z.object({\n      default: ReplyModeValue.optional(),\n      group: ReplyModeValue.optional(),\n      direct: ReplyModeValue.optional(),\n    }),\n  ])\n  .optional();\nconst ChunkModeEnum = z.enum(['newline', 'paragraph', 'none']);\n\nconst DomainSchema = z.union([z.literal('feishu'), z.literal('lark'), z.string().regex(/^https:\\/\\//)]).optional();\n\nconst AllowFromSchema = z\n  .union([z.string(), z.array(z.string())])\n  .optional()\n  .transform((v) => {\n    if (v === undefined || v === null) return undefined;\n    return Array.isArray(v) ? v : [v];\n  });\n\nconst ToolPolicySchema = z\n  .object({\n    allow: z.array(z.string()).optional(),\n    deny: z.array(z.string()).optional(),\n  })\n  .optional();\n\nconst FeishuToolsFlagSchema = z\n  .object({\n    doc: z.boolean().optional(),\n    wiki: z.boolean().optional(),\n    drive: z.boolean().optional(),\n    perm: z.boolean().optional(),\n    scopes: z.boolean().optional(),\n  })\n  .optional();\n\nconst FeishuFooterSchema = z\n  .object({\n    status: z.boolean().optional(),\n    elapsed: z.boolean().optional(),\n  })\n  .optional();\n\nconst BlockStreamingCoalesceSchema = z\n  .object({\n    minChars: z.number().optional(),\n    maxChars: z.number().optional(),\n    idleMs: z.number().optional(),\n  })\n  .optional();\n\nconst MarkdownConfigSchema = z\n  .object({\n    tables: z.enum(['off', 'bullets', 'code']).optional(),\n  })\n  .optional();\n\nconst HeartbeatSchema = z\n  .object({\n    every: z.string().optional(),\n    activeHours: z\n      .object({\n        start: z.string().optional(),\n        end: z.string().optional(),\n        timezone: z.string().optional(),\n      })\n      .optional(),\n    target: z.string().optional(),\n    to: z.string().optional(),\n    prompt: z.string().optional(),\n    accountId: z.string().optional(),\n  })\n  .optional();\n\nconst CapabilitiesSchema = z\n  .object({\n    image: z.boolean().optional(),\n    audio: z.boolean().optional(),\n    video: z.boolean().optional(),\n  })\n  .optional();\n\nconst DedupSchema = z\n  .object({\n    ttlMs: z.number().optional(), // default 43200000 (12h)\n    maxEntries: z.number().optional(), // default 5000\n  })\n  .optional();\n\nconst ReactionNotificationModeSchema = z.enum(['off', 'own', 'all']).optional();\n\nexport const UATConfigSchema = z\n  .object({\n    enabled: z.boolean().optional(),\n    allowedScopes: z.array(z.string()).optional(),\n    blockedScopes: z.array(z.string()).optional(),\n  })\n  .optional();\n\nconst DmConfigSchema = z\n  .object({\n    historyLimit: z.number().optional(),\n  })\n  .optional();\n\n// ---------------------------------------------------------------------------\n// Group schema\n// ---------------------------------------------------------------------------\n\nexport const FeishuGroupSchema = z.object({\n  groupPolicy: GroupPolicyEnum.optional(),\n  requireMention: z.boolean().optional(),\n  tools: ToolPolicySchema,\n  skills: z.array(z.string()).optional(),\n  enabled: z.boolean().optional(),\n  allowFrom: AllowFromSchema,\n  systemPrompt: z.string().optional(),\n});\n\n// ---------------------------------------------------------------------------\n// Account config schema (same shape as top-level minus `accounts`)\n// ---------------------------------------------------------------------------\n\nexport const FeishuAccountConfigSchema = z.object({\n  appId: z.string().optional(),\n  appSecret: z.string().optional(),\n  encryptKey: z.string().optional(),\n  verificationToken: z.string().optional(),\n  name: z.string().optional(),\n  enabled: z.boolean().optional(),\n  domain: DomainSchema,\n  connectionMode: ConnectionModeEnum.optional(),\n  webhookPath: z.string().optional(),\n  webhookPort: z.number().optional(),\n  dmPolicy: DmPolicyEnum.optional(),\n  allowFrom: AllowFromSchema,\n  groupPolicy: GroupPolicyEnum.optional(),\n  groupAllowFrom: AllowFromSchema,\n  requireMention: z.boolean().optional(),\n  groups: z.record(z.string(), FeishuGroupSchema).optional(),\n  historyLimit: z.number().optional(),\n  dmHistoryLimit: z.number().optional(),\n  dms: DmConfigSchema,\n  textChunkLimit: z.number().optional(),\n  chunkMode: ChunkModeEnum.optional(),\n  blockStreamingCoalesce: BlockStreamingCoalesceSchema,\n  mediaMaxMb: z.number().optional(),\n  heartbeat: HeartbeatSchema,\n  replyMode: ReplyModeSchema,\n  streaming: z.boolean().optional(),\n  blockStreaming: z.boolean().optional(),\n  tools: FeishuToolsFlagSchema,\n  footer: FeishuFooterSchema,\n  markdown: MarkdownConfigSchema,\n  configWrites: z.boolean().optional(),\n  capabilities: CapabilitiesSchema,\n  dedup: DedupSchema,\n  reactionNotifications: ReactionNotificationModeSchema,\n  threadSession: z.boolean().optional(),\n  uat: UATConfigSchema,\n});\n\n// ---------------------------------------------------------------------------\n// Top-level Feishu config schema\n// ---------------------------------------------------------------------------\n\nexport const FeishuConfigSchema = FeishuAccountConfigSchema.extend({\n  accounts: z.record(z.string(), FeishuAccountConfigSchema).optional(),\n}).superRefine((data, ctx) => {\n  // When dmPolicy is \"open\", allowFrom must contain the wildcard \"*\".\n  if (data.dmPolicy === 'open') {\n    const list = data.allowFrom;\n    const hasWildcard = Array.isArray(list) && list.includes('*');\n\n    if (!hasWildcard) {\n      ctx.addIssue({\n        code: z.ZodIssueCode.custom,\n        path: ['allowFrom'],\n        message: 'When dmPolicy is \"open\", allowFrom must include \"*\" to permit all senders.',\n      });\n    }\n  }\n});\n\n// ---------------------------------------------------------------------------\n// Auto-generated JSON Schema (single source of truth)\n// ---------------------------------------------------------------------------\n\n/**\n * JSON Schema derived from FeishuConfigSchema.\n *\n * - `io: \"input\"` exposes the input type for `.transform()` schemas (e.g. AllowFromSchema).\n * - `unrepresentable: \"any\"` degrades `.superRefine()` constraints to `{}`.\n * - `target: \"draft-07\"` matches the plugin system's expected JSON Schema version.\n */\nexport const FEISHU_CONFIG_JSON_SCHEMA: Record<string, unknown> = toJSONSchema(FeishuConfigSchema, {\n  target: 'draft-07',\n  io: 'input',\n  unrepresentable: 'any',\n});\n"],
+  "mappings": "AAUA,SAAS,GAAG,oBAAoB;AAQhC,MAAM,eAAe,EAAE,KAAK,CAAC,QAAQ,WAAW,aAAa,UAAU,CAAC;AACxE,MAAM,kBAAkB,EAAE,KAAK,CAAC,QAAQ,aAAa,UAAU,CAAC;AAChE,MAAM,qBAAqB,EAAE,KAAK,CAAC,aAAa,SAAS,CAAC;AAC1D,MAAM,iBAAiB,EAAE,KAAK,CAAC,QAAQ,UAAU,WAAW,CAAC;AAC7D,MAAM,kBAAkB,EACrB,MAAM;AAAA,EACL;AAAA,EACA,EAAE,OAAO;AAAA,IACP,SAAS,eAAe,SAAS;AAAA,IACjC,OAAO,eAAe,SAAS;AAAA,IAC/B,QAAQ,eAAe,SAAS;AAAA,EAClC,CAAC;AACH,CAAC,EACA,SAAS;AACZ,MAAM,gBAAgB,EAAE,KAAK,CAAC,WAAW,aAAa,MAAM,CAAC;AAE7D,MAAM,eAAe,EAAE,MAAM,CAAC,EAAE,QAAQ,QAAQ,GAAG,EAAE,QAAQ,MAAM,GAAG,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC,CAAC,EAAE,SAAS;AAEjH,MAAM,kBAAkB,EACrB,MAAM,CAAC,EAAE,OAAO,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,EACvC,SAAS,EACT,UAAU,CAAC,MAAM;AAChB,MAAI,MAAM,UAAa,MAAM,KAAM,QAAO;AAC1C,SAAO,MAAM,QAAQ,CAAC,IAAI,IAAI,CAAC,CAAC;AAClC,CAAC;AAEH,MAAM,mBAAmB,EACtB,OAAO;AAAA,EACN,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACpC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AACrC,CAAC,EACA,SAAS;AAEZ,MAAM,wBAAwB,EAC3B,OAAO;AAAA,EACN,KAAK,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC1B,MAAM,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC3B,OAAO,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC5B,MAAM,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC3B,QAAQ,EAAE,QAAQ,EAAE,SAAS;AAC/B,CAAC,EACA,SAAS;AAEZ,MAAM,qBAAqB,EACxB,OAAO;AAAA,EACN,QAAQ,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC7B,SAAS,EAAE,QAAQ,EAAE,SAAS;AAChC,CAAC,EACA,SAAS;AAEZ,MAAM,+BAA+B,EAClC,OAAO;AAAA,EACN,UAAU,EAAE,OAAO,EAAE,SAAS;AAAA,EAC9B,UAAU,EAAE,OAAO,EAAE,SAAS;AAAA,EAC9B,QAAQ,EAAE,OAAO,EAAE,SAAS;AAC9B,CAAC,EACA,SAAS;AAEZ,MAAM,uBAAuB,EAC1B,OAAO;AAAA,EACN,QAAQ,EAAE,KAAK,CAAC,OAAO,WAAW,MAAM,CAAC,EAAE,SAAS;AACtD,CAAC,EACA,SAAS;AAEZ,MAAM,kBAAkB,EACrB,OAAO;AAAA,EACN,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,aAAa,EACV,OAAO;AAAA,IACN,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA,IAC3B,KAAK,EAAE,OAAO,EAAE,SAAS;AAAA,IACzB,UAAU,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,CAAC,EACA,SAAS;AAAA,EACZ,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,IAAI,EAAE,OAAO,EAAE,SAAS;AAAA,EACxB,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA,EAC5B,WAAW,EAAE,OAAO,EAAE,SAAS;AACjC,CAAC,EACA,SAAS;AAEZ,MAAM,qBAAqB,EACxB,OAAO;AAAA,EACN,OAAO,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC5B,OAAO,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC5B,OAAO,EAAE,QAAQ,EAAE,SAAS;AAC9B,CAAC,EACA,SAAS;AAEZ,MAAM,cAAc,EACjB,OAAO;AAAA,EACN,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAC3B,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA;AAClC,CAAC,EACA,SAAS;AAEZ,MAAM,iCAAiC,EAAE,KAAK,CAAC,OAAO,OAAO,KAAK,CAAC,EAAE,SAAS;AAEvE,MAAM,kBAAkB,EAC5B,OAAO;AAAA,EACN,SAAS,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC9B,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC5C,eAAe,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAC9C,CAAC,EACA,SAAS;AAEZ,MAAM,iBAAiB,EACpB,OAAO;AAAA,EACN,cAAc,EAAE,OAAO,EAAE,SAAS;AACpC,CAAC,EACA,SAAS;AAML,MAAM,oBAAoB,EAAE,OAAO;AAAA,EACxC,aAAa,gBAAgB,SAAS;AAAA,EACtC,gBAAgB,EAAE,QAAQ,EAAE,SAAS;AAAA,EACrC,OAAO;AAAA,EACP,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EACrC,SAAS,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC9B,WAAW;AAAA,EACX,cAAc,EAAE,OAAO,EAAE,SAAS;AACpC,CAAC;AAMM,MAAM,4BAA4B,EAAE,OAAO;AAAA,EAChD,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,mBAAmB,EAAE,OAAO,EAAE,SAAS;AAAA,EACvC,MAAM,EAAE,OAAO,EAAE,SAAS;AAAA,EAC1B,SAAS,EAAE,QAAQ,EAAE,SAAS;AAAA,EAC9B,QAAQ;AAAA,EACR,gBAAgB,mBAAmB,SAAS;AAAA,EAC5C,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA,EACjC,UAAU,aAAa,SAAS;AAAA,EAChC,WAAW;AAAA,EACX,aAAa,gBAAgB,SAAS;AAAA,EACtC,gBAAgB;AAAA,EAChB,gBAAgB,EAAE,QAAQ,EAAE,SAAS;AAAA,EACrC,QAAQ,EAAE,OAAO,EAAE,OAAO,GAAG,iBAAiB,EAAE,SAAS;AAAA,EACzD,cAAc,EAAE,OAAO,EAAE,SAAS;AAAA,EAClC,gBAAgB,EAAE,OAAO,EAAE,SAAS;AAAA,EACpC,KAAK;AAAA,EACL,gBAAgB,EAAE,OAAO,EAAE,SAAS;AAAA,EACpC,WAAW,cAAc,SAAS;AAAA,EAClC,wBAAwB;AAAA,EACxB,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA,EAChC,WAAW;AAAA,EACX,WAAW;AAAA,EACX,WAAW,EAAE,QAAQ,EAAE,SAAS;AAAA,EAChC,gBAAgB,EAAE,QAAQ,EAAE,SAAS;AAAA,EACrC,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,UAAU;AAAA,EACV,cAAc,EAAE,QAAQ,EAAE,SAAS;AAAA,EACnC,cAAc;AAAA,EACd,OAAO;AAAA,EACP,uBAAuB;AAAA,EACvB,eAAe,EAAE,QAAQ,EAAE,SAAS;AAAA,EACpC,KAAK;AACP,CAAC;AAMM,MAAM,qBAAqB,0BAA0B,OAAO;AAAA,EACjE,UAAU,EAAE,OAAO,EAAE,OAAO,GAAG,yBAAyB,EAAE,SAAS;AACrE,CAAC,EAAE,YAAY,CAAC,MAAM,QAAQ;AAE5B,MAAI,KAAK,aAAa,QAAQ;AAC5B,UAAM,OAAO,KAAK;AAClB,UAAM,cAAc,MAAM,QAAQ,IAAI,KAAK,KAAK,SAAS,GAAG;AAE5D,QAAI,CAAC,aAAa;AAChB,UAAI,SAAS;AAAA,QACX,MAAM,EAAE,aAAa;AAAA,QACrB,MAAM,CAAC,WAAW;AAAA,QAClB,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AACF,CAAC;AAaM,MAAM,4BAAqD,aAAa,oBAAoB;AAAA,EACjG,QAAQ;AAAA,EACR,IAAI;AAAA,EACJ,iBAAiB;AACnB,CAAC;",
+  "names": []
+}

package/dist/src/core/device-flow.js

@@ -0,0 +1,174 @@
+import { larkLogger } from "./lark-logger";
+const log = larkLogger("core/device-flow");
+import { feishuFetch } from "./feishu-fetch";
+function resolveOAuthEndpoints(brand) {
+  if (!brand || brand === "feishu") {
+    return {
+      deviceAuthorization: "https://accounts.feishu.cn/oauth/v1/device_authorization",
+      token: "https://open.feishu.cn/open-apis/authen/v2/oauth/token"
+    };
+  }
+  if (brand === "lark") {
+    return {
+      deviceAuthorization: "https://accounts.larksuite.com/oauth/v1/device_authorization",
+      token: "https://open.larksuite.com/open-apis/authen/v2/oauth/token"
+    };
+  }
+  const base = brand.replace(/\/+$/, "");
+  let accountsBase = base;
+  try {
+    const parsed = new URL(base);
+    if (parsed.hostname.startsWith("open.")) {
+      accountsBase = `${parsed.protocol}//${parsed.hostname.replace(/^open\./, "accounts.")}`;
+    }
+  } catch {
+  }
+  return {
+    deviceAuthorization: `${accountsBase}/oauth/v1/device_authorization`,
+    token: `${base}/open-apis/authen/v2/oauth/token`
+  };
+}
+async function requestDeviceAuthorization(params) {
+  const { appId, appSecret, brand } = params;
+  const endpoints = params.endpoints || resolveOAuthEndpoints(brand);
+  let scope = params.scope ?? "";
+  if (!scope.includes("offline_access")) {
+    scope = scope ? `${scope} offline_access` : "offline_access";
+  }
+  const basicAuth = Buffer.from(`${appId}:${appSecret}`).toString("base64");
+  const body = new URLSearchParams();
+  body.set("client_id", appId);
+  body.set("scope", scope);
+  log.info(
+    `requesting device authorization (scope="${scope}") url=${endpoints.deviceAuthorization} token_url=${endpoints.token}`
+  );
+  const resp = await feishuFetch(endpoints.deviceAuthorization, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Authorization: `Basic ${basicAuth}`
+    },
+    body: body.toString()
+  });
+  const text = await resp.text();
+  log.info(`response status=${resp.status} body=${text.slice(0, 500)}`);
+  let data;
+  try {
+    data = JSON.parse(text);
+  } catch {
+    throw new Error(`Device authorization failed: HTTP ${resp.status} \u2013 ${text.slice(0, 200)}`);
+  }
+  if (!resp.ok || data.error) {
+    const msg = data.error_description ?? data.error ?? "Unknown error";
+    throw new Error(`Device authorization failed: ${msg}`);
+  }
+  const expiresIn = data.expires_in ?? 240;
+  const interval = data.interval ?? 5;
+  log.info(`device_code obtained, expires_in=${expiresIn}s (${Math.round(expiresIn / 60)}min), interval=${interval}s`);
+  return {
+    deviceCode: data.device_code,
+    userCode: data.user_code,
+    verificationUri: data.verification_uri,
+    verificationUriComplete: data.verification_uri_complete ?? data.verification_uri,
+    expiresIn,
+    interval
+  };
+}
+function sleep(ms, signal) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(resolve, ms);
+    signal?.addEventListener(
+      "abort",
+      () => {
+        clearTimeout(timer);
+        reject(new DOMException("Aborted", "AbortError"));
+      },
+      { once: true }
+    );
+  });
+}
+async function pollDeviceToken(params) {
+  const MAX_POLL_INTERVAL = 60;
+  const MAX_POLL_ATTEMPTS = 200;
+  const { appId, appSecret, brand, deviceCode, expiresIn, signal } = params;
+  let interval = params.interval;
+  const endpoints = params.endpoints || resolveOAuthEndpoints(brand);
+  const deadline = Date.now() + expiresIn * 1e3;
+  let attempts = 0;
+  while (Date.now() < deadline && attempts < MAX_POLL_ATTEMPTS) {
+    attempts++;
+    if (signal?.aborted) {
+      return { ok: false, error: "expired_token", message: "Polling was cancelled" };
+    }
+    await sleep(interval * 1e3, signal);
+    let data;
+    try {
+      const resp = await feishuFetch(endpoints.token, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+          device_code: deviceCode,
+          client_id: appId,
+          client_secret: appSecret
+        }).toString()
+      });
+      data = await resp.json();
+    } catch (err) {
+      log.warn(`poll network error: ${err}`);
+      interval = Math.min(interval + 1, MAX_POLL_INTERVAL);
+      continue;
+    }
+    const error = data.error;
+    if (!error && data.access_token) {
+      log.info("token obtained successfully");
+      const refreshToken = data.refresh_token ?? "";
+      const expiresIn2 = data.expires_in ?? 7200;
+      let refreshExpiresIn = data.refresh_token_expires_in ?? 604800;
+      if (!refreshToken) {
+        log.warn("no refresh_token in response, token will not be refreshable");
+        refreshExpiresIn = expiresIn2;
+      }
+      return {
+        ok: true,
+        token: {
+          accessToken: data.access_token,
+          refreshToken,
+          expiresIn: expiresIn2,
+          refreshExpiresIn,
+          scope: data.scope ?? ""
+        }
+      };
+    }
+    if (error === "authorization_pending") {
+      log.debug("authorization_pending, retrying...");
+      continue;
+    }
+    if (error === "slow_down") {
+      interval = Math.min(interval + 5, MAX_POLL_INTERVAL);
+      log.info(`slow_down, interval increased to ${interval}s`);
+      continue;
+    }
+    if (error === "access_denied") {
+      log.info("user denied authorization");
+      return { ok: false, error: "access_denied", message: "\u7528\u6237\u62D2\u7EDD\u4E86\u6388\u6743" };
+    }
+    if (error === "expired_token" || error === "invalid_grant") {
+      log.info(`device code expired/invalid (error=${error})`);
+      return { ok: false, error: "expired_token", message: "\u6388\u6743\u7801\u5DF2\u8FC7\u671F\uFF0C\u8BF7\u91CD\u65B0\u53D1\u8D77" };
+    }
+    const desc = data.error_description ?? error ?? "Unknown error";
+    log.warn(`unexpected error: error=${error}, desc=${desc}`);
+    return { ok: false, error: "expired_token", message: desc };
+  }
+  if (attempts >= MAX_POLL_ATTEMPTS) {
+    log.warn(`max poll attempts (${MAX_POLL_ATTEMPTS}) reached`);
+  }
+  return { ok: false, error: "expired_token", message: "\u6388\u6743\u8D85\u65F6\uFF0C\u8BF7\u91CD\u65B0\u53D1\u8D77" };
+}
+export {
+  pollDeviceToken,
+  requestDeviceAuthorization,
+  resolveOAuthEndpoints
+};
+//# sourceMappingURL=device-flow.js.map