@lark-project/openclaw-lark-project 2026.3.131

package/dist/src/tools/oauth.js

@@ -0,0 +1,538 @@
+import { Type } from "@sinclair/typebox";
+import { getLarkAccount } from "../core/accounts";
+import { assertOwnerAccessStrict, OwnerAccessDeniedError } from "../core/owner-policy";
+import { LarkClient } from "../core/lark-client";
+import { getAppGrantedScopes } from "../core/app-scope-checker";
+import { getTicket, withTicket } from "../core/lark-ticket";
+import { larkLogger } from "../core/lark-logger";
+const log = larkLogger("tools/oauth");
+import { handleFeishuMessage } from "../messaging/inbound/handler";
+import { formatLarkError } from "../core/api-error";
+import { enqueueFeishuChatTask } from "../channel/chat-queue";
+import { requestDeviceAuthorization, pollDeviceToken } from "../core/device-flow";
+import { getStoredToken, setStoredToken, tokenStatus } from "../core/token-store";
+import { revokeUAT } from "../core/uat-client";
+import { createCardEntity, sendCardByCardId, updateCardKitCardForAuth } from "../card/cardkit";
+import { buildAuthCard, buildAuthSuccessCard, buildAuthFailedCard, buildAuthIdentityMismatchCard } from "./oauth-cards";
+import { json } from "./oapi/helpers";
+const FeishuOAuthSchema = Type.Object(
+  {
+    action: Type.Union(
+      [
+        // Type.Literal("authorize"),  // 已由 auto-auth 自动处理，不再对外暴露
+        Type.Literal("revoke")
+      ],
+      {
+        description: "revoke: \u64A4\u9500\u5F53\u524D\u7528\u6237\u7684\u6388\u6743"
+      }
+    )
+  },
+  {
+    description: "\u98DE\u4E66\u7528\u6237\u6388\u6743\u7BA1\u7406\u5DE5\u5177\u3002\u3010\u6CE8\u610F\u3011\u6388\u6743\u6D41\u7A0B\u7531\u7CFB\u7EDF\u81EA\u52A8\u53D1\u8D77\uFF0C\u4E0D\u8981\u4E3B\u52A8\u8C03\u7528\u6B64\u5DE5\u5177\u89E6\u53D1\u6388\u6743\uFF01\u6B64\u5DE5\u5177\u4EC5\u7528\u4E8E\u64A4\u9500\u6388\u6743\uFF08revoke\uFF09\u3002\u4E0D\u9700\u8981\u4F20\u5165 user_open_id\uFF0C\u7CFB\u7EDF\u81EA\u52A8\u8BC6\u522B\u5F53\u524D\u7528\u6237\u3002"
+  }
+);
+const pendingFlows = /* @__PURE__ */ new Map();
+async function verifyTokenIdentity(brand, accessToken, expectedOpenId) {
+  const domain = brand === "lark" ? "https://open.larksuite.com" : "https://open.feishu.cn";
+  const url = `${domain}/open-apis/authen/v1/user_info`;
+  try {
+    const res = await fetch(url, {
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+    const data = await res.json();
+    if (data.code !== 0) {
+      log.warn(`user_info API error: code=${data.code}, msg=${data.msg}`);
+      return { valid: false };
+    }
+    const actualOpenId = data.data?.open_id;
+    if (!actualOpenId) {
+      log.warn("user_info API returned no open_id");
+      return { valid: false };
+    }
+    return {
+      valid: actualOpenId === expectedOpenId,
+      actualOpenId
+    };
+  } catch (err) {
+    log.warn(`identity verification request failed: ${err}`);
+    return { valid: false };
+  }
+}
+function registerFeishuOAuthTool(api) {
+  if (!api.config) return;
+  const cfg = api.config;
+  api.registerTool(
+    {
+      name: "feishu_oauth",
+      label: "Feishu OAuth",
+      description: "\u98DE\u4E66\u7528\u6237\u6388\u6743\uFF08OAuth\uFF09\u7BA1\u7406\u5DE5\u5177\u3002\u3010\u6CE8\u610F\u3011\u6388\u6743\u6D41\u7A0B\u7531\u7CFB\u7EDF\u81EA\u52A8\u53D1\u8D77\uFF0C\u4E0D\u8981\u4E3B\u52A8\u8C03\u7528\u6B64\u5DE5\u5177\u89E6\u53D1\u6388\u6743\uFF01\u6B64\u5DE5\u5177\u4EC5\u7528\u4E8E revoke\uFF08\u64A4\u9500\u5F53\u524D\u7528\u6237\u7684\u6388\u6743\uFF09\u3002\u4E0D\u9700\u8981\u4F20\u5165 user_open_id\uFF0C\u7CFB\u7EDF\u81EA\u52A8\u4ECE\u6D88\u606F\u4E0A\u4E0B\u6587\u83B7\u53D6\u5F53\u524D\u7528\u6237\u3002\u3010Token \u8FC7\u671F\u5904\u7406\u3011\u5F53\u8FD4\u56DE token_expired \u9519\u8BEF\u65F6\uFF0C\u8C03\u7528 revoke \u64A4\u9500\u540E\uFF0C\u7CFB\u7EDF\u4F1A\u81EA\u52A8\u91CD\u65B0\u53D1\u8D77\u6388\u6743\u6D41\u7A0B\u3002",
+      parameters: FeishuOAuthSchema,
+      async execute(_toolCallId, params) {
+        const p = params;
+        const ticket = getTicket();
+        const senderOpenId = ticket?.senderOpenId;
+        if (!senderOpenId) {
+          return json({
+            error: "\u65E0\u6CD5\u83B7\u53D6\u5F53\u524D\u7528\u6237\u8EAB\u4EFD\uFF08senderOpenId\uFF09\uFF0C\u8BF7\u5728\u98DE\u4E66\u5BF9\u8BDD\u4E2D\u4F7F\u7528\u6B64\u5DE5\u5177\u3002"
+          });
+        }
+        const acct = getLarkAccount(cfg, ticket.accountId);
+        if (!acct.configured) {
+          return json({
+            error: `\u8D26\u53F7 ${ticket.accountId} \u7F3A\u5C11 appId \u6216 appSecret \u914D\u7F6E`
+          });
+        }
+        const account = acct;
+        try {
+          switch (p.action) {
+            // ---------------------------------------------------------------
+            // AUTHORIZE — 已由 auto-auth 自动处理，此分支不再对外暴露
+            // ---------------------------------------------------------------
+            // case "authorize": {
+            //   return await executeAuthorize({
+            //     account,
+            //     senderOpenId,
+            //     scope: p.scope || "",
+            //     isBatchAuth: false,
+            //     cfg,
+            //     ticket,
+            //   });
+            // }
+            // ---------------------------------------------------------------
+            // STATUS
+            // ---------------------------------------------------------------
+            // case "status": {
+            //   const status = await getUATStatus(account.appId, senderOpenId);
+            //   return json({
+            //     authorized: status.authorized,
+            //     scope: status.scope,
+            //     token_status: status.tokenStatus,
+            //     granted_at: status.grantedAt
+            //       ? new Date(status.grantedAt).toISOString()
+            //       : undefined,
+            //     expires_at: status.expiresAt
+            //       ? new Date(status.expiresAt).toISOString()
+            //       : undefined,
+            //   });
+            // }
+            // ---------------------------------------------------------------
+            // REVOKE
+            // ---------------------------------------------------------------
+            case "revoke": {
+              await revokeUAT(account.appId, senderOpenId);
+              return json({ success: true, message: "\u7528\u6237\u6388\u6743\u5DF2\u64A4\u9500\u3002" });
+            }
+            default:
+              return json({ error: `\u672A\u77E5\u64CD\u4F5C: ${p.action}` });
+          }
+        } catch (err) {
+          log.error(`${p.action} failed: ${err}`);
+          return json({ error: formatLarkError(err) });
+        }
+      }
+    },
+    { name: "feishu_oauth" }
+  );
+  api.logger.info?.("feishu_oauth: Registered feishu_oauth tool");
+}
+async function executeAuthorize(params) {
+  const {
+    account,
+    senderOpenId,
+    scope,
+    isBatchAuth,
+    totalAppScopes,
+    alreadyGranted,
+    batchInfo,
+    skipSyntheticMessage,
+    showBatchAuthHint,
+    forceAuth,
+    onAuthComplete,
+    cfg,
+    ticket
+  } = params;
+  const { appId, appSecret, brand, accountId } = account;
+  const sdk = LarkClient.fromAccount(account).sdk;
+  try {
+    await assertOwnerAccessStrict(account, sdk, senderOpenId);
+  } catch (err) {
+    if (err instanceof OwnerAccessDeniedError) {
+      log.warn(`non-owner user ${senderOpenId} attempted to authorize`);
+      return json({
+        error: "permission_denied",
+        message: "\u5F53\u524D\u5E94\u7528\u4EC5\u9650\u6240\u6709\u8005\uFF08App Owner\uFF09\u4F7F\u7528\u3002\u60A8\u6CA1\u6709\u6743\u9650\u53D1\u8D77\u6388\u6743\uFF0C\u65E0\u6CD5\u4F7F\u7528\u76F8\u5173\u529F\u80FD\u3002"
+      });
+    }
+    throw err;
+  }
+  let effectiveScope = scope;
+  const existing = forceAuth ? null : await getStoredToken(appId, senderOpenId);
+  if (existing && tokenStatus(existing) !== "expired") {
+    if (effectiveScope) {
+      const requestedScopes = effectiveScope.split(/\s+/).filter(Boolean);
+      const grantedScopes = new Set((existing.scope ?? "").split(/\s+/).filter(Boolean));
+      const missingScopes = requestedScopes.filter((s) => !grantedScopes.has(s));
+      if (missingScopes.length > 0) {
+        log.info(`existing token missing scopes [${missingScopes.join(", ")}], starting incremental auth`);
+      } else {
+        if (onAuthComplete) {
+          try {
+            await onAuthComplete();
+          } catch (e) {
+            log.warn(`onAuthComplete failed: ${e}`);
+          }
+        }
+        return json({
+          success: true,
+          message: "\u7528\u6237\u5DF2\u6388\u6743\uFF0Cscope \u5DF2\u8986\u76D6\u3002",
+          authorized: true,
+          scope: existing.scope
+        });
+      }
+    } else {
+      if (onAuthComplete) {
+        try {
+          await onAuthComplete();
+        } catch (e) {
+          log.warn(`onAuthComplete failed: ${e}`);
+        }
+      }
+      return json({
+        success: true,
+        message: "\u7528\u6237\u5DF2\u6388\u6743\uFF0C\u65E0\u9700\u91CD\u590D\u6388\u6743\u3002",
+        authorized: true,
+        scope: existing.scope
+      });
+    }
+  }
+  const flowKey = `${appId}:${senderOpenId}`;
+  let reuseCardId;
+  let reuseSeq = 0;
+  if (pendingFlows.has(flowKey)) {
+    const oldFlow = pendingFlows.get(flowKey);
+    const currentMessageId = ticket?.messageId ?? "";
+    if (oldFlow.messageId === currentMessageId) {
+      oldFlow.superseded = true;
+      oldFlow.controller.abort();
+      reuseCardId = oldFlow.cardId;
+      reuseSeq = oldFlow.sequence;
+      pendingFlows.delete(flowKey);
+      if (oldFlow.scope) {
+        const oldScopes = oldFlow.scope.split(/\s+/).filter(Boolean);
+        const newScopes = effectiveScope?.split(/\s+/).filter(Boolean) ?? [];
+        const merged = /* @__PURE__ */ new Set([...oldScopes, ...newScopes]);
+        effectiveScope = [...merged].join(" ");
+        log.info(`scope merge on reuse: [${[...merged].join(", ")}]`);
+      }
+      log.info(`same message, replacing flow for user=${senderOpenId}, app=${appId}, reusing cardId=${reuseCardId}`);
+    } else {
+      oldFlow.superseded = true;
+      oldFlow.controller.abort();
+      pendingFlows.delete(flowKey);
+      log.info(`new message, cancelling old flow for user=${senderOpenId}, app=${appId}, old cardId=${oldFlow.cardId}`);
+      try {
+        await updateCardKitCardForAuth({
+          cfg,
+          cardId: oldFlow.cardId,
+          card: buildAuthFailedCard("\u65B0\u7684\u6388\u6743\u8BF7\u6C42\u5DF2\u53D1\u8D77"),
+          sequence: oldFlow.sequence + 1,
+          accountId
+        });
+      } catch (e) {
+        log.warn(`failed to update old card to expired: ${e}`);
+      }
+    }
+  }
+  let filteredScope = effectiveScope;
+  let unavailableScopes = [];
+  if (effectiveScope) {
+    try {
+      const sdk2 = LarkClient.fromAccount(account).sdk;
+      const requestedScopes = effectiveScope.split(/\s+/).filter(Boolean);
+      const appScopes = await getAppGrantedScopes(sdk2, appId, "user");
+      const availableScopes = requestedScopes.filter((s) => appScopes.includes(s));
+      unavailableScopes = requestedScopes.filter((s) => !appScopes.includes(s));
+      if (unavailableScopes.length > 0) {
+        log.info(`app has not granted scopes [${unavailableScopes.join(", ")}], filtering them out`);
+        if (availableScopes.length === 0) {
+          const permissionUrl = `https://open.feishu.cn/app/${appId}/permission`;
+          return json({
+            error: "app_scopes_not_granted",
+            message: `\u5E94\u7528\u672A\u5F00\u901A\u4EFB\u4F55\u8BF7\u6C42\u7684\u7528\u6237\u6743\u9650\uFF0C\u65E0\u6CD5\u53D1\u8D77\u6388\u6743\u3002\u8BF7\u5148\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\u4EE5\u4E0B\u6743\u9650\uFF1A
+${unavailableScopes.map((s) => `- ${s}`).join("\n")}
+
+\u6743\u9650\u7BA1\u7406\u5730\u5740\uFF1A${permissionUrl}`,
+            unavailable_scopes: unavailableScopes,
+            app_permission_url: permissionUrl
+          });
+        }
+        filteredScope = availableScopes.join(" ");
+        log.info(`proceeding with available scopes [${availableScopes.join(", ")}]`);
+      }
+    } catch (err) {
+      log.warn(`failed to check app scopes, proceeding anyway: ${err}`);
+    }
+  }
+  const deviceAuth = await requestDeviceAuthorization({
+    appId,
+    appSecret,
+    brand,
+    scope: filteredScope
+  });
+  const authCard = buildAuthCard({
+    verificationUriComplete: deviceAuth.verificationUriComplete,
+    expiresMin: Math.round(deviceAuth.expiresIn / 60),
+    scope: filteredScope,
+    // 使用过滤后的 scope
+    isBatchAuth,
+    totalAppScopes,
+    alreadyGranted,
+    batchInfo,
+    filteredScopes: unavailableScopes.length > 0 ? unavailableScopes : void 0,
+    appId,
+    showBatchAuthHint
+  });
+  let cardId;
+  let seq;
+  const chatId = ticket?.chatId;
+  if (!chatId || !ticket) {
+    return json({ error: "\u65E0\u6CD5\u786E\u5B9A\u53D1\u9001\u76EE\u6807" });
+  }
+  if (reuseCardId) {
+    const newSeq = reuseSeq + 1;
+    try {
+      await updateCardKitCardForAuth({
+        cfg,
+        cardId: reuseCardId,
+        card: authCard,
+        sequence: newSeq,
+        accountId
+      });
+      log.info(`updated existing card ${reuseCardId} with merged scopes, seq=${newSeq}`);
+    } catch (err) {
+      log.warn(`failed to update existing card, creating new one: ${err}`);
+      const newCardId = await createCardEntity({ cfg, card: authCard, accountId });
+      if (!newCardId) return json({ error: "\u521B\u5EFA\u6388\u6743\u5361\u7247\u5931\u8D25" });
+      if (chatId) {
+        await sendCardByCardId({
+          cfg,
+          to: chatId,
+          cardId: newCardId,
+          replyToMessageId: ticket?.messageId?.startsWith("om_") ? ticket.messageId : void 0,
+          replyInThread: Boolean(ticket?.threadId),
+          accountId
+        });
+      }
+      cardId = newCardId;
+      seq = 1;
+      reuseCardId = void 0;
+    }
+    if (reuseCardId) {
+      cardId = reuseCardId;
+      seq = newSeq;
+    } else {
+      cardId = cardId;
+      seq = seq;
+    }
+  } else {
+    const newCardId = await createCardEntity({ cfg, card: authCard, accountId });
+    if (!newCardId) {
+      return json({ error: "\u521B\u5EFA\u6388\u6743\u5361\u7247\u5931\u8D25" });
+    }
+    await sendCardByCardId({
+      cfg,
+      to: chatId,
+      cardId: newCardId,
+      replyToMessageId: ticket?.messageId?.startsWith("om_") ? ticket.messageId : void 0,
+      replyInThread: Boolean(ticket?.threadId),
+      accountId
+    });
+    cardId = newCardId;
+    seq = 1;
+  }
+  const abortController = new AbortController();
+  const currentFlow = {
+    controller: abortController,
+    cardId,
+    sequence: seq,
+    messageId: ticket?.messageId ?? "",
+    superseded: false,
+    scope: effectiveScope
+  };
+  pendingFlows.set(flowKey, currentFlow);
+  let pendingFlowDelete = false;
+  pollDeviceToken({
+    appId,
+    appSecret,
+    brand,
+    deviceCode: deviceAuth.deviceCode,
+    interval: deviceAuth.interval,
+    expiresIn: deviceAuth.expiresIn,
+    signal: abortController.signal
+  }).then(async (result) => {
+    if (currentFlow.superseded) {
+      log.info(`flow superseded, skipping card update for cardId=${cardId}`);
+      return;
+    }
+    if (result.ok) {
+      const identity = await verifyTokenIdentity(brand, result.token.accessToken, senderOpenId);
+      if (!identity.valid) {
+        log.warn(
+          `identity mismatch! expected=${senderOpenId}, actual=${identity.actualOpenId ?? "unknown"}, cardId=${cardId}`
+        );
+        try {
+          await updateCardKitCardForAuth({
+            cfg,
+            cardId,
+            card: buildAuthIdentityMismatchCard(),
+            sequence: ++seq,
+            accountId
+          });
+        } catch (e) {
+          log.warn(`failed to update card for identity mismatch: ${e}`);
+        }
+        pendingFlows.delete(flowKey);
+        pendingFlowDelete = true;
+        return;
+      }
+      const now = Date.now();
+      const storedToken = {
+        userOpenId: senderOpenId,
+        appId,
+        accessToken: result.token.accessToken,
+        refreshToken: result.token.refreshToken,
+        expiresAt: now + result.token.expiresIn * 1e3,
+        refreshExpiresAt: now + result.token.refreshExpiresIn * 1e3,
+        scope: result.token.scope,
+        grantedAt: now
+      };
+      await setStoredToken(storedToken);
+      try {
+        await updateCardKitCardForAuth({
+          cfg,
+          cardId,
+          card: buildAuthSuccessCard(),
+          sequence: ++seq,
+          accountId
+        });
+      } catch (e) {
+        log.warn(`failed to update card to success: ${e}`);
+      }
+      pendingFlows.delete(flowKey);
+      pendingFlowDelete = true;
+      if (onAuthComplete) {
+        try {
+          await onAuthComplete();
+        } catch (e) {
+          log.warn(`onAuthComplete failed: ${e}`);
+        }
+      }
+      if (skipSyntheticMessage) {
+        log.info("skipSyntheticMessage=true, skipping synthetic message");
+      } else
+        try {
+          const syntheticMsgId = `${ticket.messageId}:auth-complete`;
+          const syntheticEvent = {
+            sender: {
+              sender_id: { open_id: senderOpenId }
+            },
+            message: {
+              message_id: syntheticMsgId,
+              chat_id: chatId,
+              chat_type: ticket.chatType ?? "p2p",
+              message_type: "text",
+              content: JSON.stringify({
+                text: "\u6211\u5DF2\u5B8C\u6210\u98DE\u4E66\u8D26\u53F7\u6388\u6743\uFF0C\u8BF7\u7EE7\u7EED\u6267\u884C\u4E4B\u524D\u7684\u64CD\u4F5C\u3002"
+              }),
+              thread_id: ticket.threadId
+            }
+          };
+          const syntheticRuntime = {
+            log: (msg) => log.info(msg),
+            error: (msg) => log.error(msg)
+          };
+          const { status, promise } = enqueueFeishuChatTask({
+            accountId,
+            chatId,
+            threadId: ticket.threadId,
+            task: async () => {
+              await withTicket(
+                {
+                  messageId: syntheticMsgId,
+                  chatId,
+                  accountId,
+                  startTime: Date.now(),
+                  senderOpenId,
+                  chatType: ticket.chatType,
+                  threadId: ticket.threadId
+                },
+                () => handleFeishuMessage({
+                  cfg,
+                  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                  event: syntheticEvent,
+                  accountId,
+                  forceMention: true,
+                  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                  runtime: syntheticRuntime,
+                  replyToMessageId: ticket.messageId
+                })
+              );
+            }
+          });
+          log.info(`synthetic message queued (${status})`);
+          await promise;
+          log.info("synthetic message dispatched after successful auth");
+        } catch (e) {
+          log.warn(`failed to send synthetic message after auth: ${e}`);
+        }
+    } else {
+      try {
+        await updateCardKitCardForAuth({
+          cfg,
+          cardId,
+          card: buildAuthFailedCard(result.message),
+          sequence: ++seq,
+          accountId
+        });
+      } catch (e) {
+        log.warn(`failed to update card to failure: ${e}`);
+      }
+      pendingFlows.delete(flowKey);
+      pendingFlowDelete = true;
+    }
+  }).catch((err) => {
+    log.error(`polling error: ${err}`);
+  }).finally(() => {
+    if (!pendingFlowDelete) {
+      if (pendingFlows.get(flowKey) === currentFlow) {
+        pendingFlows.delete(flowKey);
+      }
+    }
+  });
+  const scopeCount = filteredScope.split(/\s+/).filter(Boolean).length;
+  let message = isBatchAuth ? `\u5DF2\u53D1\u9001\u6279\u91CF\u6388\u6743\u8BF7\u6C42\u5361\u7247\uFF0C\u5171\u9700\u6388\u6743 ${scopeCount} \u4E2A\u6743\u9650\u3002\u8BF7\u5728\u5361\u7247\u4E2D\u5B8C\u6210\u6388\u6743\u3002` : "\u5DF2\u53D1\u9001\u6388\u6743\u8BF7\u6C42\u5361\u7247\uFF0C\u8BF7\u7528\u6237\u5728\u5361\u7247\u4E2D\u70B9\u51FB\u94FE\u63A5\u5B8C\u6210\u6388\u6743\u3002\u6388\u6743\u5B8C\u6210\u540E\u8BF7\u91CD\u65B0\u6267\u884C\u4E4B\u524D\u7684\u64CD\u4F5C\u3002";
+  if (batchInfo) {
+    message += batchInfo;
+  }
+  if (unavailableScopes.length > 0) {
+    const permissionUrl = `https://open.feishu.cn/app/${appId}/permission`;
+    message += `
+
+\u26A0\uFE0F **\u6CE8\u610F**\uFF1A\u4EE5\u4E0B\u6743\u9650\u56E0\u5E94\u7528\u672A\u5F00\u901A\u800C\u88AB\u8DF3\u8FC7\uFF0C\u5982\u9700\u4F7F\u7528\u8BF7\u5148\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\uFF1A
+${unavailableScopes.map((s) => `- ${s}`).join("\n")}
+
+\u6743\u9650\u7BA1\u7406\u5730\u5740\uFF1A${permissionUrl}`;
+  }
+  return json({
+    success: true,
+    message,
+    awaiting_authorization: true,
+    filtered_scopes: unavailableScopes.length > 0 ? unavailableScopes : void 0,
+    app_permission_url: unavailableScopes.length > 0 ? `https://open.feishu.cn/app/${appId}/permission` : void 0
+  });
+}
+export {
+  executeAuthorize,
+  registerFeishuOAuthTool
+};
+//# sourceMappingURL=oauth.js.map

package/dist/src/tools/oauth.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/tools/oauth.ts"],
+  "sourcesContent": ["/**\n * Copyright (c) 2026 ByteDance Ltd. and/or its affiliates\n * SPDX-License-Identifier: MIT\n *\n * feishu_oauth tool \u2014 User OAuth authorisation management.\n *\n * Actions:\n *   - authorize : Initiate Device Flow, send auth card, poll for token.\n *   - status    : Check whether the current user has a valid UAT.\n *   - revoke    : Remove the current user's stored UAT.\n *\n * Security:\n *   - **Does not** accept a `user_open_id` parameter.  The target user is\n *     always the message sender, obtained from the LarkTicket.\n *   - Token values are never included in the return payload (AI cannot see\n *     them).\n */\n\nimport type { OpenClawPluginApi, ClawdbotConfig } from 'openclaw/plugin-sdk';\nimport type { ConfiguredLarkAccount } from '../core/types';\nimport { Type } from '@sinclair/typebox';\nimport { getLarkAccount } from '../core/accounts';\nimport { assertOwnerAccessStrict, OwnerAccessDeniedError } from '../core/owner-policy';\nimport { LarkClient } from '../core/lark-client';\nimport { getAppGrantedScopes } from '../core/app-scope-checker';\nimport type { LarkTicket } from '../core/lark-ticket';\nimport { getTicket, withTicket } from '../core/lark-ticket';\nimport { larkLogger } from '../core/lark-logger';\n\nconst log = larkLogger('tools/oauth');\nimport { handleFeishuMessage } from '../messaging/inbound/handler';\nimport { formatLarkError } from '../core/api-error';\nimport { enqueueFeishuChatTask } from '../channel/chat-queue';\nimport { requestDeviceAuthorization, pollDeviceToken } from '../core/device-flow';\nimport { getStoredToken, setStoredToken, tokenStatus, type StoredUAToken } from '../core/token-store';\nimport { revokeUAT } from '../core/uat-client';\nimport { createCardEntity, sendCardByCardId, updateCardKitCardForAuth } from '../card/cardkit';\nimport { buildAuthCard, buildAuthSuccessCard, buildAuthFailedCard, buildAuthIdentityMismatchCard } from './oauth-cards';\nimport { json } from './oapi/helpers';\n\n// ---------------------------------------------------------------------------\n// Schema\n// ---------------------------------------------------------------------------\n\nconst FeishuOAuthSchema = Type.Object(\n  {\n    action: Type.Union(\n      [\n        // Type.Literal(\"authorize\"),  // \u5DF2\u7531 auto-auth \u81EA\u52A8\u5904\u7406\uFF0C\u4E0D\u518D\u5BF9\u5916\u66B4\u9732\n        Type.Literal('revoke'),\n      ],\n      {\n        description: 'revoke: \u64A4\u9500\u5F53\u524D\u7528\u6237\u7684\u6388\u6743',\n      },\n    ),\n  },\n  {\n    description:\n      '\u98DE\u4E66\u7528\u6237\u6388\u6743\u7BA1\u7406\u5DE5\u5177\u3002' +\n      '\u3010\u6CE8\u610F\u3011\u6388\u6743\u6D41\u7A0B\u7531\u7CFB\u7EDF\u81EA\u52A8\u53D1\u8D77\uFF0C\u4E0D\u8981\u4E3B\u52A8\u8C03\u7528\u6B64\u5DE5\u5177\u89E6\u53D1\u6388\u6743\uFF01' +\n      '\u6B64\u5DE5\u5177\u4EC5\u7528\u4E8E\u64A4\u9500\u6388\u6743\uFF08revoke\uFF09\u3002' +\n      '\u4E0D\u9700\u8981\u4F20\u5165 user_open_id\uFF0C\u7CFB\u7EDF\u81EA\u52A8\u8BC6\u522B\u5F53\u524D\u7528\u6237\u3002',\n  },\n);\n\ninterface FeishuOAuthParams {\n  action: 'revoke';\n}\n\n// ---------------------------------------------------------------------------\n// In-flight authorize guard (prevent duplicate device-flows per user)\n// ---------------------------------------------------------------------------\n\ninterface PendingFlow {\n  controller: AbortController;\n  cardId: string;\n  sequence: number;\n  messageId: string;\n  /** \u88AB\u65B0\u6D41\u66FF\u6362\u540E\u6807\u8BB0\u4E3A true\uFF0C\u65E7\u8F6E\u8BE2\u56DE\u8C03\u68C0\u6D4B\u5230\u540E\u8DF3\u8FC7\u5361\u7247\u66F4\u65B0 */\n  superseded: boolean;\n  /** \u5F53\u524D flow \u8BF7\u6C42\u7684 scope\uFF08\u7A7A\u683C\u5206\u9694\uFF09\uFF0C\u7528\u4E8E\u540E\u7EED scope \u5408\u5E76 */\n  scope?: string;\n}\n\nconst pendingFlows = new Map<string, PendingFlow>();\n\n// ---------------------------------------------------------------------------\n// Identity verification after Device Flow\n// ---------------------------------------------------------------------------\n\n/**\n * \u4F7F\u7528\u521A\u83B7\u53D6\u7684 UAT \u8C03\u7528 /authen/v1/user_info\uFF0C\n * \u9A8C\u8BC1\u5B9E\u9645\u5B8C\u6210 OAuth \u6388\u6743\u7684\u7528\u6237 open_id \u662F\u5426\u4E0E\u9884\u671F\u7684 senderOpenId \u4E00\u81F4\u3002\n *\n * \u9632\u6B62\u7FA4\u804A\u4E2D\u5176\u4ED6\u7528\u6237\u70B9\u51FB\u6388\u6743\u94FE\u63A5\u540E\uFF0C\u9519\u8BEF\u7684 UAT \u88AB\u7ED1\u5B9A\u5230 owner \u7684\u8EAB\u4EFD\u3002\n */\nasync function verifyTokenIdentity(\n  brand: string,\n  accessToken: string,\n  expectedOpenId: string,\n): Promise<{ valid: boolean; actualOpenId?: string }> {\n  const domain = brand === 'lark' ? 'https://open.larksuite.com' : 'https://open.feishu.cn';\n  const url = `${domain}/open-apis/authen/v1/user_info`;\n\n  try {\n    const res = await fetch(url, {\n      headers: { Authorization: `Bearer ${accessToken}` },\n    });\n    const data = (await res.json()) as {\n      code?: number;\n      msg?: string;\n      data?: { open_id?: string };\n    };\n    if (data.code !== 0) {\n      log.warn(`user_info API error: code=${data.code}, msg=${data.msg}`);\n      return { valid: false };\n    }\n    const actualOpenId = data.data?.open_id;\n    if (!actualOpenId) {\n      log.warn('user_info API returned no open_id');\n      return { valid: false };\n    }\n    return {\n      valid: actualOpenId === expectedOpenId,\n      actualOpenId,\n    };\n  } catch (err) {\n    log.warn(`identity verification request failed: ${err}`);\n    return { valid: false };\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Registration\n// ---------------------------------------------------------------------------\n\nexport function registerFeishuOAuthTool(api: OpenClawPluginApi) {\n  if (!api.config) return;\n\n  const cfg = api.config;\n\n  api.registerTool(\n    {\n      name: 'feishu_oauth',\n      label: 'Feishu OAuth',\n      description:\n        '\u98DE\u4E66\u7528\u6237\u6388\u6743\uFF08OAuth\uFF09\u7BA1\u7406\u5DE5\u5177\u3002' +\n        '\u3010\u6CE8\u610F\u3011\u6388\u6743\u6D41\u7A0B\u7531\u7CFB\u7EDF\u81EA\u52A8\u53D1\u8D77\uFF0C\u4E0D\u8981\u4E3B\u52A8\u8C03\u7528\u6B64\u5DE5\u5177\u89E6\u53D1\u6388\u6743\uFF01' +\n        '\u6B64\u5DE5\u5177\u4EC5\u7528\u4E8E revoke\uFF08\u64A4\u9500\u5F53\u524D\u7528\u6237\u7684\u6388\u6743\uFF09\u3002' +\n        '\u4E0D\u9700\u8981\u4F20\u5165 user_open_id\uFF0C\u7CFB\u7EDF\u81EA\u52A8\u4ECE\u6D88\u606F\u4E0A\u4E0B\u6587\u83B7\u53D6\u5F53\u524D\u7528\u6237\u3002' +\n        '\u3010Token \u8FC7\u671F\u5904\u7406\u3011\u5F53\u8FD4\u56DE token_expired \u9519\u8BEF\u65F6\uFF0C\u8C03\u7528 revoke \u64A4\u9500\u540E\uFF0C\u7CFB\u7EDF\u4F1A\u81EA\u52A8\u91CD\u65B0\u53D1\u8D77\u6388\u6743\u6D41\u7A0B\u3002',\n      parameters: FeishuOAuthSchema,\n\n      async execute(_toolCallId: string, params: unknown) {\n        const p = params as FeishuOAuthParams;\n\n        // Resolve identity from trace context (set in monitor.ts).\n        const ticket = getTicket();\n        const senderOpenId = ticket?.senderOpenId;\n        if (!senderOpenId) {\n          return json({\n            error: '\u65E0\u6CD5\u83B7\u53D6\u5F53\u524D\u7528\u6237\u8EAB\u4EFD\uFF08senderOpenId\uFF09\uFF0C\u8BF7\u5728\u98DE\u4E66\u5BF9\u8BDD\u4E2D\u4F7F\u7528\u6B64\u5DE5\u5177\u3002',\n          });\n        }\n\n        // Use the accountId from LarkTicket to resolve the correct account\n        // (important for multi-account setups like prod + boe).\n        const acct = getLarkAccount(cfg, ticket.accountId);\n        if (!acct.configured) {\n          return json({\n            error: `\u8D26\u53F7 ${ticket.accountId} \u7F3A\u5C11 appId \u6216 appSecret \u914D\u7F6E`,\n          });\n        }\n        const account = acct; // Now we know it's ConfiguredLarkAccount\n\n        try {\n          switch (p.action) {\n            // ---------------------------------------------------------------\n            // AUTHORIZE \u2014 \u5DF2\u7531 auto-auth \u81EA\u52A8\u5904\u7406\uFF0C\u6B64\u5206\u652F\u4E0D\u518D\u5BF9\u5916\u66B4\u9732\n            // ---------------------------------------------------------------\n            // case \"authorize\": {\n            //   return await executeAuthorize({\n            //     account,\n            //     senderOpenId,\n            //     scope: p.scope || \"\",\n            //     isBatchAuth: false,\n            //     cfg,\n            //     ticket,\n            //   });\n            // }\n\n            // ---------------------------------------------------------------\n            // STATUS\n            // ---------------------------------------------------------------\n            // case \"status\": {\n            //   const status = await getUATStatus(account.appId, senderOpenId);\n            //   return json({\n            //     authorized: status.authorized,\n            //     scope: status.scope,\n            //     token_status: status.tokenStatus,\n            //     granted_at: status.grantedAt\n            //       ? new Date(status.grantedAt).toISOString()\n            //       : undefined,\n            //     expires_at: status.expiresAt\n            //       ? new Date(status.expiresAt).toISOString()\n            //       : undefined,\n            //   });\n            // }\n\n            // ---------------------------------------------------------------\n            // REVOKE\n            // ---------------------------------------------------------------\n            case 'revoke': {\n              await revokeUAT(account.appId, senderOpenId);\n              return json({ success: true, message: '\u7528\u6237\u6388\u6743\u5DF2\u64A4\u9500\u3002' });\n            }\n\n            default:\n              // eslint-disable-next-line @typescript-eslint/no-explicit-any\n              return json({ error: `\u672A\u77E5\u64CD\u4F5C: ${(p as any).action}` });\n          }\n        } catch (err) {\n          log.error(`${p.action} failed: ${err}`);\n          return json({ error: formatLarkError(err) });\n        }\n      },\n    },\n    { name: 'feishu_oauth' },\n  );\n\n  api.logger.info?.('feishu_oauth: Registered feishu_oauth tool');\n}\n\n// ---------------------------------------------------------------------------\n// Shared authorize logic (used by both feishu_oauth and feishu_oauth_batch_auth)\n// ---------------------------------------------------------------------------\n\nexport interface ExecuteAuthorizeParams {\n  account: ConfiguredLarkAccount;\n  senderOpenId: string;\n  scope: string;\n  isBatchAuth?: boolean;\n  totalAppScopes?: number;\n  alreadyGranted?: number;\n  batchInfo?: string; // \u5206\u6279\u6388\u6743\u63D0\u793A\u4FE1\u606F\n  skipSyntheticMessage?: boolean; // true \u65F6\u8DF3\u8FC7\u5408\u6210\u6D88\u606F\u53D1\u9001\uFF08onboarding \u573A\u666F\uFF09\n  showBatchAuthHint?: boolean; // true \u65F6\u5728\u6388\u6743\u5361\u7247\u5E95\u90E8\u5C55\u793A\"\u6388\u4E88\u6240\u6709\u7528\u6237\u6743\u9650\"\u63D0\u793A\uFF08\u4EC5 auto-auth \u6D41\u7A0B\uFF09\n  forceAuth?: boolean; // true \u65F6\u8DF3\u8FC7\u672C\u5730 token \u7F13\u5B58\u68C0\u67E5\uFF0C\u5F3A\u5236\u53D1\u8D77\u65B0 Device Flow\uFF08AppScopeMissing \u573A\u666F\u4E13\u7528\uFF09\n  onAuthComplete?: () => void | Promise<void>; // \u6388\u6743\u5B8C\u6210\u56DE\u8C03\uFF08\u7528\u4E8E\u6279\u91CF\u6388\u6743\u94FE\u5F0F\u89E6\u53D1\uFF09\n  cfg: ClawdbotConfig;\n  ticket: LarkTicket | undefined;\n}\n\n/**\n * \u6267\u884C OAuth \u6388\u6743\u6D41\u7A0B\uFF08Device Flow\uFF09\n * \u53EF\u88AB feishu_oauth \u548C feishu_oauth_batch_auth \u5171\u4EAB\u8C03\u7528\n */\nexport async function executeAuthorize(\n  params: ExecuteAuthorizeParams,\n): Promise<{ content: Array<{ type: 'text'; text: string }>; details: unknown }> {\n  const {\n    account,\n    senderOpenId,\n    scope,\n    isBatchAuth,\n    totalAppScopes,\n    alreadyGranted,\n    batchInfo,\n    skipSyntheticMessage,\n    showBatchAuthHint,\n    forceAuth,\n    onAuthComplete,\n    cfg,\n    ticket,\n  } = params;\n  const { appId, appSecret, brand, accountId } = account;\n\n  // 0. Check if the user is the app owner (fail-close: \u5B89\u5168\u4F18\u5148).\n  const sdk = LarkClient.fromAccount(account).sdk;\n  try {\n    await assertOwnerAccessStrict(account, sdk, senderOpenId);\n  } catch (err) {\n    if (err instanceof OwnerAccessDeniedError) {\n      log.warn(`non-owner user ${senderOpenId} attempted to authorize`);\n      return json({\n        error: 'permission_denied',\n        message: '\u5F53\u524D\u5E94\u7528\u4EC5\u9650\u6240\u6709\u8005\uFF08App Owner\uFF09\u4F7F\u7528\u3002\u60A8\u6CA1\u6709\u6743\u9650\u53D1\u8D77\u6388\u6743\uFF0C\u65E0\u6CD5\u4F7F\u7528\u76F8\u5173\u529F\u80FD\u3002',\n      });\n    }\n    throw err;\n  }\n\n  // effectiveScope\uFF1A\u53EF\u53D8 scope \u53D8\u91CF\uFF0C\u540E\u7EED\u53EF\u80FD\u56E0 pendingFlow \u5408\u5E76\u800C\u6269\u5927\n  let effectiveScope = scope;\n\n  // 1. Check if user already authorised + scope coverage.\n  // forceAuth=true \u65F6\u8DF3\u8FC7\u7F13\u5B58\u68C0\u67E5\uFF0C\u76F4\u63A5\u53D1\u8D77\u65B0 Device Flow\u3002\n  // \u7528\u4E8E AppScopeMissing \u573A\u666F\uFF1A\u5E94\u7528\u6743\u9650\u521A\u88AB\u79FB\u9664\u518D\u8865\u56DE\uFF0C\u672C\u5730 UAT \u7F13\u5B58\u7684 scope \u72B6\u6001\u4E0D\u53EF\u4FE1\u3002\n  const existing = forceAuth ? null : await getStoredToken(appId, senderOpenId);\n  if (existing && tokenStatus(existing) !== 'expired') {\n    // \u5982\u679C\u8BF7\u6C42\u4E86\u7279\u5B9A scope\uFF0C\u68C0\u67E5\u662F\u5426\u5DF2\u8986\u76D6\n    if (effectiveScope) {\n      const requestedScopes = effectiveScope.split(/\\s+/).filter(Boolean);\n      const grantedScopes = new Set((existing.scope ?? '').split(/\\s+/).filter(Boolean));\n      const missingScopes = requestedScopes.filter((s) => !grantedScopes.has(s));\n\n      if (missingScopes.length > 0) {\n        // scope \u4E0D\u8DB3 \u2192 \u7EE7\u7EED\u8D70 Device Flow\uFF08\u98DE\u4E66 OAuth \u662F\u589E\u91CF\u6388\u6743\uFF09\n        log.info(`existing token missing scopes [${missingScopes.join(', ')}], starting incremental auth`);\n        // \u4E0D revoke \u65E7 token\uFF0C\u76F4\u63A5\u7528\u7F3A\u5931\u7684 scope \u53D1\u8D77\u65B0 Device Flow\n        // \u98DE\u4E66\u4F1A\u7D2F\u79EF\u6388\u6743\uFF0C\u65B0 token \u5305\u542B\u65E7 + \u65B0 scope\n        // \u7EE7\u7EED\u6267\u884C\u4E0B\u9762\u7684 Device Flow \u903B\u8F91\n      } else {\n        if (onAuthComplete) {\n          try {\n            await onAuthComplete();\n          } catch (e) {\n            log.warn(`onAuthComplete failed: ${e}`);\n          }\n        }\n        return json({\n          success: true,\n          message: '\u7528\u6237\u5DF2\u6388\u6743\uFF0Cscope \u5DF2\u8986\u76D6\u3002',\n          authorized: true,\n          scope: existing.scope,\n        });\n      }\n    } else {\n      if (onAuthComplete) {\n        try {\n          await onAuthComplete();\n        } catch (e) {\n          log.warn(`onAuthComplete failed: ${e}`);\n        }\n      }\n      return json({\n        success: true,\n        message: '\u7528\u6237\u5DF2\u6388\u6743\uFF0C\u65E0\u9700\u91CD\u590D\u6388\u6743\u3002',\n        authorized: true,\n        scope: existing!.scope,\n      });\n    }\n  }\n\n  // 2. Guard against duplicate in-flight flows for this user.\n  const flowKey = `${appId}:${senderOpenId}`;\n  let reuseCardId: string | undefined;\n  let reuseSeq = 0;\n\n  if (pendingFlows.has(flowKey)) {\n    const oldFlow = pendingFlows.get(flowKey)!;\n    const currentMessageId = ticket?.messageId ?? '';\n\n    if (oldFlow.messageId === currentMessageId) {\n      // \u540C\u4E00\u8F6E\u5DE5\u5177\u8C03\u7528\uFF08messageId \u76F8\u540C\uFF09\u2192 \u590D\u7528\u65E7\u5361\u7247\n      oldFlow.superseded = true;\n      oldFlow.controller.abort();\n      reuseCardId = oldFlow.cardId;\n      reuseSeq = oldFlow.sequence;\n      pendingFlows.delete(flowKey);\n\n      // scope \u5408\u5E76\uFF1A\u5C06\u65E7 flow \u7684 scope \u4E0E\u65B0\u8BF7\u6C42\u5408\u5E76\n      if (oldFlow.scope) {\n        const oldScopes = oldFlow.scope.split(/\\s+/).filter(Boolean);\n        const newScopes = effectiveScope?.split(/\\s+/).filter(Boolean) ?? [];\n        const merged = new Set([...oldScopes, ...newScopes]);\n        effectiveScope = [...merged].join(' ');\n        log.info(`scope merge on reuse: [${[...merged].join(', ')}]`);\n      }\n\n      log.info(`same message, replacing flow for user=${senderOpenId}, app=${appId}, reusing cardId=${reuseCardId}`);\n    } else {\n      // \u65B0\u5BF9\u8BDD\uFF08messageId \u4E0D\u540C\uFF09\u2192 \u53D6\u6D88\u65E7\u6D41 + \u65E7\u5361\u7247\u6807\u8BB0\"\u6388\u6743\u672A\u5B8C\u6210\" + \u521B\u5EFA\u65B0\u5361\u7247\n      oldFlow.superseded = true;\n      oldFlow.controller.abort();\n      pendingFlows.delete(flowKey);\n      log.info(`new message, cancelling old flow for user=${senderOpenId}, app=${appId}, old cardId=${oldFlow.cardId}`);\n      // \u6807\u8BB0\u65E7\u5361\u7247\u4E3A\"\u6388\u6743\u672A\u5B8C\u6210\"\n      try {\n        await updateCardKitCardForAuth({\n          cfg,\n          cardId: oldFlow.cardId,\n          card: buildAuthFailedCard('\u65B0\u7684\u6388\u6743\u8BF7\u6C42\u5DF2\u53D1\u8D77'),\n          sequence: oldFlow.sequence + 1,\n          accountId,\n        });\n      } catch (e) {\n        log.warn(`failed to update old card to expired: ${e}`);\n      }\n      // reuseCardId \u4FDD\u6301 undefined\uFF0C\u540E\u7EED\u4F1A\u521B\u5EFA\u65B0\u5361\u7247\n    }\n  }\n\n  // 2.5 \u5E94\u7528 scope \u9884\u68C0\uFF1A\u8FC7\u6EE4\u6389\u5E94\u7528\u672A\u5F00\u901A\u7684 scope\n  let filteredScope = effectiveScope;\n  let unavailableScopes: string[] = [];\n\n  if (effectiveScope) {\n    try {\n      const sdk = LarkClient.fromAccount(account).sdk;\n      const requestedScopes = effectiveScope.split(/\\s+/).filter(Boolean);\n      const appScopes = await getAppGrantedScopes(sdk, appId, 'user');\n\n      const availableScopes = requestedScopes.filter((s) => appScopes.includes(s));\n      unavailableScopes = requestedScopes.filter((s) => !appScopes.includes(s));\n\n      if (unavailableScopes.length > 0) {\n        log.info(`app has not granted scopes [${unavailableScopes.join(', ')}], filtering them out`);\n\n        if (availableScopes.length === 0) {\n          // \u6240\u6709 scope \u90FD\u672A\u5F00\u901A\uFF0C\u76F4\u63A5\u8FD4\u56DE\u9519\u8BEF\n          const permissionUrl = `https://open.feishu.cn/app/${appId}/permission`;\n          return json({\n            error: 'app_scopes_not_granted',\n            message: `\u5E94\u7528\u672A\u5F00\u901A\u4EFB\u4F55\u8BF7\u6C42\u7684\u7528\u6237\u6743\u9650\uFF0C\u65E0\u6CD5\u53D1\u8D77\u6388\u6743\u3002\u8BF7\u5148\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\u4EE5\u4E0B\u6743\u9650\uFF1A\\n${unavailableScopes.map((s) => `- ${s}`).join('\\n')}\\n\\n\u6743\u9650\u7BA1\u7406\u5730\u5740\uFF1A${permissionUrl}`,\n            unavailable_scopes: unavailableScopes,\n            app_permission_url: permissionUrl,\n          });\n        }\n\n        // \u90E8\u5206 scope \u672A\u5F00\u901A\uFF0C\u53EA\u6388\u6743\u5DF2\u5F00\u901A\u7684 scope\n        filteredScope = availableScopes.join(' ');\n        log.info(`proceeding with available scopes [${availableScopes.join(', ')}]`);\n      }\n    } catch (err) {\n      // \u5982\u679C scope \u68C0\u67E5\u5931\u8D25\uFF0C\u8BB0\u5F55\u65E5\u5FD7\u4F46\u7EE7\u7EED\u6267\u884C\uFF08\u964D\u7EA7\u5904\u7406\uFF09\n      log.warn(`failed to check app scopes, proceeding anyway: ${err}`);\n    }\n  }\n\n  // 3. Request device authorisation.\n  const deviceAuth = await requestDeviceAuthorization({\n    appId,\n    appSecret,\n    brand,\n    scope: filteredScope,\n  });\n\n  // 4. Build and send authorisation card.\n  const authCard = buildAuthCard({\n    verificationUriComplete: deviceAuth.verificationUriComplete,\n    expiresMin: Math.round(deviceAuth.expiresIn / 60),\n    scope: filteredScope, // \u4F7F\u7528\u8FC7\u6EE4\u540E\u7684 scope\n    isBatchAuth,\n    totalAppScopes,\n    alreadyGranted,\n    batchInfo,\n    filteredScopes: unavailableScopes.length > 0 ? unavailableScopes : undefined,\n    appId,\n    showBatchAuthHint,\n  });\n\n  let cardId: string;\n  let seq: number;\n  const chatId = ticket?.chatId;\n  if (!chatId || !ticket) {\n    return json({ error: '\u65E0\u6CD5\u786E\u5B9A\u53D1\u9001\u76EE\u6807' });\n  }\n\n  if (reuseCardId) {\n    // \u590D\u7528\u65E7\u5361\u7247\uFF1A\u539F\u5730\u66F4\u65B0\u5185\u5BB9\uFF08scope + \u6388\u6743\u94FE\u63A5\uFF09\uFF0C\u4E0D\u521B\u5EFA\u65B0\u5361\u7247\n    const newSeq = reuseSeq + 1;\n    try {\n      await updateCardKitCardForAuth({\n        cfg,\n        cardId: reuseCardId,\n        card: authCard,\n        sequence: newSeq,\n        accountId,\n      });\n      log.info(`updated existing card ${reuseCardId} with merged scopes, seq=${newSeq}`);\n    } catch (err) {\n      log.warn(`failed to update existing card, creating new one: ${err}`);\n      // \u964D\u7EA7\uFF1A\u521B\u5EFA\u65B0\u5361\u7247\n      const newCardId = await createCardEntity({ cfg, card: authCard, accountId });\n      if (!newCardId) return json({ error: '\u521B\u5EFA\u6388\u6743\u5361\u7247\u5931\u8D25' });\n      if (chatId) {\n        await sendCardByCardId({\n          cfg,\n          to: chatId,\n          cardId: newCardId,\n          replyToMessageId: ticket?.messageId?.startsWith('om_') ? ticket.messageId : undefined,\n          replyInThread: Boolean(ticket?.threadId),\n          accountId,\n        });\n      }\n      cardId = newCardId;\n      seq = 1;\n      reuseCardId = undefined;\n    }\n    if (reuseCardId) {\n      cardId = reuseCardId;\n      seq = newSeq;\n    } else {\n      cardId = cardId!;\n      seq = seq!;\n    }\n  } else {\n    // \u9996\u6B21\u521B\u5EFA\u5361\u7247\n    const newCardId = await createCardEntity({ cfg, card: authCard, accountId });\n    if (!newCardId) {\n      return json({ error: '\u521B\u5EFA\u6388\u6743\u5361\u7247\u5931\u8D25' });\n    }\n\n    await sendCardByCardId({\n      cfg,\n      to: chatId,\n      cardId: newCardId,\n      replyToMessageId: ticket?.messageId?.startsWith('om_') ? ticket.messageId : undefined,\n      replyInThread: Boolean(ticket?.threadId),\n      accountId,\n    });\n\n    cardId = newCardId;\n    seq = 1;\n  }\n\n  // 7. Start background polling.\n  const abortController = new AbortController();\n\n  const currentFlow: PendingFlow = {\n    controller: abortController,\n    cardId,\n    sequence: seq,\n    messageId: ticket?.messageId ?? '',\n    superseded: false,\n    scope: effectiveScope,\n  };\n  pendingFlows.set(flowKey, currentFlow);\n  let pendingFlowDelete = false;\n  // Fire-and-forget \u2013 polling happens asynchronously.\n  pollDeviceToken({\n    appId,\n    appSecret,\n    brand,\n    deviceCode: deviceAuth.deviceCode,\n    interval: deviceAuth.interval,\n    expiresIn: deviceAuth.expiresIn,\n    signal: abortController.signal,\n  })\n    .then(async (result) => {\n      // \u88AB\u65B0\u6D41\u66FF\u6362\u540E\uFF0C\u8DF3\u8FC7\u6240\u6709\u5361\u7247\u66F4\u65B0\uFF0C\u907F\u514D\u8986\u76D6\u65B0\u6D41\u7684\u5361\u7247\u5185\u5BB9\n      if (currentFlow.superseded) {\n        log.info(`flow superseded, skipping card update for cardId=${cardId}`);\n        return;\n      }\n      if (result.ok) {\n        // ===== \u8EAB\u4EFD\u6821\u9A8C\uFF1A\u9A8C\u8BC1\u5B9E\u9645\u6388\u6743\u7528\u6237\u4E0E\u53D1\u8D77\u4EBA\u4E00\u81F4 =====\n        const identity = await verifyTokenIdentity(brand, result.token.accessToken, senderOpenId);\n        if (!identity.valid) {\n          log.warn(\n            `identity mismatch! expected=${senderOpenId}, ` +\n              `actual=${identity.actualOpenId ?? 'unknown'}, cardId=${cardId}`,\n          );\n          try {\n            await updateCardKitCardForAuth({\n              cfg,\n              cardId,\n              card: buildAuthIdentityMismatchCard(),\n              sequence: ++seq,\n              accountId,\n            });\n          } catch (e) {\n            log.warn(`failed to update card for identity mismatch: ${e}`);\n          }\n          pendingFlows.delete(flowKey);\n          pendingFlowDelete = true;\n          return;\n        }\n        // ===== \u8EAB\u4EFD\u6821\u9A8C\u901A\u8FC7\uFF0C\u7EE7\u7EED\u4FDD\u5B58 token =====\n\n        // Save token to Keychain.\n        const now = Date.now();\n        const storedToken: StoredUAToken = {\n          userOpenId: senderOpenId,\n          appId,\n          accessToken: result.token.accessToken,\n          refreshToken: result.token.refreshToken,\n          expiresAt: now + result.token.expiresIn * 1000,\n          refreshExpiresAt: now + result.token.refreshExpiresIn * 1000,\n          scope: result.token.scope,\n          grantedAt: now,\n        };\n        await setStoredToken(storedToken);\n\n        // 1. Update card \u2192 success immediately so user sees\n        //    visual confirmation right away.\n        try {\n          await updateCardKitCardForAuth({\n            cfg,\n            cardId,\n            card: buildAuthSuccessCard(),\n            sequence: ++seq,\n            accountId,\n          });\n        } catch (e) {\n          log.warn(`failed to update card to success: ${e}`);\n        }\n        // \u5220\u9664 pending flow\n        pendingFlows.delete(flowKey);\n        pendingFlowDelete = true;\n\n        // 2. Send synthetic message to notify AI that auth is\n        //    complete, so it can automatically retry the operation.\n        //    Skip when called from onboarding (no AI context to retry).\n        // \u8C03\u7528 onAuthComplete \u56DE\u8C03\uFF08\u7528\u4E8E onboarding \u6279\u91CF\u6388\u6743\u94FE\u5F0F\u89E6\u53D1\uFF09\n        if (onAuthComplete) {\n          try {\n            await onAuthComplete();\n          } catch (e) {\n            log.warn(`onAuthComplete failed: ${e}`);\n          }\n        }\n\n        if (skipSyntheticMessage) {\n          log.info('skipSyntheticMessage=true, skipping synthetic message');\n        } else\n          try {\n            // Use a unique message_id for MessageSid (avoids SDK dedup),\n            // but pass the real message ID as replyToMessageId so that\n            // typing indicators, reply-to threading, and delivery work.\n            const syntheticMsgId = `${ticket.messageId}:auth-complete`;\n\n            const syntheticEvent = {\n              sender: {\n                sender_id: { open_id: senderOpenId },\n              },\n              message: {\n                message_id: syntheticMsgId,\n                chat_id: chatId,\n                chat_type: ticket.chatType ?? ('p2p' as const),\n                message_type: 'text',\n                content: JSON.stringify({\n                  text: '\u6211\u5DF2\u5B8C\u6210\u98DE\u4E66\u8D26\u53F7\u6388\u6743\uFF0C\u8BF7\u7EE7\u7EED\u6267\u884C\u4E4B\u524D\u7684\u64CD\u4F5C\u3002',\n                }),\n                thread_id: ticket.threadId,\n              },\n            };\n\n            // Provide a minimal runtime so reply-dispatcher\n            // does not crash on `params.runtime.log?.()`.\n            const syntheticRuntime = {\n              log: (msg: string) => log.info(msg),\n              error: (msg: string) => log.error(msg),\n            };\n\n            const { status, promise } = enqueueFeishuChatTask({\n              accountId,\n              chatId,\n              threadId: ticket.threadId,\n              task: async () => {\n                await withTicket(\n                  {\n                    messageId: syntheticMsgId,\n                    chatId,\n                    accountId,\n                    startTime: Date.now(),\n                    senderOpenId,\n                    chatType: ticket.chatType,\n                    threadId: ticket.threadId,\n                  },\n                  () =>\n                    handleFeishuMessage({\n                      cfg,\n                      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n                      event: syntheticEvent as any,\n                      accountId,\n                      forceMention: true,\n                      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n                      runtime: syntheticRuntime as any,\n                      replyToMessageId: ticket.messageId,\n                    }),\n                );\n              },\n            });\n\n            log.info(`synthetic message queued (${status})`);\n            await promise;\n            log.info('synthetic message dispatched after successful auth');\n          } catch (e) {\n            log.warn(`failed to send synthetic message after auth: ${e}`);\n          }\n      } else {\n        // Update card \u2192 failure.\n        try {\n          await updateCardKitCardForAuth({\n            cfg,\n            cardId,\n            card: buildAuthFailedCard(result.message),\n            sequence: ++seq,\n            accountId,\n          });\n        } catch (e) {\n          log.warn(`failed to update card to failure: ${e}`);\n        }\n        // \u5220\u9664 pending flow\n        pendingFlows.delete(flowKey);\n        pendingFlowDelete = true;\n      }\n    })\n    .catch((err) => {\n      log.error(`polling error: ${err}`);\n    })\n    .finally(() => {\n      if (!pendingFlowDelete) {\n        // \u53EA\u5728\u5F53\u524D flow \u4ECD\u662F\u6CE8\u518C\u7684\u90A3\u4E2A\u65F6\u624D\u5220\u9664\uFF0C\u907F\u514D\u65E7\u6D41\u8BEF\u5220\u65B0\u6D41\u7684 entry\n        if (pendingFlows.get(flowKey) === currentFlow) {\n          pendingFlows.delete(flowKey);\n        }\n      }\n    });\n\n  const scopeCount = filteredScope.split(/\\s+/).filter(Boolean).length;\n  let message = isBatchAuth\n    ? `\u5DF2\u53D1\u9001\u6279\u91CF\u6388\u6743\u8BF7\u6C42\u5361\u7247\uFF0C\u5171\u9700\u6388\u6743 ${scopeCount} \u4E2A\u6743\u9650\u3002\u8BF7\u5728\u5361\u7247\u4E2D\u5B8C\u6210\u6388\u6743\u3002`\n    : '\u5DF2\u53D1\u9001\u6388\u6743\u8BF7\u6C42\u5361\u7247\uFF0C\u8BF7\u7528\u6237\u5728\u5361\u7247\u4E2D\u70B9\u51FB\u94FE\u63A5\u5B8C\u6210\u6388\u6743\u3002\u6388\u6743\u5B8C\u6210\u540E\u8BF7\u91CD\u65B0\u6267\u884C\u4E4B\u524D\u7684\u64CD\u4F5C\u3002';\n\n  if (batchInfo) {\n    message += batchInfo;\n  }\n\n  // \u5982\u679C\u6709\u88AB\u8FC7\u6EE4\u7684 scope\uFF0C\u6DFB\u52A0\u63D0\u793A\u4FE1\u606F\n  if (unavailableScopes.length > 0) {\n    const permissionUrl = `https://open.feishu.cn/app/${appId}/permission`;\n    message += `\\n\\n\u26A0\uFE0F **\u6CE8\u610F**\uFF1A\u4EE5\u4E0B\u6743\u9650\u56E0\u5E94\u7528\u672A\u5F00\u901A\u800C\u88AB\u8DF3\u8FC7\uFF0C\u5982\u9700\u4F7F\u7528\u8BF7\u5148\u5728\u5F00\u653E\u5E73\u53F0\u5F00\u901A\uFF1A\\n${unavailableScopes.map((s) => `- ${s}`).join('\\n')}\\n\\n\u6743\u9650\u7BA1\u7406\u5730\u5740\uFF1A${permissionUrl}`;\n  }\n\n  return json({\n    success: true,\n    message,\n    awaiting_authorization: true,\n    filtered_scopes: unavailableScopes.length > 0 ? unavailableScopes : undefined,\n    app_permission_url: unavailableScopes.length > 0 ? `https://open.feishu.cn/app/${appId}/permission` : undefined,\n  });\n}\n"],
+  "mappings": "AAoBA,SAAS,YAAY;AACrB,SAAS,sBAAsB;AAC/B,SAAS,yBAAyB,8BAA8B;AAChE,SAAS,kBAAkB;AAC3B,SAAS,2BAA2B;AAEpC,SAAS,WAAW,kBAAkB;AACtC,SAAS,kBAAkB;AAE3B,MAAM,MAAM,WAAW,aAAa;AACpC,SAAS,2BAA2B;AACpC,SAAS,uBAAuB;AAChC,SAAS,6BAA6B;AACtC,SAAS,4BAA4B,uBAAuB;AAC5D,SAAS,gBAAgB,gBAAgB,mBAAuC;AAChF,SAAS,iBAAiB;AAC1B,SAAS,kBAAkB,kBAAkB,gCAAgC;AAC7E,SAAS,eAAe,sBAAsB,qBAAqB,qCAAqC;AACxG,SAAS,YAAY;AAMrB,MAAM,oBAAoB,KAAK;AAAA,EAC7B;AAAA,IACE,QAAQ,KAAK;AAAA,MACX;AAAA;AAAA,QAEE,KAAK,QAAQ,QAAQ;AAAA,MACvB;AAAA,MACA;AAAA,QACE,aAAa;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAAA,EACA;AAAA,IACE,aACE;AAAA,EAIJ;AACF;AAqBA,MAAM,eAAe,oBAAI,IAAyB;AAYlD,eAAe,oBACb,OACA,aACA,gBACoD;AACpD,QAAM,SAAS,UAAU,SAAS,+BAA+B;AACjE,QAAM,MAAM,GAAG,MAAM;AAErB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,KAAK;AAAA,MAC3B,SAAS,EAAE,eAAe,UAAU,WAAW,GAAG;AAAA,IACpD,CAAC;AACD,UAAM,OAAQ,MAAM,IAAI,KAAK;AAK7B,QAAI,KAAK,SAAS,GAAG;AACnB,UAAI,KAAK,6BAA6B,KAAK,IAAI,SAAS,KAAK,GAAG,EAAE;AAClE,aAAO,EAAE,OAAO,MAAM;AAAA,IACxB;AACA,UAAM,eAAe,KAAK,MAAM;AAChC,QAAI,CAAC,cAAc;AACjB,UAAI,KAAK,mCAAmC;AAC5C,aAAO,EAAE,OAAO,MAAM;AAAA,IACxB;AACA,WAAO;AAAA,MACL,OAAO,iBAAiB;AAAA,MACxB;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,QAAI,KAAK,yCAAyC,GAAG,EAAE;AACvD,WAAO,EAAE,OAAO,MAAM;AAAA,EACxB;AACF;AAMO,SAAS,wBAAwB,KAAwB;AAC9D,MAAI,CAAC,IAAI,OAAQ;AAEjB,QAAM,MAAM,IAAI;AAEhB,MAAI;AAAA,IACF;AAAA,MACE,MAAM;AAAA,MACN,OAAO;AAAA,MACP,aACE;AAAA,MAKF,YAAY;AAAA,MAEZ,MAAM,QAAQ,aAAqB,QAAiB;AAClD,cAAM,IAAI;AAGV,cAAM,SAAS,UAAU;AACzB,cAAM,eAAe,QAAQ;AAC7B,YAAI,CAAC,cAAc;AACjB,iBAAO,KAAK;AAAA,YACV,OAAO;AAAA,UACT,CAAC;AAAA,QACH;AAIA,cAAM,OAAO,eAAe,KAAK,OAAO,SAAS;AACjD,YAAI,CAAC,KAAK,YAAY;AACpB,iBAAO,KAAK;AAAA,YACV,OAAO,gBAAM,OAAO,SAAS;AAAA,UAC/B,CAAC;AAAA,QACH;AACA,cAAM,UAAU;AAEhB,YAAI;AACF,kBAAQ,EAAE,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,YAoChB,KAAK,UAAU;AACb,oBAAM,UAAU,QAAQ,OAAO,YAAY;AAC3C,qBAAO,KAAK,EAAE,SAAS,MAAM,SAAS,mDAAW,CAAC;AAAA,YACpD;AAAA,YAEA;AAEE,qBAAO,KAAK,EAAE,OAAO,6BAAU,EAAU,MAAM,GAAG,CAAC;AAAA,UACvD;AAAA,QACF,SAAS,KAAK;AACZ,cAAI,MAAM,GAAG,EAAE,MAAM,YAAY,GAAG,EAAE;AACtC,iBAAO,KAAK,EAAE,OAAO,gBAAgB,GAAG,EAAE,CAAC;AAAA,QAC7C;AAAA,MACF;AAAA,IACF;AAAA,IACA,EAAE,MAAM,eAAe;AAAA,EACzB;AAEA,MAAI,OAAO,OAAO,4CAA4C;AAChE;AA0BA,eAAsB,iBACpB,QAC+E;AAC/E,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI;AACJ,QAAM,EAAE,OAAO,WAAW,OAAO,UAAU,IAAI;AAG/C,QAAM,MAAM,WAAW,YAAY,OAAO,EAAE;AAC5C,MAAI;AACF,UAAM,wBAAwB,SAAS,KAAK,YAAY;AAAA,EAC1D,SAAS,KAAK;AACZ,QAAI,eAAe,wBAAwB;AACzC,UAAI,KAAK,kBAAkB,YAAY,yBAAyB;AAChE,aAAO,KAAK;AAAA,QACV,OAAO;AAAA,QACP,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AACA,UAAM;AAAA,EACR;AAGA,MAAI,iBAAiB;AAKrB,QAAM,WAAW,YAAY,OAAO,MAAM,eAAe,OAAO,YAAY;AAC5E,MAAI,YAAY,YAAY,QAAQ,MAAM,WAAW;AAEnD,QAAI,gBAAgB;AAClB,YAAM,kBAAkB,eAAe,MAAM,KAAK,EAAE,OAAO,OAAO;AAClE,YAAM,gBAAgB,IAAI,KAAK,SAAS,SAAS,IAAI,MAAM,KAAK,EAAE,OAAO,OAAO,CAAC;AACjF,YAAM,gBAAgB,gBAAgB,OAAO,CAAC,MAAM,CAAC,cAAc,IAAI,CAAC,CAAC;AAEzE,UAAI,cAAc,SAAS,GAAG;AAE5B,YAAI,KAAK,kCAAkC,cAAc,KAAK,IAAI,CAAC,8BAA8B;AAAA,MAInG,OAAO;AACL,YAAI,gBAAgB;AAClB,cAAI;AACF,kBAAM,eAAe;AAAA,UACvB,SAAS,GAAG;AACV,gBAAI,KAAK,0BAA0B,CAAC,EAAE;AAAA,UACxC;AAAA,QACF;AACA,eAAO,KAAK;AAAA,UACV,SAAS;AAAA,UACT,SAAS;AAAA,UACT,YAAY;AAAA,UACZ,OAAO,SAAS;AAAA,QAClB,CAAC;AAAA,MACH;AAAA,IACF,OAAO;AACL,UAAI,gBAAgB;AAClB,YAAI;AACF,gBAAM,eAAe;AAAA,QACvB,SAAS,GAAG;AACV,cAAI,KAAK,0BAA0B,CAAC,EAAE;AAAA,QACxC;AAAA,MACF;AACA,aAAO,KAAK;AAAA,QACV,SAAS;AAAA,QACT,SAAS;AAAA,QACT,YAAY;AAAA,QACZ,OAAO,SAAU;AAAA,MACnB,CAAC;AAAA,IACH;AAAA,EACF;AAGA,QAAM,UAAU,GAAG,KAAK,IAAI,YAAY;AACxC,MAAI;AACJ,MAAI,WAAW;AAEf,MAAI,aAAa,IAAI,OAAO,GAAG;AAC7B,UAAM,UAAU,aAAa,IAAI,OAAO;AACxC,UAAM,mBAAmB,QAAQ,aAAa;AAE9C,QAAI,QAAQ,cAAc,kBAAkB;AAE1C,cAAQ,aAAa;AACrB,cAAQ,WAAW,MAAM;AACzB,oBAAc,QAAQ;AACtB,iBAAW,QAAQ;AACnB,mBAAa,OAAO,OAAO;AAG3B,UAAI,QAAQ,OAAO;AACjB,cAAM,YAAY,QAAQ,MAAM,MAAM,KAAK,EAAE,OAAO,OAAO;AAC3D,cAAM,YAAY,gBAAgB,MAAM,KAAK,EAAE,OAAO,OAAO,KAAK,CAAC;AACnE,cAAM,SAAS,oBAAI,IAAI,CAAC,GAAG,WAAW,GAAG,SAAS,CAAC;AACnD,yBAAiB,CAAC,GAAG,MAAM,EAAE,KAAK,GAAG;AACrC,YAAI,KAAK,0BAA0B,CAAC,GAAG,MAAM,EAAE,KAAK,IAAI,CAAC,GAAG;AAAA,MAC9D;AAEA,UAAI,KAAK,yCAAyC,YAAY,SAAS,KAAK,oBAAoB,WAAW,EAAE;AAAA,IAC/G,OAAO;AAEL,cAAQ,aAAa;AACrB,cAAQ,WAAW,MAAM;AACzB,mBAAa,OAAO,OAAO;AAC3B,UAAI,KAAK,6CAA6C,YAAY,SAAS,KAAK,gBAAgB,QAAQ,MAAM,EAAE;AAEhH,UAAI;AACF,cAAM,yBAAyB;AAAA,UAC7B;AAAA,UACA,QAAQ,QAAQ;AAAA,UAChB,MAAM,oBAAoB,wDAAW;AAAA,UACrC,UAAU,QAAQ,WAAW;AAAA,UAC7B;AAAA,QACF,CAAC;AAAA,MACH,SAAS,GAAG;AACV,YAAI,KAAK,yCAAyC,CAAC,EAAE;AAAA,MACvD;AAAA,IAEF;AAAA,EACF;AAGA,MAAI,gBAAgB;AACpB,MAAI,oBAA8B,CAAC;AAEnC,MAAI,gBAAgB;AAClB,QAAI;AACF,YAAMA,OAAM,WAAW,YAAY,OAAO,EAAE;AAC5C,YAAM,kBAAkB,eAAe,MAAM,KAAK,EAAE,OAAO,OAAO;AAClE,YAAM,YAAY,MAAM,oBAAoBA,MAAK,OAAO,MAAM;AAE9D,YAAM,kBAAkB,gBAAgB,OAAO,CAAC,MAAM,UAAU,SAAS,CAAC,CAAC;AAC3E,0BAAoB,gBAAgB,OAAO,CAAC,MAAM,CAAC,UAAU,SAAS,CAAC,CAAC;AAExE,UAAI,kBAAkB,SAAS,GAAG;AAChC,YAAI,KAAK,+BAA+B,kBAAkB,KAAK,IAAI,CAAC,uBAAuB;AAE3F,YAAI,gBAAgB,WAAW,GAAG;AAEhC,gBAAM,gBAAgB,8BAA8B,KAAK;AACzD,iBAAO,KAAK;AAAA,YACV,OAAO;AAAA,YACP,SAAS;AAAA,EAAyC,kBAAkB,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,EAAE,KAAK,IAAI,CAAC;AAAA;AAAA,4CAAc,aAAa;AAAA,YAC9H,oBAAoB;AAAA,YACpB,oBAAoB;AAAA,UACtB,CAAC;AAAA,QACH;AAGA,wBAAgB,gBAAgB,KAAK,GAAG;AACxC,YAAI,KAAK,qCAAqC,gBAAgB,KAAK,IAAI,CAAC,GAAG;AAAA,MAC7E;AAAA,IACF,SAAS,KAAK;AAEZ,UAAI,KAAK,kDAAkD,GAAG,EAAE;AAAA,IAClE;AAAA,EACF;AAGA,QAAM,aAAa,MAAM,2BAA2B;AAAA,IAClD;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO;AAAA,EACT,CAAC;AAGD,QAAM,WAAW,cAAc;AAAA,IAC7B,yBAAyB,WAAW;AAAA,IACpC,YAAY,KAAK,MAAM,WAAW,YAAY,EAAE;AAAA,IAChD,OAAO;AAAA;AAAA,IACP;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,gBAAgB,kBAAkB,SAAS,IAAI,oBAAoB;AAAA,IACnE;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI;AACJ,MAAI;AACJ,QAAM,SAAS,QAAQ;AACvB,MAAI,CAAC,UAAU,CAAC,QAAQ;AACtB,WAAO,KAAK,EAAE,OAAO,mDAAW,CAAC;AAAA,EACnC;AAEA,MAAI,aAAa;AAEf,UAAM,SAAS,WAAW;AAC1B,QAAI;AACF,YAAM,yBAAyB;AAAA,QAC7B;AAAA,QACA,QAAQ;AAAA,QACR,MAAM;AAAA,QACN,UAAU;AAAA,QACV;AAAA,MACF,CAAC;AACD,UAAI,KAAK,yBAAyB,WAAW,4BAA4B,MAAM,EAAE;AAAA,IACnF,SAAS,KAAK;AACZ,UAAI,KAAK,qDAAqD,GAAG,EAAE;AAEnE,YAAM,YAAY,MAAM,iBAAiB,EAAE,KAAK,MAAM,UAAU,UAAU,CAAC;AAC3E,UAAI,CAAC,UAAW,QAAO,KAAK,EAAE,OAAO,mDAAW,CAAC;AACjD,UAAI,QAAQ;AACV,cAAM,iBAAiB;AAAA,UACrB;AAAA,UACA,IAAI;AAAA,UACJ,QAAQ;AAAA,UACR,kBAAkB,QAAQ,WAAW,WAAW,KAAK,IAAI,OAAO,YAAY;AAAA,UAC5E,eAAe,QAAQ,QAAQ,QAAQ;AAAA,UACvC;AAAA,QACF,CAAC;AAAA,MACH;AACA,eAAS;AACT,YAAM;AACN,oBAAc;AAAA,IAChB;AACA,QAAI,aAAa;AACf,eAAS;AACT,YAAM;AAAA,IACR,OAAO;AACL,eAAS;AACT,YAAM;AAAA,IACR;AAAA,EACF,OAAO;AAEL,UAAM,YAAY,MAAM,iBAAiB,EAAE,KAAK,MAAM,UAAU,UAAU,CAAC;AAC3E,QAAI,CAAC,WAAW;AACd,aAAO,KAAK,EAAE,OAAO,mDAAW,CAAC;AAAA,IACnC;AAEA,UAAM,iBAAiB;AAAA,MACrB;AAAA,MACA,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,kBAAkB,QAAQ,WAAW,WAAW,KAAK,IAAI,OAAO,YAAY;AAAA,MAC5E,eAAe,QAAQ,QAAQ,QAAQ;AAAA,MACvC;AAAA,IACF,CAAC;AAED,aAAS;AACT,UAAM;AAAA,EACR;AAGA,QAAM,kBAAkB,IAAI,gBAAgB;AAE5C,QAAM,cAA2B;AAAA,IAC/B,YAAY;AAAA,IACZ;AAAA,IACA,UAAU;AAAA,IACV,WAAW,QAAQ,aAAa;AAAA,IAChC,YAAY;AAAA,IACZ,OAAO;AAAA,EACT;AACA,eAAa,IAAI,SAAS,WAAW;AACrC,MAAI,oBAAoB;AAExB,kBAAgB;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA,YAAY,WAAW;AAAA,IACvB,UAAU,WAAW;AAAA,IACrB,WAAW,WAAW;AAAA,IACtB,QAAQ,gBAAgB;AAAA,EAC1B,CAAC,EACE,KAAK,OAAO,WAAW;AAEtB,QAAI,YAAY,YAAY;AAC1B,UAAI,KAAK,oDAAoD,MAAM,EAAE;AACrE;AAAA,IACF;AACA,QAAI,OAAO,IAAI;AAEb,YAAM,WAAW,MAAM,oBAAoB,OAAO,OAAO,MAAM,aAAa,YAAY;AACxF,UAAI,CAAC,SAAS,OAAO;AACnB,YAAI;AAAA,UACF,+BAA+B,YAAY,YAC/B,SAAS,gBAAgB,SAAS,YAAY,MAAM;AAAA,QAClE;AACA,YAAI;AACF,gBAAM,yBAAyB;AAAA,YAC7B;AAAA,YACA;AAAA,YACA,MAAM,8BAA8B;AAAA,YACpC,UAAU,EAAE;AAAA,YACZ;AAAA,UACF,CAAC;AAAA,QACH,SAAS,GAAG;AACV,cAAI,KAAK,gDAAgD,CAAC,EAAE;AAAA,QAC9D;AACA,qBAAa,OAAO,OAAO;AAC3B,4BAAoB;AACpB;AAAA,MACF;AAIA,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,cAA6B;AAAA,QACjC,YAAY;AAAA,QACZ;AAAA,QACA,aAAa,OAAO,MAAM;AAAA,QAC1B,cAAc,OAAO,MAAM;AAAA,QAC3B,WAAW,MAAM,OAAO,MAAM,YAAY;AAAA,QAC1C,kBAAkB,MAAM,OAAO,MAAM,mBAAmB;AAAA,QACxD,OAAO,OAAO,MAAM;AAAA,QACpB,WAAW;AAAA,MACb;AACA,YAAM,eAAe,WAAW;AAIhC,UAAI;AACF,cAAM,yBAAyB;AAAA,UAC7B;AAAA,UACA;AAAA,UACA,MAAM,qBAAqB;AAAA,UAC3B,UAAU,EAAE;AAAA,UACZ;AAAA,QACF,CAAC;AAAA,MACH,SAAS,GAAG;AACV,YAAI,KAAK,qCAAqC,CAAC,EAAE;AAAA,MACnD;AAEA,mBAAa,OAAO,OAAO;AAC3B,0BAAoB;AAMpB,UAAI,gBAAgB;AAClB,YAAI;AACF,gBAAM,eAAe;AAAA,QACvB,SAAS,GAAG;AACV,cAAI,KAAK,0BAA0B,CAAC,EAAE;AAAA,QACxC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB,YAAI,KAAK,uDAAuD;AAAA,MAClE;AACE,YAAI;AAIF,gBAAM,iBAAiB,GAAG,OAAO,SAAS;AAE1C,gBAAM,iBAAiB;AAAA,YACrB,QAAQ;AAAA,cACN,WAAW,EAAE,SAAS,aAAa;AAAA,YACrC;AAAA,YACA,SAAS;AAAA,cACP,YAAY;AAAA,cACZ,SAAS;AAAA,cACT,WAAW,OAAO,YAAa;AAAA,cAC/B,cAAc;AAAA,cACd,SAAS,KAAK,UAAU;AAAA,gBACtB,MAAM;AAAA,cACR,CAAC;AAAA,cACD,WAAW,OAAO;AAAA,YACpB;AAAA,UACF;AAIA,gBAAM,mBAAmB;AAAA,YACvB,KAAK,CAAC,QAAgB,IAAI,KAAK,GAAG;AAAA,YAClC,OAAO,CAAC,QAAgB,IAAI,MAAM,GAAG;AAAA,UACvC;AAEA,gBAAM,EAAE,QAAQ,QAAQ,IAAI,sBAAsB;AAAA,YAChD;AAAA,YACA;AAAA,YACA,UAAU,OAAO;AAAA,YACjB,MAAM,YAAY;AAChB,oBAAM;AAAA,gBACJ;AAAA,kBACE,WAAW;AAAA,kBACX;AAAA,kBACA;AAAA,kBACA,WAAW,KAAK,IAAI;AAAA,kBACpB;AAAA,kBACA,UAAU,OAAO;AAAA,kBACjB,UAAU,OAAO;AAAA,gBACnB;AAAA,gBACA,MACE,oBAAoB;AAAA,kBAClB;AAAA;AAAA,kBAEA,OAAO;AAAA,kBACP;AAAA,kBACA,cAAc;AAAA;AAAA,kBAEd,SAAS;AAAA,kBACT,kBAAkB,OAAO;AAAA,gBAC3B,CAAC;AAAA,cACL;AAAA,YACF;AAAA,UACF,CAAC;AAED,cAAI,KAAK,6BAA6B,MAAM,GAAG;AAC/C,gBAAM;AACN,cAAI,KAAK,oDAAoD;AAAA,QAC/D,SAAS,GAAG;AACV,cAAI,KAAK,gDAAgD,CAAC,EAAE;AAAA,QAC9D;AAAA,IACJ,OAAO;AAEL,UAAI;AACF,cAAM,yBAAyB;AAAA,UAC7B;AAAA,UACA;AAAA,UACA,MAAM,oBAAoB,OAAO,OAAO;AAAA,UACxC,UAAU,EAAE;AAAA,UACZ;AAAA,QACF,CAAC;AAAA,MACH,SAAS,GAAG;AACV,YAAI,KAAK,qCAAqC,CAAC,EAAE;AAAA,MACnD;AAEA,mBAAa,OAAO,OAAO;AAC3B,0BAAoB;AAAA,IACtB;AAAA,EACF,CAAC,EACA,MAAM,CAAC,QAAQ;AACd,QAAI,MAAM,kBAAkB,GAAG,EAAE;AAAA,EACnC,CAAC,EACA,QAAQ,MAAM;AACb,QAAI,CAAC,mBAAmB;AAEtB,UAAI,aAAa,IAAI,OAAO,MAAM,aAAa;AAC7C,qBAAa,OAAO,OAAO;AAAA,MAC7B;AAAA,IACF;AAAA,EACF,CAAC;AAEH,QAAM,aAAa,cAAc,MAAM,KAAK,EAAE,OAAO,OAAO,EAAE;AAC9D,MAAI,UAAU,cACV,oGAAoB,UAAU,0FAC9B;AAEJ,MAAI,WAAW;AACb,eAAW;AAAA,EACb;AAGA,MAAI,kBAAkB,SAAS,GAAG;AAChC,UAAM,gBAAgB,8BAA8B,KAAK;AACzD,eAAW;AAAA;AAAA;AAAA,EAAgD,kBAAkB,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,EAAE,KAAK,IAAI,CAAC;AAAA;AAAA,4CAAc,aAAa;AAAA,EACzI;AAEA,SAAO,KAAK;AAAA,IACV,SAAS;AAAA,IACT;AAAA,IACA,wBAAwB;AAAA,IACxB,iBAAiB,kBAAkB,SAAS,IAAI,oBAAoB;AAAA,IACpE,oBAAoB,kBAAkB,SAAS,IAAI,8BAA8B,KAAK,gBAAgB;AAAA,EACxG,CAAC;AACH;",
+  "names": ["sdk"]
+}