@larksuite/openclaw-lark 2026.4.10 → 2026.5.7-beta.0

package/openclaw.plugin.json

@@ -1,12 +1,59 @@
 {
   "id": "openclaw-lark",
-  "channels": ["feishu"],
-  "skills": ["./skills"],
+  "channels": [
+    "feishu"
+  ],
+  "skills": [
+    "./skills"
+  ],
   "configSchema": {
     "type": "object",
     "additionalProperties": false,
     "properties": {}
   },
+  "contracts": {
+    "tools": [
+      "feishu_bitable_app",
+      "feishu_bitable_app_table",
+      "feishu_bitable_app_table_field",
+      "feishu_bitable_app_table_record",
+      "feishu_bitable_app_table_view",
+      "feishu_calendar_calendar",
+      "feishu_calendar_event",
+      "feishu_calendar_event_attendee",
+      "feishu_calendar_freebusy",
+      "feishu_chat",
+      "feishu_chat_members",
+      "feishu_create_doc",
+      "feishu_doc_comments",
+      "feishu_doc_media",
+      "feishu_drive_file",
+      "feishu_fetch_doc",
+      "feishu_get_user",
+      "feishu_im_bot_image",
+      "feishu_im_user_fetch_resource",
+      "feishu_im_user_get_messages",
+      "feishu_im_user_get_thread_messages",
+      "feishu_im_user_message",
+      "feishu_im_user_search_messages",
+      "feishu_oauth",
+      "feishu_oauth_batch_auth",
+      "feishu_search_doc_wiki",
+      "feishu_search_user",
+      "feishu_sheet",
+      "feishu_task_comment",
+      "feishu_task_subtask",
+      "feishu_task_task",
+      "feishu_task_agent",
+      "feishu_task_attachment",
+      "feishu_task_tasklist",
+      "feishu_update_doc",
+      "feishu_wiki_space",
+      "feishu_wiki_space_node",
+      "feishu_task_section",
+      "feishu_ask_user_question"
+    ]
+  },
   "channelConfigs": {
     "feishu": {
       "schema": {
@@ -14,4 +61,4 @@
       }
     }
   }
-}
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@larksuite/openclaw-lark",
-  "version": "2026.4.10",
+  "version": "2026.5.7-beta.0",
   "description": "OpenClaw Lark/Feishu channel plugin",
   "exports": {
     ".": {

package/src/channel/event-handlers.js

@@ -69,6 +69,21 @@ async function handleMessageEvent(ctx, data) {
     const { accountId, log, error } = ctx;
     try {
         const event = data;
+        // Self-echo hard filter — drop messages authored by this very bot before
+        // dedup and enqueue. Prevents self-reply loops; the primary guardrail
+        // against bot-to-bot ping-pong.
+        //
+        // NOTE: if botOpenId is not yet populated (startup race before probe
+        // resolves), this filter is skipped. The downstream bot-sender gate
+        // (checkBotSenderGate) acts as fallback — bot messages default to
+        // `allowBots='mentions'`, so in groups they require an explicit @-mention
+        // of this bot to pass; DMs are pass-through under the default.
+        const senderOpenId = event.sender?.sender_id?.open_id;
+        const botOpenId = ctx.lark.botOpenId;
+        if (botOpenId && senderOpenId && senderOpenId === botOpenId) {
+            log(`feishu[${accountId}]: drop self-echo message ${event.message?.message_id ?? 'unknown'}`);
+            return;
+        }
         const msgId = event.message?.message_id ?? 'unknown';
         const chatId = event.message?.chat_id ?? '';
         // In topic groups, reply events carry root_id but not thread_id.

package/src/channel/monitor.js

@@ -13,9 +13,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.monitorFeishuProvider = monitorFeishuProvider;
 const accounts_1 = require("../core/accounts.js");
 const lark_client_1 = require("../core/lark-client.js");
-const dedup_1 = require("../messaging/inbound/dedup.js");
 const lark_logger_1 = require("../core/lark-logger.js");
 const shutdown_hooks_1 = require("../core/shutdown-hooks.js");
+const dedup_1 = require("../messaging/inbound/dedup.js");
 const event_handlers_1 = require("./event-handlers.js");
 const mlog = (0, lark_logger_1.larkLogger)('channel/monitor');
 // ---------------------------------------------------------------------------

package/src/core/config-schema.d.ts

@@ -30,6 +30,7 @@ export declare const FeishuGroupSchema: z.ZodObject<{
     enabled: z.ZodOptional<z.ZodBoolean>;
     allowFrom: z.ZodPipe<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>, z.ZodTransform<string[] | undefined, string | string[] | undefined>>;
     systemPrompt: z.ZodOptional<z.ZodString>;
+    allowBots: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodLiteral<"mentions">]>>;
 }, z.core.$strip>;
 export declare const FeishuAccountConfigSchema: z.ZodObject<{
     appId: z.ZodOptional<z.ZodString>;
@@ -76,6 +77,7 @@ export declare const FeishuAccountConfigSchema: z.ZodObject<{
         enabled: z.ZodOptional<z.ZodBoolean>;
         allowFrom: z.ZodPipe<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>, z.ZodTransform<string[] | undefined, string | string[] | undefined>>;
         systemPrompt: z.ZodOptional<z.ZodString>;
+        allowBots: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodLiteral<"mentions">]>>;
     }, z.core.$strip>>>;
     historyLimit: z.ZodOptional<z.ZodNumber>;
     dmHistoryLimit: z.ZodOptional<z.ZodNumber>;
@@ -170,6 +172,7 @@ export declare const FeishuAccountConfigSchema: z.ZodObject<{
         all: "all";
     }>>;
     threadSession: z.ZodOptional<z.ZodBoolean>;
+    allowBots: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodLiteral<"mentions">]>>;
     uat: z.ZodOptional<z.ZodObject<{
         enabled: z.ZodOptional<z.ZodBoolean>;
         allowedScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
@@ -221,6 +224,7 @@ export declare const FeishuConfigSchema: z.ZodObject<{
         enabled: z.ZodOptional<z.ZodBoolean>;
         allowFrom: z.ZodPipe<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>, z.ZodTransform<string[] | undefined, string | string[] | undefined>>;
         systemPrompt: z.ZodOptional<z.ZodString>;
+        allowBots: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodLiteral<"mentions">]>>;
     }, z.core.$strip>>>;
     historyLimit: z.ZodOptional<z.ZodNumber>;
     dmHistoryLimit: z.ZodOptional<z.ZodNumber>;
@@ -315,6 +319,7 @@ export declare const FeishuConfigSchema: z.ZodObject<{
         all: "all";
     }>>;
     threadSession: z.ZodOptional<z.ZodBoolean>;
+    allowBots: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodLiteral<"mentions">]>>;
     uat: z.ZodOptional<z.ZodObject<{
         enabled: z.ZodOptional<z.ZodBoolean>;
         allowedScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
@@ -365,6 +370,7 @@ export declare const FeishuConfigSchema: z.ZodObject<{
             enabled: z.ZodOptional<z.ZodBoolean>;
             allowFrom: z.ZodPipe<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>, z.ZodTransform<string[] | undefined, string | string[] | undefined>>;
             systemPrompt: z.ZodOptional<z.ZodString>;
+            allowBots: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodLiteral<"mentions">]>>;
         }, z.core.$strip>>>;
         historyLimit: z.ZodOptional<z.ZodNumber>;
         dmHistoryLimit: z.ZodOptional<z.ZodNumber>;
@@ -459,6 +465,7 @@ export declare const FeishuConfigSchema: z.ZodObject<{
             all: "all";
         }>>;
         threadSession: z.ZodOptional<z.ZodBoolean>;
+        allowBots: z.ZodOptional<z.ZodUnion<readonly [z.ZodBoolean, z.ZodLiteral<"mentions">]>>;
         uat: z.ZodOptional<z.ZodObject<{
             enabled: z.ZodOptional<z.ZodBoolean>;
             allowedScopes: z.ZodOptional<z.ZodArray<z.ZodString>>;

package/src/core/config-schema.js

@@ -105,6 +105,7 @@ const DedupSchema = zod_1.z
     maxEntries: zod_1.z.number().optional(), // default 5000
 })
     .optional();
+const AllowBotsSchema = zod_1.z.union([zod_1.z.boolean(), zod_1.z.literal('mentions')]).optional();
 const ReactionNotificationModeSchema = zod_1.z.enum(['off', 'own', 'all']).optional();
 exports.UATConfigSchema = zod_1.z
     .object({
@@ -130,6 +131,7 @@ exports.FeishuGroupSchema = zod_1.z.object({
     enabled: zod_1.z.boolean().optional(),
     allowFrom: AllowFromSchema,
     systemPrompt: zod_1.z.string().optional(),
+    allowBots: AllowBotsSchema,
 });
 // ---------------------------------------------------------------------------
 // Account config schema (same shape as top-level minus `accounts`)
@@ -176,6 +178,7 @@ exports.FeishuAccountConfigSchema = zod_1.z.object({
     dedup: DedupSchema,
     reactionNotifications: ReactionNotificationModeSchema,
     threadSession: zod_1.z.boolean().optional(),
+    allowBots: AllowBotsSchema,
     uat: exports.UATConfigSchema,
 });
 // ---------------------------------------------------------------------------

package/src/core/tool-scopes.d.ts

@@ -153,4 +153,4 @@ export declare function filterSensitiveScopes(scopes: string[]): string[];
  * 唯一 scope 总数: 74
  * 必需应用权限总数: 20
  * 高敏感权限总数: 4
- */ 
+ */

package/src/core/tool-scopes.js

@@ -341,4 +341,4 @@ function filterSensitiveScopes(scopes) {
  * 唯一 scope 总数: 74
  * 必需应用权限总数: 20
  * 高敏感权限总数: 4
- */ 
+ */

package/src/messaging/inbound/dispatch-builders.js

@@ -35,7 +35,7 @@ function buildMentionAnnotation(ctx) {
     if (mentions.length === 0)
         return undefined;
     const mentionDetails = mentions.map((t) => `${t.name} (open_id: ${t.openId})`).join(', ');
-    return `[System: This message @mentions the following users: ${mentionDetails}. Use these open_ids when performing actions involving these users.]`;
+    return `[System: This message @mentions the following users: ${mentionDetails}. Use these open_ids when performing actions involving these users. To @mention in a reply, use \`<at user_id="ou_xxx">Name</at>\`; plain "@Name" won't notify.]`;
 }
 // ---------------------------------------------------------------------------
 // Message body builders

package/src/messaging/inbound/enrich.js

@@ -44,18 +44,21 @@ const media_resolver_1 = require("./media-resolver.js");
 async function resolveSenderInfo(params) {
     const { account, log } = params;
     let ctx = params.ctx;
-    // Only resolve display name for real users — the contact API
-    // does not return results for app/bot accounts.
-    if (ctx.rawSender?.sender_type !== 'user') {
-        log(`sender_type is "${ctx.rawSender?.sender_type}", skipping name resolution`);
+    // Bots and users have separate name-resolution endpoints. The contact API
+    // does not return bot info, so dispatch on senderIsBot. Both endpoints
+    // populate the same account-scoped cache (keyed by openId).
+    //
+    // Skip resolution for unknown sender_types (e.g. anonymous, missing) — the
+    // contact API would 4xx and the bot API would not match. This preserves the
+    // pre-bot-support behavior of only resolving names for `sender_type === 'user'`.
+    const senderType = ctx.rawSender?.sender_type;
+    if (!ctx.senderIsBot && senderType !== 'user') {
+        log(`sender_type is "${senderType ?? 'undefined'}", skipping name resolution`);
         return { ctx };
     }
-    // Resolve sender display name (best-effort)
-    const senderResult = await (0, user_name_cache_1.resolveUserName)({
-        account,
-        openId: ctx.senderId,
-        log,
-    });
+    const senderResult = ctx.senderIsBot
+        ? await (0, user_name_cache_1.resolveBotName)({ account, openId: ctx.senderId, log })
+        : await (0, user_name_cache_1.resolveUserName)({ account, openId: ctx.senderId, log });
     if (senderResult.name) {
         ctx = { ...ctx, senderName: senderResult.name };
         log(`sender resolved: ${senderResult.name}`);

package/src/messaging/inbound/gate.d.ts

@@ -25,7 +25,7 @@
 import type { ClawdbotConfig } from 'openclaw/plugin-sdk';
 import type { HistoryEntry } from 'openclaw/plugin-sdk/reply-history';
 import type { MessageContext } from '../types';
-import type { FeishuConfig, LarkAccount } from '../../core/types';
+import type { FeishuConfig, FeishuGroupConfig, LarkAccount } from '../../core/types';
 /**
  * Resolve the effective `respondToMentionAll` setting.
  *
@@ -42,6 +42,21 @@ export declare function resolveRespondToMentionAll(params: {
         respondToMentionAll?: boolean;
     };
 }): boolean;
+/**
+ * Resolve the effective allowBots setting.
+ *
+ * Precedence: per-group > default ("*") > account > 'mentions'.
+ *
+ * The `'mentions'` default lets bot-to-bot interaction work out of the box
+ * while still requiring an explicit @-mention in groups; DMs treat it as
+ * pass-through. Operators can opt into fully-open (`true`) or fully-closed
+ * (`false`) explicitly.
+ */
+export declare function resolveAllowBots(params: {
+    groupConfig?: FeishuGroupConfig;
+    defaultConfig?: FeishuGroupConfig;
+    accountFeishuCfg?: FeishuConfig;
+}): boolean | 'mentions';
 /**
  * Read the pairing allowFrom store for the Feishu channel via the SDK runtime.
  */

package/src/messaging/inbound/gate.js

@@ -25,6 +25,7 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.resolveRespondToMentionAll = resolveRespondToMentionAll;
+exports.resolveAllowBots = resolveAllowBots;
 exports.readFeishuAllowFromStore = readAllowFromStore;
 exports.checkMessageGate = checkMessageGate;
 const lark_client_1 = require("../../core/lark-client.js");
@@ -42,6 +43,22 @@ function resolveRespondToMentionAll(params) {
         params.accountFeishuCfg?.respondToMentionAll ??
         false);
 }
+/**
+ * Resolve the effective allowBots setting.
+ *
+ * Precedence: per-group > default ("*") > account > 'mentions'.
+ *
+ * The `'mentions'` default lets bot-to-bot interaction work out of the box
+ * while still requiring an explicit @-mention in groups; DMs treat it as
+ * pass-through. Operators can opt into fully-open (`true`) or fully-closed
+ * (`false`) explicitly.
+ */
+function resolveAllowBots(params) {
+    return (params.groupConfig?.allowBots ??
+        params.defaultConfig?.allowBots ??
+        params.accountFeishuCfg?.allowBots ??
+        'mentions');
+}
 /** Prevent spamming the legacy groupAllowFrom migration warning. */
 let legacyGroupAllowFromWarned = false;
 // ---------------------------------------------------------------------------
@@ -64,23 +81,34 @@ async function readAllowFromStore(accountId) {
  * and send pairing request messages.
  */
 async function checkMessageGate(params) {
-    const { ctx, accountFeishuCfg, account, accountScopedCfg, log } = params;
+    const { ctx } = params;
+    if (ctx.senderIsBot) {
+        return checkBotSenderGate(params);
+    }
     const isGroup = ctx.chatType === 'group';
     if (isGroup) {
-        return checkGroupGate({ ctx, accountFeishuCfg, account, accountScopedCfg, log });
+        return checkGroupGate(params);
     }
-    return checkDmGate({ ctx, accountFeishuCfg, account, accountScopedCfg, log });
+    return checkDmGate(params);
 }
-// ---------------------------------------------------------------------------
-// Internal: group gate
-// ---------------------------------------------------------------------------
-function checkGroupGate(params) {
+/**
+ * Layer 1 group-level admission check, shared between human and bot sender paths.
+ *
+ * Computes:
+ *  - `groupPolicy` access via SDK (`resolveGroupPolicy`)
+ *  - Legacy chat-id-in-`groupAllowFrom` compat
+ *  - Per-group `enabled === false` kill switch
+ *
+ * Returns `rejected` non-null when the caller should reject with that result;
+ * otherwise the resolved per-group config is returned for downstream use.
+ *
+ * Bot senders go through the same Layer 1 as humans — `allowBots` only governs
+ * sender-axis admission, not which groups the account responds in.
+ */
+function resolveFeishuGroupAccess(params) {
     const { ctx, accountFeishuCfg, account, accountScopedCfg, log } = params;
     const core = lark_client_1.LarkClient.runtime;
-    // ---- Legacy compat: groupAllowFrom with chat_id entries ----
-    // Older Feishu configs used groupAllowFrom with chat_ids (oc_xxx) to
-    // control which groups are allowed.  The correct semantic (aligned with
-    // Telegram) is sender_ids.  Detect and split so both layers still work.
+    // Legacy compat: groupAllowFrom with chat_id entries.
     const rawGroupAllowFrom = accountFeishuCfg?.groupAllowFrom ?? [];
     const { legacyChatIds, senderAllowFrom: senderGroupAllowFrom } = (0, policy_1.splitLegacyGroupAllowFrom)(rawGroupAllowFrom);
     if (legacyChatIds.length > 0 && !legacyGroupAllowFromWarned) {
@@ -92,11 +120,9 @@ function checkGroupGate(params) {
             legacyChatIds.map((id) => `    "${id}": {},`).join('\n') +
             `\n  }`);
     }
-    // ---- Layer 1: Group-level access (SDK) ----
-    // The SDK reads `channels.feishu.groups` as an allowlist of group IDs.
-    // - No groups configured + groupPolicy "open" → any group passes
-    // - groupPolicy "allowlist" (or groups configured) → only listed groups pass
-    // - groupPolicy "disabled" → all groups blocked
+    const groupConfig = (0, policy_1.resolveFeishuGroupConfig)({ cfg: accountFeishuCfg, groupId: ctx.chatId });
+    const defaultConfig = accountFeishuCfg?.groups?.['*'];
+    // SDK group-level policy (groupPolicy disabled / allowlist / open).
     const groupAccess = core.channel.groups.resolveGroupPolicy({
         cfg: accountScopedCfg ?? {},
         channel: 'feishu',
@@ -105,33 +131,98 @@ function checkGroupGate(params) {
         groupIdCaseInsensitive: true,
         hasGroupAllowFrom: senderGroupAllowFrom.length > 0,
     });
-    // Legacy compat: if SDK rejects the group but the chat_id is in the
-    // old-style groupAllowFrom, allow it (backward compatibility).
-    // Track whether this group was admitted via legacy path so we can skip
-    // sender filtering below (old semantic: chat_id in groupAllowFrom meant
-    // "allow this group for any sender").
     let legacyGroupAdmit = false;
     if (!groupAccess.allowed) {
         const chatIdLower = ctx.chatId.toLowerCase();
         const legacyMatch = legacyChatIds.some((id) => String(id).toLowerCase() === chatIdLower);
         if (!legacyMatch) {
             log(`feishu[${account.accountId}]: group ${ctx.chatId} blocked by group-level policy`);
-            return { allowed: false, reason: 'group_not_allowed' };
+            return {
+                rejected: { allowed: false, reason: 'group_not_allowed' },
+                legacyGroupAdmit: false,
+                senderGroupAllowFrom,
+                groupConfig,
+                defaultConfig,
+            };
         }
         legacyGroupAdmit = true;
     }
-    // ---- Per-group config (Feishu-specific fields) ----
-    const groupConfig = (0, policy_1.resolveFeishuGroupConfig)({
-        cfg: accountFeishuCfg,
-        groupId: ctx.chatId,
-    });
-    const defaultConfig = accountFeishuCfg?.groups?.['*'];
-    // Per-group enabled flag
     const enabled = groupConfig?.enabled ?? defaultConfig?.enabled;
     if (enabled === false) {
         log(`feishu[${account.accountId}]: group ${ctx.chatId} disabled by per-group config`);
-        return { allowed: false, reason: 'group_disabled' };
+        return {
+            rejected: { allowed: false, reason: 'group_disabled' },
+            legacyGroupAdmit,
+            senderGroupAllowFrom,
+            groupConfig,
+            defaultConfig,
+        };
+    }
+    return { rejected: null, legacyGroupAdmit, senderGroupAllowFrom, groupConfig, defaultConfig };
+}
+// ---------------------------------------------------------------------------
+// Internal: bot sender gate
+// ---------------------------------------------------------------------------
+function checkBotSenderGate(params) {
+    const { ctx, accountFeishuCfg, account, log } = params;
+    const isGroup = ctx.chatType === 'group';
+    // 1. Layer 1 group access — bot senders are subject to the same group-level
+    //    admission as humans. `allowBots` is a sender-axis filter, not a group-axis
+    //    filter; an account configured to ignore a group must ignore bots there too.
+    let groupConfig;
+    let defaultConfig;
+    if (isGroup) {
+        const access = resolveFeishuGroupAccess(params);
+        if (access.rejected)
+            return access.rejected;
+        groupConfig = access.groupConfig;
+        defaultConfig = access.defaultConfig;
     }
+    // 2. Resolve allowBots (per-group > default > account > 'mentions')
+    const allowBots = resolveAllowBots({ groupConfig, defaultConfig, accountFeishuCfg });
+    // 3. allowBots === false → drop
+    if (allowBots === false) {
+        log(`feishu[${account.accountId}]: drop bot sender ${ctx.senderId} in ${ctx.chatId} (allowBots=false)`);
+        return { allowed: false, reason: 'bot_sender_disabled' };
+    }
+    // 4. allowBots === 'mentions' + bot not mentioned → drop (group only;
+    //    DMs have no @-mention concept, so mention-mode is a pass-through there).
+    if (isGroup && allowBots === 'mentions' && !(0, mention_1.mentionedBot)(ctx)) {
+        log(`feishu[${account.accountId}]: drop bot sender ${ctx.senderId} in ${ctx.chatId} (allowBots=mentions, not mentioned)`);
+        return { allowed: false, reason: 'bot_sender_not_mentioned' };
+    }
+    // 5. Group requireMention check — redundant with allowBots='mentions' but
+    //    necessary for the explicit `allowBots=true + requireMention=true` combo.
+    //
+    //    NOTE: this intentionally diverges from the human-sender path (checkGroupGate),
+    //    which delegates to SDK's resolveRequireMention that defaults to true.
+    //    For bot senders, `requireMention` must be explicitly set to true — the
+    //    rationale being: if the operator opts into `allowBots=true`, they want
+    //    bot traffic through by default. Holding bots to a true-default mention
+    //    requirement would silently negate `allowBots=true` in most configs.
+    if (isGroup) {
+        const requireMention = groupConfig?.requireMention ??
+            defaultConfig?.requireMention ??
+            accountFeishuCfg?.requireMention;
+        if (requireMention === true && !(0, mention_1.mentionedBot)(ctx)) {
+            log(`feishu[${account.accountId}]: drop bot sender ${ctx.senderId} (no_mention)`);
+            // Intentionally NO historyEntry — bot messages never enter chat history.
+            return { allowed: false, reason: 'no_mention' };
+        }
+    }
+    return { allowed: true };
+}
+// ---------------------------------------------------------------------------
+// Internal: group gate
+// ---------------------------------------------------------------------------
+function checkGroupGate(params) {
+    const { ctx, accountFeishuCfg, account, accountScopedCfg, log } = params;
+    const core = lark_client_1.LarkClient.runtime;
+    // ---- Layer 1: Group-level admission (shared with bot path) ----
+    const access = resolveFeishuGroupAccess(params);
+    if (access.rejected)
+        return access.rejected;
+    const { legacyGroupAdmit, senderGroupAllowFrom, groupConfig, defaultConfig } = access;
     // ---- Layer 2: Sender-level access ----
     // Per-group groupPolicy overrides the global groupPolicy for sender filtering.
     // senderGroupAllowFrom (global, oc_ entries excluded) + per-group allowFrom.

package/src/messaging/inbound/parse.js

@@ -117,6 +117,10 @@ async function parseMessageEvent(event, botOpenId, expandCtx) {
         resources,
         mentions: mentionList,
         mentionAll,
+        // Per Feishu docs, im.message.receive_v1 sets sender_type to 'user' or
+        // 'bot'. We also accept 'app' defensively for any SDK/legacy variant that
+        // surfaces the older value.
+        senderIsBot: event.sender.sender_type === 'bot' || event.sender.sender_type === 'app',
         createTime: Number.isNaN(createTime) ? undefined : createTime,
         rawMessage: effectiveContent !== event.message.content ? { ...event.message, content: effectiveContent } : event.message,
         rawSender: event.sender,

package/src/messaging/inbound/user-name-cache.d.ts

@@ -41,6 +41,18 @@ export interface ResolveUserNameResult {
     name?: string;
     permissionError?: PermissionError;
 }
+/**
+ * Resolve a single bot's display name via `/open-apis/bot/v3/bots/basic_batch`.
+ *
+ * Bots are not returned by the contact API, so they have their own endpoint.
+ * Names share the same account-scoped cache (keyed by openId) since both
+ * bots and users have `ou_` prefixed openIds and a single display name.
+ */
+export declare function resolveBotName(params: {
+    account: LarkAccount;
+    openId: string;
+    log: (...args: unknown[]) => void;
+}): Promise<ResolveUserNameResult>;
 /**
  * Resolve a single user's display name.
  *

package/src/messaging/inbound/user-name-cache.js

@@ -16,6 +16,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.getUserNameCache = exports.clearUserNameCache = exports.UserNameCache = void 0;
 exports.batchResolveUserNames = batchResolveUserNames;
 exports.createBatchResolveNames = createBatchResolveNames;
+exports.resolveBotName = resolveBotName;
 exports.resolveUserName = resolveUserName;
 const lark_client_1 = require("../../core/lark-client.js");
 const user_name_cache_store_1 = require("./user-name-cache-store.js");
@@ -100,6 +101,51 @@ function createBatchResolveNames(account, log) {
         await batchResolveUserNames({ account, openIds, log });
     };
 }
+/**
+ * Resolve a single bot's display name via `/open-apis/bot/v3/bots/basic_batch`.
+ *
+ * Bots are not returned by the contact API, so they have their own endpoint.
+ * Names share the same account-scoped cache (keyed by openId) since both
+ * bots and users have `ou_` prefixed openIds and a single display name.
+ */
+async function resolveBotName(params) {
+    const { account, openId, log } = params;
+    if (!account.configured || !openId)
+        return {};
+    const cache = (0, user_name_cache_store_1.getUserNameCache)(account.accountId);
+    if (cache.has(openId))
+        return { name: cache.get(openId) ?? '' };
+    try {
+        const client = lark_client_1.LarkClient.fromAccount(account).sdk;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const res = await client.request({
+            method: 'GET',
+            url: '/open-apis/bot/v3/bots/basic_batch',
+            params: { bot_ids: [openId] },
+        });
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const bot = res?.data?.bots?.[openId];
+        const name = bot?.name || bot?.i18n_names?.zh_cn || bot?.i18n_names?.en_us || '';
+        // Cache even empty names to avoid repeated API calls for bots
+        // whose names we cannot resolve.
+        cache.set(openId, name);
+        return { name: name || undefined };
+    }
+    catch (err) {
+        // Bot name resolution is best-effort: missing `bot:basic_info` scope
+        // should not surface as a permission notification to the agent. Log
+        // and cache an empty name so we don't retry, then fall back to openId.
+        const permErr = (0, permission_1.extractPermissionError)(err);
+        if (permErr) {
+            log(`feishu: permission error resolving bot name (best-effort, ignored): code=${permErr.code}`);
+        }
+        else {
+            log(`feishu: failed to resolve bot name for ${openId}: ${String(err)}`);
+        }
+        cache.set(openId, '');
+        return {};
+    }
+}
 /**
  * Resolve a single user's display name.
  *

package/src/messaging/types.d.ts

@@ -270,6 +270,14 @@ export interface MessageContext {
     mentions: MentionInfo[];
     /** Whether an @all / @所有人 mention was detected in the message. */
     mentionAll: boolean;
+    /**
+     * True when the event sender is a bot/app (sender_type === 'app').
+     *
+     * Set by parseMessageEvent. Optional because synthetic construction sites
+     * (comment / reaction / vc-invited handlers) omit it — absence is treated
+     * as `false` since those paths only originate from human actors today.
+     */
+    senderIsBot?: boolean;
     rootId?: string;
     parentId?: string;
     threadId?: string;

package/src/tools/oapi/task/task.js

@@ -324,7 +324,7 @@ function registerFeishuTaskTaskTool(api) {
                                 page_token: p.page_token,
                                 completed: p.completed,
                                 agent_task_status: p.agent_task_status,
-                                user_id_type: (p.user_id_type || 'open_id'),
+                                user_id_type: p.user_id_type || 'open_id',
                             },
                         }, opts), { as: authType });
                         (0, helpers_1.assertLarkOk)(res);