@nextclaw/channel-plugin-feishu 0.2.13 → 0.2.14

package/src/perm.ts

@@ -0,0 +1,176 @@
+import type * as Lark from "@larksuiteoapi/node-sdk";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/feishu";
+import { listEnabledFeishuAccounts } from "./accounts.js";
+import { FeishuPermSchema, type FeishuPermParams } from "./perm-schema.js";
+import { createFeishuToolClient, resolveAnyEnabledFeishuToolsConfig } from "./tool-account.js";
+import {
+  jsonToolResult,
+  toolExecutionErrorResult,
+  unknownToolActionResult,
+} from "./tool-result.js";
+
+type ListTokenType =
+  | "doc"
+  | "sheet"
+  | "file"
+  | "wiki"
+  | "bitable"
+  | "docx"
+  | "mindnote"
+  | "minutes"
+  | "slides";
+type CreateTokenType =
+  | "doc"
+  | "sheet"
+  | "file"
+  | "wiki"
+  | "bitable"
+  | "docx"
+  | "folder"
+  | "mindnote"
+  | "minutes"
+  | "slides";
+type MemberType =
+  | "email"
+  | "openid"
+  | "unionid"
+  | "openchat"
+  | "opendepartmentid"
+  | "userid"
+  | "groupid"
+  | "wikispaceid";
+type PermType = "view" | "edit" | "full_access";
+
+// ============ Actions ============
+
+async function listMembers(client: Lark.Client, token: string, type: string) {
+  const res = await client.drive.permissionMember.list({
+    path: { token },
+    params: { type: type as ListTokenType },
+  });
+  if (res.code !== 0) {
+    throw new Error(res.msg);
+  }
+
+  return {
+    members:
+      res.data?.items?.map((m) => ({
+        member_type: m.member_type,
+        member_id: m.member_id,
+        perm: m.perm,
+        name: m.name,
+      })) ?? [],
+  };
+}
+
+async function addMember(
+  client: Lark.Client,
+  token: string,
+  type: string,
+  memberType: string,
+  memberId: string,
+  perm: string,
+) {
+  const res = await client.drive.permissionMember.create({
+    path: { token },
+    params: { type: type as CreateTokenType, need_notification: false },
+    data: {
+      member_type: memberType as MemberType,
+      member_id: memberId,
+      perm: perm as PermType,
+    },
+  });
+  if (res.code !== 0) {
+    throw new Error(res.msg);
+  }
+
+  return {
+    success: true,
+    member: res.data?.member,
+  };
+}
+
+async function removeMember(
+  client: Lark.Client,
+  token: string,
+  type: string,
+  memberType: string,
+  memberId: string,
+) {
+  const res = await client.drive.permissionMember.delete({
+    path: { token, member_id: memberId },
+    params: { type: type as CreateTokenType, member_type: memberType as MemberType },
+  });
+  if (res.code !== 0) {
+    throw new Error(res.msg);
+  }
+
+  return {
+    success: true,
+  };
+}
+
+// ============ Tool Registration ============
+
+export function registerFeishuPermTools(api: OpenClawPluginApi) {
+  if (!api.config) {
+    api.logger.debug?.("feishu_perm: No config available, skipping perm tools");
+    return;
+  }
+
+  const accounts = listEnabledFeishuAccounts(api.config);
+  if (accounts.length === 0) {
+    api.logger.debug?.("feishu_perm: No Feishu accounts configured, skipping perm tools");
+    return;
+  }
+
+  const toolsCfg = resolveAnyEnabledFeishuToolsConfig(accounts);
+  if (!toolsCfg.perm) {
+    api.logger.debug?.("feishu_perm: perm tool disabled in config (default: false)");
+    return;
+  }
+
+  type FeishuPermExecuteParams = FeishuPermParams & { accountId?: string };
+
+  api.registerTool(
+    (ctx) => {
+      const defaultAccountId = ctx.agentAccountId;
+      return {
+        name: "feishu_perm",
+        label: "Feishu Perm",
+        description: "Feishu permission management. Actions: list, add, remove",
+        parameters: FeishuPermSchema,
+        async execute(_toolCallId, params) {
+          const p = params as FeishuPermExecuteParams;
+          try {
+            const client = createFeishuToolClient({
+              api,
+              executeParams: p,
+              defaultAccountId,
+            });
+            switch (p.action) {
+              case "list":
+                return jsonToolResult(await listMembers(client, p.token, p.type));
+              case "add":
+                return jsonToolResult(
+                  await addMember(client, p.token, p.type, p.member_type, p.member_id, p.perm),
+                );
+              case "remove":
+                return jsonToolResult(
+                  await removeMember(client, p.token, p.type, p.member_type, p.member_id),
+                );
+              default:
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any -- exhaustive check fallback
+                return unknownToolActionResult((p as { action?: unknown }).action);
+            }
+          } catch (err) {
+            return toolExecutionErrorResult(err);
+          }
+        },
+      };
+    },
+    { name: "feishu_perm" },
+  );
+
+  api.logger.info?.(`feishu_perm: Registered feishu_perm tool`);
+}

package/src/policy.test.ts

@@ -0,0 +1,154 @@
+import { describe, expect, it } from "vitest";
+import {
+  isFeishuGroupAllowed,
+  resolveFeishuAllowlistMatch,
+  resolveFeishuGroupConfig,
+} from "./policy.js";
+import type { FeishuConfig } from "./types.js";
+
+describe("feishu policy", () => {
+  describe("resolveFeishuGroupConfig", () => {
+    it("falls back to wildcard group config when direct match is missing", () => {
+      const cfg = {
+        groups: {
+          "*": { requireMention: false },
+          "oc-explicit": { requireMention: true },
+        },
+      } as unknown as FeishuConfig;
+
+      const resolved = resolveFeishuGroupConfig({
+        cfg,
+        groupId: "oc-missing",
+      });
+
+      expect(resolved).toEqual({ requireMention: false });
+    });
+
+    it("prefers exact group config over wildcard", () => {
+      const cfg = {
+        groups: {
+          "*": { requireMention: false },
+          "oc-explicit": { requireMention: true },
+        },
+      } as unknown as FeishuConfig;
+
+      const resolved = resolveFeishuGroupConfig({
+        cfg,
+        groupId: "oc-explicit",
+      });
+
+      expect(resolved).toEqual({ requireMention: true });
+    });
+
+    it("keeps case-insensitive matching for explicit group ids", () => {
+      const cfg = {
+        groups: {
+          "*": { requireMention: false },
+          OC_UPPER: { requireMention: true },
+        },
+      } as unknown as FeishuConfig;
+
+      const resolved = resolveFeishuGroupConfig({
+        cfg,
+        groupId: "oc_upper",
+      });
+
+      expect(resolved).toEqual({ requireMention: true });
+    });
+  });
+
+  describe("resolveFeishuAllowlistMatch", () => {
+    it("allows wildcard", () => {
+      expect(
+        resolveFeishuAllowlistMatch({
+          allowFrom: ["*"],
+          senderId: "ou-attacker",
+        }),
+      ).toEqual({ allowed: true, matchKey: "*", matchSource: "wildcard" });
+    });
+
+    it("matches normalized ID entries", () => {
+      expect(
+        resolveFeishuAllowlistMatch({
+          allowFrom: ["feishu:user:OU_ALLOWED"],
+          senderId: "ou_allowed",
+        }),
+      ).toEqual({ allowed: true, matchKey: "ou_allowed", matchSource: "id" });
+    });
+
+    it("supports user_id as an additional immutable sender candidate", () => {
+      expect(
+        resolveFeishuAllowlistMatch({
+          allowFrom: ["on_user_123"],
+          senderId: "ou_other",
+          senderIds: ["on_user_123"],
+        }),
+      ).toEqual({ allowed: true, matchKey: "on_user_123", matchSource: "id" });
+    });
+
+    it("does not authorize based on display-name collision", () => {
+      const victimOpenId = "ou_4f4ec5aa111122223333444455556666";
+
+      expect(
+        resolveFeishuAllowlistMatch({
+          allowFrom: [victimOpenId],
+          senderId: "ou_attacker_real_open_id",
+          senderIds: ["on_attacker_user_id"],
+          senderName: victimOpenId,
+        }),
+      ).toEqual({ allowed: false });
+    });
+  });
+
+  describe("isFeishuGroupAllowed", () => {
+    it("matches group IDs with chat: prefix", () => {
+      expect(
+        isFeishuGroupAllowed({
+          groupPolicy: "allowlist",
+          allowFrom: ["chat:oc_group_123"],
+          senderId: "oc_group_123",
+        }),
+      ).toBe(true);
+    });
+
+    it("allows group when groupPolicy is 'open'", () => {
+      expect(
+        isFeishuGroupAllowed({
+          groupPolicy: "open",
+          allowFrom: [],
+          senderId: "oc_group_999",
+        }),
+      ).toBe(true);
+    });
+
+    it("treats 'allowall' as equivalent to 'open'", () => {
+      expect(
+        isFeishuGroupAllowed({
+          groupPolicy: "allowall",
+          allowFrom: [],
+          senderId: "oc_group_999",
+        }),
+      ).toBe(true);
+    });
+
+    it("rejects group when groupPolicy is 'disabled'", () => {
+      expect(
+        isFeishuGroupAllowed({
+          groupPolicy: "disabled",
+          allowFrom: ["oc_group_999"],
+          senderId: "oc_group_999",
+        }),
+      ).toBe(false);
+    });
+
+    it("rejects group when groupPolicy is 'allowlist' and allowFrom is empty", () => {
+      expect(
+        isFeishuGroupAllowed({
+          groupPolicy: "allowlist",
+          allowFrom: [],
+          senderId: "oc_group_999",
+        }),
+      ).toBe(false);
+    });
+  });
+});

package/src/policy.ts

@@ -0,0 +1,123 @@
+import type {
+  AllowlistMatch,
+  ChannelGroupContext,
+  GroupToolPolicyConfig,
+} from "openclaw/plugin-sdk/feishu";
+import { evaluateSenderGroupAccessForPolicy } from "openclaw/plugin-sdk/feishu";
+import { normalizeFeishuTarget } from "./targets.js";
+import type { FeishuConfig, FeishuGroupConfig } from "./types.js";
+
+export type FeishuAllowlistMatch = AllowlistMatch<"wildcard" | "id">;
+
+function normalizeFeishuAllowEntry(raw: string): string {
+  const trimmed = raw.trim();
+  if (!trimmed) {
+    return "";
+  }
+  if (trimmed === "*") {
+    return "*";
+  }
+  const withoutProviderPrefix = trimmed.replace(/^feishu:/i, "");
+  const normalized = normalizeFeishuTarget(withoutProviderPrefix) ?? withoutProviderPrefix;
+  return normalized.trim().toLowerCase();
+}
+
+export function resolveFeishuAllowlistMatch(params: {
+  allowFrom: Array<string | number>;
+  senderId: string;
+  senderIds?: Array<string | null | undefined>;
+  senderName?: string | null;
+}): FeishuAllowlistMatch {
+  const allowFrom = params.allowFrom
+    .map((entry) => normalizeFeishuAllowEntry(String(entry)))
+    .filter(Boolean);
+  if (allowFrom.length === 0) {
+    return { allowed: false };
+  }
+  if (allowFrom.includes("*")) {
+    return { allowed: true, matchKey: "*", matchSource: "wildcard" };
+  }
+
+  // Feishu allowlists are ID-based; mutable display names must never grant access.
+  const senderCandidates = [params.senderId, ...(params.senderIds ?? [])]
+    .map((entry) => normalizeFeishuAllowEntry(String(entry ?? "")))
+    .filter(Boolean);
+
+  for (const senderId of senderCandidates) {
+    if (allowFrom.includes(senderId)) {
+      return { allowed: true, matchKey: senderId, matchSource: "id" };
+    }
+  }
+
+  return { allowed: false };
+}
+
+export function resolveFeishuGroupConfig(params: {
+  cfg?: FeishuConfig;
+  groupId?: string | null;
+}): FeishuGroupConfig | undefined {
+  const groups = params.cfg?.groups ?? {};
+  const wildcard = groups["*"];
+  const groupId = params.groupId?.trim();
+  if (!groupId) {
+    return undefined;
+  }
+
+  const direct = groups[groupId];
+  if (direct) {
+    return direct;
+  }
+
+  const lowered = groupId.toLowerCase();
+  const matchKey = Object.keys(groups).find((key) => key.toLowerCase() === lowered);
+  if (matchKey) {
+    return groups[matchKey];
+  }
+  return wildcard;
+}
+
+export function resolveFeishuGroupToolPolicy(
+  params: ChannelGroupContext,
+): GroupToolPolicyConfig | undefined {
+  const cfg = params.cfg.channels?.feishu as FeishuConfig | undefined;
+  if (!cfg) {
+    return undefined;
+  }
+
+  const groupConfig = resolveFeishuGroupConfig({
+    cfg,
+    groupId: params.groupId,
+  });
+
+  return groupConfig?.tools;
+}
+
+export function isFeishuGroupAllowed(params: {
+  groupPolicy: "open" | "allowlist" | "disabled" | "allowall";
+  allowFrom: Array<string | number>;
+  senderId: string;
+  senderIds?: Array<string | null | undefined>;
+  senderName?: string | null;
+}): boolean {
+  return evaluateSenderGroupAccessForPolicy({
+    groupPolicy: params.groupPolicy === "allowall" ? "open" : params.groupPolicy,
+    groupAllowFrom: params.allowFrom.map((entry) => String(entry)),
+    senderId: params.senderId,
+    isSenderAllowed: () => resolveFeishuAllowlistMatch(params).allowed,
+  }).allowed;
+}
+
+export function resolveFeishuReplyPolicy(params: {
+  isDirectMessage: boolean;
+  globalConfig?: FeishuConfig;
+  groupConfig?: FeishuGroupConfig;
+}): { requireMention: boolean } {
+  if (params.isDirectMessage) {
+    return { requireMention: false };
+  }
+
+  const requireMention =
+    params.groupConfig?.requireMention ?? params.globalConfig?.requireMention ?? true;
+
+  return { requireMention };
+}

package/src/post.test.ts

@@ -0,0 +1,105 @@
+import { describe, expect, it } from "vitest";
+import { parsePostContent } from "./post.js";
+
+describe("parsePostContent", () => {
+  it("renders title and styled text as markdown", () => {
+    const content = JSON.stringify({
+      title: "Daily *Plan*",
+      content: [
+        [
+          { tag: "text", text: "Bold", style: { bold: true } },
+          { tag: "text", text: " " },
+          { tag: "text", text: "Italic", style: { italic: true } },
+          { tag: "text", text: " " },
+          { tag: "text", text: "Underline", style: { underline: true } },
+          { tag: "text", text: " " },
+          { tag: "text", text: "Strike", style: { strikethrough: true } },
+          { tag: "text", text: " " },
+          { tag: "text", text: "Code", style: { code: true, bold: true } },
+        ],
+      ],
+    });
+
+    const result = parsePostContent(content);
+
+    expect(result.textContent).toBe(
+      "Daily \\*Plan\\*\n\n**Bold** *Italic* <u>Underline</u> ~~Strike~~ `Code`",
+    );
+    expect(result.imageKeys).toEqual([]);
+    expect(result.mentionedOpenIds).toEqual([]);
+  });
+
+  it("renders links and mentions", () => {
+    const content = JSON.stringify({
+      title: "",
+      content: [
+        [
+          { tag: "a", text: "Docs [v2]", href: "https://example.com/guide(a)" },
+          { tag: "text", text: " " },
+          { tag: "at", user_name: "alice_bob" },
+          { tag: "text", text: " " },
+          { tag: "at", open_id: "ou_123" },
+          { tag: "text", text: " " },
+          { tag: "a", href: "https://example.com/no-text" },
+        ],
+      ],
+    });
+
+    const result = parsePostContent(content);
+
+    expect(result.textContent).toBe(
+      "[Docs \\[v2\\]](https://example.com/guide(a)) @alice\\_bob @ou\\_123 [https://example.com/no\\-text](https://example.com/no-text)",
+    );
+    expect(result.mentionedOpenIds).toEqual(["ou_123"]);
+  });
+
+  it("inserts image placeholders and collects image keys", () => {
+    const content = JSON.stringify({
+      title: "",
+      content: [
+        [
+          { tag: "text", text: "Before " },
+          { tag: "img", image_key: "img_1" },
+          { tag: "text", text: " after" },
+        ],
+        [{ tag: "img", image_key: "img_2" }],
+      ],
+    });
+
+    const result = parsePostContent(content);
+
+    expect(result.textContent).toBe("Before ![image] after\n![image]");
+    expect(result.imageKeys).toEqual(["img_1", "img_2"]);
+    expect(result.mentionedOpenIds).toEqual([]);
+  });
+
+  it("supports locale wrappers", () => {
+    const wrappedByPost = JSON.stringify({
+      post: {
+        zh_cn: {
+          title: "标题",
+          content: [[{ tag: "text", text: "内容A" }]],
+        },
+      },
+    });
+    const wrappedByLocale = JSON.stringify({
+      zh_cn: {
+        title: "标题",
+        content: [[{ tag: "text", text: "内容B" }]],
+      },
+    });
+
+    expect(parsePostContent(wrappedByPost)).toEqual({
+      textContent: "标题\n\n内容A",
+      imageKeys: [],
+      mediaKeys: [],
+      mentionedOpenIds: [],
+    });
+    expect(parsePostContent(wrappedByLocale)).toEqual({
+      textContent: "标题\n\n内容B",
+      imageKeys: [],
+      mediaKeys: [],
+      mentionedOpenIds: [],
+    });
+  });
+});