@nextclaw/channel-plugin-feishu 0.2.14 → 0.2.15

package/index.ts

@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/feishu";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/feishu";
+import type { OpenClawPluginApi } from "./src/nextclaw-sdk/feishu.js";
+import { emptyPluginConfigSchema } from "./src/nextclaw-sdk/feishu.js";
 import { registerFeishuBitableTools } from "./src/bitable.js";
 import { feishuPlugin } from "./src/channel.js";
 import { registerFeishuChatTools } from "./src/chat.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nextclaw/channel-plugin-feishu",
-  "version": "0.2.14",
+  "version": "0.2.15",
   "private": false,
   "description": "NextClaw Feishu/Lark channel plugin with doc/wiki/drive tools.",
   "type": "module",
@@ -43,7 +43,6 @@
     "@larksuiteoapi/node-sdk": "^1.59.0",
     "@sinclair/typebox": "0.34.48",
     "https-proxy-agent": "^8.0.0",
-    "openclaw": "2026.3.13",
     "zod": "^4.3.6"
   },
   "scripts": {

package/src/accounts.ts

@@ -1,5 +1,5 @@
-import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "openclaw/plugin-sdk/account-id";
-import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "./nextclaw-sdk/account-id.js";
+import type { ClawdbotConfig } from "./nextclaw-sdk/feishu.js";
 import { normalizeResolvedSecretInputString, normalizeSecretInputString } from "./secret-input.js";
 import type {
   FeishuConfig,

package/src/bitable.ts

@@ -1,6 +1,6 @@
 import type * as Lark from "@larksuiteoapi/node-sdk";
 import { Type } from "@sinclair/typebox";
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/feishu";
+import type { OpenClawPluginApi } from "./nextclaw-sdk/feishu.js";
 import { listEnabledFeishuAccounts } from "./accounts.js";
 import { createFeishuToolClient } from "./tool-account.js";
 

package/src/bot.test.ts

@@ -1,4 +1,4 @@
-import type { ClawdbotConfig, PluginRuntime, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import type { ClawdbotConfig, PluginRuntime, RuntimeEnv } from "./nextclaw-sdk/feishu.js";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import { createPluginRuntimeMock } from "../../test-utils/plugin-runtime-mock.js";
 import type { FeishuMessageEvent } from "./bot.js";

package/src/bot.ts

@@ -1,4 +1,4 @@
-import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import type { ClawdbotConfig, RuntimeEnv } from "./nextclaw-sdk/feishu.js";
 import {
   buildAgentMediaPayload,
   buildPendingHistoryContextFromMap,
@@ -12,7 +12,7 @@ import {
   resolveOpenProviderRuntimeGroupPolicy,
   resolveDefaultGroupPolicy,
   warnMissingProviderGroupPolicyFallbackOnce,
-} from "openclaw/plugin-sdk/feishu";
+} from "./nextclaw-sdk/feishu.js";
 import { resolveFeishuAccount } from "./accounts.js";
 import { createFeishuClient } from "./client.js";
 import { finalizeFeishuMessageProcessing, tryRecordMessagePersistent } from "./dedup.js";

package/src/card-action.ts

@@ -1,4 +1,4 @@
-import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import type { ClawdbotConfig, RuntimeEnv } from "./nextclaw-sdk/feishu.js";
 import { resolveFeishuAccount } from "./accounts.js";
 import { handleFeishuMessage, type FeishuMessageEvent } from "./bot.js";
 

package/src/channel.test.ts

@@ -1,4 +1,4 @@
-import type { OpenClawConfig } from "openclaw/plugin-sdk/feishu";
+import type { OpenClawConfig } from "./nextclaw-sdk/feishu.js";
 import { describe, expect, it, vi } from "vitest";
 
 const probeFeishuMock = vi.hoisted(() => vi.fn());

package/src/channel.ts

@@ -2,15 +2,15 @@ import {
   collectAllowlistProviderRestrictSendersWarnings,
   formatAllowFromLowercase,
   mapAllowFromEntries,
-} from "openclaw/plugin-sdk/compat";
-import type { ChannelMeta, ChannelPlugin, ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+} from "./nextclaw-sdk/compat.js";
+import type { ChannelMeta, ChannelPlugin, ClawdbotConfig } from "./nextclaw-sdk/feishu.js";
 import {
   buildProbeChannelStatusSummary,
   buildRuntimeAccountStatusSnapshot,
   createDefaultChannelRuntimeState,
   DEFAULT_ACCOUNT_ID,
   PAIRING_APPROVED_MESSAGE,
-} from "openclaw/plugin-sdk/feishu";
+} from "./nextclaw-sdk/feishu.js";
 import {
   resolveFeishuAccount,
   resolveFeishuCredentials,

package/src/chat.ts

@@ -1,5 +1,5 @@
 import type * as Lark from "@larksuiteoapi/node-sdk";
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/feishu";
+import type { OpenClawPluginApi } from "./nextclaw-sdk/feishu.js";
 import { listEnabledFeishuAccounts } from "./accounts.js";
 import { FeishuChatSchema, type FeishuChatParams } from "./chat-schema.js";
 import { createFeishuClient } from "./client.js";

package/src/config-schema.ts

@@ -1,4 +1,4 @@
-import { normalizeAccountId } from "openclaw/plugin-sdk/account-id";
+import { normalizeAccountId } from "./nextclaw-sdk/account-id.js";
 import { z } from "zod";
 export { z };
 import { buildSecretInputSchema, hasConfiguredSecretInput } from "./secret-input.js";

package/src/dedup.ts

@@ -4,7 +4,7 @@ import {
   createDedupeCache,
   createPersistentDedupe,
   readJsonFileWithFallback,
-} from "openclaw/plugin-sdk/feishu";
+} from "./nextclaw-sdk/feishu.js";
 
 // Persistent TTL: 24 hours — survives restarts & WebSocket reconnects.
 const DEDUP_TTL_MS = 24 * 60 * 60 * 1000;

package/src/directory.test.ts

@@ -1,4 +1,4 @@
-import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import type { ClawdbotConfig } from "./nextclaw-sdk/feishu.js";
 import { describe, expect, it, vi } from "vitest";
 
 vi.mock("./accounts.js", () => ({

package/src/directory.ts

@@ -1,8 +1,8 @@
 import {
   listDirectoryGroupEntriesFromMapKeysAndAllowFrom,
   listDirectoryUserEntriesFromAllowFromAndMapKeys,
-} from "openclaw/plugin-sdk/compat";
-import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+} from "./nextclaw-sdk/compat.js";
+import type { ClawdbotConfig } from "./nextclaw-sdk/feishu.js";
 import { resolveFeishuAccount } from "./accounts.js";
 import { createFeishuClient } from "./client.js";
 import { normalizeFeishuTarget } from "./targets.js";

package/src/docx.account-selection.test.ts

@@ -1,4 +1,4 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/feishu";
+import type { OpenClawPluginApi } from "./nextclaw-sdk/feishu.js";
 import { describe, expect, test, vi } from "vitest";
 import { registerFeishuDocTools } from "./docx.js";
 import { createToolFactoryHarness } from "./tool-factory-test-harness.js";

package/src/docx.ts

@@ -4,7 +4,7 @@ import { isAbsolute } from "node:path";
 import { basename } from "node:path";
 import type * as Lark from "@larksuiteoapi/node-sdk";
 import { Type } from "@sinclair/typebox";
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/feishu";
+import type { OpenClawPluginApi } from "./nextclaw-sdk/feishu.js";
 import { listEnabledFeishuAccounts } from "./accounts.js";
 import { FeishuDocSchema, type FeishuDocParams } from "./doc-schema.js";
 import { BATCH_SIZE, insertBlocksInBatches } from "./docx-batch-insert.js";

package/src/drive.ts

@@ -1,5 +1,5 @@
 import type * as Lark from "@larksuiteoapi/node-sdk";
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/feishu";
+import type { OpenClawPluginApi } from "./nextclaw-sdk/feishu.js";
 import { listEnabledFeishuAccounts } from "./accounts.js";
 import { FeishuDriveSchema, type FeishuDriveParams } from "./drive-schema.js";
 import { createFeishuToolClient, resolveAnyEnabledFeishuToolsConfig } from "./tool-account.js";

package/src/dynamic-agent.ts

@@ -1,7 +1,7 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import type { OpenClawConfig, PluginRuntime } from "openclaw/plugin-sdk/feishu";
+import type { OpenClawConfig, PluginRuntime } from "./nextclaw-sdk/feishu.js";
 import type { DynamicAgentCreationConfig } from "./types.js";
 
 export type MaybeCreateDynamicAgentResult = {

package/src/media.ts

@@ -1,7 +1,7 @@
 import fs from "fs";
 import path from "path";
 import { Readable } from "stream";
-import { withTempDownloadPath, type ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import { withTempDownloadPath, type ClawdbotConfig } from "./nextclaw-sdk/feishu.js";
 import { resolveFeishuAccount } from "./accounts.js";
 import { createFeishuClient } from "./client.js";
 import { normalizeFeishuExternalKey } from "./external-keys.js";

package/src/monitor.account.ts

@@ -1,6 +1,6 @@
 import * as crypto from "crypto";
 import * as Lark from "@larksuiteoapi/node-sdk";
-import type { ClawdbotConfig, RuntimeEnv, HistoryEntry } from "openclaw/plugin-sdk/feishu";
+import type { ClawdbotConfig, RuntimeEnv, HistoryEntry } from "./nextclaw-sdk/feishu.js";
 import { resolveFeishuAccount } from "./accounts.js";
 import { raceWithTimeoutAndAbort } from "./async.js";
 import {

package/src/monitor.reaction.test.ts

@@ -1,4 +1,4 @@
-import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import type { ClawdbotConfig, RuntimeEnv } from "./nextclaw-sdk/feishu.js";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { hasControlCommand } from "../../../src/auto-reply/command-detection.js";
 import {

package/src/monitor.startup.test.ts

@@ -1,4 +1,4 @@
-import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import type { ClawdbotConfig } from "./nextclaw-sdk/feishu.js";
 import { afterEach, describe, expect, it, vi } from "vitest";
 import { monitorFeishuProvider, stopFeishuMonitor } from "./monitor.js";
 

package/src/monitor.startup.ts

@@ -1,4 +1,4 @@
-import type { RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import type { RuntimeEnv } from "./nextclaw-sdk/feishu.js";
 import { probeFeishu } from "./probe.js";
 import type { ResolvedFeishuAccount } from "./types.js";
 

package/src/monitor.state.ts

@@ -6,7 +6,7 @@ import {
   type RuntimeEnv,
   WEBHOOK_ANOMALY_COUNTER_DEFAULTS as WEBHOOK_ANOMALY_COUNTER_DEFAULTS_FROM_SDK,
   WEBHOOK_RATE_LIMIT_DEFAULTS as WEBHOOK_RATE_LIMIT_DEFAULTS_FROM_SDK,
-} from "openclaw/plugin-sdk/feishu";
+} from "./nextclaw-sdk/feishu.js";
 
 export const wsClients = new Map<string, Lark.WSClient>();
 export const httpServers = new Map<string, http.Server>();

package/src/monitor.transport.ts

@@ -6,7 +6,7 @@ import {
   readJsonBodyWithLimit,
   type RuntimeEnv,
   installRequestBodyLimitGuard,
-} from "openclaw/plugin-sdk/feishu";
+} from "./nextclaw-sdk/feishu.js";
 import { createFeishuWSClient } from "./client.js";
 import {
   botNames,

package/src/monitor.ts

@@ -1,4 +1,4 @@
-import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
+import type { ClawdbotConfig, RuntimeEnv } from "./nextclaw-sdk/feishu.js";
 import { listEnabledFeishuAccounts, resolveFeishuAccount } from "./accounts.js";
 import {
   monitorSingleAccount,

package/src/monitor.webhook.test-helpers.ts

@@ -1,6 +1,6 @@
 import { createServer } from "node:http";
 import type { AddressInfo } from "node:net";
-import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import type { ClawdbotConfig } from "./nextclaw-sdk/feishu.js";
 import { vi } from "vitest";
 import type { monitorFeishuProvider } from "./monitor.js";
 

package/src/nextclaw-sdk/account-id.ts

@@ -0,0 +1,31 @@
+export const DEFAULT_ACCOUNT_ID = "default";
+
+export function normalizeAccountId(accountId?: string | null): string {
+  const trimmed = accountId?.trim();
+  return trimmed || DEFAULT_ACCOUNT_ID;
+}
+
+export function normalizeOptionalAccountId(accountId?: string | null): string | undefined {
+  const trimmed = accountId?.trim();
+  return trimmed ? normalizeAccountId(trimmed) : undefined;
+}
+
+const VALID_AGENT_ID_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/i;
+const INVALID_AGENT_CHARS_RE = /[^a-z0-9_-]+/g;
+
+export function normalizeAgentId(value?: string | null): string {
+  const trimmed = value?.trim();
+  if (!trimmed) {
+    return "main";
+  }
+  if (VALID_AGENT_ID_RE.test(trimmed)) {
+    return trimmed.toLowerCase();
+  }
+  const normalized = trimmed
+    .toLowerCase()
+    .replace(INVALID_AGENT_CHARS_RE, "-")
+    .replace(/^-+/, "")
+    .replace(/-+$/, "")
+    .slice(0, 64);
+  return normalized || "main";
+}

package/src/nextclaw-sdk/compat.ts

@@ -0,0 +1,8 @@
+export {
+  collectAllowlistProviderRestrictSendersWarnings,
+  formatAllowFromLowercase,
+  listDirectoryGroupEntriesFromMapKeysAndAllowFrom,
+  listDirectoryUserEntriesFromAllowFromAndMapKeys,
+  mapAllowFromEntries,
+} from "./core.js";
+export { createPluginRuntimeStore } from "./runtime-store.js";

package/src/nextclaw-sdk/core-channel.ts

@@ -0,0 +1,296 @@
+import type { GroupPolicy, OpenClawConfig } from "./types.js";
+
+export function emptyPluginConfigSchema(): {
+  type: "object";
+  additionalProperties: false;
+  properties: Record<string, unknown>;
+} {
+  return {
+    type: "object",
+    additionalProperties: false,
+    properties: {},
+  };
+}
+
+const warnedMissingProviderGroupPolicy = new Set<string>();
+
+export function resolveDefaultGroupPolicy(cfg: {
+  channels?: {
+    defaults?: {
+      groupPolicy?: GroupPolicy;
+    };
+  };
+}): GroupPolicy | undefined {
+  return cfg.channels?.defaults?.groupPolicy;
+}
+
+export function resolveOpenProviderRuntimeGroupPolicy(params: {
+  providerConfigPresent: boolean;
+  groupPolicy?: GroupPolicy;
+  defaultGroupPolicy?: GroupPolicy;
+}): {
+  groupPolicy: GroupPolicy;
+  providerMissingFallbackApplied: boolean;
+} {
+  const groupPolicy = params.providerConfigPresent
+    ? (params.groupPolicy ?? params.defaultGroupPolicy ?? "open")
+    : (params.groupPolicy ?? "allowlist");
+  return {
+    groupPolicy,
+    providerMissingFallbackApplied: !params.providerConfigPresent && params.groupPolicy === undefined,
+  };
+}
+
+export function warnMissingProviderGroupPolicyFallbackOnce(params: {
+  providerMissingFallbackApplied: boolean;
+  providerKey: string;
+  accountId?: string;
+  blockedLabel?: string;
+  log: (message: string) => void;
+}): boolean {
+  if (!params.providerMissingFallbackApplied) {
+    return false;
+  }
+  const key = `${params.providerKey}:${params.accountId ?? "*"}`;
+  if (warnedMissingProviderGroupPolicy.has(key)) {
+    return false;
+  }
+  warnedMissingProviderGroupPolicy.add(key);
+  const blockedLabel = params.blockedLabel?.trim() || "group messages";
+  params.log(
+    `${params.providerKey}: channels.${params.providerKey} is missing; defaulting groupPolicy to "allowlist" (${blockedLabel} blocked until explicitly configured).`,
+  );
+  return true;
+}
+
+export function evaluateSenderGroupAccessForPolicy(params: {
+  groupPolicy: GroupPolicy;
+  providerMissingFallbackApplied?: boolean;
+  groupAllowFrom: string[];
+  senderId: string;
+  isSenderAllowed: (senderId: string, allowFrom: string[]) => boolean;
+}): {
+  allowed: boolean;
+  groupPolicy: GroupPolicy;
+  providerMissingFallbackApplied: boolean;
+  reason: "allowed" | "disabled" | "empty_allowlist" | "sender_not_allowlisted";
+} {
+  if (params.groupPolicy === "disabled") {
+    return {
+      allowed: false,
+      groupPolicy: params.groupPolicy,
+      providerMissingFallbackApplied: Boolean(params.providerMissingFallbackApplied),
+      reason: "disabled",
+    };
+  }
+  if (params.groupPolicy === "allowlist") {
+    if (params.groupAllowFrom.length === 0) {
+      return {
+        allowed: false,
+        groupPolicy: params.groupPolicy,
+        providerMissingFallbackApplied: Boolean(params.providerMissingFallbackApplied),
+        reason: "empty_allowlist",
+      };
+    }
+    if (!params.isSenderAllowed(params.senderId, params.groupAllowFrom)) {
+      return {
+        allowed: false,
+        groupPolicy: params.groupPolicy,
+        providerMissingFallbackApplied: Boolean(params.providerMissingFallbackApplied),
+        reason: "sender_not_allowlisted",
+      };
+    }
+  }
+  return {
+    allowed: true,
+    groupPolicy: params.groupPolicy,
+    providerMissingFallbackApplied: Boolean(params.providerMissingFallbackApplied),
+    reason: "allowed",
+  };
+}
+
+export function createDefaultChannelRuntimeState<T extends Record<string, unknown>>(
+  accountId: string,
+  extra?: T,
+): {
+  accountId: string;
+  running: false;
+  lastStartAt: null;
+  lastStopAt: null;
+  lastError: null;
+} & T {
+  return {
+    accountId,
+    running: false,
+    lastStartAt: null,
+    lastStopAt: null,
+    lastError: null,
+    ...(extra ?? ({} as T)),
+  };
+}
+
+export function buildProbeChannelStatusSummary<TExtra extends Record<string, unknown>>(
+  snapshot: {
+    configured?: boolean | null;
+    running?: boolean | null;
+    lastStartAt?: number | null;
+    lastStopAt?: number | null;
+    lastError?: string | null;
+    probe?: unknown;
+    lastProbeAt?: number | null;
+  },
+  extra?: TExtra,
+) {
+  return {
+    configured: snapshot.configured ?? false,
+    running: snapshot.running ?? false,
+    lastStartAt: snapshot.lastStartAt ?? null,
+    lastStopAt: snapshot.lastStopAt ?? null,
+    lastError: snapshot.lastError ?? null,
+    ...(extra ?? ({} as TExtra)),
+    probe: snapshot.probe,
+    lastProbeAt: snapshot.lastProbeAt ?? null,
+  };
+}
+
+export function buildRuntimeAccountStatusSnapshot(params: {
+  runtime?: {
+    running?: boolean | null;
+    lastStartAt?: number | null;
+    lastStopAt?: number | null;
+    lastError?: string | null;
+  } | null;
+  probe?: unknown;
+}) {
+  return {
+    running: params.runtime?.running ?? false,
+    lastStartAt: params.runtime?.lastStartAt ?? null,
+    lastStopAt: params.runtime?.lastStopAt ?? null,
+    lastError: params.runtime?.lastError ?? null,
+    probe: params.probe,
+  };
+}
+
+export function mapAllowFromEntries(
+  allowFrom: Array<string | number> | null | undefined,
+): string[] {
+  return (allowFrom ?? []).map((entry) => String(entry));
+}
+
+export function formatAllowFromLowercase(params: {
+  allowFrom: Array<string | number>;
+  stripPrefixRe?: RegExp;
+}): string[] {
+  return params.allowFrom
+    .map((entry) => String(entry).trim())
+    .filter(Boolean)
+    .map((entry) => (params.stripPrefixRe ? entry.replace(params.stripPrefixRe, "") : entry))
+    .map((entry) => entry.toLowerCase());
+}
+
+function applyDirectoryQueryAndLimit(
+  ids: string[],
+  params: { query?: string | null; limit?: number | null },
+): string[] {
+  const query = params.query?.trim().toLowerCase() || "";
+  const limit = typeof params.limit === "number" && params.limit > 0 ? params.limit : undefined;
+  const filtered = ids.filter((id) => (query ? id.toLowerCase().includes(query) : true));
+  return typeof limit === "number" ? filtered.slice(0, limit) : filtered;
+}
+
+function dedupeIds(ids: string[]): string[] {
+  return Array.from(new Set(ids));
+}
+
+function collectEntryIds(params: {
+  entries?: readonly unknown[];
+  normalizeId?: (entry: string) => string | null | undefined;
+}): string[] {
+  return (params.entries ?? [])
+    .map((entry) => String(entry).trim())
+    .filter((entry) => Boolean(entry) && entry !== "*")
+    .map((entry) => {
+      const normalized = params.normalizeId ? params.normalizeId(entry) : entry;
+      return typeof normalized === "string" ? normalized.trim() : "";
+    })
+    .filter(Boolean);
+}
+
+function collectMapIds(params: {
+  map?: Record<string, unknown>;
+  normalizeId?: (entry: string) => string | null | undefined;
+}): string[] {
+  return collectEntryIds({
+    entries: Object.keys(params.map ?? {}),
+    normalizeId: params.normalizeId,
+  });
+}
+
+export function listDirectoryUserEntriesFromAllowFromAndMapKeys(params: {
+  allowFrom?: readonly unknown[];
+  map?: Record<string, unknown>;
+  query?: string | null;
+  limit?: number | null;
+  normalizeAllowFromId?: (entry: string) => string | null | undefined;
+  normalizeMapKeyId?: (entry: string) => string | null | undefined;
+}): Array<{ kind: "user"; id: string }> {
+  const ids = dedupeIds([
+    ...collectEntryIds({
+      entries: params.allowFrom,
+      normalizeId: params.normalizeAllowFromId,
+    }),
+    ...collectMapIds({
+      map: params.map,
+      normalizeId: params.normalizeMapKeyId,
+    }),
+  ]);
+  return applyDirectoryQueryAndLimit(ids, params).map((id) => ({ kind: "user", id }));
+}
+
+export function listDirectoryGroupEntriesFromMapKeysAndAllowFrom(params: {
+  groups?: Record<string, unknown>;
+  allowFrom?: readonly unknown[];
+  query?: string | null;
+  limit?: number | null;
+  normalizeMapKeyId?: (entry: string) => string | null | undefined;
+  normalizeAllowFromId?: (entry: string) => string | null | undefined;
+}): Array<{ kind: "group"; id: string }> {
+  const ids = dedupeIds([
+    ...collectMapIds({
+      map: params.groups,
+      normalizeId: params.normalizeMapKeyId,
+    }),
+    ...collectEntryIds({
+      entries: params.allowFrom,
+      normalizeId: params.normalizeAllowFromId,
+    }),
+  ]);
+  return applyDirectoryQueryAndLimit(ids, params).map((id) => ({ kind: "group", id }));
+}
+
+export function collectAllowlistProviderRestrictSendersWarnings(params: {
+  cfg: OpenClawConfig;
+  providerConfigPresent: boolean;
+  configuredGroupPolicy?: GroupPolicy | null;
+  surface: string;
+  openScope: string;
+  groupPolicyPath: string;
+  groupAllowFromPath: string;
+  mentionGated?: boolean;
+}): string[] {
+  const defaultGroupPolicy = resolveDefaultGroupPolicy(params.cfg as {
+    channels?: { defaults?: { groupPolicy?: GroupPolicy } };
+  });
+  const { groupPolicy } = resolveOpenProviderRuntimeGroupPolicy({
+    providerConfigPresent: params.providerConfigPresent,
+    groupPolicy: params.configuredGroupPolicy ?? undefined,
+    defaultGroupPolicy,
+  });
+  if (groupPolicy !== "open") {
+    return [];
+  }
+  const mentionSuffix = params.mentionGated === false ? "" : " (mention-gated)";
+  return [
+    `- ${params.surface}: groupPolicy="open" allows ${params.openScope} to trigger${mentionSuffix}. Set ${params.groupPolicyPath}="allowlist" + ${params.groupAllowFromPath} to restrict senders.`,
+  ];
+}