@openclaw/feishu 2026.3.11 → 2026.3.12

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/feishu",
-  "version": "2026.3.11",
+  "version": "2026.3.12",
   "description": "OpenClaw Feishu/Lark channel plugin (community maintained by @m1heng)",
   "type": "module",
   "dependencies": {

package/src/accounts.test.ts

@@ -241,6 +241,25 @@ describe("resolveFeishuCredentials", () => {
       domain: "feishu",
     });
   });
+
+  it("does not resolve encryptKey SecretRefs outside webhook mode", () => {
+    const creds = resolveFeishuCredentials(
+      asConfig({
+        connectionMode: "websocket",
+        appId: "cli_123",
+        appSecret: "secret_456",
+        encryptKey: { source: "file", provider: "default", id: "path/to/secret" } as never,
+      }),
+    );
+
+    expect(creds).toEqual({
+      appId: "cli_123",
+      appSecret: "secret_456", // pragma: allowlist secret
+      encryptKey: undefined,
+      verificationToken: undefined,
+      domain: "feishu",
+    });
+  });
 });
 
 describe("resolveFeishuAccount", () => {

package/src/accounts.ts

@@ -169,10 +169,14 @@ export function resolveFeishuCredentials(
   if (!appId || !appSecret) {
     return null;
   }
+  const connectionMode = cfg?.connectionMode ?? "websocket";
   return {
     appId,
     appSecret,
-    encryptKey: normalizeString(cfg?.encryptKey),
+    encryptKey:
+      connectionMode === "webhook"
+        ? resolveSecretLike(cfg?.encryptKey, "channels.feishu.encryptKey")
+        : normalizeString(cfg?.encryptKey),
     verificationToken: resolveSecretLike(
       cfg?.verificationToken,
       "channels.feishu.verificationToken",

package/src/channel.ts

@@ -129,7 +129,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
         defaultAccount: { type: "string" },
         appId: { type: "string" },
         appSecret: secretInputJsonSchema,
-        encryptKey: { type: "string" },
+        encryptKey: secretInputJsonSchema,
         verificationToken: secretInputJsonSchema,
         domain: {
           oneOf: [
@@ -170,7 +170,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount> = {
               name: { type: "string" },
               appId: { type: "string" },
               appSecret: secretInputJsonSchema,
-              encryptKey: { type: "string" },
+              encryptKey: secretInputJsonSchema,
               verificationToken: secretInputJsonSchema,
               domain: { type: "string", enum: ["feishu", "lark"] },
               connectionMode: { type: "string", enum: ["websocket", "webhook"] },

package/src/config-schema.test.ts

@@ -47,7 +47,7 @@ describe("FeishuConfigSchema webhook validation", () => {
     }
   });
 
-  it("accepts top-level webhook mode with verificationToken", () => {
+  it("rejects top-level webhook mode without encryptKey", () => {
     const result = FeishuConfigSchema.safeParse({
       connectionMode: "webhook",
       verificationToken: "token_top",
@@ -55,6 +55,21 @@ describe("FeishuConfigSchema webhook validation", () => {
       appSecret: "secret_top", // pragma: allowlist secret
     });
 
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error.issues.some((issue) => issue.path.join(".") === "encryptKey")).toBe(true);
+    }
+  });
+
+  it("accepts top-level webhook mode with verificationToken and encryptKey", () => {
+    const result = FeishuConfigSchema.safeParse({
+      connectionMode: "webhook",
+      verificationToken: "token_top",
+      encryptKey: "encrypt_top",
+      appId: "cli_top",
+      appSecret: "secret_top", // pragma: allowlist secret
+    });
+
     expect(result.success).toBe(true);
   });
 
@@ -79,9 +94,30 @@ describe("FeishuConfigSchema webhook validation", () => {
     }
   });
 
-  it("accepts account webhook mode inheriting top-level verificationToken", () => {
+  it("rejects account webhook mode without encryptKey", () => {
+    const result = FeishuConfigSchema.safeParse({
+      accounts: {
+        main: {
+          connectionMode: "webhook",
+          verificationToken: "token_main",
+          appId: "cli_main",
+          appSecret: "secret_main", // pragma: allowlist secret
+        },
+      },
+    });
+
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(
+        result.error.issues.some((issue) => issue.path.join(".") === "accounts.main.encryptKey"),
+      ).toBe(true);
+    }
+  });
+
+  it("accepts account webhook mode inheriting top-level verificationToken and encryptKey", () => {
     const result = FeishuConfigSchema.safeParse({
       verificationToken: "token_top",
+      encryptKey: "encrypt_top",
       accounts: {
         main: {
           connectionMode: "webhook",
@@ -102,6 +138,31 @@ describe("FeishuConfigSchema webhook validation", () => {
         provider: "default",
         id: "FEISHU_VERIFICATION_TOKEN",
       },
+      encryptKey: "encrypt_top",
+      appId: "cli_top",
+      appSecret: {
+        source: "env",
+        provider: "default",
+        id: "FEISHU_APP_SECRET",
+      },
+    });
+
+    expect(result.success).toBe(true);
+  });
+
+  it("accepts SecretRef encryptKey in webhook mode", () => {
+    const result = FeishuConfigSchema.safeParse({
+      connectionMode: "webhook",
+      verificationToken: {
+        source: "env",
+        provider: "default",
+        id: "FEISHU_VERIFICATION_TOKEN",
+      },
+      encryptKey: {
+        source: "env",
+        provider: "default",
+        id: "FEISHU_ENCRYPT_KEY",
+      },
       appId: "cli_top",
       appSecret: {
         source: "env",

package/src/config-schema.ts

@@ -186,7 +186,7 @@ export const FeishuAccountConfigSchema = z
     name: z.string().optional(), // Display name for this account
     appId: z.string().optional(),
     appSecret: buildSecretInputSchema().optional(),
-    encryptKey: z.string().optional(),
+    encryptKey: buildSecretInputSchema().optional(),
     verificationToken: buildSecretInputSchema().optional(),
     domain: FeishuDomainSchema.optional(),
     connectionMode: FeishuConnectionModeSchema.optional(),
@@ -204,7 +204,7 @@ export const FeishuConfigSchema = z
     // Top-level credentials (backward compatible for single-account mode)
     appId: z.string().optional(),
     appSecret: buildSecretInputSchema().optional(),
-    encryptKey: z.string().optional(),
+    encryptKey: buildSecretInputSchema().optional(),
     verificationToken: buildSecretInputSchema().optional(),
     domain: FeishuDomainSchema.optional().default("feishu"),
     connectionMode: FeishuConnectionModeSchema.optional().default("websocket"),
@@ -240,13 +240,23 @@ export const FeishuConfigSchema = z
 
     const defaultConnectionMode = value.connectionMode ?? "websocket";
     const defaultVerificationTokenConfigured = hasConfiguredSecretInput(value.verificationToken);
-    if (defaultConnectionMode === "webhook" && !defaultVerificationTokenConfigured) {
-      ctx.addIssue({
-        code: z.ZodIssueCode.custom,
-        path: ["verificationToken"],
-        message:
-          'channels.feishu.connectionMode="webhook" requires channels.feishu.verificationToken',
-      });
+    const defaultEncryptKeyConfigured = hasConfiguredSecretInput(value.encryptKey);
+    if (defaultConnectionMode === "webhook") {
+      if (!defaultVerificationTokenConfigured) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["verificationToken"],
+          message:
+            'channels.feishu.connectionMode="webhook" requires channels.feishu.verificationToken',
+        });
+      }
+      if (!defaultEncryptKeyConfigured) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["encryptKey"],
+          message: 'channels.feishu.connectionMode="webhook" requires channels.feishu.encryptKey',
+        });
+      }
     }
 
     for (const [accountId, account] of Object.entries(value.accounts ?? {})) {
@@ -259,6 +269,8 @@ export const FeishuConfigSchema = z
       }
       const accountVerificationTokenConfigured =
         hasConfiguredSecretInput(account.verificationToken) || defaultVerificationTokenConfigured;
+      const accountEncryptKeyConfigured =
+        hasConfiguredSecretInput(account.encryptKey) || defaultEncryptKeyConfigured;
       if (!accountVerificationTokenConfigured) {
         ctx.addIssue({
           code: z.ZodIssueCode.custom,
@@ -268,6 +280,15 @@ export const FeishuConfigSchema = z
             "a verificationToken (account-level or top-level)",
         });
       }
+      if (!accountEncryptKeyConfigured) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["accounts", accountId, "encryptKey"],
+          message:
+            `channels.feishu.accounts.${accountId}.connectionMode="webhook" requires ` +
+            "an encryptKey (account-level or top-level)",
+        });
+      }
     }
 
     if (value.dmPolicy === "open") {

package/src/monitor.account.ts

@@ -24,14 +24,14 @@ import { botNames, botOpenIds } from "./monitor.state.js";
 import { monitorWebhook, monitorWebSocket } from "./monitor.transport.js";
 import { getFeishuRuntime } from "./runtime.js";
 import { getMessageFeishu } from "./send.js";
-import type { ResolvedFeishuAccount } from "./types.js";
+import type { FeishuChatType, ResolvedFeishuAccount } from "./types.js";
 
 const FEISHU_REACTION_VERIFY_TIMEOUT_MS = 1_500;
 
 export type FeishuReactionCreatedEvent = {
   message_id: string;
   chat_id?: string;
-  chat_type?: "p2p" | "group" | "private";
+  chat_type?: string;
   reaction_type?: { emoji_type?: string };
   operator_type?: string;
   user_id?: { open_id?: string };
@@ -105,10 +105,19 @@ export async function resolveReactionSyntheticEvent(
     return null;
   }
 
+  const fallbackChatType = reactedMsg.chatType;
+  const normalizedEventChatType = normalizeFeishuChatType(event.chat_type);
+  const resolvedChatType = normalizedEventChatType ?? fallbackChatType;
+  if (!resolvedChatType) {
+    logger?.(
+      `feishu[${accountId}]: skipping reaction ${emoji} on ${messageId} without chat type context`,
+    );
+    return null;
+  }
+
   const syntheticChatIdRaw = event.chat_id ?? reactedMsg.chatId;
   const syntheticChatId = syntheticChatIdRaw?.trim() ? syntheticChatIdRaw : `p2p:${senderId}`;
-  const syntheticChatType: "p2p" | "group" | "private" =
-    event.chat_type === "group" ? "group" : "p2p";
+  const syntheticChatType: FeishuChatType = resolvedChatType;
   return {
     sender: {
       sender_id: { open_id: senderId },
@@ -126,6 +135,10 @@ export async function resolveReactionSyntheticEvent(
   };
 }
 
+function normalizeFeishuChatType(value: unknown): FeishuChatType | undefined {
+  return value === "group" || value === "private" || value === "p2p" ? value : undefined;
+}
+
 type RegisterEventHandlersContext = {
   cfg: ClawdbotConfig;
   accountId: string;
@@ -521,6 +534,9 @@ export async function monitorSingleAccount(params: MonitorSingleAccountParams):
   if (connectionMode === "webhook" && !account.verificationToken?.trim()) {
     throw new Error(`Feishu account "${accountId}" webhook mode requires verificationToken`);
   }
+  if (connectionMode === "webhook" && !account.encryptKey?.trim()) {
+    throw new Error(`Feishu account "${accountId}" webhook mode requires encryptKey`);
+  }
 
   const warmupCount = await warmupDedupFromDisk(accountId, log);
   if (warmupCount > 0) {

package/src/monitor.reaction.test.ts

@@ -51,10 +51,11 @@ function makeReactionEvent(
   };
 }
 
-function createFetchedReactionMessage(chatId: string) {
+function createFetchedReactionMessage(chatId: string, chatType?: "p2p" | "group" | "private") {
   return {
     messageId: "om_msg1",
     chatId,
+    chatType,
     senderOpenId: "ou_bot",
     content: "hello",
     contentType: "text",
@@ -64,13 +65,15 @@ function createFetchedReactionMessage(chatId: string) {
 async function resolveReactionWithLookup(params: {
   event?: FeishuReactionCreatedEvent;
   lookupChatId: string;
+  lookupChatType?: "p2p" | "group" | "private";
 }) {
   return await resolveReactionSyntheticEvent({
     cfg,
     accountId: "default",
     event: params.event ?? makeReactionEvent(),
     botOpenId: "ou_bot",
-    fetchMessage: async () => createFetchedReactionMessage(params.lookupChatId),
+    fetchMessage: async () =>
+      createFetchedReactionMessage(params.lookupChatId, params.lookupChatType),
     uuid: () => "fixed-uuid",
   });
 }
@@ -268,6 +271,7 @@ describe("resolveReactionSyntheticEvent", () => {
       fetchMessage: async () => ({
         messageId: "om_msg1",
         chatId: "oc_group",
+        chatType: "group",
         senderOpenId: "ou_other",
         senderType: "user",
         content: "hello",
@@ -293,6 +297,7 @@ describe("resolveReactionSyntheticEvent", () => {
       fetchMessage: async () => ({
         messageId: "om_msg1",
         chatId: "oc_group",
+        chatType: "group",
         senderOpenId: "ou_other",
         senderType: "user",
         content: "hello",
@@ -348,21 +353,43 @@ describe("resolveReactionSyntheticEvent", () => {
   it("falls back to reacted message chat_id when event chat_id is absent", async () => {
     const result = await resolveReactionWithLookup({
       lookupChatId: "oc_group_from_lookup",
+      lookupChatType: "group",
     });
 
     expect(result?.message.chat_id).toBe("oc_group_from_lookup");
-    expect(result?.message.chat_type).toBe("p2p");
+    expect(result?.message.chat_type).toBe("group");
   });
 
   it("falls back to sender p2p chat when lookup returns empty chat_id", async () => {
     const result = await resolveReactionWithLookup({
       lookupChatId: "",
+      lookupChatType: "p2p",
     });
 
     expect(result?.message.chat_id).toBe("p2p:ou_user1");
     expect(result?.message.chat_type).toBe("p2p");
   });
 
+  it("drops reactions without chat context when lookup does not provide chat_type", async () => {
+    const result = await resolveReactionWithLookup({
+      lookupChatId: "oc_group_from_lookup",
+    });
+
+    expect(result).toBeNull();
+  });
+
+  it("drops reactions when event chat_type is invalid and lookup cannot recover it", async () => {
+    const result = await resolveReactionWithLookup({
+      event: makeReactionEvent({
+        chat_id: "oc_group_from_event",
+        chat_type: "bogus" as "group",
+      }),
+      lookupChatId: "oc_group_from_lookup",
+    });
+
+    expect(result).toBeNull();
+  });
+
   it("logs and drops reactions when lookup throws", async () => {
     const log = vi.fn();
     const event = makeReactionEvent();

package/src/monitor.webhook-security.test.ts

@@ -64,6 +64,7 @@ function buildConfig(params: {
   path: string;
   port: number;
   verificationToken?: string;
+  encryptKey?: string;
 }): ClawdbotConfig {
   return {
     channels: {
@@ -78,6 +79,7 @@ function buildConfig(params: {
             webhookHost: "127.0.0.1",
             webhookPort: params.port,
             webhookPath: params.path,
+            encryptKey: params.encryptKey,
             verificationToken: params.verificationToken,
           },
         },
@@ -91,6 +93,7 @@ async function withRunningWebhookMonitor(
     accountId: string;
     path: string;
     verificationToken: string;
+    encryptKey: string;
   },
   run: (url: string) => Promise<void>,
 ) {
@@ -99,6 +102,7 @@ async function withRunningWebhookMonitor(
     accountId: params.accountId,
     path: params.path,
     port,
+    encryptKey: params.encryptKey,
     verificationToken: params.verificationToken,
   });
 
@@ -141,6 +145,19 @@ describe("Feishu webhook security hardening", () => {
     );
   });
 
+  it("rejects webhook mode without encryptKey", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    const cfg = buildConfig({
+      accountId: "missing-encrypt-key",
+      path: "/hook-missing-encrypt",
+      port: await getFreePort(),
+      verificationToken: "verify_token",
+    });
+
+    await expect(monitorFeishuProvider({ config: cfg })).rejects.toThrow(/requires encryptKey/i);
+  });
+
   it("returns 415 for POST requests without json content type", async () => {
     probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
     await withRunningWebhookMonitor(
@@ -148,6 +165,7 @@ describe("Feishu webhook security hardening", () => {
         accountId: "content-type",
         path: "/hook-content-type",
         verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
       },
       async (url) => {
         const response = await fetch(url, {
@@ -169,6 +187,7 @@ describe("Feishu webhook security hardening", () => {
         accountId: "rate-limit",
         path: "/hook-rate-limit",
         verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
       },
       async (url) => {
         let saw429 = false;

package/src/onboarding.ts

@@ -370,6 +370,37 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
           },
         };
       }
+      const currentEncryptKey = (next.channels?.feishu as FeishuConfig | undefined)?.encryptKey;
+      const encryptKeyPromptState = buildSingleChannelSecretPromptState({
+        accountConfigured: hasConfiguredSecretInput(currentEncryptKey),
+        hasConfigToken: hasConfiguredSecretInput(currentEncryptKey),
+        allowEnv: false,
+      });
+      const encryptKeyResult = await promptSingleChannelSecretInput({
+        cfg: next,
+        prompter,
+        providerHint: "feishu-webhook",
+        credentialLabel: "encrypt key",
+        accountConfigured: encryptKeyPromptState.accountConfigured,
+        canUseEnv: encryptKeyPromptState.canUseEnv,
+        hasConfigToken: encryptKeyPromptState.hasConfigToken,
+        envPrompt: "",
+        keepPrompt: "Feishu encrypt key already configured. Keep it?",
+        inputPrompt: "Enter Feishu encrypt key",
+        preferredEnvVar: "FEISHU_ENCRYPT_KEY",
+      });
+      if (encryptKeyResult.action === "set") {
+        next = {
+          ...next,
+          channels: {
+            ...next.channels,
+            feishu: {
+              ...next.channels?.feishu,
+              encryptKey: encryptKeyResult.value,
+            },
+          },
+        };
+      }
       const currentWebhookPath = (next.channels?.feishu as FeishuConfig | undefined)?.webhookPath;
       const webhookPath = String(
         await prompter.text({

package/src/send.ts

@@ -7,7 +7,7 @@ import { parsePostContent } from "./post.js";
 import { getFeishuRuntime } from "./runtime.js";
 import { assertFeishuMessageApiSuccess, toFeishuSendResult } from "./send-result.js";
 import { resolveFeishuSendTarget } from "./send-target.js";
-import type { FeishuSendResult } from "./types.js";
+import type { FeishuChatType, FeishuMessageInfo, FeishuSendResult } from "./types.js";
 
 const WITHDRAWN_REPLY_ERROR_CODES = new Set([230011, 231003]);
 
@@ -74,17 +74,6 @@ async function sendFallbackDirect(
   return toFeishuSendResult(response, params.receiveId);
 }
 
-export type FeishuMessageInfo = {
-  messageId: string;
-  chatId: string;
-  senderId?: string;
-  senderOpenId?: string;
-  senderType?: string;
-  content: string;
-  contentType: string;
-  createTime?: number;
-};
-
 function parseInteractiveCardContent(parsed: unknown): string {
   if (!parsed || typeof parsed !== "object") {
     return "[Interactive Card]";
@@ -184,6 +173,7 @@ export async function getMessageFeishu(params: {
         items?: Array<{
           message_id?: string;
           chat_id?: string;
+          chat_type?: FeishuChatType;
           msg_type?: string;
           body?: { content?: string };
           sender?: {
@@ -195,6 +185,7 @@ export async function getMessageFeishu(params: {
         }>;
         message_id?: string;
         chat_id?: string;
+        chat_type?: FeishuChatType;
         msg_type?: string;
         body?: { content?: string };
         sender?: {
@@ -228,6 +219,10 @@ export async function getMessageFeishu(params: {
     return {
       messageId: item.message_id ?? messageId,
       chatId: item.chat_id ?? "",
+      chatType:
+        item.chat_type === "group" || item.chat_type === "private" || item.chat_type === "p2p"
+          ? item.chat_type
+          : undefined,
       senderId: item.sender?.id,
       senderOpenId: item.sender?.id_type === "open_id" ? item.sender?.id : undefined,
       senderType: item.sender?.sender_type,

package/src/types.ts

@@ -60,6 +60,20 @@ export type FeishuSendResult = {
   chatId: string;
 };
 
+export type FeishuChatType = "p2p" | "group" | "private";
+
+export type FeishuMessageInfo = {
+  messageId: string;
+  chatId: string;
+  chatType?: FeishuChatType;
+  senderId?: string;
+  senderOpenId?: string;
+  senderType?: string;
+  content: string;
+  contentType: string;
+  createTime?: number;
+};
+
 export type FeishuProbeResult = BaseProbeResult<string> & {
   appId?: string;
   botName?: string;