@openclaw/feishu 2026.3.13 → 2026.5.1-beta.1

package/src/perm-schema.ts

@@ -1,4 +1,4 @@
-import { Type, type Static } from "@sinclair/typebox";
+import { Type, type Static } from "typebox";
 
 const TokenType = Type.Union([
   Type.Literal("doc"),

package/src/perm.ts

@@ -1,5 +1,5 @@
 import type * as Lark from "@larksuiteoapi/node-sdk";
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk/feishu";
+import type { OpenClawPluginApi } from "../runtime-api.js";
 import { listEnabledFeishuAccounts } from "./accounts.js";
 import { FeishuPermSchema, type FeishuPermParams } from "./perm-schema.js";
 import { createFeishuToolClient, resolveAnyEnabledFeishuToolsConfig } from "./tool-account.js";
@@ -114,19 +114,16 @@ async function removeMember(
 
 export function registerFeishuPermTools(api: OpenClawPluginApi) {
   if (!api.config) {
-    api.logger.debug?.("feishu_perm: No config available, skipping perm tools");
     return;
   }
 
   const accounts = listEnabledFeishuAccounts(api.config);
   if (accounts.length === 0) {
-    api.logger.debug?.("feishu_perm: No Feishu accounts configured, skipping perm tools");
     return;
   }
 
   const toolsCfg = resolveAnyEnabledFeishuToolsConfig(accounts);
   if (!toolsCfg.perm) {
-    api.logger.debug?.("feishu_perm: perm tool disabled in config (default: false)");
     return;
   }
 
@@ -160,7 +157,6 @@ export function registerFeishuPermTools(api: OpenClawPluginApi) {
                   await removeMember(client, p.token, p.type, p.member_type, p.member_id),
                 );
               default:
-                // eslint-disable-next-line @typescript-eslint/no-explicit-any -- exhaustive check fallback
                 return unknownToolActionResult((p as { action?: unknown }).action);
             }
           } catch (err) {
@@ -171,6 +167,4 @@ export function registerFeishuPermTools(api: OpenClawPluginApi) {
     },
     { name: "feishu_perm" },
   );
-
-  api.logger.info?.(`feishu_perm: Registered feishu_perm tool`);
 }

package/src/pins.ts

@@ -0,0 +1,108 @@
+import type { ClawdbotConfig } from "../runtime-api.js";
+import { resolveFeishuRuntimeAccount } from "./accounts.js";
+import { createFeishuClient } from "./client.js";
+
+type FeishuPin = {
+  messageId: string;
+  chatId?: string;
+  operatorId?: string;
+  operatorIdType?: string;
+  createTime?: string;
+};
+
+function assertFeishuPinApiSuccess(response: { code?: number; msg?: string }, action: string) {
+  if (response.code !== 0) {
+    throw new Error(`Feishu ${action} failed: ${response.msg || `code ${response.code}`}`);
+  }
+}
+
+function normalizePin(pin: {
+  message_id: string;
+  chat_id?: string;
+  operator_id?: string;
+  operator_id_type?: string;
+  create_time?: string;
+}): FeishuPin {
+  return {
+    messageId: pin.message_id,
+    chatId: pin.chat_id,
+    operatorId: pin.operator_id,
+    operatorIdType: pin.operator_id_type,
+    createTime: pin.create_time,
+  };
+}
+
+export async function createPinFeishu(params: {
+  cfg: ClawdbotConfig;
+  messageId: string;
+  accountId?: string;
+}): Promise<FeishuPin | null> {
+  const account = resolveFeishuRuntimeAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const client = createFeishuClient(account);
+  const response = await client.im.pin.create({
+    data: {
+      message_id: params.messageId,
+    },
+  });
+  assertFeishuPinApiSuccess(response, "pin create");
+  return response.data?.pin ? normalizePin(response.data.pin) : null;
+}
+
+export async function removePinFeishu(params: {
+  cfg: ClawdbotConfig;
+  messageId: string;
+  accountId?: string;
+}): Promise<void> {
+  const account = resolveFeishuRuntimeAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const client = createFeishuClient(account);
+  const response = await client.im.pin.delete({
+    path: {
+      message_id: params.messageId,
+    },
+  });
+  assertFeishuPinApiSuccess(response, "pin delete");
+}
+
+export async function listPinsFeishu(params: {
+  cfg: ClawdbotConfig;
+  chatId: string;
+  startTime?: string;
+  endTime?: string;
+  pageSize?: number;
+  pageToken?: string;
+  accountId?: string;
+}): Promise<{ chatId: string; pins: FeishuPin[]; hasMore: boolean; pageToken?: string }> {
+  const account = resolveFeishuRuntimeAccount({ cfg: params.cfg, accountId: params.accountId });
+  if (!account.configured) {
+    throw new Error(`Feishu account "${account.accountId}" not configured`);
+  }
+
+  const client = createFeishuClient(account);
+  const response = await client.im.pin.list({
+    params: {
+      chat_id: params.chatId,
+      ...(params.startTime ? { start_time: params.startTime } : {}),
+      ...(params.endTime ? { end_time: params.endTime } : {}),
+      ...(typeof params.pageSize === "number"
+        ? { page_size: Math.max(1, Math.min(100, Math.floor(params.pageSize))) }
+        : {}),
+      ...(params.pageToken ? { page_token: params.pageToken } : {}),
+    },
+  });
+  assertFeishuPinApiSuccess(response, "pin list");
+
+  return {
+    chatId: params.chatId,
+    pins: (response.data?.items ?? []).map(normalizePin),
+    hasMore: response.data?.has_more === true,
+    pageToken: response.data?.page_token,
+  };
+}

package/src/policy.test.ts

@@ -1,154 +1,334 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/core";
 import { describe, expect, it } from "vitest";
+import { FeishuConfigSchema } from "./config-schema.js";
 import {
+  hasExplicitFeishuGroupConfig,
   isFeishuGroupAllowed,
   resolveFeishuAllowlistMatch,
   resolveFeishuGroupConfig,
+  resolveFeishuReplyPolicy,
 } from "./policy.js";
 import type { FeishuConfig } from "./types.js";
 
-describe("feishu policy", () => {
-  describe("resolveFeishuGroupConfig", () => {
-    it("falls back to wildcard group config when direct match is missing", () => {
-      const cfg = {
-        groups: {
-          "*": { requireMention: false },
-          "oc-explicit": { requireMention: true },
-        },
-      } as unknown as FeishuConfig;
-
-      const resolved = resolveFeishuGroupConfig({
-        cfg,
-        groupId: "oc-missing",
-      });
-
-      expect(resolved).toEqual({ requireMention: false });
-    });
+function createCfg(feishu: Record<string, unknown>): OpenClawConfig {
+  return {
+    channels: {
+      feishu,
+    },
+  } as OpenClawConfig;
+}
 
-    it("prefers exact group config over wildcard", () => {
-      const cfg = {
-        groups: {
-          "*": { requireMention: false },
-          "oc-explicit": { requireMention: true },
-        },
-      } as unknown as FeishuConfig;
+function createFeishuConfig(overrides: Partial<FeishuConfig>): FeishuConfig {
+  return FeishuConfigSchema.parse(overrides);
+}
 
-      const resolved = resolveFeishuGroupConfig({
-        cfg,
-        groupId: "oc-explicit",
-      });
+describe("resolveFeishuReplyPolicy", () => {
+  it("defaults open groups to no mention when unset", () => {
+    expect(
+      resolveFeishuReplyPolicy({
+        isDirectMessage: false,
+        cfg: createCfg({ groupPolicy: "open" }),
+        groupPolicy: "open",
+        groupId: "oc_1",
+      }),
+    ).toEqual({ requireMention: false });
+  });
 
-      expect(resolved).toEqual({ requireMention: true });
-    });
+  it("keeps explicit top-level mention gating in open groups", () => {
+    expect(
+      resolveFeishuReplyPolicy({
+        isDirectMessage: false,
+        cfg: createCfg({ groupPolicy: "open", requireMention: true }),
+        groupPolicy: "open",
+        groupId: "oc_1",
+      }),
+    ).toEqual({ requireMention: true });
+  });
 
-    it("keeps case-insensitive matching for explicit group ids", () => {
-      const cfg = {
-        groups: {
-          "*": { requireMention: false },
-          OC_UPPER: { requireMention: true },
-        },
-      } as unknown as FeishuConfig;
+  it("keeps explicit account mention gating in open groups", () => {
+    expect(
+      resolveFeishuReplyPolicy({
+        isDirectMessage: false,
+        cfg: createCfg({
+          groupPolicy: "allowlist",
+          requireMention: false,
+          accounts: {
+            work: {
+              groupPolicy: "open",
+              requireMention: true,
+            },
+          },
+        }),
+        accountId: "work",
+        groupPolicy: "open",
+        groupId: "oc_1",
+      }),
+    ).toEqual({ requireMention: true });
+  });
 
-      const resolved = resolveFeishuGroupConfig({
-        cfg,
-        groupId: "oc_upper",
-      });
+  it("keeps explicit per-group mention gating in open groups", () => {
+    expect(
+      resolveFeishuReplyPolicy({
+        isDirectMessage: false,
+        cfg: createCfg({
+          groupPolicy: "open",
+          groups: { oc_1: { requireMention: true } },
+        }),
+        groupPolicy: "open",
+        groupId: "oc_1",
+      }),
+    ).toEqual({ requireMention: true });
+  });
 
-      expect(resolved).toEqual({ requireMention: true });
-    });
+  it("defaults allowlist groups to require mentions", () => {
+    expect(
+      resolveFeishuReplyPolicy({
+        isDirectMessage: false,
+        cfg: createCfg({ groupPolicy: "allowlist" }),
+        groupPolicy: "allowlist",
+        groupId: "oc_1",
+      }),
+    ).toEqual({ requireMention: true });
   });
+});
 
-  describe("resolveFeishuAllowlistMatch", () => {
-    it("allows wildcard", () => {
-      expect(
-        resolveFeishuAllowlistMatch({
-          allowFrom: ["*"],
-          senderId: "ou-attacker",
-        }),
-      ).toEqual({ allowed: true, matchKey: "*", matchSource: "wildcard" });
+describe("resolveFeishuGroupConfig", () => {
+  it("falls back to wildcard group config when direct match is missing", () => {
+    const cfg = createFeishuConfig({
+      groups: {
+        "*": { requireMention: false },
+        "oc-explicit": { requireMention: true },
+      },
     });
 
-    it("matches normalized ID entries", () => {
-      expect(
-        resolveFeishuAllowlistMatch({
-          allowFrom: ["feishu:user:OU_ALLOWED"],
-          senderId: "ou_allowed",
-        }),
-      ).toEqual({ allowed: true, matchKey: "ou_allowed", matchSource: "id" });
+    const resolved = resolveFeishuGroupConfig({
+      cfg,
+      groupId: "oc-missing",
     });
 
-    it("supports user_id as an additional immutable sender candidate", () => {
-      expect(
-        resolveFeishuAllowlistMatch({
-          allowFrom: ["on_user_123"],
-          senderId: "ou_other",
-          senderIds: ["on_user_123"],
-        }),
-      ).toEqual({ allowed: true, matchKey: "on_user_123", matchSource: "id" });
-    });
+    expect(resolved).toEqual({ requireMention: false });
+  });
 
-    it("does not authorize based on display-name collision", () => {
-      const victimOpenId = "ou_4f4ec5aa111122223333444455556666";
+  it("prefers exact group config over wildcard", () => {
+    const cfg = createFeishuConfig({
+      groups: {
+        "*": { requireMention: false },
+        "oc-explicit": { requireMention: true },
+      },
+    });
 
-      expect(
-        resolveFeishuAllowlistMatch({
-          allowFrom: [victimOpenId],
-          senderId: "ou_attacker_real_open_id",
-          senderIds: ["on_attacker_user_id"],
-          senderName: victimOpenId,
-        }),
-      ).toEqual({ allowed: false });
+    const resolved = resolveFeishuGroupConfig({
+      cfg,
+      groupId: "oc-explicit",
     });
+
+    expect(resolved).toEqual({ requireMention: true });
   });
 
-  describe("isFeishuGroupAllowed", () => {
-    it("matches group IDs with chat: prefix", () => {
-      expect(
-        isFeishuGroupAllowed({
-          groupPolicy: "allowlist",
-          allowFrom: ["chat:oc_group_123"],
-          senderId: "oc_group_123",
-        }),
-      ).toBe(true);
+  it("keeps case-insensitive matching for explicit group ids", () => {
+    const cfg = createFeishuConfig({
+      groups: {
+        "*": { requireMention: false },
+        OC_UPPER: { requireMention: true },
+      },
     });
 
-    it("allows group when groupPolicy is 'open'", () => {
-      expect(
-        isFeishuGroupAllowed({
-          groupPolicy: "open",
-          allowFrom: [],
-          senderId: "oc_group_999",
-        }),
-      ).toBe(true);
+    const resolved = resolveFeishuGroupConfig({
+      cfg,
+      groupId: "oc_upper",
     });
 
-    it("treats 'allowall' as equivalent to 'open'", () => {
-      expect(
-        isFeishuGroupAllowed({
-          groupPolicy: "allowall",
-          allowFrom: [],
-          senderId: "oc_group_999",
-        }),
-      ).toBe(true);
+    expect(resolved).toEqual({ requireMention: true });
+  });
+});
+
+describe("hasExplicitFeishuGroupConfig", () => {
+  it("matches direct and case-insensitive group ids", () => {
+    const cfg = createFeishuConfig({
+      groups: {
+        OC_UPPER: { requireMention: true },
+      },
     });
 
-    it("rejects group when groupPolicy is 'disabled'", () => {
-      expect(
-        isFeishuGroupAllowed({
-          groupPolicy: "disabled",
-          allowFrom: ["oc_group_999"],
-          senderId: "oc_group_999",
-        }),
-      ).toBe(false);
+    expect(hasExplicitFeishuGroupConfig({ cfg, groupId: "OC_UPPER" })).toBe(true);
+    expect(hasExplicitFeishuGroupConfig({ cfg, groupId: "oc_upper" })).toBe(true);
+  });
+
+  it("does not treat wildcard group defaults as explicit admission", () => {
+    const cfg = createFeishuConfig({
+      groups: {
+        "*": { requireMention: false },
+      },
     });
 
-    it("rejects group when groupPolicy is 'allowlist' and allowFrom is empty", () => {
+    expect(hasExplicitFeishuGroupConfig({ cfg, groupId: "oc_any" })).toBe(false);
+  });
+});
+
+describe("resolveFeishuAllowlistMatch", () => {
+  it("allows wildcard", () => {
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: ["*"],
+        senderId: "ou-attacker",
+      }),
+    ).toEqual({ allowed: true, matchKey: "*", matchSource: "wildcard" });
+  });
+
+  it("allows provider-prefixed wildcard entries", () => {
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: ["feishu:*", "lark:*"],
+        senderId: "ou_anyone",
+      }),
+    ).toEqual({ allowed: true, matchKey: "*", matchSource: "wildcard" });
+  });
+
+  it("treats typed wildcard aliases as bare wildcards", () => {
+    for (const wildcard of [
+      "chat:*",
+      "group:*",
+      "channel:*",
+      "user:*",
+      "dm:*",
+      "open_id:*",
+      "feishu:user:*",
+    ]) {
       expect(
-        isFeishuGroupAllowed({
-          groupPolicy: "allowlist",
-          allowFrom: [],
-          senderId: "oc_group_999",
+        resolveFeishuAllowlistMatch({
+          allowFrom: [wildcard],
+          senderId: "ou_anyone",
         }),
-      ).toBe(false);
-    });
+      ).toEqual({ allowed: true, matchKey: "*", matchSource: "wildcard" });
+    }
+  });
+
+  it("matches normalized ID entries", () => {
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: ["feishu:user:ou_ALLOWED"],
+        senderId: "ou_ALLOWED",
+      }),
+    ).toEqual({ allowed: true, matchKey: "user:ou_ALLOWED", matchSource: "id" });
+  });
+
+  it("accepts repeated provider prefixes for legacy allowlist entries", () => {
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: ["feishu:feishu:user:ou_ALLOWED"],
+        senderId: "ou_ALLOWED",
+      }),
+    ).toEqual({ allowed: true, matchKey: "user:ou_ALLOWED", matchSource: "id" });
+  });
+
+  it("does not fold opaque IDs to lowercase", () => {
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: ["user:OU_ALLOWED"],
+        senderId: "ou_ALLOWED",
+      }),
+    ).toEqual({ allowed: false });
+  });
+
+  it("keeps user and chat allowlist namespaces distinct", () => {
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: ["user:oc_group_123"],
+        senderId: "oc_group_123",
+      }),
+    ).toEqual({ allowed: false });
+  });
+
+  it("supports user_id as an additional immutable sender candidate", () => {
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: ["on_user_123"],
+        senderId: "ou_other",
+        senderIds: ["on_user_123"],
+      }),
+    ).toEqual({ allowed: true, matchKey: "user:on_user_123", matchSource: "id" });
+  });
+
+  it("auto-detects bare open_id entries as user allowlist matches", () => {
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: ["ou_BARE"],
+        senderId: "ou_BARE",
+      }),
+    ).toEqual({ allowed: true, matchKey: "user:ou_BARE", matchSource: "id" });
+  });
+
+  it("auto-detects bare chat_id entries as chat allowlist matches", () => {
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: ["oc_group_123"],
+        senderId: "oc_group_123",
+      }),
+    ).toEqual({ allowed: true, matchKey: "chat:oc_group_123", matchSource: "id" });
+  });
+
+  it("does not authorize based on display-name collision", () => {
+    const victimOpenId = "ou_4f4ec5aa111122223333444455556666";
+
+    expect(
+      resolveFeishuAllowlistMatch({
+        allowFrom: [victimOpenId],
+        senderId: "ou_attacker_real_open_id",
+        senderIds: ["on_attacker_user_id"],
+        senderName: victimOpenId,
+      }),
+    ).toEqual({ allowed: false });
+  });
+});
+
+describe("isFeishuGroupAllowed", () => {
+  it("matches group IDs with chat: prefix", () => {
+    expect(
+      isFeishuGroupAllowed({
+        groupPolicy: "allowlist",
+        allowFrom: ["chat:oc_group_123"],
+        senderId: "oc_group_123",
+      }),
+    ).toBe(true);
+  });
+
+  it("allows group when groupPolicy is 'open'", () => {
+    expect(
+      isFeishuGroupAllowed({
+        groupPolicy: "open",
+        allowFrom: [],
+        senderId: "oc_group_999",
+      }),
+    ).toBe(true);
+  });
+
+  it("treats 'allowall' as equivalent to 'open'", () => {
+    expect(
+      isFeishuGroupAllowed({
+        groupPolicy: "allowall",
+        allowFrom: [],
+        senderId: "oc_group_999",
+      }),
+    ).toBe(true);
+  });
+
+  it("rejects group when groupPolicy is 'disabled'", () => {
+    expect(
+      isFeishuGroupAllowed({
+        groupPolicy: "disabled",
+        allowFrom: ["oc_group_999"],
+        senderId: "oc_group_999",
+      }),
+    ).toBe(false);
+  });
+
+  it("rejects group when groupPolicy is 'allowlist' and allowFrom is empty", () => {
+    expect(
+      isFeishuGroupAllowed({
+        groupPolicy: "allowlist",
+        allowFrom: [],
+        senderId: "oc_group_999",
+      }),
+    ).toBe(false);
   });
 });