@openclaw/feishu 2026.3.2 → 2026.3.7

package/src/monitor.test-mocks.ts

@@ -1,12 +1,45 @@
 import { vi } from "vitest";
 
-export const probeFeishuMock: ReturnType<typeof vi.fn> = vi.fn();
+export function createFeishuClientMockModule(): {
+  createFeishuWSClient: () => { start: () => void };
+  createEventDispatcher: () => { register: () => void };
+} {
+  return {
+    createFeishuWSClient: vi.fn(() => ({ start: vi.fn() })),
+    createEventDispatcher: vi.fn(() => ({ register: vi.fn() })),
+  };
+}
 
-vi.mock("./probe.js", () => ({
-  probeFeishu: probeFeishuMock,
-}));
-
-vi.mock("./client.js", () => ({
-  createFeishuWSClient: vi.fn(() => ({ start: vi.fn() })),
-  createEventDispatcher: vi.fn(() => ({ register: vi.fn() })),
-}));
+export function createFeishuRuntimeMockModule(): {
+  getFeishuRuntime: () => {
+    channel: {
+      debounce: {
+        resolveInboundDebounceMs: () => number;
+        createInboundDebouncer: () => {
+          enqueue: () => Promise<void>;
+          flushKey: () => Promise<void>;
+        };
+      };
+      text: {
+        hasControlCommand: () => boolean;
+      };
+    };
+  };
+} {
+  return {
+    getFeishuRuntime: () => ({
+      channel: {
+        debounce: {
+          resolveInboundDebounceMs: () => 0,
+          createInboundDebouncer: () => ({
+            enqueue: async () => {},
+            flushKey: async () => {},
+          }),
+        },
+        text: {
+          hasControlCommand: () => false,
+        },
+      },
+    }),
+  };
+}

package/src/monitor.transport.ts

@@ -4,9 +4,10 @@ import {
   applyBasicWebhookRequestGuards,
   type RuntimeEnv,
   installRequestBodyLimitGuard,
-} from "openclaw/plugin-sdk";
+} from "openclaw/plugin-sdk/feishu";
 import { createFeishuWSClient } from "./client.js";
 import {
+  botNames,
   botOpenIds,
   FEISHU_WEBHOOK_BODY_TIMEOUT_MS,
   FEISHU_WEBHOOK_MAX_BODY_BYTES,
@@ -42,6 +43,7 @@ export async function monitorWebSocket({
     const cleanup = () => {
       wsClients.delete(accountId);
       botOpenIds.delete(accountId);
+      botNames.delete(accountId);
     };
 
     const handleAbort = () => {
@@ -134,6 +136,7 @@ export async function monitorWebhook({
       server.close();
       httpServers.delete(accountId);
       botOpenIds.delete(accountId);
+      botNames.delete(accountId);
     };
 
     const handleAbort = () => {

package/src/monitor.ts

@@ -1,11 +1,11 @@
-import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk";
+import type { ClawdbotConfig, RuntimeEnv } from "openclaw/plugin-sdk/feishu";
 import { listEnabledFeishuAccounts, resolveFeishuAccount } from "./accounts.js";
 import {
   monitorSingleAccount,
   resolveReactionSyntheticEvent,
   type FeishuReactionCreatedEvent,
 } from "./monitor.account.js";
-import { fetchBotOpenIdForMonitor } from "./monitor.startup.js";
+import { fetchBotIdentityForMonitor } from "./monitor.startup.js";
 import {
   clearFeishuWebhookRateLimitStateForTest,
   getFeishuWebhookRateLimitStateSizeForTest,
@@ -66,7 +66,7 @@ export async function monitorFeishuProvider(opts: MonitorFeishuOpts = {}): Promi
     }
 
     // Probe sequentially so large multi-account startups do not burst Feishu's bot-info endpoint.
-    const botOpenId = await fetchBotOpenIdForMonitor(account, {
+    const { botOpenId, botName } = await fetchBotIdentityForMonitor(account, {
       runtime: opts.runtime,
       abortSignal: opts.abortSignal,
     });
@@ -82,7 +82,7 @@ export async function monitorFeishuProvider(opts: MonitorFeishuOpts = {}): Promi
         account,
         runtime: opts.runtime,
         abortSignal: opts.abortSignal,
-        botOpenIdSource: { kind: "prefetched", botOpenId },
+        botOpenIdSource: { kind: "prefetched", botOpenId, botName },
       }),
     );
   }

package/src/monitor.webhook-security.test.ts

@@ -1,7 +1,11 @@
 import { createServer } from "node:http";
 import type { AddressInfo } from "node:net";
-import type { ClawdbotConfig } from "openclaw/plugin-sdk";
+import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
 import { afterEach, describe, expect, it, vi } from "vitest";
+import {
+  createFeishuClientMockModule,
+  createFeishuRuntimeMockModule,
+} from "./monitor.test-mocks.js";
 
 const probeFeishuMock = vi.hoisted(() => vi.fn());
 
@@ -9,27 +13,8 @@ vi.mock("./probe.js", () => ({
   probeFeishu: probeFeishuMock,
 }));
 
-vi.mock("./client.js", () => ({
-  createFeishuWSClient: vi.fn(() => ({ start: vi.fn() })),
-  createEventDispatcher: vi.fn(() => ({ register: vi.fn() })),
-}));
-
-vi.mock("./runtime.js", () => ({
-  getFeishuRuntime: () => ({
-    channel: {
-      debounce: {
-        resolveInboundDebounceMs: () => 0,
-        createInboundDebouncer: () => ({
-          enqueue: async () => {},
-          flushKey: async () => {},
-        }),
-      },
-      text: {
-        hasControlCommand: () => false,
-      },
-    },
-  }),
-}));
+vi.mock("./client.js", () => createFeishuClientMockModule());
+vi.mock("./runtime.js", () => createFeishuRuntimeMockModule());
 
 vi.mock("@larksuiteoapi/node-sdk", () => ({
   adaptDefault: vi.fn(
@@ -88,7 +73,7 @@ function buildConfig(params: {
           [params.accountId]: {
             enabled: true,
             appId: "cli_test",
-            appSecret: "secret_test",
+            appSecret: "secret_test", // pragma: allowlist secret
             connectionMode: "webhook",
             webhookHost: "127.0.0.1",
             webhookPort: params.port,

package/src/onboarding.status.test.ts

@@ -1,4 +1,4 @@
-import type { OpenClawConfig } from "openclaw/plugin-sdk";
+import type { OpenClawConfig } from "openclaw/plugin-sdk/feishu";
 import { describe, expect, it } from "vitest";
 import { feishuOnboardingAdapter } from "./onboarding.js";
 

package/src/onboarding.test.ts

@@ -0,0 +1,143 @@
+import { describe, expect, it, vi } from "vitest";
+
+vi.mock("./probe.js", () => ({
+  probeFeishu: vi.fn(async () => ({ ok: false, error: "mocked" })),
+}));
+
+import { feishuOnboardingAdapter } from "./onboarding.js";
+
+const baseConfigureContext = {
+  runtime: {} as never,
+  accountOverrides: {},
+  shouldPromptAccountIds: false,
+  forceAllowFrom: false,
+};
+
+const baseStatusContext = {
+  accountOverrides: {},
+};
+
+async function withEnvVars(values: Record<string, string | undefined>, run: () => Promise<void>) {
+  const previous = new Map<string, string | undefined>();
+  for (const [key, value] of Object.entries(values)) {
+    previous.set(key, process.env[key]);
+    if (value === undefined) {
+      delete process.env[key];
+    } else {
+      process.env[key] = value;
+    }
+  }
+
+  try {
+    await run();
+  } finally {
+    for (const [key, prior] of previous.entries()) {
+      if (prior === undefined) {
+        delete process.env[key];
+      } else {
+        process.env[key] = prior;
+      }
+    }
+  }
+}
+
+async function getStatusWithEnvRefs(params: { appIdKey: string; appSecretKey: string }) {
+  return await feishuOnboardingAdapter.getStatus({
+    cfg: {
+      channels: {
+        feishu: {
+          appId: { source: "env", id: params.appIdKey, provider: "default" },
+          appSecret: { source: "env", id: params.appSecretKey, provider: "default" },
+        },
+      },
+    } as never,
+    ...baseStatusContext,
+  });
+}
+
+describe("feishuOnboardingAdapter.configure", () => {
+  it("does not throw when config appId/appSecret are SecretRef objects", async () => {
+    const text = vi
+      .fn()
+      .mockResolvedValueOnce("cli_from_prompt")
+      .mockResolvedValueOnce("secret_from_prompt")
+      .mockResolvedValueOnce("oc_group_1");
+
+    const prompter = {
+      note: vi.fn(async () => undefined),
+      text,
+      confirm: vi.fn(async () => true),
+      select: vi.fn(
+        async ({ initialValue }: { initialValue?: string }) => initialValue ?? "allowlist",
+      ),
+    } as never;
+
+    await expect(
+      feishuOnboardingAdapter.configure({
+        cfg: {
+          channels: {
+            feishu: {
+              appId: { source: "env", id: "FEISHU_APP_ID", provider: "default" },
+              appSecret: { source: "env", id: "FEISHU_APP_SECRET", provider: "default" },
+            },
+          },
+        } as never,
+        prompter,
+        ...baseConfigureContext,
+      }),
+    ).resolves.toBeTruthy();
+  });
+});
+
+describe("feishuOnboardingAdapter.getStatus", () => {
+  it("does not fallback to top-level appId when account explicitly sets empty appId", async () => {
+    const status = await feishuOnboardingAdapter.getStatus({
+      cfg: {
+        channels: {
+          feishu: {
+            appId: "top_level_app",
+            accounts: {
+              main: {
+                appId: "",
+                appSecret: "sample-app-credential", // pragma: allowlist secret
+              },
+            },
+          },
+        },
+      } as never,
+      ...baseStatusContext,
+    });
+
+    expect(status.configured).toBe(false);
+  });
+
+  it("treats env SecretRef appId as not configured when env var is missing", async () => {
+    const appIdKey = "FEISHU_APP_ID_STATUS_MISSING_TEST";
+    const appSecretKey = "FEISHU_APP_CREDENTIAL_STATUS_MISSING_TEST"; // pragma: allowlist secret
+    await withEnvVars(
+      {
+        [appIdKey]: undefined,
+        [appSecretKey]: "env-credential-456", // pragma: allowlist secret
+      },
+      async () => {
+        const status = await getStatusWithEnvRefs({ appIdKey, appSecretKey });
+        expect(status.configured).toBe(false);
+      },
+    );
+  });
+
+  it("treats env SecretRef appId/appSecret as configured in status", async () => {
+    const appIdKey = "FEISHU_APP_ID_STATUS_TEST";
+    const appSecretKey = "FEISHU_APP_CREDENTIAL_STATUS_TEST"; // pragma: allowlist secret
+    await withEnvVars(
+      {
+        [appIdKey]: "cli_env_123",
+        [appSecretKey]: "env-credential-456", // pragma: allowlist secret
+      },
+      async () => {
+        const status = await getStatusWithEnvRefs({ appIdKey, appSecretKey });
+        expect(status.configured).toBe(true);
+      },
+    );
+  });
+});

package/src/onboarding.ts

@@ -5,56 +5,47 @@ import type {
   DmPolicy,
   SecretInput,
   WizardPrompter,
-} from "openclaw/plugin-sdk";
+} from "openclaw/plugin-sdk/feishu";
 import {
-  addWildcardAllowFrom,
+  buildSingleChannelSecretPromptState,
   DEFAULT_ACCOUNT_ID,
   formatDocsLink,
   hasConfiguredSecretInput,
+  mergeAllowFromEntries,
   promptSingleChannelSecretInput,
-} from "openclaw/plugin-sdk";
+  setTopLevelChannelAllowFrom,
+  setTopLevelChannelDmPolicyWithAllowFrom,
+  setTopLevelChannelGroupPolicy,
+  splitOnboardingEntries,
+} from "openclaw/plugin-sdk/feishu";
 import { resolveFeishuCredentials } from "./accounts.js";
 import { probeFeishu } from "./probe.js";
 import type { FeishuConfig } from "./types.js";
 
 const channel = "feishu" as const;
 
-function setFeishuDmPolicy(cfg: ClawdbotConfig, dmPolicy: DmPolicy): ClawdbotConfig {
-  const allowFrom =
-    dmPolicy === "open"
-      ? addWildcardAllowFrom(cfg.channels?.feishu?.allowFrom)?.map((entry) => String(entry))
-      : undefined;
-  return {
-    ...cfg,
-    channels: {
-      ...cfg.channels,
-      feishu: {
-        ...cfg.channels?.feishu,
-        dmPolicy,
-        ...(allowFrom ? { allowFrom } : {}),
-      },
-    },
-  };
+function normalizeString(value: unknown): string | undefined {
+  if (typeof value !== "string") {
+    return undefined;
+  }
+  const trimmed = value.trim();
+  return trimmed || undefined;
 }
 
-function setFeishuAllowFrom(cfg: ClawdbotConfig, allowFrom: string[]): ClawdbotConfig {
-  return {
-    ...cfg,
-    channels: {
-      ...cfg.channels,
-      feishu: {
-        ...cfg.channels?.feishu,
-        allowFrom,
-      },
-    },
-  };
+function setFeishuDmPolicy(cfg: ClawdbotConfig, dmPolicy: DmPolicy): ClawdbotConfig {
+  return setTopLevelChannelDmPolicyWithAllowFrom({
+    cfg,
+    channel: "feishu",
+    dmPolicy,
+  }) as ClawdbotConfig;
 }
 
-function parseAllowFromInput(raw: string): string[] {
-  return raw
-    .split(/[\n,;]+/g)
-    .map((entry) => entry.trim())
-    .filter(Boolean);
+function setFeishuAllowFrom(cfg: ClawdbotConfig, allowFrom: string[]): ClawdbotConfig {
+  return setTopLevelChannelAllowFrom({
+    cfg,
+    channel: "feishu",
+    allowFrom,
+  }) as ClawdbotConfig;
 }
 
 async function promptFeishuAllowFrom(params: {
@@ -80,18 +71,13 @@ async function promptFeishuAllowFrom(params: {
       initialValue: existing[0] ? String(existing[0]) : undefined,
       validate: (value) => (String(value ?? "").trim() ? undefined : "Required"),
     });
-    const parts = parseAllowFromInput(String(entry));
+    const parts = splitOnboardingEntries(String(entry));
     if (parts.length === 0) {
       await params.prompter.note("Enter at least one user.", "Feishu allowlist");
       continue;
     }
 
-    const unique = [
-      ...new Set([
-        ...existing.map((v: string | number) => String(v).trim()).filter(Boolean),
-        ...parts,
-      ]),
-    ];
+    const unique = mergeAllowFromEntries(existing, parts);
     return setFeishuAllowFrom(params.cfg, unique);
   }
 }
@@ -129,17 +115,12 @@ function setFeishuGroupPolicy(
   cfg: ClawdbotConfig,
   groupPolicy: "open" | "allowlist" | "disabled",
 ): ClawdbotConfig {
-  return {
-    ...cfg,
-    channels: {
-      ...cfg.channels,
-      feishu: {
-        ...cfg.channels?.feishu,
-        enabled: true,
-        groupPolicy,
-      },
-    },
-  };
+  return setTopLevelChannelGroupPolicy({
+    cfg,
+    channel: "feishu",
+    groupPolicy,
+    enabled: true,
+  }) as ClawdbotConfig;
 }
 
 function setFeishuGroupAllowFrom(cfg: ClawdbotConfig, groupAllowFrom: string[]): ClawdbotConfig {
@@ -169,20 +150,43 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
   channel,
   getStatus: async ({ cfg }) => {
     const feishuCfg = cfg.channels?.feishu as FeishuConfig | undefined;
+
+    const isAppIdConfigured = (value: unknown): boolean => {
+      const asString = normalizeString(value);
+      if (asString) {
+        return true;
+      }
+      if (!value || typeof value !== "object") {
+        return false;
+      }
+      const rec = value as Record<string, unknown>;
+      const source = normalizeString(rec.source)?.toLowerCase();
+      const id = normalizeString(rec.id);
+      if (source === "env" && id) {
+        return Boolean(normalizeString(process.env[id]));
+      }
+      return hasConfiguredSecretInput(value);
+    };
+
     const topLevelConfigured = Boolean(
-      feishuCfg?.appId?.trim() && hasConfiguredSecretInput(feishuCfg?.appSecret),
+      isAppIdConfigured(feishuCfg?.appId) && hasConfiguredSecretInput(feishuCfg?.appSecret),
     );
+
     const accountConfigured = Object.values(feishuCfg?.accounts ?? {}).some((account) => {
       if (!account || typeof account !== "object") {
         return false;
       }
-      const accountAppId =
-        typeof account.appId === "string" ? account.appId.trim() : feishuCfg?.appId?.trim();
-      const accountSecretConfigured =
-        hasConfiguredSecretInput(account.appSecret) ||
-        hasConfiguredSecretInput(feishuCfg?.appSecret);
-      return Boolean(accountAppId && accountSecretConfigured);
+      const hasOwnAppId = Object.prototype.hasOwnProperty.call(account, "appId");
+      const hasOwnAppSecret = Object.prototype.hasOwnProperty.call(account, "appSecret");
+      const accountAppIdConfigured = hasOwnAppId
+        ? isAppIdConfigured((account as Record<string, unknown>).appId)
+        : isAppIdConfigured(feishuCfg?.appId);
+      const accountSecretConfigured = hasOwnAppSecret
+        ? hasConfiguredSecretInput((account as Record<string, unknown>).appSecret)
+        : hasConfiguredSecretInput(feishuCfg?.appSecret);
+      return Boolean(accountAppIdConfigured && accountSecretConfigured);
     });
+
     const configured = topLevelConfigured || accountConfigured;
     const resolvedCredentials = resolveFeishuCredentials(feishuCfg, {
       allowUnresolvedSecretRef: true,
@@ -224,10 +228,15 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
       allowUnresolvedSecretRef: true,
     });
     const hasConfigSecret = hasConfiguredSecretInput(feishuCfg?.appSecret);
-    const hasConfigCreds = Boolean(feishuCfg?.appId?.trim() && hasConfigSecret);
-    const canUseEnv = Boolean(
-      !hasConfigCreds && process.env.FEISHU_APP_ID?.trim() && process.env.FEISHU_APP_SECRET?.trim(),
+    const hasConfigCreds = Boolean(
+      typeof feishuCfg?.appId === "string" && feishuCfg.appId.trim() && hasConfigSecret,
     );
+    const appSecretPromptState = buildSingleChannelSecretPromptState({
+      accountConfigured: Boolean(resolved),
+      hasConfigToken: hasConfigSecret,
+      allowEnv: !hasConfigCreds && Boolean(process.env.FEISHU_APP_ID?.trim()),
+      envValue: process.env.FEISHU_APP_SECRET,
+    });
 
     let next = cfg;
     let appId: string | null = null;
@@ -243,9 +252,9 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
       prompter,
       providerHint: "feishu",
       credentialLabel: "App Secret",
-      accountConfigured: Boolean(resolved),
-      canUseEnv,
-      hasConfigToken: hasConfigSecret,
+      accountConfigured: appSecretPromptState.accountConfigured,
+      canUseEnv: appSecretPromptState.canUseEnv,
+      hasConfigToken: appSecretPromptState.hasConfigToken,
       envPrompt: "FEISHU_APP_ID + FEISHU_APP_SECRET detected. Use env vars?",
       keepPrompt: "Feishu App Secret already configured. Keep it?",
       inputPrompt: "Enter Feishu App Secret",
@@ -265,7 +274,8 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
       appSecretProbeValue = appSecretResult.resolvedValue;
       appId = await promptFeishuAppId({
         prompter,
-        initialValue: feishuCfg?.appId?.trim() || process.env.FEISHU_APP_ID?.trim(),
+        initialValue:
+          normalizeString(feishuCfg?.appId) ?? normalizeString(process.env.FEISHU_APP_ID),
       });
     }
 
@@ -330,14 +340,19 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
     if (connectionMode === "webhook") {
       const currentVerificationToken = (next.channels?.feishu as FeishuConfig | undefined)
         ?.verificationToken;
+      const verificationTokenPromptState = buildSingleChannelSecretPromptState({
+        accountConfigured: hasConfiguredSecretInput(currentVerificationToken),
+        hasConfigToken: hasConfiguredSecretInput(currentVerificationToken),
+        allowEnv: false,
+      });
       const verificationTokenResult = await promptSingleChannelSecretInput({
         cfg: next,
         prompter,
         providerHint: "feishu-webhook",
         credentialLabel: "verification token",
-        accountConfigured: hasConfiguredSecretInput(currentVerificationToken),
-        canUseEnv: false,
-        hasConfigToken: hasConfiguredSecretInput(currentVerificationToken),
+        accountConfigured: verificationTokenPromptState.accountConfigured,
+        canUseEnv: verificationTokenPromptState.canUseEnv,
+        hasConfigToken: verificationTokenPromptState.hasConfigToken,
         envPrompt: "",
         keepPrompt: "Feishu verification token already configured. Keep it?",
         inputPrompt: "Enter Feishu verification token",
@@ -421,7 +436,7 @@ export const feishuOnboardingAdapter: ChannelOnboardingAdapter = {
         initialValue: existing.length > 0 ? existing.map(String).join(", ") : undefined,
       });
       if (entry) {
-        const parts = parseAllowFromInput(String(entry));
+        const parts = splitOnboardingEntries(String(entry));
         if (parts.length > 0) {
           next = setFeishuGroupAllowFrom(next, parts);
         }