@openclaw/feishu 2026.5.2-beta.2 → 2026.5.3-beta.1

package/src/secret-contract.ts

@@ -1,145 +0,0 @@
-import {
-  collectConditionalChannelFieldAssignments,
-  collectSimpleChannelFieldAssignments,
-  getChannelSurface,
-  hasOwnProperty,
-  normalizeSecretStringValue,
-  type ResolverContext,
-  type SecretDefaults,
-  type SecretTargetRegistryEntry,
-} from "openclaw/plugin-sdk/channel-secret-basic-runtime";
-
-export const secretTargetRegistryEntries: SecretTargetRegistryEntry[] = [
-  {
-    id: "channels.feishu.accounts.*.appSecret",
-    targetType: "channels.feishu.accounts.*.appSecret",
-    configFile: "openclaw.json",
-    pathPattern: "channels.feishu.accounts.*.appSecret",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-  {
-    id: "channels.feishu.accounts.*.encryptKey",
-    targetType: "channels.feishu.accounts.*.encryptKey",
-    configFile: "openclaw.json",
-    pathPattern: "channels.feishu.accounts.*.encryptKey",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-  {
-    id: "channels.feishu.accounts.*.verificationToken",
-    targetType: "channels.feishu.accounts.*.verificationToken",
-    configFile: "openclaw.json",
-    pathPattern: "channels.feishu.accounts.*.verificationToken",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-  {
-    id: "channels.feishu.appSecret",
-    targetType: "channels.feishu.appSecret",
-    configFile: "openclaw.json",
-    pathPattern: "channels.feishu.appSecret",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-  {
-    id: "channels.feishu.encryptKey",
-    targetType: "channels.feishu.encryptKey",
-    configFile: "openclaw.json",
-    pathPattern: "channels.feishu.encryptKey",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-  {
-    id: "channels.feishu.verificationToken",
-    targetType: "channels.feishu.verificationToken",
-    configFile: "openclaw.json",
-    pathPattern: "channels.feishu.verificationToken",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-];
-
-export function collectRuntimeConfigAssignments(params: {
-  config: { channels?: Record<string, unknown> };
-  defaults?: SecretDefaults;
-  context: ResolverContext;
-}): void {
-  const resolved = getChannelSurface(params.config, "feishu");
-  if (!resolved) {
-    return;
-  }
-  const { channel: feishu, surface } = resolved;
-  collectSimpleChannelFieldAssignments({
-    channelKey: "feishu",
-    field: "appSecret",
-    channel: feishu,
-    surface,
-    defaults: params.defaults,
-    context: params.context,
-    topInactiveReason: "no enabled account inherits this top-level Feishu appSecret.",
-    accountInactiveReason: "Feishu account is disabled.",
-  });
-  const baseConnectionMode =
-    normalizeSecretStringValue(feishu.connectionMode) === "webhook" ? "webhook" : "websocket";
-  const resolveAccountMode = (account: Record<string, unknown>) =>
-    hasOwnProperty(account, "connectionMode")
-      ? normalizeSecretStringValue(account.connectionMode)
-      : baseConnectionMode;
-  collectConditionalChannelFieldAssignments({
-    channelKey: "feishu",
-    field: "encryptKey",
-    channel: feishu,
-    surface,
-    defaults: params.defaults,
-    context: params.context,
-    topLevelActiveWithoutAccounts: baseConnectionMode === "webhook",
-    topLevelInheritedAccountActive: ({ account, enabled }) =>
-      enabled &&
-      !hasOwnProperty(account, "encryptKey") &&
-      resolveAccountMode(account) === "webhook",
-    accountActive: ({ account, enabled }) => enabled && resolveAccountMode(account) === "webhook",
-    topInactiveReason: "no enabled Feishu webhook-mode surface inherits this top-level encryptKey.",
-    accountInactiveReason: "Feishu account is disabled or not running in webhook mode.",
-  });
-  collectConditionalChannelFieldAssignments({
-    channelKey: "feishu",
-    field: "verificationToken",
-    channel: feishu,
-    surface,
-    defaults: params.defaults,
-    context: params.context,
-    topLevelActiveWithoutAccounts: baseConnectionMode === "webhook",
-    topLevelInheritedAccountActive: ({ account, enabled }) =>
-      enabled &&
-      !hasOwnProperty(account, "verificationToken") &&
-      resolveAccountMode(account) === "webhook",
-    accountActive: ({ account, enabled }) => enabled && resolveAccountMode(account) === "webhook",
-    topInactiveReason:
-      "no enabled Feishu webhook-mode surface inherits this top-level verificationToken.",
-    accountInactiveReason: "Feishu account is disabled or not running in webhook mode.",
-  });
-}
-
-export const channelSecrets = {
-  secretTargetRegistryEntries,
-  collectRuntimeConfigAssignments,
-};

package/src/secret-input.ts

@@ -1 +0,0 @@
-export { buildSecretInputSchema, hasConfiguredSecretInput } from "openclaw/plugin-sdk/secret-input";

package/src/security-audit-shared.ts

@@ -1,69 +0,0 @@
-import { hasConfiguredSecretInput } from "openclaw/plugin-sdk/secret-input";
-import type { OpenClawConfig } from "../runtime-api.js";
-
-function asRecord(value: unknown): Record<string, unknown> | undefined {
-  return value && typeof value === "object" && !Array.isArray(value)
-    ? (value as Record<string, unknown>)
-    : undefined;
-}
-
-function hasNonEmptyString(value: unknown): boolean {
-  return typeof value === "string" && value.trim().length > 0;
-}
-
-function isFeishuDocToolEnabled(cfg: OpenClawConfig): boolean {
-  const channels = asRecord(cfg.channels);
-  const feishu = asRecord(channels?.feishu);
-  if (!feishu || feishu.enabled === false) {
-    return false;
-  }
-
-  const baseTools = asRecord(feishu.tools);
-  const baseDocEnabled = baseTools?.doc !== false;
-  const baseAppId = hasNonEmptyString(feishu.appId);
-  const baseAppSecret = hasConfiguredSecretInput(feishu.appSecret, cfg.secrets?.defaults);
-  const baseConfigured = baseAppId && baseAppSecret;
-
-  const accounts = asRecord(feishu.accounts);
-  if (!accounts || Object.keys(accounts).length === 0) {
-    return baseDocEnabled && baseConfigured;
-  }
-
-  for (const accountValue of Object.values(accounts)) {
-    const account = asRecord(accountValue) ?? {};
-    if (account.enabled === false) {
-      continue;
-    }
-    const accountTools = asRecord(account.tools);
-    const effectiveTools = accountTools ?? baseTools;
-    const docEnabled = effectiveTools?.doc !== false;
-    if (!docEnabled) {
-      continue;
-    }
-    const accountConfigured =
-      (hasNonEmptyString(account.appId) || baseAppId) &&
-      (hasConfiguredSecretInput(account.appSecret, cfg.secrets?.defaults) || baseAppSecret);
-    if (accountConfigured) {
-      return true;
-    }
-  }
-
-  return false;
-}
-
-export function collectFeishuSecurityAuditFindings(params: { cfg: OpenClawConfig }) {
-  if (!isFeishuDocToolEnabled(params.cfg)) {
-    return [];
-  }
-  return [
-    {
-      checkId: "channels.feishu.doc_owner_open_id",
-      severity: "warn" as const,
-      title: "Feishu doc create can grant requester permissions",
-      detail:
-        'channels.feishu tools include "doc"; feishu_doc action "create" can grant document access to the trusted requesting Feishu user.',
-      remediation:
-        "Disable channels.feishu.tools.doc when not needed, and restrict tool access for untrusted prompts.",
-    },
-  ];
-}

package/src/security-audit.test.ts

@@ -1,61 +0,0 @@
-import { describe, expect, it } from "vitest";
-import type { OpenClawConfig } from "../runtime-api.js";
-import { collectFeishuSecurityAuditFindings } from "./security-audit.js";
-
-describe("Feishu security audit findings", () => {
-  it.each([
-    {
-      name: "warns when doc tool is enabled because create can grant requester access",
-      cfg: {
-        channels: {
-          feishu: {
-            appId: "cli_test",
-            appSecret: "secret_test",
-          },
-        },
-      } satisfies OpenClawConfig,
-      expectedFinding: "channels.feishu.doc_owner_open_id",
-    },
-    {
-      name: "treats SecretRef appSecret as configured for doc tool risk detection",
-      cfg: {
-        channels: {
-          feishu: {
-            appId: "cli_test",
-            appSecret: {
-              source: "env",
-              provider: "default",
-              id: "FEISHU_APP_SECRET",
-            },
-          },
-        },
-      } satisfies OpenClawConfig,
-      expectedFinding: "channels.feishu.doc_owner_open_id",
-    },
-    {
-      name: "does not warn for doc grant risk when doc tools are disabled",
-      cfg: {
-        channels: {
-          feishu: {
-            appId: "cli_test",
-            appSecret: "secret_test",
-            tools: { doc: false },
-          },
-        },
-      } satisfies OpenClawConfig,
-      expectedNoFinding: "channels.feishu.doc_owner_open_id",
-    },
-  ])("$name", ({ cfg, expectedFinding, expectedNoFinding }) => {
-    const findings = collectFeishuSecurityAuditFindings({ cfg });
-    if (expectedFinding) {
-      expect(
-        findings.some(
-          (finding) => finding.checkId === expectedFinding && finding.severity === "warn",
-        ),
-      ).toBe(true);
-    }
-    if (expectedNoFinding) {
-      expect(findings.some((finding) => finding.checkId === expectedNoFinding)).toBe(false);
-    }
-  });
-});

package/src/security-audit.ts

@@ -1 +0,0 @@
-export { collectFeishuSecurityAuditFindings } from "./security-audit-shared.js";

package/src/send-result.ts

@@ -1,29 +0,0 @@
-type FeishuMessageApiResponse = {
-  code?: number;
-  msg?: string;
-  data?: {
-    message_id?: string;
-  };
-};
-
-export function assertFeishuMessageApiSuccess(
-  response: FeishuMessageApiResponse,
-  errorPrefix: string,
-) {
-  if (response.code !== 0) {
-    throw new Error(`${errorPrefix}: ${response.msg || `code ${response.code}`}`);
-  }
-}
-
-export function toFeishuSendResult(
-  response: FeishuMessageApiResponse,
-  chatId: string,
-): {
-  messageId: string;
-  chatId: string;
-} {
-  return {
-    messageId: response.data?.message_id ?? "unknown",
-    chatId,
-  };
-}

package/src/send-target.test.ts

@@ -1,80 +0,0 @@
-import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
-import type { ClawdbotConfig } from "../runtime-api.js";
-
-const resolveFeishuAccountMock = vi.hoisted(() => vi.fn());
-const createFeishuClientMock = vi.hoisted(() => vi.fn());
-
-vi.mock("./accounts.js", () => ({
-  resolveFeishuAccount: resolveFeishuAccountMock,
-  resolveFeishuRuntimeAccount: resolveFeishuAccountMock,
-}));
-
-vi.mock("./client.js", () => ({
-  createFeishuClient: createFeishuClientMock,
-}));
-
-let resolveFeishuSendTarget: typeof import("./send-target.js").resolveFeishuSendTarget;
-
-describe("resolveFeishuSendTarget", () => {
-  const cfg = {} as ClawdbotConfig;
-  const client = { id: "client" };
-
-  beforeAll(async () => {
-    ({ resolveFeishuSendTarget } = await import("./send-target.js"));
-  });
-
-  beforeEach(() => {
-    resolveFeishuAccountMock.mockReset().mockReturnValue({
-      accountId: "default",
-      enabled: true,
-      configured: true,
-    });
-    createFeishuClientMock.mockReset().mockReturnValue(client);
-  });
-
-  it("keeps explicit group targets as chat_id even when ID shape is ambiguous", () => {
-    const result = resolveFeishuSendTarget({
-      cfg,
-      to: "feishu:group:group_room_alpha",
-    });
-
-    expect(result.receiveId).toBe("group_room_alpha");
-    expect(result.receiveIdType).toBe("chat_id");
-    expect(result.client).toBe(client);
-  });
-
-  it("maps dm-prefixed open IDs to open_id", () => {
-    const result = resolveFeishuSendTarget({
-      cfg,
-      to: "lark:dm:ou_123",
-    });
-
-    expect(result.receiveId).toBe("ou_123");
-    expect(result.receiveIdType).toBe("open_id");
-  });
-
-  it("maps dm-prefixed non-open IDs to user_id", () => {
-    const result = resolveFeishuSendTarget({
-      cfg,
-      to: "  feishu:dm:user_123  ",
-    });
-
-    expect(result.receiveId).toBe("user_123");
-    expect(result.receiveIdType).toBe("user_id");
-  });
-
-  it("throws when target account is not configured", () => {
-    resolveFeishuAccountMock.mockReturnValue({
-      accountId: "default",
-      enabled: true,
-      configured: false,
-    });
-
-    expect(() =>
-      resolveFeishuSendTarget({
-        cfg,
-        to: "feishu:group:oc_123",
-      }),
-    ).toThrow('Feishu account "default" not configured');
-  });
-});

package/src/send-target.ts

@@ -1,35 +0,0 @@
-import type { ClawdbotConfig } from "../runtime-api.js";
-import { resolveFeishuRuntimeAccount } from "./accounts.js";
-import { createFeishuClient } from "./client.js";
-import { resolveReceiveIdType, normalizeFeishuTarget } from "./targets.js";
-
-type FeishuSendTarget = {
-  client: ReturnType<typeof createFeishuClient>;
-  receiveId: string;
-  receiveIdType: ReturnType<typeof resolveReceiveIdType>;
-};
-
-export function resolveFeishuSendTarget(params: {
-  cfg: ClawdbotConfig;
-  to: string;
-  accountId?: string;
-}): FeishuSendTarget {
-  const target = params.to.trim();
-  const account = resolveFeishuRuntimeAccount({ cfg: params.cfg, accountId: params.accountId });
-  if (!account.configured) {
-    throw new Error(`Feishu account "${account.accountId}" not configured`);
-  }
-  const client = createFeishuClient(account);
-  const receiveId = normalizeFeishuTarget(target);
-  if (!receiveId) {
-    throw new Error(`Invalid Feishu target: ${params.to}`);
-  }
-  // Preserve explicit routing prefixes (chat/group/user/dm/open_id) when present.
-  // normalizeFeishuTarget strips these prefixes, so infer type from the raw target first.
-  const withoutProviderPrefix = target.replace(/^(feishu|lark):/i, "");
-  return {
-    client,
-    receiveId,
-    receiveIdType: resolveReceiveIdType(withoutProviderPrefix),
-  };
-}