@openclaw/feishu 2026.5.2 → 2026.5.3-beta.2

package/src/accounts.ts

@@ -1,326 +0,0 @@
-import {
-  DEFAULT_ACCOUNT_ID,
-  type OpenClawConfig as ClawdbotConfig,
-  createAccountListHelpers,
-  normalizeAccountId,
-  normalizeOptionalAccountId,
-  resolveMergedAccountConfig,
-} from "openclaw/plugin-sdk/account-resolution";
-import { coerceSecretRef } from "openclaw/plugin-sdk/provider-auth";
-import { normalizeString } from "./comment-shared.js";
-import type {
-  FeishuConfig,
-  FeishuAccountConfig,
-  FeishuDefaultAccountSelectionSource,
-  FeishuDomain,
-  ResolvedFeishuAccount,
-} from "./types.js";
-
-const { listAccountIds: listFeishuAccountIds, resolveDefaultAccountId } = createAccountListHelpers(
-  "feishu",
-  {
-    allowUnlistedDefaultAccount: true,
-  },
-);
-
-export { listFeishuAccountIds };
-
-type FeishuCredentialResolutionMode = "inspect" | "strict";
-type FeishuResolvedSecretRef = NonNullable<ReturnType<typeof coerceSecretRef>>;
-
-function formatSecretRefLabel(ref: FeishuResolvedSecretRef): string {
-  return `${ref.source}:${ref.provider}:${ref.id}`;
-}
-
-export class FeishuSecretRefUnavailableError extends Error {
-  path: string;
-
-  constructor(path: string, ref: FeishuResolvedSecretRef) {
-    super(
-      `${path}: unresolved SecretRef "${formatSecretRefLabel(ref)}". ` +
-        "Resolve this command against an active gateway runtime snapshot before reading it.",
-    );
-    this.name = "FeishuSecretRefUnavailableError";
-    this.path = path;
-  }
-}
-
-export function isFeishuSecretRefUnavailableError(
-  error: unknown,
-): error is FeishuSecretRefUnavailableError {
-  return error instanceof FeishuSecretRefUnavailableError;
-}
-
-function resolveFeishuSecretLike(params: {
-  value: unknown;
-  path: string;
-  mode: FeishuCredentialResolutionMode;
-  allowEnvSecretRefRead?: boolean;
-}): string | undefined {
-  const asString = normalizeString(params.value);
-  if (asString) {
-    return asString;
-  }
-
-  const ref = coerceSecretRef(params.value);
-  if (!ref) {
-    return undefined;
-  }
-
-  if (params.mode === "inspect") {
-    if (params.allowEnvSecretRefRead && ref.source === "env") {
-      const envValue = normalizeString(process.env[ref.id]);
-      if (envValue) {
-        return envValue;
-      }
-    }
-    return undefined;
-  }
-
-  throw new FeishuSecretRefUnavailableError(params.path, ref);
-}
-
-function resolveFeishuBaseCredentials(
-  cfg: FeishuConfig | undefined,
-  mode: FeishuCredentialResolutionMode,
-): {
-  appId: string;
-  appSecret: string;
-  domain: FeishuDomain;
-} | null {
-  const appId = resolveFeishuSecretLike({
-    value: cfg?.appId,
-    path: "channels.feishu.appId",
-    mode,
-    allowEnvSecretRefRead: true,
-  });
-  const appSecret = resolveFeishuSecretLike({
-    value: cfg?.appSecret,
-    path: "channels.feishu.appSecret",
-    mode,
-    allowEnvSecretRefRead: true,
-  });
-
-  if (!appId || !appSecret) {
-    return null;
-  }
-
-  return {
-    appId,
-    appSecret,
-    domain: cfg?.domain ?? "feishu",
-  };
-}
-
-function resolveFeishuEventSecrets(
-  cfg: FeishuConfig | undefined,
-  mode: FeishuCredentialResolutionMode,
-): {
-  encryptKey?: string;
-  verificationToken?: string;
-} {
-  return {
-    encryptKey:
-      (cfg?.connectionMode ?? "websocket") === "webhook"
-        ? resolveFeishuSecretLike({
-            value: cfg?.encryptKey,
-            path: "channels.feishu.encryptKey",
-            mode,
-            allowEnvSecretRefRead: true,
-          })
-        : normalizeString(cfg?.encryptKey),
-    verificationToken: resolveFeishuSecretLike({
-      value: cfg?.verificationToken,
-      path: "channels.feishu.verificationToken",
-      mode,
-      allowEnvSecretRefRead: true,
-    }),
-  };
-}
-
-/**
- * Resolve the default account selection and its source.
- */
-export function resolveDefaultFeishuAccountSelection(cfg: ClawdbotConfig): {
-  accountId: string;
-  source: FeishuDefaultAccountSelectionSource;
-} {
-  const preferred = normalizeOptionalAccountId(
-    (cfg.channels?.feishu as FeishuConfig | undefined)?.defaultAccount,
-  );
-  if (preferred) {
-    return {
-      accountId: preferred,
-      source: "explicit-default",
-    };
-  }
-  const ids = listFeishuAccountIds(cfg);
-  if (ids.includes(DEFAULT_ACCOUNT_ID)) {
-    return {
-      accountId: DEFAULT_ACCOUNT_ID,
-      source: "mapped-default",
-    };
-  }
-  return {
-    accountId: ids[0] ?? DEFAULT_ACCOUNT_ID,
-    source: "fallback",
-  };
-}
-
-/**
- * Resolve the default account ID.
- */
-export function resolveDefaultFeishuAccountId(cfg: ClawdbotConfig): string {
-  return resolveDefaultAccountId(cfg);
-}
-
-/**
- * Merge top-level config with account-specific config.
- * Account-specific fields override top-level fields.
- */
-function mergeFeishuAccountConfig(cfg: ClawdbotConfig, accountId: string): FeishuConfig {
-  const feishuCfg = cfg.channels?.feishu as FeishuConfig | undefined;
-  return resolveMergedAccountConfig<FeishuConfig>({
-    channelConfig: feishuCfg,
-    accounts: feishuCfg?.accounts as Record<string, Partial<FeishuConfig>> | undefined,
-    accountId,
-    omitKeys: ["defaultAccount"],
-  });
-}
-
-/**
- * Resolve Feishu credentials from a config.
- */
-export function resolveFeishuCredentials(cfg?: FeishuConfig): {
-  appId: string;
-  appSecret: string;
-  encryptKey?: string;
-  verificationToken?: string;
-  domain: FeishuDomain;
-} | null;
-export function resolveFeishuCredentials(
-  cfg: FeishuConfig | undefined,
-  options: {
-    mode?: FeishuCredentialResolutionMode;
-    allowUnresolvedSecretRef?: boolean;
-  },
-): {
-  appId: string;
-  appSecret: string;
-  encryptKey?: string;
-  verificationToken?: string;
-  domain: FeishuDomain;
-} | null;
-export function resolveFeishuCredentials(
-  cfg?: FeishuConfig,
-  options?: {
-    mode?: FeishuCredentialResolutionMode;
-    allowUnresolvedSecretRef?: boolean;
-  },
-): {
-  appId: string;
-  appSecret: string;
-  encryptKey?: string;
-  verificationToken?: string;
-  domain: FeishuDomain;
-} | null {
-  const mode = options?.mode ?? (options?.allowUnresolvedSecretRef ? "inspect" : "strict");
-  const base = resolveFeishuBaseCredentials(cfg, mode);
-  if (!base) {
-    return null;
-  }
-  const eventSecrets = resolveFeishuEventSecrets(cfg, mode);
-
-  return {
-    ...base,
-    ...eventSecrets,
-  };
-}
-
-export function inspectFeishuCredentials(cfg?: FeishuConfig) {
-  return resolveFeishuCredentials(cfg, { mode: "inspect" });
-}
-
-function buildResolvedFeishuAccount(params: {
-  cfg: ClawdbotConfig;
-  accountId?: string | null;
-  baseMode: FeishuCredentialResolutionMode;
-  eventSecretMode: FeishuCredentialResolutionMode;
-}): ResolvedFeishuAccount {
-  const hasExplicitAccountId =
-    typeof params.accountId === "string" && params.accountId.trim() !== "";
-  const defaultSelection = hasExplicitAccountId
-    ? null
-    : resolveDefaultFeishuAccountSelection(params.cfg);
-  const accountId = hasExplicitAccountId
-    ? normalizeAccountId(params.accountId)
-    : (defaultSelection?.accountId ?? DEFAULT_ACCOUNT_ID);
-  const selectionSource = hasExplicitAccountId
-    ? "explicit"
-    : (defaultSelection?.source ?? "fallback");
-  const feishuCfg = params.cfg.channels?.feishu as FeishuConfig | undefined;
-
-  const baseEnabled = feishuCfg?.enabled !== false;
-  const merged = mergeFeishuAccountConfig(params.cfg, accountId);
-  const accountEnabled = merged.enabled !== false;
-  const enabled = baseEnabled && accountEnabled;
-  const baseCreds = resolveFeishuBaseCredentials(merged, params.baseMode);
-  const eventSecrets = resolveFeishuEventSecrets(merged, params.eventSecretMode);
-  const accountName = (merged as FeishuAccountConfig).name;
-
-  return {
-    accountId,
-    selectionSource,
-    enabled,
-    configured: Boolean(baseCreds),
-    name: typeof accountName === "string" ? accountName.trim() || undefined : undefined,
-    appId: baseCreds?.appId,
-    appSecret: baseCreds?.appSecret,
-    encryptKey: eventSecrets.encryptKey,
-    verificationToken: eventSecrets.verificationToken,
-    domain: baseCreds?.domain ?? "feishu",
-    config: merged,
-  };
-}
-
-/**
- * Resolve a read-only Feishu account snapshot for CLI/config surfaces.
- * Unresolved SecretRefs are treated as unavailable instead of throwing.
- */
-export function resolveFeishuAccount(params: {
-  cfg: ClawdbotConfig;
-  accountId?: string | null;
-}): ResolvedFeishuAccount {
-  return buildResolvedFeishuAccount({
-    ...params,
-    baseMode: "inspect",
-    eventSecretMode: "inspect",
-  });
-}
-
-/**
- * Resolve a runtime Feishu account.
- * Required app credentials stay strict; event-only secrets can be required by callers.
- */
-export function resolveFeishuRuntimeAccount(
-  params: {
-    cfg: ClawdbotConfig;
-    accountId?: string | null;
-  },
-  options?: { requireEventSecrets?: boolean },
-): ResolvedFeishuAccount {
-  return buildResolvedFeishuAccount({
-    ...params,
-    baseMode: "strict",
-    eventSecretMode: options?.requireEventSecrets ? "strict" : "inspect",
-  });
-}
-
-/**
- * List all enabled and configured accounts.
- */
-export function listEnabledFeishuAccounts(cfg: ClawdbotConfig): ResolvedFeishuAccount[] {
-  return listFeishuAccountIds(cfg)
-    .map((accountId) => resolveFeishuAccount({ cfg, accountId }))
-    .filter((account) => account.enabled && account.configured);
-}

package/src/app-registration.ts

@@ -1,331 +0,0 @@
-/**
- * Feishu app registration via OAuth device-code flow.
- *
- * Migrated from feishu-plugin-cli's `feishu-auth.ts` and `install-prompts.ts`.
- * Replaces axios with native fetch, removes inquirer/ora/chalk in favor of
- * the openclaw WizardPrompter surface.
- */
-import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
-import { renderQrTerminal } from "./qr-terminal.js";
-import type { FeishuDomain } from "./types.js";
-
-// ---------------------------------------------------------------------------
-// Constants
-// ---------------------------------------------------------------------------
-
-const FEISHU_ACCOUNTS_URL = "https://accounts.feishu.cn";
-const LARK_ACCOUNTS_URL = "https://accounts.larksuite.com";
-
-const REGISTRATION_PATH = "/oauth/v1/app/registration";
-
-const REQUEST_TIMEOUT_MS = 10_000;
-
-// ---------------------------------------------------------------------------
-// Types
-// ---------------------------------------------------------------------------
-
-export interface AppRegistrationResult {
-  appId: string;
-  appSecret: string;
-  domain: FeishuDomain;
-  openId?: string;
-}
-
-interface InitResponse {
-  nonce: string;
-  supported_auth_methods: string[];
-}
-
-export interface BeginResult {
-  deviceCode: string;
-  qrUrl: string;
-  userCode: string;
-  interval: number;
-  expireIn: number;
-}
-
-interface RawBeginResponse {
-  device_code: string;
-  verification_uri: string;
-  user_code: string;
-  verification_uri_complete: string;
-  interval: number;
-  expire_in: number;
-}
-
-interface PollResponse {
-  client_id?: string;
-  client_secret?: string;
-  user_info?: {
-    open_id?: string;
-    tenant_brand?: "feishu" | "lark";
-  };
-  error?: string;
-  error_description?: string;
-}
-
-export type PollOutcome =
-  | { status: "success"; result: AppRegistrationResult }
-  | { status: "access_denied" }
-  | { status: "expired" }
-  | { status: "timeout" }
-  | { status: "error"; message: string };
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-function accountsBaseUrl(domain: FeishuDomain): string {
-  return domain === "lark" ? LARK_ACCOUNTS_URL : FEISHU_ACCOUNTS_URL;
-}
-
-async function postRegistration<T>(baseUrl: string, body: Record<string, string>): Promise<T> {
-  return await fetchFeishuJson<T>({
-    url: `${baseUrl}${REGISTRATION_PATH}`,
-    init: {
-      method: "POST",
-      headers: { "Content-Type": "application/x-www-form-urlencoded" },
-      body: new URLSearchParams(body).toString(),
-      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
-    },
-    auditContext: "feishu.app-registration.post",
-  });
-}
-
-async function fetchFeishuJson<T>(params: {
-  url: string;
-  init: RequestInit;
-  auditContext: string;
-}): Promise<T> {
-  const { response, release } = await fetchWithSsrFGuard({
-    url: params.url,
-    init: params.init,
-    policy: { allowedHostnames: [new URL(params.url).hostname] },
-    auditContext: params.auditContext,
-  });
-  try {
-    // Registration poll returns 4xx for pending/error states with a JSON body.
-    return (await response.json()) as T;
-  } finally {
-    await release();
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Public API
-// ---------------------------------------------------------------------------
-
-/**
- * Step 1: Initialize registration and verify the environment supports
- * `client_secret` auth.
- *
- * @throws If the environment does not support `client_secret`.
- */
-export async function initAppRegistration(domain: FeishuDomain = "feishu"): Promise<void> {
-  const baseUrl = accountsBaseUrl(domain);
-  const res = await postRegistration<InitResponse>(baseUrl, { action: "init" });
-
-  if (!res.supported_auth_methods?.includes("client_secret")) {
-    throw new Error("Current environment does not support client_secret auth method");
-  }
-}
-
-/**
- * Step 2: Begin the device-code flow. Returns a device code and a QR URL
- * that the user should scan with Feishu/Lark mobile app.
- */
-export async function beginAppRegistration(domain: FeishuDomain = "feishu"): Promise<BeginResult> {
-  const baseUrl = accountsBaseUrl(domain);
-  const res = await postRegistration<RawBeginResponse>(baseUrl, {
-    action: "begin",
-    archetype: "PersonalAgent",
-    auth_method: "client_secret",
-    request_user_info: "open_id",
-  });
-
-  const qrUrl = new URL(res.verification_uri_complete);
-  qrUrl.searchParams.set("from", "oc_onboard");
-  qrUrl.searchParams.set("tp", "ob_cli_app");
-
-  return {
-    deviceCode: res.device_code,
-    qrUrl: qrUrl.toString(),
-    userCode: res.user_code,
-    interval: res.interval || 5,
-    expireIn: res.expire_in || 600,
-  };
-}
-
-/**
- * Step 3: Poll for authorization result until success, denial, expiry, or
- * timeout. Automatically handles domain switching when `tenant_brand` is
- * detected as "lark".
- */
-export async function pollAppRegistration(params: {
-  deviceCode: string;
-  interval: number;
-  expireIn: number;
-  initialDomain?: FeishuDomain;
-  abortSignal?: AbortSignal;
-  /** Registration type parameter: "ob_user" for user mode, "ob_app" for bot mode. */
-  tp?: string;
-}): Promise<PollOutcome> {
-  const { deviceCode, expireIn, initialDomain = "feishu", abortSignal, tp } = params;
-  let currentInterval = params.interval;
-  let domain: FeishuDomain = initialDomain;
-  let domainSwitched = false;
-
-  const deadline = Date.now() + expireIn * 1000;
-
-  while (Date.now() < deadline) {
-    if (abortSignal?.aborted) {
-      return { status: "timeout" };
-    }
-
-    const baseUrl = accountsBaseUrl(domain);
-
-    let pollRes: PollResponse;
-    try {
-      pollRes = await postRegistration<PollResponse>(baseUrl, {
-        action: "poll",
-        device_code: deviceCode,
-        ...(tp ? { tp } : {}),
-      });
-    } catch {
-      // Transient network error — keep polling.
-      await sleep(currentInterval * 1000);
-      continue;
-    }
-
-    // Domain auto-detection: switch to lark if tenant_brand says so.
-    if (pollRes.user_info?.tenant_brand) {
-      const isLark = pollRes.user_info.tenant_brand === "lark";
-      if (!domainSwitched && isLark) {
-        domain = "lark";
-        domainSwitched = true;
-        // Retry poll immediately with the correct domain.
-        continue;
-      }
-    }
-
-    // Success.
-    if (pollRes.client_id && pollRes.client_secret) {
-      return {
-        status: "success",
-        result: {
-          appId: pollRes.client_id,
-          appSecret: pollRes.client_secret,
-          domain,
-          openId: pollRes.user_info?.open_id,
-        },
-      };
-    }
-
-    // Error handling.
-    if (pollRes.error) {
-      if (pollRes.error === "authorization_pending") {
-        // Continue waiting.
-      } else if (pollRes.error === "slow_down") {
-        currentInterval += 5;
-      } else if (pollRes.error === "access_denied") {
-        return { status: "access_denied" };
-      } else if (pollRes.error === "expired_token") {
-        return { status: "expired" };
-      } else {
-        return {
-          status: "error",
-          message: `${pollRes.error}: ${pollRes.error_description ?? "unknown"}`,
-        };
-      }
-    }
-
-    await sleep(currentInterval * 1000);
-  }
-
-  return { status: "timeout" };
-}
-
-/**
- * Print QR code directly to stdout.
- *
- * QR codes must be printed without any surrounding box/border decoration,
- * otherwise the pattern is corrupted and cannot be scanned.
- */
-export async function printQrCode(url: string): Promise<void> {
-  const output = await renderQrTerminal(url, { small: true });
-  process.stdout.write(output.endsWith("\n") ? output : `${output}\n`);
-}
-
-/**
- * Fetch the app owner's open_id using the application.v6.application.get API.
- *
- * Used during setup to auto-populate security policy allowlists.
- * Returns undefined on any failure (fail-open).
- */
-export async function getAppOwnerOpenId(params: {
-  appId: string;
-  appSecret: string;
-  domain?: FeishuDomain;
-}): Promise<string | undefined> {
-  const baseUrl =
-    params.domain === "lark" ? "https://open.larksuite.com" : "https://open.feishu.cn";
-
-  try {
-    // First, get a tenant_access_token.
-    const tokenData = await fetchFeishuJson<{
-      code?: number;
-      tenant_access_token?: string;
-    }>({
-      url: `${baseUrl}/open-apis/auth/v3/tenant_access_token/internal`,
-      init: {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ app_id: params.appId, app_secret: params.appSecret }),
-        signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
-      },
-      auditContext: "feishu.app-registration.owner-token",
-    });
-    if (!tokenData.tenant_access_token) {
-      return undefined;
-    }
-
-    // Query app info for the owner's open_id.
-    const appData = await fetchFeishuJson<{
-      code?: number;
-      data?: {
-        app?: {
-          owner?: { owner_id?: string; owner_type?: number; type?: number };
-          creator_id?: string;
-        };
-      };
-    }>({
-      url: `${baseUrl}/open-apis/application/v6/applications/${params.appId}?user_id_type=open_id`,
-      init: {
-        method: "GET",
-        headers: {
-          Authorization: `Bearer ${tokenData.tenant_access_token}`,
-          "Content-Type": "application/json",
-        },
-        signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
-      },
-      auditContext: "feishu.app-registration.owner-app",
-    });
-    if (appData.code !== 0) {
-      return undefined;
-    }
-
-    const app = appData.data?.app;
-    const owner = app?.owner;
-    const ownerType = owner?.owner_type ?? owner?.type;
-    // owner_type=2 means enterprise member; use owner_id. Otherwise fallback to creator_id.
-    return ownerType === 2 && owner?.owner_id
-      ? owner.owner_id
-      : (app?.creator_id ?? owner?.owner_id);
-  } catch {
-    return undefined;
-  }
-}
-
-function sleep(ms: number): Promise<void> {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}

package/src/approval-auth.test.ts

@@ -1,24 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { feishuApprovalAuth } from "./approval-auth.js";
-
-describe("feishuApprovalAuth", () => {
-  it("authorizes open_id approvers and ignores user_id-only allowlists", () => {
-    expect(
-      feishuApprovalAuth.authorizeActorAction({
-        cfg: { channels: { feishu: { allowFrom: ["ou_owner"] } } },
-        senderId: "ou_owner",
-        action: "approve",
-        approvalKind: "exec",
-      }),
-    ).toEqual({ authorized: true });
-
-    expect(
-      feishuApprovalAuth.authorizeActorAction({
-        cfg: { channels: { feishu: { allowFrom: ["user_123"] } } },
-        senderId: "ou_attacker",
-        action: "approve",
-        approvalKind: "exec",
-      }),
-    ).toEqual({ authorized: true });
-  });
-});

package/src/approval-auth.ts

@@ -1,25 +0,0 @@
-import {
-  createResolvedApproverActionAuthAdapter,
-  resolveApprovalApprovers,
-} from "openclaw/plugin-sdk/approval-auth-runtime";
-import { normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/text-runtime";
-import { resolveFeishuAccount } from "./accounts.js";
-import { normalizeFeishuTarget } from "./targets.js";
-
-function normalizeFeishuApproverId(value: string | number): string | undefined {
-  const normalized = normalizeFeishuTarget(String(value));
-  const trimmed = normalizeOptionalLowercaseString(normalized);
-  return trimmed?.startsWith("ou_") ? trimmed : undefined;
-}
-
-export const feishuApprovalAuth = createResolvedApproverActionAuthAdapter({
-  channelLabel: "Feishu",
-  resolveApprovers: ({ cfg, accountId }) => {
-    const account = resolveFeishuAccount({ cfg, accountId }).config;
-    return resolveApprovalApprovers({
-      allowFrom: account.allowFrom,
-      normalizeApprover: normalizeFeishuApproverId,
-    });
-  },
-  normalizeSenderId: (value) => normalizeFeishuApproverId(value),
-});