@openclaw/feishu 2026.5.2 → 2026.5.3-beta.2

package/src/monitor.webhook-e2e.test.ts

@@ -1,272 +0,0 @@
-import crypto from "node:crypto";
-import { afterEach, describe, expect, it, vi } from "vitest";
-import { createFeishuRuntimeMockModule } from "./monitor.test-mocks.js";
-import { withRunningWebhookMonitor } from "./monitor.webhook.test-helpers.js";
-
-const probeFeishuMock = vi.hoisted(() => vi.fn());
-
-vi.mock("./probe.js", () => ({
-  probeFeishu: probeFeishuMock,
-}));
-
-vi.mock("./client.js", async () => {
-  const actual = await vi.importActual<typeof import("./client.js")>("./client.js");
-  return {
-    ...actual,
-    createFeishuWSClient: vi.fn(() => ({ start: vi.fn() })),
-  };
-});
-
-vi.mock("./runtime.js", () => createFeishuRuntimeMockModule());
-
-import { monitorFeishuProvider, stopFeishuMonitor } from "./monitor.js";
-
-function signFeishuPayload(params: {
-  encryptKey: string;
-  rawBody: string;
-  timestamp?: string;
-  nonce?: string;
-}): Record<string, string> {
-  const timestamp = params.timestamp ?? "1711111111";
-  const nonce = params.nonce ?? "nonce-test";
-  const signature = crypto
-    .createHash("sha256")
-    .update(timestamp + nonce + params.encryptKey + params.rawBody)
-    .digest("hex");
-  return {
-    "content-type": "application/json",
-    "x-lark-request-timestamp": timestamp,
-    "x-lark-request-nonce": nonce,
-    "x-lark-signature": signature,
-  };
-}
-
-function encryptFeishuPayload(encryptKey: string, payload: Record<string, unknown>): string {
-  const iv = crypto.randomBytes(16);
-  const key = crypto.createHash("sha256").update(encryptKey).digest();
-  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
-  const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
-  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-  return Buffer.concat([iv, encrypted]).toString("base64");
-}
-
-async function postSignedPayload(url: string, payload: Record<string, unknown>) {
-  const rawBody = JSON.stringify(payload);
-  return await fetch(url, {
-    method: "POST",
-    headers: signFeishuPayload({ encryptKey: "encrypt_key", rawBody }),
-    body: rawBody,
-  });
-}
-
-afterEach(() => {
-  stopFeishuMonitor();
-});
-
-describe("Feishu webhook signed-request e2e", () => {
-  it("rejects invalid signatures with 401 instead of empty 200", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "invalid-signature",
-        path: "/hook-e2e-invalid-signature",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = { type: "url_verification", challenge: "challenge-token" };
-        const rawBody = JSON.stringify(payload);
-        const response = await fetch(url, {
-          method: "POST",
-          headers: {
-            ...signFeishuPayload({ encryptKey: "wrong_key", rawBody }),
-          },
-          body: rawBody,
-        });
-
-        expect(response.status).toBe(401);
-        expect(await response.text()).toBe("Invalid signature");
-      },
-    );
-  });
-
-  it("rejects missing signature headers with 401", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "missing-signature",
-        path: "/hook-e2e-missing-signature",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const response = await fetch(url, {
-          method: "POST",
-          headers: { "content-type": "application/json" },
-          body: JSON.stringify({ type: "url_verification", challenge: "challenge-token" }),
-        });
-
-        expect(response.status).toBe(401);
-        expect(await response.text()).toBe("Invalid signature");
-      },
-    );
-  });
-
-  it("rejects malformed short signatures with 401", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "short-signature",
-        path: "/hook-e2e-short-signature",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = { type: "url_verification", challenge: "challenge-token" };
-        const headers = signFeishuPayload({
-          encryptKey: "encrypt_key",
-          rawBody: JSON.stringify(payload),
-        });
-        headers["x-lark-signature"] = headers["x-lark-signature"].slice(0, 12);
-
-        const response = await fetch(url, {
-          method: "POST",
-          headers,
-          body: JSON.stringify(payload),
-        });
-
-        expect(response.status).toBe(401);
-        expect(await response.text()).toBe("Invalid signature");
-      },
-    );
-  });
-
-  it("returns 401 for unsigned invalid json before parsing", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "invalid-json",
-        path: "/hook-e2e-invalid-json",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const response = await fetch(url, {
-          method: "POST",
-          headers: { "content-type": "application/json" },
-          body: "{not-json",
-        });
-
-        expect(response.status).toBe(401);
-        expect(await response.text()).toBe("Invalid signature");
-      },
-    );
-  });
-
-  it("returns 400 for signed invalid json after signature validation", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "signed-invalid-json",
-        path: "/hook-e2e-signed-invalid-json",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const rawBody = "{not-json";
-        const response = await fetch(url, {
-          method: "POST",
-          headers: signFeishuPayload({ encryptKey: "encrypt_key", rawBody }),
-          body: rawBody,
-        });
-
-        expect(response.status).toBe(400);
-        expect(await response.text()).toBe("Invalid JSON");
-      },
-    );
-  });
-
-  it("accepts signed plaintext url_verification challenges end-to-end", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "signed-challenge",
-        path: "/hook-e2e-signed-challenge",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = { type: "url_verification", challenge: "challenge-token" };
-        const response = await postSignedPayload(url, payload);
-
-        expect(response.status).toBe(200);
-        await expect(response.json()).resolves.toEqual({ challenge: "challenge-token" });
-      },
-    );
-  });
-
-  it("accepts signed non-challenge events and reaches the dispatcher", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "signed-dispatch",
-        path: "/hook-e2e-signed-dispatch",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = {
-          schema: "2.0",
-          header: { event_type: "unknown.event" },
-          event: {},
-        };
-        const response = await postSignedPayload(url, payload);
-
-        expect(response.status).toBe(200);
-        expect(await response.text()).toContain("no unknown.event event handle");
-      },
-    );
-  });
-
-  it("accepts signed encrypted url_verification challenges end-to-end", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "encrypted-challenge",
-        path: "/hook-e2e-encrypted-challenge",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = {
-          encrypt: encryptFeishuPayload("encrypt_key", {
-            type: "url_verification",
-            challenge: "encrypted-challenge-token",
-          }),
-        };
-        const response = await postSignedPayload(url, payload);
-
-        expect(response.status).toBe(200);
-        await expect(response.json()).resolves.toEqual({
-          challenge: "encrypted-challenge-token",
-        });
-      },
-    );
-  });
-});

package/src/monitor.webhook-security.test.ts

@@ -1,264 +0,0 @@
-import { createConnection } from "node:net";
-import { afterEach, describe, expect, it, vi } from "vitest";
-import {
-  createFeishuClientMockModule,
-  createFeishuRuntimeMockModule,
-} from "./monitor.test-mocks.js";
-import {
-  buildWebhookConfig,
-  getFreePort,
-  withRunningWebhookMonitor,
-} from "./monitor.webhook.test-helpers.js";
-
-const probeFeishuMock = vi.hoisted(() => vi.fn());
-
-vi.mock("./probe.js", () => ({
-  probeFeishu: probeFeishuMock,
-}));
-
-vi.mock("./client.js", () => createFeishuClientMockModule());
-vi.mock("./runtime.js", () => createFeishuRuntimeMockModule());
-
-vi.mock("@larksuiteoapi/node-sdk", () => ({
-  adaptDefault: vi.fn(
-    () => (_req: unknown, res: { statusCode?: number; end: (s: string) => void }) => {
-      res.statusCode = 200;
-      res.end("ok");
-    },
-  ),
-}));
-
-vi.mock("./monitor.state.js", async (importOriginal) => {
-  const actual = await importOriginal<typeof import("./monitor.state.js")>();
-  return {
-    ...actual,
-    FEISHU_WEBHOOK_BODY_TIMEOUT_MS: 50,
-  };
-});
-
-import type { RuntimeEnv } from "../runtime-api.js";
-import {
-  clearFeishuWebhookRateLimitStateForTest,
-  getFeishuWebhookRateLimitStateSizeForTest,
-  isWebhookRateLimitedForTest,
-  monitorFeishuProvider,
-  stopFeishuMonitor,
-} from "./monitor.js";
-import { monitorWebhook } from "./monitor.transport.js";
-import type { ResolvedFeishuAccount } from "./types.js";
-
-async function waitForSlowBodyTimeoutResponse(
-  url: string,
-  timeoutMs: number,
-): Promise<{ body: string; elapsedMs: number }> {
-  return await new Promise<{ body: string; elapsedMs: number }>((resolve, reject) => {
-    const target = new URL(url);
-    const startedAt = Date.now();
-    let response = "";
-    const socket = createConnection(
-      {
-        host: target.hostname,
-        port: Number(target.port),
-      },
-      () => {
-        socket.write(`POST ${target.pathname} HTTP/1.1\r\n`);
-        socket.write(`Host: ${target.hostname}\r\n`);
-        socket.write("Content-Type: application/json\r\n");
-        socket.write("Content-Length: 65536\r\n");
-        socket.write("\r\n");
-        socket.write('{"type":"url_verification"');
-      },
-    );
-
-    socket.setEncoding("utf8");
-    socket.on("error", () => {});
-    socket.on("data", (chunk) => {
-      response += chunk;
-      if (response.includes("Request body timeout")) {
-        clearTimeout(failTimer);
-        socket.destroy();
-        resolve({ body: response, elapsedMs: Date.now() - startedAt });
-      }
-    });
-
-    const failTimer = setTimeout(() => {
-      socket.destroy();
-      reject(new Error(`timeout response did not arrive within ${timeoutMs}ms`));
-    }, timeoutMs);
-  });
-}
-
-afterEach(() => {
-  clearFeishuWebhookRateLimitStateForTest();
-  stopFeishuMonitor();
-});
-
-describe("Feishu webhook security hardening", () => {
-  it("rejects webhook mode without verificationToken", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    const cfg = buildWebhookConfig({
-      accountId: "missing-token",
-      path: "/hook-missing-token",
-      port: await getFreePort(),
-    });
-
-    await expect(monitorFeishuProvider({ config: cfg })).rejects.toThrow(
-      /requires verificationToken/i,
-    );
-  });
-
-  it("rejects webhook mode without encryptKey", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    const cfg = buildWebhookConfig({
-      accountId: "missing-encrypt-key",
-      path: "/hook-missing-encrypt",
-      port: await getFreePort(),
-      verificationToken: "verify_token",
-    });
-
-    await expect(monitorFeishuProvider({ config: cfg })).rejects.toThrow(/requires encryptKey/i);
-  });
-
-  it("refuses to start the webhook transport without encryptKey", async () => {
-    const account = {
-      accountId: "transport-missing-encrypt-key",
-      config: {
-        enabled: true,
-        connectionMode: "webhook",
-        webhookHost: "127.0.0.1",
-        webhookPort: await getFreePort(),
-        webhookPath: "/hook-transport-missing-encrypt",
-      },
-    } as ResolvedFeishuAccount;
-
-    await expect(
-      monitorWebhook({
-        account,
-        accountId: account.accountId,
-        runtime: {
-          log: vi.fn(),
-          error: vi.fn(),
-          exit: vi.fn(),
-        } as RuntimeEnv,
-        abortSignal: new AbortController().signal,
-        eventDispatcher: {} as never,
-      }),
-    ).rejects.toThrow(/requires encryptKey/i);
-  });
-
-  it("returns 415 for POST requests without json content type", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-    await withRunningWebhookMonitor(
-      {
-        accountId: "content-type",
-        path: "/hook-content-type",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const response = await fetch(url, {
-          method: "POST",
-          headers: { "content-type": "text/plain" },
-          body: "{}",
-        });
-
-        expect(response.status).toBe(415);
-        expect(await response.text()).toBe("Unsupported Media Type");
-      },
-    );
-  });
-
-  it("rejects oversized unsigned webhook bodies with 413 before signature verification", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-    await withRunningWebhookMonitor(
-      {
-        accountId: "payload-too-large",
-        path: "/hook-payload-too-large",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const response = await fetch(url, {
-          method: "POST",
-          headers: { "content-type": "application/json" },
-          body: JSON.stringify({ payload: "x".repeat(70 * 1024) }),
-        });
-
-        expect(response.status).toBe(413);
-        expect(await response.text()).toBe("Payload too large");
-      },
-    );
-  });
-
-  it("drops slow-body webhook requests within the tightened pre-auth timeout", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-    await withRunningWebhookMonitor(
-      {
-        accountId: "slow-body-timeout",
-        path: "/hook-slow-body-timeout",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const result = await waitForSlowBodyTimeoutResponse(url, 1_000);
-        expect(result.body).toContain("408 Request Timeout");
-        expect(result.body).toContain("Request body timeout");
-        expect(result.elapsedMs).toBeLessThan(500);
-      },
-    );
-  });
-
-  it("rate limits webhook burst traffic with 429", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-    await withRunningWebhookMonitor(
-      {
-        accountId: "rate-limit",
-        path: "/hook-rate-limit",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        let saw429 = false;
-        for (let i = 0; i < 130; i += 1) {
-          const response = await fetch(url, {
-            method: "POST",
-            headers: { "content-type": "text/plain" },
-            body: "{}",
-          });
-          if (response.status === 429) {
-            saw429 = true;
-            expect(await response.text()).toBe("Too Many Requests");
-            break;
-          }
-        }
-
-        expect(saw429).toBe(true);
-      },
-    );
-  });
-
-  it("caps tracked webhook rate-limit keys to prevent unbounded growth", () => {
-    const now = 1_000_000;
-    for (let i = 0; i < 4_500; i += 1) {
-      isWebhookRateLimitedForTest(`/feishu-rate-limit:key-${i}`, now);
-    }
-    expect(getFeishuWebhookRateLimitStateSizeForTest()).toBeLessThanOrEqual(4_096);
-  });
-
-  it("prunes stale webhook rate-limit state after window elapses", () => {
-    const now = 2_000_000;
-    for (let i = 0; i < 100; i += 1) {
-      isWebhookRateLimitedForTest(`/feishu-rate-limit-stale:key-${i}`, now);
-    }
-    expect(getFeishuWebhookRateLimitStateSizeForTest()).toBe(100);
-
-    isWebhookRateLimitedForTest("/feishu-rate-limit-stale:fresh", now + 60_001);
-    expect(getFeishuWebhookRateLimitStateSizeForTest()).toBe(1);
-  });
-});

package/src/monitor.webhook.test-helpers.ts

@@ -1,116 +0,0 @@
-import { createServer } from "node:http";
-import type { AddressInfo } from "node:net";
-import { vi } from "vitest";
-import type { ClawdbotConfig } from "../runtime-api.js";
-import type { monitorFeishuProvider } from "./monitor.js";
-
-const WEBHOOK_READY_MAX_ATTEMPTS = 200;
-const WEBHOOK_READY_RETRY_DELAY_MS = 50;
-const WEBHOOK_MONITOR_START_MAX_ATTEMPTS = 4;
-
-export async function getFreePort(): Promise<number> {
-  const server = createServer();
-  await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", () => resolve()));
-  const address = server.address() as AddressInfo | null;
-  if (!address) {
-    throw new Error("missing server address");
-  }
-  await new Promise<void>((resolve) => server.close(() => resolve()));
-  return address.port;
-}
-
-async function waitUntilServerReady(url: string): Promise<void> {
-  for (let i = 0; i < WEBHOOK_READY_MAX_ATTEMPTS; i += 1) {
-    try {
-      const response = await fetch(url, { method: "GET" });
-      if (response.status >= 200 && response.status < 500) {
-        return;
-      }
-    } catch {
-      // retry
-    }
-    await new Promise((resolve) => setTimeout(resolve, WEBHOOK_READY_RETRY_DELAY_MS));
-  }
-  throw new Error(`server did not start: ${url}`);
-}
-
-export function buildWebhookConfig(params: {
-  accountId: string;
-  path: string;
-  port: number;
-  verificationToken?: string;
-  encryptKey?: string;
-}): ClawdbotConfig {
-  return {
-    channels: {
-      feishu: {
-        enabled: true,
-        accounts: {
-          [params.accountId]: {
-            enabled: true,
-            appId: "cli_test",
-            appSecret: "secret_test", // pragma: allowlist secret
-            connectionMode: "webhook",
-            webhookHost: "127.0.0.1",
-            webhookPort: params.port,
-            webhookPath: params.path,
-            encryptKey: params.encryptKey,
-            verificationToken: params.verificationToken,
-          },
-        },
-      },
-    },
-  } as ClawdbotConfig;
-}
-
-export async function withRunningWebhookMonitor(
-  params: {
-    accountId: string;
-    path: string;
-    verificationToken: string;
-    encryptKey: string;
-  },
-  monitor: typeof monitorFeishuProvider,
-  run: (url: string) => Promise<void>,
-) {
-  let startupError: unknown;
-  for (let attempt = 1; attempt <= WEBHOOK_MONITOR_START_MAX_ATTEMPTS; attempt += 1) {
-    const port = await getFreePort();
-    const cfg = buildWebhookConfig({
-      accountId: params.accountId,
-      path: params.path,
-      port,
-      encryptKey: params.encryptKey,
-      verificationToken: params.verificationToken,
-    });
-
-    const abortController = new AbortController();
-    const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
-    const monitorPromise = monitor({
-      config: cfg,
-      runtime,
-      abortSignal: abortController.signal,
-      accountId: params.accountId,
-    });
-
-    const url = `http://127.0.0.1:${port}${params.path}`;
-    try {
-      await waitUntilServerReady(url);
-      try {
-        await run(url);
-      } finally {
-        abortController.abort();
-        await monitorPromise.catch(() => undefined);
-      }
-      return;
-    } catch (error) {
-      startupError = error;
-      abortController.abort();
-      await monitorPromise.catch(() => undefined);
-      if (attempt < WEBHOOK_MONITOR_START_MAX_ATTEMPTS) {
-        await new Promise((resolve) => setTimeout(resolve, attempt * WEBHOOK_READY_RETRY_DELAY_MS));
-      }
-    }
-  }
-  throw startupError instanceof Error ? startupError : new Error("failed to start webhook monitor");
-}

package/src/outbound-runtime-api.ts

@@ -1 +0,0 @@
-export { chunkTextForOutbound, type ChannelOutboundAdapter } from "../runtime-api.js";