@openclaw/feishu 2026.6.6 → 2026.6.8-beta.2

package/dist/{monitor.account-Cl-QnhPV.js → monitor.account-BhoLA1Y0.js}

@@ -1,6 +1,6 @@
-import { _ as normalizeCommentFileType, c as encodeQuery, d as isRecord$1, f as normalizeString, g as buildFeishuCommentTarget, h as requestFeishuApi, l as extractReplyText, m as readString, p as parseCommentContentElements, s as resolveFeishuRuntimeAccount } from "./accounts-Cfzht2Hc.js";
+import { _ as normalizeCommentFileType, c as encodeQuery, d as isRecord$1, f as normalizeString, g as buildFeishuCommentTarget, h as requestFeishuApi, l as extractReplyText, m as readString, o as resolveFeishuAccount, p as parseCommentContentElements, s as resolveFeishuRuntimeAccount } from "./accounts-Cfzht2Hc.js";
 import { i as resolveReceiveIdType } from "./targets-BUjQ1TcA.js";
-import { c as normalizeFeishuAllowEntry, d as resolveFeishuGroupConversationIngressAccess, f as resolveFeishuGroupSenderActivationIngressAccess, l as resolveFeishuDmIngressAccess, p as resolveFeishuReplyPolicy, s as hasExplicitFeishuGroupConfig, u as resolveFeishuGroupConfig } from "./channel-BYCCZN1h.js";
+import { c as normalizeFeishuAllowEntry, d as resolveFeishuGroupConversationIngressAccess, f as resolveFeishuGroupSenderActivationIngressAccess, l as resolveFeishuDmIngressAccess, p as resolveFeishuReplyPolicy, s as hasExplicitFeishuGroupConfig, u as resolveFeishuGroupConfig } from "./channel-DwygSth-.js";
 import { c as decodeFeishuCardAction, o as buildFeishuCardActionTextFallback, s as createFeishuCardInteractionEnvelope } from "./send-result-DSsIa4-p.js";
 import { t as buildFeishuConversationId } from "./conversation-id-DuL575sn.js";
 import { t as getFeishuRuntime } from "./runtime-C5JxBWZp.js";
@@ -10,7 +10,7 @@ import { t as createFeishuThreadBindingManager } from "./thread-bindings-V0bwk0A
 import { createReplyPrefixContext, evaluateSupplementalContextVisibility, loadSessionStore, normalizeAgentId as normalizeAgentId$2, resolveChannelContextVisibilityMode, resolveSessionStoreEntry } from "./runtime-api.js";
 import { _ as normalizeFeishuExternalKey, a as sendCardFeishu, c as sendStructuredCardFeishu, d as isFeishuBroadcastMention, f as isMentionForwardRequest, g as shouldSuppressFeishuTextForVoiceMedia, h as sendMediaFeishu, i as resolveFeishuCardTemplate, l as parsePostContent, m as saveMessageResourceFeishu, n as getMessageFeishu, p as isFeishuGroupChatType, r as listFeishuThreadMessages, s as sendMessageFeishu, u as extractMentionTargets } from "./send-B3kteMF8.js";
 import { i as waitForAbortableDelay, r as raceWithTimeoutAndAbort } from "./probe-BjKRV7em.js";
-import { a as feishuWebhookRateLimiter, c as wsClients, i as botOpenIds, l as fetchBotIdentityForMonitor, n as FEISHU_WEBHOOK_MAX_BODY_BYTES, o as httpServers, r as botNames, s as recordWebhookStatus, t as FEISHU_WEBHOOK_BODY_TIMEOUT_MS } from "./monitor.state-r4OLFBfg.js";
+import { a as clearFeishuBotIdentityState, c as httpServers, d as wsClients, f as fetchBotIdentityForMonitor, i as botOpenIds, l as recordWebhookStatus, n as FEISHU_WEBHOOK_MAX_BODY_BYTES, o as closeTrackedFeishuHttpServer, r as botNames, s as feishuWebhookRateLimiter, t as FEISHU_WEBHOOK_BODY_TIMEOUT_MS, u as setFeishuBotIdentityState } from "./monitor.state-QV66eUNA.js";
 import { createChannelMessageReplyPipeline, formatChannelProgressDraftLineForEntry, isChannelProgressDraftWorkToolName, resolveAgentOutboundIdentity } from "openclaw/plugin-sdk/channel-outbound";
 import { createChannelPairingController, createChannelPairingController as createChannelPairingController$1 } from "openclaw/plugin-sdk/channel-pairing";
 import { ensureConfiguredBindingRouteReady, resolveConfiguredBindingRoute, resolveRuntimeConversationBindingRoute } from "openclaw/plugin-sdk/conversation-runtime";
@@ -20,7 +20,7 @@ import { stripReasoningTagsFromText } from "openclaw/plugin-sdk/text-chunking";
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { resolveInboundLastRouteSessionKey } from "openclaw/plugin-sdk/routing";
+import { normalizeAccountId, resolveAgentRoute, resolveInboundLastRouteSessionKey } from "openclaw/plugin-sdk/routing";
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
 import * as Lark from "@larksuiteoapi/node-sdk";
 import * as crypto$1 from "node:crypto";
@@ -29,10 +29,10 @@ import { applyBasicWebhookRequestGuards, resolveRequestClientIp } from "openclaw
 import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import { resolveSendableOutboundReplyParts, resolveTextChunksWithFallback, sendMediaWithLeadingCaption } from "openclaw/plugin-sdk/reply-payload";
 import { resolvePinnedMainDmOwnerFromAllowlist, safeEqualSecret } from "openclaw/plugin-sdk/security-runtime";
-import { resolveChannelConfigWrites } from "openclaw/plugin-sdk/channel-config-writes";
 import { buildChannelInboundEventContext, toInboundMediaFacts } from "openclaw/plugin-sdk/channel-inbound";
 import { DEFAULT_GROUP_HISTORY_LIMIT, createChannelHistoryWindow } from "openclaw/plugin-sdk/reply-history";
 import { resolveDefaultGroupPolicy, resolveOpenProviderRuntimeGroupPolicy, warnMissingProviderGroupPolicyFallbackOnce } from "openclaw/plugin-sdk/runtime-group-policy";
+import { resolveChannelConfigWrites } from "openclaw/plugin-sdk/channel-config-writes";
 import { formatReasoningMessage } from "openclaw/plugin-sdk/agent-runtime";
 import { logTypingFailure } from "openclaw/plugin-sdk/channel-feedback";
 import * as http from "node:http";
@@ -654,97 +654,150 @@ function resolveFeishuMessageDedupeKey(event) {
 }
 //#endregion
 //#region extensions/feishu/src/dynamic-agent.ts
+var DynamicAgentMutationSkipped = class extends Error {
+	constructor(cfg) {
+		super("dynamic agent mutation skipped");
+		this.cfg = cfg;
+	}
+};
+function hasDefaultDirectRoute(cfg, accountId, senderOpenId) {
+	return resolveAgentRoute({
+		cfg,
+		channel: "feishu",
+		accountId,
+		peer: {
+			kind: "direct",
+			id: senderOpenId
+		}
+	}).matchedBy === "default";
+}
+function resolveDynamicAgentConfig(cfg, accountId) {
+	return resolveFeishuAccount({
+		cfg,
+		accountId
+	}).config.dynamicAgentCreation;
+}
+function isAtDynamicAgentLimit(cfg, dynamicCfg) {
+	if (dynamicCfg.maxAgents === void 0) return false;
+	return (cfg.agents?.list ?? []).filter((agent) => agent.id.startsWith("feishu-")).length >= dynamicCfg.maxAgents;
+}
+function resolveDynamicAgentId(accountId, senderOpenId) {
+	if (accountId === "default") return `feishu-${senderOpenId}`;
+	const identityDigest = createHash("sha256").update(accountId).update("\0").update(senderOpenId).digest("hex").slice(0, 32);
+	return `feishu-${accountId.slice(0, 12)}-${identityDigest}`;
+}
 /**
-* Check if a dynamic agent should be created for a DM user and create it if needed.
-* This creates a unique agent instance with its own workspace for each DM user.
+* Refresh an existing DM binding or create its dynamic agent when current
+* account policy permits config writes.
 */
 async function maybeCreateDynamicAgent(params) {
-	const { cfg, runtime, senderOpenId, dynamicCfg, configWritesAllowed, log } = params;
-	if (!configWritesAllowed) {
+	const { cfg, runtime, senderOpenId, canCreateForConfig, log } = params;
+	const accountId = normalizeAccountId(params.accountId);
+	if (!hasDefaultDirectRoute(cfg, accountId, senderOpenId)) return {
+		created: false,
+		updatedCfg: cfg
+	};
+	const currentCfg = runtime.config.current();
+	if (!hasDefaultDirectRoute(currentCfg, accountId, senderOpenId)) return {
+		created: false,
+		updatedCfg: currentCfg
+	};
+	const currentDynamicCfg = resolveDynamicAgentConfig(currentCfg, accountId);
+	if (!currentDynamicCfg?.enabled) return {
+		created: false,
+		updatedCfg: currentCfg
+	};
+	if (!resolveChannelConfigWrites({
+		cfg: currentCfg,
+		channelId: "feishu",
+		accountId
+	})) {
 		log(`feishu: config writes disabled, not creating agent for ${senderOpenId}`);
 		return {
 			created: false,
-			updatedCfg: cfg
+			updatedCfg: currentCfg
+		};
+	}
+	const agentId = resolveDynamicAgentId(accountId, senderOpenId);
+	if (!(currentCfg.agents?.list ?? []).some((agent) => agent.id === agentId) && isAtDynamicAgentLimit(currentCfg, currentDynamicCfg)) {
+		log(`feishu: maxAgents limit (${currentDynamicCfg.maxAgents}) reached, not creating agent for ${senderOpenId}`);
+		return {
+			created: false,
+			updatedCfg: currentCfg
 		};
 	}
-	const existingBindings = cfg.bindings ?? [];
-	if (existingBindings.some((b) => b.match?.channel === "feishu" && b.match?.peer?.kind === "direct" && b.match?.peer?.id === senderOpenId)) return {
+	if (!await canCreateForConfig(currentCfg)) return {
 		created: false,
-		updatedCfg: cfg
+		updatedCfg: currentCfg
 	};
-	if (dynamicCfg.maxAgents !== void 0) {
-		if ((cfg.agents?.list ?? []).filter((a) => a.id.startsWith("feishu-")).length >= dynamicCfg.maxAgents) {
-			log(`feishu: maxAgents limit (${dynamicCfg.maxAgents}) reached, not creating agent for ${senderOpenId}`);
-			return {
-				created: false,
-				updatedCfg: cfg
-			};
-		}
-	}
-	const agentId = `feishu-${senderOpenId}`;
-	if ((cfg.agents?.list ?? []).find((a) => a.id === agentId)) {
-		log(`feishu: agent "${agentId}" exists, adding missing binding for ${senderOpenId}`);
-		const updatedCfg = {
-			...cfg,
-			bindings: [...existingBindings, {
+	let skippedCfg;
+	const committed = await runtime.config.mutateConfigFile({
+		base: "runtime",
+		afterWrite: { mode: "auto" },
+		mutate: async (draft) => {
+			if (!hasDefaultDirectRoute(draft, accountId, senderOpenId)) throw new DynamicAgentMutationSkipped(draft);
+			const dynamicCfg = resolveDynamicAgentConfig(draft, accountId);
+			if (!dynamicCfg?.enabled || !resolveChannelConfigWrites({
+				cfg: draft,
+				channelId: "feishu",
+				accountId
+			})) throw new DynamicAgentMutationSkipped(draft);
+			const agentExists = (draft.agents?.list ?? []).some((agent) => agent.id === agentId);
+			if (!agentExists && isAtDynamicAgentLimit(draft, dynamicCfg)) {
+				log(`feishu: maxAgents limit (${dynamicCfg.maxAgents}) reached, not creating agent for ${senderOpenId}`);
+				throw new DynamicAgentMutationSkipped(draft);
+			}
+			if (!await canCreateForConfig(draft)) throw new DynamicAgentMutationSkipped(draft);
+			if (!agentExists) {
+				const workspaceTemplate = dynamicCfg.workspaceTemplate ?? "~/.openclaw/workspace-{agentId}";
+				const agentDirTemplate = dynamicCfg.agentDirTemplate ?? "~/.openclaw/agents/{agentId}/agent";
+				const workspace = resolveUserPath(workspaceTemplate.replace("{userId}", senderOpenId).replace("{agentId}", agentId));
+				const agentDir = resolveUserPath(agentDirTemplate.replace("{userId}", senderOpenId).replace("{agentId}", agentId));
+				log(`feishu: creating dynamic agent "${agentId}" for user ${senderOpenId}`);
+				log(`  workspace: ${workspace}`);
+				log(`  agentDir: ${agentDir}`);
+				await fs.promises.mkdir(workspace, { recursive: true });
+				await fs.promises.mkdir(agentDir, { recursive: true });
+				draft.agents = {
+					...draft.agents,
+					list: [...draft.agents?.list ?? [], {
+						id: agentId,
+						workspace,
+						agentDir
+					}]
+				};
+			} else log(`feishu: agent "${agentId}" exists, adding missing binding for ${senderOpenId}`);
+			draft.bindings = [...draft.bindings ?? [], {
 				agentId,
 				match: {
 					channel: "feishu",
+					accountId,
 					peer: {
 						kind: "direct",
 						id: senderOpenId
 					}
 				}
-			}]
-		};
-		await runtime.config.replaceConfigFile({
-			nextConfig: updatedCfg,
-			afterWrite: { mode: "auto" }
-		});
-		return {
-			created: true,
-			updatedCfg,
-			agentId
-		};
-	}
-	const workspaceTemplate = dynamicCfg.workspaceTemplate ?? "~/.openclaw/workspace-{agentId}";
-	const agentDirTemplate = dynamicCfg.agentDirTemplate ?? "~/.openclaw/agents/{agentId}/agent";
-	const workspace = resolveUserPath(workspaceTemplate.replace("{userId}", senderOpenId).replace("{agentId}", agentId));
-	const agentDir = resolveUserPath(agentDirTemplate.replace("{userId}", senderOpenId).replace("{agentId}", agentId));
-	log(`feishu: creating dynamic agent "${agentId}" for user ${senderOpenId}`);
-	log(`  workspace: ${workspace}`);
-	log(`  agentDir: ${agentDir}`);
-	await fs.promises.mkdir(workspace, { recursive: true });
-	await fs.promises.mkdir(agentDir, { recursive: true });
-	const updatedCfg = {
-		...cfg,
-		agents: {
-			...cfg.agents,
-			list: [...cfg.agents?.list ?? [], {
-				id: agentId,
-				workspace,
-				agentDir
-			}]
-		},
-		bindings: [...existingBindings, {
-			agentId,
-			match: {
-				channel: "feishu",
-				peer: {
-					kind: "direct",
-					id: senderOpenId
-				}
-			}
-		}]
-	};
-	await runtime.config.replaceConfigFile({
-		nextConfig: updatedCfg,
-		afterWrite: { mode: "auto" }
+			}];
+			return {
+				created: true,
+				agentId
+			};
+		}
+	}).catch((error) => {
+		if (error instanceof DynamicAgentMutationSkipped) {
+			skippedCfg = error.cfg;
+			return null;
+		}
+		throw error;
 	});
+	if (!committed) return {
+		created: false,
+		updatedCfg: skippedCfg ?? currentCfg
+	};
 	return {
-		created: true,
-		updatedCfg,
-		agentId
+		created: committed.result?.created ?? false,
+		updatedCfg: runtime.config.current(),
+		agentId: committed.result?.agentId
 	};
 }
 /**
@@ -1392,8 +1445,9 @@ function resolveCardNote(agentId, identity, prefixCtx) {
 }
 function createFeishuReplyDispatcher(params) {
 	const core = getFeishuRuntime();
-	const { cfg, agentId, chatId, replyToMessageId, skipReplyToInMessages, replyInThread, threadReply, rootId, accountId, identity } = params;
+	const { cfg, agentId, chatId, replyToMessageId, typingTargetMessageId: explicitTypingTargetMessageId, skipReplyToInMessages, replyInThread, threadReply, rootId, accountId, identity } = params;
 	const sendReplyToMessageId = skipReplyToInMessages ? void 0 : replyToMessageId;
+	const typingTargetMessageId = explicitTypingTargetMessageId?.trim() || replyToMessageId;
 	const threadReplyMode = threadReply === true;
 	const effectiveReplyInThread = threadReplyMode ? true : replyInThread;
 	const allowTopLevelReplyFallback = effectiveReplyInThread === true && threadReplyMode && rootId !== void 0 && sendReplyToMessageId !== void 0 && sendReplyToMessageId !== rootId;
@@ -1414,13 +1468,13 @@ function createFeishuReplyDispatcher(params) {
 		typing: {
 			start: async () => {
 				if (!(account.config.typingIndicator ?? true)) return;
-				if (!replyToMessageId) return;
+				if (!typingTargetMessageId) return;
 				const messageCreateTimeMs = normalizeEpochMs(params.messageCreateTimeMs);
 				if (messageCreateTimeMs !== void 0 && Date.now() - messageCreateTimeMs > TYPING_INDICATOR_MAX_AGE_MS) return;
 				if (typingState?.reactionId) return;
 				typingState = await addTypingIndicator({
 					cfg,
-					messageId: replyToMessageId,
+					messageId: typingTargetMessageId,
 					accountId,
 					runtime: params.runtime
 				});
@@ -1989,6 +2043,7 @@ function parseFeishuMessageEvent(event, botOpenId, _botName) {
 		chatId: event.message.chat_id,
 		messageId: event.message.message_id,
 		replyTargetMessageId: event.message.reply_target_message_id?.trim() || void 0,
+		typingTargetMessageId: event.message.typing_target_message_id?.trim() || void 0,
 		suppressReplyTarget: event.message.suppress_reply_target === true,
 		senderId: senderUserId || senderOpenId || "",
 		senderOpenId: senderFallbackId,
@@ -2269,20 +2324,34 @@ async function handleFeishuMessage(params) {
 		});
 		const commandProbeBody = isGroup ? normalizeFeishuCommandProbeBody(ctx.content) : ctx.content;
 		const shouldComputeCommandAuthorized = core.channel.commands.shouldComputeCommandAuthorized(commandProbeBody, cfg);
-		const dmIngress = isDirect ? await resolveFeishuDmIngressAccess({
-			cfg,
-			accountId: account.accountId,
-			dmPolicy,
-			allowFrom: configAllowFrom,
-			readAllowFromStore: pairing.readAllowFromStore,
-			senderOpenId: ctx.senderOpenId,
-			senderUserId,
-			conversationId: ctx.senderOpenId,
-			mayPair: true,
-			...shouldComputeCommandAuthorized ? { command: { hasControlCommand: true } } : {}
-		}) : null;
-		if (isDirect && dmIngress?.ingress.admission !== "dispatch") {
-			if (dmIngress?.ingress.admission === "pairing-required") await pairing.issueChallenge({
+		const resolveDirectAuthorization = async (candidateCfg, mayPair, shouldComputeCommand = core.channel.commands.shouldComputeCommandAuthorized(commandProbeBody, candidateCfg)) => {
+			const candidateAccount = resolveFeishuRuntimeAccount({
+				cfg: candidateCfg,
+				accountId: account.accountId
+			});
+			const candidateDmPolicy = candidateAccount.config.dmPolicy ?? "pairing";
+			const candidateConfigAllowFrom = candidateAccount.config.allowFrom ?? [];
+			return {
+				cfg: candidateCfg,
+				dmPolicy: candidateDmPolicy,
+				configAllowFrom: candidateConfigAllowFrom,
+				ingress: await resolveFeishuDmIngressAccess({
+					cfg: candidateCfg,
+					accountId: candidateAccount.accountId,
+					dmPolicy: candidateDmPolicy,
+					allowFrom: candidateConfigAllowFrom,
+					readAllowFromStore: pairing.readAllowFromStore,
+					senderOpenId: ctx.senderOpenId,
+					senderUserId,
+					conversationId: ctx.senderOpenId,
+					mayPair,
+					...shouldComputeCommand ? { command: { hasControlCommand: true } } : {}
+				}),
+				shouldComputeCommandAuthorized: shouldComputeCommand
+			};
+		};
+		const rejectDirectAuthorization = async (authorization) => {
+			if (authorization.ingress.ingress.admission === "pairing-required") await pairing.issueChallenge({
 				senderId: ctx.senderOpenId,
 				senderIdLine: `Your Feishu user id: ${ctx.senderOpenId}`,
 				meta: { name: ctx.senderName },
@@ -2291,7 +2360,7 @@ async function handleFeishuMessage(params) {
 				},
 				sendPairingReply: async (text) => {
 					await sendMessageFeishu({
-						cfg,
+						cfg: authorization.cfg,
 						to: `chat:${ctx.chatId}`,
 						text,
 						accountId: account.accountId
@@ -2301,10 +2370,34 @@ async function handleFeishuMessage(params) {
 					log(`feishu[${account.accountId}]: pairing reply failed for ${ctx.senderOpenId}: ${String(err)}`);
 				}
 			});
-			else log(`feishu[${account.accountId}]: blocked unauthorized sender ${ctx.senderOpenId} (dmPolicy=${dmPolicy})`);
+			else log(`feishu[${account.accountId}]: blocked unauthorized sender ${ctx.senderOpenId} (dmPolicy=${authorization.dmPolicy})`);
+		};
+		const directAuthorization = isDirect ? await resolveDirectAuthorization(cfg, true, shouldComputeCommandAuthorized) : null;
+		const dmIngress = directAuthorization?.ingress ?? null;
+		if (isDirect && dmIngress?.ingress.admission !== "dispatch") {
+			if (directAuthorization) await rejectDirectAuthorization(directAuthorization);
 			return;
 		}
-		const commandAllowFrom = isGroup ? groupConfig?.allowFrom ?? configAllowFrom : dmIngress?.senderAccess.effectiveAllowFrom ?? configAllowFrom;
+		let effectiveDmPolicy = directAuthorization?.dmPolicy ?? dmPolicy;
+		let effectiveConfigAllowFrom = directAuthorization?.configAllowFrom ?? configAllowFrom;
+		let effectiveDmIngress = dmIngress;
+		let effectiveShouldComputeCommandAuthorized = directAuthorization?.shouldComputeCommandAuthorized ?? shouldComputeCommandAuthorized;
+		let effectiveCfg = cfg;
+		if (isDirect) {
+			const currentCfg = getFeishuRuntime().config.current();
+			if (currentCfg !== effectiveCfg) {
+				const currentAuthorization = await resolveDirectAuthorization(currentCfg, true);
+				if (currentAuthorization.ingress.ingress.admission !== "dispatch") {
+					await rejectDirectAuthorization(currentAuthorization);
+					return;
+				}
+				effectiveCfg = currentCfg;
+				effectiveDmPolicy = currentAuthorization.dmPolicy;
+				effectiveConfigAllowFrom = currentAuthorization.configAllowFrom;
+				effectiveDmIngress = currentAuthorization.ingress;
+				effectiveShouldComputeCommandAuthorized = currentAuthorization.shouldComputeCommandAuthorized;
+			}
+		}
 		const feishuFrom = `feishu:${ctx.senderOpenId}`;
 		const feishuTo = isGroup ? `chat:${ctx.chatId}` : `user:${ctx.senderOpenId}`;
 		const peerId = isGroup ? groupSession?.peerId ?? ctx.chatId : ctx.senderOpenId;
@@ -2317,7 +2410,7 @@ async function handleFeishuMessage(params) {
 		const feishuAcpConversationSupported = !isGroup || groupSession?.groupSessionScope === "group_topic" || groupSession?.groupSessionScope === "group_topic_sender";
 		if (isGroup && groupSession) log(`feishu[${account.accountId}]: group session scope=${groupSession.groupSessionScope}, peer=${peerId}`);
 		let route = core.channel.routing.resolveAgentRoute({
-			cfg,
+			cfg: effectiveCfg,
 			channel: "feishu",
 			accountId: account.accountId,
 			peer: {
@@ -2326,37 +2419,42 @@ async function handleFeishuMessage(params) {
 			},
 			parentPeer
 		});
-		let effectiveCfg = cfg;
 		if (!isGroup && route.matchedBy === "default") {
-			const dynamicCfg = feishuCfg?.dynamicAgentCreation;
-			if (dynamicCfg?.enabled) {
-				const result = await maybeCreateDynamicAgent({
-					cfg,
-					runtime: getFeishuRuntime(),
-					senderOpenId: ctx.senderOpenId,
-					dynamicCfg,
-					configWritesAllowed: resolveChannelConfigWrites({
-						cfg,
-						channelId: "feishu",
-						accountId: account.accountId
-					}),
-					log: (msg) => log(msg)
-				});
-				if (result.created) {
-					effectiveCfg = result.updatedCfg;
-					route = core.channel.routing.resolveAgentRoute({
-						cfg: result.updatedCfg,
-						channel: "feishu",
-						accountId: account.accountId,
-						peer: {
-							kind: "direct",
-							id: ctx.senderOpenId
-						}
-					});
-					log(`feishu[${account.accountId}]: dynamic agent created, new route: ${route.sessionKey}`);
+			const runtimeLocal = getFeishuRuntime();
+			const result = await maybeCreateDynamicAgent({
+				cfg: effectiveCfg,
+				runtime: runtimeLocal,
+				accountId: account.accountId,
+				senderOpenId: ctx.senderOpenId,
+				canCreateForConfig: async (candidateCfg) => {
+					return (await resolveDirectAuthorization(candidateCfg, false)).ingress.ingress.admission === "dispatch";
+				},
+				log: (msg) => log(msg)
+			});
+			if (result.created || result.updatedCfg !== effectiveCfg) {
+				const refreshedAuthorization = await resolveDirectAuthorization(result.updatedCfg, false);
+				if (refreshedAuthorization.ingress.ingress.admission !== "dispatch") {
+					log(`feishu[${account.accountId}]: current policy rejected stale DM from ${ctx.senderOpenId} before adopting refreshed dynamic route (dmPolicy=${refreshedAuthorization.dmPolicy})`);
+					return;
 				}
+				effectiveCfg = result.updatedCfg;
+				effectiveDmPolicy = refreshedAuthorization.dmPolicy;
+				effectiveConfigAllowFrom = refreshedAuthorization.configAllowFrom;
+				effectiveDmIngress = refreshedAuthorization.ingress;
+				effectiveShouldComputeCommandAuthorized = refreshedAuthorization.shouldComputeCommandAuthorized;
+				route = core.channel.routing.resolveAgentRoute({
+					cfg: result.updatedCfg,
+					channel: "feishu",
+					accountId: account.accountId,
+					peer: {
+						kind: "direct",
+						id: ctx.senderOpenId
+					}
+				});
+				if (result.created) log(`feishu[${account.accountId}]: dynamic agent created, new route: ${route.sessionKey}`);
 			}
 		}
+		const commandAllowFrom = isGroup ? groupConfig?.allowFrom ?? effectiveConfigAllowFrom : effectiveDmIngress?.senderAccess.effectiveAllowFrom ?? effectiveConfigAllowFrom;
 		const currentConversationId = peerId;
 		const parentConversationId = isGroup ? parentPeer?.id ?? ctx.chatId : void 0;
 		let configuredBinding = null;
@@ -2446,8 +2544,8 @@ async function handleFeishuMessage(params) {
 			content: audioTranscript
 		};
 		const effectiveCommandProbeBody = audioTranscript === void 0 ? commandProbeBody : isGroup ? normalizeFeishuCommandProbeBody(audioTranscript) : audioTranscript;
-		const commandAuthorized = (audioTranscript === void 0 ? shouldComputeCommandAuthorized : core.channel.commands.shouldComputeCommandAuthorized(effectiveCommandProbeBody, cfg)) ? isDirect && audioTranscript === void 0 && dmIngress ? dmIngress.commandAccess.authorized : isGroup ? (await resolveFeishuGroupSenderActivationIngressAccess({
-			cfg,
+		const commandAuthorized = (audioTranscript === void 0 ? effectiveShouldComputeCommandAuthorized : core.channel.commands.shouldComputeCommandAuthorized(effectiveCommandProbeBody, effectiveCfg)) ? isDirect && audioTranscript === void 0 && effectiveDmIngress ? effectiveDmIngress.commandAccess.authorized : isGroup ? (await resolveFeishuGroupSenderActivationIngressAccess({
+			cfg: effectiveCfg,
 			accountId: account.accountId,
 			chatId: ctx.chatId,
 			allowFrom: commandAllowFrom,
@@ -2457,10 +2555,10 @@ async function handleFeishuMessage(params) {
 			mentionedBot: true,
 			command: { hasControlCommand: true }
 		})).commandAccess.authorized : (await resolveFeishuDmIngressAccess({
-			cfg,
+			cfg: effectiveCfg,
 			accountId: account.accountId,
-			dmPolicy,
-			allowFrom: configAllowFrom,
+			dmPolicy: effectiveDmPolicy,
+			allowFrom: effectiveConfigAllowFrom,
 			readAllowFromStore: pairing.readAllowFromStore,
 			senderOpenId: ctx.senderOpenId,
 			senderUserId,
@@ -2708,11 +2806,12 @@ async function handleFeishuMessage(params) {
 		const configReplyInThread = isGroup && (groupConfig?.replyInThread ?? feishuCfg?.replyInThread ?? "disabled") === "enabled";
 		const topicReplyTargetMessageId = ctx.rootId ?? defaultReplyTargetMessageId;
 		const replyTargetMessageId = directThreadReply ? directThreadReplyTargetMessageId : isTopicSession || configReplyInThread ? topicReplyTargetMessageId : defaultReplyTargetMessageId;
+		const typingTargetMessageId = ctx.typingTargetMessageId ?? (ctx.suppressReplyTarget ? void 0 : ctx.messageId);
 		const threadReply = isGroup ? groupSession?.threadReply ?? false : directThreadReply;
 		const lastRouteThreadId = isGroup && (isTopicSession || configReplyInThread || threadReply) ? replyTargetMessageId : void 0;
 		const pinnedMainDmOwner = !isGroup ? resolvePinnedMainDmOwnerFromAllowlist({
-			dmScope: cfg.session?.dmScope,
-			allowFrom: configAllowFrom,
+			dmScope: effectiveCfg.session?.dmScope,
+			allowFrom: effectiveConfigAllowFrom,
 			normalizeEntry: normalizeFeishuAllowEntry
 		}) : null;
 		const pinnedMainDmSenderRecipient = pinnedMainDmOwner ? [ctx.senderOpenId, senderUserId].map((id) => id ? normalizeFeishuAllowEntry(id) : "").find((recipient) => recipient === pinnedMainDmOwner) : void 0;
@@ -2778,6 +2877,7 @@ async function handleFeishuMessage(params) {
 						chatId: ctx.chatId,
 						allowReasoningPreview,
 						replyToMessageId: replyTargetMessageId,
+						typingTargetMessageId,
 						skipReplyToInMessages: !isGroup && !directThreadReply,
 						replyInThread,
 						rootId: ctx.rootId,
@@ -2904,21 +3004,22 @@ async function handleFeishuMessage(params) {
 			log(`feishu[${account.accountId}]: broadcast dispatch complete for ${broadcastAgents.length} agents`);
 		} else {
 			const ctxPayload = await buildCtxPayloadForAgent(route.agentId, route.sessionKey, route.accountId, ctx.mentionedBot);
-			const identity = resolveAgentOutboundIdentity(cfg, route.agentId);
-			const storePath = core.channel.session.resolveStorePath(cfg.session?.store, { agentId: route.agentId });
+			const identity = resolveAgentOutboundIdentity(effectiveCfg, route.agentId);
+			const storePath = core.channel.session.resolveStorePath(effectiveCfg.session?.store, { agentId: route.agentId });
 			const allowReasoningPreview = resolveFeishuReasoningPreviewEnabled({
-				cfg,
+				cfg: effectiveCfg,
 				agentId: route.agentId,
 				storePath,
 				sessionKey: route.sessionKey
 			});
 			const { dispatcher, replyOptions, markDispatchIdle, ensureNoVisibleReplyFallback } = createFeishuReplyDispatcher({
-				cfg,
+				cfg: effectiveCfg,
 				agentId: route.agentId,
 				runtime,
 				chatId: ctx.chatId,
 				allowReasoningPreview,
 				replyToMessageId: replyTargetMessageId,
+				typingTargetMessageId,
 				skipReplyToInMessages: !isGroup && !directThreadReply,
 				replyInThread,
 				rootId: ctx.rootId,
@@ -2975,7 +3076,7 @@ async function handleFeishuMessage(params) {
 							},
 							run: () => core.channel.reply.dispatchReplyFromConfig({
 								ctx: ctxPayload,
-								cfg,
+								cfg: effectiveCfg,
 								dispatcher,
 								replyOptions
 							})
@@ -3133,6 +3234,7 @@ function buildSyntheticMessageEvent(event, content, chatType) {
 		message: {
 			message_id: `card-action-${event.token}`,
 			...replyTargetMessageId ? { reply_target_message_id: replyTargetMessageId } : {},
+			...replyTargetMessageId ? { typing_target_message_id: replyTargetMessageId } : {},
 			...!replyTargetMessageId ? { suppress_reply_target: true } : {},
 			chat_id: event.context.chat_id || event.operator.open_id,
 			chat_type: chatType,
@@ -3430,9 +3532,10 @@ const BOT_IDENTITY_RETRY_DELAYS_MS = [
 function applyBotIdentityState(accountId, identity) {
 	const botOpenId = normalizeOptionalString(identity.botOpenId);
 	const botName = normalizeOptionalString(identity.botName);
-	botOpenIds.set(accountId, botOpenId ?? "");
-	if (botName) botNames.set(accountId, botName);
-	else botNames.delete(accountId);
+	setFeishuBotIdentityState(accountId, {
+		botOpenId: botOpenId ?? "",
+		botName
+	});
 	return {
 		botOpenId,
 		botName
@@ -4381,7 +4484,6 @@ async function handleFeishuCommentEvent(params) {
 		cfg: params.cfg,
 		accountId: params.accountId
 	});
-	const feishuCfg = account.config;
 	const core = getFeishuRuntime();
 	const log = params.runtime?.log ?? console.log;
 	const error = params.runtime?.error ?? console.error;
@@ -4405,27 +4507,37 @@ async function handleFeishuCommentEvent(params) {
 		fileToken: turn.fileToken,
 		commentId: turn.commentId
 	});
-	const dmPolicy = feishuCfg?.dmPolicy ?? "pairing";
-	const configAllowFrom = feishuCfg?.allowFrom ?? [];
 	const pairing = createChannelPairingController$1({
 		core,
 		channel: "feishu",
 		accountId: account.accountId
 	});
-	const dmIngress = await resolveFeishuDmIngressAccess({
-		cfg: params.cfg,
-		accountId: account.accountId,
-		dmPolicy,
-		allowFrom: configAllowFrom,
-		readAllowFromStore: pairing.readAllowFromStore,
-		senderOpenId: turn.senderId,
-		senderUserId: turn.senderUserId,
-		conversationId: turn.senderId,
-		mayPair: true
-	});
-	if (dmIngress.ingress.admission !== "dispatch") {
-		if (dmIngress.ingress.admission === "pairing-required") {
-			const client = createFeishuClient(account);
+	const resolveCommentAuthorization = async (candidateCfg, mayPair) => {
+		const candidateAccount = resolveFeishuRuntimeAccount({
+			cfg: candidateCfg,
+			accountId: account.accountId
+		});
+		const candidateDmPolicy = candidateAccount.config.dmPolicy ?? "pairing";
+		return {
+			account: candidateAccount,
+			cfg: candidateCfg,
+			dmPolicy: candidateDmPolicy,
+			ingress: await resolveFeishuDmIngressAccess({
+				cfg: candidateCfg,
+				accountId: candidateAccount.accountId,
+				dmPolicy: candidateDmPolicy,
+				allowFrom: candidateAccount.config.allowFrom ?? [],
+				readAllowFromStore: pairing.readAllowFromStore,
+				senderOpenId: turn.senderId,
+				senderUserId: turn.senderUserId,
+				conversationId: turn.senderId,
+				mayPair
+			})
+		};
+	};
+	const rejectCommentAuthorization = async (authorization) => {
+		if (authorization.ingress.ingress.admission === "pairing-required") {
+			const client = createFeishuClient(authorization.account);
 			await pairing.issueChallenge({
 				senderId: turn.senderId,
 				senderIdLine: `Your Feishu user id: ${turn.senderId}`,
@@ -4446,12 +4558,25 @@ async function handleFeishuCommentEvent(params) {
 					log(`feishu[${account.accountId}]: comment pairing reply failed for ${turn.senderId}: ${String(err)}`);
 				}
 			});
-		} else log(`feishu[${account.accountId}]: blocked unauthorized comment sender ${turn.senderId} (dmPolicy=${dmPolicy}, comment=${turn.commentId})`);
+		} else log(`feishu[${account.accountId}]: blocked unauthorized comment sender ${turn.senderId} (dmPolicy=${authorization.dmPolicy}, comment=${turn.commentId})`);
+	};
+	const commentAuthorization = await resolveCommentAuthorization(params.cfg, true);
+	if (commentAuthorization.ingress.ingress.admission !== "dispatch") {
+		await rejectCommentAuthorization(commentAuthorization);
 		return;
 	}
 	let effectiveCfg = params.cfg;
+	const currentCfg = core.config.current();
+	if (currentCfg !== effectiveCfg) {
+		const currentAuthorization = await resolveCommentAuthorization(currentCfg, true);
+		if (currentAuthorization.ingress.ingress.admission !== "dispatch") {
+			await rejectCommentAuthorization(currentAuthorization);
+			return;
+		}
+		effectiveCfg = currentCfg;
+	}
 	let route = core.channel.routing.resolveAgentRoute({
-		cfg: params.cfg,
+		cfg: effectiveCfg,
 		channel: "feishu",
 		accountId: account.accountId,
 		peer: {
@@ -4460,33 +4585,33 @@ async function handleFeishuCommentEvent(params) {
 		}
 	});
 	if (route.matchedBy === "default") {
-		const dynamicCfg = feishuCfg?.dynamicAgentCreation;
-		if (dynamicCfg?.enabled) {
-			const dynamicResult = await maybeCreateDynamicAgent({
-				cfg: params.cfg,
-				runtime: core,
-				senderOpenId: turn.senderId,
-				dynamicCfg,
-				configWritesAllowed: resolveChannelConfigWrites({
-					cfg: params.cfg,
-					channelId: "feishu",
-					accountId: account.accountId
-				}),
-				log: (message) => log(message)
-			});
-			if (dynamicResult.created) {
-				effectiveCfg = dynamicResult.updatedCfg;
-				route = core.channel.routing.resolveAgentRoute({
-					cfg: dynamicResult.updatedCfg,
-					channel: "feishu",
-					accountId: account.accountId,
-					peer: {
-						kind: "direct",
-						id: turn.senderId
-					}
-				});
-				log(`feishu[${account.accountId}]: dynamic agent created for comment flow, route=${route.sessionKey}`);
+		const dynamicResult = await maybeCreateDynamicAgent({
+			cfg: effectiveCfg,
+			runtime: core,
+			accountId: account.accountId,
+			senderOpenId: turn.senderId,
+			canCreateForConfig: async (candidateCfg) => {
+				return (await resolveCommentAuthorization(candidateCfg, false)).ingress.ingress.admission === "dispatch";
+			},
+			log: (message) => log(message)
+		});
+		if (dynamicResult.created || dynamicResult.updatedCfg !== effectiveCfg) {
+			const refreshedAuthorization = await resolveCommentAuthorization(dynamicResult.updatedCfg, false);
+			if (refreshedAuthorization.ingress.ingress.admission !== "dispatch") {
+				log(`feishu[${account.accountId}]: current policy rejected stale comment sender ${turn.senderId} before adopting refreshed dynamic route (dmPolicy=${refreshedAuthorization.dmPolicy}, comment=${turn.commentId})`);
+				return;
 			}
+			effectiveCfg = dynamicResult.updatedCfg;
+			route = core.channel.routing.resolveAgentRoute({
+				cfg: dynamicResult.updatedCfg,
+				channel: "feishu",
+				accountId: account.accountId,
+				peer: {
+					kind: "direct",
+					id: turn.senderId
+				}
+			});
+			if (dynamicResult.created) log(`feishu[${account.accountId}]: dynamic agent created for comment flow, route=${route.sessionKey}`);
 		}
 	}
 	const commentSessionKey = buildCommentSessionKey({
@@ -4972,10 +5097,7 @@ function cleanupFeishuWsClient(params) {
 		error(`feishu[${accountId}]: error closing WebSocket client: ${formatFeishuWsErrorForLog(err)}`);
 	}
 	wsClients.delete(accountId);
-	if (clearIdentity) {
-		botOpenIds.delete(accountId);
-		botNames.delete(accountId);
-	}
+	if (clearIdentity) clearFeishuBotIdentityState(accountId);
 }
 function waitForFeishuWsCycleEnd(params) {
 	if (params.abortSignal?.aborted) return Promise.resolve("abort");
@@ -5155,21 +5277,19 @@ async function monitorWebhook({ account, accountId, runtime, abortSignal, eventD
 		})();
 	});
 	httpServers.set(accountId, server);
-	return new Promise((resolve, reject) => {
-		const cleanup = () => {
-			server.close();
-			httpServers.delete(accountId);
-			botOpenIds.delete(accountId);
-			botNames.delete(accountId);
+	return await new Promise((resolve, reject) => {
+		let cleanupStarted = false;
+		const cleanup = async () => {
+			if (cleanupStarted) return;
+			cleanupStarted = true;
+			await closeTrackedFeishuHttpServer(accountId, server);
 		};
 		const handleAbort = () => {
 			log(`feishu[${accountId}]: abort signal received, stopping Webhook server`);
-			cleanup();
-			resolve();
+			cleanup().then(resolve, reject);
 		};
 		if (abortSignal?.aborted) {
-			cleanup();
-			resolve();
+			cleanup().then(resolve, reject);
 			return;
 		}
 		abortSignal?.addEventListener("abort", handleAbort, { once: true });
@@ -5244,6 +5364,7 @@ async function resolveReactionSyntheticEvent(params) {
 		},
 		message: {
 			message_id: `${messageId}:reaction:${emoji}:${uuid()}`,
+			typing_target_message_id: messageId,
 			chat_id: syntheticChatId,
 			chat_type: syntheticChatType,
 			message_type: "text",