@openclaw/msteams 2026.2.21 → 2026.2.23

package/src/channel.ts

@@ -6,6 +6,8 @@ import {
   DEFAULT_ACCOUNT_ID,
   MSTeamsConfigSchema,
   PAIRING_APPROVED_MESSAGE,
+  resolveAllowlistProviderRuntimeGroupPolicy,
+  resolveDefaultGroupPolicy,
 } from "openclaw/plugin-sdk";
 import { listMSTeamsDirectoryGroupsLive, listMSTeamsDirectoryPeersLive } from "./directory-live.js";
 import { msteamsOnboardingAdapter } from "./onboarding.js";
@@ -127,8 +129,12 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
   },
   security: {
     collectWarnings: ({ cfg }) => {
-      const defaultGroupPolicy = cfg.channels?.defaults?.groupPolicy;
-      const groupPolicy = cfg.channels?.msteams?.groupPolicy ?? defaultGroupPolicy ?? "allowlist";
+      const defaultGroupPolicy = resolveDefaultGroupPolicy(cfg);
+      const { groupPolicy } = resolveAllowlistProviderRuntimeGroupPolicy({
+        providerConfigPresent: cfg.channels?.msteams !== undefined,
+        groupPolicy: cfg.channels?.msteams?.groupPolicy,
+        defaultGroupPolicy,
+      });
       if (groupPolicy !== "open") {
         return [];
       }

package/src/directory-live.ts

@@ -1,11 +1,8 @@
 import type { ChannelDirectoryEntry } from "openclaw/plugin-sdk";
+import { searchGraphUsers } from "./graph-users.js";
 import {
-  escapeOData,
-  fetchGraphJson,
   type GraphChannel,
   type GraphGroup,
-  type GraphResponse,
-  type GraphUser,
   listChannelsForTeam,
   listTeamsByName,
   normalizeQuery,
@@ -24,22 +21,7 @@ export async function listMSTeamsDirectoryPeersLive(params: {
   const token = await resolveGraphToken(params.cfg);
   const limit = typeof params.limit === "number" && params.limit > 0 ? params.limit : 20;
 
-  let users: GraphUser[] = [];
-  if (query.includes("@")) {
-    const escaped = escapeOData(query);
-    const filter = `(mail eq '${escaped}' or userPrincipalName eq '${escaped}')`;
-    const path = `/users?$filter=${encodeURIComponent(filter)}&$select=id,displayName,mail,userPrincipalName`;
-    const res = await fetchGraphJson<GraphResponse<GraphUser>>({ token, path });
-    users = res.value ?? [];
-  } else {
-    const path = `/users?$search=${encodeURIComponent(`"displayName:${query}"`)}&$select=id,displayName,mail,userPrincipalName&$top=${limit}`;
-    const res = await fetchGraphJson<GraphResponse<GraphUser>>({
-      token,
-      path,
-      headers: { ConsistencyLevel: "eventual" },
-    });
-    users = res.value ?? [];
-  }
+  const users = await searchGraphUsers({ token, query, top: limit });
 
   return users
     .map((user) => {

package/src/graph-users.test.ts

@@ -0,0 +1,66 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { searchGraphUsers } from "./graph-users.js";
+import { fetchGraphJson } from "./graph.js";
+
+vi.mock("./graph.js", () => ({
+  escapeOData: vi.fn((value: string) => value.replace(/'/g, "''")),
+  fetchGraphJson: vi.fn(),
+}));
+
+describe("searchGraphUsers", () => {
+  beforeEach(() => {
+    vi.mocked(fetchGraphJson).mockReset();
+  });
+
+  it("returns empty array for blank queries", async () => {
+    await expect(searchGraphUsers({ token: "token-1", query: "   " })).resolves.toEqual([]);
+    expect(fetchGraphJson).not.toHaveBeenCalled();
+  });
+
+  it("uses exact mail/upn filter lookup for email-like queries", async () => {
+    vi.mocked(fetchGraphJson).mockResolvedValueOnce({
+      value: [{ id: "user-1", displayName: "User One" }],
+    } as never);
+
+    const result = await searchGraphUsers({
+      token: "token-2",
+      query: "alice.o'hara@example.com",
+    });
+
+    expect(fetchGraphJson).toHaveBeenCalledWith({
+      token: "token-2",
+      path: "/users?$filter=(mail%20eq%20'alice.o''hara%40example.com'%20or%20userPrincipalName%20eq%20'alice.o''hara%40example.com')&$select=id,displayName,mail,userPrincipalName",
+    });
+    expect(result).toEqual([{ id: "user-1", displayName: "User One" }]);
+  });
+
+  it("uses displayName search with eventual consistency and custom top", async () => {
+    vi.mocked(fetchGraphJson).mockResolvedValueOnce({
+      value: [{ id: "user-2", displayName: "Bob" }],
+    } as never);
+
+    const result = await searchGraphUsers({
+      token: "token-3",
+      query: "bob",
+      top: 25,
+    });
+
+    expect(fetchGraphJson).toHaveBeenCalledWith({
+      token: "token-3",
+      path: "/users?$search=%22displayName%3Abob%22&$select=id,displayName,mail,userPrincipalName&$top=25",
+      headers: { ConsistencyLevel: "eventual" },
+    });
+    expect(result).toEqual([{ id: "user-2", displayName: "Bob" }]);
+  });
+
+  it("falls back to default top and empty value handling", async () => {
+    vi.mocked(fetchGraphJson).mockResolvedValueOnce({} as never);
+
+    await expect(searchGraphUsers({ token: "token-4", query: "carol" })).resolves.toEqual([]);
+    expect(fetchGraphJson).toHaveBeenCalledWith({
+      token: "token-4",
+      path: "/users?$search=%22displayName%3Acarol%22&$select=id,displayName,mail,userPrincipalName&$top=10",
+      headers: { ConsistencyLevel: "eventual" },
+    });
+  });
+});

package/src/graph-users.ts

@@ -0,0 +1,29 @@
+import { escapeOData, fetchGraphJson, type GraphResponse, type GraphUser } from "./graph.js";
+
+export async function searchGraphUsers(params: {
+  token: string;
+  query: string;
+  top?: number;
+}): Promise<GraphUser[]> {
+  const query = params.query.trim();
+  if (!query) {
+    return [];
+  }
+
+  if (query.includes("@")) {
+    const escaped = escapeOData(query);
+    const filter = `(mail eq '${escaped}' or userPrincipalName eq '${escaped}')`;
+    const path = `/users?$filter=${encodeURIComponent(filter)}&$select=id,displayName,mail,userPrincipalName`;
+    const res = await fetchGraphJson<GraphResponse<GraphUser>>({ token: params.token, path });
+    return res.value ?? [];
+  }
+
+  const top = typeof params.top === "number" && params.top > 0 ? params.top : 10;
+  const path = `/users?$search=${encodeURIComponent(`"displayName:${query}"`)}&$select=id,displayName,mail,userPrincipalName&$top=${top}`;
+  const res = await fetchGraphJson<GraphResponse<GraphUser>>({
+    token: params.token,
+    path,
+    headers: { ConsistencyLevel: "eventual" },
+  });
+  return res.value ?? [];
+}

package/src/graph.ts

@@ -1,6 +1,7 @@
 import type { MSTeamsConfig } from "openclaw/plugin-sdk";
 import { GRAPH_ROOT } from "./attachments/shared.js";
 import { loadMSTeamsSdkWithAuth } from "./sdk.js";
+import { readAccessToken } from "./token-response.js";
 import { resolveMSTeamsCredentials } from "./token.js";
 
 export type GraphUser = {
@@ -22,18 +23,6 @@ export type GraphChannel = {
 
 export type GraphResponse<T> = { value?: T[] };
 
-function readAccessToken(value: unknown): string | null {
-  if (typeof value === "string") {
-    return value;
-  }
-  if (value && typeof value === "object") {
-    const token =
-      (value as { accessToken?: unknown }).accessToken ?? (value as { token?: unknown }).token;
-    return typeof token === "string" ? token : null;
-  }
-  return null;
-}
-
 export function normalizeQuery(value?: string | null): string {
   return value?.trim() ?? "";
 }

package/src/messenger.test.ts

@@ -49,6 +49,28 @@ const runtimeStub = {
   },
 } as unknown as PluginRuntime;
 
+const createNoopAdapter = (): MSTeamsAdapter => ({
+  continueConversation: async () => {},
+  process: async () => {},
+});
+
+const createRecordedSendActivity = (
+  sink: string[],
+  failFirstWithStatusCode?: number,
+): ((activity: unknown) => Promise<{ id: string }>) => {
+  let attempts = 0;
+  return async (activity: unknown) => {
+    const { text } = activity as { text?: string };
+    const content = text ?? "";
+    sink.push(content);
+    attempts += 1;
+    if (failFirstWithStatusCode !== undefined && attempts === 1) {
+      throw Object.assign(new Error("send failed"), { statusCode: failFirstWithStatusCode });
+    }
+    return { id: `id:${content}` };
+  };
+};
+
 describe("msteams messenger", () => {
   beforeEach(() => {
     setMSTeamsRuntime(runtimeStub);
@@ -117,17 +139,9 @@ describe("msteams messenger", () => {
     it("sends thread messages via the provided context", async () => {
       const sent: string[] = [];
       const ctx = {
-        sendActivity: async (activity: unknown) => {
-          const { text } = activity as { text?: string };
-          sent.push(text ?? "");
-          return { id: `id:${text ?? ""}` };
-        },
-      };
-
-      const adapter: MSTeamsAdapter = {
-        continueConversation: async () => {},
-        process: async () => {},
+        sendActivity: createRecordedSendActivity(sent),
       };
+      const adapter = createNoopAdapter();
 
       const ids = await sendMSTeamsMessages({
         replyStyle: "thread",
@@ -149,11 +163,7 @@ describe("msteams messenger", () => {
         continueConversation: async (_appId, reference, logic) => {
           seen.reference = reference;
           await logic({
-            sendActivity: async (activity: unknown) => {
-              const { text } = activity as { text?: string };
-              seen.texts.push(text ?? "");
-              return { id: `id:${text ?? ""}` };
-            },
+            sendActivity: createRecordedSendActivity(seen.texts),
           });
         },
         process: async () => {},
@@ -192,10 +202,7 @@ describe("msteams messenger", () => {
           },
         };
 
-        const adapter: MSTeamsAdapter = {
-          continueConversation: async () => {},
-          process: async () => {},
-        };
+        const adapter = createNoopAdapter();
 
         const ids = await sendMSTeamsMessages({
           replyStyle: "thread",
@@ -242,20 +249,9 @@ describe("msteams messenger", () => {
       const retryEvents: Array<{ nextAttempt: number; delayMs: number }> = [];
 
       const ctx = {
-        sendActivity: async (activity: unknown) => {
-          const { text } = activity as { text?: string };
-          attempts.push(text ?? "");
-          if (attempts.length === 1) {
-            throw Object.assign(new Error("throttled"), { statusCode: 429 });
-          }
-          return { id: `id:${text ?? ""}` };
-        },
-      };
-
-      const adapter: MSTeamsAdapter = {
-        continueConversation: async () => {},
-        process: async () => {},
+        sendActivity: createRecordedSendActivity(attempts, 429),
       };
+      const adapter = createNoopAdapter();
 
       const ids = await sendMSTeamsMessages({
         replyStyle: "thread",
@@ -280,10 +276,7 @@ describe("msteams messenger", () => {
         },
       };
 
-      const adapter: MSTeamsAdapter = {
-        continueConversation: async () => {},
-        process: async () => {},
-      };
+      const adapter = createNoopAdapter();
 
       await expect(
         sendMSTeamsMessages({
@@ -303,18 +296,7 @@ describe("msteams messenger", () => {
 
       const adapter: MSTeamsAdapter = {
         continueConversation: async (_appId, _reference, logic) => {
-          await logic({
-            sendActivity: async (activity: unknown) => {
-              const { text } = activity as { text?: string };
-              attempts.push(text ?? "");
-              if (attempts.length === 1) {
-                throw Object.assign(new Error("server error"), {
-                  statusCode: 503,
-                });
-              }
-              return { id: `id:${text ?? ""}` };
-            },
-          });
+          await logic({ sendActivity: createRecordedSendActivity(attempts, 503) });
         },
         process: async () => {},
       };

package/src/messenger.ts

@@ -441,11 +441,7 @@ export async function sendMSTeamsMessages(params: {
     }
   };
 
-  if (params.replyStyle === "thread") {
-    const ctx = params.context;
-    if (!ctx) {
-      throw new Error("Missing context for replyStyle=thread");
-    }
+  const sendMessagesInContext = async (ctx: SendContext): Promise<string[]> => {
     const messageIds: string[] = [];
     for (const [idx, message] of messages.entries()) {
       const response = await sendWithRetry(
@@ -464,6 +460,14 @@ export async function sendMSTeamsMessages(params: {
       messageIds.push(extractMessageId(response) ?? "unknown");
     }
     return messageIds;
+  };
+
+  if (params.replyStyle === "thread") {
+    const ctx = params.context;
+    if (!ctx) {
+      throw new Error("Missing context for replyStyle=thread");
+    }
+    return await sendMessagesInContext(ctx);
   }
 
   const baseRef = buildConversationReference(params.conversationRef);
@@ -474,22 +478,7 @@ export async function sendMSTeamsMessages(params: {
 
   const messageIds: string[] = [];
   await params.adapter.continueConversation(params.appId, proactiveRef, async (ctx) => {
-    for (const [idx, message] of messages.entries()) {
-      const response = await sendWithRetry(
-        async () =>
-          await ctx.sendActivity(
-            await buildActivity(
-              message,
-              params.conversationRef,
-              params.tokenProvider,
-              params.sharePointSiteId,
-              params.mediaMaxBytes,
-            ),
-          ),
-        { messageIndex: idx, messageCount: messages.length },
-      );
-      messageIds.push(extractMessageId(response) ?? "unknown");
-    }
+    messageIds.push(...(await sendMessagesInContext(ctx)));
   });
   return messageIds;
 }

package/src/monitor-handler/message-handler.ts

@@ -5,6 +5,8 @@ import {
   logInboundDrop,
   recordPendingHistoryEntryIfEnabled,
   resolveControlCommandGate,
+  resolveDefaultGroupPolicy,
+  isDangerousNameMatchingEnabled,
   resolveMentionGating,
   formatAllowlistMatchMeta,
   type HistoryEntry,
@@ -124,16 +126,17 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
 
     const senderName = from.name ?? from.id;
     const senderId = from.aadObjectId ?? from.id;
-    const storedAllowFrom = await core.channel.pairing
-      .readAllowFromStore("msteams")
-      .catch(() => []);
+    const dmPolicy = msteamsCfg?.dmPolicy ?? "pairing";
+    const storedAllowFrom =
+      dmPolicy === "allowlist"
+        ? []
+        : await core.channel.pairing.readAllowFromStore("msteams").catch(() => []);
     const useAccessGroups = cfg.commands?.useAccessGroups !== false;
 
     // Check DM policy for direct messages.
     const dmAllowFrom = msteamsCfg?.allowFrom ?? [];
     const effectiveDmAllowFrom = [...dmAllowFrom.map((v) => String(v)), ...storedAllowFrom];
     if (isDirectMessage && msteamsCfg) {
-      const dmPolicy = msteamsCfg.dmPolicy ?? "pairing";
       const allowFrom = dmAllowFrom;
 
       if (dmPolicy === "disabled") {
@@ -143,10 +146,12 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
 
       if (dmPolicy !== "open") {
         const effectiveAllowFrom = [...allowFrom.map((v) => String(v)), ...storedAllowFrom];
+        const allowNameMatching = isDangerousNameMatchingEnabled(msteamsCfg);
         const allowMatch = resolveMSTeamsAllowlistMatch({
           allowFrom: effectiveAllowFrom,
           senderId,
           senderName,
+          allowNameMatching,
         });
 
         if (!allowMatch.allowed) {
@@ -173,7 +178,7 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
       }
     }
 
-    const defaultGroupPolicy = cfg.channels?.defaults?.groupPolicy;
+    const defaultGroupPolicy = resolveDefaultGroupPolicy(cfg);
     const groupPolicy =
       !isDirectMessage && msteamsCfg
         ? (msteamsCfg.groupPolicy ?? defaultGroupPolicy ?? "allowlist")
@@ -224,10 +229,12 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
           return;
         }
         if (effectiveGroupAllowFrom.length > 0) {
+          const allowNameMatching = isDangerousNameMatchingEnabled(msteamsCfg);
           const allowMatch = resolveMSTeamsAllowlistMatch({
             allowFrom: effectiveGroupAllowFrom,
             senderId,
             senderName,
+            allowNameMatching,
           });
           if (!allowMatch.allowed) {
             log.debug?.("dropping group message (not in groupAllowFrom)", {
@@ -246,12 +253,14 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
       allowFrom: effectiveDmAllowFrom,
       senderId,
       senderName,
+      allowNameMatching: isDangerousNameMatchingEnabled(msteamsCfg),
     });
     const groupAllowedForCommands = isMSTeamsGroupAllowed({
       groupPolicy: "allowlist",
       allowFrom: effectiveGroupAllowFrom,
       senderId,
       senderName,
+      allowNameMatching: isDangerousNameMatchingEnabled(msteamsCfg),
     });
     const hasControlCommandInMessage = core.channel.text.hasControlCommand(text, cfg);
     const commandGate = resolveControlCommandGate({

package/src/policy.test.ts

@@ -184,7 +184,7 @@ describe("msteams policy", () => {
       ).toBe(true);
     });
 
-    it("allows allowlist when sender name matches", () => {
+    it("blocks sender-name allowlist matches by default", () => {
       expect(
         isMSTeamsGroupAllowed({
           groupPolicy: "allowlist",
@@ -192,6 +192,18 @@ describe("msteams policy", () => {
           senderId: "other",
           senderName: "User",
         }),
+      ).toBe(false);
+    });
+
+    it("allows sender-name allowlist matches when explicitly enabled", () => {
+      expect(
+        isMSTeamsGroupAllowed({
+          groupPolicy: "allowlist",
+          allowFrom: ["user"],
+          senderId: "other",
+          senderName: "User",
+          allowNameMatching: true,
+        }),
       ).toBe(true);
     });
 

package/src/policy.ts

@@ -209,6 +209,7 @@ export function resolveMSTeamsAllowlistMatch(params: {
   allowFrom: Array<string | number>;
   senderId: string;
   senderName?: string | null;
+  allowNameMatching?: boolean;
 }): MSTeamsAllowlistMatch {
   return resolveAllowlistMatchSimple(params);
 }
@@ -245,6 +246,7 @@ export function isMSTeamsGroupAllowed(params: {
   allowFrom: Array<string | number>;
   senderId: string;
   senderName?: string | null;
+  allowNameMatching?: boolean;
 }): boolean {
   const { groupPolicy } = params;
   if (groupPolicy === "disabled") {

package/src/probe.ts

@@ -1,6 +1,7 @@
 import type { BaseProbeResult, MSTeamsConfig } from "openclaw/plugin-sdk";
 import { formatUnknownError } from "./errors.js";
 import { loadMSTeamsSdkWithAuth } from "./sdk.js";
+import { readAccessToken } from "./token-response.js";
 import { resolveMSTeamsCredentials } from "./token.js";
 
 export type ProbeMSTeamsResult = BaseProbeResult<string> & {
@@ -13,18 +14,6 @@ export type ProbeMSTeamsResult = BaseProbeResult<string> & {
   };
 };
 
-function readAccessToken(value: unknown): string | null {
-  if (typeof value === "string") {
-    return value;
-  }
-  if (value && typeof value === "object") {
-    const token =
-      (value as { accessToken?: unknown }).accessToken ?? (value as { token?: unknown }).token;
-    return typeof token === "string" ? token : null;
-  }
-  return null;
-}
-
 function decodeJwtPayload(token: string): Record<string, unknown> | null {
   const parts = token.split(".");
   if (parts.length < 2) {

package/src/resolve-allowlist.ts

@@ -1,8 +1,5 @@
+import { searchGraphUsers } from "./graph-users.js";
 import {
-  escapeOData,
-  fetchGraphJson,
-  type GraphResponse,
-  type GraphUser,
   listChannelsForTeam,
   listTeamsByName,
   normalizeQuery,
@@ -182,22 +179,7 @@ export async function resolveMSTeamsUserAllowlist(params: {
       results.push({ input, resolved: true, id: query });
       continue;
     }
-    let users: GraphUser[] = [];
-    if (query.includes("@")) {
-      const escaped = escapeOData(query);
-      const filter = `(mail eq '${escaped}' or userPrincipalName eq '${escaped}')`;
-      const path = `/users?$filter=${encodeURIComponent(filter)}&$select=id,displayName,mail,userPrincipalName`;
-      const res = await fetchGraphJson<GraphResponse<GraphUser>>({ token, path });
-      users = res.value ?? [];
-    } else {
-      const path = `/users?$search=${encodeURIComponent(`"displayName:${query}"`)}&$select=id,displayName,mail,userPrincipalName&$top=10`;
-      const res = await fetchGraphJson<GraphResponse<GraphUser>>({
-        token,
-        path,
-        headers: { ConsistencyLevel: "eventual" },
-      });
-      users = res.value ?? [];
-    }
+    const users = await searchGraphUsers({ token, query, top: 10 });
     const match = users[0];
     if (!match?.id) {
       results.push({ input, resolved: false });

package/src/token-response.test.ts

@@ -0,0 +1,23 @@
+import { describe, expect, it } from "vitest";
+import { readAccessToken } from "./token-response.js";
+
+describe("readAccessToken", () => {
+  it("returns raw string token values", () => {
+    expect(readAccessToken("abc")).toBe("abc");
+  });
+
+  it("returns accessToken from object value", () => {
+    expect(readAccessToken({ accessToken: "access-token" })).toBe("access-token");
+  });
+
+  it("returns token fallback from object value", () => {
+    expect(readAccessToken({ token: "fallback-token" })).toBe("fallback-token");
+  });
+
+  it("returns null for unsupported values", () => {
+    expect(readAccessToken({ accessToken: 123 })).toBeNull();
+    expect(readAccessToken({ token: false })).toBeNull();
+    expect(readAccessToken(null)).toBeNull();
+    expect(readAccessToken(undefined)).toBeNull();
+  });
+});

package/src/token-response.ts

@@ -0,0 +1,11 @@
+export function readAccessToken(value: unknown): string | null {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (value && typeof value === "object") {
+    const token =
+      (value as { accessToken?: unknown }).accessToken ?? (value as { token?: unknown }).token;
+    return typeof token === "string" ? token : null;
+  }
+  return null;
+}