@openclaw/msteams 2026.3.13 → 2026.5.1-beta.1

package/src/attachments/graph.ts

@@ -1,14 +1,24 @@
-import { fetchWithSsrFGuard, type SsrFPolicy } from "openclaw/plugin-sdk/msteams";
+import { fetchWithSsrFGuard, type SsrFPolicy } from "openclaw/plugin-sdk/ssrf-runtime";
+import {
+  normalizeLowercaseStringOrEmpty,
+  normalizeOptionalLowercaseString,
+  normalizeOptionalString,
+} from "openclaw/plugin-sdk/text-runtime";
 import { getMSTeamsRuntime } from "../runtime.js";
+import { ensureUserAgentHeader } from "../user-agent.js";
 import { downloadMSTeamsAttachments } from "./download.js";
 import { downloadAndStoreMSTeamsRemoteMedia } from "./remote-media.js";
 import {
   applyAuthorizationHeaderForUrl,
+  encodeGraphShareId,
   GRAPH_ROOT,
+  estimateBase64DecodedBytes,
   inferPlaceholder,
-  isRecord,
+  readNestedString,
   isUrlAllowed,
+  type MSTeamsAttachmentDownloadLogger,
   type MSTeamsAttachmentFetchPolicy,
+  type MSTeamsAttachmentResolveFn,
   normalizeContentType,
   resolveMediaSsrfPolicy,
   resolveAttachmentFetchPolicy,
@@ -18,6 +28,7 @@ import {
 import type {
   MSTeamsAccessTokenProvider,
   MSTeamsAttachmentLike,
+  MSTeamsGraphMediaLogger,
   MSTeamsGraphMediaResult,
   MSTeamsInboundMedia,
 } from "./types.js";
@@ -37,17 +48,6 @@ type GraphAttachment = {
   content?: unknown;
 };
 
-function readNestedString(value: unknown, keys: Array<string | number>): string | undefined {
-  let current: unknown = value;
-  for (const key of keys) {
-    if (!isRecord(current)) {
-      return undefined;
-    }
-    current = current[key as keyof typeof current];
-  }
-  return typeof current === "string" && current.trim() ? current.trim() : undefined;
-}
-
 export function buildMSTeamsGraphMessageUrls(params: {
   conversationType?: string | null;
   conversationId?: string | null;
@@ -56,10 +56,10 @@ export function buildMSTeamsGraphMessageUrls(params: {
   conversationMessageId?: string | null;
   channelData?: unknown;
 }): string[] {
-  const conversationType = params.conversationType?.trim().toLowerCase() ?? "";
+  const conversationType = normalizeLowercaseStringOrEmpty(params.conversationType ?? "");
   const messageIdCandidates = new Set<string>();
   const pushCandidate = (value: string | null | undefined) => {
-    const trimmed = typeof value === "string" ? value.trim() : "";
+    const trimmed = normalizeOptionalString(value) ?? "";
     if (trimmed) {
       messageIdCandidates.add(trimmed);
     }
@@ -70,7 +70,7 @@ export function buildMSTeamsGraphMessageUrls(params: {
   pushCandidate(readNestedString(params.channelData, ["messageId"]));
   pushCandidate(readNestedString(params.channelData, ["teamsMessageId"]));
 
-  const replyToId = typeof params.replyToId === "string" ? params.replyToId.trim() : "";
+  const replyToId = normalizeOptionalString(params.replyToId) ?? "";
 
   if (conversationType === "channel") {
     const teamId =
@@ -119,18 +119,18 @@ export function buildMSTeamsGraphMessageUrls(params: {
   return Array.from(new Set(urls));
 }
 
-async function fetchGraphCollection<T>(params: {
+async function fetchGraphCollection(params: {
   url: string;
   accessToken: string;
   fetchFn?: typeof fetch;
   ssrfPolicy?: SsrFPolicy;
-}): Promise<{ status: number; items: T[] }> {
+}): Promise<{ status: number; items: unknown[] }> {
   const fetchFn = params.fetchFn ?? fetch;
   const { response, release } = await fetchWithSsrFGuard({
     url: params.url,
     fetchImpl: fetchFn,
     init: {
-      headers: { Authorization: `Bearer ${params.accessToken}` },
+      headers: ensureUserAgentHeader({ Authorization: `Bearer ${params.accessToken}` }),
     },
     policy: params.ssrfPolicy,
     auditContext: "msteams.graph.collection",
@@ -141,7 +141,7 @@ async function fetchGraphCollection<T>(params: {
       return { status, items: [] };
     }
     try {
-      const data = (await response.json()) as { value?: T[] };
+      const data = (await response.json()) as { value?: unknown[] };
       return { status, items: Array.isArray(data.value) ? data.value : [] };
     } catch {
       return { status, items: [] };
@@ -180,13 +180,14 @@ async function downloadGraphHostedContent(params: {
   fetchFn?: typeof fetch;
   preserveFilenames?: boolean;
   ssrfPolicy?: SsrFPolicy;
+  logger?: MSTeamsAttachmentDownloadLogger;
 }): Promise<{ media: MSTeamsInboundMedia[]; status: number; count: number }> {
-  const hosted = await fetchGraphCollection<GraphHostedContent>({
+  const hosted = (await fetchGraphCollection({
     url: `${params.messageUrl}/hostedContents`,
     accessToken: params.accessToken,
     fetchFn: params.fetchFn,
     ssrfPolicy: params.ssrfPolicy,
-  });
+  })) as { status: number; items: GraphHostedContent[] };
   if (hosted.items.length === 0) {
     return { media: [], status: hosted.status, count: 0 };
   }
@@ -194,13 +195,53 @@ async function downloadGraphHostedContent(params: {
   const out: MSTeamsInboundMedia[] = [];
   for (const item of hosted.items) {
     const contentBytes = typeof item.contentBytes === "string" ? item.contentBytes : "";
-    if (!contentBytes) {
-      continue;
-    }
     let buffer: Buffer;
-    try {
-      buffer = Buffer.from(contentBytes, "base64");
-    } catch {
+    if (contentBytes) {
+      if (estimateBase64DecodedBytes(contentBytes) > params.maxBytes) {
+        continue;
+      }
+      try {
+        buffer = Buffer.from(contentBytes, "base64");
+      } catch (err) {
+        params.logger?.warn?.("msteams graph hostedContent base64 decode failed", {
+          error: err instanceof Error ? err.message : String(err),
+        });
+        continue;
+      }
+    } else if (item.id) {
+      // contentBytes not inline — fetch from the individual $value endpoint.
+      try {
+        const valueUrl = `${params.messageUrl}/hostedContents/${encodeURIComponent(item.id)}/$value`;
+        const { response: valRes, release } = await fetchWithSsrFGuard({
+          url: valueUrl,
+          fetchImpl: params.fetchFn ?? fetch,
+          init: {
+            headers: ensureUserAgentHeader({ Authorization: `Bearer ${params.accessToken}` }),
+          },
+          policy: params.ssrfPolicy,
+          auditContext: "msteams.graph.hostedContent.value",
+        });
+        try {
+          if (!valRes.ok) {
+            continue;
+          }
+          // Check Content-Length before buffering to avoid RSS spikes on large files.
+          const cl = valRes.headers.get("content-length");
+          if (cl && Number(cl) > params.maxBytes) {
+            continue;
+          }
+          const ab = await valRes.arrayBuffer();
+          buffer = Buffer.from(ab);
+        } finally {
+          await release();
+        }
+      } catch (err) {
+        params.logger?.warn?.("msteams graph hostedContent value fetch failed", {
+          error: err instanceof Error ? err.message : String(err),
+        });
+        continue;
+      }
+    } else {
       continue;
     }
     if (buffer.byteLength > params.maxBytes) {
@@ -223,8 +264,10 @@ async function downloadGraphHostedContent(params: {
         contentType: saved.contentType,
         placeholder: inferPlaceholder({ contentType: saved.contentType }),
       });
-    } catch {
-      // Ignore save failures.
+    } catch (err) {
+      params.logger?.warn?.("msteams graph hostedContent save failed", {
+        error: err instanceof Error ? err.message : String(err),
+      });
     }
   }
 
@@ -238,8 +281,13 @@ export async function downloadMSTeamsGraphMedia(params: {
   allowHosts?: string[];
   authAllowHosts?: string[];
   fetchFn?: typeof fetch;
+  resolveFn?: MSTeamsAttachmentResolveFn;
   /** When true, embeds original filename in stored path for later extraction. */
   preserveFilenames?: boolean;
+  /** Optional logger used to surface Graph/SharePoint fetch errors. */
+  logger?: MSTeamsAttachmentDownloadLogger;
+  /** Back-compat diagnostic logger used by older tests/callers. */
+  log?: MSTeamsGraphMediaLogger;
 }): Promise<MSTeamsGraphMediaResult> {
   if (!params.messageUrl || !params.tokenProvider) {
     return { media: [] };
@@ -250,55 +298,78 @@ export async function downloadMSTeamsGraphMedia(params: {
   });
   const ssrfPolicy = resolveMediaSsrfPolicy(policy.allowHosts);
   const messageUrl = params.messageUrl;
+  const debugLog =
+    params.log ?? (params.logger as MSTeamsGraphMediaLogger | undefined) ?? undefined;
   let accessToken: string;
   try {
     accessToken = await params.tokenProvider.getAccessToken("https://graph.microsoft.com");
-  } catch {
+  } catch (err) {
+    debugLog?.debug?.("graph media token acquisition failed", {
+      messageUrl,
+      error: err instanceof Error ? err.message : String(err),
+    });
+    params.logger?.warn?.("msteams graph token acquisition failed", {
+      error: err instanceof Error ? err.message : String(err),
+    });
     return { media: [], messageUrl, tokenError: true };
   }
 
-  // Fetch the full message to get SharePoint file attachments (for group chats)
   const fetchFn = params.fetchFn ?? fetch;
   const sharePointMedia: MSTeamsInboundMedia[] = [];
   const downloadedReferenceUrls = new Set<string>();
+  let messageAttachments: GraphAttachment[] = [];
+  let messageStatus: number | undefined;
   try {
     const { response: msgRes, release } = await fetchWithSsrFGuard({
       url: messageUrl,
       fetchImpl: fetchFn,
       init: {
-        headers: { Authorization: `Bearer ${accessToken}` },
+        headers: ensureUserAgentHeader({ Authorization: `Bearer ${accessToken}` }),
       },
       policy: ssrfPolicy,
       auditContext: "msteams.graph.message",
     });
     try {
+      messageStatus = msgRes.status;
       if (msgRes.ok) {
-        const msgData = (await msgRes.json()) as {
+        let msgData: {
           body?: { content?: string; contentType?: string };
-          attachments?: Array<{
-            id?: string;
-            contentUrl?: string;
-            contentType?: string;
-            name?: string;
-          }>;
+          attachments?: GraphAttachment[];
         };
+        try {
+          msgData = (await msgRes.json()) as typeof msgData;
+        } catch (err) {
+          debugLog?.debug?.("graph media message parse failed", {
+            messageUrl,
+            error: err instanceof Error ? err.message : String(err),
+          });
+          params.logger?.warn?.("msteams graph message parse failed", {
+            error: err instanceof Error ? err.message : String(err),
+            messageUrl,
+          });
+          msgData = {};
+        }
+        messageAttachments = Array.isArray(msgData.attachments) ? msgData.attachments : [];
 
-        // Extract SharePoint file attachments (contentType: "reference")
-        // Download any file type, not just images
-        const spAttachments = (msgData.attachments ?? []).filter(
+        const spAttachments = messageAttachments.filter(
           (a) => a.contentType === "reference" && a.contentUrl && a.name,
         );
         for (const att of spAttachments) {
           const name = att.name ?? "file";
+          const shareUrl = att.contentUrl ?? "";
+          if (!shareUrl) {
+            continue;
+          }
 
           try {
-            // SharePoint URLs need to be accessed via Graph shares API
-            const shareUrl = att.contentUrl!;
-            if (!isUrlAllowed(shareUrl, policy.allowHosts)) {
+            const sharesUrl = `${GRAPH_ROOT}/shares/${encodeGraphShareId(shareUrl)}/driveItem/content`;
+            if (!isUrlAllowed(sharesUrl, policy.allowHosts)) {
+              debugLog?.debug?.("graph media sharepoint url not in allowHosts", {
+                messageUrl,
+                sharesUrl,
+              });
               continue;
             }
-            const encodedUrl = Buffer.from(shareUrl).toString("base64url");
-            const sharesUrl = `${GRAPH_ROOT}/shares/u!${encodedUrl}/driveItem/content`;
 
             const media = await downloadAndStoreMSTeamsRemoteMedia({
               url: sharesUrl,
@@ -307,9 +378,10 @@ export async function downloadMSTeamsGraphMedia(params: {
               contentTypeHint: "application/octet-stream",
               preserveFilenames: params.preserveFilenames,
               ssrfPolicy,
+              useDirectFetch: true,
               fetchImpl: async (input, init) => {
                 const requestUrl = resolveRequestUrl(input);
-                const headers = new Headers(init?.headers);
+                const headers = ensureUserAgentHeader(init?.headers);
                 applyAuthorizationHeaderForUrl({
                   headers,
                   url: requestUrl,
@@ -324,21 +396,36 @@ export async function downloadMSTeamsGraphMedia(params: {
                     ...init,
                     headers,
                   },
+                  resolveFn: params.resolveFn,
                 });
               },
             });
             sharePointMedia.push(media);
             downloadedReferenceUrls.add(shareUrl);
-          } catch {
-            // Ignore SharePoint download failures.
+          } catch (err) {
+            params.logger?.warn?.("msteams SharePoint reference download failed", {
+              error: err instanceof Error ? err.message : String(err),
+              name,
+            });
           }
         }
+      } else {
+        debugLog?.debug?.("graph media message fetch not ok", {
+          messageUrl,
+          status: messageStatus,
+        });
       }
     } finally {
       await release();
     }
-  } catch {
-    // Ignore message fetch failures.
+  } catch (err) {
+    debugLog?.debug?.("graph media message fetch failed", {
+      messageUrl,
+      error: err instanceof Error ? err.message : String(err),
+    });
+    params.logger?.warn?.("msteams graph message fetch failed", {
+      error: err instanceof Error ? err.message : String(err),
+    });
   }
 
   const hosted = await downloadGraphHostedContent({
@@ -348,20 +435,14 @@ export async function downloadMSTeamsGraphMedia(params: {
     fetchFn: params.fetchFn,
     preserveFilenames: params.preserveFilenames,
     ssrfPolicy,
+    logger: params.logger,
   });
 
-  const attachments = await fetchGraphCollection<GraphAttachment>({
-    url: `${messageUrl}/attachments`,
-    accessToken,
-    fetchFn: params.fetchFn,
-    ssrfPolicy,
-  });
-
-  const normalizedAttachments = attachments.items.map(normalizeGraphAttachment);
+  const normalizedAttachments = messageAttachments.map(normalizeGraphAttachment);
   const filteredAttachments =
     sharePointMedia.length > 0
       ? normalizedAttachments.filter((att) => {
-          const contentType = att.contentType?.toLowerCase();
+          const contentType = normalizeOptionalLowercaseString(att.contentType);
           if (contentType !== "reference") {
             return true;
           }
@@ -372,22 +453,32 @@ export async function downloadMSTeamsGraphMedia(params: {
           return !downloadedReferenceUrls.has(url);
         })
       : normalizedAttachments;
-  const attachmentMedia = await downloadMSTeamsAttachments({
-    attachments: filteredAttachments,
-    maxBytes: params.maxBytes,
-    tokenProvider: params.tokenProvider,
-    allowHosts: policy.allowHosts,
-    authAllowHosts: policy.authAllowHosts,
-    fetchFn: params.fetchFn,
-    preserveFilenames: params.preserveFilenames,
-  });
+  let attachmentMedia: MSTeamsInboundMedia[] = [];
+  try {
+    attachmentMedia = await downloadMSTeamsAttachments({
+      attachments: filteredAttachments,
+      maxBytes: params.maxBytes,
+      tokenProvider: params.tokenProvider,
+      allowHosts: policy.allowHosts,
+      authAllowHosts: policy.authAllowHosts,
+      fetchFn: params.fetchFn,
+      resolveFn: params.resolveFn,
+      preserveFilenames: params.preserveFilenames,
+      logger: params.logger,
+    });
+  } catch (err) {
+    params.logger?.warn?.("msteams graph attachment download failed", {
+      error: err instanceof Error ? err.message : String(err),
+      messageUrl,
+    });
+  }
 
   return {
     media: [...sharePointMedia, ...hosted.media, ...attachmentMedia],
     hostedCount: hosted.count,
     attachmentCount: filteredAttachments.length + sharePointMedia.length,
     hostedStatus: hosted.status,
-    attachmentStatus: attachments.status,
+    attachmentStatus: messageStatus,
     messageUrl,
   };
 }

package/src/attachments/html.ts

@@ -8,6 +8,37 @@ import {
 } from "./shared.js";
 import type { MSTeamsAttachmentLike, MSTeamsHtmlAttachmentSummary } from "./types.js";
 
+/**
+ * Extract every `<attachment id="...">` reference from the HTML attachments in
+ * the inbound activity. Returns the complete (non-sliced) list; callers that
+ * need a capped diagnostic summary can truncate after calling this helper.
+ */
+export function extractMSTeamsHtmlAttachmentIds(
+  attachments: MSTeamsAttachmentLike[] | undefined,
+): string[] {
+  const list = Array.isArray(attachments) ? attachments : [];
+  if (list.length === 0) {
+    return [];
+  }
+  const ids = new Set<string>();
+  for (const att of list) {
+    const html = extractHtmlFromAttachment(att);
+    if (!html) {
+      continue;
+    }
+    ATTACHMENT_TAG_RE.lastIndex = 0;
+    let match: RegExpExecArray | null = ATTACHMENT_TAG_RE.exec(html);
+    while (match) {
+      const id = match[1]?.trim();
+      if (id) {
+        ids.add(id);
+      }
+      match = ATTACHMENT_TAG_RE.exec(html);
+    }
+  }
+  return Array.from(ids);
+}
+
 export function summarizeMSTeamsHtmlAttachments(
   attachments: MSTeamsAttachmentLike[] | undefined,
 ): MSTeamsHtmlAttachmentSummary | undefined {
@@ -74,13 +105,14 @@ export function summarizeMSTeamsHtmlAttachments(
 
 export function buildMSTeamsAttachmentPlaceholder(
   attachments: MSTeamsAttachmentLike[] | undefined,
+  limits?: { maxInlineBytes?: number; maxInlineTotalBytes?: number },
 ): string {
   const list = Array.isArray(attachments) ? attachments : [];
   if (list.length === 0) {
     return "";
   }
   const imageCount = list.filter(isLikelyImageAttachment).length;
-  const inlineCount = extractInlineImageCandidates(list).length;
+  const inlineCount = extractInlineImageCandidates(list, limits).length;
   const totalImages = imageCount + inlineCount;
   if (totalImages > 0) {
     return `<media:image>${totalImages > 1 ? ` (${totalImages} images)` : ""}`;

package/src/attachments/payload.ts

@@ -1,4 +1,4 @@
-import { buildMediaPayload } from "openclaw/plugin-sdk/msteams";
+import { buildMediaPayload } from "../../runtime-api.js";
 
 export function buildMSTeamsMediaPayload(
   mediaList: Array<{ path: string; contentType?: string }>,

package/src/attachments/remote-media.test.ts

@@ -0,0 +1,137 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+// Mock the runtime so we can assert whether the strict-dispatcher path
+// (`fetchRemoteMedia`) was invoked versus the new direct-fetch path added
+// for issue #63396 (Node 24+ / undici v7 compat).
+const runtimeFetchRemoteMediaMock = vi.fn();
+const runtimeDetectMimeMock = vi.fn(async () => "image/png");
+const runtimeSaveMediaBufferMock = vi.fn(async (_buf: Buffer, contentType?: string) => ({
+  id: "saved",
+  path: "/tmp/saved.png",
+  size: 42,
+  contentType: contentType ?? "image/png",
+}));
+
+vi.mock("../runtime.js", () => ({
+  getMSTeamsRuntime: () => ({
+    media: { detectMime: runtimeDetectMimeMock },
+    channel: {
+      media: {
+        fetchRemoteMedia: runtimeFetchRemoteMediaMock,
+        saveMediaBuffer: runtimeSaveMediaBufferMock,
+      },
+    },
+  }),
+}));
+
+import { downloadAndStoreMSTeamsRemoteMedia } from "./remote-media.js";
+
+const PNG_BYTES = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
+
+function jsonResponse(body: BodyInit, init?: ResponseInit): Response {
+  return new Response(body, init);
+}
+
+describe("downloadAndStoreMSTeamsRemoteMedia", () => {
+  beforeEach(() => {
+    runtimeFetchRemoteMediaMock.mockReset();
+    runtimeDetectMimeMock.mockClear();
+    runtimeSaveMediaBufferMock.mockClear();
+  });
+
+  describe("useDirectFetch: true (Node 24+ / undici v7 path for issue #63396)", () => {
+    it("bypasses fetchRemoteMedia and calls the supplied fetchImpl directly", async () => {
+      // `fetchImpl` here simulates the "pre-validated hostname" contract from
+      // `safeFetchWithPolicy`: the caller has already enforced the allowlist,
+      // so the strict SSRF dispatcher is not needed.
+      const fetchImpl = vi.fn(async (_input: RequestInfo | URL, _init?: RequestInit) =>
+        jsonResponse(PNG_BYTES, { status: 200, headers: { "content-type": "image/png" } }),
+      );
+
+      const result = await downloadAndStoreMSTeamsRemoteMedia({
+        url: "https://graph.microsoft.com/v1.0/shares/abc/driveItem/content",
+        filePathHint: "file.png",
+        maxBytes: 1024,
+        useDirectFetch: true,
+        fetchImpl,
+      });
+
+      expect(fetchImpl).toHaveBeenCalledTimes(1);
+      const [calledUrl] = fetchImpl.mock.calls[0] ?? [];
+      expect(calledUrl).toBe("https://graph.microsoft.com/v1.0/shares/abc/driveItem/content");
+      expect(runtimeFetchRemoteMediaMock).not.toHaveBeenCalled();
+      expect(result.path).toBe("/tmp/saved.png");
+    });
+
+    it("surfaces HTTP errors as exceptions (no silent drop)", async () => {
+      const fetchImpl = vi.fn(async () => jsonResponse("nope", { status: 403 }));
+
+      await expect(
+        downloadAndStoreMSTeamsRemoteMedia({
+          url: "https://graph.microsoft.com/v1.0/shares/abc/driveItem/content",
+          filePathHint: "file.png",
+          maxBytes: 1024,
+          useDirectFetch: true,
+          fetchImpl,
+        }),
+      ).rejects.toThrow(/HTTP 403/);
+      expect(runtimeFetchRemoteMediaMock).not.toHaveBeenCalled();
+    });
+
+    it("rejects a response whose Content-Length exceeds maxBytes", async () => {
+      const fetchImpl = vi.fn(async () =>
+        jsonResponse(PNG_BYTES, {
+          status: 200,
+          headers: { "content-length": "999999" },
+        }),
+      );
+
+      await expect(
+        downloadAndStoreMSTeamsRemoteMedia({
+          url: "https://graph.microsoft.com/v1.0/shares/abc/driveItem/content",
+          filePathHint: "file.png",
+          maxBytes: 1024,
+          useDirectFetch: true,
+          fetchImpl,
+        }),
+      ).rejects.toThrow(/exceeds maxBytes/);
+      expect(runtimeFetchRemoteMediaMock).not.toHaveBeenCalled();
+    });
+
+    it("falls back to the runtime fetchRemoteMedia path when useDirectFetch is omitted", async () => {
+      // Non-SharePoint caller, no pre-validated fetchImpl: make sure the strict
+      // SSRF dispatcher path is still used.
+      runtimeFetchRemoteMediaMock.mockResolvedValueOnce({
+        buffer: PNG_BYTES,
+        contentType: "image/png",
+        fileName: "file.png",
+      });
+
+      await downloadAndStoreMSTeamsRemoteMedia({
+        url: "https://tenant.sharepoint.com/file.png",
+        filePathHint: "file.png",
+        maxBytes: 1024,
+      });
+
+      expect(runtimeFetchRemoteMediaMock).toHaveBeenCalledTimes(1);
+    });
+
+    it("does not use the direct path when useDirectFetch is true but fetchImpl is missing", async () => {
+      runtimeFetchRemoteMediaMock.mockResolvedValueOnce({
+        buffer: PNG_BYTES,
+        contentType: "image/png",
+      });
+
+      await downloadAndStoreMSTeamsRemoteMedia({
+        url: "https://graph.microsoft.com/v1.0/shares/abc/driveItem/content",
+        filePathHint: "file.png",
+        maxBytes: 1024,
+        useDirectFetch: true,
+      });
+
+      // Without a fetchImpl to delegate to, we must fall back to the runtime
+      // path rather than crashing.
+      expect(runtimeFetchRemoteMediaMock).toHaveBeenCalledTimes(1);
+    });
+  });
+});