@openclaw/msteams 2026.3.13 → 2026.5.2-beta.1

package/src/setup-surface.test.ts

@@ -0,0 +1,202 @@
+import { EventEmitter } from "node:events";
+import { DEFAULT_ACCOUNT_ID } from "openclaw/plugin-sdk/setup";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { createMSTeamsSetupWizardBase, msteamsSetupAdapter } from "./setup-core.js";
+import { openDelegatedOAuthUrl } from "./setup-surface.js";
+
+const spawn = vi.hoisted(() => vi.fn());
+const resolveMSTeamsUserAllowlist = vi.hoisted(() => vi.fn());
+const resolveMSTeamsChannelAllowlist = vi.hoisted(() => vi.fn());
+const normalizeSecretInputString = vi.hoisted(() =>
+  vi.fn((value: unknown) => (typeof value === "string" ? value.trim() || undefined : undefined)),
+);
+const hasConfiguredMSTeamsCredentials = vi.hoisted(() => vi.fn());
+const resolveMSTeamsCredentials = vi.hoisted(() => vi.fn());
+
+vi.mock("./resolve-allowlist.js", () => ({
+  parseMSTeamsTeamEntry: vi.fn(),
+  resolveMSTeamsChannelAllowlist,
+  resolveMSTeamsUserAllowlist,
+}));
+
+vi.mock("./secret-input.js", () => ({
+  normalizeSecretInputString,
+}));
+
+vi.mock("./token.js", () => ({
+  hasConfiguredMSTeamsCredentials,
+  resolveMSTeamsCredentials,
+}));
+
+vi.mock("node:child_process", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("node:child_process")>();
+  return {
+    ...actual,
+    spawn,
+  };
+});
+
+describe("msteams setup surface", () => {
+  const msteamsSetupWizard = createMSTeamsSetupWizardBase();
+
+  beforeEach(() => {
+    spawn.mockReset();
+    resolveMSTeamsUserAllowlist.mockReset();
+    resolveMSTeamsChannelAllowlist.mockReset();
+    normalizeSecretInputString.mockClear();
+    hasConfiguredMSTeamsCredentials.mockReset();
+    resolveMSTeamsCredentials.mockReset();
+  });
+
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
+  it("always resolves to the default account", () => {
+    expect(msteamsSetupAdapter.resolveAccountId?.({ accountId: "work" } as never)).toBe(
+      DEFAULT_ACCOUNT_ID,
+    );
+  });
+
+  it("opens delegated OAuth URLs without invoking a shell", async () => {
+    const url = "https://login.microsoftonline.com/auth?state=$(touch pwned)";
+    const child = new EventEmitter();
+    spawn.mockReturnValue(child);
+
+    const result = openDelegatedOAuthUrl(url);
+    child.emit("exit", 0, null);
+
+    await expect(result).resolves.toBeUndefined();
+    expect(spawn).toHaveBeenCalledWith(process.platform === "darwin" ? "open" : "xdg-open", [url], {
+      stdio: "ignore",
+      shell: false,
+    });
+  });
+
+  it("enables the msteams channel without dropping existing config", () => {
+    expect(
+      msteamsSetupAdapter.applyAccountConfig?.({
+        cfg: {
+          channels: {
+            msteams: {
+              appId: "existing-app",
+            },
+          },
+        },
+        accountId: DEFAULT_ACCOUNT_ID,
+        input: {},
+      } as never),
+    ).toEqual({
+      channels: {
+        msteams: {
+          appId: "existing-app",
+          enabled: true,
+        },
+      },
+    });
+  });
+
+  it("reports configured status from resolved credentials", async () => {
+    resolveMSTeamsCredentials.mockReturnValue({
+      appId: "app",
+    });
+    hasConfiguredMSTeamsCredentials.mockReturnValue(false);
+
+    expect(
+      msteamsSetupWizard.status.resolveConfigured({
+        cfg: { channels: { msteams: {} } },
+      } as never),
+    ).toBe(true);
+  });
+
+  it("reports configured status from configured credentials and renders status lines", async () => {
+    resolveMSTeamsCredentials.mockReturnValue(null);
+    hasConfiguredMSTeamsCredentials.mockReturnValue(true);
+
+    expect(
+      msteamsSetupWizard.status.resolveConfigured({
+        cfg: { channels: { msteams: {} } },
+      } as never),
+    ).toBe(true);
+
+    hasConfiguredMSTeamsCredentials.mockReturnValue(false);
+    expect(msteamsSetupWizard.status.resolveStatusLines).toBeTypeOf("function");
+    await expect(
+      msteamsSetupWizard.status.resolveStatusLines?.({
+        cfg: { channels: { msteams: {} } },
+      } as never),
+    ).resolves.toEqual(["MS Teams: needs app credentials"]);
+  });
+
+  it("finalize keeps env credentials when available and accepted", async () => {
+    vi.stubEnv("MSTEAMS_APP_ID", "env-app");
+    vi.stubEnv("MSTEAMS_APP_PASSWORD", "env-secret");
+    vi.stubEnv("MSTEAMS_TENANT_ID", "env-tenant");
+    resolveMSTeamsCredentials.mockReturnValue(null);
+    hasConfiguredMSTeamsCredentials.mockReturnValue(false);
+
+    const result = await msteamsSetupWizard.finalize?.({
+      cfg: { channels: { msteams: { existing: true } } },
+      prompter: {
+        confirm: vi.fn(async () => true),
+        note: vi.fn(async () => {}),
+        text: vi.fn(),
+      },
+    } as never);
+
+    expect(result).toEqual({
+      accountId: "default",
+      cfg: {
+        channels: {
+          msteams: {
+            existing: true,
+            enabled: true,
+          },
+        },
+      },
+    });
+  });
+
+  it("finalize prompts for manual credentials when env/config creds are unavailable", async () => {
+    resolveMSTeamsCredentials.mockReturnValue(null);
+    hasConfiguredMSTeamsCredentials.mockReturnValue(false);
+    const note = vi.fn(async () => {});
+    const confirm = vi.fn(async () => false);
+    const text = vi.fn(async ({ message }: { message: string }) => {
+      if (message === "Enter MS Teams App ID") {
+        return "app-id";
+      }
+      if (message === "Enter MS Teams App Password") {
+        return "app-password";
+      }
+      if (message === "Enter MS Teams Tenant ID") {
+        return "tenant-id";
+      }
+      throw new Error(`Unexpected prompt: ${message}`);
+    });
+
+    const result = await msteamsSetupWizard.finalize?.({
+      cfg: { channels: { msteams: {} } },
+      prompter: {
+        confirm,
+        note,
+        text,
+      },
+    } as never);
+
+    expect(note).toHaveBeenCalled();
+    expect(result).toEqual({
+      accountId: "default",
+      cfg: {
+        channels: {
+          msteams: {
+            enabled: true,
+            appId: "app-id",
+            appPassword: "app-password",
+            tenantId: "tenant-id",
+          },
+        },
+      },
+    });
+  });
+});

package/src/setup-surface.ts

@@ -0,0 +1,320 @@
+import { spawn } from "node:child_process";
+import {
+  createTopLevelChannelAllowFromSetter,
+  createTopLevelChannelDmPolicy,
+  createTopLevelChannelGroupPolicySetter,
+  mergeAllowFromEntries,
+  splitSetupEntries,
+  type ChannelSetupDmPolicy,
+  type ChannelSetupWizard,
+  type OpenClawConfig,
+  type WizardPrompter,
+} from "openclaw/plugin-sdk/setup";
+import type { MSTeamsTeamConfig } from "../runtime-api.js";
+import { formatUnknownError } from "./errors.js";
+import {
+  parseMSTeamsTeamEntry,
+  resolveMSTeamsChannelAllowlist,
+  resolveMSTeamsUserAllowlist,
+} from "./resolve-allowlist.js";
+import { createMSTeamsSetupWizardBase } from "./setup-core.js";
+import { resolveMSTeamsCredentials, saveDelegatedTokens } from "./token.js";
+
+const channel = "msteams" as const;
+const setMSTeamsAllowFrom = createTopLevelChannelAllowFromSetter({
+  channel,
+});
+const setMSTeamsGroupPolicy = createTopLevelChannelGroupPolicySetter({
+  channel,
+  enabled: true,
+});
+
+export function openDelegatedOAuthUrl(url: string): Promise<void> {
+  return new Promise<void>((resolve, reject) => {
+    const cmd = process.platform === "darwin" ? "open" : "xdg-open";
+    const child = spawn(cmd, [url], { stdio: "ignore", shell: false });
+    child.once("error", reject);
+    child.once("exit", (code, signal) => {
+      if (code === 0) {
+        resolve();
+        return;
+      }
+      const reason = signal ? `signal ${signal}` : `code ${code ?? "unknown"}`;
+      reject(new Error(`${cmd} failed with ${reason}`));
+    });
+  });
+}
+
+function looksLikeGuid(value: string): boolean {
+  return /^[0-9a-fA-F-]{16,}$/.test(value);
+}
+
+async function promptMSTeamsAllowFrom(params: {
+  cfg: OpenClawConfig;
+  prompter: WizardPrompter;
+}): Promise<OpenClawConfig> {
+  const existing = params.cfg.channels?.msteams?.allowFrom ?? [];
+  await params.prompter.note(
+    [
+      "Allowlist MS Teams DMs by display name, UPN/email, or user id.",
+      "We resolve names to user IDs via Microsoft Graph when credentials allow.",
+      "Examples:",
+      "- alex@example.com",
+      "- Alex Johnson",
+      "- 00000000-0000-0000-0000-000000000000",
+    ].join("\n"),
+    "MS Teams allowlist",
+  );
+
+  while (true) {
+    const entry = await params.prompter.text({
+      message: "MS Teams allowFrom (usernames or ids)",
+      placeholder: "alex@example.com, Alex Johnson",
+      initialValue: existing[0] ? existing[0] : undefined,
+      validate: (value) => (value.trim() ? undefined : "Required"),
+    });
+    const parts = splitSetupEntries(entry);
+    if (parts.length === 0) {
+      await params.prompter.note("Enter at least one user.", "MS Teams allowlist");
+      continue;
+    }
+
+    const resolved = await resolveMSTeamsUserAllowlist({
+      cfg: params.cfg,
+      entries: parts,
+    }).catch(() => null);
+
+    if (!resolved) {
+      const ids = parts.filter((part) => looksLikeGuid(part));
+      if (ids.length !== parts.length) {
+        await params.prompter.note(
+          "Graph lookup unavailable. Use user IDs only.",
+          "MS Teams allowlist",
+        );
+        continue;
+      }
+      const unique = mergeAllowFromEntries(existing, ids);
+      return setMSTeamsAllowFrom(params.cfg, unique);
+    }
+
+    const unresolved = resolved.filter((item) => !item.resolved || !item.id);
+    if (unresolved.length > 0) {
+      await params.prompter.note(
+        `Could not resolve: ${unresolved.map((item) => item.input).join(", ")}`,
+        "MS Teams allowlist",
+      );
+      continue;
+    }
+
+    const ids = resolved.map((item) => item.id as string);
+    const unique = mergeAllowFromEntries(existing, ids);
+    return setMSTeamsAllowFrom(params.cfg, unique);
+  }
+}
+
+function setMSTeamsTeamsAllowlist(
+  cfg: OpenClawConfig,
+  entries: Array<{ teamKey: string; channelKey?: string }>,
+): OpenClawConfig {
+  const baseTeams = cfg.channels?.msteams?.teams ?? {};
+  const teams: Record<string, { channels?: Record<string, unknown> }> = { ...baseTeams };
+  for (const entry of entries) {
+    const teamKey = entry.teamKey;
+    if (!teamKey) {
+      continue;
+    }
+    const existing = teams[teamKey] ?? {};
+    if (entry.channelKey) {
+      const channels = { ...existing.channels };
+      channels[entry.channelKey] = channels[entry.channelKey] ?? {};
+      teams[teamKey] = { ...existing, channels };
+    } else {
+      teams[teamKey] = existing;
+    }
+  }
+  return {
+    ...cfg,
+    channels: {
+      ...cfg.channels,
+      msteams: {
+        ...cfg.channels?.msteams,
+        enabled: true,
+        teams: teams as Record<string, MSTeamsTeamConfig>,
+      },
+    },
+  };
+}
+
+function listMSTeamsGroupEntries(cfg: OpenClawConfig): string[] {
+  return Object.entries(cfg.channels?.msteams?.teams ?? {}).flatMap(([teamKey, value]) => {
+    const channels = value?.channels ?? {};
+    const channelKeys = Object.keys(channels);
+    if (channelKeys.length === 0) {
+      return [teamKey];
+    }
+    return channelKeys.map((channelKey) => `${teamKey}/${channelKey}`);
+  });
+}
+
+async function resolveMSTeamsGroupAllowlist(params: {
+  cfg: OpenClawConfig;
+  entries: string[];
+  prompter: Pick<WizardPrompter, "note">;
+}): Promise<Array<{ teamKey: string; channelKey?: string }>> {
+  let resolvedEntries = params.entries
+    .map((entry) => parseMSTeamsTeamEntry(entry))
+    .filter(Boolean) as Array<{ teamKey: string; channelKey?: string }>;
+  if (params.entries.length === 0 || !resolveMSTeamsCredentials(params.cfg.channels?.msteams)) {
+    return resolvedEntries;
+  }
+  try {
+    const lookups = await resolveMSTeamsChannelAllowlist({
+      cfg: params.cfg,
+      entries: params.entries,
+    });
+    const resolvedChannels = lookups.filter(
+      (entry) => entry.resolved && entry.teamId && entry.channelId,
+    );
+    const resolvedTeams = lookups.filter(
+      (entry) => entry.resolved && entry.teamId && !entry.channelId,
+    );
+    const unresolved = lookups.filter((entry) => !entry.resolved).map((entry) => entry.input);
+    resolvedEntries = [
+      ...resolvedChannels.map((entry) => ({
+        teamKey: entry.teamId as string,
+        channelKey: entry.channelId as string,
+      })),
+      ...resolvedTeams.map((entry) => ({
+        teamKey: entry.teamId as string,
+      })),
+      ...unresolved.map((entry) => parseMSTeamsTeamEntry(entry)).filter(Boolean),
+    ] as Array<{ teamKey: string; channelKey?: string }>;
+    const summary: string[] = [];
+    if (resolvedChannels.length > 0) {
+      summary.push(
+        `Resolved channels: ${resolvedChannels
+          .map((entry) => entry.channelId)
+          .filter(Boolean)
+          .join(", ")}`,
+      );
+    }
+    if (resolvedTeams.length > 0) {
+      summary.push(
+        `Resolved teams: ${resolvedTeams
+          .map((entry) => entry.teamId)
+          .filter(Boolean)
+          .join(", ")}`,
+      );
+    }
+    if (unresolved.length > 0) {
+      summary.push(`Unresolved (kept as typed): ${unresolved.join(", ")}`);
+    }
+    if (summary.length > 0) {
+      await params.prompter.note(summary.join("\n"), "MS Teams channels");
+    }
+    return resolvedEntries;
+  } catch (err) {
+    await params.prompter.note(
+      `Channel lookup failed; keeping entries as typed. ${formatUnknownError(err)}`,
+      "MS Teams channels",
+    );
+    return resolvedEntries;
+  }
+}
+
+const msteamsGroupAccess: NonNullable<ChannelSetupWizard["groupAccess"]> = {
+  label: "MS Teams channels",
+  placeholder: "Team Name/Channel Name, teamId/conversationId",
+  currentPolicy: ({ cfg }) => cfg.channels?.msteams?.groupPolicy ?? "allowlist",
+  currentEntries: ({ cfg }) => listMSTeamsGroupEntries(cfg),
+  updatePrompt: ({ cfg }) => Boolean(cfg.channels?.msteams?.teams),
+  setPolicy: ({ cfg, policy }) => setMSTeamsGroupPolicy(cfg, policy),
+  resolveAllowlist: async ({ cfg, entries, prompter }) =>
+    await resolveMSTeamsGroupAllowlist({ cfg, entries, prompter }),
+  applyAllowlist: ({ cfg, resolved }) =>
+    setMSTeamsTeamsAllowlist(cfg, resolved as Array<{ teamKey: string; channelKey?: string }>),
+};
+
+const msteamsDmPolicy: ChannelSetupDmPolicy = createTopLevelChannelDmPolicy({
+  label: "MS Teams",
+  channel,
+  policyKey: "channels.msteams.dmPolicy",
+  allowFromKey: "channels.msteams.allowFrom",
+  getCurrent: (cfg) => cfg.channels?.msteams?.dmPolicy ?? "pairing",
+  promptAllowFrom: promptMSTeamsAllowFrom,
+});
+
+const msteamsSetupWizardBase = createMSTeamsSetupWizardBase();
+
+export const msteamsSetupWizard: ChannelSetupWizard = {
+  ...msteamsSetupWizardBase,
+  // Override finalize to layer on the optional delegated-auth bootstrap after
+  // the base wizard collects app credentials. This preserves main's shared
+  // setup-core flow while keeping the delegated OAuth step from this PR.
+  finalize: async (params) => {
+    // setup-core always provides a finalize; the type is optional only because
+    // ChannelSetupWizard.finalize is generally optional. Fall back to the
+    // incoming cfg if the base ever returns void for forward-compat.
+    const baseFinalize = msteamsSetupWizardBase.finalize;
+    const baseResult = baseFinalize ? await baseFinalize(params) : undefined;
+    let next = baseResult?.cfg ?? params.cfg;
+    const finalCreds = resolveMSTeamsCredentials(next.channels?.msteams);
+    if (finalCreds?.type === "secret") {
+      const enableDelegated = await params.prompter.confirm({
+        message: "Enable delegated auth? (required for reactions and write operations)",
+        initialValue: false,
+      });
+      if (enableDelegated) {
+        next = {
+          ...next,
+          channels: {
+            ...next.channels,
+            msteams: {
+              ...next.channels?.msteams,
+              delegatedAuth: { enabled: true },
+            },
+          },
+        };
+        try {
+          const { loginMSTeamsDelegated } = await import("./oauth.js");
+          const { shouldUseManualOAuthFlow } = await import("./oauth.flow.js");
+          const isRemote = Boolean(process.env.SSH_TTY || process.env.SSH_CONNECTION);
+          const progress = params.prompter.progress("MSTeams Delegated OAuth");
+          const tokens = await loginMSTeamsDelegated(
+            {
+              isRemote: shouldUseManualOAuthFlow(isRemote),
+              openUrl: openDelegatedOAuthUrl,
+              log: (msg) => params.prompter.note(msg),
+              note: (msg, title) => params.prompter.note(msg, title),
+              prompt: (msg) => params.prompter.text({ message: msg }),
+              progress,
+            },
+            {
+              tenantId: finalCreds.tenantId,
+              clientId: finalCreds.appId,
+              clientSecret: finalCreds.appPassword,
+            },
+          );
+          saveDelegatedTokens(tokens);
+          progress.stop("Delegated auth configured");
+        } catch (err) {
+          await params.prompter.note(
+            `Delegated auth setup failed: ${formatUnknownError(err)}\n` +
+              "You can retry later via the setup wizard.",
+            "MS Teams delegated auth",
+          );
+        }
+      }
+    }
+    return { ...baseResult, cfg: next };
+  },
+  dmPolicy: msteamsDmPolicy,
+  groupAccess: msteamsGroupAccess,
+  disable: (cfg) => ({
+    ...cfg,
+    channels: {
+      ...cfg.channels,
+      msteams: { ...cfg.channels?.msteams, enabled: false },
+    },
+  }),
+};

package/src/sso-token-store.test.ts

@@ -0,0 +1,72 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import { createMSTeamsSsoTokenStoreFs } from "./sso-token-store.js";
+
+describe("msteams sso token store (fs)", () => {
+  it("keeps distinct tokens when connectionName and userId contain the legacy delimiter", async () => {
+    const stateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-msteams-sso-"));
+    const storePath = path.join(stateDir, "msteams-sso-tokens.json");
+    const store = createMSTeamsSsoTokenStoreFs({ storePath });
+
+    const first = {
+      connectionName: "conn::alpha",
+      userId: "user",
+      token: "token-a",
+      updatedAt: "2026-04-10T00:00:00.000Z",
+    } as const;
+    const second = {
+      connectionName: "conn",
+      userId: "alpha::user",
+      token: "token-b",
+      updatedAt: "2026-04-10T00:00:01.000Z",
+    } as const;
+
+    await store.save(first);
+    await store.save(second);
+
+    expect(await store.get(first)).toEqual(first);
+    expect(await store.get(second)).toEqual(second);
+
+    const raw = JSON.parse(await fs.readFile(storePath, "utf8")) as {
+      tokens: Record<string, unknown>;
+    };
+    expect(Object.keys(raw.tokens)).toHaveLength(2);
+  });
+
+  it("loads legacy flat-key files by rebuilding keys from stored token payloads", async () => {
+    const stateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-msteams-sso-legacy-"));
+    const storePath = path.join(stateDir, "msteams-sso-tokens.json");
+    await fs.writeFile(
+      storePath,
+      `${JSON.stringify(
+        {
+          version: 1,
+          tokens: {
+            "legacy::wrong-key": {
+              connectionName: "conn",
+              userId: "user-1",
+              token: "token-1",
+              updatedAt: "2026-04-10T00:00:00.000Z",
+            },
+          },
+        },
+        null,
+        2,
+      )}\n`,
+      "utf8",
+    );
+
+    const store = createMSTeamsSsoTokenStoreFs({ storePath });
+    expect(
+      await store.get({
+        connectionName: "conn",
+        userId: "user-1",
+      }),
+    ).toMatchObject({
+      token: "token-1",
+      updatedAt: "2026-04-10T00:00:00.000Z",
+    });
+  });
+});