@openclaw/msteams 2026.3.13 → 2026.5.2-beta.1

package/src/thread-parent-context.test.ts

@@ -0,0 +1,224 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import type { GraphThreadMessage } from "./graph-thread.js";
+import {
+  _resetThreadParentContextCachesForTest,
+  fetchParentMessageCached,
+  formatParentContextEvent,
+  markParentContextInjected,
+  shouldInjectParentContext,
+  summarizeParentMessage,
+} from "./thread-parent-context.js";
+
+describe("summarizeParentMessage", () => {
+  it("returns undefined for missing message", () => {
+    expect(summarizeParentMessage(undefined)).toBeUndefined();
+  });
+
+  it("returns undefined when body is blank", () => {
+    const msg: GraphThreadMessage = {
+      id: "p1",
+      from: { user: { displayName: "Alice" } },
+      body: { content: "   ", contentType: "text" },
+    };
+    expect(summarizeParentMessage(msg)).toBeUndefined();
+  });
+
+  it("extracts sender + plain text", () => {
+    const msg: GraphThreadMessage = {
+      id: "p1",
+      from: { user: { displayName: "Alice" } },
+      body: { content: "Hello world", contentType: "text" },
+    };
+    expect(summarizeParentMessage(msg)).toEqual({ sender: "Alice", text: "Hello world" });
+  });
+
+  it("strips HTML for html contentType", () => {
+    const msg: GraphThreadMessage = {
+      id: "p1",
+      from: { user: { displayName: "Bob" } },
+      body: { content: "<p>Hi <b>there</b></p>", contentType: "html" },
+    };
+    expect(summarizeParentMessage(msg)).toEqual({ sender: "Bob", text: "Hi there" });
+  });
+
+  it("collapses whitespace in text contentType", () => {
+    const msg: GraphThreadMessage = {
+      id: "p1",
+      from: { user: { displayName: "Carol" } },
+      body: { content: "line one\n  line two\t\ttrailing", contentType: "text" },
+    };
+    expect(summarizeParentMessage(msg)).toEqual({
+      sender: "Carol",
+      text: "line one line two trailing",
+    });
+  });
+
+  it("falls back to application displayName", () => {
+    const msg: GraphThreadMessage = {
+      id: "p1",
+      from: { application: { displayName: "BotApp" } },
+      body: { content: "heads up", contentType: "text" },
+    };
+    expect(summarizeParentMessage(msg)).toEqual({ sender: "BotApp", text: "heads up" });
+  });
+
+  it("falls back to unknown when sender is missing", () => {
+    const msg: GraphThreadMessage = {
+      id: "p1",
+      body: { content: "orphan", contentType: "text" },
+    };
+    expect(summarizeParentMessage(msg)).toEqual({ sender: "unknown", text: "orphan" });
+  });
+
+  it("truncates overly long parent text", () => {
+    const msg: GraphThreadMessage = {
+      id: "p1",
+      from: { user: { displayName: "Dana" } },
+      body: { content: "x".repeat(1000), contentType: "text" },
+    };
+    const summary = summarizeParentMessage(msg);
+    expect(summary?.text.length).toBeLessThanOrEqual(400);
+    expect(summary?.text.endsWith("…")).toBe(true);
+  });
+});
+
+describe("formatParentContextEvent", () => {
+  it("formats as Replying to @sender: body", () => {
+    expect(formatParentContextEvent({ sender: "Alice", text: "hello there" })).toBe(
+      "Replying to @Alice: hello there",
+    );
+  });
+});
+
+describe("fetchParentMessageCached", () => {
+  beforeEach(() => {
+    _resetThreadParentContextCachesForTest();
+  });
+
+  it("invokes the fetcher on first call", async () => {
+    const mockMsg: GraphThreadMessage = {
+      id: "p1",
+      body: { content: "hi", contentType: "text" },
+    };
+    const fetcher = vi.fn(async () => mockMsg);
+
+    const result = await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+
+    expect(result).toEqual(mockMsg);
+    expect(fetcher).toHaveBeenCalledTimes(1);
+    expect(fetcher).toHaveBeenCalledWith("tok", "g1", "c1", "p1");
+  });
+
+  it("returns cached value on repeat fetch without invoking fetcher", async () => {
+    const mockMsg: GraphThreadMessage = {
+      id: "p1",
+      body: { content: "hi", contentType: "text" },
+    };
+    const fetcher = vi.fn(async () => mockMsg);
+
+    await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+    await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+    const third = await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+
+    expect(fetcher).toHaveBeenCalledTimes(1);
+    expect(third).toEqual(mockMsg);
+  });
+
+  it("caches undefined (Graph error) so failures do not re-fetch on burst", async () => {
+    const fetcher = vi.fn(async () => undefined);
+
+    const first = await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+    const second = await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+
+    expect(first).toBeUndefined();
+    expect(second).toBeUndefined();
+    expect(fetcher).toHaveBeenCalledTimes(1);
+  });
+
+  it("scopes cache by groupId/channelId/parentId", async () => {
+    const fetcher = vi.fn(async (_tok, _g, _c, parentId) => ({
+      id: parentId,
+      body: { content: `content-${parentId}`, contentType: "text" },
+    }));
+
+    await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+    await fetchParentMessageCached("tok", "g1", "c1", "p2", fetcher);
+    await fetchParentMessageCached("tok", "g2", "c1", "p1", fetcher);
+
+    expect(fetcher).toHaveBeenCalledTimes(3);
+  });
+
+  it("re-fetches after TTL expires", async () => {
+    vi.useFakeTimers();
+    try {
+      const fetcher = vi.fn(async () => ({
+        id: "p1",
+        body: { content: "hi", contentType: "text" },
+      }));
+
+      await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+      // 5 min TTL: advance just beyond.
+      vi.advanceTimersByTime(5 * 60 * 1000 + 1);
+      await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+
+      expect(fetcher).toHaveBeenCalledTimes(2);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
+  it("evicts oldest entries when exceeding the 100-entry cap", async () => {
+    const fetcher = vi.fn(async (_tok, _g, _c, parentId) => ({
+      id: String(parentId),
+      body: { content: `v-${parentId}`, contentType: "text" },
+    }));
+
+    // Fill cache with 100 distinct parents.
+    for (let i = 0; i < 100; i += 1) {
+      await fetchParentMessageCached("tok", "g1", "c1", `p${i}`, fetcher);
+    }
+    expect(fetcher).toHaveBeenCalledTimes(100);
+
+    // First entry should still be cached (no evictions yet).
+    await fetchParentMessageCached("tok", "g1", "c1", "p0", fetcher);
+    expect(fetcher).toHaveBeenCalledTimes(100);
+
+    // Push one more distinct parent to trigger an eviction.
+    // The just-touched p0 is now the newest; the next-oldest (p1) should be evicted.
+    await fetchParentMessageCached("tok", "g1", "c1", "p100", fetcher);
+    expect(fetcher).toHaveBeenCalledTimes(101);
+
+    // Fetching p1 again should miss the cache.
+    await fetchParentMessageCached("tok", "g1", "c1", "p1", fetcher);
+    expect(fetcher).toHaveBeenCalledTimes(102);
+
+    // p0 is still cached because we refreshed it.
+    await fetchParentMessageCached("tok", "g1", "c1", "p0", fetcher);
+    expect(fetcher).toHaveBeenCalledTimes(102);
+  });
+});
+
+describe("shouldInjectParentContext / markParentContextInjected", () => {
+  beforeEach(() => {
+    _resetThreadParentContextCachesForTest();
+  });
+
+  it("returns true for first observation", () => {
+    expect(shouldInjectParentContext("session-1", "parent-1")).toBe(true);
+  });
+
+  it("returns false after marking the same parent", () => {
+    markParentContextInjected("session-1", "parent-1");
+    expect(shouldInjectParentContext("session-1", "parent-1")).toBe(false);
+  });
+
+  it("returns true again when a different parent appears in the session", () => {
+    markParentContextInjected("session-1", "parent-1");
+    expect(shouldInjectParentContext("session-1", "parent-2")).toBe(true);
+  });
+
+  it("dedupe is scoped per session key", () => {
+    markParentContextInjected("session-1", "parent-1");
+    expect(shouldInjectParentContext("session-2", "parent-1")).toBe(true);
+  });
+});

package/src/thread-parent-context.ts

@@ -0,0 +1,159 @@
+// Parent-message context injection for Teams channel thread replies.
+//
+// When an inbound message arrives as a reply inside a Teams channel thread,
+// the triggering message often makes no sense on its own (for example, a
+// one-word "yes" or "go ahead"). Per-thread session isolation (PR #62713)
+// gives each thread its own session, but the first message in a brand-new
+// thread session still has no parent context.
+//
+// This module fetches the parent message via Graph and prepends a compact
+// `Replying to @sender: …` system event to the next agent turn so the agent
+// knows what is being responded to. Fetches are cached to avoid repeated
+// Graph calls within the same active thread, and per-session dedupe ensures
+// the same parent is not re-injected on every subsequent reply in the
+// thread.
+
+import { fetchChannelMessage, stripHtmlFromTeamsMessage } from "./graph-thread.js";
+import type { GraphThreadMessage } from "./graph-thread.js";
+
+// LRU cache for parent message fetches. Keyed by `teamId:channelId:parentId`.
+// 5-minute TTL and 100-entry cap keep active-thread chatter fast without
+// holding stale data when a thread goes quiet. Eviction uses Map insertion
+// order for LRU semantics (get() re-inserts on hit).
+const PARENT_CACHE_TTL_MS = 5 * 60 * 1000;
+const PARENT_CACHE_MAX = 100;
+
+type ParentCacheEntry = {
+  message: GraphThreadMessage | undefined;
+  expiresAt: number;
+};
+
+const parentCache = new Map<string, ParentCacheEntry>();
+
+// Per-session dedupe: remembers the most recent parent id we injected for a
+// given session key. When the same thread session sees another reply against
+// the same parent, we skip re-enqueueing the identical system event. We keep
+// a small LRU so idle sessions eventually drop out.
+const INJECTED_MAX = 200;
+const injectedParents = new Map<string, string>();
+
+type ThreadParentContextFetcher = (
+  token: string,
+  groupId: string,
+  channelId: string,
+  messageId: string,
+) => Promise<GraphThreadMessage | undefined>;
+
+function touchLru<K, V>(map: Map<K, V>, key: K, value: V, max: number): void {
+  if (map.has(key)) {
+    map.delete(key);
+  } else if (map.size >= max) {
+    // Drop the oldest (first-inserted) entry.
+    const firstKey = map.keys().next().value;
+    if (firstKey !== undefined) {
+      map.delete(firstKey);
+    }
+  }
+  map.set(key, value);
+}
+
+function buildParentCacheKey(groupId: string, channelId: string, parentId: string): string {
+  return `${groupId}\u0000${channelId}\u0000${parentId}`;
+}
+
+/**
+ * Fetch a channel parent message with an LRU+TTL cache.
+ *
+ * Uses the injected `fetchParent` (defaults to `fetchChannelMessage`) so
+ * tests can swap in a stub without mocking the Graph transport.
+ */
+export async function fetchParentMessageCached(
+  token: string,
+  groupId: string,
+  channelId: string,
+  parentId: string,
+  fetchParent: ThreadParentContextFetcher = fetchChannelMessage,
+): Promise<GraphThreadMessage | undefined> {
+  const key = buildParentCacheKey(groupId, channelId, parentId);
+  const now = Date.now();
+  const cached = parentCache.get(key);
+  if (cached && cached.expiresAt > now) {
+    // Refresh LRU ordering on hit.
+    parentCache.delete(key);
+    parentCache.set(key, cached);
+    return cached.message;
+  }
+  const message = await fetchParent(token, groupId, channelId, parentId);
+  touchLru(parentCache, key, { message, expiresAt: now + PARENT_CACHE_TTL_MS }, PARENT_CACHE_MAX);
+  return message;
+}
+
+type ParentContextSummary = {
+  /** Display name of the parent message author, or "unknown". */
+  sender: string;
+  /** Stripped, single-line parent body text (or empty if unresolved). */
+  text: string;
+};
+
+const PARENT_TEXT_MAX_CHARS = 400;
+
+/**
+ * Extract a compact summary (sender + plain-text body) from a Graph parent
+ * message. Returns undefined when the parent cannot be summarized (missing
+ * or blank body).
+ */
+export function summarizeParentMessage(
+  message: GraphThreadMessage | undefined,
+): ParentContextSummary | undefined {
+  if (!message) {
+    return undefined;
+  }
+  const sender =
+    message.from?.user?.displayName ?? message.from?.application?.displayName ?? "unknown";
+  const contentType = message.body?.contentType ?? "text";
+  const raw = message.body?.content ?? "";
+  const text =
+    contentType === "html" ? stripHtmlFromTeamsMessage(raw) : raw.replace(/\s+/g, " ").trim();
+  if (!text) {
+    return undefined;
+  }
+  return {
+    sender,
+    text:
+      text.length > PARENT_TEXT_MAX_CHARS ? `${text.slice(0, PARENT_TEXT_MAX_CHARS - 1)}…` : text,
+  };
+}
+
+/**
+ * Build the single-line `Replying to @sender: body` system event text.
+ * Callers should pass this text to `enqueueSystemEvent` together with a
+ * stable contextKey derived from the parent id.
+ */
+export function formatParentContextEvent(summary: ParentContextSummary): string {
+  return `Replying to @${summary.sender}: ${summary.text}`;
+}
+
+/**
+ * Decide whether a parent context event should be enqueued for the current
+ * session. Returns `false` when we already injected the same parent for this
+ * session recently (prevents re-prepending identical context on every reply
+ * in the thread).
+ */
+export function shouldInjectParentContext(sessionKey: string, parentId: string): boolean {
+  const key = sessionKey;
+  return injectedParents.get(key) !== parentId;
+}
+
+/**
+ * Record that `parentId` was just injected for `sessionKey` so subsequent
+ * replies with the same parent can short-circuit via `shouldInjectParentContext`.
+ */
+export function markParentContextInjected(sessionKey: string, parentId: string): void {
+  touchLru(injectedParents, sessionKey, parentId, INJECTED_MAX);
+}
+
+// Exported for test isolation.
+export function _resetThreadParentContextCachesForTest(): void {
+  parentCache.clear();
+  injectedParents.clear();
+}

package/src/token.test.ts

@@ -1,72 +1,259 @@
-import { afterEach, describe, expect, it } from "vitest";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { readAccessToken } from "./token-response.js";
 import { hasConfiguredMSTeamsCredentials, resolveMSTeamsCredentials } from "./token.js";
 
-const ORIGINAL_ENV = {
-  appId: process.env.MSTEAMS_APP_ID,
-  appPassword: process.env.MSTEAMS_APP_PASSWORD,
-  tenantId: process.env.MSTEAMS_TENANT_ID,
-};
-
-afterEach(() => {
-  if (ORIGINAL_ENV.appId === undefined) {
-    delete process.env.MSTEAMS_APP_ID;
-  } else {
-    process.env.MSTEAMS_APP_ID = ORIGINAL_ENV.appId;
-  }
-  if (ORIGINAL_ENV.appPassword === undefined) {
-    delete process.env.MSTEAMS_APP_PASSWORD;
-  } else {
-    process.env.MSTEAMS_APP_PASSWORD = ORIGINAL_ENV.appPassword;
+vi.mock("./secret-input.js", () => ({
+  normalizeSecretInputString: (v: unknown) =>
+    typeof v === "string" && v.trim() ? v.trim() : undefined,
+  normalizeResolvedSecretInputString: (opts: { value: unknown; path: string }) =>
+    typeof opts.value === "string" && opts.value.trim() ? opts.value.trim() : undefined,
+  hasConfiguredSecretInput: (v: unknown) => typeof v === "string" && v.trim().length > 0,
+}));
+
+const ENV_KEYS = [
+  "MSTEAMS_APP_ID",
+  "MSTEAMS_APP_PASSWORD",
+  "MSTEAMS_TENANT_ID",
+  "MSTEAMS_AUTH_TYPE",
+  "MSTEAMS_CERTIFICATE_PATH",
+  "MSTEAMS_CERTIFICATE_THUMBPRINT",
+  "MSTEAMS_USE_MANAGED_IDENTITY",
+  "MSTEAMS_MANAGED_IDENTITY_CLIENT_ID",
+] as const;
+
+let savedEnv: Record<string, string | undefined> = {};
+
+function saveAndClearEnv() {
+  savedEnv = {};
+  for (const key of ENV_KEYS) {
+    savedEnv[key] = process.env[key];
+    delete process.env[key];
   }
-  if (ORIGINAL_ENV.tenantId === undefined) {
-    delete process.env.MSTEAMS_TENANT_ID;
-  } else {
-    process.env.MSTEAMS_TENANT_ID = ORIGINAL_ENV.tenantId;
+}
+
+function restoreEnv() {
+  for (const key of ENV_KEYS) {
+    if (savedEnv[key] !== undefined) {
+      process.env[key] = savedEnv[key];
+    } else {
+      delete process.env[key];
+    }
   }
+}
+
+describe("token – secret credentials", () => {
+  beforeEach(saveAndClearEnv);
+  afterEach(restoreEnv);
+
+  it("returns true when appId + appPassword + tenantId are provided in config", () => {
+    const cfg = { appId: "app-id", appPassword: "app-pw", tenantId: "tenant-id" } as any;
+    expect(hasConfiguredMSTeamsCredentials(cfg)).toBe(true);
+  });
+
+  it("returns false when appPassword is missing", () => {
+    const cfg = { appId: "app-id", tenantId: "tenant-id" } as any;
+    expect(hasConfiguredMSTeamsCredentials(cfg)).toBe(false);
+  });
+
+  it("returns false when no config is given and no env vars set", () => {
+    expect(hasConfiguredMSTeamsCredentials(undefined)).toBe(false);
+  });
+
+  it("resolves secret credentials from config", () => {
+    const cfg = { appId: "app-id", appPassword: "app-pw", tenantId: "tenant-id" } as any;
+    const result = resolveMSTeamsCredentials(cfg);
+    expect(result).toEqual({
+      type: "secret",
+      appId: "app-id",
+      appPassword: "app-pw",
+      tenantId: "tenant-id",
+    });
+  });
+
+  it("resolves secret credentials from env vars", () => {
+    process.env.MSTEAMS_APP_ID = "env-app-id";
+    process.env.MSTEAMS_APP_PASSWORD = "env-app-pw";
+    process.env.MSTEAMS_TENANT_ID = "env-tenant-id";
+    const result = resolveMSTeamsCredentials(undefined);
+    expect(result).toEqual({
+      type: "secret",
+      appId: "env-app-id",
+      appPassword: "env-app-pw",
+      tenantId: "env-tenant-id",
+    });
+  });
+
+  it("returns undefined when appPassword is missing", () => {
+    const cfg = { appId: "app-id", tenantId: "tenant-id" } as any;
+    expect(resolveMSTeamsCredentials(cfg)).toBeUndefined();
+  });
 });
 
-describe("resolveMSTeamsCredentials", () => {
-  it("returns configured credentials for plaintext values", () => {
-    const resolved = resolveMSTeamsCredentials({
-      appId: " app-id ",
-      appPassword: " app-password ",
-      tenantId: " tenant-id ",
+describe("token – federated credentials (certificate)", () => {
+  beforeEach(saveAndClearEnv);
+  afterEach(restoreEnv);
+
+  it("hasConfigured returns true when certificate path is provided", () => {
+    const cfg = {
+      appId: "app-id",
+      tenantId: "tenant-id",
+      authType: "federated",
+      certificatePath: "/cert.pem",
+    } as any;
+    expect(hasConfiguredMSTeamsCredentials(cfg)).toBe(true);
+  });
+
+  it("hasConfigured returns false when neither cert nor MI is provided", () => {
+    const cfg = { appId: "app-id", tenantId: "tenant-id", authType: "federated" } as any;
+    expect(hasConfiguredMSTeamsCredentials(cfg)).toBe(false);
+  });
+
+  it("resolves federated credentials with certificate from config", () => {
+    const cfg = {
+      appId: "app-id",
+      tenantId: "tenant-id",
+      authType: "federated",
+      certificatePath: "/cert.pem",
+      certificateThumbprint: "AABBCCDD",
+    } as any;
+    const result = resolveMSTeamsCredentials(cfg);
+    expect(result).toEqual({
+      type: "federated",
+      appId: "app-id",
+      tenantId: "tenant-id",
+      certificatePath: "/cert.pem",
+      certificateThumbprint: "AABBCCDD",
+      useManagedIdentity: undefined,
+      managedIdentityClientId: undefined,
+    });
+  });
+
+  it("resolves federated credentials from env vars", () => {
+    process.env.MSTEAMS_AUTH_TYPE = "federated";
+    process.env.MSTEAMS_APP_ID = "env-app-id";
+    process.env.MSTEAMS_TENANT_ID = "env-tenant-id";
+    process.env.MSTEAMS_CERTIFICATE_PATH = "/env/cert.pem";
+    process.env.MSTEAMS_CERTIFICATE_THUMBPRINT = "EEFF0011";
+    const result = resolveMSTeamsCredentials(undefined);
+    expect(result).toEqual({
+      type: "federated",
+      appId: "env-app-id",
+      tenantId: "env-tenant-id",
+      certificatePath: "/env/cert.pem",
+      certificateThumbprint: "EEFF0011",
+      useManagedIdentity: undefined,
+      managedIdentityClientId: undefined,
     });
+  });
+});
+
+describe("token – federated credentials (managed identity)", () => {
+  beforeEach(saveAndClearEnv);
+  afterEach(restoreEnv);
+
+  it("resolves managed identity from config", () => {
+    const cfg = {
+      appId: "app-id",
+      tenantId: "tenant-id",
+      authType: "federated",
+      useManagedIdentity: true,
+      managedIdentityClientId: "mi-client-id",
+    } as any;
+    const result = resolveMSTeamsCredentials(cfg);
+    expect(result).toEqual({
+      type: "federated",
+      appId: "app-id",
+      tenantId: "tenant-id",
+      certificatePath: undefined,
+      certificateThumbprint: undefined,
+      useManagedIdentity: true,
+      managedIdentityClientId: "mi-client-id",
+    });
+  });
 
-    expect(resolved).toEqual({
+  it("resolves system-assigned managed identity (no clientId)", () => {
+    const cfg = {
       appId: "app-id",
-      appPassword: "app-password", // pragma: allowlist secret
       tenantId: "tenant-id",
+      authType: "federated",
+      useManagedIdentity: true,
+    } as any;
+    const result = resolveMSTeamsCredentials(cfg);
+    expect(result).toEqual({
+      type: "federated",
+      appId: "app-id",
+      tenantId: "tenant-id",
+      certificatePath: undefined,
+      certificateThumbprint: undefined,
+      useManagedIdentity: true,
+      managedIdentityClientId: undefined,
     });
   });
 
-  it("throws when appPassword remains an unresolved SecretRef object", () => {
-    expect(() =>
-      resolveMSTeamsCredentials({
-        appId: "app-id",
-        appPassword: {
-          source: "env",
-          provider: "default",
-          id: "MSTEAMS_APP_PASSWORD",
-        },
-        tenantId: "tenant-id",
-      }),
-    ).toThrow(/channels\.msteams\.appPassword: unresolved SecretRef/i);
+  it("hasConfigured returns true for managed identity via env", () => {
+    process.env.MSTEAMS_AUTH_TYPE = "federated";
+    process.env.MSTEAMS_APP_ID = "env-app-id";
+    process.env.MSTEAMS_TENANT_ID = "env-tenant-id";
+    process.env.MSTEAMS_USE_MANAGED_IDENTITY = "true";
+    expect(hasConfiguredMSTeamsCredentials(undefined)).toBe(true);
+  });
+
+  it("config useManagedIdentity=false overrides env MSTEAMS_USE_MANAGED_IDENTITY=true", () => {
+    process.env.MSTEAMS_USE_MANAGED_IDENTITY = "true";
+    const cfg = {
+      appId: "app-id",
+      tenantId: "tenant-id",
+      authType: "federated",
+      certificatePath: "/cert.pem",
+      useManagedIdentity: false,
+    } as any;
+    const result = resolveMSTeamsCredentials(cfg);
+    expect(result).toBeDefined();
+    expect(result!.type).toBe("federated");
+    expect((result as any).useManagedIdentity).toBeUndefined();
+    expect((result as any).certificatePath).toBe("/cert.pem");
   });
 });
 
-describe("hasConfiguredMSTeamsCredentials", () => {
-  it("treats SecretRef appPassword as configured", () => {
-    const configured = hasConfiguredMSTeamsCredentials({
+describe("token – backward compatibility", () => {
+  beforeEach(saveAndClearEnv);
+  afterEach(restoreEnv);
+
+  it("defaults to secret when authType is absent", () => {
+    const cfg = { appId: "app-id", appPassword: "pw", tenantId: "tenant-id" } as any;
+    const result = resolveMSTeamsCredentials(cfg);
+    expect(result).toBeDefined();
+    expect(result!.type).toBe("secret");
+  });
+
+  it("explicit authType=secret behaves same as absent", () => {
+    const cfg = {
+      appId: "app-id",
+      appPassword: "pw",
+      tenantId: "tenant-id",
+      authType: "secret",
+    } as any;
+    const result = resolveMSTeamsCredentials(cfg);
+    expect(result).toEqual({
+      type: "secret",
       appId: "app-id",
-      appPassword: {
-        source: "env",
-        provider: "default",
-        id: "MSTEAMS_APP_PASSWORD",
-      },
+      appPassword: "pw",
       tenantId: "tenant-id",
     });
+  });
+});
+
+describe("readAccessToken", () => {
+  it("reads string and object token forms", () => {
+    expect(readAccessToken("abc")).toBe("abc");
+    expect(readAccessToken({ accessToken: "access-token" })).toBe("access-token");
+    expect(readAccessToken({ token: "fallback-token" })).toBe("fallback-token");
+  });
 
-    expect(configured).toBe(true);
+  it("returns null for unsupported token payloads", () => {
+    expect(readAccessToken({ accessToken: 123 })).toBeNull();
+    expect(readAccessToken({ token: false })).toBeNull();
+    expect(readAccessToken(null)).toBeNull();
+    expect(readAccessToken(undefined)).toBeNull();
   });
 });