@openclaw/msteams 2026.3.2 → 2026.3.8-beta.1

package/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## 2026.3.8-beta.1
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.3.8
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.3.7
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.3.3
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
 ## 2026.3.2
 
 ### Changes

package/index.ts

@@ -1,5 +1,5 @@
-import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
-import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk/msteams";
+import { emptyPluginConfigSchema } from "openclaw/plugin-sdk/msteams";
 import { msteamsPlugin } from "./src/channel.js";
 import { setMSTeamsRuntime } from "./src/runtime.js";
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.3.2",
+  "version": "2026.3.8-beta.1",
   "description": "OpenClaw Microsoft Teams channel plugin",
   "type": "module",
   "dependencies": {
@@ -27,6 +27,11 @@
       "npmSpec": "@openclaw/msteams",
       "localPath": "extensions/msteams",
       "defaultChoice": "npm"
+    },
+    "releaseChecks": {
+      "rootDependencyMirrorAllowlist": [
+        "@microsoft/agents-hosting"
+      ]
     }
   }
 }

package/src/attachments/graph.ts

@@ -1,4 +1,4 @@
-import { fetchWithSsrFGuard, type SsrFPolicy } from "openclaw/plugin-sdk";
+import { fetchWithSsrFGuard, type SsrFPolicy } from "openclaw/plugin-sdk/msteams";
 import { getMSTeamsRuntime } from "../runtime.js";
 import { downloadMSTeamsAttachments } from "./download.js";
 import { downloadAndStoreMSTeamsRemoteMedia } from "./remote-media.js";

package/src/attachments/payload.ts

@@ -1,4 +1,4 @@
-import { buildMediaPayload } from "openclaw/plugin-sdk";
+import { buildMediaPayload } from "openclaw/plugin-sdk/msteams";
 
 export function buildMSTeamsMediaPayload(
   mediaList: Array<{ path: string; contentType?: string }>,

package/src/attachments/remote-media.ts

@@ -1,4 +1,4 @@
-import type { SsrFPolicy } from "openclaw/plugin-sdk";
+import type { SsrFPolicy } from "openclaw/plugin-sdk/msteams";
 import { getMSTeamsRuntime } from "../runtime.js";
 import { inferPlaceholder } from "./shared.js";
 import type { MSTeamsInboundMedia } from "./types.js";

package/src/attachments/shared.ts

@@ -4,8 +4,8 @@ import {
   isHttpsUrlAllowedByHostnameSuffixAllowlist,
   isPrivateIpAddress,
   normalizeHostnameSuffixAllowlist,
-} from "openclaw/plugin-sdk";
-import type { SsrFPolicy } from "openclaw/plugin-sdk";
+} from "openclaw/plugin-sdk/msteams";
+import type { SsrFPolicy } from "openclaw/plugin-sdk/msteams";
 import type { MSTeamsAttachmentLike } from "./types.js";
 
 type InlineImageCandidate =

package/src/attachments.test.ts

@@ -1,4 +1,4 @@
-import type { PluginRuntime, SsrFPolicy } from "openclaw/plugin-sdk";
+import type { PluginRuntime, SsrFPolicy } from "openclaw/plugin-sdk/msteams";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import { createPluginRuntimeMock } from "../../test-utils/plugin-runtime-mock.js";
 import {

package/src/channel.directory.test.ts

@@ -1,4 +1,4 @@
-import type { OpenClawConfig, RuntimeEnv } from "openclaw/plugin-sdk";
+import type { OpenClawConfig, RuntimeEnv } from "openclaw/plugin-sdk/msteams";
 import { describe, expect, it } from "vitest";
 import { msteamsPlugin } from "./channel.js";
 

package/src/channel.ts

@@ -1,14 +1,21 @@
-import type { ChannelMessageActionName, ChannelPlugin, OpenClawConfig } from "openclaw/plugin-sdk";
 import {
-  buildBaseChannelStatusSummary,
+  collectAllowlistProviderRestrictSendersWarnings,
+  formatAllowFromLowercase,
+} from "openclaw/plugin-sdk/compat";
+import type {
+  ChannelMessageActionName,
+  ChannelPlugin,
+  OpenClawConfig,
+} from "openclaw/plugin-sdk/msteams";
+import {
+  buildProbeChannelStatusSummary,
+  buildRuntimeAccountStatusSnapshot,
   buildChannelConfigSchema,
   createDefaultChannelRuntimeState,
   DEFAULT_ACCOUNT_ID,
   MSTeamsConfigSchema,
   PAIRING_APPROVED_MESSAGE,
-  resolveAllowlistProviderRuntimeGroupPolicy,
-  resolveDefaultGroupPolicy,
-} from "openclaw/plugin-sdk";
+} from "openclaw/plugin-sdk/msteams";
 import { listMSTeamsDirectoryGroupsLive, listMSTeamsDirectoryPeersLive } from "./directory-live.js";
 import { msteamsOnboardingAdapter } from "./onboarding.js";
 import { msteamsOutbound } from "./outbound.js";
@@ -120,27 +127,20 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
       configured: account.configured,
     }),
     resolveAllowFrom: ({ cfg }) => cfg.channels?.msteams?.allowFrom ?? [],
-    formatAllowFrom: ({ allowFrom }) =>
-      allowFrom
-        .map((entry) => String(entry).trim())
-        .filter(Boolean)
-        .map((entry) => entry.toLowerCase()),
+    formatAllowFrom: ({ allowFrom }) => formatAllowFromLowercase({ allowFrom }),
     resolveDefaultTo: ({ cfg }) => cfg.channels?.msteams?.defaultTo?.trim() || undefined,
   },
   security: {
     collectWarnings: ({ cfg }) => {
-      const defaultGroupPolicy = resolveDefaultGroupPolicy(cfg);
-      const { groupPolicy } = resolveAllowlistProviderRuntimeGroupPolicy({
+      return collectAllowlistProviderRestrictSendersWarnings({
+        cfg,
         providerConfigPresent: cfg.channels?.msteams !== undefined,
-        groupPolicy: cfg.channels?.msteams?.groupPolicy,
-        defaultGroupPolicy,
+        configuredGroupPolicy: cfg.channels?.msteams?.groupPolicy,
+        surface: "MS Teams groups",
+        openScope: "any member",
+        groupPolicyPath: "channels.msteams.groupPolicy",
+        groupAllowFromPath: "channels.msteams.groupAllowFrom",
       });
-      if (groupPolicy !== "open") {
-        return [];
-      }
-      return [
-        `- MS Teams groups: groupPolicy="open" allows any member to trigger (mention-gated). Set channels.msteams.groupPolicy="allowlist" + channels.msteams.groupAllowFrom to restrict senders.`,
-      ];
     },
   },
   setup: {
@@ -246,11 +246,43 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
         name: undefined as string | undefined,
         note: undefined as string | undefined,
       }));
+      type ResolveTargetResultEntry = (typeof results)[number];
+      type PendingTargetEntry = { input: string; query: string; index: number };
 
       const stripPrefix = (value: string) => normalizeMSTeamsUserInput(value);
+      const markPendingLookupFailed = (pending: PendingTargetEntry[]) => {
+        pending.forEach(({ index }) => {
+          const entry = results[index];
+          if (entry) {
+            entry.note = "lookup failed";
+          }
+        });
+      };
+      const resolvePending = async <T>(
+        pending: PendingTargetEntry[],
+        resolveEntries: (entries: string[]) => Promise<T[]>,
+        applyResolvedEntry: (target: ResolveTargetResultEntry, entry: T) => void,
+      ) => {
+        if (pending.length === 0) {
+          return;
+        }
+        try {
+          const resolved = await resolveEntries(pending.map((entry) => entry.query));
+          resolved.forEach((entry, idx) => {
+            const target = results[pending[idx]?.index ?? -1];
+            if (!target) {
+              return;
+            }
+            applyResolvedEntry(target, entry);
+          });
+        } catch (err) {
+          runtime.error?.(`msteams resolve failed: ${String(err)}`);
+          markPendingLookupFailed(pending);
+        }
+      };
 
       if (kind === "user") {
-        const pending: Array<{ input: string; query: string; index: number }> = [];
+        const pending: PendingTargetEntry[] = [];
         results.forEach((entry, index) => {
           const trimmed = entry.input.trim();
           if (!trimmed) {
@@ -266,37 +298,21 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
           pending.push({ input: entry.input, query: cleaned, index });
         });
 
-        if (pending.length > 0) {
-          try {
-            const resolved = await resolveMSTeamsUserAllowlist({
-              cfg,
-              entries: pending.map((entry) => entry.query),
-            });
-            resolved.forEach((entry, idx) => {
-              const target = results[pending[idx]?.index ?? -1];
-              if (!target) {
-                return;
-              }
-              target.resolved = entry.resolved;
-              target.id = entry.id;
-              target.name = entry.name;
-              target.note = entry.note;
-            });
-          } catch (err) {
-            runtime.error?.(`msteams resolve failed: ${String(err)}`);
-            pending.forEach(({ index }) => {
-              const entry = results[index];
-              if (entry) {
-                entry.note = "lookup failed";
-              }
-            });
-          }
-        }
+        await resolvePending(
+          pending,
+          (entries) => resolveMSTeamsUserAllowlist({ cfg, entries }),
+          (target, entry) => {
+            target.resolved = entry.resolved;
+            target.id = entry.id;
+            target.name = entry.name;
+            target.note = entry.note;
+          },
+        );
 
         return results;
       }
 
-      const pending: Array<{ input: string; query: string; index: number }> = [];
+      const pending: PendingTargetEntry[] = [];
       results.forEach((entry, index) => {
         const trimmed = entry.input.trim();
         if (!trimmed) {
@@ -319,48 +335,32 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
         pending.push({ input: entry.input, query, index });
       });
 
-      if (pending.length > 0) {
-        try {
-          const resolved = await resolveMSTeamsChannelAllowlist({
-            cfg,
-            entries: pending.map((entry) => entry.query),
-          });
-          resolved.forEach((entry, idx) => {
-            const target = results[pending[idx]?.index ?? -1];
-            if (!target) {
-              return;
-            }
-            if (!entry.resolved || !entry.teamId) {
-              target.resolved = false;
-              target.note = entry.note;
-              return;
-            }
-            target.resolved = true;
-            if (entry.channelId) {
-              target.id = `${entry.teamId}/${entry.channelId}`;
-              target.name =
-                entry.channelName && entry.teamName
-                  ? `${entry.teamName}/${entry.channelName}`
-                  : (entry.channelName ?? entry.teamName);
-            } else {
-              target.id = entry.teamId;
-              target.name = entry.teamName;
-              target.note = "team id";
-            }
-            if (entry.note) {
-              target.note = entry.note;
-            }
-          });
-        } catch (err) {
-          runtime.error?.(`msteams resolve failed: ${String(err)}`);
-          pending.forEach(({ index }) => {
-            const entry = results[index];
-            if (entry) {
-              entry.note = "lookup failed";
-            }
-          });
-        }
-      }
+      await resolvePending(
+        pending,
+        (entries) => resolveMSTeamsChannelAllowlist({ cfg, entries }),
+        (target, entry) => {
+          if (!entry.resolved || !entry.teamId) {
+            target.resolved = false;
+            target.note = entry.note;
+            return;
+          }
+          target.resolved = true;
+          if (entry.channelId) {
+            target.id = `${entry.teamId}/${entry.channelId}`;
+            target.name =
+              entry.channelName && entry.teamName
+                ? `${entry.teamName}/${entry.channelName}`
+                : (entry.channelName ?? entry.teamName);
+          } else {
+            target.id = entry.teamId;
+            target.name = entry.teamName;
+            target.note = "team id";
+          }
+          if (entry.note) {
+            target.note = entry.note;
+          }
+        },
+      );
 
       return results;
     },
@@ -425,23 +425,17 @@ export const msteamsPlugin: ChannelPlugin<ResolvedMSTeamsAccount> = {
   outbound: msteamsOutbound,
   status: {
     defaultRuntime: createDefaultChannelRuntimeState(DEFAULT_ACCOUNT_ID, { port: null }),
-    buildChannelSummary: ({ snapshot }) => ({
-      ...buildBaseChannelStatusSummary(snapshot),
-      port: snapshot.port ?? null,
-      probe: snapshot.probe,
-      lastProbeAt: snapshot.lastProbeAt ?? null,
-    }),
+    buildChannelSummary: ({ snapshot }) =>
+      buildProbeChannelStatusSummary(snapshot, {
+        port: snapshot.port ?? null,
+      }),
     probeAccount: async ({ cfg }) => await probeMSTeams(cfg.channels?.msteams),
     buildAccountSnapshot: ({ account, runtime, probe }) => ({
       accountId: account.accountId,
       enabled: account.enabled,
       configured: account.configured,
-      running: runtime?.running ?? false,
-      lastStartAt: runtime?.lastStartAt ?? null,
-      lastStopAt: runtime?.lastStopAt ?? null,
-      lastError: runtime?.lastError ?? null,
+      ...buildRuntimeAccountStatusSnapshot({ runtime, probe }),
       port: runtime?.port ?? null,
-      probe,
     }),
   },
   gateway: {

package/src/directory-live.ts

@@ -1,4 +1,4 @@
-import type { ChannelDirectoryEntry } from "openclaw/plugin-sdk";
+import type { ChannelDirectoryEntry } from "openclaw/plugin-sdk/msteams";
 import { searchGraphUsers } from "./graph-users.js";
 import {
   type GraphChannel,

package/src/file-lock.ts

@@ -1 +1 @@
-export { withFileLock } from "openclaw/plugin-sdk";
+export { withFileLock } from "openclaw/plugin-sdk/msteams";

package/src/graph.ts

@@ -1,4 +1,4 @@
-import type { MSTeamsConfig } from "openclaw/plugin-sdk";
+import type { MSTeamsConfig } from "openclaw/plugin-sdk/msteams";
 import { GRAPH_ROOT } from "./attachments/shared.js";
 import { loadMSTeamsSdkWithAuth } from "./sdk.js";
 import { readAccessToken } from "./token-response.js";

package/src/media-helpers.ts

@@ -8,7 +8,7 @@ import {
   extensionForMime,
   extractOriginalFilename,
   getFileExtension,
-} from "openclaw/plugin-sdk";
+} from "openclaw/plugin-sdk/msteams";
 
 /**
  * Detect MIME type from URL extension or data URL.

package/src/messenger.test.ts

@@ -1,7 +1,7 @@
 import { mkdtemp, rm, writeFile } from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
-import { SILENT_REPLY_TOKEN, type PluginRuntime } from "openclaw/plugin-sdk";
+import { SILENT_REPLY_TOKEN, type PluginRuntime } from "openclaw/plugin-sdk/msteams";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import { createPluginRuntimeMock } from "../../test-utils/plugin-runtime-mock.js";
 import type { StoredConversationReference } from "./conversation-store.js";
@@ -72,6 +72,17 @@ const createRecordedSendActivity = (
   };
 };
 
+const REVOCATION_ERROR = "Cannot perform 'set' on a proxy that has been revoked";
+
+const createFallbackAdapter = (proactiveSent: string[]): MSTeamsAdapter => ({
+  continueConversation: async (_appId, _reference, logic) => {
+    await logic({
+      sendActivity: createRecordedSendActivity(proactiveSent),
+    });
+  },
+  process: async () => {},
+});
+
 describe("msteams messenger", () => {
   beforeEach(() => {
     setMSTeamsRuntime(runtimeStub);
@@ -297,18 +308,11 @@ describe("msteams messenger", () => {
 
       const ctx = {
         sendActivity: async () => {
-          throw new TypeError("Cannot perform 'set' on a proxy that has been revoked");
+          throw new TypeError(REVOCATION_ERROR);
         },
       };
 
-      const adapter: MSTeamsAdapter = {
-        continueConversation: async (_appId, _reference, logic) => {
-          await logic({
-            sendActivity: createRecordedSendActivity(proactiveSent),
-          });
-        },
-        process: async () => {},
-      };
+      const adapter = createFallbackAdapter(proactiveSent);
 
       const ids = await sendMSTeamsMessages({
         replyStyle: "thread",
@@ -338,18 +342,11 @@ describe("msteams messenger", () => {
             threadSent.push(content);
             return { id: `id:${content}` };
           }
-          throw new TypeError("Cannot perform 'set' on a proxy that has been revoked");
+          throw new TypeError(REVOCATION_ERROR);
         },
       };
 
-      const adapter: MSTeamsAdapter = {
-        continueConversation: async (_appId, _reference, logic) => {
-          await logic({
-            sendActivity: createRecordedSendActivity(proactiveSent),
-          });
-        },
-        process: async () => {},
-      };
+      const adapter = createFallbackAdapter(proactiveSent);
 
       const ids = await sendMSTeamsMessages({
         replyStyle: "thread",

package/src/messenger.ts

@@ -7,7 +7,7 @@ import {
   type ReplyPayload,
   SILENT_REPLY_TOKEN,
   sleep,
-} from "openclaw/plugin-sdk";
+} from "openclaw/plugin-sdk/msteams";
 import type { MSTeamsAccessTokenProvider } from "./attachments/types.js";
 import type { StoredConversationReference } from "./conversation-store.js";
 import { classifyMSTeamsSendError } from "./errors.js";

package/src/monitor-handler/message-handler.authz.test.ts

@@ -1,11 +1,11 @@
-import type { OpenClawConfig, PluginRuntime, RuntimeEnv } from "openclaw/plugin-sdk";
+import type { OpenClawConfig, PluginRuntime, RuntimeEnv } from "openclaw/plugin-sdk/msteams";
 import { describe, expect, it, vi } from "vitest";
 import type { MSTeamsMessageHandlerDeps } from "../monitor-handler.js";
 import { setMSTeamsRuntime } from "../runtime.js";
 import { createMSTeamsMessageHandler } from "./message-handler.js";
 
 describe("msteams monitor handler authz", () => {
-  it("does not treat DM pairing-store entries as group allowlist entries", async () => {
+  function createDeps(cfg: OpenClawConfig) {
     const readAllowFromStore = vi.fn(async () => ["attacker-aad"]);
     setMSTeamsRuntime({
       logging: { shouldLogVerbose: () => false },
@@ -35,16 +35,7 @@ describe("msteams monitor handler authz", () => {
     };
 
     const deps: MSTeamsMessageHandlerDeps = {
-      cfg: {
-        channels: {
-          msteams: {
-            dmPolicy: "pairing",
-            allowFrom: [],
-            groupPolicy: "allowlist",
-            groupAllowFrom: [],
-          },
-        },
-      } as OpenClawConfig,
+      cfg,
       runtime: { error: vi.fn() } as unknown as RuntimeEnv,
       appId: "test-app",
       adapter: {} as MSTeamsMessageHandlerDeps["adapter"],
@@ -65,6 +56,21 @@ describe("msteams monitor handler authz", () => {
       } as unknown as MSTeamsMessageHandlerDeps["log"],
     };
 
+    return { conversationStore, deps, readAllowFromStore };
+  }
+
+  it("does not treat DM pairing-store entries as group allowlist entries", async () => {
+    const { conversationStore, deps, readAllowFromStore } = createDeps({
+      channels: {
+        msteams: {
+          dmPolicy: "pairing",
+          allowFrom: [],
+          groupPolicy: "allowlist",
+          groupAllowFrom: [],
+        },
+      },
+    } as OpenClawConfig);
+
     const handler = createMSTeamsMessageHandler(deps);
     await handler({
       activity: {
@@ -96,4 +102,54 @@ describe("msteams monitor handler authz", () => {
     });
     expect(conversationStore.upsert).not.toHaveBeenCalled();
   });
+
+  it("does not widen sender auth when only a teams route allowlist is configured", async () => {
+    const { conversationStore, deps } = createDeps({
+      channels: {
+        msteams: {
+          dmPolicy: "pairing",
+          allowFrom: [],
+          groupPolicy: "allowlist",
+          groupAllowFrom: [],
+          teams: {
+            team123: {
+              channels: {
+                "19:group@thread.tacv2": { requireMention: false },
+              },
+            },
+          },
+        },
+      },
+    } as OpenClawConfig);
+
+    const handler = createMSTeamsMessageHandler(deps);
+    await handler({
+      activity: {
+        id: "msg-1",
+        type: "message",
+        text: "hello",
+        from: {
+          id: "attacker-id",
+          aadObjectId: "attacker-aad",
+          name: "Attacker",
+        },
+        recipient: {
+          id: "bot-id",
+          name: "Bot",
+        },
+        conversation: {
+          id: "19:group@thread.tacv2",
+          conversationType: "groupChat",
+        },
+        channelData: {
+          team: { id: "team123", name: "Team 123" },
+          channel: { name: "General" },
+        },
+        attachments: [],
+      },
+      sendActivity: vi.fn(async () => undefined),
+    } as unknown as Parameters<typeof handler>[0]);
+
+    expect(conversationStore.upsert).not.toHaveBeenCalled();
+  });
 });