@openclaw/msteams 2026.3.7 → 2026.3.10

package/CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## 2026.3.10
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.3.9
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.3.8-beta.1
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.3.8
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
 ## 2026.3.7
 
 ### Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.3.7",
+  "version": "2026.3.10",
   "description": "OpenClaw Microsoft Teams channel plugin",
   "type": "module",
   "dependencies": {
@@ -27,6 +27,11 @@
       "npmSpec": "@openclaw/msteams",
       "localPath": "extensions/msteams",
       "defaultChoice": "npm"
+    },
+    "releaseChecks": {
+      "rootDependencyMirrorAllowlist": [
+        "@microsoft/agents-hosting"
+      ]
     }
   }
 }

package/src/monitor-handler/message-handler.authz.test.ts

@@ -5,7 +5,7 @@ import { setMSTeamsRuntime } from "../runtime.js";
 import { createMSTeamsMessageHandler } from "./message-handler.js";
 
 describe("msteams monitor handler authz", () => {
-  it("does not treat DM pairing-store entries as group allowlist entries", async () => {
+  function createDeps(cfg: OpenClawConfig) {
     const readAllowFromStore = vi.fn(async () => ["attacker-aad"]);
     setMSTeamsRuntime({
       logging: { shouldLogVerbose: () => false },
@@ -35,16 +35,7 @@ describe("msteams monitor handler authz", () => {
     };
 
     const deps: MSTeamsMessageHandlerDeps = {
-      cfg: {
-        channels: {
-          msteams: {
-            dmPolicy: "pairing",
-            allowFrom: [],
-            groupPolicy: "allowlist",
-            groupAllowFrom: [],
-          },
-        },
-      } as OpenClawConfig,
+      cfg,
       runtime: { error: vi.fn() } as unknown as RuntimeEnv,
       appId: "test-app",
       adapter: {} as MSTeamsMessageHandlerDeps["adapter"],
@@ -65,6 +56,21 @@ describe("msteams monitor handler authz", () => {
       } as unknown as MSTeamsMessageHandlerDeps["log"],
     };
 
+    return { conversationStore, deps, readAllowFromStore };
+  }
+
+  it("does not treat DM pairing-store entries as group allowlist entries", async () => {
+    const { conversationStore, deps, readAllowFromStore } = createDeps({
+      channels: {
+        msteams: {
+          dmPolicy: "pairing",
+          allowFrom: [],
+          groupPolicy: "allowlist",
+          groupAllowFrom: [],
+        },
+      },
+    } as OpenClawConfig);
+
     const handler = createMSTeamsMessageHandler(deps);
     await handler({
       activity: {
@@ -96,4 +102,54 @@ describe("msteams monitor handler authz", () => {
     });
     expect(conversationStore.upsert).not.toHaveBeenCalled();
   });
+
+  it("does not widen sender auth when only a teams route allowlist is configured", async () => {
+    const { conversationStore, deps } = createDeps({
+      channels: {
+        msteams: {
+          dmPolicy: "pairing",
+          allowFrom: [],
+          groupPolicy: "allowlist",
+          groupAllowFrom: [],
+          teams: {
+            team123: {
+              channels: {
+                "19:group@thread.tacv2": { requireMention: false },
+              },
+            },
+          },
+        },
+      },
+    } as OpenClawConfig);
+
+    const handler = createMSTeamsMessageHandler(deps);
+    await handler({
+      activity: {
+        id: "msg-1",
+        type: "message",
+        text: "hello",
+        from: {
+          id: "attacker-id",
+          aadObjectId: "attacker-aad",
+          name: "Attacker",
+        },
+        recipient: {
+          id: "bot-id",
+          name: "Bot",
+        },
+        conversation: {
+          id: "19:group@thread.tacv2",
+          conversationType: "groupChat",
+        },
+        channelData: {
+          team: { id: "team123", name: "Team 123" },
+          channel: { name: "General" },
+        },
+        attachments: [],
+      },
+      sendActivity: vi.fn(async () => undefined),
+    } as unknown as Parameters<typeof handler>[0]);
+
+    expect(conversationStore.upsert).not.toHaveBeenCalled();
+  });
 });

package/src/monitor-handler/message-handler.ts

@@ -242,10 +242,7 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
       }
       const senderGroupAccess = evaluateSenderGroupAccessForPolicy({
         groupPolicy,
-        groupAllowFrom:
-          effectiveGroupAllowFrom.length > 0 || !channelGate.allowlistConfigured
-            ? effectiveGroupAllowFrom
-            : ["*"],
+        groupAllowFrom: effectiveGroupAllowFrom,
         senderId,
         isSenderAllowed: (_senderId, allowFrom) =>
           resolveMSTeamsAllowlistMatch({

package/src/resolve-allowlist.test.ts

@@ -54,10 +54,12 @@ describe("resolveMSTeamsUserAllowlist", () => {
 
 describe("resolveMSTeamsChannelAllowlist", () => {
   it("resolves team/channel by team name + channel display name", async () => {
-    listTeamsByName.mockResolvedValueOnce([{ id: "team-1", displayName: "Product Team" }]);
+    // After the fix, listChannelsForTeam is called once and reused for both
+    // General channel resolution and channel matching.
+    listTeamsByName.mockResolvedValueOnce([{ id: "team-guid-1", displayName: "Product Team" }]);
     listChannelsForTeam.mockResolvedValueOnce([
-      { id: "channel-1", displayName: "General" },
-      { id: "channel-2", displayName: "Roadmap" },
+      { id: "19:general-conv-id@thread.tacv2", displayName: "General" },
+      { id: "19:roadmap-conv-id@thread.tacv2", displayName: "Roadmap" },
     ]);
 
     const [result] = await resolveMSTeamsChannelAllowlist({
@@ -65,14 +67,80 @@ describe("resolveMSTeamsChannelAllowlist", () => {
       entries: ["Product Team/Roadmap"],
     });
 
+    // teamId is now the General channel's conversation ID — not the Graph GUID —
+    // because that's what Bot Framework sends as channelData.team.id at runtime.
     expect(result).toEqual({
       input: "Product Team/Roadmap",
       resolved: true,
-      teamId: "team-1",
+      teamId: "19:general-conv-id@thread.tacv2",
       teamName: "Product Team",
-      channelId: "channel-2",
+      channelId: "19:roadmap-conv-id@thread.tacv2",
       channelName: "Roadmap",
       note: "multiple channels; chose first",
     });
   });
+
+  it("uses General channel conversation ID as team key for team-only entry", async () => {
+    // When no channel is specified we still resolve the General channel so the
+    // stored key matches what Bot Framework sends as channelData.team.id.
+    listTeamsByName.mockResolvedValueOnce([{ id: "guid-engineering", displayName: "Engineering" }]);
+    listChannelsForTeam.mockResolvedValueOnce([
+      { id: "19:eng-general@thread.tacv2", displayName: "General" },
+      { id: "19:eng-standups@thread.tacv2", displayName: "Standups" },
+    ]);
+
+    const [result] = await resolveMSTeamsChannelAllowlist({
+      cfg: {},
+      entries: ["Engineering"],
+    });
+
+    expect(result).toEqual({
+      input: "Engineering",
+      resolved: true,
+      teamId: "19:eng-general@thread.tacv2",
+      teamName: "Engineering",
+    });
+  });
+
+  it("falls back to Graph GUID when listChannelsForTeam throws", async () => {
+    // Edge case: API call fails (rate limit, network error). We fall back to
+    // the Graph GUID as the team key — the pre-fix behavior — so resolution
+    // still succeeds instead of propagating the error.
+    listTeamsByName.mockResolvedValueOnce([{ id: "guid-flaky", displayName: "Flaky Team" }]);
+    listChannelsForTeam.mockRejectedValueOnce(new Error("429 Too Many Requests"));
+
+    const [result] = await resolveMSTeamsChannelAllowlist({
+      cfg: {},
+      entries: ["Flaky Team"],
+    });
+
+    expect(result).toEqual({
+      input: "Flaky Team",
+      resolved: true,
+      teamId: "guid-flaky",
+      teamName: "Flaky Team",
+    });
+  });
+
+  it("falls back to Graph GUID when General channel is not found", async () => {
+    // Edge case: General channel was renamed or deleted. We fall back to the
+    // Graph GUID so resolution still succeeds rather than silently breaking.
+    listTeamsByName.mockResolvedValueOnce([{ id: "guid-ops", displayName: "Operations" }]);
+    listChannelsForTeam.mockResolvedValueOnce([
+      { id: "19:ops-announce@thread.tacv2", displayName: "Announcements" },
+      { id: "19:ops-random@thread.tacv2", displayName: "Random" },
+    ]);
+
+    const [result] = await resolveMSTeamsChannelAllowlist({
+      cfg: {},
+      entries: ["Operations"],
+    });
+
+    expect(result).toEqual({
+      input: "Operations",
+      resolved: true,
+      teamId: "guid-ops",
+      teamName: "Operations",
+    });
+  });
 });

package/src/resolve-allowlist.ts

@@ -120,11 +120,26 @@ export async function resolveMSTeamsChannelAllowlist(params: {
         return { input, resolved: false, note: "team not found" };
       }
       const teamMatch = teams[0];
-      const teamId = teamMatch.id?.trim();
+      const graphTeamId = teamMatch.id?.trim();
       const teamName = teamMatch.displayName?.trim() || team;
-      if (!teamId) {
+      if (!graphTeamId) {
         return { input, resolved: false, note: "team id missing" };
       }
+      // Bot Framework sends the General channel's conversation ID as
+      // channelData.team.id at runtime, NOT the Graph API group GUID.
+      // Fetch channels upfront so we can resolve the correct key format for
+      // runtime matching and reuse the list for channel lookups.
+      let teamChannels: Awaited<ReturnType<typeof listChannelsForTeam>> = [];
+      try {
+        teamChannels = await listChannelsForTeam(token, graphTeamId);
+      } catch {
+        // API failure (rate limit, network error) — fall back to Graph GUID as team key
+      }
+      const generalChannel = teamChannels.find((ch) => ch.displayName?.toLowerCase() === "general");
+      // Use the General channel's conversation ID as the team key — this
+      // matches what Bot Framework sends at runtime. Fall back to the Graph
+      // GUID if the General channel isn't found (renamed or deleted).
+      const teamId = generalChannel?.id?.trim() || graphTeamId;
       if (!channel) {
         return {
           input,
@@ -134,11 +149,11 @@ export async function resolveMSTeamsChannelAllowlist(params: {
           note: teams.length > 1 ? "multiple teams; chose first" : undefined,
         };
       }
-      const channels = await listChannelsForTeam(token, teamId);
+      // Reuse teamChannels — already fetched above
       const channelMatch =
-        channels.find((item) => item.id === channel) ??
-        channels.find((item) => item.displayName?.toLowerCase() === channel.toLowerCase()) ??
-        channels.find((item) =>
+        teamChannels.find((item) => item.id === channel) ??
+        teamChannels.find((item) => item.displayName?.toLowerCase() === channel.toLowerCase()) ??
+        teamChannels.find((item) =>
           item.displayName?.toLowerCase().includes(channel.toLowerCase() ?? ""),
         );
       if (!channelMatch?.id) {
@@ -151,7 +166,7 @@ export async function resolveMSTeamsChannelAllowlist(params: {
         teamName,
         channelId: channelMatch.id,
         channelName: channelMatch.displayName ?? channel,
-        note: channels.length > 1 ? "multiple channels; chose first" : undefined,
+        note: teamChannels.length > 1 ? "multiple channels; chose first" : undefined,
       };
     },
   });

package/src/runtime.ts

@@ -1,14 +1,6 @@
+import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
 import type { PluginRuntime } from "openclaw/plugin-sdk/msteams";
 
-let runtime: PluginRuntime | null = null;
-
-export function setMSTeamsRuntime(next: PluginRuntime) {
-  runtime = next;
-}
-
-export function getMSTeamsRuntime(): PluginRuntime {
-  if (!runtime) {
-    throw new Error("MSTeams runtime not initialized");
-  }
-  return runtime;
-}
+const { setRuntime: setMSTeamsRuntime, getRuntime: getMSTeamsRuntime } =
+  createPluginRuntimeStore<PluginRuntime>("MSTeams runtime not initialized");
+export { getMSTeamsRuntime, setMSTeamsRuntime };