@openclaw/msteams 2026.5.2-beta.2 → 2026.5.3-beta.1

package/src/setup-surface.ts

@@ -1,320 +0,0 @@
-import { spawn } from "node:child_process";
-import {
-  createTopLevelChannelAllowFromSetter,
-  createTopLevelChannelDmPolicy,
-  createTopLevelChannelGroupPolicySetter,
-  mergeAllowFromEntries,
-  splitSetupEntries,
-  type ChannelSetupDmPolicy,
-  type ChannelSetupWizard,
-  type OpenClawConfig,
-  type WizardPrompter,
-} from "openclaw/plugin-sdk/setup";
-import type { MSTeamsTeamConfig } from "../runtime-api.js";
-import { formatUnknownError } from "./errors.js";
-import {
-  parseMSTeamsTeamEntry,
-  resolveMSTeamsChannelAllowlist,
-  resolveMSTeamsUserAllowlist,
-} from "./resolve-allowlist.js";
-import { createMSTeamsSetupWizardBase } from "./setup-core.js";
-import { resolveMSTeamsCredentials, saveDelegatedTokens } from "./token.js";
-
-const channel = "msteams" as const;
-const setMSTeamsAllowFrom = createTopLevelChannelAllowFromSetter({
-  channel,
-});
-const setMSTeamsGroupPolicy = createTopLevelChannelGroupPolicySetter({
-  channel,
-  enabled: true,
-});
-
-export function openDelegatedOAuthUrl(url: string): Promise<void> {
-  return new Promise<void>((resolve, reject) => {
-    const cmd = process.platform === "darwin" ? "open" : "xdg-open";
-    const child = spawn(cmd, [url], { stdio: "ignore", shell: false });
-    child.once("error", reject);
-    child.once("exit", (code, signal) => {
-      if (code === 0) {
-        resolve();
-        return;
-      }
-      const reason = signal ? `signal ${signal}` : `code ${code ?? "unknown"}`;
-      reject(new Error(`${cmd} failed with ${reason}`));
-    });
-  });
-}
-
-function looksLikeGuid(value: string): boolean {
-  return /^[0-9a-fA-F-]{16,}$/.test(value);
-}
-
-async function promptMSTeamsAllowFrom(params: {
-  cfg: OpenClawConfig;
-  prompter: WizardPrompter;
-}): Promise<OpenClawConfig> {
-  const existing = params.cfg.channels?.msteams?.allowFrom ?? [];
-  await params.prompter.note(
-    [
-      "Allowlist MS Teams DMs by display name, UPN/email, or user id.",
-      "We resolve names to user IDs via Microsoft Graph when credentials allow.",
-      "Examples:",
-      "- alex@example.com",
-      "- Alex Johnson",
-      "- 00000000-0000-0000-0000-000000000000",
-    ].join("\n"),
-    "MS Teams allowlist",
-  );
-
-  while (true) {
-    const entry = await params.prompter.text({
-      message: "MS Teams allowFrom (usernames or ids)",
-      placeholder: "alex@example.com, Alex Johnson",
-      initialValue: existing[0] ? existing[0] : undefined,
-      validate: (value) => (value.trim() ? undefined : "Required"),
-    });
-    const parts = splitSetupEntries(entry);
-    if (parts.length === 0) {
-      await params.prompter.note("Enter at least one user.", "MS Teams allowlist");
-      continue;
-    }
-
-    const resolved = await resolveMSTeamsUserAllowlist({
-      cfg: params.cfg,
-      entries: parts,
-    }).catch(() => null);
-
-    if (!resolved) {
-      const ids = parts.filter((part) => looksLikeGuid(part));
-      if (ids.length !== parts.length) {
-        await params.prompter.note(
-          "Graph lookup unavailable. Use user IDs only.",
-          "MS Teams allowlist",
-        );
-        continue;
-      }
-      const unique = mergeAllowFromEntries(existing, ids);
-      return setMSTeamsAllowFrom(params.cfg, unique);
-    }
-
-    const unresolved = resolved.filter((item) => !item.resolved || !item.id);
-    if (unresolved.length > 0) {
-      await params.prompter.note(
-        `Could not resolve: ${unresolved.map((item) => item.input).join(", ")}`,
-        "MS Teams allowlist",
-      );
-      continue;
-    }
-
-    const ids = resolved.map((item) => item.id as string);
-    const unique = mergeAllowFromEntries(existing, ids);
-    return setMSTeamsAllowFrom(params.cfg, unique);
-  }
-}
-
-function setMSTeamsTeamsAllowlist(
-  cfg: OpenClawConfig,
-  entries: Array<{ teamKey: string; channelKey?: string }>,
-): OpenClawConfig {
-  const baseTeams = cfg.channels?.msteams?.teams ?? {};
-  const teams: Record<string, { channels?: Record<string, unknown> }> = { ...baseTeams };
-  for (const entry of entries) {
-    const teamKey = entry.teamKey;
-    if (!teamKey) {
-      continue;
-    }
-    const existing = teams[teamKey] ?? {};
-    if (entry.channelKey) {
-      const channels = { ...existing.channels };
-      channels[entry.channelKey] = channels[entry.channelKey] ?? {};
-      teams[teamKey] = { ...existing, channels };
-    } else {
-      teams[teamKey] = existing;
-    }
-  }
-  return {
-    ...cfg,
-    channels: {
-      ...cfg.channels,
-      msteams: {
-        ...cfg.channels?.msteams,
-        enabled: true,
-        teams: teams as Record<string, MSTeamsTeamConfig>,
-      },
-    },
-  };
-}
-
-function listMSTeamsGroupEntries(cfg: OpenClawConfig): string[] {
-  return Object.entries(cfg.channels?.msteams?.teams ?? {}).flatMap(([teamKey, value]) => {
-    const channels = value?.channels ?? {};
-    const channelKeys = Object.keys(channels);
-    if (channelKeys.length === 0) {
-      return [teamKey];
-    }
-    return channelKeys.map((channelKey) => `${teamKey}/${channelKey}`);
-  });
-}
-
-async function resolveMSTeamsGroupAllowlist(params: {
-  cfg: OpenClawConfig;
-  entries: string[];
-  prompter: Pick<WizardPrompter, "note">;
-}): Promise<Array<{ teamKey: string; channelKey?: string }>> {
-  let resolvedEntries = params.entries
-    .map((entry) => parseMSTeamsTeamEntry(entry))
-    .filter(Boolean) as Array<{ teamKey: string; channelKey?: string }>;
-  if (params.entries.length === 0 || !resolveMSTeamsCredentials(params.cfg.channels?.msteams)) {
-    return resolvedEntries;
-  }
-  try {
-    const lookups = await resolveMSTeamsChannelAllowlist({
-      cfg: params.cfg,
-      entries: params.entries,
-    });
-    const resolvedChannels = lookups.filter(
-      (entry) => entry.resolved && entry.teamId && entry.channelId,
-    );
-    const resolvedTeams = lookups.filter(
-      (entry) => entry.resolved && entry.teamId && !entry.channelId,
-    );
-    const unresolved = lookups.filter((entry) => !entry.resolved).map((entry) => entry.input);
-    resolvedEntries = [
-      ...resolvedChannels.map((entry) => ({
-        teamKey: entry.teamId as string,
-        channelKey: entry.channelId as string,
-      })),
-      ...resolvedTeams.map((entry) => ({
-        teamKey: entry.teamId as string,
-      })),
-      ...unresolved.map((entry) => parseMSTeamsTeamEntry(entry)).filter(Boolean),
-    ] as Array<{ teamKey: string; channelKey?: string }>;
-    const summary: string[] = [];
-    if (resolvedChannels.length > 0) {
-      summary.push(
-        `Resolved channels: ${resolvedChannels
-          .map((entry) => entry.channelId)
-          .filter(Boolean)
-          .join(", ")}`,
-      );
-    }
-    if (resolvedTeams.length > 0) {
-      summary.push(
-        `Resolved teams: ${resolvedTeams
-          .map((entry) => entry.teamId)
-          .filter(Boolean)
-          .join(", ")}`,
-      );
-    }
-    if (unresolved.length > 0) {
-      summary.push(`Unresolved (kept as typed): ${unresolved.join(", ")}`);
-    }
-    if (summary.length > 0) {
-      await params.prompter.note(summary.join("\n"), "MS Teams channels");
-    }
-    return resolvedEntries;
-  } catch (err) {
-    await params.prompter.note(
-      `Channel lookup failed; keeping entries as typed. ${formatUnknownError(err)}`,
-      "MS Teams channels",
-    );
-    return resolvedEntries;
-  }
-}
-
-const msteamsGroupAccess: NonNullable<ChannelSetupWizard["groupAccess"]> = {
-  label: "MS Teams channels",
-  placeholder: "Team Name/Channel Name, teamId/conversationId",
-  currentPolicy: ({ cfg }) => cfg.channels?.msteams?.groupPolicy ?? "allowlist",
-  currentEntries: ({ cfg }) => listMSTeamsGroupEntries(cfg),
-  updatePrompt: ({ cfg }) => Boolean(cfg.channels?.msteams?.teams),
-  setPolicy: ({ cfg, policy }) => setMSTeamsGroupPolicy(cfg, policy),
-  resolveAllowlist: async ({ cfg, entries, prompter }) =>
-    await resolveMSTeamsGroupAllowlist({ cfg, entries, prompter }),
-  applyAllowlist: ({ cfg, resolved }) =>
-    setMSTeamsTeamsAllowlist(cfg, resolved as Array<{ teamKey: string; channelKey?: string }>),
-};
-
-const msteamsDmPolicy: ChannelSetupDmPolicy = createTopLevelChannelDmPolicy({
-  label: "MS Teams",
-  channel,
-  policyKey: "channels.msteams.dmPolicy",
-  allowFromKey: "channels.msteams.allowFrom",
-  getCurrent: (cfg) => cfg.channels?.msteams?.dmPolicy ?? "pairing",
-  promptAllowFrom: promptMSTeamsAllowFrom,
-});
-
-const msteamsSetupWizardBase = createMSTeamsSetupWizardBase();
-
-export const msteamsSetupWizard: ChannelSetupWizard = {
-  ...msteamsSetupWizardBase,
-  // Override finalize to layer on the optional delegated-auth bootstrap after
-  // the base wizard collects app credentials. This preserves main's shared
-  // setup-core flow while keeping the delegated OAuth step from this PR.
-  finalize: async (params) => {
-    // setup-core always provides a finalize; the type is optional only because
-    // ChannelSetupWizard.finalize is generally optional. Fall back to the
-    // incoming cfg if the base ever returns void for forward-compat.
-    const baseFinalize = msteamsSetupWizardBase.finalize;
-    const baseResult = baseFinalize ? await baseFinalize(params) : undefined;
-    let next = baseResult?.cfg ?? params.cfg;
-    const finalCreds = resolveMSTeamsCredentials(next.channels?.msteams);
-    if (finalCreds?.type === "secret") {
-      const enableDelegated = await params.prompter.confirm({
-        message: "Enable delegated auth? (required for reactions and write operations)",
-        initialValue: false,
-      });
-      if (enableDelegated) {
-        next = {
-          ...next,
-          channels: {
-            ...next.channels,
-            msteams: {
-              ...next.channels?.msteams,
-              delegatedAuth: { enabled: true },
-            },
-          },
-        };
-        try {
-          const { loginMSTeamsDelegated } = await import("./oauth.js");
-          const { shouldUseManualOAuthFlow } = await import("./oauth.flow.js");
-          const isRemote = Boolean(process.env.SSH_TTY || process.env.SSH_CONNECTION);
-          const progress = params.prompter.progress("MSTeams Delegated OAuth");
-          const tokens = await loginMSTeamsDelegated(
-            {
-              isRemote: shouldUseManualOAuthFlow(isRemote),
-              openUrl: openDelegatedOAuthUrl,
-              log: (msg) => params.prompter.note(msg),
-              note: (msg, title) => params.prompter.note(msg, title),
-              prompt: (msg) => params.prompter.text({ message: msg }),
-              progress,
-            },
-            {
-              tenantId: finalCreds.tenantId,
-              clientId: finalCreds.appId,
-              clientSecret: finalCreds.appPassword,
-            },
-          );
-          saveDelegatedTokens(tokens);
-          progress.stop("Delegated auth configured");
-        } catch (err) {
-          await params.prompter.note(
-            `Delegated auth setup failed: ${formatUnknownError(err)}\n` +
-              "You can retry later via the setup wizard.",
-            "MS Teams delegated auth",
-          );
-        }
-      }
-    }
-    return { ...baseResult, cfg: next };
-  },
-  dmPolicy: msteamsDmPolicy,
-  groupAccess: msteamsGroupAccess,
-  disable: (cfg) => ({
-    ...cfg,
-    channels: {
-      ...cfg.channels,
-      msteams: { ...cfg.channels?.msteams, enabled: false },
-    },
-  }),
-};

package/src/sso-token-store.test.ts

@@ -1,72 +0,0 @@
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-import { describe, expect, it } from "vitest";
-import { createMSTeamsSsoTokenStoreFs } from "./sso-token-store.js";
-
-describe("msteams sso token store (fs)", () => {
-  it("keeps distinct tokens when connectionName and userId contain the legacy delimiter", async () => {
-    const stateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-msteams-sso-"));
-    const storePath = path.join(stateDir, "msteams-sso-tokens.json");
-    const store = createMSTeamsSsoTokenStoreFs({ storePath });
-
-    const first = {
-      connectionName: "conn::alpha",
-      userId: "user",
-      token: "token-a",
-      updatedAt: "2026-04-10T00:00:00.000Z",
-    } as const;
-    const second = {
-      connectionName: "conn",
-      userId: "alpha::user",
-      token: "token-b",
-      updatedAt: "2026-04-10T00:00:01.000Z",
-    } as const;
-
-    await store.save(first);
-    await store.save(second);
-
-    expect(await store.get(first)).toEqual(first);
-    expect(await store.get(second)).toEqual(second);
-
-    const raw = JSON.parse(await fs.readFile(storePath, "utf8")) as {
-      tokens: Record<string, unknown>;
-    };
-    expect(Object.keys(raw.tokens)).toHaveLength(2);
-  });
-
-  it("loads legacy flat-key files by rebuilding keys from stored token payloads", async () => {
-    const stateDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-msteams-sso-legacy-"));
-    const storePath = path.join(stateDir, "msteams-sso-tokens.json");
-    await fs.writeFile(
-      storePath,
-      `${JSON.stringify(
-        {
-          version: 1,
-          tokens: {
-            "legacy::wrong-key": {
-              connectionName: "conn",
-              userId: "user-1",
-              token: "token-1",
-              updatedAt: "2026-04-10T00:00:00.000Z",
-            },
-          },
-        },
-        null,
-        2,
-      )}\n`,
-      "utf8",
-    );
-
-    const store = createMSTeamsSsoTokenStoreFs({ storePath });
-    expect(
-      await store.get({
-        connectionName: "conn",
-        userId: "user-1",
-      }),
-    ).toMatchObject({
-      token: "token-1",
-      updatedAt: "2026-04-10T00:00:00.000Z",
-    });
-  });
-});

package/src/sso-token-store.ts

@@ -1,166 +0,0 @@
-/**
- * File-backed store for Bot Framework OAuth SSO tokens.
- *
- * Tokens are keyed by (connectionName, userId). `userId` should be the
- * stable AAD object ID (`activity.from.aadObjectId`) when available,
- * falling back to the Bot Framework `activity.from.id`.
- *
- * The store is intentionally minimal: it persists the exchanged user
- * token plus its expiration so consumers (for example tool handlers
- * that call Microsoft Graph with delegated permissions) can fetch a
- * valid token without reaching back into Bot Framework every turn.
- */
-
-import { resolveMSTeamsStorePath } from "./storage.js";
-import { readJsonFile, withFileLock, writeJsonFile } from "./store-fs.js";
-
-type MSTeamsSsoStoredToken = {
-  /** Connection name from the Bot Framework OAuth connection setting. */
-  connectionName: string;
-  /** Stable user identifier (AAD object ID preferred). */
-  userId: string;
-  /** Exchanged user access token. */
-  token: string;
-  /** Expiration (ISO 8601) when the Bot Framework user token service reports one. */
-  expiresAt?: string;
-  /** ISO 8601 timestamp for the last successful exchange. */
-  updatedAt: string;
-};
-
-export type MSTeamsSsoTokenStore = {
-  get(params: { connectionName: string; userId: string }): Promise<MSTeamsSsoStoredToken | null>;
-  save(token: MSTeamsSsoStoredToken): Promise<void>;
-  remove(params: { connectionName: string; userId: string }): Promise<boolean>;
-};
-
-type SsoStoreData = {
-  version: 1;
-  // Keyed by `${connectionName}::${userId}` for a simple flat map on disk.
-  tokens: Record<string, MSTeamsSsoStoredToken>;
-};
-
-const STORE_FILENAME = "msteams-sso-tokens.json";
-const STORE_KEY_VERSION_PREFIX = "v2:";
-
-function makeKey(connectionName: string, userId: string): string {
-  return `${STORE_KEY_VERSION_PREFIX}${Buffer.from(
-    JSON.stringify([connectionName, userId]),
-    "utf8",
-  ).toString("base64url")}`;
-}
-
-function normalizeStoredToken(value: unknown): MSTeamsSsoStoredToken | null {
-  if (!value || typeof value !== "object") {
-    return null;
-  }
-  const token = value as Partial<MSTeamsSsoStoredToken>;
-  if (
-    typeof token.connectionName !== "string" ||
-    !token.connectionName ||
-    typeof token.userId !== "string" ||
-    !token.userId ||
-    typeof token.token !== "string" ||
-    !token.token ||
-    typeof token.updatedAt !== "string" ||
-    !token.updatedAt
-  ) {
-    return null;
-  }
-  return {
-    connectionName: token.connectionName,
-    userId: token.userId,
-    token: token.token,
-    ...(typeof token.expiresAt === "string" ? { expiresAt: token.expiresAt } : {}),
-    updatedAt: token.updatedAt,
-  };
-}
-
-function isSsoStoreData(value: unknown): value is SsoStoreData {
-  if (!value || typeof value !== "object") {
-    return false;
-  }
-  const obj = value as Record<string, unknown>;
-  return obj.version === 1 && typeof obj.tokens === "object" && obj.tokens !== null;
-}
-
-export function createMSTeamsSsoTokenStoreFs(params?: {
-  env?: NodeJS.ProcessEnv;
-  homedir?: () => string;
-  stateDir?: string;
-  storePath?: string;
-}): MSTeamsSsoTokenStore {
-  const filePath = resolveMSTeamsStorePath({
-    filename: STORE_FILENAME,
-    env: params?.env,
-    homedir: params?.homedir,
-    stateDir: params?.stateDir,
-    storePath: params?.storePath,
-  });
-
-  const empty: SsoStoreData = { version: 1, tokens: {} };
-
-  const readStore = async (): Promise<SsoStoreData> => {
-    const { value } = await readJsonFile(filePath, empty);
-    if (!isSsoStoreData(value)) {
-      return { version: 1, tokens: {} };
-    }
-    const tokens: Record<string, MSTeamsSsoStoredToken> = {};
-    for (const stored of Object.values(value.tokens)) {
-      const normalized = normalizeStoredToken(stored);
-      if (!normalized) {
-        continue;
-      }
-      tokens[makeKey(normalized.connectionName, normalized.userId)] = normalized;
-    }
-    return {
-      version: 1,
-      tokens,
-    };
-  };
-
-  return {
-    async get({ connectionName, userId }) {
-      const store = await readStore();
-      return store.tokens[makeKey(connectionName, userId)] ?? null;
-    },
-
-    async save(token) {
-      await withFileLock(filePath, empty, async () => {
-        const store = await readStore();
-        const key = makeKey(token.connectionName, token.userId);
-        store.tokens[key] = { ...token };
-        await writeJsonFile(filePath, store);
-      });
-    },
-
-    async remove({ connectionName, userId }) {
-      let removed = false;
-      await withFileLock(filePath, empty, async () => {
-        const store = await readStore();
-        const key = makeKey(connectionName, userId);
-        if (store.tokens[key]) {
-          delete store.tokens[key];
-          removed = true;
-          await writeJsonFile(filePath, store);
-        }
-      });
-      return removed;
-    },
-  };
-}
-
-/** In-memory store, primarily useful for tests. */
-export function createMSTeamsSsoTokenStoreMemory(): MSTeamsSsoTokenStore {
-  const tokens = new Map<string, MSTeamsSsoStoredToken>();
-  return {
-    async get({ connectionName, userId }) {
-      return tokens.get(makeKey(connectionName, userId)) ?? null;
-    },
-    async save(token) {
-      tokens.set(makeKey(token.connectionName, token.userId), { ...token });
-    },
-    async remove({ connectionName, userId }) {
-      return tokens.delete(makeKey(connectionName, userId));
-    },
-  };
-}