@openclaw/msteams 2026.5.2 → 2026.5.3-beta.1

package/dist/index.js

@@ -0,0 +1,22 @@
+import { defineBundledChannelEntry } from "openclaw/plugin-sdk/channel-entry-contract";
+//#region extensions/msteams/index.ts
+var msteams_default = defineBundledChannelEntry({
+	id: "msteams",
+	name: "Microsoft Teams",
+	description: "Microsoft Teams channel plugin (Bot Framework)",
+	importMetaUrl: import.meta.url,
+	plugin: {
+		specifier: "./channel-plugin-api.js",
+		exportName: "msteamsPlugin"
+	},
+	secrets: {
+		specifier: "./secret-contract-api.js",
+		exportName: "channelSecrets"
+	},
+	runtime: {
+		specifier: "./runtime-api.js",
+		exportName: "setMSTeamsRuntime"
+	}
+});
+//#endregion
+export { msteams_default as default };

package/dist/oauth-BWJyilR1.js

@@ -0,0 +1,114 @@
+import { a as MSTEAMS_OAUTH_CALLBACK_PORT, i as MSTEAMS_OAUTH_CALLBACK_PATH, o as MSTEAMS_OAUTH_REDIRECT_URI, r as MSTEAMS_DEFAULT_DELEGATED_SCOPES, s as buildMSTeamsAuthEndpoint, t as exchangeMSTeamsCodeForTokens } from "./oauth.token-xxpoLWy5.js";
+import { generateHexPkceVerifierChallenge } from "openclaw/plugin-sdk/provider-auth";
+import { generateOAuthState, parseOAuthCallbackInput, waitForLocalOAuthCallback } from "openclaw/plugin-sdk/provider-auth-runtime";
+import { isWSL2Sync } from "openclaw/plugin-sdk/runtime-env";
+//#region extensions/msteams/src/oauth.flow.ts
+function shouldUseManualOAuthFlow(isRemote) {
+	return isRemote || isWSL2Sync();
+}
+function generatePkce() {
+	return generateHexPkceVerifierChallenge();
+}
+function buildMSTeamsAuthUrl(params) {
+	const scopes = params.scopes ?? MSTEAMS_DEFAULT_DELEGATED_SCOPES;
+	return `${buildMSTeamsAuthEndpoint(params.tenantId)}?${new URLSearchParams({
+		client_id: params.clientId,
+		response_type: "code",
+		redirect_uri: MSTEAMS_OAUTH_REDIRECT_URI,
+		scope: scopes.join(" "),
+		code_challenge: params.challenge,
+		code_challenge_method: "S256",
+		state: params.state,
+		prompt: "consent"
+	}).toString()}`;
+}
+function parseCallbackInput(input, _expectedState) {
+	return parseOAuthCallbackInput(input, {
+		missingState: "Missing 'state' parameter in URL. Paste the full redirect URL.",
+		invalidInput: "Paste the full redirect URL (including code and state parameters), not just the authorization code."
+	});
+}
+async function waitForLocalCallback(params) {
+	return await waitForLocalOAuthCallback({
+		expectedState: params.expectedState,
+		timeoutMs: params.timeoutMs,
+		port: MSTEAMS_OAUTH_CALLBACK_PORT,
+		callbackPath: MSTEAMS_OAUTH_CALLBACK_PATH,
+		redirectUri: MSTEAMS_OAUTH_REDIRECT_URI,
+		successTitle: "MSTeams Delegated OAuth complete",
+		progressMessage: `Waiting for OAuth callback on ${MSTEAMS_OAUTH_REDIRECT_URI}...`,
+		onProgress: params.onProgress
+	});
+}
+//#endregion
+//#region extensions/msteams/src/oauth.ts
+async function loginMSTeamsDelegated(ctx, params) {
+	const scopes = params.scopes ?? MSTEAMS_DEFAULT_DELEGATED_SCOPES;
+	const needsManual = shouldUseManualOAuthFlow(ctx.isRemote);
+	await ctx.note(needsManual ? [
+		"You are running in a remote/VPS environment.",
+		"A URL will be shown for you to open in your LOCAL browser.",
+		"After signing in, copy the redirect URL and paste it back here."
+	].join("\n") : [
+		"Browser will open for Microsoft authentication.",
+		`Sign in to grant delegated permissions for MSTeams.`,
+		`The callback will be captured automatically on localhost:${MSTEAMS_OAUTH_CALLBACK_PORT}.`
+	].join("\n"), "MSTeams Delegated OAuth");
+	const { verifier, challenge } = generatePkce();
+	const state = generateOAuthState();
+	const authUrl = buildMSTeamsAuthUrl({
+		tenantId: params.tenantId,
+		clientId: params.clientId,
+		challenge,
+		state,
+		scopes
+	});
+	if (needsManual) return manualFlow(ctx, authUrl, state, verifier, params);
+	ctx.progress.update("Complete sign-in in browser...");
+	try {
+		await ctx.openUrl(authUrl);
+	} catch {
+		ctx.log(`\nOpen this URL in your browser:\n\n${authUrl}\n`);
+	}
+	try {
+		const { code } = await waitForLocalCallback({
+			expectedState: state,
+			timeoutMs: 300 * 1e3,
+			onProgress: (msg) => ctx.progress.update(msg)
+		});
+		ctx.progress.update("Exchanging authorization code for tokens...");
+		return await exchangeMSTeamsCodeForTokens({
+			tenantId: params.tenantId,
+			clientId: params.clientId,
+			clientSecret: params.clientSecret,
+			code,
+			verifier,
+			scopes
+		});
+	} catch (err) {
+		if (err instanceof Error && (err.message.includes("EADDRINUSE") || err.message.includes("port") || err.message.includes("listen"))) {
+			ctx.progress.update("Local callback server failed. Switching to manual mode...");
+			return manualFlow(ctx, authUrl, state, verifier, params, err);
+		}
+		throw err;
+	}
+}
+async function manualFlow(ctx, authUrl, state, verifier, params, cause) {
+	ctx.progress.update("OAuth URL ready");
+	ctx.log(`\nOpen this URL in your LOCAL browser:\n\n${authUrl}\n`);
+	ctx.progress.update("Waiting for you to paste the callback URL...");
+	const parsed = parseCallbackInput(await ctx.prompt("Paste the redirect URL here: "), state);
+	if ("error" in parsed) throw new Error(parsed.error, cause ? { cause } : void 0);
+	if (parsed.state !== state) throw new Error("OAuth state mismatch - please try again", cause ? { cause } : void 0);
+	ctx.progress.update("Exchanging authorization code for tokens...");
+	return exchangeMSTeamsCodeForTokens({
+		tenantId: params.tenantId,
+		clientId: params.clientId,
+		clientSecret: params.clientSecret,
+		code: parsed.code,
+		verifier,
+		scopes: params.scopes
+	});
+}
+//#endregion
+export { loginMSTeamsDelegated };

package/dist/oauth.token-xxpoLWy5.js

@@ -0,0 +1,115 @@
+import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
+//#region extensions/msteams/src/oauth.shared.ts
+const MSTEAMS_OAUTH_REDIRECT_URI = "http://localhost:8086/oauth2callback";
+const MSTEAMS_OAUTH_CALLBACK_PORT = 8086;
+const MSTEAMS_OAUTH_CALLBACK_PATH = "/oauth2callback";
+const MSTEAMS_DEFAULT_TOKEN_FETCH_TIMEOUT_MS = 1e4;
+const MSTEAMS_DEFAULT_DELEGATED_SCOPES = [
+	"ChatMessage.Send",
+	"ChannelMessage.Send",
+	"Chat.ReadWrite",
+	"offline_access"
+];
+function buildMSTeamsAuthEndpoint(tenantId) {
+	return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/authorize`;
+}
+function buildMSTeamsTokenEndpoint(tenantId) {
+	return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`;
+}
+//#endregion
+//#region extensions/msteams/src/oauth.token.ts
+/** Five-minute buffer subtracted from token expiry to avoid edge-case clock drift. */
+const EXPIRY_BUFFER_MS = 300 * 1e3;
+function createMSTeamsTokenBody(params) {
+	const body = new URLSearchParams({
+		client_id: params.clientId,
+		client_secret: params.clientSecret,
+		grant_type: params.grantType,
+		scope: [...params.scopes].join(" ")
+	});
+	for (const [key, value] of Object.entries(params.values ?? {})) body.set(key, value);
+	return body;
+}
+async function fetchMSTeamsTokens(params) {
+	const currentFetch = globalThis.fetch;
+	const { response, release } = await fetchWithSsrFGuard({
+		url: params.tokenUrl,
+		fetchImpl: async (input, guardedInit) => await currentFetch(input, guardedInit),
+		init: {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
+				Accept: "application/json"
+			},
+			body: params.body,
+			signal: AbortSignal.timeout(MSTEAMS_DEFAULT_TOKEN_FETCH_TIMEOUT_MS)
+		},
+		auditContext: params.auditContext
+	});
+	try {
+		if (!response.ok) {
+			const errorText = await response.text();
+			throw new Error(`MSTeams ${params.failureLabel} failed (${response.status}): ${errorText}`);
+		}
+		return await response.json();
+	} finally {
+		await release();
+	}
+}
+async function requestMSTeamsDelegatedTokens(params) {
+	const scopes = params.scopes ?? MSTEAMS_DEFAULT_DELEGATED_SCOPES;
+	const body = createMSTeamsTokenBody({
+		clientId: params.clientId,
+		clientSecret: params.clientSecret,
+		grantType: params.grantType,
+		scopes,
+		values: params.values
+	});
+	const data = await fetchMSTeamsTokens({
+		tokenUrl: buildMSTeamsTokenEndpoint(params.tenantId),
+		body,
+		auditContext: params.auditContext,
+		failureLabel: params.failureLabel
+	});
+	return {
+		accessToken: data.access_token,
+		refreshToken: params.resolveRefreshToken(data),
+		expiresAt: Date.now() + data.expires_in * 1e3 - EXPIRY_BUFFER_MS,
+		scopes: data.scope ? data.scope.split(" ") : [...scopes]
+	};
+}
+async function exchangeMSTeamsCodeForTokens(params) {
+	return await requestMSTeamsDelegatedTokens({
+		tenantId: params.tenantId,
+		clientId: params.clientId,
+		clientSecret: params.clientSecret,
+		grantType: "authorization_code",
+		scopes: params.scopes,
+		values: {
+			code: params.code,
+			redirect_uri: MSTEAMS_OAUTH_REDIRECT_URI,
+			code_verifier: params.verifier
+		},
+		auditContext: "msteams-oauth-token-exchange",
+		failureLabel: "token exchange",
+		resolveRefreshToken: (data) => {
+			if (!data.refresh_token) throw new Error("No refresh token received from Azure AD. Please try again.");
+			return data.refresh_token;
+		}
+	});
+}
+async function refreshMSTeamsDelegatedTokens(params) {
+	return await requestMSTeamsDelegatedTokens({
+		tenantId: params.tenantId,
+		clientId: params.clientId,
+		clientSecret: params.clientSecret,
+		grantType: "refresh_token",
+		scopes: params.scopes,
+		values: { refresh_token: params.refreshToken },
+		auditContext: "msteams-oauth-token-refresh",
+		failureLabel: "token refresh",
+		resolveRefreshToken: (data) => data.refresh_token ?? params.refreshToken
+	});
+}
+//#endregion
+export { MSTEAMS_OAUTH_CALLBACK_PORT as a, MSTEAMS_OAUTH_CALLBACK_PATH as i, refreshMSTeamsDelegatedTokens as n, MSTEAMS_OAUTH_REDIRECT_URI as o, MSTEAMS_DEFAULT_DELEGATED_SCOPES as r, buildMSTeamsAuthEndpoint as s, exchangeMSTeamsCodeForTokens as t };

package/dist/policy-DTnU2GR7.js

@@ -0,0 +1,142 @@
+import { C as normalizeChannelSlug, D as resolveChannelEntryMatchWithFallback, E as resolveAllowlistMatchSimple, M as resolveNestedAllowlistDecision, P as resolveToolsBySender, i as buildChannelKeyCandidates, p as evaluateSenderGroupAccessForPolicy, v as isDangerousNameMatchingEnabled } from "./runtime-api-DV1iVMn1.js";
+//#region extensions/msteams/src/policy.ts
+function resolveMSTeamsRouteConfig(params) {
+	const teamId = params.teamId?.trim();
+	const teamName = params.teamName?.trim();
+	const conversationId = params.conversationId?.trim();
+	const channelName = params.channelName?.trim();
+	const teams = params.cfg?.teams ?? {};
+	const allowlistConfigured = Object.keys(teams).length > 0;
+	const teamMatch = resolveChannelEntryMatchWithFallback({
+		entries: teams,
+		keys: buildChannelKeyCandidates(teamId, params.allowNameMatching ? teamName : void 0, params.allowNameMatching && teamName ? normalizeChannelSlug(teamName) : void 0),
+		wildcardKey: "*",
+		normalizeKey: normalizeChannelSlug
+	});
+	const teamConfig = teamMatch.entry;
+	const channels = teamConfig?.channels ?? {};
+	const channelAllowlistConfigured = Object.keys(channels).length > 0;
+	const channelMatch = resolveChannelEntryMatchWithFallback({
+		entries: channels,
+		keys: buildChannelKeyCandidates(conversationId, params.allowNameMatching ? channelName : void 0, params.allowNameMatching && channelName ? normalizeChannelSlug(channelName) : void 0),
+		wildcardKey: "*",
+		normalizeKey: normalizeChannelSlug
+	});
+	const channelConfig = channelMatch.entry;
+	return {
+		teamConfig,
+		channelConfig,
+		allowlistConfigured,
+		allowed: resolveNestedAllowlistDecision({
+			outerConfigured: allowlistConfigured,
+			outerMatched: Boolean(teamConfig),
+			innerConfigured: channelAllowlistConfigured,
+			innerMatched: Boolean(channelConfig)
+		}),
+		teamKey: teamMatch.matchKey ?? teamMatch.key,
+		channelKey: channelMatch.matchKey ?? channelMatch.key,
+		channelMatchKey: channelMatch.matchKey,
+		channelMatchSource: channelMatch.matchSource === "direct" || channelMatch.matchSource === "wildcard" ? channelMatch.matchSource : void 0
+	};
+}
+function resolveMSTeamsGroupToolPolicy(params) {
+	const cfg = params.cfg.channels?.msteams;
+	if (!cfg) return;
+	const groupId = params.groupId?.trim();
+	const groupChannel = params.groupChannel?.trim();
+	const groupSpace = params.groupSpace?.trim();
+	const allowNameMatching = isDangerousNameMatchingEnabled(cfg);
+	const resolved = resolveMSTeamsRouteConfig({
+		cfg,
+		teamId: groupSpace,
+		teamName: groupSpace,
+		conversationId: groupId,
+		channelName: groupChannel,
+		allowNameMatching
+	});
+	if (resolved.channelConfig) {
+		const senderPolicy = resolveToolsBySender({
+			toolsBySender: resolved.channelConfig.toolsBySender,
+			senderId: params.senderId,
+			senderName: params.senderName,
+			senderUsername: params.senderUsername,
+			senderE164: params.senderE164
+		});
+		if (senderPolicy) return senderPolicy;
+		if (resolved.channelConfig.tools) return resolved.channelConfig.tools;
+		const teamSenderPolicy = resolveToolsBySender({
+			toolsBySender: resolved.teamConfig?.toolsBySender,
+			senderId: params.senderId,
+			senderName: params.senderName,
+			senderUsername: params.senderUsername,
+			senderE164: params.senderE164
+		});
+		if (teamSenderPolicy) return teamSenderPolicy;
+		return resolved.teamConfig?.tools;
+	}
+	if (resolved.teamConfig) {
+		const teamSenderPolicy = resolveToolsBySender({
+			toolsBySender: resolved.teamConfig.toolsBySender,
+			senderId: params.senderId,
+			senderName: params.senderName,
+			senderUsername: params.senderUsername,
+			senderE164: params.senderE164
+		});
+		if (teamSenderPolicy) return teamSenderPolicy;
+		if (resolved.teamConfig.tools) return resolved.teamConfig.tools;
+	}
+	if (!groupId) return;
+	const channelCandidates = buildChannelKeyCandidates(groupId, allowNameMatching ? groupChannel : void 0, allowNameMatching && groupChannel ? normalizeChannelSlug(groupChannel) : void 0);
+	for (const teamConfig of Object.values(cfg.teams ?? {})) {
+		const match = resolveChannelEntryMatchWithFallback({
+			entries: teamConfig?.channels ?? {},
+			keys: channelCandidates,
+			wildcardKey: "*",
+			normalizeKey: normalizeChannelSlug
+		});
+		if (match.entry) {
+			const senderPolicy = resolveToolsBySender({
+				toolsBySender: match.entry.toolsBySender,
+				senderId: params.senderId,
+				senderName: params.senderName,
+				senderUsername: params.senderUsername,
+				senderE164: params.senderE164
+			});
+			if (senderPolicy) return senderPolicy;
+			if (match.entry.tools) return match.entry.tools;
+			const teamSenderPolicy = resolveToolsBySender({
+				toolsBySender: teamConfig?.toolsBySender,
+				senderId: params.senderId,
+				senderName: params.senderName,
+				senderUsername: params.senderUsername,
+				senderE164: params.senderE164
+			});
+			if (teamSenderPolicy) return teamSenderPolicy;
+			return teamConfig?.tools;
+		}
+	}
+}
+function resolveMSTeamsAllowlistMatch(params) {
+	return resolveAllowlistMatchSimple(params);
+}
+function resolveMSTeamsReplyPolicy(params) {
+	if (params.isDirectMessage) return {
+		requireMention: false,
+		replyStyle: "thread"
+	};
+	const requireMention = params.channelConfig?.requireMention ?? params.teamConfig?.requireMention ?? params.globalConfig?.requireMention ?? true;
+	return {
+		requireMention,
+		replyStyle: params.channelConfig?.replyStyle ?? params.teamConfig?.replyStyle ?? params.globalConfig?.replyStyle ?? (requireMention ? "thread" : "top-level")
+	};
+}
+function isMSTeamsGroupAllowed(params) {
+	return evaluateSenderGroupAccessForPolicy({
+		groupPolicy: params.groupPolicy,
+		groupAllowFrom: params.allowFrom.map((entry) => String(entry)),
+		senderId: params.senderId,
+		isSenderAllowed: () => resolveMSTeamsAllowlistMatch(params).allowed
+	}).allowed;
+}
+//#endregion
+export { resolveMSTeamsRouteConfig as a, resolveMSTeamsReplyPolicy as i, resolveMSTeamsAllowlistMatch as n, resolveMSTeamsGroupToolPolicy as r, isMSTeamsGroupAllowed as t };