@openclaw/msteams 2026.5.28-beta.1 → 2026.5.28-beta.2

package/dist/api.js

@@ -1,3 +1,3 @@
-import { i as msteamsSetupAdapter, n as openDelegatedOAuthUrl, r as createMSTeamsSetupWizardBase, t as msteamsSetupWizard } from "./setup-surface-Byk8kgPH.js";
-import { t as msteamsPlugin } from "./channel-C4ifQ0RF.js";
+import { i as msteamsSetupAdapter, n as openDelegatedOAuthUrl, r as createMSTeamsSetupWizardBase, t as msteamsSetupWizard } from "./setup-surface-C-uCiIKh.js";
+import { t as msteamsPlugin } from "./channel-C_AMaSpi.js";
 export { createMSTeamsSetupWizardBase, msteamsPlugin, msteamsSetupAdapter, msteamsSetupWizard, openDelegatedOAuthUrl };

package/dist/{channel-C4ifQ0RF.js → channel-C_AMaSpi.js}

@@ -1,6 +1,6 @@
 import { O as resolveNestedAllowlistDecision, S as normalizeChannelSlug, T as resolveChannelEntryMatchWithFallback, _ as isDangerousNameMatchingEnabled, i as buildChannelKeyCandidates, k as resolveToolsBySender, o as buildProbeChannelStatusSummary, r as PAIRING_APPROVED_MESSAGE, s as chunkTextForOutbound, t as DEFAULT_ACCOUNT_ID, u as createDefaultChannelRuntimeState, w as resolveAllowlistMatchSimple } from "./runtime-api-BlvMnDKz.js";
-import { y as resolveMSTeamsCredentials } from "./errors-BevpsEsu.js";
-import { a as looksLikeMSTeamsTargetId, c as parseMSTeamsConversationId, d as resolveMSTeamsUserAllowlist, i as msteamsSetupAdapter, l as parseMSTeamsTeamChannelInput, o as normalizeMSTeamsMessagingTarget, s as normalizeMSTeamsUserInput, t as msteamsSetupWizard, u as resolveMSTeamsChannelAllowlist } from "./setup-surface-Byk8kgPH.js";
+import { y as resolveMSTeamsCredentials } from "./errors-B4snzfP5.js";
+import { a as looksLikeMSTeamsTargetId, c as parseMSTeamsConversationId, d as resolveMSTeamsUserAllowlist, i as msteamsSetupAdapter, l as parseMSTeamsTeamChannelInput, o as normalizeMSTeamsMessagingTarget, s as normalizeMSTeamsUserInput, t as msteamsSetupWizard, u as resolveMSTeamsChannelAllowlist } from "./setup-surface-C-uCiIKh.js";
 import { t as MSTeamsChannelConfigSchema } from "./config-schema-BL4qQZiA.js";
 import { describeAccountSnapshot } from "openclaw/plugin-sdk/account-helpers";
 import { formatAllowFromLowercase } from "openclaw/plugin-sdk/allow-from";
@@ -330,7 +330,7 @@ const collectMSTeamsSecurityWarnings = createAllowlistProviderGroupPolicyWarning
 	resolveGroupPolicy: ({ cfg }) => cfg.channels?.msteams?.groupPolicy,
 	collect: ({ groupPolicy }) => groupPolicy === "open" ? ["- MS Teams groups: groupPolicy=\"open\" allows any member to trigger (mention-gated). Set channels.msteams.groupPolicy=\"allowlist\" + channels.msteams.groupAllowFrom to restrict senders."] : []
 });
-const loadMSTeamsChannelRuntime = createLazyRuntimeNamedExport(() => import("./channel.runtime-Cl_OVKBH.js"), "msTeamsChannelRuntime");
+const loadMSTeamsChannelRuntime = createLazyRuntimeNamedExport(() => import("./channel.runtime-BJJ1R1iY.js"), "msTeamsChannelRuntime");
 const resolveMSTeamsChannelConfig = (cfg) => ({
 	allowFrom: cfg.channels?.msteams?.allowFrom,
 	defaultTo: cfg.channels?.msteams?.defaultTo
@@ -1116,7 +1116,7 @@ const msteamsPlugin = createChatChannelPlugin({
 			})
 		}),
 		gateway: { startAccount: async (ctx) => {
-			const { monitorMSTeamsProvider } = await import("./src-W5GVJcCN.js");
+			const { monitorMSTeamsProvider } = await import("./src-Cc3f8Zi2.js");
 			const port = ctx.cfg.channels?.msteams?.webhook?.port ?? 3978;
 			ctx.setStatus({
 				accountId: ctx.accountId,

package/dist/channel-plugin-api.js

@@ -1,2 +1,2 @@
-import { t as msteamsPlugin } from "./channel-C4ifQ0RF.js";
+import { t as msteamsPlugin } from "./channel-C_AMaSpi.js";
 export { msteamsPlugin };

package/dist/{channel.runtime-Cl_OVKBH.js → channel.runtime-BJJ1R1iY.js}

@@ -1,7 +1,7 @@
 import { C as normalizeStringEntries$1, s as chunkTextForOutbound } from "./runtime-api-BlvMnDKz.js";
-import { a as searchGraphUsers, c as fetchGraphAbsoluteUrl, d as listTeamsByName, f as normalizeQuery, g as resolveGraphToken, h as postGraphJson, l as fetchGraphJson, m as postGraphBetaJson, o as deleteGraphRequest, p as patchGraphJson, s as escapeOData, u as listChannelsForTeam } from "./errors-BevpsEsu.js";
-import { n as MSTEAMS_PRESENTATION_CAPABILITIES, r as buildMSTeamsPresentationCard } from "./channel-C4ifQ0RF.js";
-import { S as createMSTeamsConversationStoreFs, a as sendMessageMSTeams, b as createMSTeamsPollStoreFs, i as sendAdaptiveCardMSTeams, n as deleteMessageMSTeams, o as sendPollMSTeams, r as editMessageMSTeams, t as probeMSTeams } from "./probe-C9cvgEV9.js";
+import { a as searchGraphUsers, c as fetchGraphAbsoluteUrl, d as listTeamsByName, f as normalizeQuery, g as resolveGraphToken, h as postGraphJson, l as fetchGraphJson, m as postGraphBetaJson, o as deleteGraphRequest, p as patchGraphJson, s as escapeOData, u as listChannelsForTeam } from "./errors-B4snzfP5.js";
+import { n as MSTEAMS_PRESENTATION_CAPABILITIES, r as buildMSTeamsPresentationCard } from "./channel-C_AMaSpi.js";
+import { S as createMSTeamsConversationStoreFs, a as sendMessageMSTeams, b as createMSTeamsPollStoreFs, i as sendAdaptiveCardMSTeams, n as deleteMessageMSTeams, o as sendPollMSTeams, r as editMessageMSTeams, t as probeMSTeams } from "./probe-DRwI-ZqW.js";
 import { resolveOutboundSendDep } from "openclaw/plugin-sdk/channel-outbound";
 import { normalizeLowercaseStringOrEmpty, normalizeStringEntries } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { resolvePayloadMediaUrls, resolveTextChunksWithFallback, sendPayloadMediaSequence } from "openclaw/plugin-sdk/reply-payload";

package/dist/{errors-BevpsEsu.js → errors-B4snzfP5.js}

@@ -1,7 +1,8 @@
-import { M as getMSTeamsRuntime, h as fetchWithSsrFGuard } from "./runtime-api-BlvMnDKz.js";
+import { M as getMSTeamsRuntime, h as fetchWithSsrFGuard$1 } from "./runtime-api-BlvMnDKz.js";
 import { c as createMSTeamsHttpError, n as refreshMSTeamsDelegatedTokens } from "./oauth.token-5ygi8ycy.js";
 import { createRequire } from "node:module";
 import { isRecord, isRecord as isRecord$1, normalizeLowercaseStringOrEmpty, normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
+import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import { readProviderJsonResponse } from "openclaw/plugin-sdk/provider-http";
 import { Buffer } from "node:buffer";
 import { lookup } from "node:dns/promises";
@@ -292,6 +293,20 @@ function resolveAllowedHosts(input) {
 function resolveAuthAllowedHosts(input) {
 	return normalizeHostnameSuffixAllowlist(input, DEFAULT_MEDIA_AUTH_HOST_ALLOWLIST);
 }
+function isMockFetchFn(fetchFn) {
+	const candidate = fetchFn;
+	return Boolean(candidate.mock || Object.prototype.hasOwnProperty.call(candidate, "_isMockFunction"));
+}
+function resolveGuardedFetchImpl(params) {
+	if (!params.fetchFn) return;
+	if (params.fetchFnSupportsDispatcher === true || params.fetchFn === fetch || params.fetchFn === globalThis.fetch || isMockFetchFn(params.fetchFn)) return params.fetchFn;
+	throw new Error("MSTeams attachment fetchFn must set fetchFnSupportsDispatcher to use guarded DNS pinning");
+}
+function resolveRetainedAuthorizationRedirectHostnameAllowlist(input) {
+	if (!input) return;
+	if (input.includes("*")) return ["*"];
+	return resolveMediaSsrfPolicy(input)?.hostnameAllowlist;
+}
 function resolveAttachmentFetchPolicy(params) {
 	return {
 		allowHosts: resolveAllowedHosts(params?.allowHosts),
@@ -341,6 +356,50 @@ async function resolveAndValidateIP(hostname, resolveFn) {
 }
 /** Maximum number of redirects to follow in safeFetch. */
 const MAX_SAFE_REDIRECTS = 5;
+const NULL_BODY_STATUSES$1 = new Set([
+	101,
+	204,
+	205,
+	304
+]);
+function responseWithRelease(response, release) {
+	let released = false;
+	const releaseOnce = async () => {
+		if (released) return;
+		released = true;
+		await release();
+	};
+	if (!response.body || NULL_BODY_STATUSES$1.has(response.status)) {
+		releaseOnce();
+		return response;
+	}
+	const reader = response.body.getReader();
+	const body = new ReadableStream({
+		async pull(controller) {
+			try {
+				const next = await reader.read();
+				if (next.done) {
+					controller.close();
+					await releaseOnce();
+					return;
+				}
+				controller.enqueue(next.value);
+			} catch (err) {
+				await releaseOnce();
+				throw err;
+			}
+		},
+		async cancel(reason) {
+			reader.cancel(reason).catch(() => {});
+			await releaseOnce();
+		}
+	});
+	return new Response(body, {
+		status: response.status,
+		statusText: response.statusText,
+		headers: response.headers
+	});
+}
 /**
 * Fetch a URL with redirect: "manual", validating each redirect target
 * against the hostname allowlist and optional DNS-resolved IP (anti-SSRF).
@@ -350,13 +409,32 @@ const MAX_SAFE_REDIRECTS = 5;
 * - DNS rebinding attacks when a lookup function is provided
 */
 async function safeFetch(params) {
-	const fetchFn = params.fetchFn ?? fetch;
 	const resolveFn = params.resolveFn ?? lookup;
 	const hasDispatcher = Boolean(params.requestInit && typeof params.requestInit === "object" && "dispatcher" in params.requestInit);
 	const currentHeaders = new Headers(params.requestInit?.headers);
 	let currentUrl = params.url;
 	if (!isUrlAllowed(currentUrl, params.allowHosts)) throw new Error(`Initial download URL blocked: ${currentUrl}`);
 	if (currentHeaders.has("authorization") && params.authorizationAllowHosts && !isUrlAllowed(currentUrl, params.authorizationAllowHosts)) currentHeaders.delete("authorization");
+	if (!hasDispatcher) {
+		const guarded = await fetchWithSsrFGuard({
+			url: currentUrl,
+			fetchImpl: resolveGuardedFetchImpl({
+				fetchFn: params.fetchFn,
+				fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher
+			}),
+			init: {
+				...params.requestInit,
+				headers: currentHeaders
+			},
+			maxRedirects: MAX_SAFE_REDIRECTS,
+			requireHttps: true,
+			policy: resolveMediaSsrfPolicy(params.allowHosts),
+			lookupFn: resolveFn,
+			retainAuthorizationRedirectHostnameAllowlist: resolveRetainedAuthorizationRedirectHostnameAllowlist(params.authorizationAllowHosts),
+			auditContext: "msteams.attachment"
+		});
+		return responseWithRelease(guarded.response, guarded.release);
+	}
 	if (resolveFn) try {
 		const initialHost = new URL(currentUrl).hostname;
 		await resolveAndValidateIP(initialHost, resolveFn);
@@ -364,7 +442,7 @@ async function safeFetch(params) {
 		throw new Error(`Initial download URL blocked: ${currentUrl}`);
 	}
 	for (let i = 0; i <= MAX_SAFE_REDIRECTS; i++) {
-		const res = await fetchFn(currentUrl, {
+		const res = await (params.fetchFn ?? fetch)(currentUrl, {
 			...params.requestInit,
 			headers: currentHeaders,
 			redirect: "manual"
@@ -401,6 +479,7 @@ async function safeFetchWithPolicy(params) {
 		allowHosts: params.policy.allowHosts,
 		authorizationAllowHosts: params.policy.authAllowHosts,
 		fetchFn: params.fetchFn,
+		fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 		requestInit: params.requestInit,
 		resolveFn: params.resolveFn
 	});
@@ -761,7 +840,7 @@ async function requestGraph(params) {
 	const hasBody = params.body !== void 0;
 	const url = `${params.root ?? "https://graph.microsoft.com/v1.0"}${params.path}`;
 	const currentFetch = globalThis.fetch;
-	const { response, release } = await fetchWithSsrFGuard({
+	const { response, release } = await fetchWithSsrFGuard$1({
 		url,
 		fetchImpl: async (input, guardedInit) => await currentFetch(input, guardedInit),
 		init: {
@@ -806,7 +885,7 @@ async function fetchGraphJson(params) {
 * pagination URLs) without prepending GRAPH_ROOT.
 */
 async function fetchGraphAbsoluteUrl(params) {
-	const { response, release } = await fetchWithSsrFGuard({
+	const { response, release } = await fetchWithSsrFGuard$1({
 		url: params.url,
 		init: { headers: {
 			"User-Agent": buildUserAgent(),

package/dist/{probe-C9cvgEV9.js → probe-DRwI-ZqW.js}

@@ -1,7 +1,7 @@
 import { C as normalizeStringEntries$1, E as resolveChannelMediaMaxBytes, M as getMSTeamsRuntime, d as detectMime, g as getFileExtension, m as extractOriginalFilename, p as extensionForMime, y as loadOutboundMediaFromUrl } from "./runtime-api-BlvMnDKz.js";
-import { A as isAllowedBotFrameworkServiceUrl, C as readAccessToken, D as buildUserAgent, E as loadMSTeamsSdkWithAuth, N as resolveMSTeamsSdkCloudOptions, P as validateMSTeamsProactiveServiceUrlBoundary, T as createMSTeamsTokenProvider, i as isRevokedProxyError, j as normalizeBotFrameworkServiceUrl, k as describeBotFrameworkServiceUrlHost, n as formatMSTeamsSendErrorHint, r as formatUnknownError, t as classifyMSTeamsSendError, v as loadDelegatedTokens, x as resolveMSTeamsStorePath, y as resolveMSTeamsCredentials } from "./errors-BevpsEsu.js";
+import { A as isAllowedBotFrameworkServiceUrl, C as readAccessToken, D as buildUserAgent, E as loadMSTeamsSdkWithAuth, N as resolveMSTeamsSdkCloudOptions, P as validateMSTeamsProactiveServiceUrlBoundary, T as createMSTeamsTokenProvider, i as isRevokedProxyError, j as normalizeBotFrameworkServiceUrl, k as describeBotFrameworkServiceUrlHost, n as formatMSTeamsSendErrorHint, r as formatUnknownError, t as classifyMSTeamsSendError, v as loadDelegatedTokens, x as resolveMSTeamsStorePath, y as resolveMSTeamsCredentials } from "./errors-B4snzfP5.js";
 import { c as createMSTeamsHttpError } from "./oauth.token-5ygi8ycy.js";
-import { a as resolveMSTeamsReplyPolicy, o as resolveMSTeamsRouteConfig } from "./channel-C4ifQ0RF.js";
+import { a as resolveMSTeamsReplyPolicy, o as resolveMSTeamsRouteConfig } from "./channel-C_AMaSpi.js";
 import { createMessageReceiptFromOutboundResults } from "openclaw/plugin-sdk/channel-outbound";
 import { isRecord, normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, normalizeOptionalString, normalizeStringEntries, uniqueStrings } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { withFileLock } from "openclaw/plugin-sdk/file-lock";

package/dist/setup-plugin-api.js

@@ -1,5 +1,5 @@
-import { y as resolveMSTeamsCredentials } from "./errors-BevpsEsu.js";
-import { i as msteamsSetupAdapter, t as msteamsSetupWizard } from "./setup-surface-Byk8kgPH.js";
+import { y as resolveMSTeamsCredentials } from "./errors-B4snzfP5.js";
+import { i as msteamsSetupAdapter, t as msteamsSetupWizard } from "./setup-surface-C-uCiIKh.js";
 import { t as MSTeamsChannelConfigSchema } from "./config-schema-BL4qQZiA.js";
 import { describeAccountSnapshot } from "openclaw/plugin-sdk/account-helpers";
 import { formatAllowFromLowercase } from "openclaw/plugin-sdk/allow-from";

package/dist/{setup-surface-Byk8kgPH.js → setup-surface-C-uCiIKh.js}

@@ -1,4 +1,4 @@
-import { S as normalizeSecretInputString, _ as hasConfiguredMSTeamsCredentials, a as searchGraphUsers, b as saveDelegatedTokens, d as listTeamsByName, f as normalizeQuery, g as resolveGraphToken, r as formatUnknownError, u as listChannelsForTeam, y as resolveMSTeamsCredentials } from "./errors-BevpsEsu.js";
+import { S as normalizeSecretInputString, _ as hasConfiguredMSTeamsCredentials, a as searchGraphUsers, b as saveDelegatedTokens, d as listTeamsByName, f as normalizeQuery, g as resolveGraphToken, r as formatUnknownError, u as listChannelsForTeam, y as resolveMSTeamsCredentials } from "./errors-B4snzfP5.js";
 import { mapAllowlistResolutionInputs } from "openclaw/plugin-sdk/allow-from";
 import { normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { DEFAULT_ACCOUNT_ID, createSetupTranslator, createStandardChannelSetupStatus, createTopLevelChannelAllowFromSetter, createTopLevelChannelDmPolicy, createTopLevelChannelGroupPolicySetter, mergeAllowFromEntries, splitSetupEntries } from "openclaw/plugin-sdk/setup";

package/dist/{src-W5GVJcCN.js → src-Cc3f8Zi2.js}

@@ -1,8 +1,8 @@
 import { A as summarizeMapping, D as resolveDefaultGroupPolicy, E as resolveChannelMediaMaxBytes, M as getMSTeamsRuntime, N as getOptionalMSTeamsRuntime, _ as isDangerousNameMatchingEnabled, a as buildMediaPayload, b as logTypingFailure, c as createChannelMessageReplyPipeline, f as dispatchReplyFromConfigWithSettledDispatcher$1, l as createChannelPairingController, n as DEFAULT_WEBHOOK_MAX_BODY_BYTES, t as DEFAULT_ACCOUNT_ID, v as keepHttpServerTaskAlive, x as mergeAllowlist } from "./runtime-api-BlvMnDKz.js";
-import { $ as safeFetchWithPolicy, B as estimateBase64DecodedBytes, E as loadMSTeamsSdkWithAuth, F as ATTACHMENT_TAG_RE, G as isLikelyImageAttachment, H as extractInlineImageCandidates, I as GRAPH_ROOT, J as normalizeContentType, K as isRecord$1, L as IMG_SRC_RE, M as tryNormalizeBotFrameworkServiceUrl, N as resolveMSTeamsSdkCloudOptions, O as ensureUserAgentHeader, Q as resolveRequestUrl, R as applyAuthorizationHeaderForUrl, T as createMSTeamsTokenProvider, U as inferPlaceholder, V as extractHtmlFromAttachment, W as isDownloadableAttachment, X as resolveAttachmentFetchPolicy, Y as readNestedString, Z as resolveMediaSsrfPolicy, et as safeHostForUrl, l as fetchGraphJson, n as formatMSTeamsSendErrorHint, q as isUrlAllowed, r as formatUnknownError, t as classifyMSTeamsSendError, tt as tryBuildGraphSharesUrlForSharedLink, w as createMSTeamsExpressAdapter, x as resolveMSTeamsStorePath, y as resolveMSTeamsCredentials, z as encodeGraphShareId } from "./errors-BevpsEsu.js";
-import { d as resolveMSTeamsUserAllowlist, u as resolveMSTeamsChannelAllowlist } from "./setup-surface-Byk8kgPH.js";
-import { a as resolveMSTeamsReplyPolicy, i as resolveMSTeamsAllowlistMatch, o as resolveMSTeamsRouteConfig } from "./channel-C4ifQ0RF.js";
-import { C as readJsonFile, S as createMSTeamsConversationStoreFs, T as writeJsonFile, _ as buildFileInfoCard, b as createMSTeamsPollStoreFs, c as renderReplyPayloadsToMessages, d as withRevokedProxyFallback, f as resolveGraphChatId, g as removePendingUploadFs, h as getPendingUploadFs, l as sendMSTeamsMessages, m as removePendingUpload, p as getPendingUpload, s as buildConversationReference, u as sendMSTeamsActivityWithReference, v as parseFileConsentInvoke, w as withFileLock, x as extractMSTeamsPollVote, y as uploadToConsentUrl } from "./probe-C9cvgEV9.js";
+import { $ as safeFetchWithPolicy, B as estimateBase64DecodedBytes, E as loadMSTeamsSdkWithAuth, F as ATTACHMENT_TAG_RE, G as isLikelyImageAttachment, H as extractInlineImageCandidates, I as GRAPH_ROOT, J as normalizeContentType, K as isRecord$1, L as IMG_SRC_RE, M as tryNormalizeBotFrameworkServiceUrl, N as resolveMSTeamsSdkCloudOptions, O as ensureUserAgentHeader, Q as resolveRequestUrl, R as applyAuthorizationHeaderForUrl, T as createMSTeamsTokenProvider, U as inferPlaceholder, V as extractHtmlFromAttachment, W as isDownloadableAttachment, X as resolveAttachmentFetchPolicy, Y as readNestedString, Z as resolveMediaSsrfPolicy, et as safeHostForUrl, l as fetchGraphJson, n as formatMSTeamsSendErrorHint, q as isUrlAllowed, r as formatUnknownError, t as classifyMSTeamsSendError, tt as tryBuildGraphSharesUrlForSharedLink, w as createMSTeamsExpressAdapter, x as resolveMSTeamsStorePath, y as resolveMSTeamsCredentials, z as encodeGraphShareId } from "./errors-B4snzfP5.js";
+import { d as resolveMSTeamsUserAllowlist, u as resolveMSTeamsChannelAllowlist } from "./setup-surface-C-uCiIKh.js";
+import { a as resolveMSTeamsReplyPolicy, i as resolveMSTeamsAllowlistMatch, o as resolveMSTeamsRouteConfig } from "./channel-C_AMaSpi.js";
+import { C as readJsonFile, S as createMSTeamsConversationStoreFs, T as writeJsonFile, _ as buildFileInfoCard, b as createMSTeamsPollStoreFs, c as renderReplyPayloadsToMessages, d as withRevokedProxyFallback, f as resolveGraphChatId, g as removePendingUploadFs, h as getPendingUploadFs, l as sendMSTeamsMessages, m as removePendingUpload, p as getPendingUpload, s as buildConversationReference, u as sendMSTeamsActivityWithReference, v as parseFileConsentInvoke, w as withFileLock, x as extractMSTeamsPollVote, y as uploadToConsentUrl } from "./probe-DRwI-ZqW.js";
 import { formatAllowlistMatchMeta } from "openclaw/plugin-sdk/allow-from";
 import { buildChannelProgressDraftLine, buildChannelProgressDraftLineForEntry, createChannelProgressDraftGate, formatChannelProgressDraftText, isChannelProgressDraftWorkToolName, mergeChannelProgressDraftLine, normalizeChannelProgressDraftLineIdentity, resolveChannelPreviewStreamMode, resolveChannelProgressDraftMaxLines, resolveChannelStreamingBlockEnabled, resolveChannelStreamingPreviewToolProgress, resolveChannelStreamingSuppressDefaultToolProgressMessages } from "openclaw/plugin-sdk/channel-outbound";
 import { normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, normalizeOptionalString, uniqueStrings } from "openclaw/plugin-sdk/string-coerce-runtime";
@@ -499,6 +499,7 @@ async function fetchBotFrameworkAttachmentInfo(params) {
 			url,
 			policy: params.policy,
 			fetchFn: params.fetchFn,
+			fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 			resolveFn: params.resolveFn,
 			requestInit: { headers: buildBotFrameworkAttachmentHeaders({
 				url,
@@ -511,6 +512,7 @@ async function fetchBotFrameworkAttachmentInfo(params) {
 		return;
 	}
 	if (!response.ok) {
+		await response.body?.cancel();
 		params.logger?.warn?.("msteams botFramework attachmentInfo non-ok", { status: response.status });
 		return;
 	}
@@ -529,6 +531,7 @@ async function saveBotFrameworkAttachmentView(params) {
 			url,
 			policy: params.policy,
 			fetchFn: params.fetchFn,
+			fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 			resolveFn: params.resolveFn,
 			requestInit: { headers: buildBotFrameworkAttachmentHeaders({
 				url,
@@ -541,11 +544,15 @@ async function saveBotFrameworkAttachmentView(params) {
 		return;
 	}
 	if (!response.ok) {
+		await response.body?.cancel();
 		params.logger?.warn?.("msteams botFramework attachmentView non-ok", { status: response.status });
 		return;
 	}
 	const contentLength = response.headers.get("content-length");
-	if (contentLength && Number(contentLength) > params.maxBytes) return;
+	if (contentLength && Number(contentLength) > params.maxBytes) {
+		await response.body?.cancel();
+		return;
+	}
 	try {
 		return await getMSTeamsRuntime().channel.media.saveResponseMedia(response, {
 			sourceUrl: url,
@@ -587,6 +594,7 @@ async function downloadMSTeamsBotFrameworkAttachment(params) {
 		accessToken,
 		policy,
 		fetchFn: params.fetchFn,
+		fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 		resolveFn: params.resolveFn,
 		logger: params.logger
 	});
@@ -609,6 +617,7 @@ async function downloadMSTeamsBotFrameworkAttachment(params) {
 		preserveFilenames: params.preserveFilenames,
 		policy,
 		fetchFn: params.fetchFn,
+		fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 		resolveFn: params.resolveFn,
 		logger: params.logger
 	});
@@ -652,6 +661,7 @@ async function downloadMSTeamsBotFrameworkAttachments(params) {
 			allowHosts: params.allowHosts,
 			authAllowHosts: params.authAllowHosts,
 			fetchFn: params.fetchFn,
+			fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 			resolveFn: params.resolveFn,
 			fileNameHint: params.fileNameHint,
 			contentTypeHint: params.contentTypeHint,
@@ -673,17 +683,9 @@ async function downloadMSTeamsBotFrameworkAttachments(params) {
 //#endregion
 //#region extensions/msteams/src/attachments/remote-media.ts
 /**
-* Direct fetch path used when the caller's `fetchImpl` has already validated
-* the URL against a hostname allowlist (for example `safeFetchWithPolicy`).
-*
-* Bypasses the strict SSRF dispatcher on `readRemoteMediaBuffer` because:
-*   1. The pinned undici dispatcher used by `readRemoteMediaBuffer` is incompatible
-*      with Node 24+'s built-in undici v7 (fails with "invalid onRequestStart
-*      method"), which silently breaks SharePoint/OneDrive downloads. See
-*      issue #63396.
-*   2. SSRF protection is already enforced by the caller's `fetchImpl`
-*      (`safeFetch` validates every redirect hop against the hostname
-*      allowlist before following).
+* Direct save path used when the caller supplies the already-guarded fetch
+* implementation. This lets Teams-specific auth fallback own the request
+* sequence while keeping redirect and DNS pinning inside `safeFetchWithPolicy`.
 */
 async function saveRemoteMediaDirect(params) {
 	return await saveResponseMedia(await params.fetchImpl(params.url, { redirect: "follow" }), {
@@ -783,6 +785,7 @@ async function fetchWithAuthFallback(params) {
 		url: params.url,
 		policy: params.policy,
 		fetchFn: params.fetchFn,
+		fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 		requestInit: params.requestInit,
 		resolveFn: params.resolveFn
 	});
@@ -790,6 +793,7 @@ async function fetchWithAuthFallback(params) {
 	if (!params.tokenProvider) return firstAttempt;
 	if (firstAttempt.status !== 401 && firstAttempt.status !== 403) return firstAttempt;
 	if (!isUrlAllowed(params.url, params.policy.authAllowHosts)) return firstAttempt;
+	await firstAttempt.body?.cancel();
 	const scopes = scopeCandidatesForUrl(params.url);
 	const fetchFn = params.fetchFn ?? fetch;
 	for (const scope of scopes) try {
@@ -800,6 +804,7 @@ async function fetchWithAuthFallback(params) {
 			url: params.url,
 			policy: params.policy,
 			fetchFn,
+			fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 			requestInit: {
 				...params.requestInit,
 				headers: authHeaders
@@ -808,7 +813,11 @@ async function fetchWithAuthFallback(params) {
 		});
 		if (authAttempt.ok) return authAttempt;
 		if (isRedirectStatus(authAttempt.status)) return authAttempt;
-		if (authAttempt.status !== 401 && authAttempt.status !== 403) continue;
+		if (authAttempt.status !== 401 && authAttempt.status !== 403) {
+			await authAttempt.body?.cancel();
+			continue;
+		}
+		await authAttempt.body?.cancel();
 	} catch {}
 	return firstAttempt;
 }
@@ -876,6 +885,7 @@ async function downloadMSTeamsAttachments(params) {
 					url: resolveRequestUrl(input),
 					tokenProvider: params.tokenProvider,
 					fetchFn: params.fetchFn,
+					fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 					requestInit: init,
 					resolveFn: params.resolveFn,
 					policy
@@ -1144,6 +1154,7 @@ async function downloadMSTeamsGraphMedia(params) {
 									url: requestUrl,
 									policy,
 									fetchFn,
+									fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 									requestInit: {
 										...init,
 										headers
@@ -1200,6 +1211,7 @@ async function downloadMSTeamsGraphMedia(params) {
 			allowHosts: policy.allowHosts,
 			authAllowHosts: policy.authAllowHosts,
 			fetchFn: params.fetchFn,
+			fetchFnSupportsDispatcher: params.fetchFnSupportsDispatcher,
 			resolveFn: params.resolveFn,
 			preserveFilenames: params.preserveFilenames,
 			logger: params.logger

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.5.28-beta.1",
+  "version": "2026.5.28-beta.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@openclaw/msteams",
-      "version": "2026.5.28-beta.1",
+      "version": "2026.5.28-beta.2",
       "dependencies": {
         "@azure/identity": "4.13.1",
         "@microsoft/teams.api": "2.0.12",
@@ -15,7 +15,7 @@
         "typebox": "1.1.38"
       },
       "peerDependencies": {
-        "openclaw": ">=2026.5.28-beta.1"
+        "openclaw": ">=2026.5.28-beta.2"
       },
       "peerDependenciesMeta": {
         "openclaw": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.5.28-beta.1",
+  "version": "2026.5.28-beta.2",
   "description": "OpenClaw Microsoft Teams channel plugin for bot conversations.",
   "repository": {
     "type": "git",
@@ -15,7 +15,7 @@
     "typebox": "1.1.38"
   },
   "peerDependencies": {
-    "openclaw": ">=2026.5.28-beta.1"
+    "openclaw": ">=2026.5.28-beta.2"
   },
   "peerDependenciesMeta": {
     "openclaw": {
@@ -51,10 +51,10 @@
       "minHostVersion": ">=2026.4.10"
     },
     "compat": {
-      "pluginApi": ">=2026.5.28-beta.1"
+      "pluginApi": ">=2026.5.28-beta.2"
     },
     "build": {
-      "openclawVersion": "2026.5.28-beta.1"
+      "openclawVersion": "2026.5.28-beta.2"
     },
     "release": {
       "publishToClawHub": true,