@openclaw/msteams 2026.5.7 → 2026.5.10-beta.1

package/dist/api.js

@@ -1,3 +1,3 @@
-import { t as msteamsPlugin } from "./channel-BOwKBAvY.js";
-import { i as msteamsSetupAdapter, n as openDelegatedOAuthUrl, r as createMSTeamsSetupWizardBase, t as msteamsSetupWizard } from "./setup-surface-BLkFQYIQ.js";
+import { t as msteamsPlugin } from "./channel-kz4Rzh2w.js";
+import { i as msteamsSetupAdapter, n as openDelegatedOAuthUrl, r as createMSTeamsSetupWizardBase, t as msteamsSetupWizard } from "./setup-surface-C7d0jGM5.js";
 export { createMSTeamsSetupWizardBase, msteamsPlugin, msteamsSetupAdapter, msteamsSetupWizard, openDelegatedOAuthUrl };

package/dist/{channel-BOwKBAvY.js → channel-kz4Rzh2w.js}

@@ -1,13 +1,14 @@
-import { o as buildProbeChannelStatusSummary, r as PAIRING_APPROVED_MESSAGE, s as chunkTextForOutbound, t as DEFAULT_ACCOUNT_ID, u as createDefaultChannelRuntimeState } from "./runtime-api-DV1iVMn1.js";
-import { h as resolveMSTeamsCredentials } from "./graph-users-9uQJepqr.js";
-import { a as parseMSTeamsTeamChannelInput, c as resolveMSTeamsUserAllowlist, i as parseMSTeamsConversationId, n as normalizeMSTeamsMessagingTarget, r as normalizeMSTeamsUserInput, s as resolveMSTeamsChannelAllowlist, t as looksLikeMSTeamsTargetId } from "./resolve-allowlist-D41JSziq.js";
+import { o as buildProbeChannelStatusSummary, r as PAIRING_APPROVED_MESSAGE, s as chunkTextForOutbound, t as DEFAULT_ACCOUNT_ID, u as createDefaultChannelRuntimeState } from "./runtime-api-C3EIaIpt.js";
+import { h as resolveMSTeamsCredentials } from "./graph-users-CCU0WVMZ.js";
+import { a as parseMSTeamsTeamChannelInput, c as resolveMSTeamsUserAllowlist, i as parseMSTeamsConversationId, n as normalizeMSTeamsMessagingTarget, r as normalizeMSTeamsUserInput, s as resolveMSTeamsChannelAllowlist, t as looksLikeMSTeamsTargetId } from "./resolve-allowlist-7CHP2hEA.js";
 import { t as MSTeamsChannelConfigSchema } from "./config-schema-DwOEthCC.js";
-import { r as resolveMSTeamsGroupToolPolicy } from "./policy-DTnU2GR7.js";
-import { i as msteamsSetupAdapter, t as msteamsSetupWizard } from "./setup-surface-BLkFQYIQ.js";
+import { n as resolveMSTeamsGroupToolPolicy } from "./policy-bM71GXRd.js";
+import { i as msteamsSetupAdapter, t as msteamsSetupWizard } from "./setup-surface-C7d0jGM5.js";
 import { describeAccountSnapshot } from "openclaw/plugin-sdk/account-helpers";
 import { formatAllowFromLowercase } from "openclaw/plugin-sdk/allow-from";
 import { createTopLevelChannelConfigAdapter } from "openclaw/plugin-sdk/channel-config-helpers";
 import { buildChannelOutboundSessionRoute, createChatChannelPlugin, stripChannelTargetPrefix, stripTargetKindPrefix } from "openclaw/plugin-sdk/channel-core";
+import { createChannelMessageAdapterFromOutbound } from "openclaw/plugin-sdk/channel-message";
 import { createPairingPrefixStripper } from "openclaw/plugin-sdk/channel-pairing";
 import { createAllowlistProviderGroupPolicyWarningCollector, createDangerousNameMatchingMutableAllowlistWarningCollector, projectConfigWarningCollector } from "openclaw/plugin-sdk/channel-policy";
 import { createChannelDirectoryAdapter, createRuntimeDirectoryLiveAdapter, listDirectoryEntriesFromSources } from "openclaw/plugin-sdk/directory-runtime";
@@ -182,7 +183,7 @@ const collectMSTeamsSecurityWarnings = createAllowlistProviderGroupPolicyWarning
 	resolveGroupPolicy: ({ cfg }) => cfg.channels?.msteams?.groupPolicy,
 	collect: ({ groupPolicy }) => groupPolicy === "open" ? ["- MS Teams groups: groupPolicy=\"open\" allows any member to trigger (mention-gated). Set channels.msteams.groupPolicy=\"allowlist\" + channels.msteams.groupAllowFrom to restrict senders."] : []
 });
-const loadMSTeamsChannelRuntime = createLazyRuntimeNamedExport(() => import("./channel.runtime-BC1ruIfN.js"), "msTeamsChannelRuntime");
+const loadMSTeamsChannelRuntime = createLazyRuntimeNamedExport(() => import("./channel.runtime-C1IGCVBT.js"), "msTeamsChannelRuntime");
 const resolveMSTeamsChannelConfig = (cfg) => ({
 	allowFrom: cfg.channels?.msteams?.allowFrom,
 	defaultTo: cfg.channels?.msteams?.defaultTo
@@ -376,6 +377,41 @@ function describeMSTeamsMessageTool({ cfg }) {
 		} : null
 	};
 }
+const msteamsChannelOutbound = {
+	deliveryMode: "direct",
+	chunker: chunkTextForOutbound,
+	chunkerMode: "markdown",
+	textChunkLimit: 4e3,
+	pollMaxOptions: 12,
+	deliveryCapabilities: { durableFinal: {
+		text: true,
+		media: true,
+		messageSendingHooks: true
+	} },
+	...createRuntimeOutboundDelegates({
+		getRuntime: loadMSTeamsChannelRuntime,
+		sendText: { resolve: (runtime) => runtime.msteamsOutbound.sendText },
+		sendMedia: { resolve: (runtime) => runtime.msteamsOutbound.sendMedia },
+		sendPoll: { resolve: (runtime) => runtime.msteamsOutbound.sendPoll }
+	})
+};
+const msteamsMessageAdapter = createChannelMessageAdapterFromOutbound({
+	id: "msteams",
+	outbound: msteamsChannelOutbound,
+	live: {
+		capabilities: {
+			draftPreview: true,
+			previewFinalization: true,
+			progressUpdates: true,
+			nativeStreaming: true
+		},
+		finalizer: { capabilities: {
+			finalEdit: true,
+			normalFallback: true,
+			previewReceipt: true
+		} }
+	}
+});
 const msteamsPlugin = createChatChannelPlugin({
 	base: {
 		id: "msteams",
@@ -428,6 +464,7 @@ const msteamsPlugin = createChatChannelPlugin({
 				hint: "<conversationId|user:ID|conversation:ID>"
 			}
 		},
+		message: msteamsMessageAdapter,
 		directory: createChannelDirectoryAdapter({
 			self: async ({ cfg }) => {
 				const creds = resolveMSTeamsCredentials(cfg.channels?.msteams);
@@ -928,7 +965,7 @@ const msteamsPlugin = createChatChannelPlugin({
 			})
 		}),
 		gateway: { startAccount: async (ctx) => {
-			const { monitorMSTeamsProvider } = await import("./src-CP7V_TeZ.js");
+			const { monitorMSTeamsProvider } = await import("./src-DQ7ARgDd.js");
 			const port = ctx.cfg.channels?.msteams?.webhook?.port ?? 3978;
 			ctx.setStatus({
 				accountId: ctx.accountId,
@@ -966,19 +1003,7 @@ const msteamsPlugin = createChatChannelPlugin({
 			hasRepliedRef
 		};
 	} },
-	outbound: {
-		deliveryMode: "direct",
-		chunker: chunkTextForOutbound,
-		chunkerMode: "markdown",
-		textChunkLimit: 4e3,
-		pollMaxOptions: 12,
-		...createRuntimeOutboundDelegates({
-			getRuntime: loadMSTeamsChannelRuntime,
-			sendText: { resolve: (runtime) => runtime.msteamsOutbound.sendText },
-			sendMedia: { resolve: (runtime) => runtime.msteamsOutbound.sendMedia },
-			sendPoll: { resolve: (runtime) => runtime.msteamsOutbound.sendPoll }
-		})
-	}
+	outbound: msteamsChannelOutbound
 });
 //#endregion
 export { msteamsPlugin as t };

package/dist/channel-plugin-api.js

@@ -1,2 +1,2 @@
-import { t as msteamsPlugin } from "./channel-BOwKBAvY.js";
+import { t as msteamsPlugin } from "./channel-kz4Rzh2w.js";
 export { msteamsPlugin };

package/dist/{channel.runtime-BC1ruIfN.js → channel.runtime-C1IGCVBT.js}

@@ -1,6 +1,6 @@
-import { s as chunkTextForOutbound } from "./runtime-api-DV1iVMn1.js";
-import { a as fetchGraphJson, c as normalizeQuery, d as postGraphJson, f as resolveGraphToken, i as fetchGraphAbsoluteUrl, l as patchGraphJson, n as deleteGraphRequest, o as listChannelsForTeam, r as escapeOData, s as listTeamsByName, t as searchGraphUsers, u as postGraphBetaJson } from "./graph-users-9uQJepqr.js";
-import { S as createMSTeamsConversationStoreFs, a as sendMessageMSTeams, b as createMSTeamsPollStoreFs, i as sendAdaptiveCardMSTeams, n as deleteMessageMSTeams, o as sendPollMSTeams, r as editMessageMSTeams, t as probeMSTeams } from "./probe-D_H8yFps.js";
+import { s as chunkTextForOutbound } from "./runtime-api-C3EIaIpt.js";
+import { a as fetchGraphJson, c as normalizeQuery, d as postGraphJson, f as resolveGraphToken, i as fetchGraphAbsoluteUrl, l as patchGraphJson, n as deleteGraphRequest, o as listChannelsForTeam, r as escapeOData, s as listTeamsByName, t as searchGraphUsers, u as postGraphBetaJson } from "./graph-users-CCU0WVMZ.js";
+import { S as createMSTeamsConversationStoreFs, a as sendMessageMSTeams, b as createMSTeamsPollStoreFs, i as sendAdaptiveCardMSTeams, n as deleteMessageMSTeams, o as sendPollMSTeams, r as editMessageMSTeams, t as probeMSTeams } from "./probe-CQKmxtlj.js";
 import { normalizeLowercaseStringOrEmpty } from "openclaw/plugin-sdk/text-runtime";
 import { createAttachedChannelResultAdapter } from "openclaw/plugin-sdk/channel-send-result";
 import { resolveOutboundSendDep } from "openclaw/plugin-sdk/outbound-send-deps";

package/dist/{graph-users-9uQJepqr.js → graph-users-CCU0WVMZ.js}

@@ -1,14 +1,15 @@
-import { L as getMSTeamsRuntime, g as fetchWithSsrFGuard$1 } from "./runtime-api-DV1iVMn1.js";
+import { M as getMSTeamsRuntime, h as fetchWithSsrFGuard$1 } from "./runtime-api-C3EIaIpt.js";
 import { n as refreshMSTeamsDelegatedTokens } from "./oauth.token-xxpoLWy5.js";
 import { createRequire } from "node:module";
-import { isRecord as isRecord$1, normalizeLowercaseStringOrEmpty, normalizeOptionalString } from "openclaw/plugin-sdk/text-runtime";
+import { isRecord as isRecord$2, normalizeLowercaseStringOrEmpty, normalizeOptionalString } from "openclaw/plugin-sdk/text-runtime";
 import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import { Buffer } from "node:buffer";
 import { lookup } from "node:dns/promises";
 import { buildHostnameAllowlistPolicyFromSuffixAllowlist, isHttpsUrlAllowedByHostnameSuffixAllowlist, isPrivateIpAddress, normalizeHostnameSuffixAllowlist } from "openclaw/plugin-sdk/ssrf-policy";
-import * as fs$1 from "node:fs";
-import { mkdirSync, readFileSync, writeFileSync } from "node:fs";
-import path, { dirname } from "node:path";
+import * as fs from "node:fs";
+import { readFileSync } from "node:fs";
+import path, { basename, dirname } from "node:path";
+import { privateFileStoreSync } from "openclaw/plugin-sdk/security-runtime";
 import { hasConfiguredSecretInput, normalizeResolvedSecretInputString, normalizeSecretInputString } from "openclaw/plugin-sdk/secret-input";
 //#region extensions/msteams/src/attachments/shared.ts
 const IMAGE_EXT_RE = /\.(avif|bmp|gif|heic|heif|jpe?g|png|tiff?|webp)$/i;
@@ -122,7 +123,7 @@ function tryBuildGraphSharesUrlForSharedLink(url) {
 function readNestedString(value, keys) {
 	let current = value;
 	for (const key of keys) {
-		if (!isRecord$1(current)) return;
+		if (!isRecord$2(current)) return;
 		current = current[key];
 	}
 	return normalizeOptionalString(current);
@@ -153,7 +154,7 @@ function isLikelyImageAttachment(att) {
 	const name = typeof att.name === "string" ? att.name : "";
 	if (contentType.startsWith("image/")) return true;
 	if (IMAGE_EXT_RE.test(name)) return true;
-	if (contentType === "application/vnd.microsoft.teams.file.download.info" && isRecord$1(att.content)) {
+	if (contentType === "application/vnd.microsoft.teams.file.download.info" && isRecord$2(att.content)) {
 		const fileType = typeof att.content.fileType === "string" ? att.content.fileType : "";
 		if (fileType && IMAGE_EXT_RE.test(`x.${fileType}`)) return true;
 		const fileName = typeof att.content.fileName === "string" ? att.content.fileName : "";
@@ -166,7 +167,7 @@ function isLikelyImageAttachment(att) {
 * Used when downloading all files, not just images.
 */
 function isDownloadableAttachment(att) {
-	if ((normalizeContentType(att.contentType) ?? "") === "application/vnd.microsoft.teams.file.download.info" && isRecord$1(att.content) && typeof att.content.downloadUrl === "string") return true;
+	if ((normalizeContentType(att.contentType) ?? "") === "application/vnd.microsoft.teams.file.download.info" && isRecord$2(att.content) && typeof att.content.downloadUrl === "string") return true;
 	if (typeof att.contentUrl === "string" && att.contentUrl.trim()) return true;
 	return false;
 }
@@ -176,7 +177,7 @@ function isHtmlAttachment(att) {
 function extractHtmlFromAttachment(att) {
 	if (!isHtmlAttachment(att)) return;
 	if (typeof att.content === "string") return att.content;
-	if (!isRecord$1(att.content)) return;
+	if (!isRecord$2(att.content)) return;
 	return typeof att.content.text === "string" ? att.content.text : typeof att.content.body === "string" ? att.content.body : typeof att.content.content === "string" ? att.content.content : void 0;
 }
 function isLikelyBase64Payload(value) {
@@ -387,7 +388,7 @@ async function safeFetchWithPolicy(params) {
 }
 //#endregion
 //#region extensions/msteams/src/errors.ts
-function isRecord(value) {
+function isRecord$1(value) {
 	return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function formatUnknownError(err) {
@@ -405,7 +406,7 @@ function formatUnknownError(err) {
 	}
 }
 function extractStatusCode(err) {
-	if (!isRecord(err)) return null;
+	if (!isRecord$1(err)) return null;
 	const direct = err.statusCode ?? err.status;
 	if (typeof direct === "number" && Number.isFinite(direct)) return direct;
 	if (typeof direct === "string") {
@@ -413,7 +414,7 @@ function extractStatusCode(err) {
 		if (Number.isFinite(parsed)) return parsed;
 	}
 	const response = err.response;
-	if (isRecord(response)) {
+	if (isRecord$1(response)) {
 		const status = response.status;
 		if (typeof status === "number" && Number.isFinite(status)) return status;
 		if (typeof status === "string") {
@@ -424,20 +425,20 @@ function extractStatusCode(err) {
 	return null;
 }
 function extractErrorCode(err) {
-	if (!isRecord(err)) return null;
+	if (!isRecord$1(err)) return null;
 	const direct = err.code;
 	if (typeof direct === "string" && direct.trim()) return direct;
 	const response = err.response;
-	if (!isRecord(response)) return null;
+	if (!isRecord$1(response)) return null;
 	const body = response.body;
-	if (isRecord(body)) {
+	if (isRecord$1(body)) {
 		const error = body.error;
-		if (isRecord(error) && typeof error.code === "string" && error.code.trim()) return error.code;
+		if (isRecord$1(error) && typeof error.code === "string" && error.code.trim()) return error.code;
 	}
 	return null;
 }
 function extractRetryAfterMs(err) {
-	if (!isRecord(err)) return null;
+	if (!isRecord$1(err)) return null;
 	const direct = err.retryAfterMs ?? err.retry_after_ms;
 	if (typeof direct === "number" && Number.isFinite(direct) && direct >= 0) return direct;
 	const retryAfter = err.retryAfter ?? err.retry_after;
@@ -447,10 +448,10 @@ function extractRetryAfterMs(err) {
 		if (Number.isFinite(parsed) && parsed >= 0) return parsed * 1e3;
 	}
 	const response = err.response;
-	if (!isRecord(response)) return null;
+	if (!isRecord$1(response)) return null;
 	const headers = response.headers;
 	if (!headers) return null;
-	if (isRecord(headers)) {
+	if (isRecord$1(headers)) {
 		const raw = headers["retry-after"] ?? headers["Retry-After"];
 		if (typeof raw === "string") {
 			const parsed = Number.parseFloat(raw);
@@ -512,6 +513,13 @@ function classifyMSTeamsSendError(err) {
 		statusCode,
 		errorCode
 	};
+	if (statusCode == null) {
+		const networkCode = isRecord$1(err) && typeof err.code === "string" ? err.code : null;
+		if (networkCode === "ECONNREFUSED" || networkCode === "ENOTFOUND" || networkCode === "EHOSTUNREACH" || networkCode === "ETIMEDOUT" || networkCode === "ECONNRESET") return {
+			kind: "network",
+			errorCode: networkCode
+		};
+	}
 	return {
 		kind: "unknown",
 		statusCode: statusCode ?? void 0,
@@ -536,6 +544,7 @@ function formatMSTeamsSendErrorHint(classification) {
 	if (classification.errorCode === "ContentStreamNotAllowed") return "Teams expired the content stream; stop streaming earlier and fall back to normal message delivery";
 	if (classification.kind === "throttled") return "Teams throttled the bot; backing off may help";
 	if (classification.kind === "transient") return "transient Teams/Bot Framework error; retry may succeed";
+	if (classification.kind === "network") return "transport-level failure sending reply to Teams Bot Connector (smba.trafficmanager.net) — check egress firewall rules allow outbound HTTPS to smba.trafficmanager.net";
 }
 //#endregion
 //#region extensions/msteams/src/user-agent.ts
@@ -617,7 +626,7 @@ function createFederatedApp(creds, sdk) {
 	if (!creds.certificatePath) throw new Error("Federated credentials require either a certificate path or managed identity.");
 	let privateKey;
 	try {
-		privateKey = fs$1.readFileSync(creds.certificatePath, "utf-8");
+		privateKey = fs.readFileSync(creds.certificatePath, "utf-8");
 	} catch (err) {
 		const msg = err instanceof Error ? err.message : String(err);
 		throw new Error(`Failed to read certificate file at '${creds.certificatePath}': ${msg}`, { cause: err });
@@ -1045,11 +1054,23 @@ async function createBotFrameworkJwtValidator(creds) {
 			if (!isJwtPayloadObject(verifiedPayload)) return false;
 			if (getAudienceClaims(verifiedPayload).includes(BOT_FRAMEWORK_GLOBAL_AUDIENCE) && !hasExpectedBotIdentity(verifiedPayload, creds.appId)) return false;
 			return true;
-		} catch {
+		} catch (err) {
+			if (isJwksNetworkError(err)) throw err;
 			return false;
 		}
 	} };
 }
+/**
+* Return true when the error originated from a network-level failure fetching
+* the JWKS endpoint (DNS resolution, connection refused, TLS handshake, etc.)
+* rather than from token verification logic.
+*/
+function isJwksNetworkError(err) {
+	if (!(err instanceof Error)) return false;
+	const code = err.code;
+	if (code === "ECONNREFUSED" || code === "ENOTFOUND" || code === "EHOSTUNREACH" || code === "ETIMEDOUT" || code === "ECONNRESET") return true;
+	return /jwks|key fetch|getSigningKey/i.test(err.message) && /network|fetch|connect/i.test(err.message);
+}
 //#endregion
 //#region extensions/msteams/src/token-response.ts
 function readAccessToken(value) {
@@ -1135,8 +1156,7 @@ function loadDelegatedTokens() {
 }
 function saveDelegatedTokens(tokens) {
 	const tokenPath = resolveDelegatedTokenPath();
-	mkdirSync(dirname(tokenPath), { recursive: true });
-	writeFileSync(tokenPath, JSON.stringify(tokens, null, 2), "utf8");
+	privateFileStoreSync(dirname(tokenPath)).writeJson(basename(tokenPath), tokens);
 }
 async function resolveDelegatedAccessToken(params) {
 	const tokens = loadDelegatedTokens();
@@ -1351,4 +1371,4 @@ async function searchGraphUsers(params) {
 	})).value ?? [];
 }
 //#endregion
-export { ATTACHMENT_TAG_RE as A, isLikelyImageAttachment as B, loadMSTeamsSdkWithAuth as C, formatMSTeamsSendErrorHint as D, classifyMSTeamsSendError as E, estimateBase64DecodedBytes as F, resolveAttachmentFetchPolicy as G, isUrlAllowed as H, extractHtmlFromAttachment as I, safeFetchWithPolicy as J, resolveMediaSsrfPolicy as K, extractInlineImageCandidates as L, IMG_SRC_RE as M, applyAuthorizationHeaderForUrl as N, formatUnknownError as O, encodeGraphShareId as P, inferPlaceholder as R, createMSTeamsTokenProvider as S, ensureUserAgentHeader as T, normalizeContentType as U, isRecord$1 as V, readNestedString as W, tryBuildGraphSharesUrlForSharedLink as X, safeHostForUrl as Y, resolveMSTeamsStorePath as _, fetchGraphJson as a, createBotFrameworkJwtValidator as b, normalizeQuery as c, postGraphJson as d, resolveGraphToken as f, saveDelegatedTokens as g, resolveMSTeamsCredentials as h, fetchGraphAbsoluteUrl as i, GRAPH_ROOT as j, isRevokedProxyError as k, patchGraphJson as l, loadDelegatedTokens as m, deleteGraphRequest as n, listChannelsForTeam as o, hasConfiguredMSTeamsCredentials as p, resolveRequestUrl as q, escapeOData as r, listTeamsByName as s, searchGraphUsers as t, postGraphBetaJson as u, normalizeSecretInputString as v, buildUserAgent as w, createMSTeamsAdapter as x, readAccessToken as y, isDownloadableAttachment as z };
+export { ATTACHMENT_TAG_RE as A, isLikelyImageAttachment as B, loadMSTeamsSdkWithAuth as C, formatMSTeamsSendErrorHint as D, classifyMSTeamsSendError as E, estimateBase64DecodedBytes as F, resolveAttachmentFetchPolicy as G, isUrlAllowed as H, extractHtmlFromAttachment as I, safeFetchWithPolicy as J, resolveMediaSsrfPolicy as K, extractInlineImageCandidates as L, IMG_SRC_RE as M, applyAuthorizationHeaderForUrl as N, formatUnknownError as O, encodeGraphShareId as P, inferPlaceholder as R, createMSTeamsTokenProvider as S, ensureUserAgentHeader as T, normalizeContentType as U, isRecord$2 as V, readNestedString as W, tryBuildGraphSharesUrlForSharedLink as X, safeHostForUrl as Y, resolveMSTeamsStorePath as _, fetchGraphJson as a, createBotFrameworkJwtValidator as b, normalizeQuery as c, postGraphJson as d, resolveGraphToken as f, saveDelegatedTokens as g, resolveMSTeamsCredentials as h, fetchGraphAbsoluteUrl as i, GRAPH_ROOT as j, isRevokedProxyError as k, patchGraphJson as l, loadDelegatedTokens as m, deleteGraphRequest as n, listChannelsForTeam as o, hasConfiguredMSTeamsCredentials as p, resolveRequestUrl as q, escapeOData as r, listTeamsByName as s, searchGraphUsers as t, postGraphBetaJson as u, normalizeSecretInputString as v, buildUserAgent as w, createMSTeamsAdapter as x, readAccessToken as y, isDownloadableAttachment as z };

package/dist/{policy-DTnU2GR7.js → policy-bM71GXRd.js}

@@ -1,4 +1,4 @@
-import { C as normalizeChannelSlug, D as resolveChannelEntryMatchWithFallback, E as resolveAllowlistMatchSimple, M as resolveNestedAllowlistDecision, P as resolveToolsBySender, i as buildChannelKeyCandidates, p as evaluateSenderGroupAccessForPolicy, v as isDangerousNameMatchingEnabled } from "./runtime-api-DV1iVMn1.js";
+import { O as resolveNestedAllowlistDecision, S as normalizeChannelSlug, T as resolveChannelEntryMatchWithFallback, _ as isDangerousNameMatchingEnabled, i as buildChannelKeyCandidates, k as resolveToolsBySender, w as resolveAllowlistMatchSimple } from "./runtime-api-C3EIaIpt.js";
 //#region extensions/msteams/src/policy.ts
 function resolveMSTeamsRouteConfig(params) {
 	const teamId = params.teamId?.trim();
@@ -130,13 +130,5 @@ function resolveMSTeamsReplyPolicy(params) {
 		replyStyle: params.channelConfig?.replyStyle ?? params.teamConfig?.replyStyle ?? params.globalConfig?.replyStyle ?? (requireMention ? "thread" : "top-level")
 	};
 }
-function isMSTeamsGroupAllowed(params) {
-	return evaluateSenderGroupAccessForPolicy({
-		groupPolicy: params.groupPolicy,
-		groupAllowFrom: params.allowFrom.map((entry) => String(entry)),
-		senderId: params.senderId,
-		isSenderAllowed: () => resolveMSTeamsAllowlistMatch(params).allowed
-	}).allowed;
-}
 //#endregion
-export { resolveMSTeamsRouteConfig as a, resolveMSTeamsReplyPolicy as i, resolveMSTeamsAllowlistMatch as n, resolveMSTeamsGroupToolPolicy as r, isMSTeamsGroupAllowed as t };
+export { resolveMSTeamsRouteConfig as i, resolveMSTeamsGroupToolPolicy as n, resolveMSTeamsReplyPolicy as r, resolveMSTeamsAllowlistMatch as t };

package/dist/{probe-D_H8yFps.js → probe-CQKmxtlj.js}

@@ -1,11 +1,14 @@
-import { L as getMSTeamsRuntime, O as resolveChannelMediaMaxBytes, _ as getFileExtension, b as loadOutboundMediaFromUrl, d as detectMime, h as extractOriginalFilename, m as extensionForMime, w as normalizeStringEntries } from "./runtime-api-DV1iVMn1.js";
-import { C as loadMSTeamsSdkWithAuth, D as formatMSTeamsSendErrorHint, E as classifyMSTeamsSendError, O as formatUnknownError, S as createMSTeamsTokenProvider, _ as resolveMSTeamsStorePath, h as resolveMSTeamsCredentials, k as isRevokedProxyError, m as loadDelegatedTokens, w as buildUserAgent, x as createMSTeamsAdapter, y as readAccessToken } from "./graph-users-9uQJepqr.js";
-import { convertMarkdownTables, normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, sleep } from "openclaw/plugin-sdk/text-runtime";
+import { C as normalizeStringEntries, E as resolveChannelMediaMaxBytes, M as getMSTeamsRuntime, d as detectMime, g as getFileExtension, m as extractOriginalFilename, p as extensionForMime, y as loadOutboundMediaFromUrl } from "./runtime-api-C3EIaIpt.js";
+import { C as loadMSTeamsSdkWithAuth, D as formatMSTeamsSendErrorHint, E as classifyMSTeamsSendError, O as formatUnknownError, S as createMSTeamsTokenProvider, _ as resolveMSTeamsStorePath, h as resolveMSTeamsCredentials, k as isRevokedProxyError, m as loadDelegatedTokens, w as buildUserAgent, x as createMSTeamsAdapter, y as readAccessToken } from "./graph-users-CCU0WVMZ.js";
+import { i as resolveMSTeamsRouteConfig, r as resolveMSTeamsReplyPolicy } from "./policy-bM71GXRd.js";
+import { createMessageReceiptFromOutboundResults } from "openclaw/plugin-sdk/channel-message";
+import { convertMarkdownTables, isRecord, normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, normalizeOptionalString, sleep } from "openclaw/plugin-sdk/text-runtime";
 import { withFileLock } from "openclaw/plugin-sdk/file-lock";
 import { resolveSendableOutboundReplyParts } from "openclaw/plugin-sdk/reply-payload";
 import { lookup } from "node:dns/promises";
-import fs from "node:fs";
+import { isPrivateIpAddress } from "openclaw/plugin-sdk/ssrf-policy";
 import path from "node:path";
+import { pathExists } from "openclaw/plugin-sdk/security-runtime";
 import { readJsonFileWithFallback, writeJsonFileAtomically } from "openclaw/plugin-sdk/json-store";
 import crypto from "node:crypto";
 import { resolveMarkdownTableMode } from "openclaw/plugin-sdk/markdown-table-runtime";
@@ -72,11 +75,7 @@ async function writeJsonFile(filePath, value) {
 	await writeJsonFileAtomically(filePath, value);
 }
 async function ensureJsonFile(filePath, fallback) {
-	try {
-		await fs.promises.access(filePath);
-	} catch {
-		await writeJsonFile(filePath, fallback);
-	}
+	if (!await pathExists(filePath)) await writeJsonFile(filePath, fallback);
 }
 async function withFileLock$1(filePath, fallback, fn) {
 	await ensureJsonFile(filePath, fallback);
@@ -182,14 +181,6 @@ function createMSTeamsConversationStoreFs(params) {
 const STORE_FILENAME$1 = "msteams-polls.json";
 const MAX_POLLS = 1e3;
 const POLL_TTL_MS = 720 * 60 * 60 * 1e3;
-function isRecord(value) {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-}
-function normalizeOptionalString$1(value) {
-	if (typeof value !== "string") return;
-	const trimmed = value.trim();
-	return trimmed ? trimmed : void 0;
-}
 function normalizeChoiceValue(value) {
 	if (typeof value === "string") {
 		const trimmed = value.trim();
@@ -214,7 +205,7 @@ function readNestedValue(value, keys) {
 	return current;
 }
 function readNestedString(value, keys) {
-	return normalizeOptionalString$1(readNestedValue(value, keys));
+	return normalizeOptionalString(readNestedValue(value, keys));
 }
 function extractMSTeamsPollVote(activity) {
 	const value = activity?.value;
@@ -395,9 +386,6 @@ function createMSTeamsPollStoreFs(params) {
 * - Building FileInfoCard attachments (to confirm upload completion)
 * - Parsing fileConsent/invoke activities
 */
-function normalizeLowercaseStringOrEmpty$1(value) {
-	return typeof value === "string" ? value.trim().toLowerCase() : "";
-}
 /**
 * Allowlist of domains that are valid targets for file consent uploads.
 * These are the Microsoft/SharePoint domains that Teams legitimately provides
@@ -418,31 +406,10 @@ const CONSENT_UPLOAD_HOST_ALLOWLIST = [
 	"graph.microsoft.cn"
 ];
 /**
-* Returns true if the given IPv4 or IPv6 address is in a private, loopback,
-* or link-local range that must never be reached via consent uploads.
+* Returns true if the given IPv4 or IPv6 address is private, internal, or
+* special-use and must never be reached via consent uploads.
 */
-function isPrivateOrReservedIP(ip) {
-	const ipv4MappedMatch = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
-	if (ipv4MappedMatch) return isPrivateOrReservedIP(ipv4MappedMatch[1]);
-	const v4Parts = ip.split(".");
-	if (v4Parts.length === 4) {
-		const octets = v4Parts.map(Number);
-		if (octets.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
-		const [a, b] = octets;
-		if (a === 10) return true;
-		if (a === 172 && b >= 16 && b <= 31) return true;
-		if (a === 192 && b === 168) return true;
-		if (a === 127) return true;
-		if (a === 169 && b === 254) return true;
-		if (a === 0) return true;
-	}
-	const normalized = normalizeLowercaseStringOrEmpty$1(ip);
-	if (normalized === "::1") return true;
-	if (normalized.startsWith("fe80:") || normalized.startsWith("fe80")) return true;
-	if (normalized.startsWith("fc") || normalized.startsWith("fd")) return true;
-	if (normalized === "::") return true;
-	return false;
-}
+const isPrivateOrReservedIP = isPrivateIpAddress;
 /**
 * Validate that a consent upload URL is safe to PUT to.
 * Checks:
@@ -460,7 +427,7 @@ async function validateConsentUploadUrl(url, opts) {
 		throw new Error("Consent upload URL is not a valid URL");
 	}
 	if (parsed.protocol !== "https:") throw new Error(`Consent upload URL must use HTTPS, got ${parsed.protocol}`);
-	const hostname = normalizeLowercaseStringOrEmpty$1(parsed.hostname);
+	const hostname = normalizeLowercaseStringOrEmpty(parsed.hostname);
 	if (!(opts?.allowlist ?? CONSENT_UPLOAD_HOST_ALLOWLIST).some((entry) => hostname === entry || hostname.endsWith(`.${entry}`))) throw new Error(`Consent upload URL hostname "${hostname}" is not in the allowed domains`);
 	const resolveFn = opts?.resolveFn ?? ((name) => lookup(name, { all: true }));
 	let resolved;
@@ -1554,7 +1521,7 @@ async function sendMSTeamsMessages(params) {
 	const resolvedThreadId = params.conversationRef.threadId ?? params.conversationRef.activityId;
 	if (params.replyStyle === "thread") {
 		const ctx = params.context;
-		if (!ctx) throw new Error("Missing context for replyStyle=thread");
+		if (!ctx) return await sendProactively(messages, 0, resolvedThreadId);
 		const messageIds = [];
 		for (const [idx, message] of messages.entries()) {
 			const result = await withRevokedProxyFallback({
@@ -1579,6 +1546,23 @@ async function sendMSTeamsMessages(params) {
 }
 //#endregion
 //#region extensions/msteams/src/send-context.ts
+function resolveMSTeamsProactiveReplyStyle(params) {
+	const threadRootId = params.ref.threadId ?? params.ref.activityId;
+	if (params.conversationType !== "channel" || !threadRootId) return "top-level";
+	const routeConfig = resolveMSTeamsRouteConfig({
+		cfg: params.cfg,
+		teamId: params.ref.teamId,
+		conversationId: params.conversationId,
+		allowNameMatching: false
+	});
+	const { replyStyle } = resolveMSTeamsReplyPolicy({
+		isDirectMessage: false,
+		globalConfig: params.cfg,
+		teamConfig: routeConfig.teamConfig,
+		channelConfig: routeConfig.channelConfig
+	});
+	return replyStyle;
+}
 /**
 * Parse the target value into a conversation reference lookup key.
 * Supported formats:
@@ -1646,6 +1630,12 @@ async function resolveMSTeamsSendContext(params) {
 	if (storedConversationType === "personal") conversationType = "personal";
 	else if (storedConversationType === "channel") conversationType = "channel";
 	else conversationType = "groupChat";
+	const replyStyle = resolveMSTeamsProactiveReplyStyle({
+		cfg: msteamsCfg,
+		conversationId,
+		ref,
+		conversationType
+	});
 	const sharePointSiteId = msteamsCfg.sharePointSiteId;
 	const mediaMaxBytes = resolveChannelMediaMaxBytes({
 		cfg: params.cfg,
@@ -1678,6 +1668,7 @@ async function resolveMSTeamsSendContext(params) {
 		adapter,
 		log,
 		conversationType,
+		replyStyle,
 		tokenProvider,
 		sharePointSiteId,
 		mediaMaxBytes,
@@ -1693,6 +1684,29 @@ const FILE_CONSENT_THRESHOLD_BYTES = 4 * 1024 * 1024;
 * Higher than the default because OneDrive upload handles large files well.
 */
 const MSTEAMS_MAX_MEDIA_BYTES = 100 * 1024 * 1024;
+function createMSTeamsSendReceipt(params) {
+	return createMessageReceiptFromOutboundResults({
+		kind: params.kind,
+		results: params.platformMessageIds.map((messageId) => ({
+			channel: "msteams",
+			messageId,
+			conversationId: params.conversationId
+		}))
+	});
+}
+function createMSTeamsSendResult(params) {
+	const platformMessageIds = (params.platformMessageIds?.length ? [...params.platformMessageIds] : [params.messageId]).map((messageId) => messageId.trim()).filter((messageId) => messageId && messageId !== "unknown");
+	return {
+		messageId: params.messageId,
+		conversationId: params.conversationId,
+		receipt: createMSTeamsSendReceipt({
+			conversationId: params.conversationId,
+			platformMessageIds,
+			kind: params.kind
+		}),
+		...params.pendingUploadId ? { pendingUploadId: params.pendingUploadId } : {}
+	};
+}
 /**
 * Send a message to a Teams conversation or user.
 *
@@ -1774,11 +1788,12 @@ async function sendMessageMSTeams(params) {
 				messageId,
 				uploadId
 			});
-			return {
+			return createMSTeamsSendResult({
 				messageId,
 				conversationId,
+				kind: "card",
 				pendingUploadId: uploadId
-			};
+			});
 		}
 		if (conversationType === "personal") {
 			const base64 = media.buffer.toString("base64");
@@ -1833,10 +1848,11 @@ async function sendMessageMSTeams(params) {
 					messageId,
 					fileName: driveItem.name
 				});
-				return {
+				return createMSTeamsSendResult({
 					messageId,
-					conversationId
-				};
+					conversationId,
+					kind: "media"
+				});
 			}
 			log.debug?.("uploading to OneDrive (no SharePoint site configured)", {
 				fileName,
@@ -1867,10 +1883,11 @@ async function sendMessageMSTeams(params) {
 				messageId,
 				shareUrl: uploaded.shareUrl
 			});
-			return {
+			return createMSTeamsSendResult({
 				messageId,
-				conversationId
-			};
+				conversationId,
+				kind: "media"
+			});
 		} catch (err) {
 			const classification = classifyMSTeamsSendError(err);
 			const hint = formatMSTeamsSendErrorHint(classification);
@@ -1884,11 +1901,11 @@ async function sendMessageMSTeams(params) {
 * Send a text message with optional base64 media URL.
 */
 async function sendTextWithMedia(ctx, text, mediaUrl) {
-	const { adapter, appId, conversationId, ref, log, tokenProvider, sharePointSiteId, mediaMaxBytes } = ctx;
-	let messageIds;
+	const { adapter, appId, conversationId, ref, log, tokenProvider, sharePointSiteId, mediaMaxBytes, replyStyle } = ctx;
+	let platformMessageIds;
 	try {
-		messageIds = await sendMSTeamsMessages({
-			replyStyle: "top-level",
+		platformMessageIds = await sendMSTeamsMessages({
+			replyStyle,
 			adapter,
 			appId,
 			conversationRef: ref,
@@ -1913,14 +1930,19 @@ async function sendTextWithMedia(ctx, text, mediaUrl) {
 		const status = classification.statusCode ? ` (HTTP ${classification.statusCode})` : "";
 		throw new Error(`msteams send failed${status}: ${formatUnknownError(err)}${hint ? ` (${hint})` : ""}`, { cause: err });
 	}
-	const messageId = messageIds[0] ?? "unknown";
+	const messageId = platformMessageIds[0] ?? "unknown";
 	log.info("sent proactive message", {
 		conversationId,
 		messageId
 	});
 	return {
 		messageId,
-		conversationId
+		conversationId,
+		receipt: createMSTeamsSendReceipt({
+			conversationId,
+			platformMessageIds,
+			kind: mediaUrl ? "media" : "text"
+		})
 	};
 }
 async function sendProactiveActivityRaw({ adapter, appId, ref, activity }) {

package/dist/{resolve-allowlist-D41JSziq.js → resolve-allowlist-7CHP2hEA.js}

@@ -1,4 +1,4 @@
-import { c as normalizeQuery, f as resolveGraphToken, o as listChannelsForTeam, s as listTeamsByName, t as searchGraphUsers } from "./graph-users-9uQJepqr.js";
+import { c as normalizeQuery, f as resolveGraphToken, o as listChannelsForTeam, s as listTeamsByName, t as searchGraphUsers } from "./graph-users-CCU0WVMZ.js";
 import { mapAllowlistResolutionInputs } from "openclaw/plugin-sdk/allow-from";
 import { normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/text-runtime";
 //#region extensions/msteams/src/resolve-allowlist.ts

package/dist/{runtime-api-DV1iVMn1.js → runtime-api-C3EIaIpt.js}

@@ -1,9 +1,9 @@
 import { mergeAllowlist, resolveAllowlistMatchSimple, summarizeMapping } from "openclaw/plugin-sdk/allow-from";
+import { createChannelMessageReplyPipeline } from "openclaw/plugin-sdk/channel-message";
 import { createChannelPairingController } from "openclaw/plugin-sdk/channel-pairing";
-import { evaluateSenderGroupAccessForPolicy, readStoreAllowFromForDmPolicy, resolveDmGroupAccessWithLists, resolveEffectiveAllowFromLists, resolveSenderScopedGroupPolicy, resolveToolsBySender } from "openclaw/plugin-sdk/channel-policy";
+import { resolveToolsBySender } from "openclaw/plugin-sdk/channel-policy";
 import { DEFAULT_ACCOUNT_ID } from "openclaw/plugin-sdk/account-id";
 import { logTypingFailure } from "openclaw/plugin-sdk/channel-logging";
-import { createChannelReplyPipeline } from "openclaw/plugin-sdk/channel-reply-pipeline";
 import { PAIRING_APPROVED_MESSAGE, buildProbeChannelStatusSummary, createDefaultChannelRuntimeState } from "openclaw/plugin-sdk/channel-status";
 import { buildChannelKeyCandidates, normalizeChannelSlug, resolveChannelEntryMatchWithFallback, resolveNestedAllowlistDecision } from "openclaw/plugin-sdk/channel-targets";
 import { isDangerousNameMatchingEnabled } from "openclaw/plugin-sdk/dangerous-name-runtime";
@@ -25,4 +25,4 @@ const { setRuntime: setMSTeamsRuntime, getRuntime: getMSTeamsRuntime, tryGetRunt
 	errorMessage: "MSTeams runtime not initialized"
 });
 //#endregion
-export { resolveDmGroupAccessWithLists as A, normalizeChannelSlug as C, resolveChannelEntryMatchWithFallback as D, resolveAllowlistMatchSimple as E, summarizeMapping as F, withFileLock$1 as I, getMSTeamsRuntime as L, resolveNestedAllowlistDecision as M, resolveSenderScopedGroupPolicy as N, resolveChannelMediaMaxBytes as O, resolveToolsBySender as P, getOptionalMSTeamsRuntime as R, mergeAllowlist as S, readStoreAllowFromForDmPolicy as T, getFileExtension as _, buildMediaPayload as a, loadOutboundMediaFromUrl as b, createChannelPairingController as c, detectMime as d, dispatchReplyFromConfigWithSettledDispatcher$1 as f, fetchWithSsrFGuard$1 as g, extractOriginalFilename as h, buildChannelKeyCandidates as i, resolveEffectiveAllowFromLists as j, resolveDefaultGroupPolicy as k, createChannelReplyPipeline as l, extensionForMime as m, DEFAULT_WEBHOOK_MAX_BODY_BYTES as n, buildProbeChannelStatusSummary as o, evaluateSenderGroupAccessForPolicy as p, PAIRING_APPROVED_MESSAGE as r, chunkTextForOutbound as s, DEFAULT_ACCOUNT_ID as t, createDefaultChannelRuntimeState as u, isDangerousNameMatchingEnabled as v, normalizeStringEntries as w, logTypingFailure as x, keepHttpServerTaskAlive as y, setMSTeamsRuntime as z };
+export { summarizeMapping as A, normalizeStringEntries as C, resolveDefaultGroupPolicy as D, resolveChannelMediaMaxBytes as E, getMSTeamsRuntime as M, getOptionalMSTeamsRuntime as N, resolveNestedAllowlistDecision as O, setMSTeamsRuntime as P, normalizeChannelSlug as S, resolveChannelEntryMatchWithFallback as T, isDangerousNameMatchingEnabled as _, buildMediaPayload as a, logTypingFailure as b, createChannelMessageReplyPipeline as c, detectMime as d, dispatchReplyFromConfigWithSettledDispatcher$1 as f, getFileExtension as g, fetchWithSsrFGuard$1 as h, buildChannelKeyCandidates as i, withFileLock$1 as j, resolveToolsBySender as k, createChannelPairingController as l, extractOriginalFilename as m, DEFAULT_WEBHOOK_MAX_BODY_BYTES as n, buildProbeChannelStatusSummary as o, extensionForMime as p, PAIRING_APPROVED_MESSAGE as r, chunkTextForOutbound as s, DEFAULT_ACCOUNT_ID as t, createDefaultChannelRuntimeState as u, keepHttpServerTaskAlive as v, resolveAllowlistMatchSimple as w, mergeAllowlist as x, loadOutboundMediaFromUrl as y };