@openclaw/msteams 2026.5.7 → 2026.5.10-beta.1

package/dist/{src-CP7V_TeZ.js → src-DQ7ARgDd.js}

@@ -1,9 +1,10 @@
-import { A as resolveDmGroupAccessWithLists, F as summarizeMapping, L as getMSTeamsRuntime, N as resolveSenderScopedGroupPolicy, O as resolveChannelMediaMaxBytes, R as getOptionalMSTeamsRuntime, S as mergeAllowlist, T as readStoreAllowFromForDmPolicy, a as buildMediaPayload, c as createChannelPairingController, f as dispatchReplyFromConfigWithSettledDispatcher$1, j as resolveEffectiveAllowFromLists, k as resolveDefaultGroupPolicy, l as createChannelReplyPipeline, n as DEFAULT_WEBHOOK_MAX_BODY_BYTES, p as evaluateSenderGroupAccessForPolicy$1, t as DEFAULT_ACCOUNT_ID, v as isDangerousNameMatchingEnabled, x as logTypingFailure, y as keepHttpServerTaskAlive } from "./runtime-api-DV1iVMn1.js";
-import { A as ATTACHMENT_TAG_RE, B as isLikelyImageAttachment, C as loadMSTeamsSdkWithAuth, D as formatMSTeamsSendErrorHint, E as classifyMSTeamsSendError, F as estimateBase64DecodedBytes, G as resolveAttachmentFetchPolicy, H as isUrlAllowed, I as extractHtmlFromAttachment, J as safeFetchWithPolicy, K as resolveMediaSsrfPolicy, L as extractInlineImageCandidates, M as IMG_SRC_RE, N as applyAuthorizationHeaderForUrl, O as formatUnknownError, P as encodeGraphShareId, R as inferPlaceholder, S as createMSTeamsTokenProvider, T as ensureUserAgentHeader, U as normalizeContentType, V as isRecord, W as readNestedString, X as tryBuildGraphSharesUrlForSharedLink, Y as safeHostForUrl, _ as resolveMSTeamsStorePath, a as fetchGraphJson, b as createBotFrameworkJwtValidator, h as resolveMSTeamsCredentials, j as GRAPH_ROOT, q as resolveRequestUrl, w as buildUserAgent, x as createMSTeamsAdapter, z as isDownloadableAttachment } from "./graph-users-9uQJepqr.js";
-import { c as resolveMSTeamsUserAllowlist, s as resolveMSTeamsChannelAllowlist } from "./resolve-allowlist-D41JSziq.js";
-import { a as resolveMSTeamsRouteConfig, i as resolveMSTeamsReplyPolicy, n as resolveMSTeamsAllowlistMatch, t as isMSTeamsGroupAllowed } from "./policy-DTnU2GR7.js";
-import { C as readJsonFile, S as createMSTeamsConversationStoreFs, T as writeJsonFile, _ as buildFileInfoCard, b as createMSTeamsPollStoreFs, c as renderReplyPayloadsToMessages, d as withRevokedProxyFallback, f as resolveGraphChatId, g as removePendingUploadFs, h as getPendingUploadFs, l as sendMSTeamsMessages, m as removePendingUpload, p as getPendingUpload, s as buildConversationReference, u as AI_GENERATED_ENTITY, v as parseFileConsentInvoke, w as withFileLock, x as extractMSTeamsPollVote, y as uploadToConsentUrl } from "./probe-D_H8yFps.js";
+import { A as summarizeMapping, D as resolveDefaultGroupPolicy, E as resolveChannelMediaMaxBytes, M as getMSTeamsRuntime, N as getOptionalMSTeamsRuntime, _ as isDangerousNameMatchingEnabled, a as buildMediaPayload, b as logTypingFailure, c as createChannelMessageReplyPipeline, f as dispatchReplyFromConfigWithSettledDispatcher$1, l as createChannelPairingController, n as DEFAULT_WEBHOOK_MAX_BODY_BYTES, t as DEFAULT_ACCOUNT_ID, v as keepHttpServerTaskAlive, x as mergeAllowlist } from "./runtime-api-C3EIaIpt.js";
+import { A as ATTACHMENT_TAG_RE, B as isLikelyImageAttachment, C as loadMSTeamsSdkWithAuth, D as formatMSTeamsSendErrorHint, E as classifyMSTeamsSendError, F as estimateBase64DecodedBytes, G as resolveAttachmentFetchPolicy, H as isUrlAllowed, I as extractHtmlFromAttachment, J as safeFetchWithPolicy, K as resolveMediaSsrfPolicy, L as extractInlineImageCandidates, M as IMG_SRC_RE, N as applyAuthorizationHeaderForUrl, O as formatUnknownError, P as encodeGraphShareId, R as inferPlaceholder, S as createMSTeamsTokenProvider, T as ensureUserAgentHeader, U as normalizeContentType, V as isRecord$1, W as readNestedString, X as tryBuildGraphSharesUrlForSharedLink, Y as safeHostForUrl, _ as resolveMSTeamsStorePath, a as fetchGraphJson, b as createBotFrameworkJwtValidator, h as resolveMSTeamsCredentials, j as GRAPH_ROOT, q as resolveRequestUrl, w as buildUserAgent, x as createMSTeamsAdapter, z as isDownloadableAttachment } from "./graph-users-CCU0WVMZ.js";
+import { c as resolveMSTeamsUserAllowlist, s as resolveMSTeamsChannelAllowlist } from "./resolve-allowlist-7CHP2hEA.js";
+import { i as resolveMSTeamsRouteConfig, r as resolveMSTeamsReplyPolicy, t as resolveMSTeamsAllowlistMatch } from "./policy-bM71GXRd.js";
+import { C as readJsonFile, S as createMSTeamsConversationStoreFs, T as writeJsonFile, _ as buildFileInfoCard, b as createMSTeamsPollStoreFs, c as renderReplyPayloadsToMessages, d as withRevokedProxyFallback, f as resolveGraphChatId, g as removePendingUploadFs, h as getPendingUploadFs, l as sendMSTeamsMessages, m as removePendingUpload, p as getPendingUpload, s as buildConversationReference, u as AI_GENERATED_ENTITY, v as parseFileConsentInvoke, w as withFileLock, x as extractMSTeamsPollVote, y as uploadToConsentUrl } from "./probe-CQKmxtlj.js";
 import { formatAllowlistMatchMeta } from "openclaw/plugin-sdk/allow-from";
+import { createLiveMessageState, createPreviewMessageReceipt, defineFinalizableLivePreviewAdapter, deliverWithFinalizableLivePreviewAdapter, markLiveMessageFinalized } from "openclaw/plugin-sdk/channel-message";
 import { normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, normalizeOptionalString, readStringValue } from "openclaw/plugin-sdk/text-runtime";
 import { createDraftStreamLoop } from "openclaw/plugin-sdk/channel-lifecycle";
 import { readResponseWithLimit } from "openclaw/plugin-sdk/media-runtime";
@@ -11,14 +12,15 @@ import { dispatchReplyFromConfigWithSettledDispatcher, hasFinalInboundReplyDispa
 import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import { Buffer as Buffer$1 } from "node:buffer";
 import path from "node:path";
-import fs from "node:fs/promises";
+import { appendRegularFile } from "openclaw/plugin-sdk/security-runtime";
+import { writeJsonFileAtomically } from "openclaw/plugin-sdk/json-store";
 import { resolveThreadSessionKeys } from "openclaw/plugin-sdk/routing";
+import fs from "node:fs/promises";
+import { channelIngressRoutes, resolveStableChannelMessageIngress } from "openclaw/plugin-sdk/channel-ingress-runtime";
 import { logInboundDrop, resolveInboundMentionDecision, resolveInboundSessionEnvelopeContext } from "openclaw/plugin-sdk/channel-inbound";
-import { resolveDualTextControlCommandGate } from "openclaw/plugin-sdk/command-gating";
 import { filterSupplementalContextItems, resolveChannelContextVisibilityMode, shouldIncludeSupplementalContext } from "openclaw/plugin-sdk/context-visibility-runtime";
-import { evaluateSenderGroupAccessForPolicy } from "openclaw/plugin-sdk/group-access";
 import { DEFAULT_GROUP_HISTORY_LIMIT, buildPendingHistoryContextFromMap, recordPendingHistoryEntryIfEnabled } from "openclaw/plugin-sdk/reply-history";
-import { createChannelProgressDraftGate, formatChannelProgressDraftLine, formatChannelProgressDraftLineForEntry, formatChannelProgressDraftText, isChannelProgressDraftWorkToolName, resolveChannelPreviewStreamMode, resolveChannelProgressDraftMaxLines, resolveChannelStreamingBlockEnabled, resolveChannelStreamingPreviewToolProgress } from "openclaw/plugin-sdk/channel-streaming";
+import { buildChannelProgressDraftLine, buildChannelProgressDraftLineForEntry, createChannelProgressDraftGate, formatChannelProgressDraftText, isChannelProgressDraftWorkToolName, resolveChannelPreviewStreamMode, resolveChannelProgressDraftMaxLines, resolveChannelStreamingBlockEnabled, resolveChannelStreamingPreviewToolProgress } from "openclaw/plugin-sdk/channel-streaming";
 //#region extensions/msteams/src/feedback-reflection-prompt.ts
 /** Max chars of the thumbed-down response to include in the reflection prompt. */
 const MAX_RESPONSE_CHARS = 500;
@@ -126,8 +128,7 @@ async function storeSessionLearning(params) {
 	let learnings = exists ? existingLearnings : legacyLearnings;
 	learnings.push(params.learning);
 	if (learnings.length > 10) learnings = learnings.slice(-10);
-	await fs.mkdir(path.dirname(learningsFile), { recursive: true });
-	await fs.writeFile(learningsFile, JSON.stringify(learnings, null, 2), "utf-8");
+	await writeJsonFileAtomically(learningsFile, learnings);
 	if (!exists && legacyLearningsFile !== learningsFile) await fs.rm(legacyLearningsFile, { force: true }).catch(() => void 0);
 }
 //#endregion
@@ -490,6 +491,22 @@ async function respondToMSTeamsFileConsentInvoke(context, log) {
 }
 //#endregion
 //#region extensions/msteams/src/monitor-handler/access.ts
+const msteamsIngressIdentity = {
+	key: "sender-id",
+	normalize: normalizeIngressValue,
+	aliases: [{
+		key: "sender-name",
+		kind: "plugin:msteams-sender-name",
+		normalizeEntry: normalizeIngressValue,
+		normalizeSubject: normalizeIngressValue,
+		dangerous: true
+	}],
+	isWildcardEntry: (entry) => normalizeIngressValue(entry) === "*",
+	resolveEntryId: ({ entryIndex, fieldKey }) => `msteams-entry-${entryIndex + 1}:${fieldKey === "sender-name" ? "name" : "id"}`
+};
+function normalizeIngressValue(value) {
+	return normalizeOptionalLowercaseString(value) ?? null;
+}
 async function resolveMSTeamsSenderAccess(params) {
 	const activity = params.activity;
 	const msteamsCfg = params.cfg.channels?.msteams;
@@ -504,23 +521,10 @@ async function resolveMSTeamsSenderAccess(params) {
 		accountId: DEFAULT_ACCOUNT_ID
 	});
 	const dmPolicy = msteamsCfg?.dmPolicy ?? "pairing";
-	const storedAllowFrom = await readStoreAllowFromForDmPolicy({
-		provider: "msteams",
-		accountId: pairing.accountId,
-		dmPolicy,
-		readStore: pairing.readStoreForDmPolicy
-	});
 	const configuredDmAllowFrom = msteamsCfg?.allowFrom ?? [];
 	const groupAllowFrom = msteamsCfg?.groupAllowFrom;
-	const resolvedAllowFromLists = resolveEffectiveAllowFromLists({
-		allowFrom: configuredDmAllowFrom,
-		groupAllowFrom,
-		storeAllowFrom: storedAllowFrom,
-		dmPolicy
-	});
 	const defaultGroupPolicy = resolveDefaultGroupPolicy(params.cfg);
 	const groupPolicy = !isDirectMessage && msteamsCfg ? msteamsCfg.groupPolicy ?? defaultGroupPolicy ?? "allowlist" : "disabled";
-	const effectiveGroupAllowFrom = resolvedAllowFromLists.effectiveGroupAllowFrom;
 	const allowNameMatching = isDangerousNameMatchingEnabled(msteamsCfg);
 	const channelGate = resolveMSTeamsRouteConfig({
 		cfg: msteamsCfg,
@@ -530,49 +534,55 @@ async function resolveMSTeamsSenderAccess(params) {
 		channelName: activity.channelData?.channel?.name,
 		allowNameMatching
 	});
-	const senderGroupPolicy = channelGate.allowlistConfigured && effectiveGroupAllowFrom.length === 0 ? groupPolicy : resolveSenderScopedGroupPolicy({
-		groupPolicy,
-		groupAllowFrom: effectiveGroupAllowFrom
-	});
-	const access = resolveDmGroupAccessWithLists({
-		isGroup: !isDirectMessage,
-		dmPolicy,
-		groupPolicy: senderGroupPolicy,
-		allowFrom: configuredDmAllowFrom,
-		groupAllowFrom,
-		storeAllowFrom: storedAllowFrom,
-		groupAllowFromFallbackToAllowFrom: false,
-		isSenderAllowed: (allowFrom) => resolveMSTeamsAllowlistMatch({
-			allowFrom,
-			senderId,
-			senderName,
-			allowNameMatching
-		}).allowed
-	});
 	return {
-		msteamsCfg,
+		...await resolveStableChannelMessageIngress({
+			channelId: "msteams",
+			accountId: pairing.accountId,
+			identity: msteamsIngressIdentity,
+			cfg: params.cfg,
+			readStoreAllowFrom: pairing.readAllowFromStore,
+			subject: {
+				stableId: senderId,
+				aliases: { "sender-name": senderName }
+			},
+			conversation: {
+				kind: isDirectMessage ? "direct" : convType === "channel" ? "channel" : "group",
+				id: conversationId,
+				parentId: activity.channelData?.team?.id
+			},
+			route: channelIngressRoutes(!isDirectMessage && channelGate.allowlistConfigured && {
+				id: "msteams:team-channel",
+				kind: "nestedAllowlist",
+				allowed: channelGate.allowed,
+				precedence: 0,
+				matchId: "msteams-route",
+				...channelGate.allowed && groupPolicy === "allowlist" ? {
+					senderPolicy: "deny-when-empty",
+					senderAllowFromSource: "effective-group"
+				} : {}
+			}),
+			dmPolicy,
+			groupPolicy,
+			policy: {
+				groupAllowFromFallbackToAllowFrom: true,
+				mutableIdentifierMatching: allowNameMatching ? "enabled" : "disabled"
+			},
+			allowFrom: configuredDmAllowFrom,
+			groupAllowFrom,
+			command: {
+				allowTextCommands: true,
+				hasControlCommand: params.hasControlCommand === true,
+				directGroupAllowFrom: isDirectMessage ? "effective" : "none"
+			}
+		}),
 		pairing,
 		isDirectMessage,
 		conversationId,
 		senderId,
 		senderName,
+		msteamsCfg,
 		dmPolicy,
 		channelGate,
-		access,
-		senderGroupAccess: evaluateSenderGroupAccessForPolicy$1({
-			groupPolicy,
-			groupAllowFrom: effectiveGroupAllowFrom,
-			senderId,
-			isSenderAllowed: (_senderId, allowFrom) => resolveMSTeamsAllowlistMatch({
-				allowFrom,
-				senderId,
-				senderName,
-				allowNameMatching
-			}).allowed
-		}),
-		configuredDmAllowFrom,
-		effectiveDmAllowFrom: access.effectiveAllowFrom,
-		effectiveGroupAllowFrom,
 		allowNameMatching,
 		groupPolicy
 	};
@@ -842,7 +852,7 @@ function resolveDownloadCandidate(att) {
 	const contentType = normalizeContentType(att.contentType);
 	const name = normalizeOptionalString(att.name) ?? "";
 	if (contentType === "application/vnd.microsoft.teams.file.download.info") {
-		if (!isRecord(att.content)) return null;
+		if (!isRecord$1(att.content)) return null;
 		const downloadUrl = normalizeOptionalString(att.content.downloadUrl) ?? "";
 		if (!downloadUrl) return null;
 		const fileType = normalizeOptionalString(att.content.fileType) ?? "";
@@ -1612,6 +1622,7 @@ var TeamsHttpStream = class {
 		this.finalized = false;
 		this.streamFailed = false;
 		this.lastStreamedText = "";
+		this.finalMessageId = void 0;
 		this.streamStartedAt = void 0;
 		this.sendActivity = options.sendActivity;
 		this.feedbackLoopEnabled = options.feedbackLoopEnabled ?? false;
@@ -1678,22 +1689,23 @@ var TeamsHttpStream = class {
 	* Finalize the stream — send the final message activity.
 	*/
 	async finalize() {
-		if (this.finalized) return;
+		if (this.finalized) return this.finalMessageId;
 		this.finalized = true;
 		this.stopped = true;
 		this.loop.stop();
 		await this.loop.waitForInFlight();
-		if (!this.accumulatedText.trim()) return;
+		if (!this.accumulatedText.trim()) return this.finalMessageId;
 		if (this.streamFailed) {
 			if (this.streamId) try {
-				await this.sendActivity({
+				const response = await this.sendActivity({
 					type: "message",
 					text: this.lastStreamedText || "",
 					channelData: { feedbackLoopEnabled: this.feedbackLoopEnabled },
 					entities: [AI_GENERATED_ENTITY, buildStreamInfoEntity(this.streamId, "final")]
 				});
+				this.finalMessageId = extractId(response);
 			} catch {}
-			return;
+			return this.finalMessageId;
 		}
 		try {
 			const entities = [AI_GENERATED_ENTITY];
@@ -1704,11 +1716,13 @@ var TeamsHttpStream = class {
 				channelData: { feedbackLoopEnabled: this.feedbackLoopEnabled },
 				entities
 			};
-			await this.sendActivity(finalActivity);
+			const response = await this.sendActivity(finalActivity);
+			this.finalMessageId = extractId(response);
 		} catch (err) {
 			this.streamFailed = true;
 			this.onError?.(err);
 		}
+		return this.finalMessageId;
 	}
 	/** Whether streaming successfully delivered content (at least one chunk sent, not failed). */
 	get hasContent() {
@@ -1726,6 +1740,14 @@ var TeamsHttpStream = class {
 	get isFinalized() {
 		return this.finalized;
 	}
+	/** Platform id returned by the final message activity, when available. */
+	get messageId() {
+		return this.finalMessageId;
+	}
+	/** Stream id returned by the first streaminfo activity, when available. */
+	get previewStreamId() {
+		return this.streamId;
+	}
 	/** Whether streaming fell back (not used in this implementation). */
 	get isFallback() {
 		return false;
@@ -1781,6 +1803,13 @@ function createTeamsReplyStreamController(params) {
 	let progressLines = [];
 	let lastInformativeText = "";
 	let pendingFinalize;
+	let liveState = createLiveMessageState({ canFinalizeInPlace: Boolean(stream) });
+	const markStreamFinalized = () => {
+		if (!stream || stream.isFailed) return;
+		const messageId = stream.messageId ?? stream.previewStreamId;
+		if (!messageId) return;
+		liveState = markLiveMessageFinalized(liveState, createPreviewMessageReceipt({ id: messageId }));
+	};
 	const renderInformativeUpdate = async () => {
 		if (!stream) return;
 		const informativeText = formatChannelProgressDraftText({
@@ -1806,9 +1835,12 @@ function createTeamsReplyStreamController(params) {
 		if (!stream || streamMode !== "progress") return;
 		if (options?.toolName !== void 0 && !isChannelProgressDraftWorkToolName(options.toolName)) return;
 		if (shouldStreamPreviewToolProgress) {
-			const normalized = line?.replace(/\s+/g, " ").trim();
+			const normalized = normalizeProgressLineIdentity(line);
 			if (normalized) {
-				if (progressLines.at(-1) !== normalized) progressLines = [...progressLines, normalized].slice(-resolveChannelProgressDraftMaxLines(params.msteamsConfig));
+				if (normalizeProgressLineIdentity(progressLines.at(-1)) !== normalized) {
+					const progressLine = typeof line === "object" && line !== void 0 ? line : normalized;
+					progressLines = [...progressLines, progressLine].slice(-resolveChannelProgressDraftMaxLines(params.msteamsConfig));
+				}
 			}
 		}
 		await noteProgressWork();
@@ -1827,6 +1859,39 @@ function createTeamsReplyStreamController(params) {
 			text: remainingText
 		};
 	};
+	const finalizeProgressPayload = async (payload, hasMedia) => {
+		if (!stream || !payload.text) return payload;
+		return (await deliverWithFinalizableLivePreviewAdapter({
+			kind: "final",
+			payload,
+			liveState,
+			adapter: defineFinalizableLivePreviewAdapter({
+				draft: {
+					flush: async () => {},
+					clear: async () => {},
+					id: () => stream.previewStreamId
+				},
+				buildFinalEdit: (candidate) => candidate.text ? { text: candidate.text } : void 0,
+				editFinal: async (_previewId, edit) => {
+					const finalized = await stream.replaceInformativeWithFinal(edit.text);
+					informativeUpdateSent = false;
+					if (!finalized || stream.isFailed) throw new Error("Teams progress stream finalization failed");
+				},
+				resolveFinalizedId: (previewId) => stream.messageId ?? stream.previewStreamId ?? previewId,
+				createPreviewReceipt: (id) => createPreviewMessageReceipt({ id }),
+				onPreviewFinalized: (_id, _receipt, state) => {
+					liveState = state;
+				},
+				logPreviewEditFailure: (err) => {
+					params.log.debug?.(`stream finalization failed: ${formatUnknownError(err)}`);
+				}
+			}),
+			deliverNormally: async () => false
+		})).kind === "preview-finalized" ? hasMedia ? {
+			...payload,
+			text: void 0
+		} : void 0 : payload;
+	};
 	return {
 		async onReplyStart() {},
 		async noteProgressWork(options) {
@@ -1851,13 +1916,7 @@ function createTeamsReplyStreamController(params) {
 			const hasMedia = Boolean(payload.mediaUrl || payload.mediaUrls?.length);
 			if (stream && streamMode === "progress" && informativeUpdateSent && !stream.isFinalized) {
 				if (!payload.text) return payload;
-				const finalized = await stream.replaceInformativeWithFinal(payload.text);
-				informativeUpdateSent = false;
-				if (!finalized || stream.isFailed) return payload;
-				return hasMedia ? {
-					...payload,
-					text: void 0
-				} : void 0;
+				return await finalizeProgressPayload(payload, hasMedia);
 			}
 			if (!stream || !streamReceivedTokens) return payload;
 			if (stream.isFailed) {
@@ -1866,7 +1925,9 @@ function createTeamsReplyStreamController(params) {
 			}
 			if (!stream.hasContent || stream.isFinalized) return payload;
 			streamReceivedTokens = false;
-			pendingFinalize = stream.finalize();
+			pendingFinalize = stream.finalize().then(() => {
+				markStreamFinalized();
+			});
 			if (!hasMedia) return;
 			return {
 				...payload,
@@ -1876,11 +1937,17 @@ function createTeamsReplyStreamController(params) {
 		async finalize() {
 			progressDraftGate.cancel();
 			await pendingFinalize;
-			await stream?.finalize();
+			if (!pendingFinalize) {
+				await stream?.finalize();
+				markStreamFinalized();
+			}
 		},
 		hasStream() {
 			return Boolean(stream);
 		},
+		liveState() {
+			return liveState;
+		},
 		/**
 		* Whether the Teams streaming card is currently receiving LLM tokens.
 		* Used to gate side-channel keepalive activity so we don't overlay plain
@@ -1905,6 +1972,9 @@ function createTeamsReplyStreamController(params) {
 		}
 	};
 }
+function normalizeProgressLineIdentity(line) {
+	return (typeof line === "string" ? line : line?.text)?.replace(/\s+/g, " ").trim() ?? "";
+}
 //#endregion
 //#region extensions/msteams/src/reply-dispatcher.ts
 function createMSTeamsReplyDispatcher(params) {
@@ -1952,7 +2022,7 @@ function createMSTeamsReplyDispatcher(params) {
 		if (streamActiveRef.current()) return;
 		await rawSendTypingIndicator();
 	} : async () => {};
-	const { onModelSelected, typingCallbacks, ...replyPipeline } = createChannelReplyPipeline({
+	const { onModelSelected, typingCallbacks, ...replyPipeline } = createChannelMessageReplyPipeline({
 		cfg: params.cfg,
 		agentId: params.agentId,
 		channel: "msteams",
@@ -2145,7 +2215,7 @@ function createMSTeamsReplyDispatcher(params) {
 			...streamController.shouldSuppressDefaultToolProgressMessages() ? { suppressDefaultToolProgressMessages: true } : {},
 			...streamController.shouldStreamPreviewToolProgress() ? {
 				onToolStart: async (payload) => {
-					await streamController.pushProgressLine(formatChannelProgressDraftLineForEntry(msteamsCfg, {
+					await streamController.pushProgressLine(buildChannelProgressDraftLineForEntry(msteamsCfg, {
 						event: "tool",
 						name: payload.name,
 						phase: payload.phase,
@@ -2153,7 +2223,7 @@ function createMSTeamsReplyDispatcher(params) {
 					}, payload.detailMode ? { detailMode: payload.detailMode } : void 0), { toolName: payload.name });
 				},
 				onItemEvent: async (payload) => {
-					await streamController.pushProgressLine(formatChannelProgressDraftLineForEntry(msteamsCfg, {
+					await streamController.pushProgressLine(buildChannelProgressDraftLineForEntry(msteamsCfg, {
 						event: "item",
 						itemKind: payload.kind,
 						title: payload.title,
@@ -2167,7 +2237,7 @@ function createMSTeamsReplyDispatcher(params) {
 				},
 				onPlanUpdate: async (payload) => {
 					if (payload.phase !== "update") return;
-					await streamController.pushProgressLine(formatChannelProgressDraftLine({
+					await streamController.pushProgressLine(buildChannelProgressDraftLine({
 						event: "plan",
 						phase: payload.phase,
 						title: payload.title,
@@ -2177,7 +2247,7 @@ function createMSTeamsReplyDispatcher(params) {
 				},
 				onApprovalEvent: async (payload) => {
 					if (payload.phase !== "requested") return;
-					await streamController.pushProgressLine(formatChannelProgressDraftLine({
+					await streamController.pushProgressLine(buildChannelProgressDraftLine({
 						event: "approval",
 						phase: payload.phase,
 						title: payload.title,
@@ -2188,7 +2258,7 @@ function createMSTeamsReplyDispatcher(params) {
 				},
 				onCommandOutput: async (payload) => {
 					if (payload.phase !== "end") return;
-					await streamController.pushProgressLine(formatChannelProgressDraftLine({
+					await streamController.pushProgressLine(buildChannelProgressDraftLine({
 						event: "command-output",
 						phase: payload.phase,
 						title: payload.title,
@@ -2199,7 +2269,7 @@ function createMSTeamsReplyDispatcher(params) {
 				},
 				onPatchSummary: async (payload) => {
 					if (payload.phase !== "end") return;
-					await streamController.pushProgressLine(formatChannelProgressDraftLine({
+					await streamController.pushProgressLine(buildChannelProgressDraftLine({
 						event: "patch",
 						phase: payload.phase,
 						title: payload.title,
@@ -2430,13 +2500,29 @@ function extractTextFromHtmlAttachments(attachments) {
 	for (const attachment of attachments) {
 		if (attachment.contentType !== "text/html") continue;
 		const content = attachment.content;
-		const raw = typeof content === "string" ? content : isRecord(content) && typeof content.text === "string" ? content.text : isRecord(content) && typeof content.body === "string" ? content.body : "";
+		const raw = typeof content === "string" ? content : isRecord$1(content) && typeof content.text === "string" ? content.text : isRecord$1(content) && typeof content.body === "string" ? content.body : "";
 		if (!raw) continue;
 		const text = raw.replace(/<at[^>]*>.*?<\/at>/gis, " ").replace(/<a\b[^>]*href=["']([^"']+)["'][^>]*>(.*?)<\/a>/gis, "$2 $1").replace(/<br\s*\/?>/gi, "\n").replace(/<\/p>/gi, "\n").replace(/<[^>]+>/g, " ").replace(/&nbsp;/gi, " ").replace(/&amp;/gi, "&").replace(/\s+/g, " ").trim();
 		if (text) return text;
 	}
 	return "";
 }
+function formatMSTeamsSenderReason(params) {
+	switch (params.reasonCode) {
+		case "dm_policy_open": return "dmPolicy=open";
+		case "dm_policy_disabled": return "dmPolicy=disabled";
+		case "dm_policy_pairing_required": return "dmPolicy=pairing (not allowlisted)";
+		case "dm_policy_allowlisted": return `dmPolicy=${params.dmPolicy ?? "allowlist"} (allowlisted)`;
+		case "dm_policy_not_allowlisted": return `dmPolicy=${params.dmPolicy ?? "allowlist"} (not allowlisted)`;
+		case "group_policy_disabled": return "groupPolicy=disabled";
+		case "group_policy_empty_allowlist":
+		case "route_sender_empty": return "groupPolicy=allowlist (empty allowlist)";
+		case "group_policy_not_allowlisted": return "groupPolicy=allowlist (not allowlisted)";
+		case "group_policy_open": return "groupPolicy=open";
+		case "group_policy_allowed": return `groupPolicy=${params.groupPolicy ?? "allowlist"}`;
+		default: return params.reasonCode;
+	}
+}
 function buildStoredConversationReference(params) {
 	const { activity, conversationId, conversationType, teamId, threadId } = params;
 	const from = activity.from;
@@ -2532,14 +2618,17 @@ function createMSTeamsMessageHandler(deps) {
 			teamId,
 			threadId: conversationType === "channel" ? conversationMessageId ?? activity.replyToId ?? void 0 : void 0
 		});
-		const { dmPolicy, senderId, senderName, pairing, isDirectMessage, channelGate, access, configuredDmAllowFrom, effectiveDmAllowFrom, effectiveGroupAllowFrom, allowNameMatching, groupPolicy } = await resolveMSTeamsSenderAccess({
+		const { dmPolicy, senderId, senderName, pairing, isDirectMessage, channelGate, senderAccess, commandAccess, allowNameMatching, groupPolicy } = await resolveMSTeamsSenderAccess({
 			cfg,
-			activity
+			activity,
+			hasControlCommand: core.channel.text.hasControlCommand(text, cfg)
 		});
-		const useAccessGroups = cfg.commands?.useAccessGroups !== false;
+		const commandAuthorized = commandAccess.requested ? commandAccess.authorized : void 0;
+		const effectiveDmAllowFrom = senderAccess.effectiveAllowFrom;
+		const effectiveGroupAllowFrom = senderAccess.effectiveGroupAllowFrom;
 		const isChannel = conversationType === "channel";
-		if (isDirectMessage && msteamsCfg && access.decision !== "allow") {
-			if (access.reason === "dmPolicy=disabled") {
+		if (isDirectMessage && msteamsCfg && senderAccess.decision !== "allow") {
+			if (senderAccess.reasonCode === "dm_policy_disabled") {
 				log.info("dropping dm (dms disabled)", {
 					sender: senderId,
 					label: senderName
@@ -2553,7 +2642,7 @@ function createMSTeamsMessageHandler(deps) {
 				senderName,
 				allowNameMatching
 			});
-			if (access.decision === "pairing") {
+			if (senderAccess.decision === "pairing") {
 				conversationStore.upsert(conversationId, conversationRef).catch((err) => {
 					log.debug?.("failed to save conversation reference", { error: formatUnknownError(err) });
 				});
@@ -2574,7 +2663,11 @@ function createMSTeamsMessageHandler(deps) {
 				sender: senderId,
 				label: senderName,
 				dmPolicy,
-				reason: access.reason,
+				reason: formatMSTeamsSenderReason({
+					reasonCode: senderAccess.reasonCode,
+					dmPolicy,
+					groupPolicy
+				}),
 				allowlistMatch: formatAllowlistMatchMeta(allowMatch)
 			});
 			return;
@@ -2597,28 +2690,17 @@ function createMSTeamsMessageHandler(deps) {
 				});
 				return;
 			}
-			const senderGroupAccess = evaluateSenderGroupAccessForPolicy({
-				groupPolicy,
-				groupAllowFrom: effectiveGroupAllowFrom,
-				senderId,
-				isSenderAllowed: (_senderId, allowFrom) => resolveMSTeamsAllowlistMatch({
-					allowFrom,
-					senderId,
-					senderName,
-					allowNameMatching
-				}).allowed
-			});
-			if (!senderGroupAccess.allowed && senderGroupAccess.reason === "disabled") {
+			if (!senderAccess.allowed && senderAccess.reasonCode === "group_policy_disabled") {
 				log.info("dropping group message (groupPolicy: disabled)", { conversationId });
 				log.debug?.("dropping group message (groupPolicy: disabled)", { conversationId });
 				return;
 			}
-			if (!senderGroupAccess.allowed && senderGroupAccess.reason === "empty_allowlist") {
+			if (!senderAccess.allowed && (senderAccess.reasonCode === "group_policy_empty_allowlist" || senderAccess.reasonCode === "route_sender_empty")) {
 				log.info("dropping group message (groupPolicy: allowlist, no allowlist)", { conversationId });
 				log.debug?.("dropping group message (groupPolicy: allowlist, no allowlist)", { conversationId });
 				return;
 			}
-			if (!senderGroupAccess.allowed && senderGroupAccess.reason === "sender_not_allowlisted") {
+			if (!senderAccess.allowed && senderAccess.reasonCode === "group_policy_not_allowlisted") {
 				const allowMatch = resolveMSTeamsAllowlistMatch({
 					allowFrom: effectiveGroupAllowFrom,
 					senderId,
@@ -2638,30 +2720,7 @@ function createMSTeamsMessageHandler(deps) {
 				return;
 			}
 		}
-		const commandDmAllowFrom = isDirectMessage ? effectiveDmAllowFrom : configuredDmAllowFrom;
-		const ownerAllowedForCommands = isMSTeamsGroupAllowed({
-			groupPolicy: "allowlist",
-			allowFrom: commandDmAllowFrom,
-			senderId,
-			senderName,
-			allowNameMatching
-		});
-		const groupAllowedForCommands = isMSTeamsGroupAllowed({
-			groupPolicy: "allowlist",
-			allowFrom: effectiveGroupAllowFrom,
-			senderId,
-			senderName,
-			allowNameMatching
-		});
-		const { commandAuthorized, shouldBlock } = resolveDualTextControlCommandGate({
-			useAccessGroups,
-			primaryConfigured: commandDmAllowFrom.length > 0,
-			primaryAllowed: ownerAllowedForCommands,
-			secondaryConfigured: effectiveGroupAllowFrom.length > 0,
-			secondaryAllowed: groupAllowedForCommands,
-			hasControlCommand: core.channel.text.hasControlCommand(text, cfg)
-		});
-		if (shouldBlock) {
+		if (commandAccess.shouldBlockControlCommand) {
 			logInboundDrop({
 				log: logVerboseMessage,
 				channel: "msteams",
@@ -3021,7 +3080,7 @@ function createMSTeamsMessageHandler(deps) {
 			logVerboseMessage(`msteams: delivered ${finalCount} reply${finalCount === 1 ? "" : "ies"} to ${teamsTo}`);
 		} catch (err) {
 			log.error("dispatch failed", { error: formatUnknownError(err) });
-			runtime.error?.(`msteams dispatch failed: ${formatUnknownError(err)}`);
+			runtime.error(`msteams dispatch failed: ${formatUnknownError(err)}`);
 			try {
 				await context.sendActivity("⚠️ Something went wrong. Please try again.");
 			} catch {}
@@ -3062,7 +3121,7 @@ function createMSTeamsMessageHandler(deps) {
 			});
 		},
 		onError: (err) => {
-			runtime.error?.(`msteams debounce flush failed: ${formatUnknownError(err)}`);
+			runtime.error(`msteams debounce flush failed: ${formatUnknownError(err)}`);
 		}
 	});
 	return async function handleTeamsMessage(context) {
@@ -3114,11 +3173,6 @@ function createMSTeamsReactionHandler(deps) {
 	const { cfg, log } = deps;
 	const core = getMSTeamsRuntime();
 	const msteamsCfg = cfg.channels?.msteams;
-	const pairing = createChannelPairingController({
-		core,
-		channel: "msteams",
-		accountId: DEFAULT_ACCOUNT_ID
-	});
 	return async function handleReaction(context, direction) {
 		const activity = context.activity;
 		const reactions = direction === "added" ? activity.reactionsAdded ?? [] : activity.reactionsRemoved ?? [];
@@ -3138,74 +3192,19 @@ function createMSTeamsReactionHandler(deps) {
 		const isDirectMessage = !isGroupChat && !isChannel;
 		const senderId = from.aadObjectId ?? from.id;
 		const senderName = from.name ?? from.id;
-		const dmPolicy = msteamsCfg?.dmPolicy ?? "pairing";
-		const storedAllowFrom = await readStoreAllowFromForDmPolicy({
-			provider: "msteams",
-			accountId: pairing.accountId,
-			dmPolicy,
-			readStore: pairing.readStoreForDmPolicy
-		});
-		const dmAllowFrom = msteamsCfg?.allowFrom ?? [];
-		const groupAllowFrom = msteamsCfg?.groupAllowFrom;
-		const resolvedAllowFromLists = resolveEffectiveAllowFromLists({
-			allowFrom: dmAllowFrom,
-			groupAllowFrom,
-			storeAllowFrom: storedAllowFrom,
-			dmPolicy
-		});
-		const defaultGroupPolicy = resolveDefaultGroupPolicy(cfg);
-		if (isDirectMessage && msteamsCfg) {
-			const access = resolveDmGroupAccessWithLists({
-				isGroup: false,
-				dmPolicy,
-				groupPolicy: msteamsCfg.groupPolicy ?? defaultGroupPolicy ?? "allowlist",
-				allowFrom: dmAllowFrom,
-				groupAllowFrom,
-				storeAllowFrom: storedAllowFrom,
-				groupAllowFromFallbackToAllowFrom: false,
-				isSenderAllowed: (allowFrom) => resolveMSTeamsAllowlistMatch({
-					allowFrom,
-					senderId,
-					senderName,
-					allowNameMatching: isDangerousNameMatchingEnabled(msteamsCfg)
-				}).allowed
+		if (msteamsCfg) {
+			const senderAccess = await resolveMSTeamsSenderAccess({
+				cfg,
+				activity
 			});
-			if (access.decision !== "allow") {
-				log.debug?.("dropping reaction (dm access denied)", {
+			if (senderAccess.senderAccess.decision !== "allow") {
+				log.debug?.("dropping reaction (access denied)", {
 					sender: senderId,
-					reason: access.reason
+					reason: senderAccess.senderAccess.reasonCode
 				});
 				return;
 			}
 		}
-		if (!isDirectMessage && msteamsCfg) {
-			const teamId = activity.channelData?.team?.id;
-			const teamName = activity.channelData?.team?.name;
-			const channelName = activity.channelData?.channel?.name;
-			const channelGate = resolveMSTeamsRouteConfig({
-				cfg: msteamsCfg,
-				teamId,
-				teamName,
-				conversationId,
-				channelName,
-				allowNameMatching: isDangerousNameMatchingEnabled(msteamsCfg)
-			});
-			if (channelGate.allowlistConfigured && !channelGate.allowed) {
-				log.debug?.("dropping reaction (not in team/channel allowlist)", { conversationId });
-				return;
-			}
-			const effectiveGroupAllowFrom = resolvedAllowFromLists.effectiveGroupAllowFrom;
-			if (!isMSTeamsGroupAllowed({
-				groupPolicy: msteamsCfg.groupPolicy ?? defaultGroupPolicy ?? "allowlist",
-				allowFrom: effectiveGroupAllowFrom,
-				senderId,
-				senderName,
-				allowNameMatching: isDangerousNameMatchingEnabled(msteamsCfg)
-			})) {
-				log.debug?.("dropping reaction (sender not in group allowlist)", { sender: senderId });
-				return;
-			}
-		}
 		const teamId = isDirectMessage ? void 0 : activity.channelData?.team?.id;
 		const route = core.channel.routing.resolveAgentRoute({
 			cfg,
@@ -3489,7 +3488,7 @@ async function isInvokeAuthorized(params) {
 	const { msteamsCfg, isDirectMessage, conversationId, senderId } = resolved;
 	if (!msteamsCfg) return true;
 	const maybeInvokeName = includeInvokeName ? { name: context.activity.name } : void 0;
-	if (isDirectMessage && resolved.access.decision !== "allow") {
+	if (isDirectMessage && resolved.senderAccess.decision !== "allow") {
 		deps.log.debug?.(deniedLogs.dm, {
 			sender: senderId,
 			conversationId,
@@ -3506,7 +3505,7 @@ async function isInvokeAuthorized(params) {
 		});
 		return false;
 	}
-	if (!isDirectMessage && !resolved.senderGroupAccess.allowed) {
+	if (!isDirectMessage && !resolved.senderAccess.allowed) {
 		deps.log.debug?.(deniedLogs.group, {
 			sender: senderId,
 			conversationId,
@@ -3603,8 +3602,11 @@ async function handleFeedbackInvoke(context, deps) {
 	try {
 		const storePath = core.channel.session.resolveStorePath(deps.cfg.session?.store, { agentId: route.agentId });
 		const safeKey = route.sessionKey.replace(/[^a-zA-Z0-9_-]/g, "_");
-		const transcriptFile = path.join(storePath, `${safeKey}.jsonl`);
-		await fs.appendFile(transcriptFile, JSON.stringify(feedbackEvent) + "\n", "utf-8").catch(() => {});
+		await appendRegularFile({
+			filePath: path.join(storePath, `${safeKey}.jsonl`),
+			content: `${JSON.stringify(feedbackEvent)}\n`,
+			rejectSymlinkParents: true
+		}).catch(() => {});
 	} catch {}
 	const conversationRef = {
 		activityId: activity.id,
@@ -3744,7 +3746,7 @@ function registerMSTeamsHandlers(handler, deps) {
 		try {
 			await handleTeamsMessage(context);
 		} catch (err) {
-			deps.runtime.error?.(`msteams handler failed: ${formatUnknownError(err)}`);
+			deps.runtime.error(`msteams handler failed: ${formatUnknownError(err)}`);
 		}
 		await next();
 	});
@@ -3788,7 +3790,7 @@ function registerMSTeamsHandlers(handler, deps) {
 		try {
 			await handleReaction(context, "added");
 		} catch (err) {
-			deps.runtime.error?.(`msteams reaction handler failed: ${String(err)}`);
+			deps.runtime.error(`msteams reaction handler failed: ${String(err)}`);
 		}
 		await next();
 	});
@@ -3796,7 +3798,7 @@ function registerMSTeamsHandlers(handler, deps) {
 		try {
 			await handleReaction(context, "removed");
 		} catch (err) {
-			deps.runtime.error?.(`msteams reaction handler failed: ${String(err)}`);
+			deps.runtime.error(`msteams reaction handler failed: ${String(err)}`);
 		}
 		await next();
 	});
@@ -3941,7 +3943,17 @@ async function monitorMSTeamsProvider(opts) {
 	let allowFrom = msteamsCfg.allowFrom;
 	let groupAllowFrom = msteamsCfg.groupAllowFrom;
 	let teamsConfig = msteamsCfg.teams;
+	const allowNameMatching = isDangerousNameMatchingEnabled(msteamsCfg);
 	const cleanAllowEntry = (entry) => entry.replace(/^(msteams|teams):/i, "").replace(/^user:/i, "").trim();
+	const isStableUserId = (entry) => /^[0-9a-fA-F-]{16,}$/.test(entry);
+	const cleanAllowEntries = (entries) => entries?.map((entry) => cleanAllowEntry(entry)).filter((entry) => entry && entry !== "*") ?? [];
+	const mergeStableUserIds = (entries) => {
+		const additions = cleanAllowEntries(entries).filter((entry) => isStableUserId(entry));
+		return additions.length > 0 ? mergeAllowlist({
+			existing: entries,
+			additions
+		}) : entries;
+	};
 	const resolveAllowlistUsers = async (label, entries) => {
 		if (entries.length === 0) return {
 			additions: [],
@@ -3962,23 +3974,27 @@ async function monitorMSTeamsProvider(opts) {
 		};
 	};
 	try {
-		const allowEntries = allowFrom?.map((entry) => cleanAllowEntry(entry)).filter((entry) => entry && entry !== "*") ?? [];
-		if (allowEntries.length > 0) {
-			const { additions } = await resolveAllowlistUsers("msteams users", allowEntries);
-			allowFrom = mergeAllowlist({
-				existing: allowFrom,
-				additions
-			});
-		}
-		if (Array.isArray(groupAllowFrom) && groupAllowFrom.length > 0) {
-			const groupEntries = groupAllowFrom.map((entry) => cleanAllowEntry(entry)).filter((entry) => entry && entry !== "*");
-			if (groupEntries.length > 0) {
-				const { additions } = await resolveAllowlistUsers("msteams group users", groupEntries);
-				groupAllowFrom = mergeAllowlist({
-					existing: groupAllowFrom,
+		allowFrom = mergeStableUserIds(allowFrom);
+		if (Array.isArray(groupAllowFrom) && groupAllowFrom.length > 0) groupAllowFrom = mergeStableUserIds(groupAllowFrom);
+		if (allowNameMatching) {
+			const allowEntries = cleanAllowEntries(allowFrom).filter((entry) => !isStableUserId(entry));
+			if (allowEntries.length > 0) {
+				const { additions } = await resolveAllowlistUsers("msteams users", allowEntries);
+				allowFrom = mergeAllowlist({
+					existing: allowFrom,
 					additions
 				});
 			}
+			if (Array.isArray(groupAllowFrom) && groupAllowFrom.length > 0) {
+				const groupEntries = cleanAllowEntries(groupAllowFrom).filter((entry) => !isStableUserId(entry));
+				if (groupEntries.length > 0) {
+					const { additions } = await resolveAllowlistUsers("msteams group users", groupEntries);
+					groupAllowFrom = mergeAllowlist({
+						existing: groupAllowFrom,
+						additions
+					});
+				}
+			}
 		}
 		if (teamsConfig && Object.keys(teamsConfig).length > 0) {
 			const entries = [];
@@ -4046,7 +4062,7 @@ async function monitorMSTeamsProvider(opts) {
 			}
 		}
 	} catch (err) {
-		runtime.log?.(`msteams resolve failed; using config entries. ${formatUnknownError(err)}`);
+		runtime?.error(`msteams resolve failed; falling back to raw config entries — allowlist members resolved via Graph may be missing. ${formatUnknownError(err)}`);
 	}
 	msteamsCfg = {
 		...msteamsCfg,
@@ -4116,7 +4132,8 @@ async function monitorMSTeamsProvider(opts) {
 			}
 			next();
 		}).catch((err) => {
-			log.debug?.(`JWT validation error: ${formatUnknownError(err)}`);
+			if (err instanceof Error && /ECONNREFUSED|ENOTFOUND|EHOSTUNREACH|ETIMEDOUT|ECONNRESET/i.test(err.code ?? err.message)) runtime?.error(`msteams: JWKS key fetch failed — check egress to login.botframework.com:443 (firewall or DNS may be blocking it). Bot will 401 all inbound requests until this is resolved. Error: ${formatUnknownError(err)}`);
+			else log.debug?.(`JWT validation error: ${formatUnknownError(err)}`);
 			res.status(401).json({ error: "Unauthorized" });
 		});
 	});