@openclaw/msteams 2026.6.1-beta.3 → 2026.6.2-beta.1

package/dist/api.js

@@ -1,3 +1,3 @@
-import { i as msteamsSetupAdapter, n as openDelegatedOAuthUrl, r as createMSTeamsSetupWizardBase, t as msteamsSetupWizard } from "./setup-surface-DGTz8Mlf.js";
-import { t as msteamsPlugin } from "./channel-Dhw8AvTl.js";
+import { t as msteamsPlugin } from "./channel-BwNnuHbh.js";
+import { c as msteamsSetupAdapter, n as openDelegatedOAuthUrl, s as createMSTeamsSetupWizardBase, t as msteamsSetupWizard } from "./setup-surface-DdyMxq-W.js";
 export { createMSTeamsSetupWizardBase, msteamsPlugin, msteamsSetupAdapter, msteamsSetupWizard, openDelegatedOAuthUrl };

package/dist/{channel-Dhw8AvTl.js → channel-BwNnuHbh.js}

@@ -1,7 +1,7 @@
 import { O as resolveNestedAllowlistDecision, S as normalizeChannelSlug, T as resolveChannelEntryMatchWithFallback, _ as isDangerousNameMatchingEnabled, i as buildChannelKeyCandidates, k as resolveToolsBySender, o as buildProbeChannelStatusSummary, r as PAIRING_APPROVED_MESSAGE, s as chunkTextForOutbound, t as DEFAULT_ACCOUNT_ID, u as createDefaultChannelRuntimeState, w as resolveAllowlistMatchSimple } from "./runtime-api-BlvMnDKz.js";
-import { y as resolveMSTeamsCredentials } from "./errors-Dpn8B05h.js";
-import { a as looksLikeMSTeamsTargetId, c as parseMSTeamsConversationId, d as resolveMSTeamsUserAllowlist, i as msteamsSetupAdapter, l as parseMSTeamsTeamChannelInput, o as normalizeMSTeamsMessagingTarget, s as normalizeMSTeamsUserInput, t as msteamsSetupWizard, u as resolveMSTeamsChannelAllowlist } from "./setup-surface-DGTz8Mlf.js";
+import { C as resolveMSTeamsCredentials, a as parseMSTeamsTeamChannelInput, c as resolveMSTeamsUserAllowlist, i as parseMSTeamsConversationId, n as normalizeMSTeamsMessagingTarget, r as normalizeMSTeamsUserInput, s as resolveMSTeamsChannelAllowlist, t as looksLikeMSTeamsTargetId } from "./resolve-allowlist-C6VVTfbj.js";
 import { t as MSTeamsChannelConfigSchema } from "./config-schema-BL4qQZiA.js";
+import { c as msteamsSetupAdapter, t as msteamsSetupWizard } from "./setup-surface-DdyMxq-W.js";
 import { describeAccountSnapshot } from "openclaw/plugin-sdk/account-helpers";
 import { formatAllowFromLowercase } from "openclaw/plugin-sdk/allow-from";
 import { createTopLevelChannelConfigAdapter } from "openclaw/plugin-sdk/channel-config-helpers";
@@ -331,7 +331,7 @@ const collectMSTeamsSecurityWarnings = createAllowlistProviderGroupPolicyWarning
 	resolveGroupPolicy: ({ cfg }) => cfg.channels?.msteams?.groupPolicy,
 	collect: ({ groupPolicy }) => groupPolicy === "open" ? ["- MS Teams groups: groupPolicy=\"open\" allows any member to trigger (mention-gated). Set channels.msteams.groupPolicy=\"allowlist\" + channels.msteams.groupAllowFrom to restrict senders."] : []
 });
-const loadMSTeamsChannelRuntime = createLazyRuntimeNamedExport(() => import("./channel.runtime-t52N99bX.js"), "msTeamsChannelRuntime");
+const loadMSTeamsChannelRuntime = createLazyRuntimeNamedExport(() => import("./channel.runtime-JR5pBsop.js"), "msTeamsChannelRuntime");
 const resolveMSTeamsChannelConfig = (cfg) => ({
 	allowFrom: cfg.channels?.msteams?.allowFrom,
 	defaultTo: cfg.channels?.msteams?.defaultTo
@@ -1117,7 +1117,7 @@ const msteamsPlugin = createChatChannelPlugin({
 			})
 		}),
 		gateway: { startAccount: async (ctx) => {
-			const { monitorMSTeamsProvider } = await import("./src-DZ76sgTp.js");
+			const { monitorMSTeamsProvider } = await import("./src-_wVYF1sz.js");
 			const port = ctx.cfg.channels?.msteams?.webhook?.port ?? 3978;
 			ctx.setStatus({
 				accountId: ctx.accountId,

package/dist/channel-plugin-api.js

@@ -1,2 +1,2 @@
-import { t as msteamsPlugin } from "./channel-Dhw8AvTl.js";
+import { t as msteamsPlugin } from "./channel-BwNnuHbh.js";
 export { msteamsPlugin };

package/dist/{channel.runtime-t52N99bX.js → channel.runtime-JR5pBsop.js}

@@ -1,7 +1,7 @@
 import { C as normalizeStringEntries$1, s as chunkTextForOutbound } from "./runtime-api-BlvMnDKz.js";
-import { a as searchGraphUsers, c as fetchGraphAbsoluteUrl, d as listTeamsByName, f as normalizeQuery, g as resolveGraphToken, h as postGraphJson, l as fetchGraphJson, m as postGraphBetaJson, o as deleteGraphRequest, p as patchGraphJson, s as escapeOData, u as listChannelsForTeam } from "./errors-Dpn8B05h.js";
-import { n as MSTEAMS_PRESENTATION_CAPABILITIES, r as buildMSTeamsPresentationCard } from "./channel-Dhw8AvTl.js";
-import { S as createMSTeamsConversationStoreState, a as sendMessageMSTeams, b as createMSTeamsPollStoreState, i as sendAdaptiveCardMSTeams, n as deleteMessageMSTeams, o as sendPollMSTeams, r as editMessageMSTeams, t as probeMSTeams } from "./probe-DYb-0Hmx.js";
+import { _ as patchGraphJson, b as resolveGraphToken, d as escapeOData, f as fetchGraphAbsoluteUrl, g as normalizeQuery, h as listTeamsByName, l as searchGraphUsers, m as listChannelsForTeam, p as fetchGraphJson, u as deleteGraphRequest, v as postGraphBetaJson, y as postGraphJson } from "./resolve-allowlist-C6VVTfbj.js";
+import { n as MSTEAMS_PRESENTATION_CAPABILITIES, r as buildMSTeamsPresentationCard } from "./channel-BwNnuHbh.js";
+import { S as createMSTeamsConversationStoreState, a as sendMessageMSTeams, b as createMSTeamsPollStoreState, i as sendAdaptiveCardMSTeams, n as deleteMessageMSTeams, o as sendPollMSTeams, r as editMessageMSTeams, t as probeMSTeams } from "./probe-bq_Uev4c.js";
 import { resolveOutboundSendDep } from "openclaw/plugin-sdk/channel-outbound";
 import { normalizeLowercaseStringOrEmpty, normalizeStringEntries } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { resolvePayloadMediaUrls, resolveTextChunksWithFallback, sendPayloadMediaSequence } from "openclaw/plugin-sdk/reply-payload";

package/dist/directory-contract-api.js

@@ -0,0 +1,35 @@
+import { C as resolveMSTeamsCredentials, n as normalizeMSTeamsMessagingTarget } from "./resolve-allowlist-C6VVTfbj.js";
+import { listDirectoryEntriesFromSources } from "openclaw/plugin-sdk/directory-runtime";
+const msteamsDirectoryContractPlugin = {
+	id: "msteams",
+	directory: {
+		self: async ({ cfg }) => {
+			const creds = resolveMSTeamsCredentials(cfg.channels?.msteams);
+			return creds ? {
+				kind: "user",
+				id: creds.appId,
+				name: creds.appId
+			} : null;
+		},
+		listPeers: async ({ cfg, query, limit }) => listDirectoryEntriesFromSources({
+			kind: "user",
+			sources: [cfg.channels?.msteams?.allowFrom ?? [], Object.keys(cfg.channels?.msteams?.dms ?? {})],
+			query,
+			limit,
+			normalizeId: (raw) => {
+				const normalized = normalizeMSTeamsMessagingTarget(raw) ?? raw;
+				const lowered = normalized.toLowerCase();
+				return lowered.startsWith("user:") || lowered.startsWith("conversation:") ? normalized : `user:${normalized}`;
+			}
+		}),
+		listGroups: async ({ cfg, query, limit }) => listDirectoryEntriesFromSources({
+			kind: "group",
+			sources: [Object.values(cfg.channels?.msteams?.teams ?? {}).flatMap((team) => Object.keys(team.channels ?? {}))],
+			query,
+			limit,
+			normalizeId: (raw) => `conversation:${raw.replace(/^conversation:/i, "").trim()}`
+		})
+	}
+};
+//#endregion
+export { msteamsDirectoryContractPlugin };

package/dist/{oauth-ei63gdyS.js → oauth-CJj-b_Kn.js}

@@ -1,4 +1,4 @@
-import { a as MSTEAMS_OAUTH_CALLBACK_PORT, i as MSTEAMS_OAUTH_CALLBACK_PATH, o as MSTEAMS_OAUTH_REDIRECT_URI, r as MSTEAMS_DEFAULT_DELEGATED_SCOPES, s as buildMSTeamsAuthEndpoint, t as exchangeMSTeamsCodeForTokens } from "./oauth.token-BKzEFepQ.js";
+import { A as MSTEAMS_OAUTH_CALLBACK_PORT, D as exchangeMSTeamsCodeForTokens, M as buildMSTeamsAuthEndpoint, O as MSTEAMS_DEFAULT_DELEGATED_SCOPES, j as MSTEAMS_OAUTH_REDIRECT_URI, k as MSTEAMS_OAUTH_CALLBACK_PATH } from "./resolve-allowlist-C6VVTfbj.js";
 import { generateHexPkceVerifierChallenge } from "openclaw/plugin-sdk/provider-auth";
 import { generateOAuthState, parseOAuthCallbackInput, waitForLocalOAuthCallback } from "openclaw/plugin-sdk/provider-auth-runtime";
 import { isWSL2Sync } from "openclaw/plugin-sdk/runtime-env";

package/dist/{probe-DYb-0Hmx.js → probe-bq_Uev4c.js}

@@ -1,7 +1,7 @@
 import { C as normalizeStringEntries$1, E as resolveChannelMediaMaxBytes, M as getMSTeamsRuntime, d as detectMime, g as getFileExtension, m as extractOriginalFilename, p as extensionForMime, y as loadOutboundMediaFromUrl } from "./runtime-api-BlvMnDKz.js";
-import { A as isAllowedBotFrameworkServiceUrl, C as readAccessToken, D as buildUserAgent, E as loadMSTeamsSdkWithAuth, N as resolveMSTeamsSdkCloudOptions, P as validateMSTeamsProactiveServiceUrlBoundary, T as createMSTeamsTokenProvider, i as isRevokedProxyError, j as normalizeBotFrameworkServiceUrl, k as describeBotFrameworkServiceUrlHost, n as formatMSTeamsSendErrorHint, r as formatUnknownError, t as classifyMSTeamsSendError, v as loadDelegatedTokens, x as resolveMSTeamsStorePath, y as resolveMSTeamsCredentials } from "./errors-Dpn8B05h.js";
-import { c as createMSTeamsHttpError } from "./oauth.token-BKzEFepQ.js";
-import { a as resolveMSTeamsReplyPolicy, o as resolveMSTeamsRouteConfig } from "./channel-Dhw8AvTl.js";
+import { B as isAllowedBotFrameworkServiceUrl, C as resolveMSTeamsCredentials, F as createMSTeamsTokenProvider, G as validateMSTeamsProactiveServiceUrlBoundary, I as loadMSTeamsSdkWithAuth, L as buildUserAgent, N as readAccessToken, S as loadDelegatedTokens, T as resolveMSTeamsStorePath, U as createMSTeamsHttpError, V as normalizeBotFrameworkServiceUrl, W as resolveMSTeamsSdkCloudOptions, z as describeBotFrameworkServiceUrlHost } from "./resolve-allowlist-C6VVTfbj.js";
+import { a as resolveMSTeamsReplyPolicy, o as resolveMSTeamsRouteConfig } from "./channel-BwNnuHbh.js";
+import { a as formatUnknownError, i as formatMSTeamsSendErrorHint, o as isRevokedProxyError, r as classifyMSTeamsSendError } from "./setup-surface-DdyMxq-W.js";
 import { createMessageReceiptFromOutboundResults } from "openclaw/plugin-sdk/channel-outbound";
 import { isRecord, normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, normalizeOptionalString, normalizeStringEntries, uniqueStrings } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { withFileLock } from "openclaw/plugin-sdk/file-lock";

package/dist/{errors-Dpn8B05h.js → resolve-allowlist-C6VVTfbj.js}

@@ -1,16 +1,16 @@
 import { M as getMSTeamsRuntime, h as fetchWithSsrFGuard$1 } from "./runtime-api-BlvMnDKz.js";
-import { c as createMSTeamsHttpError, n as refreshMSTeamsDelegatedTokens } from "./oauth.token-BKzEFepQ.js";
 import { createRequire } from "node:module";
-import { isRecord, isRecord as isRecord$1, normalizeLowercaseStringOrEmpty, normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
+import { mapAllowlistResolutionInputs } from "openclaw/plugin-sdk/allow-from";
+import { isRecord as isRecord$1, normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
-import { readProviderJsonResponse } from "openclaw/plugin-sdk/provider-http";
+import { createProviderHttpError, readProviderJsonResponse } from "openclaw/plugin-sdk/provider-http";
 import { Buffer } from "node:buffer";
 import { lookup } from "node:dns/promises";
 import { buildHostnameAllowlistPolicyFromSuffixAllowlist, isHttpsUrlAllowedByHostnameSuffixAllowlist, isPrivateIpAddress, normalizeHostnameSuffixAllowlist } from "openclaw/plugin-sdk/ssrf-policy";
 import * as fs from "node:fs";
 import { readFileSync } from "node:fs";
 import path, { basename, dirname } from "node:path";
-import { asFiniteNumberInRange, isFutureDateTimestampMs, parseStrictFiniteNumber } from "openclaw/plugin-sdk/number-runtime";
+import { isFutureDateTimestampMs, resolveExpiresAtMsFromDurationSeconds } from "openclaw/plugin-sdk/number-runtime";
 import { privateFileStoreSync } from "openclaw/plugin-sdk/security-runtime";
 import { hasConfiguredSecretInput, normalizeResolvedSecretInputString, normalizeSecretInputString } from "openclaw/plugin-sdk/secret-input";
 //#region extensions/msteams/src/attachments/shared.ts
@@ -539,6 +539,11 @@ function validateMSTeamsProactiveServiceUrlBoundary(params) {
 	if (isChinaBotFrameworkServiceUrl(stored.value)) throw new Error(`msteams proactive send blocked for ${params.conversationId}: stored conversation serviceUrl (${stored.value}) requires channels.msteams.cloud=China.`);
 	if (stored.host !== PUBLIC_MSTEAMS_SERVICE_HOST) throw new Error(`msteams proactive send blocked for ${params.conversationId}: stored conversation serviceUrl (${stored.value}) is not a Microsoft Teams public-cloud Bot Connector endpoint. Set channels.msteams.cloud and channels.msteams.serviceUrl for the supported Teams cloud that owns this conversation.`);
 }
+//#endregion
+//#region extensions/msteams/src/http-error.ts
+async function createMSTeamsHttpError(response, label, options) {
+	return await createProviderHttpError(response, label, options);
+}
 const BOT_FRAMEWORK_SERVICE_URL_HOST_ALLOWLIST = normalizeHostnameSuffixAllowlist([
 	"smba.trafficmanager.net",
 	"smba.infra.gcc.teams.microsoft.com",
@@ -728,6 +733,129 @@ function readAccessToken(value) {
 	return null;
 }
 //#endregion
+//#region extensions/msteams/src/oauth.shared.ts
+const MSTEAMS_OAUTH_REDIRECT_URI = "http://localhost:8086/oauth2callback";
+const MSTEAMS_OAUTH_CALLBACK_PORT = 8086;
+const MSTEAMS_OAUTH_CALLBACK_PATH = "/oauth2callback";
+const MSTEAMS_DEFAULT_TOKEN_FETCH_TIMEOUT_MS = 1e4;
+const MSTEAMS_DEFAULT_DELEGATED_SCOPES = [
+	"ChatMessage.Send",
+	"ChannelMessage.Send",
+	"Chat.ReadWrite",
+	"offline_access"
+];
+function buildMSTeamsAuthEndpoint(tenantId) {
+	return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/authorize`;
+}
+function buildMSTeamsTokenEndpoint(tenantId) {
+	return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`;
+}
+//#endregion
+//#region extensions/msteams/src/oauth.token.ts
+/** Five-minute buffer subtracted from token expiry to avoid edge-case clock drift. */
+const EXPIRY_BUFFER_MS = 300 * 1e3;
+function createMSTeamsTokenBody(params) {
+	const body = new URLSearchParams({
+		client_id: params.clientId,
+		client_secret: params.clientSecret,
+		grant_type: params.grantType,
+		scope: [...params.scopes].join(" ")
+	});
+	for (const [key, value] of Object.entries(params.values ?? {})) body.set(key, value);
+	return body;
+}
+function resolveMSTeamsTokenExpiresAt(value) {
+	return resolveExpiresAtMsFromDurationSeconds(value, { bufferMs: EXPIRY_BUFFER_MS });
+}
+function parseMSTeamsTokenResponse(data, failureLabel) {
+	const expiresAt = resolveMSTeamsTokenExpiresAt(data.expires_in);
+	if (typeof data.access_token !== "string" || !data.access_token || expiresAt === void 0 || data.refresh_token !== void 0 && typeof data.refresh_token !== "string" || data.scope !== void 0 && typeof data.scope !== "string") throw new Error(`MSTeams ${failureLabel} failed: invalid token response fields`);
+	return {
+		access_token: data.access_token,
+		refresh_token: data.refresh_token,
+		expiresAt,
+		scope: data.scope
+	};
+}
+async function fetchMSTeamsTokens(params) {
+	const currentFetch = globalThis.fetch;
+	const { response, release } = await fetchWithSsrFGuard({
+		url: params.tokenUrl,
+		fetchImpl: async (input, guardedInit) => await currentFetch(input, guardedInit),
+		init: {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
+				Accept: "application/json"
+			},
+			body: params.body,
+			signal: AbortSignal.timeout(MSTEAMS_DEFAULT_TOKEN_FETCH_TIMEOUT_MS)
+		},
+		auditContext: params.auditContext
+	});
+	try {
+		if (!response.ok) throw await createMSTeamsHttpError(response, `MSTeams ${params.failureLabel} failed`);
+		return parseMSTeamsTokenResponse(await readProviderJsonResponse(response, `MSTeams ${params.failureLabel} failed`), params.failureLabel);
+	} finally {
+		await release();
+	}
+}
+async function requestMSTeamsDelegatedTokens(params) {
+	const scopes = params.scopes ?? MSTEAMS_DEFAULT_DELEGATED_SCOPES;
+	const body = createMSTeamsTokenBody({
+		clientId: params.clientId,
+		clientSecret: params.clientSecret,
+		grantType: params.grantType,
+		scopes,
+		values: params.values
+	});
+	const data = await fetchMSTeamsTokens({
+		tokenUrl: buildMSTeamsTokenEndpoint(params.tenantId),
+		body,
+		auditContext: params.auditContext,
+		failureLabel: params.failureLabel
+	});
+	return {
+		accessToken: data.access_token,
+		refreshToken: params.resolveRefreshToken(data),
+		expiresAt: data.expiresAt,
+		scopes: data.scope ? data.scope.split(" ") : [...scopes]
+	};
+}
+async function exchangeMSTeamsCodeForTokens(params) {
+	return await requestMSTeamsDelegatedTokens({
+		tenantId: params.tenantId,
+		clientId: params.clientId,
+		clientSecret: params.clientSecret,
+		grantType: "authorization_code",
+		scopes: params.scopes,
+		values: {
+			code: params.code,
+			redirect_uri: MSTEAMS_OAUTH_REDIRECT_URI,
+			code_verifier: params.verifier
+		},
+		auditContext: "msteams-oauth-token-exchange",
+		failureLabel: "token exchange",
+		resolveRefreshToken: (data) => {
+			if (!data.refresh_token) throw new Error("No refresh token received from Azure AD. Please try again.");
+			return data.refresh_token;
+		}
+	});
+}
+async function refreshMSTeamsDelegatedTokens(params) {
+	return await requestMSTeamsDelegatedTokens({
+		tenantId: params.tenantId,
+		clientId: params.clientId,
+		clientSecret: params.clientSecret,
+		grantType: "refresh_token",
+		scopes: params.scopes,
+		values: { refresh_token: params.refreshToken },
+		auditContext: "msteams-oauth-token-refresh",
+		failureLabel: "token refresh",
+		resolveRefreshToken: (data) => data.refresh_token ?? params.refreshToken
+	});
+}
+//#endregion
 //#region extensions/msteams/src/storage.ts
 function resolveMSTeamsStorePath(params) {
 	if (params.storePath) return params.storePath;
@@ -1032,179 +1160,219 @@ async function searchGraphUsers(params) {
 	})).value ?? [];
 }
 //#endregion
-//#region extensions/msteams/src/errors.ts
-const MAX_SAFE_RETRY_AFTER_SECONDS = Number.MAX_SAFE_INTEGER / 1e3;
-function formatUnknownError(err) {
-	if (err instanceof Error) return err.message;
-	if (typeof err === "string") return err;
-	if (err === null) return "null";
-	if (err === void 0) return "undefined";
-	if (typeof err === "number" || typeof err === "boolean" || typeof err === "bigint") return String(err);
-	if (typeof err === "symbol") return err.description ?? err.toString();
-	if (typeof err === "function") return err.name ? `[function ${err.name}]` : "[function]";
-	try {
-		return JSON.stringify(err) ?? "unknown error";
-	} catch {
-		return "unknown error";
+//#region extensions/msteams/src/resolve-allowlist.ts
+function stripProviderPrefix(raw) {
+	return raw.replace(/^(msteams|teams):/i, "");
+}
+function normalizeMSTeamsMessagingTarget(raw) {
+	let trimmed = raw.trim();
+	if (!trimmed) return;
+	trimmed = stripProviderPrefix(trimmed).trim();
+	if (/^conversation:/i.test(trimmed)) {
+		const id = trimmed.slice(13).trim();
+		return id ? `conversation:${id}` : void 0;
 	}
-}
-function extractStatusCode(err) {
-	if (!isRecord(err)) return null;
-	const parseStatusCode = (value) => {
-		if (typeof value === "number") return Number.isInteger(value) && value >= 100 && value <= 599 ? value : null;
-		if (typeof value === "string") {
-			const trimmed = value.trim();
-			if (!/^\d{3}$/.test(trimmed)) return null;
-			const parsed = Number(trimmed);
-			return parsed >= 100 && parsed <= 599 ? parsed : null;
-		}
-		return null;
-	};
-	const directStatus = parseStatusCode(err.statusCode ?? err.status);
-	if (directStatus !== null) return directStatus;
-	const response = err.response;
-	if (isRecord(response)) {
-		const responseStatus = parseStatusCode(response.status);
-		if (responseStatus !== null) return responseStatus;
+	if (/^user:/i.test(trimmed)) {
+		const id = trimmed.slice(5).trim();
+		return id ? `user:${id}` : void 0;
 	}
-	return null;
+	return trimmed || void 0;
 }
-function extractErrorCode(err) {
-	if (!isRecord(err)) return null;
-	const direct = err.code;
-	if (typeof direct === "string" && direct.trim()) return direct;
-	const response = err.response;
-	if (!isRecord(response)) return null;
-	const body = response.body;
-	if (isRecord(body)) {
-		const error = body.error;
-		if (isRecord(error) && typeof error.code === "string" && error.code.trim()) return error.code;
-	}
-	return null;
+function normalizeMSTeamsUserInput(raw) {
+	return stripProviderPrefix(raw).replace(/^(user|conversation):/i, "").trim();
 }
-function extractRetryAfterMs(err) {
-	if (!isRecord(err)) return null;
-	const directMs = asFiniteNumberInRange(err.retryAfterMs ?? err.retry_after_ms, {
-		min: 0,
-		max: Number.MAX_SAFE_INTEGER
-	});
-	if (directMs !== void 0) return directMs;
-	const retryAfter = err.retryAfter ?? err.retry_after;
-	const retryAfterSeconds = asFiniteNumberInRange(retryAfter, {
-		min: 0,
-		max: MAX_SAFE_RETRY_AFTER_SECONDS
-	});
-	if (retryAfterSeconds !== void 0) return retryAfterSeconds * 1e3;
-	if (typeof retryAfter === "string") {
-		const parsed = parseNonNegativeRetryAfterSeconds(retryAfter);
-		if (parsed !== void 0) return parsed * 1e3;
-	}
-	const response = err.response;
-	if (!isRecord(response)) return null;
-	const headers = response.headers;
-	if (!headers) return null;
-	if (isRecord(headers)) {
-		const raw = headers["retry-after"] ?? headers["Retry-After"];
-		if (typeof raw === "string") {
-			const parsed = parseNonNegativeRetryAfterSeconds(raw);
-			if (parsed !== void 0) return parsed * 1e3;
-		}
-	}
-	if (typeof headers === "object" && headers !== null && "get" in headers && typeof headers.get === "function") {
-		const raw = headers.get("retry-after");
-		if (raw) {
-			const parsed = parseNonNegativeRetryAfterSeconds(raw);
-			if (parsed !== void 0) return parsed * 1e3;
-		}
-	}
-	return null;
-}
-function parseNonNegativeRetryAfterSeconds(raw) {
-	const trimmed = raw.trim();
-	if (!/^\d+(?:\.\d+)?$/.test(trimmed)) return;
-	return asFiniteNumberInRange(parseStrictFiniteNumber(trimmed), {
-		min: 0,
-		max: MAX_SAFE_RETRY_AFTER_SECONDS
-	});
+function parseMSTeamsConversationId(raw) {
+	const trimmed = stripProviderPrefix(raw).trim();
+	if (!/^conversation:/i.test(trimmed)) return null;
+	return trimmed.slice(13).trim();
 }
 /**
-* Classify outbound send errors for safe retries and actionable logs.
+* Detect whether a raw target string looks like a Microsoft Teams conversation
+* or user id that cron announce delivery and other explicit-target paths can
+* forward verbatim to the channel adapter.
 *
-* Important: We only mark errors as retryable when we have an explicit HTTP
-* status code that indicates the message was not accepted (e.g. 429, 5xx).
-* For transport-level errors where delivery is ambiguous, we prefer to avoid
-* retries to reduce the chance of duplicate posts.
+* Accepts both prefixed and bare formats:
+* - `conversation:<id>` — explicit conversation prefix
+* - `user:<aad-guid>`   — user id (16+ hex chars, UUID-like)
+* - `19:abc@thread.tacv2` / `19:abc@thread.skype` — channel / legacy group
+* - `19:{userId}_{appId}@unq.gbl.spaces` — Graph 1:1 chat thread format
+* - `a:1xxx` — Bot Framework personal (1:1) chat id
+* - `8:orgid:xxx` — Bot Framework org-scoped personal chat id
+* - `29:xxx` — Bot Framework user id
+*
+* Display-name user targets such as `user:John Smith` intentionally return
+* false so that the Graph API directory lookup still runs for them.
 */
-function classifyMSTeamsSendError(err) {
-	const statusCode = extractStatusCode(err);
-	const retryAfterMs = extractRetryAfterMs(err);
-	const errorCode = extractErrorCode(err) ?? void 0;
-	if (statusCode === 401) return {
-		kind: "auth",
-		statusCode,
-		errorCode
-	};
-	if (statusCode === 403) {
-		if (errorCode === "ContentStreamNotAllowed") return {
-			kind: "permanent",
-			statusCode,
-			errorCode
-		};
-		return {
-			kind: "auth",
-			statusCode,
-			errorCode
-		};
+function looksLikeMSTeamsTargetId(raw) {
+	const trimmed = raw.trim();
+	if (!trimmed) return false;
+	if (/^conversation:/i.test(trimmed)) return true;
+	if (/^user:/i.test(trimmed)) {
+		const id = trimmed.slice(5).trim();
+		return /^[0-9a-fA-F-]{16,}$/.test(id);
 	}
-	if (statusCode === 429) return {
-		kind: "throttled",
-		statusCode,
-		retryAfterMs: retryAfterMs ?? void 0,
-		errorCode
-	};
-	if (statusCode === 408 || statusCode != null && statusCode >= 500) return {
-		kind: "transient",
-		statusCode,
-		retryAfterMs: retryAfterMs ?? void 0,
-		errorCode
-	};
-	if (statusCode != null && statusCode >= 400) return {
-		kind: "permanent",
-		statusCode,
-		errorCode
+	if (/^19:.+@thread\.(tacv2|skype)$/i.test(trimmed)) return true;
+	if (/^19:.+@unq\.gbl\.spaces$/i.test(trimmed)) return true;
+	if (/^a:1[A-Za-z0-9_-]+$/i.test(trimmed)) return true;
+	if (/^8:orgid:[A-Za-z0-9-]+$/i.test(trimmed)) return true;
+	if (/^29:[A-Za-z0-9_-]+$/i.test(trimmed)) return true;
+	return /@thread\b/i.test(trimmed);
+}
+function normalizeMSTeamsTeamKey(raw) {
+	return stripProviderPrefix(raw).replace(/^team:/i, "").trim() || void 0;
+}
+function normalizeMSTeamsChannelKey(raw) {
+	return (raw?.trim().replace(/^#/, "").trim() ?? "") || void 0;
+}
+function normalizeMSTeamsConversationTargetId(raw) {
+	const trimmed = stripProviderPrefix(raw).trim();
+	return parseMSTeamsConversationId(trimmed) ?? trimmed;
+}
+function looksLikeMSTeamsThreadConversationId(raw) {
+	const normalized = normalizeMSTeamsConversationTargetId(raw);
+	return /^19:.+@thread\./i.test(normalized);
+}
+function parseMSTeamsTeamChannelInput(raw) {
+	const trimmed = stripProviderPrefix(raw).trim();
+	if (!trimmed) return {};
+	const parts = trimmed.split("/");
+	const team = normalizeMSTeamsTeamKey(parts[0] ?? "");
+	const channel = parts.length > 1 ? normalizeMSTeamsChannelKey(parts.slice(1).join("/")) : void 0;
+	return {
+		...team ? { team } : {},
+		...channel ? { channel } : {}
 	};
-	if (statusCode == null) {
-		const networkCode = isRecord(err) && typeof err.code === "string" ? err.code : null;
-		if (networkCode === "ECONNREFUSED" || networkCode === "ENOTFOUND" || networkCode === "EHOSTUNREACH" || networkCode === "ETIMEDOUT" || networkCode === "ECONNRESET") return {
-			kind: "network",
-			errorCode: networkCode
-		};
-	}
+}
+function parseMSTeamsTeamEntry(raw) {
+	const { team, channel } = parseMSTeamsTeamChannelInput(raw);
+	if (!team) return null;
 	return {
-		kind: "unknown",
-		statusCode: statusCode ?? void 0,
-		retryAfterMs: retryAfterMs ?? void 0,
-		errorCode
+		teamKey: team,
+		...channel ? { channelKey: channel } : {}
 	};
 }
-/**
-* Detect whether an error is caused by a revoked Proxy.
-*
-* The Bot Framework SDK wraps TurnContext in a Proxy that is revoked once the
-* turn handler returns.  Any later access (e.g. from a debounced callback)
-* throws a TypeError whose message contains the distinctive "proxy that has
-* been revoked" string.
-*/
-function isRevokedProxyError(err) {
-	if (!(err instanceof TypeError)) return false;
-	return /proxy that has been revoked/i.test(err.message);
+async function resolveMSTeamsChannelAllowlist(params) {
+	let tokenPromise;
+	const getToken = () => {
+		tokenPromise ??= resolveGraphToken(params.cfg);
+		return tokenPromise;
+	};
+	return await mapAllowlistResolutionInputs({
+		inputs: params.entries,
+		mapInput: async (input) => {
+			const { team, channel } = parseMSTeamsTeamChannelInput(input);
+			if (!team) return {
+				input,
+				resolved: false
+			};
+			if (looksLikeMSTeamsThreadConversationId(team)) {
+				const teamId = normalizeMSTeamsConversationTargetId(team);
+				if (!channel) return {
+					input,
+					resolved: true,
+					teamId,
+					teamName: teamId
+				};
+				if (!looksLikeMSTeamsThreadConversationId(channel)) return {
+					input,
+					resolved: false,
+					teamId,
+					teamName: teamId,
+					note: "channel id required for conversation-id team"
+				};
+				const channelId = normalizeMSTeamsConversationTargetId(channel);
+				return {
+					input,
+					resolved: true,
+					teamId,
+					teamName: teamId,
+					channelId,
+					channelName: channelId
+				};
+			}
+			const token = await getToken();
+			const teams = /^[0-9a-fA-F-]{16,}$/.test(team) ? [{
+				id: team,
+				displayName: team
+			}] : await listTeamsByName(token, team);
+			if (teams.length === 0) return {
+				input,
+				resolved: false,
+				note: "team not found"
+			};
+			const teamMatch = teams[0];
+			const graphTeamId = teamMatch.id?.trim();
+			const teamName = teamMatch.displayName?.trim() || team;
+			if (!graphTeamId) return {
+				input,
+				resolved: false,
+				note: "team id missing"
+			};
+			let teamChannels = [];
+			try {
+				teamChannels = await listChannelsForTeam(token, graphTeamId);
+			} catch {}
+			const teamId = teamChannels.find((ch) => normalizeOptionalLowercaseString(ch.displayName) === "general")?.id?.trim() || graphTeamId;
+			if (!channel) return {
+				input,
+				resolved: true,
+				teamId,
+				teamName,
+				note: teams.length > 1 ? "multiple teams; chose first" : void 0
+			};
+			const normalizedChannel = normalizeOptionalLowercaseString(channel);
+			const channelMatch = teamChannels.find((item) => item.id === channel) ?? teamChannels.find((item) => normalizeOptionalLowercaseString(item.displayName) === normalizedChannel) ?? teamChannels.find((item) => normalizeLowercaseStringOrEmpty(item.displayName ?? "").includes(normalizedChannel ?? ""));
+			if (!channelMatch?.id) return {
+				input,
+				resolved: false,
+				note: "channel not found"
+			};
+			return {
+				input,
+				resolved: true,
+				teamId,
+				teamName,
+				channelId: channelMatch.id,
+				channelName: channelMatch.displayName ?? channel,
+				note: teamChannels.length > 1 ? "multiple channels; chose first" : void 0
+			};
+		}
+	});
 }
-function formatMSTeamsSendErrorHint(classification) {
-	if (classification.kind === "auth") return "check msteams appId/appPassword/tenantId (or env vars MSTEAMS_APP_ID/MSTEAMS_APP_PASSWORD/MSTEAMS_TENANT_ID)";
-	if (classification.errorCode === "ContentStreamNotAllowed") return "Teams expired the content stream; stop streaming earlier and fall back to normal message delivery";
-	if (classification.kind === "throttled") return "Teams throttled the bot; backing off may help";
-	if (classification.kind === "transient") return "transient Teams/Bot Framework error; retry may succeed";
-	if (classification.kind === "network") return "transport-level failure sending reply to Teams Bot Connector (smba.trafficmanager.net) — check egress firewall rules allow outbound HTTPS to smba.trafficmanager.net";
+async function resolveMSTeamsUserAllowlist(params) {
+	const token = await resolveGraphToken(params.cfg);
+	return await mapAllowlistResolutionInputs({
+		inputs: params.entries,
+		mapInput: async (input) => {
+			const query = normalizeQuery(normalizeMSTeamsUserInput(input));
+			if (!query) return {
+				input,
+				resolved: false
+			};
+			if (/^[0-9a-fA-F-]{16,}$/.test(query)) return {
+				input,
+				resolved: true,
+				id: query
+			};
+			const users = await searchGraphUsers({
+				token,
+				query,
+				top: 10
+			});
+			const match = users[0];
+			if (!match?.id) return {
+				input,
+				resolved: false
+			};
+			return {
+				input,
+				resolved: true,
+				id: match.id,
+				name: match.displayName ?? void 0,
+				note: users.length > 1 ? "multiple matches; chose first" : void 0
+			};
+		}
+	});
 }
 //#endregion
-export { safeFetchWithPolicy as $, isAllowedBotFrameworkServiceUrl as A, estimateBase64DecodedBytes as B, readAccessToken as C, buildUserAgent as D, loadMSTeamsSdkWithAuth as E, ATTACHMENT_TAG_RE as F, isLikelyImageAttachment as G, extractInlineImageCandidates as H, GRAPH_ROOT as I, normalizeContentType as J, isRecord$1 as K, IMG_SRC_RE as L, tryNormalizeBotFrameworkServiceUrl as M, resolveMSTeamsSdkCloudOptions as N, ensureUserAgentHeader as O, validateMSTeamsProactiveServiceUrlBoundary as P, resolveRequestUrl as Q, applyAuthorizationHeaderForUrl as R, normalizeSecretInputString as S, createMSTeamsTokenProvider as T, inferPlaceholder as U, extractHtmlFromAttachment as V, isDownloadableAttachment as W, resolveAttachmentFetchPolicy as X, readNestedString as Y, resolveMediaSsrfPolicy as Z, hasConfiguredMSTeamsCredentials as _, searchGraphUsers as a, saveDelegatedTokens as b, fetchGraphAbsoluteUrl as c, listTeamsByName as d, safeHostForUrl as et, normalizeQuery as f, resolveGraphToken as g, postGraphJson as h, isRevokedProxyError as i, normalizeBotFrameworkServiceUrl as j, describeBotFrameworkServiceUrlHost as k, fetchGraphJson as l, postGraphBetaJson as m, formatMSTeamsSendErrorHint as n, deleteGraphRequest as o, patchGraphJson as p, isUrlAllowed as q, formatUnknownError as r, escapeOData as s, classifyMSTeamsSendError as t, tryBuildGraphSharesUrlForSharedLink as tt, listChannelsForTeam as u, loadDelegatedTokens as v, createMSTeamsExpressAdapter as w, resolveMSTeamsStorePath as x, resolveMSTeamsCredentials as y, encodeGraphShareId as z };
+export { extractInlineImageCandidates as $, MSTEAMS_OAUTH_CALLBACK_PORT as A, isAllowedBotFrameworkServiceUrl as B, resolveMSTeamsCredentials as C, exchangeMSTeamsCodeForTokens as D, normalizeSecretInputString as E, createMSTeamsTokenProvider as F, validateMSTeamsProactiveServiceUrlBoundary as G, tryNormalizeBotFrameworkServiceUrl as H, loadMSTeamsSdkWithAuth as I, IMG_SRC_RE as J, ATTACHMENT_TAG_RE as K, buildUserAgent as L, buildMSTeamsAuthEndpoint as M, readAccessToken as N, MSTEAMS_DEFAULT_DELEGATED_SCOPES as O, createMSTeamsExpressAdapter as P, extractHtmlFromAttachment as Q, ensureUserAgentHeader as R, loadDelegatedTokens as S, resolveMSTeamsStorePath as T, createMSTeamsHttpError as U, normalizeBotFrameworkServiceUrl as V, resolveMSTeamsSdkCloudOptions as W, encodeGraphShareId as X, applyAuthorizationHeaderForUrl as Y, estimateBase64DecodedBytes as Z, patchGraphJson as _, parseMSTeamsTeamChannelInput as a, normalizeContentType as at, resolveGraphToken as b, resolveMSTeamsUserAllowlist as c, resolveMediaSsrfPolicy as ct, escapeOData as d, safeHostForUrl as dt, inferPlaceholder as et, fetchGraphAbsoluteUrl as f, tryBuildGraphSharesUrlForSharedLink as ft, normalizeQuery as g, listTeamsByName as h, parseMSTeamsConversationId as i, isUrlAllowed as it, MSTEAMS_OAUTH_REDIRECT_URI as j, MSTEAMS_OAUTH_CALLBACK_PATH as k, searchGraphUsers as l, resolveRequestUrl as lt, listChannelsForTeam as m, normalizeMSTeamsMessagingTarget as n, isLikelyImageAttachment as nt, parseMSTeamsTeamEntry as o, readNestedString as ot, fetchGraphJson as p, GRAPH_ROOT as q, normalizeMSTeamsUserInput as r, isRecord$1 as rt, resolveMSTeamsChannelAllowlist as s, resolveAttachmentFetchPolicy as st, looksLikeMSTeamsTargetId as t, isDownloadableAttachment as tt, deleteGraphRequest as u, safeFetchWithPolicy as ut, postGraphBetaJson as v, saveDelegatedTokens as w, hasConfiguredMSTeamsCredentials as x, postGraphJson as y, describeBotFrameworkServiceUrlHost as z };

package/dist/setup-plugin-api.js

@@ -1,6 +1,6 @@
-import { y as resolveMSTeamsCredentials } from "./errors-Dpn8B05h.js";
-import { i as msteamsSetupAdapter, t as msteamsSetupWizard } from "./setup-surface-DGTz8Mlf.js";
+import { C as resolveMSTeamsCredentials } from "./resolve-allowlist-C6VVTfbj.js";
 import { t as MSTeamsChannelConfigSchema } from "./config-schema-BL4qQZiA.js";
+import { c as msteamsSetupAdapter, t as msteamsSetupWizard } from "./setup-surface-DdyMxq-W.js";
 import { describeAccountSnapshot } from "openclaw/plugin-sdk/account-helpers";
 import { formatAllowFromLowercase } from "openclaw/plugin-sdk/allow-from";
 import { createTopLevelChannelConfigAdapter } from "openclaw/plugin-sdk/channel-config-helpers";

package/dist/{setup-surface-DGTz8Mlf.js → setup-surface-DdyMxq-W.js}

@@ -1,223 +1,8 @@
-import { S as normalizeSecretInputString, _ as hasConfiguredMSTeamsCredentials, a as searchGraphUsers, b as saveDelegatedTokens, d as listTeamsByName, f as normalizeQuery, g as resolveGraphToken, r as formatUnknownError, u as listChannelsForTeam, y as resolveMSTeamsCredentials } from "./errors-Dpn8B05h.js";
-import { mapAllowlistResolutionInputs } from "openclaw/plugin-sdk/allow-from";
-import { normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString } from "openclaw/plugin-sdk/string-coerce-runtime";
+import { C as resolveMSTeamsCredentials, E as normalizeSecretInputString, c as resolveMSTeamsUserAllowlist, o as parseMSTeamsTeamEntry, s as resolveMSTeamsChannelAllowlist, w as saveDelegatedTokens, x as hasConfiguredMSTeamsCredentials } from "./resolve-allowlist-C6VVTfbj.js";
+import { isRecord } from "openclaw/plugin-sdk/string-coerce-runtime";
+import { asFiniteNumberInRange, parseStrictFiniteNumber } from "openclaw/plugin-sdk/number-runtime";
 import { DEFAULT_ACCOUNT_ID, createSetupTranslator, createStandardChannelSetupStatus, createTopLevelChannelAllowFromSetter, createTopLevelChannelDmPolicy, createTopLevelChannelGroupPolicySetter, mergeAllowFromEntries, splitSetupEntries } from "openclaw/plugin-sdk/setup";
 import { formatDocsLink } from "openclaw/plugin-sdk/setup-tools";
-//#region extensions/msteams/src/resolve-allowlist.ts
-function stripProviderPrefix(raw) {
-	return raw.replace(/^(msteams|teams):/i, "");
-}
-function normalizeMSTeamsMessagingTarget(raw) {
-	let trimmed = raw.trim();
-	if (!trimmed) return;
-	trimmed = stripProviderPrefix(trimmed).trim();
-	if (/^conversation:/i.test(trimmed)) {
-		const id = trimmed.slice(13).trim();
-		return id ? `conversation:${id}` : void 0;
-	}
-	if (/^user:/i.test(trimmed)) {
-		const id = trimmed.slice(5).trim();
-		return id ? `user:${id}` : void 0;
-	}
-	return trimmed || void 0;
-}
-function normalizeMSTeamsUserInput(raw) {
-	return stripProviderPrefix(raw).replace(/^(user|conversation):/i, "").trim();
-}
-function parseMSTeamsConversationId(raw) {
-	const trimmed = stripProviderPrefix(raw).trim();
-	if (!/^conversation:/i.test(trimmed)) return null;
-	return trimmed.slice(13).trim();
-}
-/**
-* Detect whether a raw target string looks like a Microsoft Teams conversation
-* or user id that cron announce delivery and other explicit-target paths can
-* forward verbatim to the channel adapter.
-*
-* Accepts both prefixed and bare formats:
-* - `conversation:<id>` — explicit conversation prefix
-* - `user:<aad-guid>`   — user id (16+ hex chars, UUID-like)
-* - `19:abc@thread.tacv2` / `19:abc@thread.skype` — channel / legacy group
-* - `19:{userId}_{appId}@unq.gbl.spaces` — Graph 1:1 chat thread format
-* - `a:1xxx` — Bot Framework personal (1:1) chat id
-* - `8:orgid:xxx` — Bot Framework org-scoped personal chat id
-* - `29:xxx` — Bot Framework user id
-*
-* Display-name user targets such as `user:John Smith` intentionally return
-* false so that the Graph API directory lookup still runs for them.
-*/
-function looksLikeMSTeamsTargetId(raw) {
-	const trimmed = raw.trim();
-	if (!trimmed) return false;
-	if (/^conversation:/i.test(trimmed)) return true;
-	if (/^user:/i.test(trimmed)) {
-		const id = trimmed.slice(5).trim();
-		return /^[0-9a-fA-F-]{16,}$/.test(id);
-	}
-	if (/^19:.+@thread\.(tacv2|skype)$/i.test(trimmed)) return true;
-	if (/^19:.+@unq\.gbl\.spaces$/i.test(trimmed)) return true;
-	if (/^a:1[A-Za-z0-9_-]+$/i.test(trimmed)) return true;
-	if (/^8:orgid:[A-Za-z0-9-]+$/i.test(trimmed)) return true;
-	if (/^29:[A-Za-z0-9_-]+$/i.test(trimmed)) return true;
-	return /@thread\b/i.test(trimmed);
-}
-function normalizeMSTeamsTeamKey(raw) {
-	return stripProviderPrefix(raw).replace(/^team:/i, "").trim() || void 0;
-}
-function normalizeMSTeamsChannelKey(raw) {
-	return (raw?.trim().replace(/^#/, "").trim() ?? "") || void 0;
-}
-function normalizeMSTeamsConversationTargetId(raw) {
-	const trimmed = stripProviderPrefix(raw).trim();
-	return parseMSTeamsConversationId(trimmed) ?? trimmed;
-}
-function looksLikeMSTeamsThreadConversationId(raw) {
-	const normalized = normalizeMSTeamsConversationTargetId(raw);
-	return /^19:.+@thread\./i.test(normalized);
-}
-function parseMSTeamsTeamChannelInput(raw) {
-	const trimmed = stripProviderPrefix(raw).trim();
-	if (!trimmed) return {};
-	const parts = trimmed.split("/");
-	const team = normalizeMSTeamsTeamKey(parts[0] ?? "");
-	const channel = parts.length > 1 ? normalizeMSTeamsChannelKey(parts.slice(1).join("/")) : void 0;
-	return {
-		...team ? { team } : {},
-		...channel ? { channel } : {}
-	};
-}
-function parseMSTeamsTeamEntry(raw) {
-	const { team, channel } = parseMSTeamsTeamChannelInput(raw);
-	if (!team) return null;
-	return {
-		teamKey: team,
-		...channel ? { channelKey: channel } : {}
-	};
-}
-async function resolveMSTeamsChannelAllowlist(params) {
-	let tokenPromise;
-	const getToken = () => {
-		tokenPromise ??= resolveGraphToken(params.cfg);
-		return tokenPromise;
-	};
-	return await mapAllowlistResolutionInputs({
-		inputs: params.entries,
-		mapInput: async (input) => {
-			const { team, channel } = parseMSTeamsTeamChannelInput(input);
-			if (!team) return {
-				input,
-				resolved: false
-			};
-			if (looksLikeMSTeamsThreadConversationId(team)) {
-				const teamId = normalizeMSTeamsConversationTargetId(team);
-				if (!channel) return {
-					input,
-					resolved: true,
-					teamId,
-					teamName: teamId
-				};
-				if (!looksLikeMSTeamsThreadConversationId(channel)) return {
-					input,
-					resolved: false,
-					teamId,
-					teamName: teamId,
-					note: "channel id required for conversation-id team"
-				};
-				const channelId = normalizeMSTeamsConversationTargetId(channel);
-				return {
-					input,
-					resolved: true,
-					teamId,
-					teamName: teamId,
-					channelId,
-					channelName: channelId
-				};
-			}
-			const token = await getToken();
-			const teams = /^[0-9a-fA-F-]{16,}$/.test(team) ? [{
-				id: team,
-				displayName: team
-			}] : await listTeamsByName(token, team);
-			if (teams.length === 0) return {
-				input,
-				resolved: false,
-				note: "team not found"
-			};
-			const teamMatch = teams[0];
-			const graphTeamId = teamMatch.id?.trim();
-			const teamName = teamMatch.displayName?.trim() || team;
-			if (!graphTeamId) return {
-				input,
-				resolved: false,
-				note: "team id missing"
-			};
-			let teamChannels = [];
-			try {
-				teamChannels = await listChannelsForTeam(token, graphTeamId);
-			} catch {}
-			const teamId = teamChannels.find((ch) => normalizeOptionalLowercaseString(ch.displayName) === "general")?.id?.trim() || graphTeamId;
-			if (!channel) return {
-				input,
-				resolved: true,
-				teamId,
-				teamName,
-				note: teams.length > 1 ? "multiple teams; chose first" : void 0
-			};
-			const normalizedChannel = normalizeOptionalLowercaseString(channel);
-			const channelMatch = teamChannels.find((item) => item.id === channel) ?? teamChannels.find((item) => normalizeOptionalLowercaseString(item.displayName) === normalizedChannel) ?? teamChannels.find((item) => normalizeLowercaseStringOrEmpty(item.displayName ?? "").includes(normalizedChannel ?? ""));
-			if (!channelMatch?.id) return {
-				input,
-				resolved: false,
-				note: "channel not found"
-			};
-			return {
-				input,
-				resolved: true,
-				teamId,
-				teamName,
-				channelId: channelMatch.id,
-				channelName: channelMatch.displayName ?? channel,
-				note: teamChannels.length > 1 ? "multiple channels; chose first" : void 0
-			};
-		}
-	});
-}
-async function resolveMSTeamsUserAllowlist(params) {
-	const token = await resolveGraphToken(params.cfg);
-	return await mapAllowlistResolutionInputs({
-		inputs: params.entries,
-		mapInput: async (input) => {
-			const query = normalizeQuery(normalizeMSTeamsUserInput(input));
-			if (!query) return {
-				input,
-				resolved: false
-			};
-			if (/^[0-9a-fA-F-]{16,}$/.test(query)) return {
-				input,
-				resolved: true,
-				id: query
-			};
-			const users = await searchGraphUsers({
-				token,
-				query,
-				top: 10
-			});
-			const match = users[0];
-			if (!match?.id) return {
-				input,
-				resolved: false
-			};
-			return {
-				input,
-				resolved: true,
-				id: match.id,
-				name: match.displayName ?? void 0,
-				note: users.length > 1 ? "multiple matches; chose first" : void 0
-			};
-		}
-	});
-}
-//#endregion
 //#region extensions/msteams/src/setup-core.ts
 const t$1 = createSetupTranslator();
 const msteamsSetupAdapter = {
@@ -321,6 +106,181 @@ function createMSTeamsSetupWizardBase() {
 	};
 }
 //#endregion
+//#region extensions/msteams/src/errors.ts
+const MAX_SAFE_RETRY_AFTER_SECONDS = Number.MAX_SAFE_INTEGER / 1e3;
+function formatUnknownError(err) {
+	if (err instanceof Error) return err.message;
+	if (typeof err === "string") return err;
+	if (err === null) return "null";
+	if (err === void 0) return "undefined";
+	if (typeof err === "number" || typeof err === "boolean" || typeof err === "bigint") return String(err);
+	if (typeof err === "symbol") return err.description ?? err.toString();
+	if (typeof err === "function") return err.name ? `[function ${err.name}]` : "[function]";
+	try {
+		return JSON.stringify(err) ?? "unknown error";
+	} catch {
+		return "unknown error";
+	}
+}
+function extractStatusCode(err) {
+	if (!isRecord(err)) return null;
+	const parseStatusCode = (value) => {
+		if (typeof value === "number") return Number.isInteger(value) && value >= 100 && value <= 599 ? value : null;
+		if (typeof value === "string") {
+			const trimmed = value.trim();
+			if (!/^\d{3}$/.test(trimmed)) return null;
+			const parsed = Number(trimmed);
+			return parsed >= 100 && parsed <= 599 ? parsed : null;
+		}
+		return null;
+	};
+	const directStatus = parseStatusCode(err.statusCode ?? err.status);
+	if (directStatus !== null) return directStatus;
+	const response = err.response;
+	if (isRecord(response)) {
+		const responseStatus = parseStatusCode(response.status);
+		if (responseStatus !== null) return responseStatus;
+	}
+	return null;
+}
+function extractErrorCode(err) {
+	if (!isRecord(err)) return null;
+	const direct = err.code;
+	if (typeof direct === "string" && direct.trim()) return direct;
+	const response = err.response;
+	if (!isRecord(response)) return null;
+	const body = response.body;
+	if (isRecord(body)) {
+		const error = body.error;
+		if (isRecord(error) && typeof error.code === "string" && error.code.trim()) return error.code;
+	}
+	return null;
+}
+function extractRetryAfterMs(err) {
+	if (!isRecord(err)) return null;
+	const directMs = asFiniteNumberInRange(err.retryAfterMs ?? err.retry_after_ms, {
+		min: 0,
+		max: Number.MAX_SAFE_INTEGER
+	});
+	if (directMs !== void 0) return directMs;
+	const retryAfter = err.retryAfter ?? err.retry_after;
+	const retryAfterSeconds = asFiniteNumberInRange(retryAfter, {
+		min: 0,
+		max: MAX_SAFE_RETRY_AFTER_SECONDS
+	});
+	if (retryAfterSeconds !== void 0) return retryAfterSeconds * 1e3;
+	if (typeof retryAfter === "string") {
+		const parsed = parseNonNegativeRetryAfterSeconds(retryAfter);
+		if (parsed !== void 0) return parsed * 1e3;
+	}
+	const response = err.response;
+	if (!isRecord(response)) return null;
+	const headers = response.headers;
+	if (!headers) return null;
+	if (isRecord(headers)) {
+		const raw = headers["retry-after"] ?? headers["Retry-After"];
+		if (typeof raw === "string") {
+			const parsed = parseNonNegativeRetryAfterSeconds(raw);
+			if (parsed !== void 0) return parsed * 1e3;
+		}
+	}
+	if (typeof headers === "object" && headers !== null && "get" in headers && typeof headers.get === "function") {
+		const raw = headers.get("retry-after");
+		if (raw) {
+			const parsed = parseNonNegativeRetryAfterSeconds(raw);
+			if (parsed !== void 0) return parsed * 1e3;
+		}
+	}
+	return null;
+}
+function parseNonNegativeRetryAfterSeconds(raw) {
+	const trimmed = raw.trim();
+	if (!/^\d+(?:\.\d+)?$/.test(trimmed)) return;
+	return asFiniteNumberInRange(parseStrictFiniteNumber(trimmed), {
+		min: 0,
+		max: MAX_SAFE_RETRY_AFTER_SECONDS
+	});
+}
+/**
+* Classify outbound send errors for safe retries and actionable logs.
+*
+* Important: We only mark errors as retryable when we have an explicit HTTP
+* status code that indicates the message was not accepted (e.g. 429, 5xx).
+* For transport-level errors where delivery is ambiguous, we prefer to avoid
+* retries to reduce the chance of duplicate posts.
+*/
+function classifyMSTeamsSendError(err) {
+	const statusCode = extractStatusCode(err);
+	const retryAfterMs = extractRetryAfterMs(err);
+	const errorCode = extractErrorCode(err) ?? void 0;
+	if (statusCode === 401) return {
+		kind: "auth",
+		statusCode,
+		errorCode
+	};
+	if (statusCode === 403) {
+		if (errorCode === "ContentStreamNotAllowed") return {
+			kind: "permanent",
+			statusCode,
+			errorCode
+		};
+		return {
+			kind: "auth",
+			statusCode,
+			errorCode
+		};
+	}
+	if (statusCode === 429) return {
+		kind: "throttled",
+		statusCode,
+		retryAfterMs: retryAfterMs ?? void 0,
+		errorCode
+	};
+	if (statusCode === 408 || statusCode != null && statusCode >= 500) return {
+		kind: "transient",
+		statusCode,
+		retryAfterMs: retryAfterMs ?? void 0,
+		errorCode
+	};
+	if (statusCode != null && statusCode >= 400) return {
+		kind: "permanent",
+		statusCode,
+		errorCode
+	};
+	if (statusCode == null) {
+		const networkCode = isRecord(err) && typeof err.code === "string" ? err.code : null;
+		if (networkCode === "ECONNREFUSED" || networkCode === "ENOTFOUND" || networkCode === "EHOSTUNREACH" || networkCode === "ETIMEDOUT" || networkCode === "ECONNRESET") return {
+			kind: "network",
+			errorCode: networkCode
+		};
+	}
+	return {
+		kind: "unknown",
+		statusCode: statusCode ?? void 0,
+		retryAfterMs: retryAfterMs ?? void 0,
+		errorCode
+	};
+}
+/**
+* Detect whether an error is caused by a revoked Proxy.
+*
+* The Bot Framework SDK wraps TurnContext in a Proxy that is revoked once the
+* turn handler returns.  Any later access (e.g. from a debounced callback)
+* throws a TypeError whose message contains the distinctive "proxy that has
+* been revoked" string.
+*/
+function isRevokedProxyError(err) {
+	if (!(err instanceof TypeError)) return false;
+	return /proxy that has been revoked/i.test(err.message);
+}
+function formatMSTeamsSendErrorHint(classification) {
+	if (classification.kind === "auth") return "check msteams appId/appPassword/tenantId (or env vars MSTEAMS_APP_ID/MSTEAMS_APP_PASSWORD/MSTEAMS_TENANT_ID)";
+	if (classification.errorCode === "ContentStreamNotAllowed") return "Teams expired the content stream; stop streaming earlier and fall back to normal message delivery";
+	if (classification.kind === "throttled") return "Teams throttled the bot; backing off may help";
+	if (classification.kind === "transient") return "transient Teams/Bot Framework error; retry may succeed";
+	if (classification.kind === "network") return "transport-level failure sending reply to Teams Bot Connector (smba.trafficmanager.net) — check egress firewall rules allow outbound HTTPS to smba.trafficmanager.net";
+}
+//#endregion
 //#region extensions/msteams/src/setup-surface.ts
 const t = createSetupTranslator();
 const channel = "msteams";
@@ -489,7 +449,7 @@ const msteamsSetupWizard = {
 					}
 				};
 				try {
-					const { loginMSTeamsDelegated } = await import("./oauth-ei63gdyS.js");
+					const { loginMSTeamsDelegated } = await import("./oauth-CJj-b_Kn.js");
 					const progress = params.prompter.progress(t("wizard.msteams.delegatedOAuthProgress"));
 					saveDelegatedTokens(await loginMSTeamsDelegated({
 						isRemote: true,
@@ -530,4 +490,4 @@ const msteamsSetupWizard = {
 	})
 };
 //#endregion
-export { looksLikeMSTeamsTargetId as a, parseMSTeamsConversationId as c, resolveMSTeamsUserAllowlist as d, msteamsSetupAdapter as i, parseMSTeamsTeamChannelInput as l, openDelegatedOAuthUrl as n, normalizeMSTeamsMessagingTarget as o, createMSTeamsSetupWizardBase as r, normalizeMSTeamsUserInput as s, msteamsSetupWizard as t, resolveMSTeamsChannelAllowlist as u };
+export { formatUnknownError as a, msteamsSetupAdapter as c, formatMSTeamsSendErrorHint as i, openDelegatedOAuthUrl as n, isRevokedProxyError as o, classifyMSTeamsSendError as r, createMSTeamsSetupWizardBase as s, msteamsSetupWizard as t };

package/dist/{src-DZ76sgTp.js → src-_wVYF1sz.js}

@@ -1,8 +1,8 @@
 import { A as summarizeMapping, D as resolveDefaultGroupPolicy, E as resolveChannelMediaMaxBytes, M as getMSTeamsRuntime, N as getOptionalMSTeamsRuntime, _ as isDangerousNameMatchingEnabled, a as buildMediaPayload, b as logTypingFailure, c as createChannelMessageReplyPipeline, f as dispatchReplyFromConfigWithSettledDispatcher$1, l as createChannelPairingController, n as DEFAULT_WEBHOOK_MAX_BODY_BYTES, t as DEFAULT_ACCOUNT_ID, v as keepHttpServerTaskAlive, x as mergeAllowlist } from "./runtime-api-BlvMnDKz.js";
-import { $ as safeFetchWithPolicy, B as estimateBase64DecodedBytes, E as loadMSTeamsSdkWithAuth, F as ATTACHMENT_TAG_RE, G as isLikelyImageAttachment, H as extractInlineImageCandidates, I as GRAPH_ROOT, J as normalizeContentType, K as isRecord$1, L as IMG_SRC_RE, M as tryNormalizeBotFrameworkServiceUrl, N as resolveMSTeamsSdkCloudOptions, O as ensureUserAgentHeader, Q as resolveRequestUrl, R as applyAuthorizationHeaderForUrl, T as createMSTeamsTokenProvider, U as inferPlaceholder, V as extractHtmlFromAttachment, W as isDownloadableAttachment, X as resolveAttachmentFetchPolicy, Y as readNestedString, Z as resolveMediaSsrfPolicy, et as safeHostForUrl, l as fetchGraphJson, n as formatMSTeamsSendErrorHint, q as isUrlAllowed, r as formatUnknownError, t as classifyMSTeamsSendError, tt as tryBuildGraphSharesUrlForSharedLink, w as createMSTeamsExpressAdapter, x as resolveMSTeamsStorePath, y as resolveMSTeamsCredentials, z as encodeGraphShareId } from "./errors-Dpn8B05h.js";
-import { d as resolveMSTeamsUserAllowlist, u as resolveMSTeamsChannelAllowlist } from "./setup-surface-DGTz8Mlf.js";
-import { a as resolveMSTeamsReplyPolicy, i as resolveMSTeamsAllowlistMatch, o as resolveMSTeamsRouteConfig } from "./channel-Dhw8AvTl.js";
-import { C as resolveMSTeamsSqliteStateEnv, E as readJsonFile, S as createMSTeamsConversationStoreState, T as withMSTeamsSqliteMutationLock, _ as buildFileInfoCard, b as createMSTeamsPollStoreState, c as renderReplyPayloadsToMessages, d as withRevokedProxyFallback, f as resolveGraphChatId, g as removePendingUploadFs, h as getPendingUploadFs, l as sendMSTeamsMessages, m as removePendingUpload, p as getPendingUpload, s as buildConversationReference, u as sendMSTeamsActivityWithReference, v as parseFileConsentInvoke, w as toPluginJsonValue, x as extractMSTeamsPollVote, y as uploadToConsentUrl } from "./probe-DYb-0Hmx.js";
+import { $ as extractInlineImageCandidates, C as resolveMSTeamsCredentials, F as createMSTeamsTokenProvider, H as tryNormalizeBotFrameworkServiceUrl, I as loadMSTeamsSdkWithAuth, J as IMG_SRC_RE, K as ATTACHMENT_TAG_RE, P as createMSTeamsExpressAdapter, Q as extractHtmlFromAttachment, R as ensureUserAgentHeader, T as resolveMSTeamsStorePath, W as resolveMSTeamsSdkCloudOptions, X as encodeGraphShareId, Y as applyAuthorizationHeaderForUrl, Z as estimateBase64DecodedBytes, at as normalizeContentType, c as resolveMSTeamsUserAllowlist, ct as resolveMediaSsrfPolicy, dt as safeHostForUrl, et as inferPlaceholder, ft as tryBuildGraphSharesUrlForSharedLink, it as isUrlAllowed, lt as resolveRequestUrl, nt as isLikelyImageAttachment, ot as readNestedString, p as fetchGraphJson, q as GRAPH_ROOT, rt as isRecord$1, s as resolveMSTeamsChannelAllowlist, st as resolveAttachmentFetchPolicy, tt as isDownloadableAttachment, ut as safeFetchWithPolicy } from "./resolve-allowlist-C6VVTfbj.js";
+import { a as resolveMSTeamsReplyPolicy, i as resolveMSTeamsAllowlistMatch, o as resolveMSTeamsRouteConfig } from "./channel-BwNnuHbh.js";
+import { a as formatUnknownError, i as formatMSTeamsSendErrorHint, r as classifyMSTeamsSendError } from "./setup-surface-DdyMxq-W.js";
+import { C as resolveMSTeamsSqliteStateEnv, E as readJsonFile, S as createMSTeamsConversationStoreState, T as withMSTeamsSqliteMutationLock, _ as buildFileInfoCard, b as createMSTeamsPollStoreState, c as renderReplyPayloadsToMessages, d as withRevokedProxyFallback, f as resolveGraphChatId, g as removePendingUploadFs, h as getPendingUploadFs, l as sendMSTeamsMessages, m as removePendingUpload, p as getPendingUpload, s as buildConversationReference, u as sendMSTeamsActivityWithReference, v as parseFileConsentInvoke, w as toPluginJsonValue, x as extractMSTeamsPollVote, y as uploadToConsentUrl } from "./probe-bq_Uev4c.js";
 import { formatAllowlistMatchMeta } from "openclaw/plugin-sdk/allow-from";
 import { buildChannelProgressDraftLine, buildChannelProgressDraftLineForEntry, createChannelProgressDraftGate, formatChannelProgressDraftText, isChannelProgressDraftWorkToolName, mergeChannelProgressDraftLine, normalizeChannelProgressDraftLineIdentity, resolveChannelPreviewStreamMode, resolveChannelProgressDraftMaxLines, resolveChannelStreamingBlockEnabled, resolveChannelStreamingPreviewToolProgress, resolveChannelStreamingSuppressDefaultToolProgressMessages } from "openclaw/plugin-sdk/channel-outbound";
 import { normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, normalizeOptionalString, uniqueStrings } from "openclaw/plugin-sdk/string-coerce-runtime";

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.6.1-beta.3",
+  "version": "2026.6.2-beta.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@openclaw/msteams",
-      "version": "2026.6.1-beta.3",
+      "version": "2026.6.2-beta.1",
       "dependencies": {
         "@azure/identity": "4.13.1",
         "@microsoft/teams.api": "2.0.12",
@@ -15,7 +15,7 @@
         "typebox": "1.1.39"
       },
       "peerDependencies": {
-        "openclaw": ">=2026.6.1-beta.3"
+        "openclaw": ">=2026.6.2-beta.1"
       },
       "peerDependenciesMeta": {
         "openclaw": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.6.1-beta.3",
+  "version": "2026.6.2-beta.1",
   "description": "OpenClaw Microsoft Teams channel plugin for bot conversations.",
   "repository": {
     "type": "git",
@@ -15,7 +15,7 @@
     "typebox": "1.1.39"
   },
   "peerDependencies": {
-    "openclaw": ">=2026.6.1-beta.3"
+    "openclaw": ">=2026.6.2-beta.1"
   },
   "peerDependenciesMeta": {
     "openclaw": {
@@ -51,10 +51,10 @@
       "minHostVersion": ">=2026.4.10"
     },
     "compat": {
-      "pluginApi": ">=2026.6.1-beta.3"
+      "pluginApi": ">=2026.6.2-beta.1"
     },
     "build": {
-      "openclawVersion": "2026.6.1-beta.3"
+      "openclawVersion": "2026.6.2-beta.1"
     },
     "release": {
       "publishToClawHub": true,

package/dist/oauth.token-BKzEFepQ.js

@@ -1,132 +0,0 @@
-import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
-import { createProviderHttpError, readProviderJsonResponse } from "openclaw/plugin-sdk/provider-http";
-import { resolveExpiresAtMsFromDurationSeconds } from "openclaw/plugin-sdk/number-runtime";
-//#region extensions/msteams/src/http-error.ts
-async function createMSTeamsHttpError(response, label, options) {
-	return await createProviderHttpError(response, label, options);
-}
-//#endregion
-//#region extensions/msteams/src/oauth.shared.ts
-const MSTEAMS_OAUTH_REDIRECT_URI = "http://localhost:8086/oauth2callback";
-const MSTEAMS_OAUTH_CALLBACK_PORT = 8086;
-const MSTEAMS_OAUTH_CALLBACK_PATH = "/oauth2callback";
-const MSTEAMS_DEFAULT_TOKEN_FETCH_TIMEOUT_MS = 1e4;
-const MSTEAMS_DEFAULT_DELEGATED_SCOPES = [
-	"ChatMessage.Send",
-	"ChannelMessage.Send",
-	"Chat.ReadWrite",
-	"offline_access"
-];
-function buildMSTeamsAuthEndpoint(tenantId) {
-	return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/authorize`;
-}
-function buildMSTeamsTokenEndpoint(tenantId) {
-	return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`;
-}
-//#endregion
-//#region extensions/msteams/src/oauth.token.ts
-/** Five-minute buffer subtracted from token expiry to avoid edge-case clock drift. */
-const EXPIRY_BUFFER_MS = 300 * 1e3;
-function createMSTeamsTokenBody(params) {
-	const body = new URLSearchParams({
-		client_id: params.clientId,
-		client_secret: params.clientSecret,
-		grant_type: params.grantType,
-		scope: [...params.scopes].join(" ")
-	});
-	for (const [key, value] of Object.entries(params.values ?? {})) body.set(key, value);
-	return body;
-}
-function resolveMSTeamsTokenExpiresAt(value) {
-	return resolveExpiresAtMsFromDurationSeconds(value, { bufferMs: EXPIRY_BUFFER_MS });
-}
-function parseMSTeamsTokenResponse(data, failureLabel) {
-	const expiresAt = resolveMSTeamsTokenExpiresAt(data.expires_in);
-	if (typeof data.access_token !== "string" || !data.access_token || expiresAt === void 0 || data.refresh_token !== void 0 && typeof data.refresh_token !== "string" || data.scope !== void 0 && typeof data.scope !== "string") throw new Error(`MSTeams ${failureLabel} failed: invalid token response fields`);
-	return {
-		access_token: data.access_token,
-		refresh_token: data.refresh_token,
-		expiresAt,
-		scope: data.scope
-	};
-}
-async function fetchMSTeamsTokens(params) {
-	const currentFetch = globalThis.fetch;
-	const { response, release } = await fetchWithSsrFGuard({
-		url: params.tokenUrl,
-		fetchImpl: async (input, guardedInit) => await currentFetch(input, guardedInit),
-		init: {
-			method: "POST",
-			headers: {
-				"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
-				Accept: "application/json"
-			},
-			body: params.body,
-			signal: AbortSignal.timeout(MSTEAMS_DEFAULT_TOKEN_FETCH_TIMEOUT_MS)
-		},
-		auditContext: params.auditContext
-	});
-	try {
-		if (!response.ok) throw await createMSTeamsHttpError(response, `MSTeams ${params.failureLabel} failed`);
-		return parseMSTeamsTokenResponse(await readProviderJsonResponse(response, `MSTeams ${params.failureLabel} failed`), params.failureLabel);
-	} finally {
-		await release();
-	}
-}
-async function requestMSTeamsDelegatedTokens(params) {
-	const scopes = params.scopes ?? MSTEAMS_DEFAULT_DELEGATED_SCOPES;
-	const body = createMSTeamsTokenBody({
-		clientId: params.clientId,
-		clientSecret: params.clientSecret,
-		grantType: params.grantType,
-		scopes,
-		values: params.values
-	});
-	const data = await fetchMSTeamsTokens({
-		tokenUrl: buildMSTeamsTokenEndpoint(params.tenantId),
-		body,
-		auditContext: params.auditContext,
-		failureLabel: params.failureLabel
-	});
-	return {
-		accessToken: data.access_token,
-		refreshToken: params.resolveRefreshToken(data),
-		expiresAt: data.expiresAt,
-		scopes: data.scope ? data.scope.split(" ") : [...scopes]
-	};
-}
-async function exchangeMSTeamsCodeForTokens(params) {
-	return await requestMSTeamsDelegatedTokens({
-		tenantId: params.tenantId,
-		clientId: params.clientId,
-		clientSecret: params.clientSecret,
-		grantType: "authorization_code",
-		scopes: params.scopes,
-		values: {
-			code: params.code,
-			redirect_uri: MSTEAMS_OAUTH_REDIRECT_URI,
-			code_verifier: params.verifier
-		},
-		auditContext: "msteams-oauth-token-exchange",
-		failureLabel: "token exchange",
-		resolveRefreshToken: (data) => {
-			if (!data.refresh_token) throw new Error("No refresh token received from Azure AD. Please try again.");
-			return data.refresh_token;
-		}
-	});
-}
-async function refreshMSTeamsDelegatedTokens(params) {
-	return await requestMSTeamsDelegatedTokens({
-		tenantId: params.tenantId,
-		clientId: params.clientId,
-		clientSecret: params.clientSecret,
-		grantType: "refresh_token",
-		scopes: params.scopes,
-		values: { refresh_token: params.refreshToken },
-		auditContext: "msteams-oauth-token-refresh",
-		failureLabel: "token refresh",
-		resolveRefreshToken: (data) => data.refresh_token ?? params.refreshToken
-	});
-}
-//#endregion
-export { MSTEAMS_OAUTH_CALLBACK_PORT as a, createMSTeamsHttpError as c, MSTEAMS_OAUTH_CALLBACK_PATH as i, refreshMSTeamsDelegatedTokens as n, MSTEAMS_OAUTH_REDIRECT_URI as o, MSTEAMS_DEFAULT_DELEGATED_SCOPES as r, buildMSTeamsAuthEndpoint as s, exchangeMSTeamsCodeForTokens as t };