@openclaw/msteams 2026.6.2-beta.1 → 2026.6.5-beta.2

package/dist/{resolve-allowlist-C6VVTfbj.js → resolve-allowlist-BzIUWmMm.js}

@@ -1,4 +1,5 @@
-import { M as getMSTeamsRuntime, h as fetchWithSsrFGuard$1 } from "./runtime-api-BlvMnDKz.js";
+import { t as getMSTeamsRuntime } from "./runtime-BS5AZrKK.js";
+import { fetchWithSsrFGuard as fetchWithSsrFGuard$1 } from "./runtime-api.js";
 import { createRequire } from "node:module";
 import { mapAllowlistResolutionInputs } from "openclaw/plugin-sdk/allow-from";
 import { isRecord as isRecord$1, normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
@@ -1375,4 +1376,4 @@ async function resolveMSTeamsUserAllowlist(params) {
 	});
 }
 //#endregion
-export { extractInlineImageCandidates as $, MSTEAMS_OAUTH_CALLBACK_PORT as A, isAllowedBotFrameworkServiceUrl as B, resolveMSTeamsCredentials as C, exchangeMSTeamsCodeForTokens as D, normalizeSecretInputString as E, createMSTeamsTokenProvider as F, validateMSTeamsProactiveServiceUrlBoundary as G, tryNormalizeBotFrameworkServiceUrl as H, loadMSTeamsSdkWithAuth as I, IMG_SRC_RE as J, ATTACHMENT_TAG_RE as K, buildUserAgent as L, buildMSTeamsAuthEndpoint as M, readAccessToken as N, MSTEAMS_DEFAULT_DELEGATED_SCOPES as O, createMSTeamsExpressAdapter as P, extractHtmlFromAttachment as Q, ensureUserAgentHeader as R, loadDelegatedTokens as S, resolveMSTeamsStorePath as T, createMSTeamsHttpError as U, normalizeBotFrameworkServiceUrl as V, resolveMSTeamsSdkCloudOptions as W, encodeGraphShareId as X, applyAuthorizationHeaderForUrl as Y, estimateBase64DecodedBytes as Z, patchGraphJson as _, parseMSTeamsTeamChannelInput as a, normalizeContentType as at, resolveGraphToken as b, resolveMSTeamsUserAllowlist as c, resolveMediaSsrfPolicy as ct, escapeOData as d, safeHostForUrl as dt, inferPlaceholder as et, fetchGraphAbsoluteUrl as f, tryBuildGraphSharesUrlForSharedLink as ft, normalizeQuery as g, listTeamsByName as h, parseMSTeamsConversationId as i, isUrlAllowed as it, MSTEAMS_OAUTH_REDIRECT_URI as j, MSTEAMS_OAUTH_CALLBACK_PATH as k, searchGraphUsers as l, resolveRequestUrl as lt, listChannelsForTeam as m, normalizeMSTeamsMessagingTarget as n, isLikelyImageAttachment as nt, parseMSTeamsTeamEntry as o, readNestedString as ot, fetchGraphJson as p, GRAPH_ROOT as q, normalizeMSTeamsUserInput as r, isRecord$1 as rt, resolveMSTeamsChannelAllowlist as s, resolveAttachmentFetchPolicy as st, looksLikeMSTeamsTargetId as t, isDownloadableAttachment as tt, deleteGraphRequest as u, safeFetchWithPolicy as ut, postGraphBetaJson as v, saveDelegatedTokens as w, hasConfiguredMSTeamsCredentials as x, postGraphJson as y, describeBotFrameworkServiceUrlHost as z };
+export { inferPlaceholder as $, MSTEAMS_OAUTH_REDIRECT_URI as A, normalizeBotFrameworkServiceUrl as B, resolveMSTeamsCredentials as C, MSTEAMS_DEFAULT_DELEGATED_SCOPES as D, exchangeMSTeamsCodeForTokens as E, loadMSTeamsSdkWithAuth as F, ATTACHMENT_TAG_RE as G, createMSTeamsHttpError as H, buildUserAgent as I, applyAuthorizationHeaderForUrl as J, GRAPH_ROOT as K, ensureUserAgentHeader as L, readAccessToken as M, createMSTeamsExpressAdapter as N, MSTEAMS_OAUTH_CALLBACK_PATH as O, createMSTeamsTokenProvider as P, extractInlineImageCandidates as Q, describeBotFrameworkServiceUrlHost as R, loadDelegatedTokens as S, normalizeSecretInputString as T, resolveMSTeamsSdkCloudOptions as U, tryNormalizeBotFrameworkServiceUrl as V, validateMSTeamsProactiveServiceUrlBoundary as W, estimateBase64DecodedBytes as X, encodeGraphShareId as Y, extractHtmlFromAttachment as Z, patchGraphJson as _, parseMSTeamsTeamChannelInput as a, readNestedString as at, resolveGraphToken as b, resolveMSTeamsUserAllowlist as c, resolveRequestUrl as ct, escapeOData as d, tryBuildGraphSharesUrlForSharedLink as dt, isDownloadableAttachment as et, fetchGraphAbsoluteUrl as f, normalizeQuery as g, listTeamsByName as h, parseMSTeamsConversationId as i, normalizeContentType as it, buildMSTeamsAuthEndpoint as j, MSTEAMS_OAUTH_CALLBACK_PORT as k, searchGraphUsers as l, safeFetchWithPolicy as lt, listChannelsForTeam as m, normalizeMSTeamsMessagingTarget as n, isRecord$1 as nt, parseMSTeamsTeamEntry as o, resolveAttachmentFetchPolicy as ot, fetchGraphJson as p, IMG_SRC_RE as q, normalizeMSTeamsUserInput as r, isUrlAllowed as rt, resolveMSTeamsChannelAllowlist as s, resolveMediaSsrfPolicy as st, looksLikeMSTeamsTargetId as t, isLikelyImageAttachment as tt, deleteGraphRequest as u, safeHostForUrl as ut, postGraphBetaJson as v, saveDelegatedTokens as w, hasConfiguredMSTeamsCredentials as x, postGraphJson as y, isAllowedBotFrameworkServiceUrl as z };

package/dist/runtime-BS5AZrKK.js

@@ -0,0 +1,8 @@
+import { createPluginRuntimeStore } from "openclaw/plugin-sdk/runtime-store";
+//#region extensions/msteams/src/runtime.ts
+const { setRuntime: setMSTeamsRuntime, getRuntime: getMSTeamsRuntime, tryGetRuntime: getOptionalMSTeamsRuntime } = createPluginRuntimeStore({
+	pluginId: "msteams",
+	errorMessage: "MSTeams runtime not initialized"
+});
+//#endregion
+export { getOptionalMSTeamsRuntime as n, setMSTeamsRuntime as r, getMSTeamsRuntime as t };

package/dist/runtime-api.js

@@ -1,2 +1,20 @@
-import { A as summarizeMapping, C as normalizeStringEntries, D as resolveDefaultGroupPolicy, E as resolveChannelMediaMaxBytes, O as resolveNestedAllowlistDecision, P as setMSTeamsRuntime, S as normalizeChannelSlug, T as resolveChannelEntryMatchWithFallback, _ as isDangerousNameMatchingEnabled, a as buildMediaPayload, b as logTypingFailure, c as createChannelMessageReplyPipeline, d as detectMime, f as dispatchReplyFromConfigWithSettledDispatcher, g as getFileExtension, h as fetchWithSsrFGuard, i as buildChannelKeyCandidates, j as withFileLock, k as resolveToolsBySender, l as createChannelPairingController, m as extractOriginalFilename, n as DEFAULT_WEBHOOK_MAX_BODY_BYTES, o as buildProbeChannelStatusSummary, p as extensionForMime, r as PAIRING_APPROVED_MESSAGE, s as chunkTextForOutbound, t as DEFAULT_ACCOUNT_ID, u as createDefaultChannelRuntimeState, v as keepHttpServerTaskAlive, w as resolveAllowlistMatchSimple, x as mergeAllowlist, y as loadOutboundMediaFromUrl } from "./runtime-api-BlvMnDKz.js";
+import { r as setMSTeamsRuntime } from "./runtime-BS5AZrKK.js";
+import { mergeAllowlist, resolveAllowlistMatchSimple, summarizeMapping } from "openclaw/plugin-sdk/allow-from";
+import { createChannelMessageReplyPipeline, keepHttpServerTaskAlive, logTypingFailure } from "openclaw/plugin-sdk/channel-outbound";
+import { createChannelPairingController } from "openclaw/plugin-sdk/channel-pairing";
+import { resolveToolsBySender } from "openclaw/plugin-sdk/channel-policy";
+import { DEFAULT_ACCOUNT_ID } from "openclaw/plugin-sdk/account-id";
+import { PAIRING_APPROVED_MESSAGE, buildProbeChannelStatusSummary, createDefaultChannelRuntimeState } from "openclaw/plugin-sdk/channel-status";
+import { buildChannelKeyCandidates, normalizeChannelSlug, resolveChannelEntryMatchWithFallback, resolveNestedAllowlistDecision } from "openclaw/plugin-sdk/channel-targets";
+import { isDangerousNameMatchingEnabled } from "openclaw/plugin-sdk/dangerous-name-runtime";
+import { resolveDefaultGroupPolicy } from "openclaw/plugin-sdk/runtime-group-policy";
+import { withFileLock } from "openclaw/plugin-sdk/file-lock";
+import { detectMime, extensionForMime, extractOriginalFilename, getFileExtension, resolveChannelMediaMaxBytes } from "openclaw/plugin-sdk/media-runtime";
+import { dispatchReplyFromConfigWithSettledDispatcher } from "openclaw/plugin-sdk/channel-inbound";
+import { loadOutboundMediaFromUrl } from "openclaw/plugin-sdk/outbound-media";
+import { buildMediaPayload } from "openclaw/plugin-sdk/reply-payload";
+import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
+import { normalizeStringEntries } from "openclaw/plugin-sdk/string-normalization-runtime";
+import { chunkTextForOutbound } from "openclaw/plugin-sdk/text-chunking";
+import { DEFAULT_WEBHOOK_MAX_BODY_BYTES } from "openclaw/plugin-sdk/webhook-ingress";
 export { DEFAULT_ACCOUNT_ID, DEFAULT_WEBHOOK_MAX_BODY_BYTES, PAIRING_APPROVED_MESSAGE, buildChannelKeyCandidates, buildMediaPayload, buildProbeChannelStatusSummary, chunkTextForOutbound, createChannelMessageReplyPipeline, createChannelPairingController, createDefaultChannelRuntimeState, detectMime, dispatchReplyFromConfigWithSettledDispatcher, extensionForMime, extractOriginalFilename, fetchWithSsrFGuard, getFileExtension, isDangerousNameMatchingEnabled, keepHttpServerTaskAlive, loadOutboundMediaFromUrl, logTypingFailure, mergeAllowlist, normalizeChannelSlug, normalizeStringEntries, resolveAllowlistMatchSimple, resolveChannelEntryMatchWithFallback, resolveChannelMediaMaxBytes, resolveDefaultGroupPolicy, resolveNestedAllowlistDecision, resolveToolsBySender, setMSTeamsRuntime, summarizeMapping, withFileLock };

package/dist/setup-plugin-api.js

@@ -1,6 +1,6 @@
-import { C as resolveMSTeamsCredentials } from "./resolve-allowlist-C6VVTfbj.js";
+import { C as resolveMSTeamsCredentials } from "./resolve-allowlist-BzIUWmMm.js";
 import { t as MSTeamsChannelConfigSchema } from "./config-schema-BL4qQZiA.js";
-import { c as msteamsSetupAdapter, t as msteamsSetupWizard } from "./setup-surface-DdyMxq-W.js";
+import { c as msteamsSetupAdapter, t as msteamsSetupWizard } from "./setup-surface-Dik4VU7f.js";
 import { describeAccountSnapshot } from "openclaw/plugin-sdk/account-helpers";
 import { formatAllowFromLowercase } from "openclaw/plugin-sdk/allow-from";
 import { createTopLevelChannelConfigAdapter } from "openclaw/plugin-sdk/channel-config-helpers";

package/dist/{setup-surface-DdyMxq-W.js → setup-surface-Dik4VU7f.js}

@@ -1,4 +1,4 @@
-import { C as resolveMSTeamsCredentials, E as normalizeSecretInputString, c as resolveMSTeamsUserAllowlist, o as parseMSTeamsTeamEntry, s as resolveMSTeamsChannelAllowlist, w as saveDelegatedTokens, x as hasConfiguredMSTeamsCredentials } from "./resolve-allowlist-C6VVTfbj.js";
+import { C as resolveMSTeamsCredentials, T as normalizeSecretInputString, c as resolveMSTeamsUserAllowlist, o as parseMSTeamsTeamEntry, s as resolveMSTeamsChannelAllowlist, w as saveDelegatedTokens, x as hasConfiguredMSTeamsCredentials } from "./resolve-allowlist-BzIUWmMm.js";
 import { isRecord } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { asFiniteNumberInRange, parseStrictFiniteNumber } from "openclaw/plugin-sdk/number-runtime";
 import { DEFAULT_ACCOUNT_ID, createSetupTranslator, createStandardChannelSetupStatus, createTopLevelChannelAllowFromSetter, createTopLevelChannelDmPolicy, createTopLevelChannelGroupPolicySetter, mergeAllowFromEntries, splitSetupEntries } from "openclaw/plugin-sdk/setup";
@@ -449,7 +449,7 @@ const msteamsSetupWizard = {
 					}
 				};
 				try {
-					const { loginMSTeamsDelegated } = await import("./oauth-CJj-b_Kn.js");
+					const { loginMSTeamsDelegated } = await import("./oauth-CDUB5xPY.js");
 					const progress = params.prompter.progress(t("wizard.msteams.delegatedOAuthProgress"));
 					saveDelegatedTokens(await loginMSTeamsDelegated({
 						isRemote: true,

package/dist/{src-_wVYF1sz.js → src-CLsoqMj1.js}

@@ -1,8 +1,11 @@
-import { A as summarizeMapping, D as resolveDefaultGroupPolicy, E as resolveChannelMediaMaxBytes, M as getMSTeamsRuntime, N as getOptionalMSTeamsRuntime, _ as isDangerousNameMatchingEnabled, a as buildMediaPayload, b as logTypingFailure, c as createChannelMessageReplyPipeline, f as dispatchReplyFromConfigWithSettledDispatcher$1, l as createChannelPairingController, n as DEFAULT_WEBHOOK_MAX_BODY_BYTES, t as DEFAULT_ACCOUNT_ID, v as keepHttpServerTaskAlive, x as mergeAllowlist } from "./runtime-api-BlvMnDKz.js";
-import { $ as extractInlineImageCandidates, C as resolveMSTeamsCredentials, F as createMSTeamsTokenProvider, H as tryNormalizeBotFrameworkServiceUrl, I as loadMSTeamsSdkWithAuth, J as IMG_SRC_RE, K as ATTACHMENT_TAG_RE, P as createMSTeamsExpressAdapter, Q as extractHtmlFromAttachment, R as ensureUserAgentHeader, T as resolveMSTeamsStorePath, W as resolveMSTeamsSdkCloudOptions, X as encodeGraphShareId, Y as applyAuthorizationHeaderForUrl, Z as estimateBase64DecodedBytes, at as normalizeContentType, c as resolveMSTeamsUserAllowlist, ct as resolveMediaSsrfPolicy, dt as safeHostForUrl, et as inferPlaceholder, ft as tryBuildGraphSharesUrlForSharedLink, it as isUrlAllowed, lt as resolveRequestUrl, nt as isLikelyImageAttachment, ot as readNestedString, p as fetchGraphJson, q as GRAPH_ROOT, rt as isRecord$1, s as resolveMSTeamsChannelAllowlist, st as resolveAttachmentFetchPolicy, tt as isDownloadableAttachment, ut as safeFetchWithPolicy } from "./resolve-allowlist-C6VVTfbj.js";
-import { a as resolveMSTeamsReplyPolicy, i as resolveMSTeamsAllowlistMatch, o as resolveMSTeamsRouteConfig } from "./channel-BwNnuHbh.js";
-import { a as formatUnknownError, i as formatMSTeamsSendErrorHint, r as classifyMSTeamsSendError } from "./setup-surface-DdyMxq-W.js";
-import { C as resolveMSTeamsSqliteStateEnv, E as readJsonFile, S as createMSTeamsConversationStoreState, T as withMSTeamsSqliteMutationLock, _ as buildFileInfoCard, b as createMSTeamsPollStoreState, c as renderReplyPayloadsToMessages, d as withRevokedProxyFallback, f as resolveGraphChatId, g as removePendingUploadFs, h as getPendingUploadFs, l as sendMSTeamsMessages, m as removePendingUpload, p as getPendingUpload, s as buildConversationReference, u as sendMSTeamsActivityWithReference, v as parseFileConsentInvoke, w as toPluginJsonValue, x as extractMSTeamsPollVote, y as uploadToConsentUrl } from "./probe-bq_Uev4c.js";
+import { n as getOptionalMSTeamsRuntime, t as getMSTeamsRuntime } from "./runtime-BS5AZrKK.js";
+import { DEFAULT_ACCOUNT_ID, DEFAULT_WEBHOOK_MAX_BODY_BYTES, buildMediaPayload, createChannelMessageReplyPipeline, createChannelPairingController, dispatchReplyFromConfigWithSettledDispatcher as dispatchReplyFromConfigWithSettledDispatcher$1, isDangerousNameMatchingEnabled, keepHttpServerTaskAlive, logTypingFailure, mergeAllowlist, resolveChannelMediaMaxBytes, resolveDefaultGroupPolicy, summarizeMapping } from "./runtime-api.js";
+import { $ as inferPlaceholder, C as resolveMSTeamsCredentials, F as loadMSTeamsSdkWithAuth, G as ATTACHMENT_TAG_RE, J as applyAuthorizationHeaderForUrl, K as GRAPH_ROOT, L as ensureUserAgentHeader, N as createMSTeamsExpressAdapter, P as createMSTeamsTokenProvider, Q as extractInlineImageCandidates, U as resolveMSTeamsSdkCloudOptions, V as tryNormalizeBotFrameworkServiceUrl, X as estimateBase64DecodedBytes, Y as encodeGraphShareId, Z as extractHtmlFromAttachment, at as readNestedString, c as resolveMSTeamsUserAllowlist, ct as resolveRequestUrl, dt as tryBuildGraphSharesUrlForSharedLink, et as isDownloadableAttachment, it as normalizeContentType, lt as safeFetchWithPolicy, nt as isRecord$1, ot as resolveAttachmentFetchPolicy, p as fetchGraphJson, q as IMG_SRC_RE, rt as isUrlAllowed, s as resolveMSTeamsChannelAllowlist, st as resolveMediaSsrfPolicy, tt as isLikelyImageAttachment, ut as safeHostForUrl } from "./resolve-allowlist-BzIUWmMm.js";
+import { a as resolveMSTeamsReplyPolicy, i as resolveMSTeamsAllowlistMatch, o as resolveMSTeamsRouteConfig } from "./channel--oT3fyD5.js";
+import { a as formatUnknownError, i as formatMSTeamsSendErrorHint, r as classifyMSTeamsSendError } from "./setup-surface-Dik4VU7f.js";
+import { l as createMSTeamsPollStoreState, u as extractMSTeamsPollVote, v as createMSTeamsConversationStoreState } from "./polls-C1VgSvKE.js";
+import { i as createMSTeamsSsoTokenStoreFs } from "./sso-token-store-BYZaKr82.js";
+import { _ as buildFileInfoCard, c as renderReplyPayloadsToMessages, d as withRevokedProxyFallback, f as resolveGraphChatId, g as removePendingUploadFs, h as getPendingUploadFs, l as sendMSTeamsMessages, m as removePendingUpload, p as getPendingUpload, s as buildConversationReference, u as sendMSTeamsActivityWithReference, v as parseFileConsentInvoke, y as uploadToConsentUrl } from "./probe-C-rWMb-m.js";
 import { formatAllowlistMatchMeta } from "openclaw/plugin-sdk/allow-from";
 import { buildChannelProgressDraftLine, buildChannelProgressDraftLineForEntry, createChannelProgressDraftGate, formatChannelProgressDraftText, isChannelProgressDraftWorkToolName, mergeChannelProgressDraftLine, normalizeChannelProgressDraftLineIdentity, resolveChannelPreviewStreamMode, resolveChannelProgressDraftMaxLines, resolveChannelStreamingBlockEnabled, resolveChannelStreamingPreviewToolProgress, resolveChannelStreamingSuppressDefaultToolProgressMessages } from "openclaw/plugin-sdk/channel-outbound";
 import { normalizeLowercaseStringOrEmpty, normalizeOptionalLowercaseString, normalizeOptionalString, uniqueStrings } from "openclaw/plugin-sdk/string-coerce-runtime";
@@ -12,8 +15,7 @@ import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import path from "node:path";
 import { asDateTimestampMs, resolveExpiresAtMsFromDurationMs } from "openclaw/plugin-sdk/number-runtime";
 import { appendRegularFile } from "openclaw/plugin-sdk/security-runtime";
-import crypto, { createHash } from "node:crypto";
-import fs from "node:fs/promises";
+import crypto from "node:crypto";
 import { resolveThreadSessionKeys } from "openclaw/plugin-sdk/routing";
 import { channelIngressRoutes, resolveStableChannelMessageIngress } from "openclaw/plugin-sdk/channel-ingress-runtime";
 import { filterSupplementalContextItems, resolveChannelContextVisibilityMode } from "openclaw/plugin-sdk/context-visibility-runtime";
@@ -3425,123 +3427,6 @@ async function runMSTeamsFileConsentInvokeHandler(context, log) {
 	}
 }
 //#endregion
-//#region extensions/msteams/src/sso-token-store.ts
-/**
-* SQLite-backed store for Bot Framework OAuth SSO tokens.
-*
-* Tokens are keyed by (connectionName, userId). `userId` should be the
-* stable AAD object ID (`activity.from.aadObjectId`) when available,
-* falling back to the Bot Framework `activity.from.id`.
-*
-* The store is intentionally minimal: it persists the exchanged user
-* token plus its expiration so consumers (for example tool handlers
-* that call Microsoft Graph with delegated permissions) can fetch a
-* valid token without reaching back into Bot Framework every turn.
-*/
-const STORE_FILENAME = "msteams-sso-tokens.json";
-const SSO_TOKENS_NAMESPACE = "sso-tokens";
-const SSO_TOKEN_MIGRATIONS_NAMESPACE = "sso-token-migrations";
-const SSO_TOKEN_LOCK_FILENAME = "msteams-sso-tokens.sqlite.lock";
-const MAX_SSO_TOKENS = 5e3;
-const STORE_KEY_VERSION_PREFIX = "v2:";
-function makeKey(connectionName, userId) {
-	return `${STORE_KEY_VERSION_PREFIX}${createHash("sha256").update(JSON.stringify([connectionName, userId])).digest("hex")}`;
-}
-function buildMigrationKey(filePath) {
-	return `legacy-json:${createHash("sha256").update(filePath).digest("hex")}`;
-}
-function buildMigrationContentKey(filePath, value) {
-	return `legacy-json-content:${createHash("sha256").update(filePath).update("\0").update(JSON.stringify(value) ?? "undefined").digest("hex")}`;
-}
-function createTokenStore(params) {
-	return getMSTeamsRuntime().state.openKeyedStore({
-		namespace: SSO_TOKENS_NAMESPACE,
-		maxEntries: MAX_SSO_TOKENS,
-		env: resolveMSTeamsSqliteStateEnv(params)
-	});
-}
-function createMigrationStore(params) {
-	return getMSTeamsRuntime().state.openKeyedStore({
-		namespace: SSO_TOKEN_MIGRATIONS_NAMESPACE,
-		maxEntries: 100,
-		env: resolveMSTeamsSqliteStateEnv(params)
-	});
-}
-function normalizeStoredToken(value) {
-	if (!value || typeof value !== "object") return null;
-	const token = value;
-	if (typeof token.connectionName !== "string" || !token.connectionName || typeof token.userId !== "string" || !token.userId || typeof token.token !== "string" || !token.token || typeof token.updatedAt !== "string" || !token.updatedAt) return null;
-	return {
-		connectionName: token.connectionName,
-		userId: token.userId,
-		token: token.token,
-		...typeof token.expiresAt === "string" ? { expiresAt: token.expiresAt } : {},
-		updatedAt: token.updatedAt
-	};
-}
-function isSsoStoreData(value) {
-	if (!value || typeof value !== "object") return false;
-	const obj = value;
-	return obj.version === 1 && typeof obj.tokens === "object" && obj.tokens !== null;
-}
-function createMSTeamsSsoTokenStoreFs(params) {
-	const legacyFilePath = resolveMSTeamsStorePath({
-		filename: STORE_FILENAME,
-		env: params?.env,
-		homedir: params?.homedir,
-		stateDir: params?.stateDir,
-		storePath: params?.storePath
-	});
-	const empty = {
-		version: 1,
-		tokens: {}
-	};
-	const tokenStore = createTokenStore(params);
-	const migrationStore = createMigrationStore(params);
-	const migrationKey = buildMigrationKey(legacyFilePath);
-	let legacyImportPromise = null;
-	const importLegacyStore = async () => {
-		const imported = await migrationStore.lookup(migrationKey) !== void 0;
-		const { value, exists } = await readJsonFile(legacyFilePath, empty);
-		const contentKey = exists ? buildMigrationContentKey(legacyFilePath, value) : null;
-		if (contentKey && await migrationStore.lookup(contentKey)) return;
-		if (exists && isSsoStoreData(value)) for (const stored of Object.values(value.tokens)) {
-			const normalized = normalizeStoredToken(stored);
-			if (!normalized) continue;
-			await tokenStore.registerIfAbsent(makeKey(normalized.connectionName, normalized.userId), toPluginJsonValue(normalized));
-		}
-		if (contentKey) await migrationStore.register(contentKey, { importedAt: (/* @__PURE__ */ new Date()).toISOString() });
-		if (!imported) await migrationStore.register(migrationKey, { importedAt: (/* @__PURE__ */ new Date()).toISOString() });
-		if (exists) await fs.rm(legacyFilePath, { force: true }).catch(() => {});
-	};
-	const ensureLegacyImported = async () => {
-		if (!legacyImportPromise) legacyImportPromise = withMSTeamsSqliteMutationLock(params, SSO_TOKEN_LOCK_FILENAME, () => importLegacyStore()).finally(() => {
-			legacyImportPromise = null;
-		});
-		await legacyImportPromise;
-	};
-	return {
-		async get({ connectionName, userId }) {
-			await ensureLegacyImported();
-			return await tokenStore.lookup(makeKey(connectionName, userId)) ?? null;
-		},
-		async save(token) {
-			await withMSTeamsSqliteMutationLock(params, SSO_TOKEN_LOCK_FILENAME, async () => {
-				await importLegacyStore();
-				await tokenStore.register(makeKey(token.connectionName, token.userId), toPluginJsonValue({ ...token }));
-			});
-		},
-		async remove({ connectionName, userId }) {
-			let removed = false;
-			await withMSTeamsSqliteMutationLock(params, SSO_TOKEN_LOCK_FILENAME, async () => {
-				await importLegacyStore();
-				removed = await tokenStore.delete(makeKey(connectionName, userId));
-			});
-			return removed;
-		}
-	};
-}
-//#endregion
 //#region extensions/msteams/src/webhook-timeouts.ts
 const MSTEAMS_WEBHOOK_INACTIVITY_TIMEOUT_MS = 3e4;
 const MSTEAMS_WEBHOOK_REQUEST_TIMEOUT_MS = 3e4;

package/dist/sso-token-store-BYZaKr82.js

@@ -0,0 +1,70 @@
+import { t as getMSTeamsRuntime } from "./runtime-BS5AZrKK.js";
+import { C as toPluginJsonValue, S as resolveMSTeamsSqliteStateEnv, w as withMSTeamsSqliteMutationLock } from "./polls-C1VgSvKE.js";
+import { createHash } from "node:crypto";
+//#region extensions/msteams/src/sso-token-store.ts
+/**
+* SQLite-backed store for Bot Framework OAuth SSO tokens.
+*
+* Tokens are keyed by (connectionName, userId). `userId` should be the
+* stable AAD object ID (`activity.from.aadObjectId`) when available,
+* falling back to the Bot Framework `activity.from.id`.
+*
+* The store is intentionally minimal: it persists the exchanged user
+* token plus its expiration so consumers (for example tool handlers
+* that call Microsoft Graph with delegated permissions) can fetch a
+* valid token without reaching back into Bot Framework every turn.
+*/
+const MSTEAMS_SSO_TOKENS_LEGACY_FILENAME = "msteams-sso-tokens.json";
+const MSTEAMS_SSO_TOKENS_NAMESPACE = "sso-tokens";
+const SSO_TOKEN_LOCK_FILENAME = "msteams-sso-tokens.sqlite.lock";
+const MSTEAMS_MAX_SSO_TOKENS = 5e3;
+const STORE_KEY_VERSION_PREFIX = "v2:";
+function makeMSTeamsSsoTokenStoreKey(connectionName, userId) {
+	return `${STORE_KEY_VERSION_PREFIX}${createHash("sha256").update(JSON.stringify([connectionName, userId])).digest("hex")}`;
+}
+function createTokenStore(params) {
+	return getMSTeamsRuntime().state.openKeyedStore({
+		namespace: MSTEAMS_SSO_TOKENS_NAMESPACE,
+		maxEntries: MSTEAMS_MAX_SSO_TOKENS,
+		env: resolveMSTeamsSqliteStateEnv(params)
+	});
+}
+function normalizeMSTeamsSsoStoredToken(value) {
+	if (!value || typeof value !== "object") return null;
+	const token = value;
+	if (typeof token.connectionName !== "string" || !token.connectionName || typeof token.userId !== "string" || !token.userId || typeof token.token !== "string" || !token.token || typeof token.updatedAt !== "string" || !token.updatedAt) return null;
+	return {
+		connectionName: token.connectionName,
+		userId: token.userId,
+		token: token.token,
+		...typeof token.expiresAt === "string" ? { expiresAt: token.expiresAt } : {},
+		updatedAt: token.updatedAt
+	};
+}
+function isMSTeamsSsoStoreData(value) {
+	if (!value || typeof value !== "object") return false;
+	const obj = value;
+	return obj.version === 1 && typeof obj.tokens === "object" && obj.tokens !== null;
+}
+function createMSTeamsSsoTokenStoreFs(params) {
+	const tokenStore = createTokenStore(params);
+	return {
+		async get({ connectionName, userId }) {
+			return await tokenStore.lookup(makeMSTeamsSsoTokenStoreKey(connectionName, userId)) ?? null;
+		},
+		async save(token) {
+			await withMSTeamsSqliteMutationLock(params, SSO_TOKEN_LOCK_FILENAME, async () => {
+				await tokenStore.register(makeMSTeamsSsoTokenStoreKey(token.connectionName, token.userId), toPluginJsonValue({ ...token }));
+			});
+		},
+		async remove({ connectionName, userId }) {
+			let removed = false;
+			await withMSTeamsSqliteMutationLock(params, SSO_TOKEN_LOCK_FILENAME, async () => {
+				removed = await tokenStore.delete(makeMSTeamsSsoTokenStoreKey(connectionName, userId));
+			});
+			return removed;
+		}
+	};
+}
+//#endregion
+export { isMSTeamsSsoStoreData as a, createMSTeamsSsoTokenStoreFs as i, MSTEAMS_SSO_TOKENS_LEGACY_FILENAME as n, makeMSTeamsSsoTokenStoreKey as o, MSTEAMS_SSO_TOKENS_NAMESPACE as r, normalizeMSTeamsSsoStoredToken as s, MSTEAMS_MAX_SSO_TOKENS as t };

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.6.2-beta.1",
+  "version": "2026.6.5-beta.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@openclaw/msteams",
-      "version": "2026.6.2-beta.1",
+      "version": "2026.6.5-beta.2",
       "dependencies": {
         "@azure/identity": "4.13.1",
         "@microsoft/teams.api": "2.0.12",
@@ -15,7 +15,7 @@
         "typebox": "1.1.39"
       },
       "peerDependencies": {
-        "openclaw": ">=2026.6.2-beta.1"
+        "openclaw": ">=2026.6.5-beta.2"
       },
       "peerDependenciesMeta": {
         "openclaw": {

package/openclaw.plugin.json

@@ -353,6 +353,9 @@
                       "raw",
                       "status"
                     ]
+                  },
+                  "commentary": {
+                    "type": "boolean"
                   }
                 },
                 "additionalProperties": false

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.6.2-beta.1",
+  "version": "2026.6.5-beta.2",
   "description": "OpenClaw Microsoft Teams channel plugin for bot conversations.",
   "repository": {
     "type": "git",
@@ -15,7 +15,7 @@
     "typebox": "1.1.39"
   },
   "peerDependencies": {
-    "openclaw": ">=2026.6.2-beta.1"
+    "openclaw": ">=2026.6.5-beta.2"
   },
   "peerDependenciesMeta": {
     "openclaw": {
@@ -51,10 +51,10 @@
       "minHostVersion": ">=2026.4.10"
     },
     "compat": {
-      "pluginApi": ">=2026.6.2-beta.1"
+      "pluginApi": ">=2026.6.5-beta.2"
     },
     "build": {
-      "openclawVersion": "2026.6.2-beta.1"
+      "openclawVersion": "2026.6.5-beta.2"
     },
     "release": {
       "publishToClawHub": true,

package/dist/runtime-api-BlvMnDKz.js

@@ -1,26 +0,0 @@
-import { mergeAllowlist, resolveAllowlistMatchSimple, summarizeMapping } from "openclaw/plugin-sdk/allow-from";
-import { createChannelMessageReplyPipeline, keepHttpServerTaskAlive, logTypingFailure } from "openclaw/plugin-sdk/channel-outbound";
-import { createChannelPairingController } from "openclaw/plugin-sdk/channel-pairing";
-import { resolveToolsBySender } from "openclaw/plugin-sdk/channel-policy";
-import { DEFAULT_ACCOUNT_ID } from "openclaw/plugin-sdk/account-id";
-import { PAIRING_APPROVED_MESSAGE, buildProbeChannelStatusSummary, createDefaultChannelRuntimeState } from "openclaw/plugin-sdk/channel-status";
-import { buildChannelKeyCandidates, normalizeChannelSlug, resolveChannelEntryMatchWithFallback, resolveNestedAllowlistDecision } from "openclaw/plugin-sdk/channel-targets";
-import { isDangerousNameMatchingEnabled } from "openclaw/plugin-sdk/dangerous-name-runtime";
-import { resolveDefaultGroupPolicy } from "openclaw/plugin-sdk/runtime-group-policy";
-import { withFileLock as withFileLock$1 } from "openclaw/plugin-sdk/file-lock";
-import { detectMime, extensionForMime, extractOriginalFilename, getFileExtension, resolveChannelMediaMaxBytes } from "openclaw/plugin-sdk/media-runtime";
-import { dispatchReplyFromConfigWithSettledDispatcher as dispatchReplyFromConfigWithSettledDispatcher$1 } from "openclaw/plugin-sdk/channel-inbound";
-import { loadOutboundMediaFromUrl } from "openclaw/plugin-sdk/outbound-media";
-import { buildMediaPayload } from "openclaw/plugin-sdk/reply-payload";
-import { fetchWithSsrFGuard as fetchWithSsrFGuard$1 } from "openclaw/plugin-sdk/ssrf-runtime";
-import { normalizeStringEntries } from "openclaw/plugin-sdk/string-normalization-runtime";
-import { chunkTextForOutbound } from "openclaw/plugin-sdk/text-chunking";
-import { DEFAULT_WEBHOOK_MAX_BODY_BYTES } from "openclaw/plugin-sdk/webhook-ingress";
-import { createPluginRuntimeStore } from "openclaw/plugin-sdk/runtime-store";
-//#region extensions/msteams/src/runtime.ts
-const { setRuntime: setMSTeamsRuntime, getRuntime: getMSTeamsRuntime, tryGetRuntime: getOptionalMSTeamsRuntime } = createPluginRuntimeStore({
-	pluginId: "msteams",
-	errorMessage: "MSTeams runtime not initialized"
-});
-//#endregion
-export { summarizeMapping as A, normalizeStringEntries as C, resolveDefaultGroupPolicy as D, resolveChannelMediaMaxBytes as E, getMSTeamsRuntime as M, getOptionalMSTeamsRuntime as N, resolveNestedAllowlistDecision as O, setMSTeamsRuntime as P, normalizeChannelSlug as S, resolveChannelEntryMatchWithFallback as T, isDangerousNameMatchingEnabled as _, buildMediaPayload as a, logTypingFailure as b, createChannelMessageReplyPipeline as c, detectMime as d, dispatchReplyFromConfigWithSettledDispatcher$1 as f, getFileExtension as g, fetchWithSsrFGuard$1 as h, buildChannelKeyCandidates as i, withFileLock$1 as j, resolveToolsBySender as k, createChannelPairingController as l, extractOriginalFilename as m, DEFAULT_WEBHOOK_MAX_BODY_BYTES as n, buildProbeChannelStatusSummary as o, extensionForMime as p, PAIRING_APPROVED_MESSAGE as r, chunkTextForOutbound as s, DEFAULT_ACCOUNT_ID as t, createDefaultChannelRuntimeState as u, keepHttpServerTaskAlive as v, resolveAllowlistMatchSimple as w, mergeAllowlist as x, loadOutboundMediaFromUrl as y };