@openclaw/zalo 2026.3.1 → 2026.3.7

package/src/onboarding.status.test.ts

@@ -0,0 +1,24 @@
+import type { OpenClawConfig } from "openclaw/plugin-sdk/zalo";
+import { describe, expect, it } from "vitest";
+import { zaloOnboardingAdapter } from "./onboarding.js";
+
+describe("zalo onboarding status", () => {
+  it("treats SecretRef botToken as configured", async () => {
+    const status = await zaloOnboardingAdapter.getStatus({
+      cfg: {
+        channels: {
+          zalo: {
+            botToken: {
+              source: "env",
+              provider: "default",
+              id: "ZALO_BOT_TOKEN",
+            },
+          },
+        },
+      } as OpenClawConfig,
+      accountOverrides: {},
+    });
+
+    expect(status.configured).toBe(true);
+  });
+});

package/src/onboarding.ts

@@ -2,15 +2,19 @@ import type {
   ChannelOnboardingAdapter,
   ChannelOnboardingDmPolicy,
   OpenClawConfig,
+  SecretInput,
   WizardPrompter,
-} from "openclaw/plugin-sdk";
+} from "openclaw/plugin-sdk/zalo";
 import {
-  addWildcardAllowFrom,
+  buildSingleChannelSecretPromptState,
   DEFAULT_ACCOUNT_ID,
+  hasConfiguredSecretInput,
   mergeAllowFromEntries,
   normalizeAccountId,
-  promptAccountId,
-} from "openclaw/plugin-sdk";
+  promptSingleChannelSecretInput,
+  resolveAccountIdForConfigure,
+  setTopLevelChannelDmPolicyWithAllowFrom,
+} from "openclaw/plugin-sdk/zalo";
 import { listZaloAccountIds, resolveDefaultZaloAccountId, resolveZaloAccount } from "./accounts.js";
 
 const channel = "zalo" as const;
@@ -21,19 +25,11 @@ function setZaloDmPolicy(
   cfg: OpenClawConfig,
   dmPolicy: "pairing" | "allowlist" | "open" | "disabled",
 ) {
-  const allowFrom =
-    dmPolicy === "open" ? addWildcardAllowFrom(cfg.channels?.zalo?.allowFrom) : undefined;
-  return {
-    ...cfg,
-    channels: {
-      ...cfg.channels,
-      zalo: {
-        ...cfg.channels?.zalo,
-        dmPolicy,
-        ...(allowFrom ? { allowFrom } : {}),
-      },
-    },
-  } as OpenClawConfig;
+  return setTopLevelChannelDmPolicyWithAllowFrom({
+    cfg,
+    channel: "zalo",
+    dmPolicy,
+  }) as OpenClawConfig;
 }
 
 function setZaloUpdateMode(
@@ -41,7 +37,7 @@ function setZaloUpdateMode(
   accountId: string,
   mode: UpdateMode,
   webhookUrl?: string,
-  webhookSecret?: string,
+  webhookSecret?: SecretInput,
   webhookPath?: string,
 ): OpenClawConfig {
   const isDefault = accountId === DEFAULT_ACCOUNT_ID;
@@ -210,9 +206,18 @@ export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
   channel,
   dmPolicy,
   getStatus: async ({ cfg }) => {
-    const configured = listZaloAccountIds(cfg).some((accountId) =>
-      Boolean(resolveZaloAccount({ cfg: cfg, accountId }).token),
-    );
+    const configured = listZaloAccountIds(cfg).some((accountId) => {
+      const account = resolveZaloAccount({
+        cfg: cfg,
+        accountId,
+        allowUnresolvedSecretRef: true,
+      });
+      return (
+        Boolean(account.token) ||
+        hasConfiguredSecretInput(account.config.botToken) ||
+        Boolean(account.config.tokenFile?.trim())
+      );
+    });
     return {
       channel,
       configured,
@@ -228,77 +233,66 @@ export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
     shouldPromptAccountIds,
     forceAllowFrom,
   }) => {
-    const zaloOverride = accountOverrides.zalo?.trim();
     const defaultZaloAccountId = resolveDefaultZaloAccountId(cfg);
-    let zaloAccountId = zaloOverride ? normalizeAccountId(zaloOverride) : defaultZaloAccountId;
-    if (shouldPromptAccountIds && !zaloOverride) {
-      zaloAccountId = await promptAccountId({
-        cfg: cfg,
-        prompter,
-        label: "Zalo",
-        currentId: zaloAccountId,
-        listAccountIds: listZaloAccountIds,
-        defaultAccountId: defaultZaloAccountId,
-      });
-    }
+    const zaloAccountId = await resolveAccountIdForConfigure({
+      cfg,
+      prompter,
+      label: "Zalo",
+      accountOverride: accountOverrides.zalo,
+      shouldPromptAccountIds,
+      listAccountIds: listZaloAccountIds,
+      defaultAccountId: defaultZaloAccountId,
+    });
 
     let next = cfg;
-    const resolvedAccount = resolveZaloAccount({ cfg: next, accountId: zaloAccountId });
+    const resolvedAccount = resolveZaloAccount({
+      cfg: next,
+      accountId: zaloAccountId,
+      allowUnresolvedSecretRef: true,
+    });
     const accountConfigured = Boolean(resolvedAccount.token);
     const allowEnv = zaloAccountId === DEFAULT_ACCOUNT_ID;
-    const canUseEnv = allowEnv && Boolean(process.env.ZALO_BOT_TOKEN?.trim());
     const hasConfigToken = Boolean(
-      resolvedAccount.config.botToken || resolvedAccount.config.tokenFile,
+      hasConfiguredSecretInput(resolvedAccount.config.botToken) || resolvedAccount.config.tokenFile,
     );
+    const tokenPromptState = buildSingleChannelSecretPromptState({
+      accountConfigured,
+      hasConfigToken,
+      allowEnv,
+      envValue: process.env.ZALO_BOT_TOKEN,
+    });
 
-    let token: string | null = null;
+    let token: SecretInput | null = null;
     if (!accountConfigured) {
       await noteZaloTokenHelp(prompter);
     }
-    if (canUseEnv && !resolvedAccount.config.botToken) {
-      const keepEnv = await prompter.confirm({
-        message: "ZALO_BOT_TOKEN detected. Use env var?",
-        initialValue: true,
-      });
-      if (keepEnv) {
-        next = {
-          ...next,
-          channels: {
-            ...next.channels,
-            zalo: {
-              ...next.channels?.zalo,
-              enabled: true,
-            },
+    const tokenResult = await promptSingleChannelSecretInput({
+      cfg: next,
+      prompter,
+      providerHint: "zalo",
+      credentialLabel: "bot token",
+      accountConfigured: tokenPromptState.accountConfigured,
+      canUseEnv: tokenPromptState.canUseEnv,
+      hasConfigToken: tokenPromptState.hasConfigToken,
+      envPrompt: "ZALO_BOT_TOKEN detected. Use env var?",
+      keepPrompt: "Zalo token already configured. Keep it?",
+      inputPrompt: "Enter Zalo bot token",
+      preferredEnvVar: "ZALO_BOT_TOKEN",
+    });
+    if (tokenResult.action === "set") {
+      token = tokenResult.value;
+    }
+    if (tokenResult.action === "use-env" && zaloAccountId === DEFAULT_ACCOUNT_ID) {
+      next = {
+        ...next,
+        channels: {
+          ...next.channels,
+          zalo: {
+            ...next.channels?.zalo,
+            enabled: true,
           },
-        } as OpenClawConfig;
-      } else {
-        token = String(
-          await prompter.text({
-            message: "Enter Zalo bot token",
-            validate: (value) => (value?.trim() ? undefined : "Required"),
-          }),
-        ).trim();
-      }
-    } else if (hasConfigToken) {
-      const keep = await prompter.confirm({
-        message: "Zalo token already configured. Keep it?",
-        initialValue: true,
-      });
-      if (!keep) {
-        token = String(
-          await prompter.text({
-            message: "Enter Zalo bot token",
-            validate: (value) => (value?.trim() ? undefined : "Required"),
-          }),
-        ).trim();
-      }
-    } else {
-      token = String(
-        await prompter.text({
-          message: "Enter Zalo bot token",
-          validate: (value) => (value?.trim() ? undefined : "Required"),
-        }),
-      ).trim();
+        },
+      } as OpenClawConfig;
     }
 
     if (token) {
@@ -338,12 +332,13 @@ export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
 
     const wantsWebhook = await prompter.confirm({
       message: "Use webhook mode for Zalo?",
-      initialValue: false,
+      initialValue: Boolean(resolvedAccount.config.webhookUrl),
     });
     if (wantsWebhook) {
       const webhookUrl = String(
         await prompter.text({
           message: "Webhook URL (https://...) ",
+          initialValue: resolvedAccount.config.webhookUrl,
           validate: (value) =>
             value?.trim()?.startsWith("https://") ? undefined : "HTTPS URL required",
         }),
@@ -355,22 +350,51 @@ export const zaloOnboardingAdapter: ChannelOnboardingAdapter = {
           return "/zalo-webhook";
         }
       })();
-      const webhookSecret = String(
-        await prompter.text({
-          message: "Webhook secret (8-256 chars)",
-          validate: (value) => {
-            const raw = String(value ?? "");
-            if (raw.length < 8 || raw.length > 256) {
-              return "8-256 chars";
-            }
-            return undefined;
-          },
+      let webhookSecretResult = await promptSingleChannelSecretInput({
+        cfg: next,
+        prompter,
+        providerHint: "zalo-webhook",
+        credentialLabel: "webhook secret",
+        ...buildSingleChannelSecretPromptState({
+          accountConfigured: hasConfiguredSecretInput(resolvedAccount.config.webhookSecret),
+          hasConfigToken: hasConfiguredSecretInput(resolvedAccount.config.webhookSecret),
+          allowEnv: false,
         }),
-      ).trim();
+        envPrompt: "",
+        keepPrompt: "Zalo webhook secret already configured. Keep it?",
+        inputPrompt: "Webhook secret (8-256 chars)",
+        preferredEnvVar: "ZALO_WEBHOOK_SECRET",
+      });
+      while (
+        webhookSecretResult.action === "set" &&
+        typeof webhookSecretResult.value === "string" &&
+        (webhookSecretResult.value.length < 8 || webhookSecretResult.value.length > 256)
+      ) {
+        await prompter.note("Webhook secret must be between 8 and 256 characters.", "Zalo webhook");
+        webhookSecretResult = await promptSingleChannelSecretInput({
+          cfg: next,
+          prompter,
+          providerHint: "zalo-webhook",
+          credentialLabel: "webhook secret",
+          ...buildSingleChannelSecretPromptState({
+            accountConfigured: false,
+            hasConfigToken: false,
+            allowEnv: false,
+          }),
+          envPrompt: "",
+          keepPrompt: "Zalo webhook secret already configured. Keep it?",
+          inputPrompt: "Webhook secret (8-256 chars)",
+          preferredEnvVar: "ZALO_WEBHOOK_SECRET",
+        });
+      }
+      const webhookSecret =
+        webhookSecretResult.action === "set"
+          ? webhookSecretResult.value
+          : resolvedAccount.config.webhookSecret;
       const webhookPath = String(
         await prompter.text({
           message: "Webhook path (optional)",
-          initialValue: defaultPath,
+          initialValue: resolvedAccount.config.webhookPath ?? defaultPath,
         }),
       ).trim();
       next = setZaloUpdateMode(

package/src/probe.ts

@@ -1,4 +1,4 @@
-import type { BaseProbeResult } from "openclaw/plugin-sdk";
+import type { BaseProbeResult } from "openclaw/plugin-sdk/zalo";
 import { getMe, ZaloApiError, type ZaloBotInfo, type ZaloFetch } from "./api.js";
 
 export type ZaloProbeResult = BaseProbeResult<string> & {

package/src/runtime.ts

@@ -1,4 +1,4 @@
-import type { PluginRuntime } from "openclaw/plugin-sdk";
+import type { PluginRuntime } from "openclaw/plugin-sdk/zalo";
 
 let runtime: PluginRuntime | null = null;
 

package/src/secret-input.ts

@@ -0,0 +1,13 @@
+import {
+  buildSecretInputSchema,
+  hasConfiguredSecretInput,
+  normalizeResolvedSecretInputString,
+  normalizeSecretInputString,
+} from "openclaw/plugin-sdk/zalo";
+
+export {
+  buildSecretInputSchema,
+  hasConfiguredSecretInput,
+  normalizeResolvedSecretInputString,
+  normalizeSecretInputString,
+};

package/src/send.ts

@@ -1,4 +1,4 @@
-import type { OpenClawConfig } from "openclaw/plugin-sdk";
+import type { OpenClawConfig } from "openclaw/plugin-sdk/zalo";
 import { resolveZaloAccount } from "./accounts.js";
 import type { ZaloFetch } from "./api.js";
 import { sendMessage, sendPhoto } from "./api.js";
@@ -40,37 +40,47 @@ function resolveSendContext(options: ZaloSendOptions): {
   return { token, fetcher: resolveZaloProxyFetch(proxy) };
 }
 
-export async function sendMessageZalo(
+function resolveValidatedSendContext(
   chatId: string,
-  text: string,
-  options: ZaloSendOptions = {},
-): Promise<ZaloSendResult> {
+  options: ZaloSendOptions,
+): { ok: true; chatId: string; token: string; fetcher?: ZaloFetch } | { ok: false; error: string } {
   const { token, fetcher } = resolveSendContext(options);
-
   if (!token) {
     return { ok: false, error: "No Zalo bot token configured" };
   }
-
-  if (!chatId?.trim()) {
+  const trimmedChatId = chatId?.trim();
+  if (!trimmedChatId) {
     return { ok: false, error: "No chat_id provided" };
   }
+  return { ok: true, chatId: trimmedChatId, token, fetcher };
+}
+
+export async function sendMessageZalo(
+  chatId: string,
+  text: string,
+  options: ZaloSendOptions = {},
+): Promise<ZaloSendResult> {
+  const context = resolveValidatedSendContext(chatId, options);
+  if (!context.ok) {
+    return { ok: false, error: context.error };
+  }
 
   if (options.mediaUrl) {
-    return sendPhotoZalo(chatId, options.mediaUrl, {
+    return sendPhotoZalo(context.chatId, options.mediaUrl, {
       ...options,
-      token,
+      token: context.token,
       caption: text || options.caption,
     });
   }
 
   try {
     const response = await sendMessage(
-      token,
+      context.token,
       {
-        chat_id: chatId.trim(),
+        chat_id: context.chatId,
         text: text.slice(0, 2000),
       },
-      fetcher,
+      context.fetcher,
     );
 
     if (response.ok && response.result) {
@@ -88,14 +98,9 @@ export async function sendPhotoZalo(
   photoUrl: string,
   options: ZaloSendOptions = {},
 ): Promise<ZaloSendResult> {
-  const { token, fetcher } = resolveSendContext(options);
-
-  if (!token) {
-    return { ok: false, error: "No Zalo bot token configured" };
-  }
-
-  if (!chatId?.trim()) {
-    return { ok: false, error: "No chat_id provided" };
+  const context = resolveValidatedSendContext(chatId, options);
+  if (!context.ok) {
+    return { ok: false, error: context.error };
   }
 
   if (!photoUrl?.trim()) {
@@ -104,13 +109,13 @@ export async function sendPhotoZalo(
 
   try {
     const response = await sendPhoto(
-      token,
+      context.token,
       {
-        chat_id: chatId.trim(),
+        chat_id: context.chatId,
         photo: photoUrl.trim(),
         caption: options.caption?.slice(0, 2000),
       },
-      fetcher,
+      context.fetcher,
     );
 
     if (response.ok && response.result) {

package/src/status-issues.ts

@@ -1,4 +1,4 @@
-import type { ChannelAccountSnapshot, ChannelStatusIssue } from "openclaw/plugin-sdk";
+import type { ChannelAccountSnapshot, ChannelStatusIssue } from "openclaw/plugin-sdk/zalo";
 
 type ZaloAccountStatus = {
   accountId?: unknown;

package/src/token.test.ts

@@ -0,0 +1,58 @@
+import { describe, expect, it } from "vitest";
+import { resolveZaloToken } from "./token.js";
+import type { ZaloConfig } from "./types.js";
+
+describe("resolveZaloToken", () => {
+  it("falls back to top-level token for non-default accounts without overrides", () => {
+    const cfg = {
+      botToken: "top-level-token",
+      accounts: {
+        work: {},
+      },
+    } as ZaloConfig;
+    const res = resolveZaloToken(cfg, "work");
+    expect(res.token).toBe("top-level-token");
+    expect(res.source).toBe("config");
+  });
+
+  it("uses accounts.default botToken for default account when configured", () => {
+    const cfg = {
+      botToken: "top-level-token",
+      accounts: {
+        default: {
+          botToken: "default-account-token",
+        },
+      },
+    } as ZaloConfig;
+    const res = resolveZaloToken(cfg, "default");
+    expect(res.token).toBe("default-account-token");
+    expect(res.source).toBe("config");
+  });
+
+  it("does not inherit top-level token when account token is explicitly blank", () => {
+    const cfg = {
+      botToken: "top-level-token",
+      accounts: {
+        work: {
+          botToken: "",
+        },
+      },
+    } as ZaloConfig;
+    const res = resolveZaloToken(cfg, "work");
+    expect(res.token).toBe("");
+    expect(res.source).toBe("none");
+  });
+
+  it("resolves account token when account key casing differs from normalized id", () => {
+    const cfg = {
+      accounts: {
+        Work: {
+          botToken: "work-token",
+        },
+      },
+    } as ZaloConfig;
+    const res = resolveZaloToken(cfg, "work");
+    expect(res.token).toBe("work-token");
+    expect(res.source).toBe("config");
+  });
+});

package/src/token.ts

@@ -1,57 +1,92 @@
 import { readFileSync } from "node:fs";
-import { type BaseTokenResolution, DEFAULT_ACCOUNT_ID } from "openclaw/plugin-sdk";
+import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "openclaw/plugin-sdk/account-id";
+import type { BaseTokenResolution } from "openclaw/plugin-sdk/zalo";
+import { normalizeResolvedSecretInputString, normalizeSecretInputString } from "./secret-input.js";
 import type { ZaloConfig } from "./types.js";
 
 export type ZaloTokenResolution = BaseTokenResolution & {
   source: "env" | "config" | "configFile" | "none";
 };
 
+function readTokenFromFile(tokenFile: string | undefined): string {
+  const trimmedPath = tokenFile?.trim();
+  if (!trimmedPath) {
+    return "";
+  }
+  try {
+    return readFileSync(trimmedPath, "utf8").trim();
+  } catch {
+    // ignore read failures
+    return "";
+  }
+}
+
 export function resolveZaloToken(
   config: ZaloConfig | undefined,
   accountId?: string | null,
+  options?: { allowUnresolvedSecretRef?: boolean },
 ): ZaloTokenResolution {
   const resolvedAccountId = accountId ?? DEFAULT_ACCOUNT_ID;
   const isDefaultAccount = resolvedAccountId === DEFAULT_ACCOUNT_ID;
   const baseConfig = config;
-  const accountConfig =
-    resolvedAccountId !== DEFAULT_ACCOUNT_ID
-      ? (baseConfig?.accounts?.[resolvedAccountId] as ZaloConfig | undefined)
-      : undefined;
+  const resolveAccountConfig = (id: string): ZaloConfig | undefined => {
+    const accounts = baseConfig?.accounts;
+    if (!accounts || typeof accounts !== "object") {
+      return undefined;
+    }
+    const direct = accounts[id] as ZaloConfig | undefined;
+    if (direct) {
+      return direct;
+    }
+    const normalized = normalizeAccountId(id);
+    const matchKey = Object.keys(accounts).find((key) => normalizeAccountId(key) === normalized);
+    return matchKey ? ((accounts as Record<string, ZaloConfig>)[matchKey] ?? undefined) : undefined;
+  };
+  const accountConfig = resolveAccountConfig(resolvedAccountId);
+  const accountHasBotToken = Boolean(
+    accountConfig && Object.prototype.hasOwnProperty.call(accountConfig, "botToken"),
+  );
 
-  if (accountConfig) {
-    const token = accountConfig.botToken?.trim();
+  if (accountConfig && accountHasBotToken) {
+    const token = options?.allowUnresolvedSecretRef
+      ? normalizeSecretInputString(accountConfig.botToken)
+      : normalizeResolvedSecretInputString({
+          value: accountConfig.botToken,
+          path: `channels.zalo.accounts.${resolvedAccountId}.botToken`,
+        });
     if (token) {
       return { token, source: "config" };
     }
-    const tokenFile = accountConfig.tokenFile?.trim();
-    if (tokenFile) {
-      try {
-        const fileToken = readFileSync(tokenFile, "utf8").trim();
-        if (fileToken) {
-          return { token: fileToken, source: "configFile" };
-        }
-      } catch {
-        // ignore read failures
-      }
+    const fileToken = readTokenFromFile(accountConfig.tokenFile);
+    if (fileToken) {
+      return { token: fileToken, source: "configFile" };
     }
   }
 
-  if (isDefaultAccount) {
-    const token = baseConfig?.botToken?.trim();
+  if (!accountHasBotToken) {
+    const fileToken = readTokenFromFile(accountConfig?.tokenFile);
+    if (fileToken) {
+      return { token: fileToken, source: "configFile" };
+    }
+  }
+
+  if (!accountHasBotToken) {
+    const token = options?.allowUnresolvedSecretRef
+      ? normalizeSecretInputString(baseConfig?.botToken)
+      : normalizeResolvedSecretInputString({
+          value: baseConfig?.botToken,
+          path: "channels.zalo.botToken",
+        });
     if (token) {
       return { token, source: "config" };
     }
-    const tokenFile = baseConfig?.tokenFile?.trim();
-    if (tokenFile) {
-      try {
-        const fileToken = readFileSync(tokenFile, "utf8").trim();
-        if (fileToken) {
-          return { token: fileToken, source: "configFile" };
-        }
-      } catch {
-        // ignore read failures
-      }
+    const fileToken = readTokenFromFile(baseConfig?.tokenFile);
+    if (fileToken) {
+      return { token: fileToken, source: "configFile" };
     }
+  }
+
+  if (isDefaultAccount) {
     const envToken = process.env.ZALO_BOT_TOKEN?.trim();
     if (envToken) {
       return { token: envToken, source: "env" };

package/src/types.ts

@@ -1,16 +1,18 @@
+import type { SecretInput } from "openclaw/plugin-sdk/zalo";
+
 export type ZaloAccountConfig = {
   /** Optional display name for this account (used in CLI/UI lists). */
   name?: string;
   /** If false, do not start this Zalo account. Default: true. */
   enabled?: boolean;
   /** Bot token from Zalo Bot Creator. */
-  botToken?: string;
+  botToken?: SecretInput;
   /** Path to file containing the bot token. */
   tokenFile?: string;
   /** Webhook URL for receiving updates (HTTPS required). */
   webhookUrl?: string;
   /** Webhook secret token (8-256 chars) for request verification. */
-  webhookSecret?: string;
+  webhookSecret?: SecretInput;
   /** Webhook path for the gateway HTTP server (defaults to webhook URL path). */
   webhookPath?: string;
   /** Direct message access policy (default: pairing). */