@openclaw/zalo 2026.3.13 → 2026.5.1-beta.2

package/src/outbound-media.test.ts

@@ -0,0 +1,182 @@
+import { stat } from "node:fs/promises";
+import { join } from "node:path";
+import { resolvePreferredOpenClawTmpDir } from "openclaw/plugin-sdk/temp-path";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const loadOutboundMediaFromUrlMock = vi.fn();
+
+vi.mock("openclaw/plugin-sdk/outbound-media", () => ({
+  loadOutboundMediaFromUrl: (...args: unknown[]) => loadOutboundMediaFromUrlMock(...args),
+}));
+
+import {
+  clearHostedZaloMediaForTest,
+  prepareHostedZaloMediaUrl,
+  resolveHostedZaloMediaRoutePrefix,
+  tryHandleHostedZaloMediaRequest,
+} from "./outbound-media.js";
+
+function createMockResponse() {
+  const headers = new Map<string, string>();
+  return {
+    headers,
+    res: {
+      statusCode: 200,
+      setHeader(name: string, value: string) {
+        headers.set(name, value);
+      },
+      end: vi.fn(),
+    },
+  };
+}
+
+describe("zalo outbound hosted media", () => {
+  beforeEach(() => {
+    clearHostedZaloMediaForTest();
+    loadOutboundMediaFromUrlMock.mockReset();
+    loadOutboundMediaFromUrlMock.mockResolvedValue({
+      buffer: Buffer.from("image-bytes"),
+      contentType: "image/png",
+      fileName: "photo.png",
+    });
+  });
+
+  it("loads outbound media under OpenClaw control and returns a hosted URL", async () => {
+    const hostedUrl = await prepareHostedZaloMediaUrl({
+      mediaUrl: "https://example.com/photo.png",
+      webhookUrl: "https://gateway.example.com/zalo-webhook",
+      maxBytes: 1024,
+    });
+
+    expect(loadOutboundMediaFromUrlMock).toHaveBeenCalledWith("https://example.com/photo.png", {
+      maxBytes: 1024,
+    });
+    expect(hostedUrl).toMatch(
+      /^https:\/\/gateway\.example\.com\/zalo-webhook\/media\/[a-f0-9]+\?token=[a-f0-9]+$/,
+    );
+  });
+
+  it("passes proxy-aware fetch options into hosted media downloads", async () => {
+    await prepareHostedZaloMediaUrl({
+      mediaUrl: "https://example.com/photo.png",
+      webhookUrl: "https://gateway.example.com/zalo-webhook",
+      maxBytes: 1024,
+      proxyUrl: "http://proxy.example:8080",
+    });
+
+    expect(loadOutboundMediaFromUrlMock).toHaveBeenCalledWith("https://example.com/photo.png", {
+      maxBytes: 1024,
+      proxyUrl: "http://proxy.example:8080",
+    });
+  });
+
+  it("creates hosted media storage with private filesystem permissions", async () => {
+    const hostedUrl = await prepareHostedZaloMediaUrl({
+      mediaUrl: "https://example.com/photo.png",
+      webhookUrl: "https://gateway.example.com/zalo-webhook",
+      maxBytes: 1024,
+    });
+
+    if (process.platform === "win32") {
+      expect(hostedUrl).toContain("/zalo-webhook/media/");
+      return;
+    }
+
+    const { pathname } = new URL(hostedUrl);
+    const id = pathname.split("/").pop();
+    expect(id).toBeTruthy();
+
+    const storageDir = join(resolvePreferredOpenClawTmpDir(), "openclaw-zalo-outbound-media");
+    const [dirStats, metadataStats, bufferStats] = await Promise.all([
+      stat(storageDir),
+      stat(join(storageDir, `${id}.json`)),
+      stat(join(storageDir, `${id}.bin`)),
+    ]);
+
+    expect(dirStats.mode & 0o777).toBe(0o700);
+    expect(metadataStats.mode & 0o777).toBe(0o600);
+    expect(bufferStats.mode & 0o777).toBe(0o600);
+  });
+
+  it("preserves the root webhook path when deriving the hosted media route", () => {
+    expect(
+      resolveHostedZaloMediaRoutePrefix({
+        webhookUrl: "https://gateway.example.com/",
+      }),
+    ).toBe("/media");
+  });
+
+  it("serves hosted media once when the route token matches", async () => {
+    const hostedUrl = await prepareHostedZaloMediaUrl({
+      mediaUrl: "https://example.com/photo.png",
+      webhookUrl: "https://gateway.example.com/zalo-webhook",
+      maxBytes: 1024,
+    });
+    const { pathname, search } = new URL(hostedUrl);
+    const response = createMockResponse();
+
+    const handled = await tryHandleHostedZaloMediaRequest(
+      {
+        method: "GET",
+        url: `${pathname}${search}`,
+      } as never,
+      response.res as never,
+    );
+
+    expect(handled).toBe(true);
+    expect(response.res.statusCode).toBe(200);
+    expect(response.headers.get("Content-Type")).toBe("image/png");
+    expect(response.res.end).toHaveBeenCalledWith(Buffer.from("image-bytes"));
+
+    const secondResponse = createMockResponse();
+    const handledAgain = await tryHandleHostedZaloMediaRequest(
+      {
+        method: "GET",
+        url: `${pathname}${search}`,
+      } as never,
+      secondResponse.res as never,
+    );
+
+    expect(handledAgain).toBe(true);
+    expect(secondResponse.res.statusCode).toBe(404);
+  });
+
+  it("rejects hosted media requests with the wrong token", async () => {
+    const hostedUrl = await prepareHostedZaloMediaUrl({
+      mediaUrl: "https://example.com/photo.png",
+      webhookUrl: "https://gateway.example.com/custom/zalo",
+      webhookPath: "/custom/zalo-hook",
+      maxBytes: 1024,
+    });
+    const pathname = new URL(hostedUrl).pathname;
+    const response = createMockResponse();
+
+    const handled = await tryHandleHostedZaloMediaRequest(
+      {
+        method: "GET",
+        url: `${pathname}?token=wrong`,
+      } as never,
+      response.res as never,
+    );
+
+    expect(handled).toBe(true);
+    expect(response.res.statusCode).toBe(401);
+    expect(response.res.end).toHaveBeenCalledWith("Unauthorized");
+  });
+
+  it("rejects malformed hosted media ids before touching disk", async () => {
+    const response = createMockResponse();
+
+    const handled = await tryHandleHostedZaloMediaRequest(
+      {
+        method: "GET",
+        url: "/zalo-webhook/media/not-a-valid-hex-id?token=wrong",
+      } as never,
+      response.res as never,
+    );
+
+    expect(handled).toBe(true);
+    expect(response.res.statusCode).toBe(404);
+    expect(response.res.end).toHaveBeenCalledWith("Not Found");
+  });
+});

package/src/outbound-media.ts

@@ -0,0 +1,241 @@
+import { randomBytes } from "node:crypto";
+import { rmSync } from "node:fs";
+import { chmod, mkdir, readdir, readFile, stat, unlink, writeFile } from "node:fs/promises";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { join } from "node:path";
+import { loadOutboundMediaFromUrl } from "openclaw/plugin-sdk/outbound-media";
+import { resolvePreferredOpenClawTmpDir } from "openclaw/plugin-sdk/temp-path";
+import { resolveWebhookPath } from "openclaw/plugin-sdk/webhook-ingress";
+
+const ZALO_OUTBOUND_MEDIA_TTL_MS = 2 * 60_000;
+const ZALO_OUTBOUND_MEDIA_SEGMENT = "media";
+const ZALO_OUTBOUND_MEDIA_PREFIX = `/${ZALO_OUTBOUND_MEDIA_SEGMENT}/`;
+const ZALO_OUTBOUND_MEDIA_DIR = join(
+  resolvePreferredOpenClawTmpDir(),
+  "openclaw-zalo-outbound-media",
+);
+const ZALO_OUTBOUND_MEDIA_ID_RE = /^[a-f0-9]{24}$/;
+
+type HostedZaloMediaMetadata = {
+  routePath: string;
+  token: string;
+  contentType?: string;
+  expiresAt: number;
+};
+
+function resolveHostedZaloMediaMetadataPath(id: string): string {
+  return join(ZALO_OUTBOUND_MEDIA_DIR, `${id}.json`);
+}
+
+function resolveHostedZaloMediaBufferPath(id: string): string {
+  return join(ZALO_OUTBOUND_MEDIA_DIR, `${id}.bin`);
+}
+
+function createHostedZaloMediaId(): string {
+  return randomBytes(12).toString("hex");
+}
+
+function createHostedZaloMediaToken(): string {
+  return randomBytes(24).toString("hex");
+}
+
+async function ensureHostedZaloMediaDir(): Promise<void> {
+  await mkdir(ZALO_OUTBOUND_MEDIA_DIR, { recursive: true, mode: 0o700 });
+  await chmod(ZALO_OUTBOUND_MEDIA_DIR, 0o700).catch(() => undefined);
+}
+
+async function deleteHostedZaloMediaEntry(id: string): Promise<void> {
+  await Promise.all([
+    unlink(resolveHostedZaloMediaMetadataPath(id)).catch(() => undefined),
+    unlink(resolveHostedZaloMediaBufferPath(id)).catch(() => undefined),
+  ]);
+}
+
+async function cleanupExpiredHostedZaloMedia(nowMs = Date.now()): Promise<void> {
+  let fileNames: string[];
+  try {
+    fileNames = await readdir(ZALO_OUTBOUND_MEDIA_DIR);
+  } catch {
+    return;
+  }
+
+  await Promise.all(
+    fileNames
+      .filter((fileName) => fileName.endsWith(".json"))
+      .map(async (fileName) => {
+        const id = fileName.slice(0, -5);
+        try {
+          const metadataRaw = await readFile(resolveHostedZaloMediaMetadataPath(id), "utf8");
+          const metadata = JSON.parse(metadataRaw) as HostedZaloMediaMetadata;
+          if (metadata.expiresAt <= nowMs) {
+            await deleteHostedZaloMediaEntry(id);
+          }
+        } catch {
+          await deleteHostedZaloMediaEntry(id);
+        }
+      }),
+  );
+}
+
+async function readHostedZaloMediaEntry(id: string): Promise<{
+  metadata: HostedZaloMediaMetadata;
+  buffer: Buffer;
+} | null> {
+  try {
+    const [metadataRaw, buffer] = await Promise.all([
+      readFile(resolveHostedZaloMediaMetadataPath(id), "utf8"),
+      readFile(resolveHostedZaloMediaBufferPath(id)),
+    ]);
+    return {
+      metadata: JSON.parse(metadataRaw) as HostedZaloMediaMetadata,
+      buffer,
+    };
+  } catch {
+    return null;
+  }
+}
+
+export function resolveHostedZaloMediaRoutePrefix(params: {
+  webhookUrl: string;
+  webhookPath?: string;
+}): string {
+  const webhookRoutePath = resolveWebhookPath({
+    webhookPath: params.webhookPath,
+    webhookUrl: params.webhookUrl,
+    defaultPath: null,
+  });
+  if (!webhookRoutePath) {
+    throw new Error("Zalo webhookPath could not be derived for outbound media hosting");
+  }
+  return webhookRoutePath === "/"
+    ? `/${ZALO_OUTBOUND_MEDIA_SEGMENT}`
+    : `${webhookRoutePath}/${ZALO_OUTBOUND_MEDIA_SEGMENT}`;
+}
+
+function resolveHostedZaloMediaRoutePath(params: {
+  webhookUrl: string;
+  webhookPath?: string;
+}): string {
+  return `${resolveHostedZaloMediaRoutePrefix(params)}/`;
+}
+
+export async function prepareHostedZaloMediaUrl(params: {
+  mediaUrl: string;
+  webhookUrl: string;
+  webhookPath?: string;
+  maxBytes: number;
+  proxyUrl?: string;
+}): Promise<string> {
+  await ensureHostedZaloMediaDir();
+  await cleanupExpiredHostedZaloMedia();
+
+  const media = await loadOutboundMediaFromUrl(params.mediaUrl, {
+    maxBytes: params.maxBytes,
+    ...(params.proxyUrl ? { proxyUrl: params.proxyUrl } : {}),
+  });
+
+  const routePath = resolveHostedZaloMediaRoutePath({
+    webhookUrl: params.webhookUrl,
+    webhookPath: params.webhookPath,
+  });
+  const id = createHostedZaloMediaId();
+  const token = createHostedZaloMediaToken();
+  const publicBaseUrl = new URL(params.webhookUrl).origin;
+
+  await writeFile(resolveHostedZaloMediaBufferPath(id), media.buffer, { mode: 0o600 });
+  try {
+    await writeFile(
+      resolveHostedZaloMediaMetadataPath(id),
+      JSON.stringify({
+        routePath,
+        token,
+        contentType: media.contentType,
+        expiresAt: Date.now() + ZALO_OUTBOUND_MEDIA_TTL_MS,
+      } satisfies HostedZaloMediaMetadata),
+      { encoding: "utf8", mode: 0o600 },
+    );
+  } catch (error) {
+    await deleteHostedZaloMediaEntry(id);
+    throw error;
+  }
+
+  return `${publicBaseUrl}${routePath}${id}?token=${token}`;
+}
+
+export async function tryHandleHostedZaloMediaRequest(
+  req: IncomingMessage,
+  res: ServerResponse,
+): Promise<boolean> {
+  await cleanupExpiredHostedZaloMedia();
+
+  const method = req.method ?? "GET";
+  if (method !== "GET" && method !== "HEAD") {
+    return false;
+  }
+
+  let url: URL;
+  try {
+    url = new URL(req.url ?? "/", "http://localhost");
+  } catch {
+    return false;
+  }
+
+  const mediaPath = url.pathname;
+  const prefixIndex = mediaPath.lastIndexOf(ZALO_OUTBOUND_MEDIA_PREFIX);
+  if (prefixIndex < 0) {
+    return false;
+  }
+
+  const routePath = mediaPath.slice(0, prefixIndex + ZALO_OUTBOUND_MEDIA_PREFIX.length);
+  const id = mediaPath.slice(prefixIndex + ZALO_OUTBOUND_MEDIA_PREFIX.length);
+  if (!id || !ZALO_OUTBOUND_MEDIA_ID_RE.test(id)) {
+    res.statusCode = 404;
+    res.end("Not Found");
+    return true;
+  }
+
+  const entry = await readHostedZaloMediaEntry(id);
+  if (!entry || entry.metadata.routePath !== routePath) {
+    res.statusCode = 404;
+    res.end("Not Found");
+    return true;
+  }
+
+  if (entry.metadata.expiresAt <= Date.now()) {
+    await deleteHostedZaloMediaEntry(id);
+    res.statusCode = 410;
+    res.end("Expired");
+    return true;
+  }
+
+  if (url.searchParams.get("token") !== entry.metadata.token) {
+    res.statusCode = 401;
+    res.end("Unauthorized");
+    return true;
+  }
+
+  if (entry.metadata.contentType) {
+    res.setHeader("Content-Type", entry.metadata.contentType);
+  }
+  res.setHeader("Cache-Control", "no-store");
+  res.setHeader("X-Content-Type-Options", "nosniff");
+  const bufferStats = await stat(resolveHostedZaloMediaBufferPath(id)).catch(() => null);
+  if (bufferStats) {
+    res.setHeader("Content-Length", String(bufferStats.size));
+  }
+
+  if (method === "HEAD") {
+    res.statusCode = 200;
+    res.end();
+    return true;
+  }
+
+  res.statusCode = 200;
+  res.end(entry.buffer);
+  await deleteHostedZaloMediaEntry(id);
+  return true;
+}
+
+export function clearHostedZaloMediaForTest(): void {
+  rmSync(ZALO_OUTBOUND_MEDIA_DIR, { recursive: true, force: true });
+}

package/src/outbound-payload.contract.test.ts

@@ -0,0 +1,45 @@
+import {
+  installChannelOutboundPayloadContractSuite,
+  primeChannelOutboundSendMock,
+  type OutboundPayloadHarnessParams,
+} from "openclaw/plugin-sdk/channel-contract-testing";
+import { describe, vi } from "vitest";
+import { zaloPlugin } from "./channel.js";
+
+const { sendZaloTextMock } = vi.hoisted(() => ({
+  sendZaloTextMock: vi.fn(),
+}));
+
+vi.mock("./channel.runtime.js", () => ({
+  sendZaloText: sendZaloTextMock,
+}));
+
+function createZaloHarness(params: OutboundPayloadHarnessParams) {
+  const sendZalo = vi.fn();
+  primeChannelOutboundSendMock(sendZalo, { ok: true, messageId: "zl-1" }, params.sendResults);
+  sendZaloTextMock.mockReset().mockImplementation(
+    async (nextCtx: { to: string; text: string; mediaUrl?: string }) =>
+      await sendZalo(nextCtx.to, nextCtx.text, {
+        mediaUrl: nextCtx.mediaUrl,
+      }),
+  );
+  const ctx = {
+    cfg: {},
+    to: "123456789",
+    text: "",
+    payload: params.payload,
+  };
+  return {
+    run: async () => await zaloPlugin.outbound!.sendPayload!(ctx),
+    sendMock: sendZalo,
+    to: ctx.to,
+  };
+}
+
+describe("Zalo outbound payload contract", () => {
+  installChannelOutboundPayloadContractSuite({
+    channel: "zalo",
+    chunking: { mode: "split", longTextLength: 3000, maxChunkLength: 2000 },
+    createHarness: createZaloHarness,
+  });
+});

package/src/probe.ts

@@ -1,4 +1,4 @@
-import type { BaseProbeResult } from "openclaw/plugin-sdk/zalo";
+import type { BaseProbeResult } from "openclaw/plugin-sdk/channel-contract";
 import { getMe, ZaloApiError, type ZaloBotInfo, type ZaloFetch } from "./api.js";
 
 export type ZaloProbeResult = BaseProbeResult<string> & {

package/src/proxy.ts

@@ -1,4 +1,4 @@
-import type { Dispatcher, RequestInit as UndiciRequestInit } from "undici";
+import type { RequestInit as UndiciRequestInit } from "undici";
 import { ProxyAgent, fetch as undiciFetch } from "undici";
 import type { ZaloFetch } from "./api.js";
 

package/src/runtime-api.ts

@@ -0,0 +1,75 @@
+export {
+  addWildcardAllowFrom,
+  applyAccountNameToChannelSection,
+  applyBasicWebhookRequestGuards,
+  applySetupAccountConfigPatch,
+  type BaseProbeResult,
+  type BaseTokenResolution,
+  buildBaseAccountStatusSnapshot,
+  buildChannelConfigSchema,
+  buildSecretInputSchema,
+  buildSingleChannelSecretPromptState,
+  buildTokenChannelStatusSummary,
+  type ChannelAccountSnapshot,
+  type ChannelMessageActionAdapter,
+  type ChannelMessageActionName,
+  type ChannelPlugin,
+  type ChannelStatusIssue,
+  chunkTextForOutbound,
+  createChannelPairingController,
+  createChannelReplyPipeline,
+  createDedupeCache,
+  createFixedWindowRateLimiter,
+  createWebhookAnomalyTracker,
+  DEFAULT_ACCOUNT_ID,
+  deliverTextOrMediaReply,
+  evaluateSenderGroupAccess,
+  formatAllowFromLowercase,
+  formatPairingApproveHint,
+  type GroupPolicy,
+  hasConfiguredSecretInput,
+  isNormalizedSenderAllowed,
+  isNumericTargetId,
+  jsonResult,
+  logTypingFailure,
+  type MarkdownTableMode,
+  mergeAllowFromEntries,
+  migrateBaseNameToDefaultAccount,
+  normalizeAccountId,
+  normalizeResolvedSecretInputString,
+  normalizeSecretInputString,
+  type OpenClawConfig,
+  type OutboundReplyPayload,
+  PAIRING_APPROVED_MESSAGE,
+  type PluginRuntime,
+  promptSingleChannelSecretInput,
+  readJsonWebhookBodyOrReject,
+  readStringParam,
+  registerPluginHttpRoute,
+  type RegisterWebhookPluginRouteOptions,
+  registerWebhookTarget,
+  type RegisterWebhookTargetOptions,
+  registerWebhookTargetWithPluginRoute,
+  type ReplyPayload,
+  resolveClientIp,
+  resolveDefaultGroupPolicy,
+  resolveDirectDmAuthorizationOutcome,
+  resolveInboundRouteEnvelopeBuilderWithRuntime,
+  resolveOpenProviderRuntimeGroupPolicy,
+  resolveSenderCommandAuthorizationWithRuntime,
+  resolveWebhookPath,
+  resolveWebhookTargetWithAuthOrRejectSync,
+  runSingleChannelSecretStep,
+  type RuntimeEnv,
+  type SecretInput,
+  type SenderGroupAccessDecision,
+  sendPayloadWithChunkedTextAndMedia,
+  setTopLevelChannelDmPolicyWithAllowFrom,
+  waitForAbortSignal,
+  warnMissingProviderGroupPolicyFallbackOnce,
+  WEBHOOK_ANOMALY_COUNTER_DEFAULTS,
+  WEBHOOK_RATE_LIMIT_DEFAULTS,
+  withResolvedWebhookRequestPipeline,
+  type WizardPrompter,
+} from "./runtime-support.js";
+export { setZaloRuntime } from "./runtime.js";

package/src/runtime-support.ts

@@ -0,0 +1,91 @@
+export type { ReplyPayload } from "openclaw/plugin-sdk/reply-runtime";
+export type { OpenClawConfig, GroupPolicy } from "openclaw/plugin-sdk/config-types";
+export type { MarkdownTableMode } from "openclaw/plugin-sdk/config-types";
+export type { BaseTokenResolution } from "openclaw/plugin-sdk/channel-contract";
+export type {
+  BaseProbeResult,
+  ChannelAccountSnapshot,
+  ChannelMessageActionAdapter,
+  ChannelMessageActionName,
+  ChannelStatusIssue,
+} from "openclaw/plugin-sdk/channel-contract";
+export type { SecretInput } from "openclaw/plugin-sdk/secret-input";
+export type { SenderGroupAccessDecision } from "openclaw/plugin-sdk/group-access";
+export type { ChannelPlugin, PluginRuntime, WizardPrompter } from "openclaw/plugin-sdk/core";
+export type { RuntimeEnv } from "openclaw/plugin-sdk/runtime";
+export type { OutboundReplyPayload } from "openclaw/plugin-sdk/reply-payload";
+export {
+  DEFAULT_ACCOUNT_ID,
+  buildChannelConfigSchema,
+  createDedupeCache,
+  formatPairingApproveHint,
+  jsonResult,
+  normalizeAccountId,
+  readStringParam,
+  resolveClientIp,
+} from "openclaw/plugin-sdk/core";
+export {
+  applyAccountNameToChannelSection,
+  applySetupAccountConfigPatch,
+  buildSingleChannelSecretPromptState,
+  mergeAllowFromEntries,
+  migrateBaseNameToDefaultAccount,
+  promptSingleChannelSecretInput,
+  runSingleChannelSecretStep,
+  setTopLevelChannelDmPolicyWithAllowFrom,
+} from "openclaw/plugin-sdk/setup";
+export {
+  buildSecretInputSchema,
+  hasConfiguredSecretInput,
+  normalizeResolvedSecretInputString,
+  normalizeSecretInputString,
+} from "openclaw/plugin-sdk/secret-input";
+export {
+  buildTokenChannelStatusSummary,
+  PAIRING_APPROVED_MESSAGE,
+} from "openclaw/plugin-sdk/channel-status";
+export { buildBaseAccountStatusSnapshot } from "openclaw/plugin-sdk/status-helpers";
+export { chunkTextForOutbound } from "openclaw/plugin-sdk/text-chunking";
+export {
+  formatAllowFromLowercase,
+  isNormalizedSenderAllowed,
+} from "openclaw/plugin-sdk/allow-from";
+export { addWildcardAllowFrom } from "openclaw/plugin-sdk/setup";
+export { evaluateSenderGroupAccess } from "openclaw/plugin-sdk/group-access";
+export { resolveOpenProviderRuntimeGroupPolicy } from "openclaw/plugin-sdk/runtime-group-policy";
+export {
+  warnMissingProviderGroupPolicyFallbackOnce,
+  resolveDefaultGroupPolicy,
+} from "openclaw/plugin-sdk/runtime-group-policy";
+export { createChannelPairingController } from "openclaw/plugin-sdk/channel-pairing";
+export { createChannelReplyPipeline } from "openclaw/plugin-sdk/channel-reply-pipeline";
+export { logTypingFailure } from "openclaw/plugin-sdk/channel-feedback";
+export {
+  deliverTextOrMediaReply,
+  isNumericTargetId,
+  sendPayloadWithChunkedTextAndMedia,
+} from "openclaw/plugin-sdk/reply-payload";
+export {
+  resolveDirectDmAuthorizationOutcome,
+  resolveSenderCommandAuthorizationWithRuntime,
+} from "openclaw/plugin-sdk/command-auth";
+export { resolveInboundRouteEnvelopeBuilderWithRuntime } from "openclaw/plugin-sdk/inbound-envelope";
+export { waitForAbortSignal } from "openclaw/plugin-sdk/runtime";
+export {
+  applyBasicWebhookRequestGuards,
+  createFixedWindowRateLimiter,
+  createWebhookAnomalyTracker,
+  readJsonWebhookBodyOrReject,
+  registerPluginHttpRoute,
+  registerWebhookTarget,
+  registerWebhookTargetWithPluginRoute,
+  resolveWebhookPath,
+  resolveWebhookTargetWithAuthOrRejectSync,
+  WEBHOOK_ANOMALY_COUNTER_DEFAULTS,
+  WEBHOOK_RATE_LIMIT_DEFAULTS,
+  withResolvedWebhookRequestPipeline,
+} from "openclaw/plugin-sdk/webhook-ingress";
+export type {
+  RegisterWebhookPluginRouteOptions,
+  RegisterWebhookTargetOptions,
+} from "openclaw/plugin-sdk/webhook-ingress";

package/src/runtime.ts

@@ -1,6 +1,9 @@
-import { createPluginRuntimeStore } from "openclaw/plugin-sdk/compat";
-import type { PluginRuntime } from "openclaw/plugin-sdk/zalo";
+import { createPluginRuntimeStore } from "openclaw/plugin-sdk/runtime-store";
+import type { PluginRuntime } from "./runtime-support.js";
 
 const { setRuntime: setZaloRuntime, getRuntime: getZaloRuntime } =
-  createPluginRuntimeStore<PluginRuntime>("Zalo runtime not initialized");
+  createPluginRuntimeStore<PluginRuntime>({
+    pluginId: "zalo",
+    errorMessage: "Zalo runtime not initialized",
+  });
 export { getZaloRuntime, setZaloRuntime };