@openclaw/zalouser 2026.3.12 → 2026.3.13

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2026.3.13
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
 ## 2026.3.12
 
 ### Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/zalouser",
-  "version": "2026.3.12",
+  "version": "2026.3.13",
   "description": "OpenClaw Zalo Personal Account plugin via native zca-js integration",
   "type": "module",
   "dependencies": {

package/src/accounts.test-mocks.ts

@@ -0,0 +1,10 @@
+import { vi } from "vitest";
+import { createDefaultResolvedZalouserAccount } from "./test-helpers.js";
+
+vi.mock("./accounts.js", async (importOriginal) => {
+  const actual = (await importOriginal()) as Record<string, unknown>;
+  return {
+    ...actual,
+    resolveZalouserAccountSync: () => createDefaultResolvedZalouserAccount(),
+  };
+});

package/src/accounts.ts

@@ -43,17 +43,24 @@ function resolveProfile(config: ZalouserAccountConfig, accountId: string): strin
   return "default";
 }
 
-export async function resolveZalouserAccount(params: {
-  cfg: OpenClawConfig;
-  accountId?: string | null;
-}): Promise<ResolvedZalouserAccount> {
+function resolveZalouserAccountBase(params: { cfg: OpenClawConfig; accountId?: string | null }) {
   const accountId = normalizeAccountId(params.accountId);
   const baseEnabled =
     (params.cfg.channels?.zalouser as ZalouserConfig | undefined)?.enabled !== false;
   const merged = mergeZalouserAccountConfig(params.cfg, accountId);
-  const accountEnabled = merged.enabled !== false;
-  const enabled = baseEnabled && accountEnabled;
-  const profile = resolveProfile(merged, accountId);
+  return {
+    accountId,
+    enabled: baseEnabled && merged.enabled !== false,
+    merged,
+    profile: resolveProfile(merged, accountId),
+  };
+}
+
+export async function resolveZalouserAccount(params: {
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+}): Promise<ResolvedZalouserAccount> {
+  const { accountId, enabled, merged, profile } = resolveZalouserAccountBase(params);
   const authenticated = await checkZaloAuthenticated(profile);
 
   return {
@@ -70,13 +77,7 @@ export function resolveZalouserAccountSync(params: {
   cfg: OpenClawConfig;
   accountId?: string | null;
 }): ResolvedZalouserAccount {
-  const accountId = normalizeAccountId(params.accountId);
-  const baseEnabled =
-    (params.cfg.channels?.zalouser as ZalouserConfig | undefined)?.enabled !== false;
-  const merged = mergeZalouserAccountConfig(params.cfg, accountId);
-  const accountEnabled = merged.enabled !== false;
-  const enabled = baseEnabled && accountEnabled;
-  const profile = resolveProfile(merged, accountId);
+  const { accountId, enabled, merged, profile } = resolveZalouserAccountBase(params);
 
   return {
     accountId,

package/src/channel.directory.test.ts

@@ -1,5 +1,6 @@
-import type { RuntimeEnv } from "openclaw/plugin-sdk/zalouser";
 import { describe, expect, it, vi } from "vitest";
+import "./accounts.test-mocks.js";
+import { createZalouserRuntimeEnv } from "./test-helpers.js";
 
 const listZaloGroupMembersMock = vi.hoisted(() => vi.fn(async () => []));
 
@@ -11,30 +12,9 @@ vi.mock("./zalo-js.js", async (importOriginal) => {
   };
 });
 
-vi.mock("./accounts.js", async (importOriginal) => {
-  const actual = (await importOriginal()) as Record<string, unknown>;
-  return {
-    ...actual,
-    resolveZalouserAccountSync: () => ({
-      accountId: "default",
-      profile: "default",
-      name: "test",
-      enabled: true,
-      authenticated: true,
-      config: {},
-    }),
-  };
-});
-
 import { zalouserPlugin } from "./channel.js";
 
-const runtimeStub: RuntimeEnv = {
-  log: vi.fn(),
-  error: vi.fn(),
-  exit: ((code: number): never => {
-    throw new Error(`exit ${code}`);
-  }) as RuntimeEnv["exit"],
-};
+const runtimeStub = createZalouserRuntimeEnv();
 
 describe("zalouser directory group members", () => {
   it("accepts prefixed group ids from directory groups list output", async () => {

package/src/channel.sendpayload.test.ts

@@ -1,5 +1,6 @@
 import type { ReplyPayload } from "openclaw/plugin-sdk/zalouser";
 import { beforeEach, describe, expect, it, vi } from "vitest";
+import "./accounts.test-mocks.js";
 import {
   installSendPayloadContractSuite,
   primeSendMock,
@@ -12,20 +13,6 @@ vi.mock("./send.js", () => ({
   sendReactionZalouser: vi.fn().mockResolvedValue({ ok: true }),
 }));
 
-vi.mock("./accounts.js", async (importOriginal) => {
-  const actual = (await importOriginal()) as Record<string, unknown>;
-  return {
-    ...actual,
-    resolveZalouserAccountSync: () => ({
-      accountId: "default",
-      profile: "default",
-      name: "test",
-      enabled: true,
-      config: {},
-    }),
-  };
-});
-
 function baseCtx(payload: ReplyPayload) {
   return {
     cfg: {},

package/src/channel.test.ts

@@ -15,6 +15,33 @@ vi.mock("./send.js", async (importOriginal) => {
 const mockSendMessage = vi.mocked(sendMessageZalouser);
 const mockSendReaction = vi.mocked(sendReactionZalouser);
 
+function getResolveToolPolicy() {
+  const resolveToolPolicy = zalouserPlugin.groups?.resolveToolPolicy;
+  expect(resolveToolPolicy).toBeTypeOf("function");
+  if (!resolveToolPolicy) {
+    throw new Error("resolveToolPolicy unavailable");
+  }
+  return resolveToolPolicy;
+}
+
+function resolveGroupToolPolicy(
+  groups: Record<string, { tools: { allow?: string[]; deny?: string[] } }>,
+  groupId: string,
+) {
+  return getResolveToolPolicy()({
+    cfg: {
+      channels: {
+        zalouser: {
+          groups,
+        },
+      },
+    },
+    accountId: "default",
+    groupId,
+    groupChannel: groupId,
+  });
+}
+
 describe("zalouser outbound", () => {
   beforeEach(() => {
     mockSendMessage.mockClear();
@@ -93,48 +120,12 @@ describe("zalouser channel policies", () => {
   });
 
   it("resolves group tool policy by explicit group id", () => {
-    const resolveToolPolicy = zalouserPlugin.groups?.resolveToolPolicy;
-    expect(resolveToolPolicy).toBeTypeOf("function");
-    if (!resolveToolPolicy) {
-      return;
-    }
-    const policy = resolveToolPolicy({
-      cfg: {
-        channels: {
-          zalouser: {
-            groups: {
-              "123": { tools: { allow: ["search"] } },
-            },
-          },
-        },
-      },
-      accountId: "default",
-      groupId: "123",
-      groupChannel: "123",
-    });
+    const policy = resolveGroupToolPolicy({ "123": { tools: { allow: ["search"] } } }, "123");
     expect(policy).toEqual({ allow: ["search"] });
   });
 
   it("falls back to wildcard group policy", () => {
-    const resolveToolPolicy = zalouserPlugin.groups?.resolveToolPolicy;
-    expect(resolveToolPolicy).toBeTypeOf("function");
-    if (!resolveToolPolicy) {
-      return;
-    }
-    const policy = resolveToolPolicy({
-      cfg: {
-        channels: {
-          zalouser: {
-            groups: {
-              "*": { tools: { deny: ["system.run"] } },
-            },
-          },
-        },
-      },
-      accountId: "default",
-      groupId: "missing",
-      groupChannel: "missing",
-    });
+    const policy = resolveGroupToolPolicy({ "*": { tools: { deny: ["system.run"] } } }, "missing");
     expect(policy).toEqual({ deny: ["system.run"] });
   });
 

package/src/channel.ts

@@ -29,6 +29,7 @@ import {
   sendPayloadWithChunkedTextAndMedia,
   setAccountEnabledInConfigSection,
 } from "openclaw/plugin-sdk/zalouser";
+import { buildPassiveProbedChannelStatusSummary } from "../../shared/channel-status-summary.js";
 import {
   listZalouserAccountIds,
   resolveDefaultZalouserAccountId,
@@ -652,15 +653,7 @@ export const zalouserPlugin: ChannelPlugin<ResolvedZalouserAccount> = {
       lastError: null,
     },
     collectStatusIssues: collectZalouserStatusIssues,
-    buildChannelSummary: ({ snapshot }) => ({
-      configured: snapshot.configured ?? false,
-      running: snapshot.running ?? false,
-      lastStartAt: snapshot.lastStartAt ?? null,
-      lastStopAt: snapshot.lastStopAt ?? null,
-      lastError: snapshot.lastError ?? null,
-      probe: snapshot.probe,
-      lastProbeAt: snapshot.lastProbeAt ?? null,
-    }),
+    buildChannelSummary: ({ snapshot }) => buildPassiveProbedChannelStatusSummary(snapshot),
     probeAccount: async ({ account, timeoutMs }) => probeZalouser(account.profile, timeoutMs),
     buildAccountSnapshot: async ({ account, runtime }) => {
       const configured = await checkZcaAuthenticated(account.profile);

package/src/monitor.account-scope.test.ts

@@ -4,6 +4,7 @@ import "./monitor.send-mocks.js";
 import { __testing } from "./monitor.js";
 import { sendMessageZalouserMock } from "./monitor.send-mocks.js";
 import { setZalouserRuntime } from "./runtime.js";
+import { createZalouserRuntimeEnv } from "./test-helpers.js";
 import type { ResolvedZalouserAccount, ZaloInboundMessage } from "./types.js";
 
 describe("zalouser monitor pairing account scoping", () => {
@@ -80,19 +81,11 @@ describe("zalouser monitor pairing account scoping", () => {
       raw: { source: "test" },
     };
 
-    const runtime: RuntimeEnv = {
-      log: vi.fn(),
-      error: vi.fn(),
-      exit: ((code: number): never => {
-        throw new Error(`exit ${code}`);
-      }) as RuntimeEnv["exit"],
-    };
-
     await __testing.processMessage({
       message,
       account,
       config,
-      runtime,
+      runtime: createZalouserRuntimeEnv(),
     });
 
     expect(readAllowFromStore).toHaveBeenCalledWith(

package/src/monitor.group-gating.test.ts

@@ -9,6 +9,7 @@ import {
   sendTypingZalouserMock,
 } from "./monitor.send-mocks.js";
 import { setZalouserRuntime } from "./runtime.js";
+import { createZalouserRuntimeEnv } from "./test-helpers.js";
 import type { ResolvedZalouserAccount, ZaloInboundMessage } from "./types.js";
 
 function createAccount(): ResolvedZalouserAccount {
@@ -39,15 +40,7 @@ function createConfig(): OpenClawConfig {
   };
 }
 
-function createRuntimeEnv(): RuntimeEnv {
-  return {
-    log: vi.fn(),
-    error: vi.fn(),
-    exit: ((code: number): never => {
-      throw new Error(`exit ${code}`);
-    }) as RuntimeEnv["exit"],
-  };
-}
+const createRuntimeEnv = () => createZalouserRuntimeEnv();
 
 function installRuntime(params: {
   commandAuthorized?: boolean;
@@ -187,6 +180,31 @@ function installRuntime(params: {
   };
 }
 
+function installGroupCommandAuthRuntime() {
+  return installRuntime({
+    resolveCommandAuthorizedFromAuthorizers: ({ useAccessGroups, authorizers }) =>
+      useAccessGroups && authorizers.some((entry) => entry.configured && entry.allowed),
+  });
+}
+
+async function processGroupControlCommand(params: {
+  account: ResolvedZalouserAccount;
+  content?: string;
+  commandContent?: string;
+}) {
+  await __testing.processMessage({
+    message: createGroupMessage({
+      content: params.content ?? "/new",
+      commandContent: params.commandContent ?? "/new",
+      hasAnyMention: true,
+      wasExplicitlyMentioned: true,
+    }),
+    account: params.account,
+    config: createConfig(),
+    runtime: createRuntimeEnv(),
+  });
+}
+
 function createGroupMessage(overrides: Partial<ZaloInboundMessage> = {}): ZaloInboundMessage {
   return {
     threadId: "g-1",
@@ -229,57 +247,152 @@ describe("zalouser monitor group mention gating", () => {
     sendSeenZalouserMock.mockClear();
   });
 
-  it("skips unmentioned group messages when requireMention=true", async () => {
-    const { dispatchReplyWithBufferedBlockDispatcher } = installRuntime({
-      commandAuthorized: false,
-    });
+  async function processMessageWithDefaults(params: {
+    message: ZaloInboundMessage;
+    account?: ResolvedZalouserAccount;
+    historyState?: {
+      historyLimit: number;
+      groupHistories: Map<
+        string,
+        Array<{ sender: string; body: string; timestamp?: number; messageId?: string }>
+      >;
+    };
+  }) {
     await __testing.processMessage({
-      message: createGroupMessage(),
-      account: createAccount(),
+      message: params.message,
+      account: params.account ?? createAccount(),
       config: createConfig(),
-      runtime: createRuntimeEnv(),
+      runtime: createZalouserRuntimeEnv(),
+      historyState: params.historyState,
     });
+  }
 
-    expect(dispatchReplyWithBufferedBlockDispatcher).not.toHaveBeenCalled();
-    expect(sendTypingZalouserMock).not.toHaveBeenCalled();
-  });
-
-  it("fails closed when requireMention=true but mention detection is unavailable", async () => {
+  async function expectSkippedGroupMessage(message?: Partial<ZaloInboundMessage>) {
     const { dispatchReplyWithBufferedBlockDispatcher } = installRuntime({
       commandAuthorized: false,
     });
-    await __testing.processMessage({
-      message: createGroupMessage({
-        canResolveExplicitMention: false,
-        hasAnyMention: false,
-        wasExplicitlyMentioned: false,
-      }),
-      account: createAccount(),
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
+    await processMessageWithDefaults({
+      message: createGroupMessage(message),
     });
-
     expect(dispatchReplyWithBufferedBlockDispatcher).not.toHaveBeenCalled();
     expect(sendTypingZalouserMock).not.toHaveBeenCalled();
-  });
+  }
 
-  it("dispatches explicitly-mentioned group messages and marks WasMentioned", async () => {
+  async function expectGroupCommandAuthorizers(params: {
+    accountConfig: ResolvedZalouserAccount["config"];
+    expectedAuthorizers: Array<{ configured: boolean; allowed: boolean }>;
+  }) {
+    const { dispatchReplyWithBufferedBlockDispatcher, resolveCommandAuthorizedFromAuthorizers } =
+      installGroupCommandAuthRuntime();
+    await processGroupControlCommand({
+      account: {
+        ...createAccount(),
+        config: params.accountConfig,
+      },
+    });
+    expect(dispatchReplyWithBufferedBlockDispatcher).toHaveBeenCalledTimes(1);
+    const authCall = resolveCommandAuthorizedFromAuthorizers.mock.calls[0]?.[0];
+    expect(authCall?.authorizers).toEqual(params.expectedAuthorizers);
+  }
+
+  async function processOpenDmMessage(params?: {
+    message?: Partial<ZaloInboundMessage>;
+    readSessionUpdatedAt?: (input?: {
+      storePath: string;
+      sessionKey: string;
+    }) => number | undefined;
+  }) {
+    const runtime = installRuntime({
+      commandAuthorized: false,
+    });
+    if (params?.readSessionUpdatedAt) {
+      runtime.readSessionUpdatedAt.mockImplementation(params.readSessionUpdatedAt);
+    }
+    const account = createAccount();
+    await processMessageWithDefaults({
+      message: createDmMessage(params?.message),
+      account: {
+        ...account,
+        config: {
+          ...account.config,
+          dmPolicy: "open",
+        },
+      },
+    });
+    return runtime;
+  }
+
+  async function expectDangerousNameMatching(params: {
+    dangerouslyAllowNameMatching?: boolean;
+    expectedDispatches: number;
+  }) {
     const { dispatchReplyWithBufferedBlockDispatcher } = installRuntime({
       commandAuthorized: false,
     });
-    await __testing.processMessage({
+    await processMessageWithDefaults({
       message: createGroupMessage({
+        threadId: "g-attacker-001",
+        groupName: "Trusted Team",
+        senderId: "666",
         hasAnyMention: true,
         wasExplicitlyMentioned: true,
         content: "ping @bot",
       }),
-      account: createAccount(),
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
+      account: {
+        ...createAccount(),
+        config: {
+          ...createAccount().config,
+          ...(params.dangerouslyAllowNameMatching ? { dangerouslyAllowNameMatching: true } : {}),
+          groupPolicy: "allowlist",
+          groupAllowFrom: ["*"],
+          groups: {
+            "group:g-trusted-001": { allow: true },
+            "Trusted Team": { allow: true },
+          },
+        },
+      },
     });
+    expect(dispatchReplyWithBufferedBlockDispatcher).toHaveBeenCalledTimes(
+      params.expectedDispatches,
+    );
+    return dispatchReplyWithBufferedBlockDispatcher;
+  }
 
+  async function dispatchGroupMessage(params: {
+    commandAuthorized: boolean;
+    message: Partial<ZaloInboundMessage>;
+  }) {
+    const { dispatchReplyWithBufferedBlockDispatcher } = installRuntime({
+      commandAuthorized: params.commandAuthorized,
+    });
+    await processMessageWithDefaults({
+      message: createGroupMessage(params.message),
+    });
     expect(dispatchReplyWithBufferedBlockDispatcher).toHaveBeenCalledTimes(1);
-    const callArg = dispatchReplyWithBufferedBlockDispatcher.mock.calls[0]?.[0];
+    return dispatchReplyWithBufferedBlockDispatcher.mock.calls[0]?.[0];
+  }
+
+  it("skips unmentioned group messages when requireMention=true", async () => {
+    await expectSkippedGroupMessage();
+  });
+
+  it("fails closed when requireMention=true but mention detection is unavailable", async () => {
+    await expectSkippedGroupMessage({
+      canResolveExplicitMention: false,
+      hasAnyMention: false,
+      wasExplicitlyMentioned: false,
+    });
+  });
+
+  it("dispatches explicitly-mentioned group messages and marks WasMentioned", async () => {
+    const callArg = await dispatchGroupMessage({
+      commandAuthorized: false,
+      message: {
+        hasAnyMention: true,
+        wasExplicitlyMentioned: true,
+        content: "ping @bot",
+      },
+    });
     expect(callArg?.ctx?.WasMentioned).toBe(true);
     expect(callArg?.ctx?.To).toBe("zalouser:group:g-1");
     expect(callArg?.ctx?.OriginatingTo).toBe("zalouser:group:g-1");
@@ -290,22 +403,14 @@ describe("zalouser monitor group mention gating", () => {
   });
 
   it("allows authorized control commands to bypass mention gating", async () => {
-    const { dispatchReplyWithBufferedBlockDispatcher } = installRuntime({
+    const callArg = await dispatchGroupMessage({
       commandAuthorized: true,
-    });
-    await __testing.processMessage({
-      message: createGroupMessage({
+      message: {
         content: "/status",
         hasAnyMention: false,
         wasExplicitlyMentioned: false,
-      }),
-      account: createAccount(),
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
+      },
     });
-
-    expect(dispatchReplyWithBufferedBlockDispatcher).toHaveBeenCalledTimes(1);
-    const callArg = dispatchReplyWithBufferedBlockDispatcher.mock.calls[0]?.[0];
     expect(callArg?.ctx?.WasMentioned).toBe(true);
   });
 
@@ -346,57 +451,30 @@ describe("zalouser monitor group mention gating", () => {
   });
 
   it("uses commandContent for mention-prefixed control commands", async () => {
-    const { dispatchReplyWithBufferedBlockDispatcher } = installRuntime({
+    const callArg = await dispatchGroupMessage({
       commandAuthorized: true,
-    });
-    await __testing.processMessage({
-      message: createGroupMessage({
+      message: {
         content: "@Bot /new",
         commandContent: "/new",
         hasAnyMention: true,
         wasExplicitlyMentioned: true,
-      }),
-      account: createAccount(),
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
+      },
     });
-
-    expect(dispatchReplyWithBufferedBlockDispatcher).toHaveBeenCalledTimes(1);
-    const callArg = dispatchReplyWithBufferedBlockDispatcher.mock.calls[0]?.[0];
     expect(callArg?.ctx?.CommandBody).toBe("/new");
     expect(callArg?.ctx?.BodyForCommands).toBe("/new");
   });
 
   it("allows group control commands when only allowFrom is configured", async () => {
-    const { dispatchReplyWithBufferedBlockDispatcher, resolveCommandAuthorizedFromAuthorizers } =
-      installRuntime({
-        resolveCommandAuthorizedFromAuthorizers: ({ useAccessGroups, authorizers }) =>
-          useAccessGroups && authorizers.some((entry) => entry.configured && entry.allowed),
-      });
-    await __testing.processMessage({
-      message: createGroupMessage({
-        content: "/new",
-        commandContent: "/new",
-        hasAnyMention: true,
-        wasExplicitlyMentioned: true,
-      }),
-      account: {
-        ...createAccount(),
-        config: {
-          ...createAccount().config,
-          allowFrom: ["123"],
-        },
+    await expectGroupCommandAuthorizers({
+      accountConfig: {
+        ...createAccount().config,
+        allowFrom: ["123"],
       },
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
+      expectedAuthorizers: [
+        { configured: true, allowed: true },
+        { configured: true, allowed: true },
+      ],
     });
-
-    expect(dispatchReplyWithBufferedBlockDispatcher).toHaveBeenCalledTimes(1);
-    const authCall = resolveCommandAuthorizedFromAuthorizers.mock.calls[0]?.[0];
-    expect(authCall?.authorizers).toEqual([
-      { configured: true, allowed: true },
-      { configured: true, allowed: true },
-    ]);
   });
 
   it("blocks group messages when sender is not in groupAllowFrom/allowFrom", async () => {
@@ -425,123 +503,35 @@ describe("zalouser monitor group mention gating", () => {
   });
 
   it("does not accept a different group id by matching only the mutable group name by default", async () => {
-    const { dispatchReplyWithBufferedBlockDispatcher } = installRuntime({
-      commandAuthorized: false,
-    });
-    await __testing.processMessage({
-      message: createGroupMessage({
-        threadId: "g-attacker-001",
-        groupName: "Trusted Team",
-        senderId: "666",
-        hasAnyMention: true,
-        wasExplicitlyMentioned: true,
-        content: "ping @bot",
-      }),
-      account: {
-        ...createAccount(),
-        config: {
-          ...createAccount().config,
-          groupPolicy: "allowlist",
-          groupAllowFrom: ["*"],
-          groups: {
-            "group:g-trusted-001": { allow: true },
-            "Trusted Team": { allow: true },
-          },
-        },
-      },
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
-    });
-
-    expect(dispatchReplyWithBufferedBlockDispatcher).not.toHaveBeenCalled();
+    await expectDangerousNameMatching({ expectedDispatches: 0 });
   });
 
   it("accepts mutable group-name matches only when dangerouslyAllowNameMatching is enabled", async () => {
-    const { dispatchReplyWithBufferedBlockDispatcher } = installRuntime({
-      commandAuthorized: false,
-    });
-    await __testing.processMessage({
-      message: createGroupMessage({
-        threadId: "g-attacker-001",
-        groupName: "Trusted Team",
-        senderId: "666",
-        hasAnyMention: true,
-        wasExplicitlyMentioned: true,
-        content: "ping @bot",
-      }),
-      account: {
-        ...createAccount(),
-        config: {
-          ...createAccount().config,
-          dangerouslyAllowNameMatching: true,
-          groupPolicy: "allowlist",
-          groupAllowFrom: ["*"],
-          groups: {
-            "group:g-trusted-001": { allow: true },
-            "Trusted Team": { allow: true },
-          },
-        },
-      },
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
+    const dispatchReplyWithBufferedBlockDispatcher = await expectDangerousNameMatching({
+      dangerouslyAllowNameMatching: true,
+      expectedDispatches: 1,
     });
-
-    expect(dispatchReplyWithBufferedBlockDispatcher).toHaveBeenCalledTimes(1);
     const callArg = dispatchReplyWithBufferedBlockDispatcher.mock.calls[0]?.[0];
     expect(callArg?.ctx?.To).toBe("zalouser:group:g-attacker-001");
   });
 
   it("allows group control commands when sender is in groupAllowFrom", async () => {
-    const { dispatchReplyWithBufferedBlockDispatcher, resolveCommandAuthorizedFromAuthorizers } =
-      installRuntime({
-        resolveCommandAuthorizedFromAuthorizers: ({ useAccessGroups, authorizers }) =>
-          useAccessGroups && authorizers.some((entry) => entry.configured && entry.allowed),
-      });
-    await __testing.processMessage({
-      message: createGroupMessage({
-        content: "/new",
-        commandContent: "/new",
-        hasAnyMention: true,
-        wasExplicitlyMentioned: true,
-      }),
-      account: {
-        ...createAccount(),
-        config: {
-          ...createAccount().config,
-          allowFrom: ["999"],
-          groupAllowFrom: ["123"],
-        },
+    await expectGroupCommandAuthorizers({
+      accountConfig: {
+        ...createAccount().config,
+        allowFrom: ["999"],
+        groupAllowFrom: ["123"],
       },
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
+      expectedAuthorizers: [
+        { configured: true, allowed: false },
+        { configured: true, allowed: true },
+      ],
     });
-
-    expect(dispatchReplyWithBufferedBlockDispatcher).toHaveBeenCalledTimes(1);
-    const authCall = resolveCommandAuthorizedFromAuthorizers.mock.calls[0]?.[0];
-    expect(authCall?.authorizers).toEqual([
-      { configured: true, allowed: false },
-      { configured: true, allowed: true },
-    ]);
   });
 
   it("routes DM messages with direct peer kind", async () => {
     const { dispatchReplyWithBufferedBlockDispatcher, resolveAgentRoute, buildAgentSessionKey } =
-      installRuntime({
-        commandAuthorized: false,
-      });
-    const account = createAccount();
-    await __testing.processMessage({
-      message: createDmMessage(),
-      account: {
-        ...account,
-        config: {
-          ...account.config,
-          dmPolicy: "open",
-        },
-      },
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
-    });
+      await processOpenDmMessage();
 
     expect(resolveAgentRoute).toHaveBeenCalledWith(
       expect.objectContaining({
@@ -559,24 +549,9 @@ describe("zalouser monitor group mention gating", () => {
   });
 
   it("reuses the legacy DM session key when only the old group-shaped session exists", async () => {
-    const { dispatchReplyWithBufferedBlockDispatcher, readSessionUpdatedAt } = installRuntime({
-      commandAuthorized: false,
-    });
-    readSessionUpdatedAt.mockImplementation((input?: { storePath: string; sessionKey: string }) =>
-      input?.sessionKey === "agent:main:zalouser:group:321" ? 123 : undefined,
-    );
-    const account = createAccount();
-    await __testing.processMessage({
-      message: createDmMessage(),
-      account: {
-        ...account,
-        config: {
-          ...account.config,
-          dmPolicy: "open",
-        },
-      },
-      config: createConfig(),
-      runtime: createRuntimeEnv(),
+    const { dispatchReplyWithBufferedBlockDispatcher } = await processOpenDmMessage({
+      readSessionUpdatedAt: (input?: { storePath: string; sessionKey: string }) =>
+        input?.sessionKey === "agent:main:zalouser:group:321" ? 123 : undefined,
     });
 
     const callArg = dispatchReplyWithBufferedBlockDispatcher.mock.calls[0]?.[0];

package/src/monitor.ts

@@ -31,6 +31,7 @@ import {
   summarizeMapping,
   warnMissingProviderGroupPolicyFallbackOnce,
 } from "openclaw/plugin-sdk/zalouser";
+import { createDeferred } from "../../shared/deferred.js";
 import {
   buildZalouserGroupCandidates,
   findZalouserGroupEntry,
@@ -129,16 +130,6 @@ function resolveInboundQueueKey(message: ZaloInboundMessage): string {
   return `direct:${senderId || threadId}`;
 }
 
-function createDeferred<T>() {
-  let resolve!: (value: T | PromiseLike<T>) => void;
-  let reject!: (reason?: unknown) => void;
-  const promise = new Promise<T>((res, rej) => {
-    resolve = res;
-    reject = rej;
-  });
-  return { promise, resolve, reject };
-}
-
 function resolveZalouserDmSessionScope(config: OpenClawConfig) {
   const configured = config.session?.dmScope;
   return configured === "main" || !configured ? "per-channel-peer" : configured;

package/src/status-issues.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, it } from "vitest";
+import { expectOpenDmPolicyConfigIssue } from "../../test-utils/status-issues.js";
 import { collectZalouserStatusIssues } from "./status-issues.js";
 
 describe("collectZalouserStatusIssues", () => {
@@ -17,16 +18,15 @@ describe("collectZalouserStatusIssues", () => {
   });
 
   it("warns when dmPolicy is open", () => {
-    const issues = collectZalouserStatusIssues([
-      {
+    expectOpenDmPolicyConfigIssue({
+      collectIssues: collectZalouserStatusIssues,
+      account: {
         accountId: "default",
         enabled: true,
         configured: true,
         dmPolicy: "open",
       },
-    ]);
-    expect(issues).toHaveLength(1);
-    expect(issues[0]?.kind).toBe("config");
+    });
   });
 
   it("skips disabled accounts", () => {

package/src/status-issues.ts

@@ -1,42 +1,24 @@
 import type { ChannelAccountSnapshot, ChannelStatusIssue } from "openclaw/plugin-sdk/zalouser";
+import { coerceStatusIssueAccountId, readStatusIssueFields } from "../../shared/status-issues.js";
 
-type ZalouserAccountStatus = {
-  accountId?: unknown;
-  enabled?: unknown;
-  configured?: unknown;
-  dmPolicy?: unknown;
-  lastError?: unknown;
-};
-
-const isRecord = (value: unknown): value is Record<string, unknown> =>
-  Boolean(value && typeof value === "object");
-
-const asString = (value: unknown): string | undefined =>
-  typeof value === "string" ? value : typeof value === "number" ? String(value) : undefined;
-
-function readZalouserAccountStatus(value: ChannelAccountSnapshot): ZalouserAccountStatus | null {
-  if (!isRecord(value)) {
-    return null;
-  }
-  return {
-    accountId: value.accountId,
-    enabled: value.enabled,
-    configured: value.configured,
-    dmPolicy: value.dmPolicy,
-    lastError: value.lastError,
-  };
-}
+const ZALOUSER_STATUS_FIELDS = [
+  "accountId",
+  "enabled",
+  "configured",
+  "dmPolicy",
+  "lastError",
+] as const;
 
 export function collectZalouserStatusIssues(
   accounts: ChannelAccountSnapshot[],
 ): ChannelStatusIssue[] {
   const issues: ChannelStatusIssue[] = [];
   for (const entry of accounts) {
-    const account = readZalouserAccountStatus(entry);
+    const account = readStatusIssueFields(entry, ZALOUSER_STATUS_FIELDS);
     if (!account) {
       continue;
     }
-    const accountId = asString(account.accountId) ?? "default";
+    const accountId = coerceStatusIssueAccountId(account.accountId) ?? "default";
     const enabled = account.enabled !== false;
     if (!enabled) {
       continue;

package/src/test-helpers.ts

@@ -0,0 +1,26 @@
+import type { RuntimeEnv } from "openclaw/plugin-sdk/zalouser";
+import type { ResolvedZalouserAccount } from "./types.js";
+
+export function createZalouserRuntimeEnv(): RuntimeEnv {
+  return {
+    log: () => {},
+    error: () => {},
+    exit: ((code: number): never => {
+      throw new Error(`exit ${code}`);
+    }) as RuntimeEnv["exit"],
+  };
+}
+
+export function createDefaultResolvedZalouserAccount(
+  overrides: Partial<ResolvedZalouserAccount> = {},
+): ResolvedZalouserAccount {
+  return {
+    accountId: "default",
+    profile: "default",
+    name: "test",
+    enabled: true,
+    authenticated: true,
+    config: {},
+    ...overrides,
+  };
+}