@openclaw/zalouser 2026.3.13 → 2026.5.2-beta.1

package/src/security-audit.test.ts

@@ -0,0 +1,80 @@
+import { describe, expect, it } from "vitest";
+import { collectZalouserSecurityAuditFindings } from "./security-audit.js";
+import type { ResolvedZalouserAccount, ZalouserAccountConfig } from "./types.js";
+
+function createAccount(config: ZalouserAccountConfig): ResolvedZalouserAccount {
+  return {
+    accountId: "default",
+    enabled: true,
+    profile: "default",
+    authenticated: true,
+    config,
+  };
+}
+
+describe("Zalouser security audit findings", () => {
+  const cases: Array<{
+    name: string;
+    config: ZalouserAccountConfig;
+    expectedSeverity: "info" | "warn";
+    detailIncludes: string[];
+    detailExcludes?: string[];
+    expectFindingMatch?: { checkId: string; severity: "info" | "warn" };
+  }> = [
+    {
+      name: "warns when group routing contains mutable group entries",
+      config: {
+        enabled: true,
+        groups: {
+          "Ops Room": { enabled: true },
+          "group:g-123": { enabled: true },
+        },
+      } satisfies ZalouserAccountConfig,
+      expectedSeverity: "warn",
+      detailIncludes: ["channels.zalouser.groups:Ops Room"],
+      detailExcludes: ["group:g-123"],
+    },
+    {
+      name: "marks mutable group routing as break-glass when dangerous matching is enabled",
+      config: {
+        enabled: true,
+        dangerouslyAllowNameMatching: true,
+        groups: {
+          "Ops Room": { enabled: true },
+        },
+      } satisfies ZalouserAccountConfig,
+      expectedSeverity: "info",
+      detailIncludes: ["out-of-scope"],
+      expectFindingMatch: {
+        checkId: "channels.zalouser.groups.mutable_entries",
+        severity: "info",
+      },
+    },
+  ];
+
+  it.each(cases)("$name", (testCase) => {
+    const findings = collectZalouserSecurityAuditFindings({
+      account: createAccount(testCase.config),
+      accountId: "default",
+      orderedAccountIds: ["default"],
+      hasExplicitAccountPath: false,
+    });
+    const finding = findings.find(
+      (entry) => entry.checkId === "channels.zalouser.groups.mutable_entries",
+    );
+
+    expect(finding).toBeDefined();
+    expect(finding?.severity).toBe(testCase.expectedSeverity);
+    for (const snippet of testCase.detailIncludes) {
+      expect(finding?.detail).toContain(snippet);
+    }
+    for (const snippet of testCase.detailExcludes ?? []) {
+      expect(finding?.detail).not.toContain(snippet);
+    }
+    if (testCase.expectFindingMatch) {
+      expect(findings).toEqual(
+        expect.arrayContaining([expect.objectContaining(testCase.expectFindingMatch)]),
+      );
+    }
+  });
+});

package/src/security-audit.ts

@@ -0,0 +1,71 @@
+import { isDangerousNameMatchingEnabled } from "openclaw/plugin-sdk/dangerous-name-runtime";
+import type { ResolvedZalouserAccount } from "./accounts.js";
+
+export function isZalouserMutableGroupEntry(raw: string): boolean {
+  const text = raw.trim();
+  if (!text || text === "*") {
+    return false;
+  }
+  const normalized = text
+    .replace(/^(zalouser|zlu):/i, "")
+    .replace(/^group:/i, "")
+    .trim();
+  if (!normalized) {
+    return false;
+  }
+  if (/^\d+$/.test(normalized)) {
+    return false;
+  }
+  return !/^g-\S+$/i.test(normalized);
+}
+
+export function collectZalouserSecurityAuditFindings(params: {
+  accountId?: string | null;
+  account: ResolvedZalouserAccount;
+  orderedAccountIds: string[];
+  hasExplicitAccountPath: boolean;
+}) {
+  const zalouserCfg = params.account.config ?? {};
+  const accountId = params.accountId?.trim() || params.account.accountId || "default";
+  const dangerousNameMatchingEnabled = isDangerousNameMatchingEnabled(zalouserCfg);
+  const zalouserPathPrefix =
+    params.orderedAccountIds.length > 1 || params.hasExplicitAccountPath
+      ? `channels.zalouser.accounts.${accountId}`
+      : "channels.zalouser";
+  const mutableGroupEntries = new Set<string>();
+  const groups = zalouserCfg.groups;
+  if (groups && typeof groups === "object" && !Array.isArray(groups)) {
+    for (const key of Object.keys(groups as Record<string, unknown>)) {
+      if (!isZalouserMutableGroupEntry(key)) {
+        continue;
+      }
+      mutableGroupEntries.add(`${zalouserPathPrefix}.groups:${key}`);
+    }
+  }
+  if (mutableGroupEntries.size === 0) {
+    return [];
+  }
+  const examples = Array.from(mutableGroupEntries).slice(0, 5);
+  const more =
+    mutableGroupEntries.size > examples.length
+      ? ` (+${mutableGroupEntries.size - examples.length} more)`
+      : "";
+  const severity: "info" | "warn" = dangerousNameMatchingEnabled ? "info" : "warn";
+  return [
+    {
+      checkId: "channels.zalouser.groups.mutable_entries",
+      severity,
+      title: dangerousNameMatchingEnabled
+        ? "Zalouser group routing uses break-glass name matching"
+        : "Zalouser group routing contains mutable group entries",
+      detail: dangerousNameMatchingEnabled
+        ? "Zalouser group-name routing is explicitly enabled via dangerouslyAllowNameMatching. This mutable-identity mode is operator-selected break-glass behavior and out-of-scope for vulnerability reports by itself. " +
+          `Found: ${examples.join(", ")}${more}.`
+        : "Zalouser group auth is ID-only by default, so unresolved group-name or slug entries are ignored for auth and can drift from the intended trusted group. " +
+          `Found: ${examples.join(", ")}${more}.`,
+      remediation: dangerousNameMatchingEnabled
+        ? "Prefer stable Zalo group IDs (for example group:<id> or provider-native g- ids), then disable dangerouslyAllowNameMatching."
+        : "Prefer stable Zalo group IDs in channels.zalouser.groups, or explicitly opt in with dangerouslyAllowNameMatching=true if you accept mutable group-name matching.",
+    },
+  ];
+}

package/src/send.test.ts

@@ -17,7 +17,7 @@ import {
   sendZaloTextMessage,
   sendZaloTypingEvent,
 } from "./zalo-js.js";
-import { TextStyle } from "./zca-client.js";
+import { TextStyle } from "./zca-constants.js";
 
 vi.mock("./zalo-js.js", () => ({
   sendZaloTextMessage: vi.fn(),
@@ -149,7 +149,7 @@ describe("zalouser send helpers", () => {
     expect(formatted.text.length).toBeGreaterThan(2000);
     expect(mockSendText).toHaveBeenCalledTimes(2);
     expect(mockSendText.mock.calls.map((call) => call[1]).join("")).toBe(formatted.text);
-    expect(mockSendText.mock.calls.every((call) => (call[1] as string).length <= 2000)).toBe(true);
+    expect(mockSendText.mock.calls.every((call) => call[1].length <= 2000)).toBe(true);
     expect(result).toEqual({ ok: true, messageId: "mid-2c-2" });
   });
 

package/src/send.ts

@@ -8,10 +8,10 @@ import {
   sendZaloTextMessage,
   sendZaloTypingEvent,
 } from "./zalo-js.js";
-import { TextStyle } from "./zca-client.js";
+import { TextStyle } from "./zca-constants.js";
 
-export type ZalouserSendOptions = ZaloSendOptions;
-export type ZalouserSendResult = ZaloSendResult;
+type ZalouserSendOptions = ZaloSendOptions;
+type ZalouserSendResult = ZaloSendResult;
 
 const ZALO_TEXT_LIMIT = 2000;
 const DEFAULT_TEXT_CHUNK_MODE = "length";

package/src/session-route.ts

@@ -0,0 +1,121 @@
+import {
+  buildChannelOutboundSessionRoute,
+  type ChannelOutboundSessionRouteParams,
+} from "openclaw/plugin-sdk/core";
+import {
+  normalizeLowercaseStringOrEmpty,
+  normalizeOptionalLowercaseString,
+} from "openclaw/plugin-sdk/text-runtime";
+
+function stripZalouserTargetPrefix(raw: string): string {
+  return raw
+    .trim()
+    .replace(/^(zalouser|zlu):/i, "")
+    .trim();
+}
+
+export function normalizeZalouserTarget(raw: string): string | undefined {
+  const trimmed = stripZalouserTargetPrefix(raw);
+  if (!trimmed) {
+    return undefined;
+  }
+
+  const lower = normalizeLowercaseStringOrEmpty(trimmed);
+  if (lower.startsWith("group:")) {
+    const id = trimmed.slice("group:".length).trim();
+    return id ? `group:${id}` : undefined;
+  }
+  if (lower.startsWith("g:")) {
+    const id = trimmed.slice("g:".length).trim();
+    return id ? `group:${id}` : undefined;
+  }
+  if (lower.startsWith("user:")) {
+    const id = trimmed.slice("user:".length).trim();
+    return id ? `user:${id}` : undefined;
+  }
+  if (lower.startsWith("dm:")) {
+    const id = trimmed.slice("dm:".length).trim();
+    return id ? `user:${id}` : undefined;
+  }
+  if (lower.startsWith("u:")) {
+    const id = trimmed.slice("u:".length).trim();
+    return id ? `user:${id}` : undefined;
+  }
+  if (/^g-\S+$/i.test(trimmed)) {
+    return `group:${trimmed}`;
+  }
+  if (/^u-\S+$/i.test(trimmed)) {
+    return `user:${trimmed}`;
+  }
+
+  return trimmed;
+}
+
+export function parseZalouserOutboundTarget(raw: string): {
+  threadId: string;
+  isGroup: boolean;
+} {
+  const normalized = normalizeZalouserTarget(raw);
+  if (!normalized) {
+    throw new Error("Zalouser target is required");
+  }
+  const lowered = normalizeLowercaseStringOrEmpty(normalized);
+  if (lowered.startsWith("group:")) {
+    const threadId = normalized.slice("group:".length).trim();
+    if (!threadId) {
+      throw new Error("Zalouser group target is missing group id");
+    }
+    return { threadId, isGroup: true };
+  }
+  if (lowered.startsWith("user:")) {
+    const threadId = normalized.slice("user:".length).trim();
+    if (!threadId) {
+      throw new Error("Zalouser user target is missing user id");
+    }
+    return { threadId, isGroup: false };
+  }
+  // Backward-compatible fallback for bare IDs.
+  // Group sends should use explicit `group:<id>` targets.
+  return { threadId: normalized, isGroup: false };
+}
+
+export function parseZalouserDirectoryGroupId(raw: string): string {
+  const normalized = normalizeZalouserTarget(raw);
+  if (!normalized) {
+    throw new Error("Zalouser group target is required");
+  }
+  const lowered = normalizeLowercaseStringOrEmpty(normalized);
+  if (lowered.startsWith("group:")) {
+    const groupId = normalized.slice("group:".length).trim();
+    if (!groupId) {
+      throw new Error("Zalouser group target is missing group id");
+    }
+    return groupId;
+  }
+  if (lowered.startsWith("user:")) {
+    throw new Error("Zalouser group members lookup requires a group target (group:<id>)");
+  }
+  return normalized;
+}
+
+export function resolveZalouserOutboundSessionRoute(params: ChannelOutboundSessionRouteParams) {
+  const normalized = normalizeZalouserTarget(params.target);
+  if (!normalized) {
+    return null;
+  }
+  const isGroup = (normalizeOptionalLowercaseString(normalized) ?? "").startsWith("group:");
+  const peerId = normalized.replace(/^(group|user):/i, "").trim();
+  return buildChannelOutboundSessionRoute({
+    cfg: params.cfg,
+    agentId: params.agentId,
+    channel: "zalouser",
+    accountId: params.accountId,
+    peer: {
+      kind: isGroup ? "group" : "direct",
+      id: peerId,
+    },
+    chatType: isGroup ? "group" : "direct",
+    from: isGroup ? `zalouser:group:${peerId}` : `zalouser:${peerId}`,
+    to: `zalouser:${peerId}`,
+  });
+}

package/src/setup-core.ts

@@ -0,0 +1,33 @@
+import {
+  createDelegatedSetupWizardProxy,
+  createPatchedAccountSetupAdapter,
+  type ChannelSetupWizard,
+} from "openclaw/plugin-sdk/setup-runtime";
+
+const channel = "zalouser" as const;
+
+export const zalouserSetupAdapter = createPatchedAccountSetupAdapter({
+  channelKey: channel,
+  validateInput: () => null,
+  buildPatch: () => ({}),
+});
+
+export function createZalouserSetupWizardProxy(
+  loadWizard: () => Promise<ChannelSetupWizard>,
+): ChannelSetupWizard {
+  return createDelegatedSetupWizardProxy({
+    channel,
+    loadWizard,
+    status: {
+      configuredLabel: "logged in",
+      unconfiguredLabel: "needs QR login",
+      configuredHint: "recommended · logged in",
+      unconfiguredHint: "recommended · QR login",
+      configuredScore: 1,
+      unconfiguredScore: 15,
+    },
+    credentials: [],
+    delegatePrepare: true,
+    delegateFinalize: true,
+  });
+}

package/src/setup-surface.test.ts

@@ -0,0 +1,363 @@
+import {
+  createPluginSetupWizardConfigure,
+  createTestWizardPrompter,
+  runSetupWizardConfigure,
+} from "openclaw/plugin-sdk/plugin-test-runtime";
+import { describe, expect, it, vi } from "vitest";
+import type { OpenClawConfig } from "../runtime-api.js";
+import "./zalo-js.test-mocks.js";
+import { zalouserSetupWizard } from "./setup-surface.js";
+import { zalouserSetupPlugin } from "./setup-test-helpers.js";
+
+const zalouserConfigure = createPluginSetupWizardConfigure(zalouserSetupPlugin);
+
+async function runSetup(params: {
+  cfg?: OpenClawConfig;
+  prompter: ReturnType<typeof createTestWizardPrompter>;
+  options?: Record<string, unknown>;
+  forceAllowFrom?: boolean;
+}) {
+  return await runSetupWizardConfigure({
+    configure: zalouserConfigure,
+    cfg: params.cfg,
+    prompter: params.prompter,
+    options: params.options,
+    forceAllowFrom: params.forceAllowFrom,
+  });
+}
+
+describe("zalouser setup wizard", () => {
+  function expectEnabledDefaultSetup(
+    result: Awaited<ReturnType<typeof runSetup>>,
+    dmPolicy?: "pairing" | "allowlist",
+  ) {
+    expect(result.accountId).toBe("default");
+    expect(result.cfg.channels?.zalouser?.enabled).toBe(true);
+    expect(result.cfg.plugins?.entries?.zalouser?.enabled).toBe(true);
+    if (dmPolicy) {
+      expect(result.cfg.channels?.zalouser?.dmPolicy).toBe(dmPolicy);
+    }
+  }
+
+  function createQuickstartPrompter(params?: {
+    note?: ReturnType<typeof createTestWizardPrompter>["note"];
+    seen?: string[];
+    dmPolicy?: "pairing" | "allowlist";
+    groupAccess?: boolean;
+    groupPolicy?: "allowlist";
+    textByMessage?: Record<string, string>;
+  }) {
+    const select = vi.fn(
+      async ({ message, options }: { message: string; options: Array<{ value: string }> }) => {
+        const first = options[0];
+        if (!first) {
+          throw new Error("no options");
+        }
+        params?.seen?.push(message);
+        if (message === "Zalo Personal DM policy" && params?.dmPolicy) {
+          return params.dmPolicy;
+        }
+        if (message === "Zalo groups access" && params?.groupPolicy) {
+          return params.groupPolicy;
+        }
+        return first.value;
+      },
+    ) as ReturnType<typeof createTestWizardPrompter>["select"];
+    const text = vi.fn(
+      async ({ message }: { message: string }) => params?.textByMessage?.[message] ?? "",
+    ) as ReturnType<typeof createTestWizardPrompter>["text"];
+    return createTestWizardPrompter({
+      ...(params?.note ? { note: params.note } : {}),
+      confirm: vi.fn(async ({ message }: { message: string }) => {
+        params?.seen?.push(message);
+        if (message === "Login via QR code now?") {
+          return false;
+        }
+        if (message === "Configure Zalo groups access?") {
+          return params?.groupAccess ?? false;
+        }
+        return false;
+      }),
+      select,
+      text,
+    });
+  }
+
+  it("enables the account without forcing QR login", async () => {
+    const prompter = createTestWizardPrompter({
+      confirm: vi.fn(async ({ message }: { message: string }) => {
+        if (message === "Login via QR code now?") {
+          return false;
+        }
+        if (message === "Configure Zalo groups access?") {
+          return false;
+        }
+        return false;
+      }),
+    });
+
+    const result = await runSetup({ prompter });
+
+    expect(result.accountId).toBe("default");
+    expect(result.cfg.channels?.zalouser?.enabled).toBe(true);
+    expect(result.cfg.plugins?.entries?.zalouser?.enabled).toBe(true);
+  });
+
+  it("prompts DM policy before group access in quickstart", async () => {
+    const seen: string[] = [];
+    const prompter = createQuickstartPrompter({ seen, dmPolicy: "pairing" });
+
+    const result = await runSetup({
+      prompter,
+      options: { quickstartDefaults: true },
+    });
+
+    expectEnabledDefaultSetup(result, "pairing");
+    expect(seen.indexOf("Zalo Personal DM policy")).toBeGreaterThanOrEqual(0);
+    expect(seen.indexOf("Configure Zalo groups access?")).toBeGreaterThanOrEqual(0);
+    expect(seen.indexOf("Zalo Personal DM policy")).toBeLessThan(
+      seen.indexOf("Configure Zalo groups access?"),
+    );
+  });
+
+  it("allows an empty quickstart DM allowlist with a warning", async () => {
+    const note = vi.fn(async (_message: string, _title?: string) => {});
+    const prompter = createQuickstartPrompter({
+      note,
+      dmPolicy: "allowlist",
+      textByMessage: {
+        "Zalouser allowFrom (name or user id)": "",
+      },
+    });
+
+    const result = await runSetup({
+      prompter,
+      options: { quickstartDefaults: true },
+    });
+
+    expectEnabledDefaultSetup(result, "allowlist");
+    expect(result.cfg.channels?.zalouser?.allowFrom).toEqual([]);
+    expect(
+      note.mock.calls.some(([message]) => message.includes("No DM allowlist entries added yet.")),
+    ).toBe(true);
+  });
+
+  it("allows an empty group allowlist with a warning", async () => {
+    const note = vi.fn(async (_message: string, _title?: string) => {});
+    const prompter = createQuickstartPrompter({
+      note,
+      groupAccess: true,
+      groupPolicy: "allowlist",
+      textByMessage: {
+        "Zalo groups allowlist (comma-separated)": "",
+      },
+    });
+
+    const result = await runSetup({ prompter });
+
+    expect(result.cfg.channels?.zalouser?.groupPolicy).toBe("allowlist");
+    expect(result.cfg.channels?.zalouser?.groups).toEqual({});
+    expect(
+      note.mock.calls.some(([message]) =>
+        message.includes("No group allowlist entries added yet."),
+      ),
+    ).toBe(true);
+  });
+
+  it("writes canonical enabled entries for configured groups", async () => {
+    const prompter = createQuickstartPrompter({
+      groupAccess: true,
+      groupPolicy: "allowlist",
+      textByMessage: {
+        "Zalo groups allowlist (comma-separated)": "Family, Work",
+      },
+    });
+
+    const result = await runSetup({ prompter });
+
+    expect(result.cfg.channels?.zalouser?.groups).toEqual({
+      Family: { enabled: true, requireMention: true },
+      Work: { enabled: true, requireMention: true },
+    });
+  });
+
+  it("preserves non-quickstart forceAllowFrom behavior", async () => {
+    const note = vi.fn(async (_message: string, _title?: string) => {});
+    const seen: string[] = [];
+    const prompter = createTestWizardPrompter({
+      note,
+      confirm: vi.fn(async ({ message }: { message: string }) => {
+        seen.push(message);
+        if (message === "Login via QR code now?") {
+          return false;
+        }
+        if (message === "Configure Zalo groups access?") {
+          return false;
+        }
+        return false;
+      }),
+      text: vi.fn(async ({ message }: { message: string }) => {
+        seen.push(message);
+        if (message === "Zalouser allowFrom (name or user id)") {
+          return "";
+        }
+        return "";
+      }) as ReturnType<typeof createTestWizardPrompter>["text"],
+    });
+
+    const result = await runSetup({ prompter, forceAllowFrom: true });
+
+    expect(result.cfg.channels?.zalouser?.dmPolicy).toBe("allowlist");
+    expect(result.cfg.channels?.zalouser?.allowFrom).toEqual([]);
+    expect(seen).not.toContain("Zalo Personal DM policy");
+    expect(seen).toContain("Zalouser allowFrom (name or user id)");
+    expect(
+      note.mock.calls.some(([message]) => message.includes("No DM allowlist entries added yet.")),
+    ).toBe(true);
+  });
+
+  it("allowlists the plugin when a plugin allowlist already exists", async () => {
+    const prompter = createTestWizardPrompter({
+      confirm: vi.fn(async ({ message }: { message: string }) => {
+        if (message === "Login via QR code now?") {
+          return false;
+        }
+        if (message === "Configure Zalo groups access?") {
+          return false;
+        }
+        return false;
+      }),
+    });
+
+    const result = await runSetup({
+      cfg: {
+        plugins: {
+          allow: ["telegram"],
+        },
+      } as OpenClawConfig,
+      prompter,
+    });
+
+    expect(result.cfg.plugins?.entries?.zalouser?.enabled).toBe(true);
+    expect(result.cfg.plugins?.allow).toEqual(["telegram", "zalouser"]);
+  });
+
+  it("reads the named-account DM policy instead of the channel root", () => {
+    expect(
+      zalouserSetupWizard.dmPolicy?.getCurrent(
+        {
+          channels: {
+            zalouser: {
+              dmPolicy: "disabled",
+              accounts: {
+                work: {
+                  profile: "work",
+                  dmPolicy: "allowlist",
+                },
+              },
+            },
+          },
+        } as OpenClawConfig,
+        "work",
+      ),
+    ).toBe("allowlist");
+  });
+
+  it("reports account-scoped config keys for named accounts", () => {
+    expect(zalouserSetupWizard.dmPolicy?.resolveConfigKeys?.({} as OpenClawConfig, "work")).toEqual(
+      {
+        policyKey: "channels.zalouser.accounts.work.dmPolicy",
+        allowFromKey: "channels.zalouser.accounts.work.allowFrom",
+      },
+    );
+  });
+
+  it("uses configured defaultAccount for omitted DM policy account context", () => {
+    const cfg = {
+      channels: {
+        zalouser: {
+          defaultAccount: "work",
+          dmPolicy: "disabled",
+          allowFrom: ["123456789"],
+          accounts: {
+            work: {
+              dmPolicy: "allowlist",
+              profile: "work-profile",
+            },
+          },
+        },
+      },
+    } as OpenClawConfig;
+
+    expect(zalouserSetupWizard.dmPolicy?.getCurrent(cfg)).toBe("allowlist");
+    expect(zalouserSetupWizard.dmPolicy?.resolveConfigKeys?.(cfg)).toEqual({
+      policyKey: "channels.zalouser.accounts.work.dmPolicy",
+      allowFromKey: "channels.zalouser.accounts.work.allowFrom",
+    });
+
+    const next = zalouserSetupWizard.dmPolicy?.setPolicy(cfg, "open");
+    expect(next?.channels?.zalouser?.dmPolicy).toBe("disabled");
+    const workAccount = next?.channels?.zalouser?.accounts?.work as
+      | { dmPolicy?: string; allowFrom?: Array<string | number> }
+      | undefined;
+    expect(workAccount?.dmPolicy).toBe("open");
+  });
+
+  it('writes open policy state to the named account and preserves inherited allowFrom with "*"', () => {
+    const next = zalouserSetupWizard.dmPolicy?.setPolicy(
+      {
+        channels: {
+          zalouser: {
+            allowFrom: ["123456789"],
+            accounts: {
+              work: {
+                profile: "work",
+              },
+            },
+          },
+        },
+      } as OpenClawConfig,
+      "open",
+      "work",
+    );
+
+    expect(next?.channels?.zalouser?.dmPolicy).toBeUndefined();
+    const workAccount = next?.channels?.zalouser?.accounts?.work as
+      | { dmPolicy?: string; allowFrom?: Array<string | number> }
+      | undefined;
+    expect(workAccount?.dmPolicy).toBe("open");
+    expect(workAccount?.allowFrom).toEqual(["123456789", "*"]);
+  });
+
+  it("shows the account-scoped current DM policy in quickstart notes", async () => {
+    const note = vi.fn(async (_message: string, _title?: string) => {});
+    const prompter = createQuickstartPrompter({ note, dmPolicy: "pairing" });
+
+    await runSetupWizardConfigure({
+      configure: zalouserConfigure,
+      cfg: {
+        channels: {
+          zalouser: {
+            dmPolicy: "disabled",
+            accounts: {
+              work: {
+                profile: "work",
+                dmPolicy: "allowlist",
+                allowFrom: ["123456789"],
+              },
+            },
+          },
+        },
+      } as OpenClawConfig,
+      prompter,
+      options: { quickstartDefaults: true },
+      accountOverrides: { zalouser: "work" },
+    });
+
+    expect(
+      note.mock.calls.some(([message]) =>
+        message.includes("Current: dmPolicy=allowlist, allowFrom=123456789"),
+      ),
+    ).toBe(true);
+  });
+});