@searchfe/openclaw-baiduapp 0.1.8 → 0.1.9-beta.1

package/dist/index.js

@@ -1,6 +1,8 @@
+import { spawnSync } from 'child_process';
+import readline from 'readline';
 import path2 from 'path';
 import { fileURLToPath } from 'url';
-import crypto3 from 'crypto';
+import crypto2 from 'crypto';
 import { createRequire } from 'module';
 import { lookup } from 'dns/promises';
 import fs2 from 'fs/promises';
@@ -9,11 +11,120 @@ import fs from 'fs';
 import { tmpdir } from 'os';
 
 var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/auth/login.ts
+var login_exports = {};
+__export(login_exports, {
+  loginBaiduApp: () => loginBaiduApp
+});
+function createTerminalPrompter() {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  const question = (message) => new Promise((resolve) => {
+    rl.question(message, (answer) => resolve(answer));
+  });
+  return {
+    select: async (message, choices) => {
+      while (true) {
+        process.stdout.write(`${message}
+`);
+        for (const [index, choice] of choices.entries()) {
+          process.stdout.write(`${index + 1}. ${choice}
+`);
+        }
+        const answer = (await question("\u8BF7\u9009\u62E9\u5E8F\u53F7: ")).trim();
+        const choiceIndex = Number(answer);
+        if (Number.isInteger(choiceIndex) && choiceIndex >= 1 && choiceIndex <= choices.length) {
+          return choices[choiceIndex - 1];
+        }
+        process.stdout.write(`\u8BF7\u8F93\u5165 1-${choices.length} \u4E4B\u95F4\u7684\u5E8F\u53F7\u3002
+`);
+      }
+    },
+    text: async (message, opts) => {
+      while (true) {
+        const answer = (await question(`${message}: `)).trim();
+        if (!opts?.required || answer) {
+          return answer;
+        }
+        process.stdout.write("\u8BE5\u9879\u4E3A\u5FC5\u586B\uFF0C\u8BF7\u91CD\u65B0\u8F93\u5165\u3002\n");
+      }
+    },
+    close: () => {
+      rl.close();
+    }
+  };
+}
+function redactValue(value, opts) {
+  if (!value) {
+    return "(empty)";
+  }
+  const keepStart = opts?.keepStart ?? 2;
+  const keepEnd = opts?.keepEnd ?? 2;
+  if (value.length <= keepStart + keepEnd) {
+    return "*".repeat(value.length);
+  }
+  return `${value.slice(0, keepStart)}***${value.slice(-keepEnd)}`;
+}
+function setConfigValue(key, value) {
+  const args = ["config", "set", key, String(value)];
+  const result = spawnSync("openclaw", args, {
+    stdio: ["ignore", "pipe", "pipe"],
+    encoding: "utf8",
+    timeout: 15e3
+  });
+  if (result.status !== 0) {
+    const stderr = (result.stderr ?? "").trim();
+    throw new Error(`openclaw config set failed: ${stderr || `exit code ${result.status}`}`);
+  }
+}
+async function loginBaiduApp(params) {
+  void params.cfg;
+  void params.verbose;
+  const agentId = params.accountId?.trim() || "main";
+  const prompter = createTerminalPrompter();
+  try {
+    const mode = await prompter.select("\u8BF7\u9009\u62E9\u767E\u5EA6 App \u914D\u7F6E\u65B9\u5F0F", [
+      "\u624B\u52A8\u586B\u5199",
+      "\u626B\u7801\u914D\u7F6E\uFF08\u5373\u5C06\u652F\u6301\uFF09"
+    ]);
+    if (mode === "\u626B\u7801\u914D\u7F6E\uFF08\u5373\u5C06\u652F\u6301\uFF09") {
+      params.runtime.log("\u23F3 \u626B\u7801\u914D\u7F6E\u529F\u80FD\u6B63\u5728\u5F00\u53D1\u4E2D\uFF0C\u656C\u8BF7\u671F\u5F85...");
+      params.runtime.log("\u8BF7\u5148\u4F7F\u7528\u624B\u52A8\u586B\u5199\u65B9\u5F0F\u5B8C\u6210\u914D\u7F6E\u3002");
+      return;
+    }
+    const appKey = await prompter.text("App Key", { required: true });
+    const appSecret = await prompter.text("App Secret", { required: true });
+    const accountKeyPrefix = `channels.openclaw-baiduapp.accounts.${agentId}`;
+    setConfigValue(`${accountKeyPrefix}.appKey`, appKey);
+    setConfigValue(`${accountKeyPrefix}.appSecret`, appSecret);
+    setConfigValue(`${accountKeyPrefix}.enabled`, true);
+    params.runtime.log(`\u2705 openclaw-baiduapp \u5DF2\u5B8C\u6210\u914D\u7F6E\uFF08account: ${agentId}\uFF09`);
+    params.runtime.log(`- appKey: ${redactValue(appKey, { keepStart: 3, keepEnd: 3 })}`);
+    params.runtime.log(`- appSecret: ${redactValue(appSecret, { keepStart: 3, keepEnd: 3 })}`);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    params.runtime.error(`openclaw-baiduapp \u767B\u5F55\u914D\u7F6E\u5931\u8D25\uFF1A${message}`);
+    throw error;
+  } finally {
+    prompter.close();
+  }
+}
+var init_login = __esm({
+  "src/auth/login.ts"() {
+  }
+});
+
 // node_modules/.pnpm/zod@3.25.76/node_modules/zod/v3/external.js
 var external_exports = {};
 __export(external_exports, {
@@ -4056,14 +4167,13 @@ var NEVER = INVALID;
 
 // src/config.ts
 var DEFAULT_ACCOUNT_ID = "default";
+var DEFAULT_AGENT_ID = "main";
 var DEFAULT_API_BASE = "https://claw.baidu.com";
 var BaiduAppAccountSchema = external_exports.object({
   name: external_exports.string().optional(),
   enabled: external_exports.boolean().optional(),
   pollingEnabled: external_exports.boolean().optional(),
   webhookPath: external_exports.string().optional(),
-  token: external_exports.string().optional(),
-  encodingAESKey: external_exports.string().optional(),
   appKey: external_exports.string().optional(),
   appSecret: external_exports.string().optional(),
   apiBase: external_exports.string().optional(),
@@ -4082,8 +4192,6 @@ var BaiduAppConfigJsonSchema = {
       enabled: { type: "boolean" },
       pollingEnabled: { type: "boolean" },
       webhookPath: { type: "string" },
-      token: { type: "string" },
-      encodingAESKey: { type: "string" },
       appKey: { type: "string" },
       appSecret: { type: "string" },
       apiBase: { type: "string" },
@@ -4099,8 +4207,6 @@ var BaiduAppConfigJsonSchema = {
             enabled: { type: "boolean" },
             pollingEnabled: { type: "boolean" },
             webhookPath: { type: "string" },
-            token: { type: "string" },
-            encodingAESKey: { type: "string" },
             appKey: { type: "string" },
             appSecret: { type: "string" },
             apiBase: { type: "string" },
@@ -4115,6 +4221,10 @@ function normalizeAccountId(raw) {
   const trimmed = String(raw ?? "").trim();
   return trimmed || DEFAULT_ACCOUNT_ID;
 }
+function extractAgentId(msg) {
+  const raw = msg.agentid ?? "";
+  return raw.trim() || DEFAULT_AGENT_ID;
+}
 function listConfiguredAccountIds(cfg) {
   const accounts = cfg.channels?.["openclaw-baiduapp"]?.accounts;
   if (!accounts || typeof accounts !== "object") {
@@ -4162,12 +4272,10 @@ function resolveBaiduAppAccount(params) {
   const merged = mergeBaiduAppAccountConfig(params.cfg, accountId);
   const enabled = baseEnabled && merged.enabled !== false;
   const isDefaultAccount = accountId === DEFAULT_ACCOUNT_ID;
-  const token = merged.token?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_TOKEN?.trim() : void 0) || void 0;
-  const encodingAESKey = merged.encodingAESKey?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_ENCODING_AES_KEY?.trim() : void 0) || void 0;
   const appKey = merged.appKey?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_KEY?.trim() : void 0) || void 0;
   const appSecret = merged.appSecret?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_SECRET?.trim() : void 0) || void 0;
-  const configured = Boolean(token && encodingAESKey);
-  const canSendActive = Boolean(appKey && appSecret && token && encodingAESKey);
+  const configured = Boolean(appKey && appSecret);
+  const canSendActive = Boolean(appKey && appSecret);
   const rawApiBase = merged.apiBase?.trim() || (isDefaultAccount ? process.env.BAIDU_API_BASE?.trim() : void 0) || void 0;
   const apiBase = (rawApiBase || DEFAULT_API_BASE).replace(/\/+$/, "");
   return {
@@ -4175,8 +4283,6 @@ function resolveBaiduAppAccount(params) {
     name: merged.name?.trim() || void 0,
     enabled,
     configured,
-    token,
-    encodingAESKey,
     appKey,
     appSecret,
     apiBase,
@@ -4184,6 +4290,37 @@ function resolveBaiduAppAccount(params) {
     config: merged
   };
 }
+function resolveAgentField(agentCfg, mainCfg, baseAccount, field) {
+  return agentCfg?.[field]?.trim() || mainCfg?.[field]?.trim() || baseAccount[field];
+}
+function resolveAgentAccount(params) {
+  const { baseAccount, cfg, agentId } = params;
+  if (agentId === baseAccount.accountId) {
+    return baseAccount;
+  }
+  const accounts = cfg.channels?.["openclaw-baiduapp"]?.accounts;
+  const agentCfg = accounts?.[agentId] && typeof accounts[agentId] === "object" ? accounts[agentId] : void 0;
+  const mainCfg = agentId !== DEFAULT_AGENT_ID && accounts?.[DEFAULT_AGENT_ID] && typeof accounts[DEFAULT_AGENT_ID] === "object" ? accounts[DEFAULT_AGENT_ID] : void 0;
+  const appKey = resolveAgentField(agentCfg, mainCfg, baseAccount, "appKey");
+  const appSecret = resolveAgentField(agentCfg, mainCfg, baseAccount, "appSecret");
+  const apiBase = baseAccount.apiBase;
+  const name = resolveAgentField(agentCfg, mainCfg, baseAccount, "name");
+  const configured = Boolean(appKey && appSecret);
+  const canSendActive = Boolean(appKey && appSecret);
+  const agentEnabled = agentCfg?.enabled !== false;
+  return {
+    ...baseAccount,
+    accountId: agentId,
+    name: name || baseAccount.name,
+    enabled: agentEnabled && baseAccount.enabled,
+    configured,
+    appKey,
+    appSecret,
+    apiBase,
+    canSendActive,
+    config: { ...baseAccount.config, ...mainCfg ?? {}, ...agentCfg ?? {} }
+  };
+}
 
 // src/shared/logger.ts
 function createLogger(prefix, opts) {
@@ -4196,86 +4333,27 @@ function createLogger(prefix, opts) {
     error: (msg) => errorFn(`[${prefix}] [ERROR] ${msg}`)
   };
 }
-function decodeEncodingAESKey(encodingAESKey) {
-  const trimmed = encodingAESKey.trim();
-  if (!trimmed) {
-    throw new Error("encodingAESKey missing");
-  }
-  const withPadding = trimmed.endsWith("=") ? trimmed : `${trimmed}=`;
-  const key = Buffer.from(withPadding, "base64");
-  if (key.length !== 32) {
-    throw new Error(`invalid encodingAESKey (expected 32 bytes after base64 decode, got ${key.length})`);
-  }
-  return key;
-}
-var PKCS7_BLOCK_SIZE = 32;
-function pkcs7Pad(buf, blockSize) {
-  const mod = buf.length % blockSize;
-  const pad = mod === 0 ? blockSize : blockSize - mod;
-  return Buffer.concat([buf, Buffer.alloc(pad, pad)]);
-}
-function pkcs7Unpad(buf, blockSize) {
-  if (buf.length === 0) {
-    throw new Error("invalid pkcs7 payload");
-  }
-  const pad = buf[buf.length - 1];
-  if (!pad || pad < 1 || pad > blockSize || pad > buf.length) {
-    throw new Error("invalid pkcs7 padding");
-  }
-  for (let i = 1; i <= pad; i += 1) {
-    if (buf[buf.length - i] !== pad) {
-      throw new Error("invalid pkcs7 padding");
-    }
-  }
-  return buf.subarray(0, buf.length - pad);
-}
 function sha1Hex(input) {
-  return crypto3.createHash("sha1").update(input).digest("hex");
+  return crypto2.createHash("sha1").update(input).digest("hex");
 }
-function computeBaiduAppMsgSignature(params) {
-  const parts = [params.token, params.timestamp, params.nonce, params.encrypt].map((value) => String(value ?? "")).sort();
-  return sha1Hex(parts.join(""));
+function computeAKSKBearerToken(params) {
+  return sha1Hex(params.ak + params.sk + params.timestamp + params.nonce);
 }
-function verifyBaiduAppSignature(params) {
-  const expected = computeBaiduAppMsgSignature({
-    token: params.token,
+function verifyAKSKBearerToken(params) {
+  const expected = computeAKSKBearerToken({
+    ak: params.ak,
+    sk: params.sk,
     timestamp: params.timestamp,
-    nonce: params.nonce,
-    encrypt: params.encrypt
+    nonce: params.nonce
   });
-  return expected === params.signature;
+  return expected === params.token;
 }
-function decryptBaiduAppEncrypted(params) {
-  const aesKey = decodeEncodingAESKey(params.encodingAESKey);
-  const iv = aesKey.subarray(0, 16);
-  const decipher = crypto3.createDecipheriv("aes-256-cbc", aesKey, iv);
-  decipher.setAutoPadding(false);
-  const decryptedPadded = Buffer.concat([decipher.update(Buffer.from(params.encrypt, "base64")), decipher.final()]);
-  const decrypted = pkcs7Unpad(decryptedPadded, PKCS7_BLOCK_SIZE);
-  if (decrypted.length < 20) {
-    throw new Error(`invalid decrypted payload (expected at least 20 bytes, got ${decrypted.length})`);
-  }
-  const msgLen = decrypted.readUInt32BE(16);
-  const msgStart = 20;
-  const msgEnd = msgStart + msgLen;
-  if (msgEnd > decrypted.length) {
-    throw new Error(`invalid decrypted msg length (msgEnd=${msgEnd}, payloadLength=${decrypted.length})`);
-  }
-  return decrypted.subarray(msgStart, msgEnd).toString("utf8");
+function generateNonce() {
+  return crypto2.randomBytes(8).toString("hex");
 }
-function encryptBaiduAppPlaintext(params) {
-  const aesKey = decodeEncodingAESKey(params.encodingAESKey);
-  const iv = aesKey.subarray(0, 16);
-  const random16 = crypto3.randomBytes(16);
-  const msg = Buffer.from(params.plaintext ?? "", "utf8");
-  const msgLen = Buffer.alloc(4);
-  msgLen.writeUInt32BE(msg.length, 0);
-  const raw = Buffer.concat([random16, msgLen, msg]);
-  const padded = pkcs7Pad(raw, PKCS7_BLOCK_SIZE);
-  const cipher = crypto3.createCipheriv("aes-256-cbc", aesKey, iv);
-  cipher.setAutoPadding(false);
-  const encrypted = Buffer.concat([cipher.update(padded), cipher.final()]);
-  return encrypted.toString("base64");
+function buildAuthorizationHeader(params) {
+  const token = computeAKSKBearerToken(params);
+  return `Bearer ${token}`;
 }
 var require2 = createRequire(import.meta.url);
 var pkg = require2("../package.json");
@@ -4283,48 +4361,54 @@ var PLUGIN_VERSION = pkg.version;
 
 // src/api.ts
 var logger = createLogger("openclaw-baiduapp");
+var DEFAULT_sessionId = "agent:main:main";
 async function sendBaiduAppMessage(account, message, options) {
   if (!account.canSendActive) {
-    logger.error("Account not configured for active sending (missing appKey, token, or encodingAESKey)");
+    logger.error("Account not configured for active sending (missing appKey or appSecret)");
     return {
       ok: false,
       errcode: -1,
-      errmsg: "Account not configured for active sending (missing appKey, token, or encodingAESKey)"
+      errmsg: "Account not configured for active sending (missing appKey or appSecret)"
     };
   }
   const normalizedPayload = typeof message === "string" ? {
-    msgtype: "text",
-    text: { content: message }
+    list: [{
+      type: "text",
+      data: {
+        text: { content: message }
+      }
+    }]
   } : message;
-  const payload = {
-    ...normalizedPayload,
+  const sessionId = options?.sessionId ?? DEFAULT_sessionId;
+  const callbackBody = {
+    sessionId,
+    list: normalizedPayload.list,
     version: PLUGIN_VERSION,
-    ...options?.msgid != null ? { msgid: options.msgid } : {},
-    ...options?.streamId != null ? { streamId: options.streamId } : {},
-    ...options?.chunkKey != null ? { chunkKey: options.chunkKey } : {}
+    isActive: options?.isActive || false,
+    ...options?.agentid ? { agentid: options.agentid } : {},
+    ...options?.chunkKey != null ? { chunkKey: options.chunkKey } : {},
+    ...options?.replyToMsgId ? { replyToMsgId: options.replyToMsgId } : {}
   };
-  const plaintext = JSON.stringify(payload);
-  const encrypt = encryptBaiduAppPlaintext({
-    encodingAESKey: account.encodingAESKey ?? "",
-    plaintext
-  });
   const timestamp = String(Math.floor(Date.now() / 1e3));
-  const nonce = crypto3.randomBytes(8).toString("hex");
-  const msgSignature = computeBaiduAppMsgSignature({
-    token: account.token ?? "",
+  const nonce = generateNonce();
+  const authorization = buildAuthorizationHeader({
+    ak: account.appKey ?? "",
+    sk: account.appSecret ?? "",
     timestamp,
-    nonce,
-    encrypt
+    nonce
   });
-  const sendMessageUrl = `${account.apiBase}/chat/openclaw/callback`;
-  const url = `${sendMessageUrl}?timestamp=${encodeURIComponent(timestamp)}&ak=${encodeURIComponent(account.appKey ?? "")}&nonce=${encodeURIComponent(nonce)}&msg_signature=${encodeURIComponent(msgSignature)}`;
-  const body = JSON.stringify({ encrypt });
+  const sendMessageUrl = `${account.apiBase}/channel/msg/callback`;
+  const url = `${sendMessageUrl}?timestamp=${encodeURIComponent(timestamp)}&ak=${encodeURIComponent(account.appKey ?? "")}&nonce=${encodeURIComponent(nonce)}`;
+  const body = JSON.stringify(callbackBody);
   logger.info(`POST ${url}`);
   logger.debug(`request body: ${body}`);
   const resp = await fetch(url, {
     method: "POST",
     body,
-    headers: { "Content-Type": "application/json" }
+    headers: {
+      "Authorization": authorization,
+      "Content-Type": "application/json"
+    }
   });
   const text = await resp.text();
   if (!text) {
@@ -4365,21 +4449,21 @@ function buildMediaPayload(mediaList, opts) {
 
 // src/bot.ts
 function extractBaiduAppTextContent(msg) {
-  const msgtype = String(msg.msgtype ?? msg.MsgType ?? "").toLowerCase();
+  const msgtype = String(msg.msgtype ?? "").toLowerCase();
   if (msgtype === "text") {
-    const content = msg.text?.content ?? msg.Content;
+    const content = msg.text?.content;
     return typeof content === "string" ? content : "";
   }
   if (msgtype === "event") {
     const eventtype = String(
-      msg.event?.eventtype ?? msg.Event ?? ""
+      msg.event?.eventtype ?? ""
     ).trim();
     return eventtype ? `[event] ${eventtype}` : "[event]";
   }
   return msgtype ? `[${msgtype}]` : "";
 }
 function canDispatchBaiduAppInboundMessage(msg) {
-  const msgtype = String(msg.msgtype ?? msg.MsgType ?? "").toLowerCase();
+  const msgtype = String(msg.msgtype ?? "").toLowerCase();
   if (msgtype === "text") {
     if (extractBaiduAppTextContent(msg)) {
       return true;
@@ -4449,7 +4533,7 @@ async function dispatchBaiduAppMessage(params) {
     cfg: safeCfg,
     channel: "openclaw-baiduapp",
     accountId: account.accountId,
-    peer: { kind: "dm", id: "default" }
+    peer: { kind: "dm", id: account.accountId || DEFAULT_AGENT_ID }
   });
   logger3.info(`SessionKey: ${route.sessionKey}`);
   logger3.info(
@@ -4479,7 +4563,7 @@ async function dispatchBaiduAppMessage(params) {
     envelope: envelopeOptions,
     body: rawBody
   }) : rawBody;
-  const msgid = msg.msgid ?? msg.MsgId ?? void 0;
+  const msgid = msg.msgid ?? void 0;
   const ctxPayload = channel.reply?.finalizeInboundContext ? channel.reply.finalizeInboundContext({
     Body: body,
     RawBody: rawBody,
@@ -4685,7 +4769,7 @@ var require3 = createRequire(import.meta.url);
 var BaiduCloudSdk = require3("@baiducloud/sdk");
 var DefaultBosClient = BaiduCloudSdk.BosClient;
 var MAX_DOWNLOAD_REDIRECTS = 5;
-var EMPTY_QUERY_MD5 = crypto3.createHash("md5").update("").digest("hex");
+var EMPTY_QUERY_MD5 = crypto2.createHash("md5").update("").digest("hex");
 var SKS_BASE_TOKEN_POSITIONS = [12, 37, 5, 23, 48, 15, 62, 33];
 async function fetchSksCredentials(account, deps = {}) {
   if (!account.appKey?.trim()) {
@@ -4699,7 +4783,7 @@ async function fetchSksCredentials(account, deps = {}) {
   const pageLid = deps.createPageLid?.() ?? generateSksPageLid();
   const timestamp = String((deps.now?.() ?? /* @__PURE__ */ new Date()).getTime());
   const token = createSksRequestToken({ pageLid, timestamp });
-  const url = `${apiBase}/file/sts?ak=${encodeURIComponent(account.appKey)}&sk=${encodeURIComponent(account.appSecret)}&tk=${encodeURIComponent(token)}`;
+  const url = `${apiBase}/channel/file/sts?ak=${encodeURIComponent(account.appKey)}&sk=${encodeURIComponent(account.appSecret)}&tk=${encodeURIComponent(token)}`;
   const response = await fetchImpl(url, { method: "POST" });
   if (!response.ok) {
     throw new Error(`SKS request failed with HTTP ${response.status}`);
@@ -4888,10 +4972,10 @@ function parseSksResponse(payload) {
   };
 }
 function generateSksPageLid() {
-  return crypto3.randomBytes(16).toString("hex");
+  return crypto2.randomBytes(16).toString("hex");
 }
 function createSksBaseToken(pageLid) {
-  const pageLidHash = crypto3.createHash("sha256").update(pageLid).digest("hex");
+  const pageLidHash = crypto2.createHash("sha256").update(pageLid).digest("hex");
   const characters = SKS_BASE_TOKEN_POSITIONS.map((position) => {
     const character = pageLidHash[position];
     if (!character) {
@@ -4950,7 +5034,7 @@ function assertSafeUntrustedFileName(fileName) {
 }
 function buildBosObjectKey(params) {
   const timestamp = formatUtcDate(params.now?.() ?? /* @__PURE__ */ new Date());
-  const uniqueId = crypto3.randomUUID();
+  const uniqueId = crypto2.randomUUID();
   return `${params.prefixPath}/${timestamp}/${uniqueId}-${params.fileName}`;
 }
 function formatUtcDate(date) {
@@ -5083,7 +5167,7 @@ function resolveDownloadFileName(params) {
 }
 function buildTempFilePath(params) {
   const timestamp = (params.now?.() ?? /* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-  return path2.join(params.tempDir, `${timestamp}-${crypto3.randomUUID()}-${params.fileName}`);
+  return path2.join(params.tempDir, `${timestamp}-${crypto2.randomUUID()}-${params.fileName}`);
 }
 async function ensurePluginTempDir(resolveTmpDir) {
   const baseTmpDir = resolveTmpDir?.() ?? resolvePreferredOpenClawTmpDir();
@@ -5144,12 +5228,12 @@ function normalizeWebhookPath(raw) {
 function jsonOk(res, body) {
   res.statusCode = 200;
   res.setHeader("Content-Type", "application/json; charset=utf-8");
-  res.end(JSON.stringify({ status: 0, data: body }));
+  res.end(JSON.stringify({ code: 0, msg: "success", data: body }));
 }
 function jsonError(res, message, statusCode = 200) {
   res.statusCode = statusCode;
   res.setHeader("Content-Type", "application/json; charset=utf-8");
-  res.end(JSON.stringify({ status: -1, message }));
+  res.end(JSON.stringify({ code: -1, msg: message, data: {} }));
 }
 async function readRawBody(req, maxBytes) {
   const chunks = [];
@@ -5181,47 +5265,6 @@ async function readRawBody(req, maxBytes) {
     });
   });
 }
-function parseXmlBody(xml) {
-  const result = {};
-  const cdataRegex = /<(\w+)><!\[CDATA\[([\s\S]*?)\]\]><\/\1>/g;
-  let match;
-  while ((match = cdataRegex.exec(xml)) !== null) {
-    const [, key = "", value = ""] = match;
-    result[key] = value;
-  }
-  const simpleRegex = /<(\w+)>([^<]*)<\/\1>/g;
-  while ((match = simpleRegex.exec(xml)) !== null) {
-    const [, key = "", value = ""] = match;
-    if (!result[key]) {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-function isXmlFormat(raw) {
-  const trimmed = raw.trim();
-  return trimmed.startsWith("<") && trimmed.endsWith(">");
-}
-function buildEncryptedJsonReply(params) {
-  const base = params.plaintextJson != null && typeof params.plaintextJson === "object" ? params.plaintextJson : {};
-  const plaintext = JSON.stringify({ ...base, version: PLUGIN_VERSION });
-  const encrypt = encryptBaiduAppPlaintext({
-    encodingAESKey: params.account.encodingAESKey ?? "",
-    plaintext
-  });
-  const msgsignature = computeBaiduAppMsgSignature({
-    token: params.account.token ?? "",
-    timestamp: params.timestamp,
-    nonce: params.nonce,
-    encrypt
-  });
-  return {
-    encrypt,
-    msgsignature,
-    timestamp: params.timestamp,
-    nonce: params.nonce
-  };
-}
 function resolveQueryParams(req) {
   const url = new URL(req.url ?? "/", "http://localhost");
   return url.searchParams;
@@ -5230,8 +5273,16 @@ function resolvePath(req) {
   const url = new URL(req.url ?? "/", "http://localhost");
   return normalizeWebhookPath(url.pathname || "/");
 }
-function resolveSignatureParam(params) {
-  return params.get("msg_signature") ?? params.get("msgsignature") ?? params.get("signature") ?? "";
+function resolveBearerToken(req) {
+  const authorization = req.headers.authorization ?? req.headers.Authorization;
+  if (Array.isArray(authorization)) {
+    return "";
+  }
+  const value = typeof authorization === "string" ? authorization.trim() : "";
+  if (!value.toLowerCase().startsWith("bearer ")) {
+    return "";
+  }
+  return value.slice(7).trim();
 }
 function buildLogger(target) {
   return createLogger("openclaw-baiduapp", {
@@ -5299,50 +5350,49 @@ async function downloadInboundFiles(params) {
     }
   };
 }
-function parseBaiduAppPlainMessage(raw) {
-  const trimmed = raw.trim();
-  if (trimmed.startsWith("<") && trimmed.endsWith(">")) {
-    const xmlData = parseXmlBody(trimmed);
-    return {
-      msgtype: xmlData.MsgType,
-      MsgType: xmlData.MsgType,
-      msgid: xmlData.MsgId,
-      MsgId: xmlData.MsgId,
-      content: xmlData.Content,
-      Content: xmlData.Content,
-      from: xmlData.FromUserName ? { appkey: xmlData.FromUserName } : void 0,
-      ToUserName: xmlData.ToUserName,
-      CreateTime: xmlData.CreateTime ? Number(xmlData.CreateTime) : void 0,
-      BotID: xmlData.BotID ? Number(xmlData.BotID) : void 0,
-      Event: xmlData.Event
-    };
-  }
+function parseV2MsgToInbound(inner, outer) {
+  const list = Array.isArray(inner.list) ? inner.list : [];
+  const textItem = list.find(
+    (item) => item && typeof item === "object" && item.type === "text"
+  );
+  const fileItems = list.filter(
+    (item) => item && typeof item === "object" && item.type === "file"
+  );
+  const textContent = textItem?.data?.text?.content ?? "";
+  const files = fileItems.map((f) => ({ url: f.data.file_id, fileType: "file" }));
+  return {
+    msgtype: "text",
+    msgid: typeof outer.msgid === "string" ? outer.msgid : void 0,
+    agentid: typeof outer.agentid === "string" ? outer.agentid : void 0,
+    text: textContent ? { content: textContent } : void 0,
+    ...files.length > 0 ? { files } : {}
+  };
+}
+function parseBaiduAppCandidates(params) {
+  const results = [];
+  let outer = {};
   try {
-    const parsed = JSON.parse(trimmed);
-    if (!parsed || typeof parsed !== "object") {
-      return {};
+    const parsed = JSON.parse(params.raw);
+    if (parsed && typeof parsed === "object") {
+      outer = parsed;
     }
-    return parsed;
   } catch {
-    return {};
+    outer = {};
   }
-}
-function decryptBaiduAppCandidates(params) {
-  const results = [];
-  for (const candidate of params.candidates) {
-    if (!candidate.account.encodingAESKey) {
-      continue;
-    }
+  let inner = {};
+  if (typeof outer.msg === "string") {
     try {
-      const plaintext = decryptBaiduAppEncrypted({
-        encodingAESKey: candidate.account.encodingAESKey,
-        encrypt: params.encrypt
-      });
-      const msg = parseBaiduAppPlainMessage(plaintext);
-      results.push({ target: candidate, plaintext, msg });
+      const parsedInner = JSON.parse(outer.msg);
+      if (parsedInner && typeof parsedInner === "object") {
+        inner = parsedInner;
+      }
     } catch {
+      inner = {};
     }
   }
+  for (const candidate of params.candidates) {
+    results.push({ target: candidate, msg: parseV2MsgToInbound(inner, outer) });
+  }
   return results;
 }
 function selectDecryptedTarget(params) {
@@ -5359,8 +5409,9 @@ async function processBaiduAppInboundMessage(params) {
   const { target, msg } = params;
   const logger3 = buildLogger(target);
   target.statusSink?.({ lastInboundAt: Date.now() });
-  const msgtype = String(msg.msgtype ?? msg.MsgType ?? "").toLowerCase();
-  const msgid = msg.msgid ?? msg.MsgId ? String(msg.msgid ?? msg.MsgId) : void 0;
+  const msgtype = String(msg.msgtype ?? "").toLowerCase();
+  const msgid = msg.msgid ? String(msg.msgid) : void 0;
+  const agentId = extractAgentId(msg);
   logger3.info(`inbound: type=${msgtype || "unknown"} msgid=${msgid ?? "none"} account=${target.account.accountId}`);
   if (!canDispatchBaiduAppInboundMessage(msg)) {
     logger3.warn(`inbound message skipped: type=${msgtype || "unknown"} reason=no-dispatchable-content`);
@@ -5368,6 +5419,11 @@ async function processBaiduAppInboundMessage(params) {
   }
   const inboundFileResult = msgtype === "text" ? await downloadInboundFiles({ msg, logger: logger3, runtime: target.runtime }) : { localFiles: [], diagnostic: {} };
   const inboundMediaFiles = inboundFileResult.localFiles;
+  const agentAccount = resolveAgentAccount({
+    baseAccount: target.account,
+    cfg: target.config,
+    agentId
+  });
   const core = tryGetBaiduAppRuntime();
   if (core) {
     logger3.info(`agent dispatch started: canSendActive=${target.account.canSendActive}`);
@@ -5380,8 +5436,9 @@ async function processBaiduAppInboundMessage(params) {
         );
         target.statusSink?.({ lastOutboundAt: Date.now() });
         if (target.account.canSendActive) {
-          sendBaiduAppMessage(target.account, text, {
-            msgid,
+          sendBaiduAppMessage(agentAccount, text, {
+            replyToMsgId: msgid,
+            agentid: agentId,
             chunkKey: currentChunkKey
           }).then((result) => {
             if (!result.ok) {
@@ -5404,7 +5461,7 @@ async function processBaiduAppInboundMessage(params) {
     };
     dispatchBaiduAppMessage({
       cfg: target.config,
-      account: target.account,
+      account: agentAccount,
       msg,
       core,
       hooks,
@@ -5446,53 +5503,43 @@ async function handleBaiduAppWebhookRequest(req, res) {
   const query = resolveQueryParams(req);
   const timestamp = query.get("timestamp") ?? "";
   const nonce = query.get("nonce") ?? "";
-  const signature = resolveSignatureParam(query);
+  const ak = query.get("ak") ?? "";
+  const token = resolveBearerToken(req);
   const primary = targets[0];
   const logger3 = buildLogger(primary);
   if (req.method === "GET") {
     const echostr = query.get("echostr") ?? "";
-    if (!timestamp || !nonce || !signature || !echostr) {
+    if (!ak || !timestamp || !nonce || !token || !echostr) {
       jsonError(res, "missing query params", 400);
       return true;
     }
-    const signatureMatched2 = targets.filter((candidate) => {
-      if (!candidate.account.token) {
+    const tokenMatched2 = targets.filter((candidate) => {
+      if (!candidate.account.appKey || !candidate.account.appSecret) {
+        return false;
+      }
+      if (candidate.account.appKey !== ak) {
         return false;
       }
-      return verifyBaiduAppSignature({
-        token: candidate.account.token,
+      return verifyAKSKBearerToken({
+        ak: candidate.account.appKey,
+        sk: candidate.account.appSecret,
         timestamp,
         nonce,
-        encrypt: echostr,
-        signature
+        token
       });
     });
-    if (signatureMatched2.length === 0) {
-      jsonError(res, "unauthorized");
-      return true;
-    }
-    const decryptable2 = signatureMatched2.filter((candidate) => Boolean(candidate.account.encodingAESKey));
-    if (decryptable2.length === 0) {
+    if (tokenMatched2.length === 0) {
       jsonError(res, "unauthorized");
       return true;
     }
-    const decryptedCandidates2 = decryptBaiduAppCandidates({
-      candidates: decryptable2,
-      encrypt: echostr
-    });
-    if (decryptedCandidates2.length === 0) {
-      jsonError(res, "decrypt failed");
-      return true;
-    }
-    const selected2 = selectDecryptedTarget({ candidates: decryptedCandidates2, logger: logger3 });
-    jsonOk(res, selected2.plaintext);
+    jsonOk(res, echostr);
     return true;
   }
   if (req.method !== "POST") {
     jsonError(res, "Method Not Allowed", 405);
     return true;
   }
-  if (!timestamp || !nonce || !signature) {
+  if (!ak || !timestamp || !nonce || !token) {
     jsonError(res, "missing query params");
     return true;
   }
@@ -5502,90 +5549,56 @@ async function handleBaiduAppWebhookRequest(req, res) {
     return true;
   }
   const rawBody = body.raw;
-  let encrypt = "";
-  let msgSignature = signature;
-  let msgTimestamp = timestamp;
-  let msgNonce = nonce;
-  if (isXmlFormat(rawBody)) {
-    const xmlData = parseXmlBody(rawBody);
-    encrypt = xmlData.Encrypt ?? "";
-    msgSignature = xmlData.MsgSignature ?? signature;
-    msgTimestamp = xmlData.TimeStamp ?? timestamp;
-    msgNonce = xmlData.Nonce ?? nonce;
-    logger3.info(`inbound xml parsed: hasEncrypt=${Boolean(encrypt)}, msg_signature=${msgSignature ? "yes" : "no"}`);
-  } else {
-    try {
-      const record = JSON.parse(rawBody);
-      encrypt = String(record.encrypt ?? record.Encrypt ?? "");
-      logger3.info(`inbound json parsed: hasEncrypt=${Boolean(encrypt)}`);
-    } catch {
-      logger3.warn(`inbound payload parse failed: not valid xml or json`);
-      jsonError(res, "invalid payload format");
-      return true;
-    }
-  }
-  if (!encrypt) {
-    jsonError(res, "missing encrypt");
+  try {
+    JSON.parse(rawBody);
+    logger3.info("inbound json parsed");
+  } catch {
+    logger3.warn("inbound payload parse failed: not valid json");
+    jsonError(res, "invalid payload format");
     return true;
   }
-  const signatureMatched = targets.filter((candidate) => {
-    if (!candidate.account.token) {
+  const tokenMatched = targets.filter((candidate) => {
+    if (!candidate.account.appKey || !candidate.account.appSecret) {
+      return false;
+    }
+    if (candidate.account.appKey !== ak) {
       return false;
     }
-    return verifyBaiduAppSignature({
-      token: candidate.account.token,
-      timestamp: msgTimestamp,
-      nonce: msgNonce,
-      encrypt,
-      signature: msgSignature
+    return verifyAKSKBearerToken({
+      ak: candidate.account.appKey,
+      sk: candidate.account.appSecret,
+      timestamp,
+      nonce,
+      token
     });
   });
-  if (signatureMatched.length === 0) {
-    logger3.warn(`signature verification failed: checked ${targets.length} account(s), none matched`);
+  if (tokenMatched.length === 0) {
+    logger3.warn(`bearer token verification failed: checked ${targets.length} account(s), none matched`);
     jsonError(res, "unauthorized");
     return true;
   }
-  logger3.debug(`signature verified: ${signatureMatched.length} account(s) matched`);
-  const decryptable = signatureMatched.filter((candidate) => Boolean(candidate.account.encodingAESKey));
-  if (decryptable.length === 0) {
-    logger3.warn(`no account has encodingAESKey configured`);
-    jsonError(res, "openclaw-baiduapp not configured");
-    return true;
-  }
-  const decryptedCandidates = decryptBaiduAppCandidates({
-    candidates: decryptable,
-    encrypt
+  logger3.debug(`bearer token verified: ${tokenMatched.length} account(s) matched`);
+  const decryptedCandidates = parseBaiduAppCandidates({
+    candidates: tokenMatched,
+    raw: rawBody
   });
-  if (decryptedCandidates.length === 0) {
-    logger3.warn(`decrypt failed for all ${decryptable.length} candidate account(s)`);
-    jsonError(res, "decrypt failed");
-    return true;
-  }
   const selected = selectDecryptedTarget({ candidates: decryptedCandidates, logger: logger3 });
   const target = selected.target;
-  if (!target.account.configured || !target.account.token || !target.account.encodingAESKey) {
+  if (!target.account.configured || !target.account.appKey || !target.account.appSecret) {
     logger3.warn(`selected account ${target.account.accountId} not fully configured`);
     jsonError(res, "openclaw-baiduapp not configured");
     return true;
   }
-  const reply = await processBaiduAppInboundMessage({
+  await processBaiduAppInboundMessage({
     target,
     msg: selected.msg
   });
-  jsonOk(
-    res,
-    buildEncryptedJsonReply({
-      account: target.account,
-      plaintextJson: reply,
-      nonce: msgNonce,
-      timestamp: msgTimestamp
-    })
-  );
+  jsonOk(res, {});
   return true;
 }
 
 // src/poller.ts
-var DEFAULT_POLL_INTERVAL_MS = 1e3;
+var DEFAULT_POLL_INTERVAL_MS = 3e3;
 var DEFAULT_POLL_REQUEST_TIMEOUT_MS = 1e4;
 var accountPollers = /* @__PURE__ */ new Map();
 function buildPollingTextInboundMessage(content) {
@@ -5596,21 +5609,36 @@ function buildPollingTextInboundMessage(content) {
     }
   };
 }
+function parseTextAndFilesFromList(list) {
+  const textItem = list.find((entry) => entry.type === "text");
+  const fileItems = list.filter((entry) => entry.type === "file");
+  const content = textItem?.type === "text" ? textItem.data.text.content : void 0;
+  const files = fileItems.map((file) => {
+    const fileId = file.data.file_id;
+    return typeof fileId === "string" && fileId.trim() ? { url: fileId, fileType: "file" } : null;
+  }).filter((file) => file != null);
+  return { content, files };
+}
 async function dispatchPendingPollingMessages(data, target) {
+  console.log(data);
   if (!target || data.length === 0) {
     return;
   }
   for (const item of data) {
-    if (String(item.msgtype).toLowerCase() !== "text") {
-      continue;
-    }
-    const content = item.data?.content;
-    if (typeof content !== "string" || content.length === 0) {
+    const list = Array.isArray(item.list) ? item.list : [];
+    const { content, files } = parseTextAndFilesFromList(list);
+    console.log({ content, files });
+    if (typeof content !== "string" && files.length === 0) {
       continue;
     }
     await processBaiduAppInboundMessage({
       target,
-      msg: buildPollingTextInboundMessage(content)
+      msg: {
+        ...buildPollingTextInboundMessage(typeof content === "string" ? content : ""),
+        msgid: typeof item.msgId === "string" ? item.msgId : void 0,
+        agentid: typeof item.agentId === "string" ? item.agentId : void 0,
+        ...files.length > 0 ? { files } : {}
+      }
     });
   }
 }
@@ -5665,12 +5693,29 @@ function createAbortSignalController(params) {
   };
 }
 async function pollBaiduAppChatlistOnce(account, loggerOptions, requestOptions) {
-  const endpoint = `${account.apiBase}/chat/demo/chatlist`;
+  const endpoint = `${account.apiBase}/channel/msg/poll`;
+  const logger3 = createLogger("openclaw-baiduapp:poller", loggerOptions);
+  const timestamp = String(Math.floor(Date.now() / 1e3));
+  const nonce = generateNonce();
+  const authorization = buildAuthorizationHeader({
+    ak: account.appKey ?? "",
+    sk: account.appSecret ?? "",
+    timestamp,
+    nonce
+  });
   const query = new URLSearchParams({
     ak: account.appKey ?? "",
-    sk: account.appSecret ?? ""
+    timestamp,
+    nonce
   });
   const url = `${endpoint}?${query.toString()}`;
+  const payload = {
+    sessionId: "agent:main:main",
+    num: 5,
+    version: PLUGIN_VERSION
+  };
+  const body = JSON.stringify(payload);
+  console.log("start poll");
   const requestSignal = createAbortSignalController({
     signal: requestOptions?.signal,
     timeoutMs: requestOptions?.timeoutMs
@@ -5678,8 +5723,13 @@ async function pollBaiduAppChatlistOnce(account, loggerOptions, requestOptions)
   let response;
   try {
     response = await (requestOptions?.fetchImpl ?? fetch)(url, {
-      method: "GET",
-      signal: requestSignal.signal
+      method: "POST",
+      body,
+      signal: requestSignal.signal,
+      headers: {
+        "Authorization": authorization,
+        "Content-Type": "application/json"
+      }
     });
   } catch (error) {
     requestSignal.cleanup();
@@ -5732,10 +5782,13 @@ async function pollBaiduAppChatlistOnce(account, loggerOptions, requestOptions)
       }
     });
   }
-  const data = Array.isArray(parsed.data) ? parsed.data : [];
+  if (parsed.code !== 0) {
+    logger3.debug(`Baidu poll returned non-zero code=${String(parsed.code)}, message=${parsed.message}`);
+  }
+  const msgList = Array.isArray(parsed.data?.msgList) ? parsed.data.msgList : [];
   return buildPollResult({
     ok: true,
-    data
+    data: msgList
   });
 }
 function scheduleNextPoll(account, state) {
@@ -5858,9 +5911,20 @@ function inferBaiduOutboundFileType(params) {
 function buildOutboundMediaPayload(params) {
   const caption = params.caption?.trim();
   return {
-    msgtype: "text",
-    ...caption ? { text: { content: caption } } : {},
-    files: [{ url: params.uploadedUrl, fileType: params.fileType }]
+    list: [
+      ...caption ? [{
+        type: "text",
+        data: {
+          text: { content: caption }
+        }
+      }] : [],
+      {
+        type: "file",
+        data: {
+          file_id: params.uploadedUrl
+        }
+      }
+    ]
   };
 }
 function resolveDirectOutboundFiles(files) {
@@ -6097,7 +6161,10 @@ var baiduAppPlugin = {
         };
       }
       try {
-        const result = await sendBaiduAppMessage(account, params.text);
+        const result = await sendBaiduAppMessage(account, params.text, {
+          agentid: account.accountId,
+          isActive: true
+        });
         return {
           channel: "openclaw-baiduapp",
           ok: result.ok,
@@ -6142,7 +6209,8 @@ var baiduAppPlugin = {
               caption: params.text,
               uploadedUrl: remoteUrl,
               fileType: inferBaiduOutboundFileType({ mediaPath: remoteUrl })
-            })
+            }),
+            { agentid: account.accountId, isActive: true }
           );
           return {
             channel: "openclaw-baiduapp",
@@ -6184,7 +6252,8 @@ var baiduAppPlugin = {
             fileType: inferBaiduOutboundFileType({
               mediaPath: uploaded.fileName || localMediaPath
             })
-          })
+          }),
+          { agentid: account.accountId, isActive: true }
         );
         return {
           channel: "openclaw-baiduapp",
@@ -6206,6 +6275,18 @@ var baiduAppPlugin = {
       }
     }
   },
+  auth: {
+    login: async (params) => {
+      void params.channelInput;
+      const { loginBaiduApp: loginBaiduApp2 } = await Promise.resolve().then(() => (init_login(), login_exports));
+      await loginBaiduApp2({
+        cfg: params.cfg,
+        accountId: params.accountId,
+        runtime: params.runtime,
+        verbose: params.verbose
+      });
+    }
+  },
   gateway: {
     startAccount: async (ctx) => {
       ctx.setStatus?.({ accountId: ctx.accountId });
@@ -6243,21 +6324,19 @@ var baiduAppPlugin = {
         existing();
       }
       unregisterHooks.set(ctx.accountId, unregister);
-      if (account.config.pollingEnabled === true) {
-        startAccountPolling({
+      startAccountPolling({
+        account,
+        dispatchTarget: {
           account,
-          dispatchTarget: {
-            account,
-            config: ctx.cfg ?? {},
-            runtime: runtime2,
-            statusSink: (patch) => ctx.setStatus?.({ accountId: ctx.accountId, ...patch })
-          },
-          onError: (error) => {
-            const message = error instanceof Error ? error.message : String(error);
-            ctx.log?.error(`[openclaw-baiduapp] polling failed for account ${ctx.accountId}: ${message}`);
-          }
-        });
-      }
+          config: ctx.cfg ?? {},
+          runtime: runtime2,
+          statusSink: (patch) => ctx.setStatus?.({ accountId: ctx.accountId, ...patch })
+        },
+        onError: (error) => {
+          const message = error instanceof Error ? error.message : String(error);
+          ctx.log?.error(`[openclaw-baiduapp] polling failed for account ${ctx.accountId}: ${message}`);
+        }
+      });
       ctx.log?.info(
         `[openclaw-baiduapp] webhook registered at ${path4} for account ${ctx.accountId} (canSendActive=${account.canSendActive})`
       );
@@ -6309,7 +6388,7 @@ async function sendMessage(account, options) {
     };
   }
   try {
-    const textResult = await sendBaiduAppMessage(account, options.text);
+    const textResult = await sendBaiduAppMessage(account, options.text, { isActive: true });
     return {
       ok: textResult.ok,
       msgid: textResult.msgid,