@searchfe/openclaw-baiduapp 0.1.8 → 0.1.9-beta.2

package/dist/index.js

@@ -1,6 +1,8 @@
+import { spawnSync } from 'child_process';
+import readline from 'readline';
 import path2 from 'path';
 import { fileURLToPath } from 'url';
-import crypto3 from 'crypto';
+import crypto from 'crypto';
 import { createRequire } from 'module';
 import { lookup } from 'dns/promises';
 import fs2 from 'fs/promises';
@@ -9,11 +11,120 @@ import fs from 'fs';
 import { tmpdir } from 'os';
 
 var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
 
+// src/auth/login.ts
+var login_exports = {};
+__export(login_exports, {
+  loginBaiduApp: () => loginBaiduApp
+});
+function createTerminalPrompter() {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  const question = (message) => new Promise((resolve) => {
+    rl.question(message, (answer) => resolve(answer));
+  });
+  return {
+    select: async (message, choices) => {
+      while (true) {
+        process.stdout.write(`${message}
+`);
+        for (const [index, choice] of choices.entries()) {
+          process.stdout.write(`${index + 1}. ${choice}
+`);
+        }
+        const answer = (await question("\u8BF7\u9009\u62E9\u5E8F\u53F7: ")).trim();
+        const choiceIndex = Number(answer);
+        if (Number.isInteger(choiceIndex) && choiceIndex >= 1 && choiceIndex <= choices.length) {
+          return choices[choiceIndex - 1];
+        }
+        process.stdout.write(`\u8BF7\u8F93\u5165 1-${choices.length} \u4E4B\u95F4\u7684\u5E8F\u53F7\u3002
+`);
+      }
+    },
+    text: async (message, opts) => {
+      while (true) {
+        const answer = (await question(`${message}: `)).trim();
+        if (!opts?.required || answer) {
+          return answer;
+        }
+        process.stdout.write("\u8BE5\u9879\u4E3A\u5FC5\u586B\uFF0C\u8BF7\u91CD\u65B0\u8F93\u5165\u3002\n");
+      }
+    },
+    close: () => {
+      rl.close();
+    }
+  };
+}
+function redactValue(value, opts) {
+  if (!value) {
+    return "(empty)";
+  }
+  const keepStart = opts?.keepStart ?? 2;
+  const keepEnd = opts?.keepEnd ?? 2;
+  if (value.length <= keepStart + keepEnd) {
+    return "*".repeat(value.length);
+  }
+  return `${value.slice(0, keepStart)}***${value.slice(-keepEnd)}`;
+}
+function setConfigValue(key, value) {
+  const args = ["config", "set", key, String(value)];
+  const result = spawnSync("openclaw", args, {
+    stdio: ["ignore", "pipe", "pipe"],
+    encoding: "utf8",
+    timeout: 15e3
+  });
+  if (result.status !== 0) {
+    const stderr = (result.stderr ?? "").trim();
+    throw new Error(`openclaw config set failed: ${stderr || `exit code ${result.status}`}`);
+  }
+}
+async function loginBaiduApp(params) {
+  void params.cfg;
+  void params.verbose;
+  const agentId = params.accountId?.trim() || "main";
+  const prompter = createTerminalPrompter();
+  try {
+    const mode = await prompter.select("\u8BF7\u9009\u62E9\u767E\u5EA6 App \u914D\u7F6E\u65B9\u5F0F", [
+      "\u624B\u52A8\u586B\u5199",
+      "\u626B\u7801\u914D\u7F6E\uFF08\u5373\u5C06\u652F\u6301\uFF09"
+    ]);
+    if (mode === "\u626B\u7801\u914D\u7F6E\uFF08\u5373\u5C06\u652F\u6301\uFF09") {
+      params.runtime.log("\u23F3 \u626B\u7801\u914D\u7F6E\u529F\u80FD\u6B63\u5728\u5F00\u53D1\u4E2D\uFF0C\u656C\u8BF7\u671F\u5F85...");
+      params.runtime.log("\u8BF7\u5148\u4F7F\u7528\u624B\u52A8\u586B\u5199\u65B9\u5F0F\u5B8C\u6210\u914D\u7F6E\u3002");
+      return;
+    }
+    const appKey = await prompter.text("App Key", { required: true });
+    const appSecret = await prompter.text("App Secret", { required: true });
+    const accountKeyPrefix = `channels.openclaw-baiduapp.accounts.${agentId}`;
+    setConfigValue(`${accountKeyPrefix}.appKey`, appKey);
+    setConfigValue(`${accountKeyPrefix}.appSecret`, appSecret);
+    setConfigValue(`${accountKeyPrefix}.enabled`, true);
+    params.runtime.log(`\u2705 openclaw-baiduapp \u5DF2\u5B8C\u6210\u914D\u7F6E\uFF08account: ${agentId}\uFF09`);
+    params.runtime.log(`- appKey: ${redactValue(appKey, { keepStart: 3, keepEnd: 3 })}`);
+    params.runtime.log(`- appSecret: ${redactValue(appSecret, { keepStart: 3, keepEnd: 3 })}`);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    params.runtime.error(`openclaw-baiduapp \u767B\u5F55\u914D\u7F6E\u5931\u8D25\uFF1A${message}`);
+    throw error;
+  } finally {
+    prompter.close();
+  }
+}
+var init_login = __esm({
+  "src/auth/login.ts"() {
+  }
+});
+
 // node_modules/.pnpm/zod@3.25.76/node_modules/zod/v3/external.js
 var external_exports = {};
 __export(external_exports, {
@@ -4056,14 +4167,13 @@ var NEVER = INVALID;
 
 // src/config.ts
 var DEFAULT_ACCOUNT_ID = "default";
+var DEFAULT_AGENT_ID = "main";
 var DEFAULT_API_BASE = "https://claw.baidu.com";
 var BaiduAppAccountSchema = external_exports.object({
   name: external_exports.string().optional(),
   enabled: external_exports.boolean().optional(),
   pollingEnabled: external_exports.boolean().optional(),
   webhookPath: external_exports.string().optional(),
-  token: external_exports.string().optional(),
-  encodingAESKey: external_exports.string().optional(),
   appKey: external_exports.string().optional(),
   appSecret: external_exports.string().optional(),
   apiBase: external_exports.string().optional(),
@@ -4082,8 +4192,6 @@ var BaiduAppConfigJsonSchema = {
       enabled: { type: "boolean" },
       pollingEnabled: { type: "boolean" },
       webhookPath: { type: "string" },
-      token: { type: "string" },
-      encodingAESKey: { type: "string" },
       appKey: { type: "string" },
       appSecret: { type: "string" },
       apiBase: { type: "string" },
@@ -4099,8 +4207,6 @@ var BaiduAppConfigJsonSchema = {
             enabled: { type: "boolean" },
             pollingEnabled: { type: "boolean" },
             webhookPath: { type: "string" },
-            token: { type: "string" },
-            encodingAESKey: { type: "string" },
             appKey: { type: "string" },
             appSecret: { type: "string" },
             apiBase: { type: "string" },
@@ -4115,6 +4221,10 @@ function normalizeAccountId(raw) {
   const trimmed = String(raw ?? "").trim();
   return trimmed || DEFAULT_ACCOUNT_ID;
 }
+function extractAgentId(msg) {
+  const raw = msg.agentid ?? "";
+  return raw.trim() || DEFAULT_AGENT_ID;
+}
 function listConfiguredAccountIds(cfg) {
   const accounts = cfg.channels?.["openclaw-baiduapp"]?.accounts;
   if (!accounts || typeof accounts !== "object") {
@@ -4162,12 +4272,10 @@ function resolveBaiduAppAccount(params) {
   const merged = mergeBaiduAppAccountConfig(params.cfg, accountId);
   const enabled = baseEnabled && merged.enabled !== false;
   const isDefaultAccount = accountId === DEFAULT_ACCOUNT_ID;
-  const token = merged.token?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_TOKEN?.trim() : void 0) || void 0;
-  const encodingAESKey = merged.encodingAESKey?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_ENCODING_AES_KEY?.trim() : void 0) || void 0;
   const appKey = merged.appKey?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_KEY?.trim() : void 0) || void 0;
   const appSecret = merged.appSecret?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_SECRET?.trim() : void 0) || void 0;
-  const configured = Boolean(token && encodingAESKey);
-  const canSendActive = Boolean(appKey && appSecret && token && encodingAESKey);
+  const configured = Boolean(appKey && appSecret);
+  const canSendActive = Boolean(appKey && appSecret);
   const rawApiBase = merged.apiBase?.trim() || (isDefaultAccount ? process.env.BAIDU_API_BASE?.trim() : void 0) || void 0;
   const apiBase = (rawApiBase || DEFAULT_API_BASE).replace(/\/+$/, "");
   return {
@@ -4175,8 +4283,6 @@ function resolveBaiduAppAccount(params) {
     name: merged.name?.trim() || void 0,
     enabled,
     configured,
-    token,
-    encodingAESKey,
     appKey,
     appSecret,
     apiBase,
@@ -4184,6 +4290,37 @@ function resolveBaiduAppAccount(params) {
     config: merged
   };
 }
+function resolveAgentField(agentCfg, mainCfg, baseAccount, field) {
+  return agentCfg?.[field]?.trim() || mainCfg?.[field]?.trim() || baseAccount[field];
+}
+function resolveAgentAccount(params) {
+  const { baseAccount, cfg, agentId } = params;
+  if (agentId === baseAccount.accountId) {
+    return baseAccount;
+  }
+  const accounts = cfg.channels?.["openclaw-baiduapp"]?.accounts;
+  const agentCfg = accounts?.[agentId] && typeof accounts[agentId] === "object" ? accounts[agentId] : void 0;
+  const mainCfg = agentId !== DEFAULT_AGENT_ID && accounts?.[DEFAULT_AGENT_ID] && typeof accounts[DEFAULT_AGENT_ID] === "object" ? accounts[DEFAULT_AGENT_ID] : void 0;
+  const appKey = resolveAgentField(agentCfg, mainCfg, baseAccount, "appKey");
+  const appSecret = resolveAgentField(agentCfg, mainCfg, baseAccount, "appSecret");
+  const apiBase = baseAccount.apiBase;
+  const name = resolveAgentField(agentCfg, mainCfg, baseAccount, "name");
+  const configured = Boolean(appKey && appSecret);
+  const canSendActive = Boolean(appKey && appSecret);
+  const agentEnabled = agentCfg?.enabled !== false;
+  return {
+    ...baseAccount,
+    accountId: agentId,
+    name: name || baseAccount.name,
+    enabled: agentEnabled && baseAccount.enabled,
+    configured,
+    appKey,
+    appSecret,
+    apiBase,
+    canSendActive,
+    config: { ...baseAccount.config, ...mainCfg ?? {}, ...agentCfg ?? {} }
+  };
+}
 
 // src/shared/logger.ts
 function createLogger(prefix, opts) {
@@ -4196,135 +4333,85 @@ function createLogger(prefix, opts) {
     error: (msg) => errorFn(`[${prefix}] [ERROR] ${msg}`)
   };
 }
-function decodeEncodingAESKey(encodingAESKey) {
-  const trimmed = encodingAESKey.trim();
-  if (!trimmed) {
-    throw new Error("encodingAESKey missing");
-  }
-  const withPadding = trimmed.endsWith("=") ? trimmed : `${trimmed}=`;
-  const key = Buffer.from(withPadding, "base64");
-  if (key.length !== 32) {
-    throw new Error(`invalid encodingAESKey (expected 32 bytes after base64 decode, got ${key.length})`);
-  }
-  return key;
-}
-var PKCS7_BLOCK_SIZE = 32;
-function pkcs7Pad(buf, blockSize) {
-  const mod = buf.length % blockSize;
-  const pad = mod === 0 ? blockSize : blockSize - mod;
-  return Buffer.concat([buf, Buffer.alloc(pad, pad)]);
-}
-function pkcs7Unpad(buf, blockSize) {
-  if (buf.length === 0) {
-    throw new Error("invalid pkcs7 payload");
-  }
-  const pad = buf[buf.length - 1];
-  if (!pad || pad < 1 || pad > blockSize || pad > buf.length) {
-    throw new Error("invalid pkcs7 padding");
-  }
-  for (let i = 1; i <= pad; i += 1) {
-    if (buf[buf.length - i] !== pad) {
-      throw new Error("invalid pkcs7 padding");
-    }
-  }
-  return buf.subarray(0, buf.length - pad);
-}
 function sha1Hex(input) {
-  return crypto3.createHash("sha1").update(input).digest("hex");
+  return crypto.createHash("sha1").update(input).digest("hex");
 }
-function computeBaiduAppMsgSignature(params) {
-  const parts = [params.token, params.timestamp, params.nonce, params.encrypt].map((value) => String(value ?? "")).sort();
-  return sha1Hex(parts.join(""));
+function computeAKSKBearerToken(params) {
+  return sha1Hex(params.ak + params.sk + params.timestamp + params.nonce);
 }
-function verifyBaiduAppSignature(params) {
-  const expected = computeBaiduAppMsgSignature({
-    token: params.token,
+function verifyAKSKBearerToken(params) {
+  const expected = computeAKSKBearerToken({
+    ak: params.ak,
+    sk: params.sk,
     timestamp: params.timestamp,
-    nonce: params.nonce,
-    encrypt: params.encrypt
+    nonce: params.nonce
   });
-  return expected === params.signature;
+  return expected === params.token;
 }
-function decryptBaiduAppEncrypted(params) {
-  const aesKey = decodeEncodingAESKey(params.encodingAESKey);
-  const iv = aesKey.subarray(0, 16);
-  const decipher = crypto3.createDecipheriv("aes-256-cbc", aesKey, iv);
-  decipher.setAutoPadding(false);
-  const decryptedPadded = Buffer.concat([decipher.update(Buffer.from(params.encrypt, "base64")), decipher.final()]);
-  const decrypted = pkcs7Unpad(decryptedPadded, PKCS7_BLOCK_SIZE);
-  if (decrypted.length < 20) {
-    throw new Error(`invalid decrypted payload (expected at least 20 bytes, got ${decrypted.length})`);
-  }
-  const msgLen = decrypted.readUInt32BE(16);
-  const msgStart = 20;
-  const msgEnd = msgStart + msgLen;
-  if (msgEnd > decrypted.length) {
-    throw new Error(`invalid decrypted msg length (msgEnd=${msgEnd}, payloadLength=${decrypted.length})`);
-  }
-  return decrypted.subarray(msgStart, msgEnd).toString("utf8");
+function generateNonce() {
+  return crypto.randomBytes(8).toString("hex");
 }
-function encryptBaiduAppPlaintext(params) {
-  const aesKey = decodeEncodingAESKey(params.encodingAESKey);
-  const iv = aesKey.subarray(0, 16);
-  const random16 = crypto3.randomBytes(16);
-  const msg = Buffer.from(params.plaintext ?? "", "utf8");
-  const msgLen = Buffer.alloc(4);
-  msgLen.writeUInt32BE(msg.length, 0);
-  const raw = Buffer.concat([random16, msgLen, msg]);
-  const padded = pkcs7Pad(raw, PKCS7_BLOCK_SIZE);
-  const cipher = crypto3.createCipheriv("aes-256-cbc", aesKey, iv);
-  cipher.setAutoPadding(false);
-  const encrypted = Buffer.concat([cipher.update(padded), cipher.final()]);
-  return encrypted.toString("base64");
+function buildAuthorizationHeader(params) {
+  const token = computeAKSKBearerToken(params);
+  return `Bearer ${token}`;
 }
+
+// src/types.ts
+var DEFAULT_BAIDU_APP_SESSION_ID = "agent:main:main";
 var require2 = createRequire(import.meta.url);
 var pkg = require2("../package.json");
 var PLUGIN_VERSION = pkg.version;
 
 // src/api.ts
 var logger = createLogger("openclaw-baiduapp");
+var DEFAULT_sessionId = DEFAULT_BAIDU_APP_SESSION_ID;
 async function sendBaiduAppMessage(account, message, options) {
   if (!account.canSendActive) {
-    logger.error("Account not configured for active sending (missing appKey, token, or encodingAESKey)");
+    logger.error("Account not configured for active sending (missing appKey or appSecret)");
     return {
       ok: false,
       errcode: -1,
-      errmsg: "Account not configured for active sending (missing appKey, token, or encodingAESKey)"
+      errmsg: "Account not configured for active sending (missing appKey or appSecret)"
     };
   }
   const normalizedPayload = typeof message === "string" ? {
-    msgtype: "text",
-    text: { content: message }
+    list: [{
+      type: "text",
+      data: {
+        text: { content: message }
+      }
+    }]
   } : message;
-  const payload = {
-    ...normalizedPayload,
+  const sessionId = options?.sessionId ?? DEFAULT_sessionId;
+  const callbackBody = {
+    sessionId,
+    list: normalizedPayload.list,
     version: PLUGIN_VERSION,
-    ...options?.msgid != null ? { msgid: options.msgid } : {},
-    ...options?.streamId != null ? { streamId: options.streamId } : {},
-    ...options?.chunkKey != null ? { chunkKey: options.chunkKey } : {}
+    isActive: options?.isActive || false,
+    ...options?.agentid ? { agentid: options.agentid } : {},
+    ...options?.chunkKey != null ? { chunkKey: options.chunkKey } : {},
+    ...options?.replyToMsgId ? { replyToMsgId: options.replyToMsgId } : {}
   };
-  const plaintext = JSON.stringify(payload);
-  const encrypt = encryptBaiduAppPlaintext({
-    encodingAESKey: account.encodingAESKey ?? "",
-    plaintext
-  });
   const timestamp = String(Math.floor(Date.now() / 1e3));
-  const nonce = crypto3.randomBytes(8).toString("hex");
-  const msgSignature = computeBaiduAppMsgSignature({
-    token: account.token ?? "",
+  const nonce = generateNonce();
+  const authorization = buildAuthorizationHeader({
+    ak: account.appKey ?? "",
+    sk: account.appSecret ?? "",
     timestamp,
-    nonce,
-    encrypt
+    nonce
   });
-  const sendMessageUrl = `${account.apiBase}/chat/openclaw/callback`;
-  const url = `${sendMessageUrl}?timestamp=${encodeURIComponent(timestamp)}&ak=${encodeURIComponent(account.appKey ?? "")}&nonce=${encodeURIComponent(nonce)}&msg_signature=${encodeURIComponent(msgSignature)}`;
-  const body = JSON.stringify({ encrypt });
+  const sendMessageUrl = `${account.apiBase}/channel/msg/callback`;
+  const url = `${sendMessageUrl}?timestamp=${encodeURIComponent(timestamp)}&ak=${encodeURIComponent(account.appKey ?? "")}&nonce=${encodeURIComponent(nonce)}`;
+  const body = JSON.stringify(callbackBody);
   logger.info(`POST ${url}`);
   logger.debug(`request body: ${body}`);
   const resp = await fetch(url, {
     method: "POST",
     body,
-    headers: { "Content-Type": "application/json" }
+    headers: {
+      "Authorization": authorization,
+      "Content-Type": "application/json"
+    }
   });
   const text = await resp.text();
   if (!text) {
@@ -4340,6 +4427,15 @@ async function sendBaiduAppMessage(account, message, options) {
     logger.error(`request failed: ${errmsg}`);
     return { ok: false, errcode: resp.status, errmsg };
   }
+  if (data.code !== 0) {
+    const errmsg = data.msg ?? `channel callback failed with code ${String(data.code)}`;
+    logger.error(`request failed: ${errmsg}`);
+    return {
+      ok: false,
+      errcode: data.code,
+      errmsg
+    };
+  }
   const result = {
     ok: true
   };
@@ -4365,21 +4461,21 @@ function buildMediaPayload(mediaList, opts) {
 
 // src/bot.ts
 function extractBaiduAppTextContent(msg) {
-  const msgtype = String(msg.msgtype ?? msg.MsgType ?? "").toLowerCase();
+  const msgtype = String(msg.msgtype ?? "").toLowerCase();
   if (msgtype === "text") {
-    const content = msg.text?.content ?? msg.Content;
+    const content = msg.text?.content;
     return typeof content === "string" ? content : "";
   }
   if (msgtype === "event") {
     const eventtype = String(
-      msg.event?.eventtype ?? msg.Event ?? ""
+      msg.event?.eventtype ?? ""
     ).trim();
     return eventtype ? `[event] ${eventtype}` : "[event]";
   }
   return msgtype ? `[${msgtype}]` : "";
 }
 function canDispatchBaiduAppInboundMessage(msg) {
-  const msgtype = String(msg.msgtype ?? msg.MsgType ?? "").toLowerCase();
+  const msgtype = String(msg.msgtype ?? "").toLowerCase();
   if (msgtype === "text") {
     if (extractBaiduAppTextContent(msg)) {
       return true;
@@ -4449,7 +4545,7 @@ async function dispatchBaiduAppMessage(params) {
     cfg: safeCfg,
     channel: "openclaw-baiduapp",
     accountId: account.accountId,
-    peer: { kind: "dm", id: "default" }
+    peer: { kind: "dm", id: account.accountId || DEFAULT_AGENT_ID }
   });
   logger3.info(`SessionKey: ${route.sessionKey}`);
   logger3.info(
@@ -4479,7 +4575,7 @@ async function dispatchBaiduAppMessage(params) {
     envelope: envelopeOptions,
     body: rawBody
   }) : rawBody;
-  const msgid = msg.msgid ?? msg.MsgId ?? void 0;
+  const msgid = msg.msgid ?? void 0;
   const ctxPayload = channel.reply?.finalizeInboundContext ? channel.reply.finalizeInboundContext({
     Body: body,
     RawBody: rawBody,
@@ -4685,92 +4781,122 @@ var require3 = createRequire(import.meta.url);
 var BaiduCloudSdk = require3("@baiducloud/sdk");
 var DefaultBosClient = BaiduCloudSdk.BosClient;
 var MAX_DOWNLOAD_REDIRECTS = 5;
-var EMPTY_QUERY_MD5 = crypto3.createHash("md5").update("").digest("hex");
-var SKS_BASE_TOKEN_POSITIONS = [12, 37, 5, 23, 48, 15, 62, 33];
-async function fetchSksCredentials(account, deps = {}) {
-  if (!account.appKey?.trim()) {
-    throw new Error("Cannot fetch SKS credentials without account.appKey");
-  }
-  if (!account.appSecret?.trim()) {
-    throw new Error("Cannot fetch SKS credentials without account.appSecret");
-  }
-  const fetchImpl = deps.fetchImpl ?? fetch;
-  const apiBase = account.apiBase.replace(/\/+$/, "");
-  const pageLid = deps.createPageLid?.() ?? generateSksPageLid();
-  const timestamp = String((deps.now?.() ?? /* @__PURE__ */ new Date()).getTime());
-  const token = createSksRequestToken({ pageLid, timestamp });
-  const url = `${apiBase}/file/sts?ak=${encodeURIComponent(account.appKey)}&sk=${encodeURIComponent(account.appSecret)}&tk=${encodeURIComponent(token)}`;
-  const response = await fetchImpl(url, { method: "POST" });
-  if (!response.ok) {
-    throw new Error(`SKS request failed with HTTP ${response.status}`);
-  }
-  let payload;
-  try {
-    payload = await response.json();
-  } catch (error) {
-    throw new Error(`SKS response is not valid JSON: ${formatError(error)}`, { cause: error });
-  }
-  return parseSksCredentialsFromPayload(payload);
-}
-function parseSksCredentialsFromPayload(payload) {
-  const parsed = parseSksResponse(payload);
-  if (parsed.status !== 0) {
-    throw new Error(`SKS request failed with status ${parsed.status}`);
+async function fetchFileUploadSts(options, deps = {}) {
+  assertAccountCanUseChannelApi(options.account);
+  const responsePayload = await postAuthenticatedChannelJson(
+    options.account,
+    "/channel/file/sts",
+    {
+      sessionId: options.sessionId ?? DEFAULT_BAIDU_APP_SESSION_ID,
+      filename: requireSafeDisplayFileName(options.filename),
+      fileSize: options.fileSize,
+      fileType: normalizeOutboundFileType(options.fileType),
+      ...options.md5 ? { md5: options.md5 } : {}
+    },
+    deps
+  );
+  const envelope = parseChannelEnvelope(responsePayload, "file STS");
+  const data = envelope.data;
+  if (!data) {
+    throw new Error("file STS response missing data");
   }
-  if (!parsed.data) {
-    throw new Error("SKS response missing data");
+  const fileId = requireNonEmptyString(data.fileId, "file STS data.fileId");
+  const reuse = requireBoolean(data.reuse, "file STS data.reuse");
+  if (reuse) {
+    return { fileId, reuse };
   }
   return {
-    ak: requireNonEmptyString(parsed.data.ak, "SKS data.ak"),
-    sk: requireNonEmptyString(parsed.data.sk, "SKS data.sk"),
-    sessionToken: requireNonEmptyString(parsed.data.token, "SKS data.token"),
-    bucketName: requireNonEmptyString(parsed.data.bucketName, "SKS data.bucketName"),
-    prefixPath: sanitizeObjectKeyPrefix(requireNonEmptyString(parsed.data.preFixPath, "SKS data.preFixPath")),
-    endpoint: requireNonEmptyString(parsed.data.bceUrl, "SKS data.bceUrl")
+    fileId,
+    reuse,
+    sts: parseFileUploadStsCredentials(data.sts),
+    bceUrl: requireNonEmptyString(data.bceUrl, "file STS data.bceUrl"),
+    bucket: requireNonEmptyString(data.bucket, "file STS data.bucket"),
+    bosName: requireNonEmptyString(data.bosName, "file STS data.bosName")
   };
 }
-function createSksRequestToken(params) {
-  const pageLid = requireNonEmptyString(params.pageLid, "SKS pageLid");
-  const timestamp = requireNonEmptyString(params.timestamp, "SKS timestamp");
-  const baseToken = createSksBaseToken(pageLid);
-  const payload = `${baseToken}|${EMPTY_QUERY_MD5}|${timestamp}|${pageLid}`;
-  return `${Buffer.from(payload, "utf8").toString("base64")}-${pageLid}-3`;
+async function notifyFileUploadComplete(options, deps = {}) {
+  assertAccountCanUseChannelApi(options.account);
+  if (options.fileIds.length === 0) {
+    throw new Error("file complete requires at least one fileId");
+  }
+  const responsePayload = await postAuthenticatedChannelJson(
+    options.account,
+    "/channel/file/complete",
+    {
+      sessionId: options.sessionId ?? DEFAULT_BAIDU_APP_SESSION_ID,
+      fileIds: options.fileIds
+    },
+    deps
+  );
+  const envelope = parseChannelEnvelope(responsePayload, "file complete");
+  const files = extractCompleteFiles(envelope.data);
+  const fileIds = new Set(options.fileIds);
+  for (const file of files) {
+    if (!fileIds.has(file.fileId)) {
+      continue;
+    }
+    if (file.status === -1) {
+      throw new Error(`file complete failed for fileId ${file.fileId}`);
+    }
+  }
+  return { files };
 }
-function createBosClient(credentials, deps = {}) {
+function createBosClient(fileSts, deps = {}) {
+  if (!fileSts.sts || !fileSts.bceUrl) {
+    throw new Error("Cannot create BOS client without STS credentials");
+  }
   const BosClientCtor = deps.bosClientCtor ?? DefaultBosClient;
   return new BosClientCtor({
-    endpoint: credentials.endpoint,
-    sessionToken: credentials.sessionToken,
+    endpoint: fileSts.bceUrl,
+    sessionToken: fileSts.sts.token,
     credentials: {
-      ak: credentials.ak,
-      sk: credentials.sk
+      ak: fileSts.sts.ak,
+      sk: fileSts.sts.sk
     }
   });
 }
 async function uploadLocalFileToBos(options, deps = {}) {
   const localFile = await assertUploadableLocalFile(options.filePath);
-  const credentials = await fetchSksCredentials(options.account, deps);
-  const client = createBosClient(credentials, deps);
   const sourceName = options.fileName ?? path2.basename(localFile);
-  const sanitizedFileName = sanitizeFileName(sourceName);
-  const key = buildBosObjectKey({
-    prefixPath: credentials.prefixPath,
-    fileName: sanitizedFileName,
-    now: deps.now
-  });
-  const uploadOptions = options.contentType?.trim() ? {
-    "Content-Type": options.contentType.trim()
-  } : void 0;
-  const [, fileStat] = await Promise.all([
-    client.putObjectFromFile(credentials.bucketName, key, localFile, uploadOptions),
-    fs2.stat(localFile)
-  ]);
+  const fileName = requireSafeDisplayFileName(sourceName);
+  const [fileBuffer, fileStat] = await Promise.all([fs2.readFile(localFile), fs2.stat(localFile)]);
+  const md5 = crypto.createHash("md5").update(fileBuffer).digest("hex");
+  const fileType = inferOutboundFileType(fileName);
+  const fileSts = await fetchFileUploadSts(
+    {
+      account: options.account,
+      sessionId: options.sessionId,
+      filename: fileName,
+      fileSize: fileStat.size,
+      fileType,
+      md5
+    },
+    deps
+  );
+  if (!fileSts.reuse) {
+    const bucketName = requireNonEmptyString(fileSts.bucket, "file STS bucket");
+    const key = requireNonEmptyString(fileSts.bosName, "file STS bosName");
+    const client = createBosClient(fileSts, deps);
+    const uploadOptions = options.contentType?.trim() ? {
+      "Content-Type": options.contentType.trim()
+    } : void 0;
+    await client.putObjectFromFile(bucketName, key, localFile, uploadOptions);
+  }
+  await notifyFileUploadComplete(
+    {
+      account: options.account,
+      sessionId: options.sessionId,
+      fileIds: [fileSts.fileId]
+    },
+    deps
+  );
   return {
-    bucketName: credentials.bucketName,
-    key,
-    url: client.generateUrl(credentials.bucketName, key),
-    fileName: sanitizedFileName,
-    fileSize: fileStat.size
+    fileId: fileSts.fileId,
+    bucketName: fileSts.bucket,
+    key: fileSts.bosName,
+    fileName,
+    fileSize: fileStat.size,
+    reuse: fileSts.reuse
   };
 }
 async function downloadInboundFileToTemp(options, deps = {}) {
@@ -4868,38 +4994,93 @@ async function pruneExpiredTempFiles(deps = {}) {
   await walk(tempDir);
   return { deletedFiles };
 }
-function parseSksResponse(payload) {
+async function postAuthenticatedChannelJson(account, pathname, bodyPayload, deps) {
+  const fetchImpl = deps.fetchImpl ?? fetch;
+  const now = deps.now?.() ?? /* @__PURE__ */ new Date();
+  const timestamp = String(Math.floor(now.getTime() / 1e3));
+  const nonce = (deps.generateNonceImpl ?? generateNonce)();
+  const authorization = buildAuthorizationHeader({
+    ak: account.appKey ?? "",
+    sk: account.appSecret ?? "",
+    timestamp,
+    nonce
+  });
+  const url = new URL(`${account.apiBase.replace(/\/+$/, "")}${pathname}`);
+  url.searchParams.set("ak", account.appKey ?? "");
+  url.searchParams.set("timestamp", timestamp);
+  url.searchParams.set("nonce", nonce);
+  const response = await fetchImpl(url.toString(), {
+    method: "POST",
+    headers: {
+      "Authorization": authorization,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(bodyPayload)
+  });
+  if (!response.ok) {
+    throw new Error(`channel request failed with HTTP ${response.status}`);
+  }
+  try {
+    return await response.json();
+  } catch (error) {
+    throw new Error(`channel response is not valid JSON: ${formatError(error)}`, { cause: error });
+  }
+}
+function parseChannelEnvelope(payload, label) {
   if (!payload || typeof payload !== "object") {
-    throw new Error("SKS response must be an object");
+    throw new Error(`${label} response must be an object`);
   }
   const record = payload;
-  const status = typeof record.code === "number" ? record.code : typeof record.status === "number" ? record.status : void 0;
+  const code = record.code;
+  if (typeof code !== "number") {
+    throw new Error(`${label} response missing numeric code`);
+  }
+  if (code !== 0) {
+    const msg = typeof record.msg === "string" ? record.msg : "unknown error";
+    throw new Error(`${label} request failed with code ${code}: ${msg}`);
+  }
   const data = record.data;
   return {
-    status,
-    data: data && typeof data === "object" ? {
-      ak: data.ak,
-      sk: data.sk,
-      token: data.token,
-      bucketName: data.bucketName,
-      preFixPath: data.preFixPath,
-      bceUrl: data.bceUrl
-    } : void 0
+    code,
+    msg: typeof record.msg === "string" ? record.msg : void 0,
+    data: data && typeof data === "object" ? data : void 0
   };
 }
-function generateSksPageLid() {
-  return crypto3.randomBytes(16).toString("hex");
+function parseFileUploadStsCredentials(payload) {
+  if (!payload || typeof payload !== "object") {
+    throw new Error("file STS data.sts is required");
+  }
+  const record = payload;
+  return {
+    ak: requireNonEmptyString(record.ak, "file STS data.sts.ak"),
+    sk: requireNonEmptyString(record.sk, "file STS data.sts.sk"),
+    token: requireNonEmptyString(record.token, "file STS data.sts.token"),
+    expireAt: requireNumber(record.expireAt, "file STS data.sts.expireAt")
+  };
 }
-function createSksBaseToken(pageLid) {
-  const pageLidHash = crypto3.createHash("sha256").update(pageLid).digest("hex");
-  const characters = SKS_BASE_TOKEN_POSITIONS.map((position) => {
-    const character = pageLidHash[position];
-    if (!character) {
-      throw new Error(`SKS base token position is out of range: ${position}`);
-    }
-    return character;
+function extractCompleteFiles(payload) {
+  const files = payload?.files;
+  if (!Array.isArray(files)) {
+    return [];
+  }
+  return files.map((file, index) => {
+    if (!file || typeof file !== "object") {
+      throw new Error(`file complete data.files[${index}] must be an object`);
+    }
+    const record = file;
+    return {
+      fileId: requireNonEmptyString(record.fileId, `file complete data.files[${index}].fileId`),
+      status: requireNumber(record.status, `file complete data.files[${index}].status`)
+    };
   });
-  return characters.join("");
+}
+function assertAccountCanUseChannelApi(account) {
+  if (!account.appKey?.trim()) {
+    throw new Error("Cannot call channel API without account.appKey");
+  }
+  if (!account.appSecret?.trim()) {
+    throw new Error("Cannot call channel API without account.appSecret");
+  }
 }
 function requireNonEmptyString(value, label) {
   if (typeof value !== "string" || !value.trim()) {
@@ -4907,36 +5088,19 @@ function requireNonEmptyString(value, label) {
   }
   return value.trim();
 }
-function sanitizeObjectKeyPrefix(prefixPath) {
-  const normalized = prefixPath.replace(/\\/g, "/").trim();
-  const segments = normalized.split("/").map((segment) => segment.trim()).filter(Boolean);
-  if (segments.length === 0) {
-    throw new Error("SKS data.preFixPath must contain at least one safe path segment");
+function requireBoolean(value, label) {
+  if (typeof value !== "boolean") {
+    throw new Error(`${label} must be a boolean`);
   }
-  const safeSegments = segments.map((segment) => {
-    if (segment === "." || segment === "..") {
-      throw new Error("SKS data.preFixPath contains path traversal");
-    }
-    return sanitizeObjectKeySegment(segment);
-  });
-  return safeSegments.join("/");
+  return value;
 }
-function sanitizeObjectKeySegment(segment) {
-  const sanitized = segment.replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
-  if (!sanitized) {
-    throw new Error(`Object key segment is not safe: ${segment}`);
+function requireNumber(value, label) {
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    throw new Error(`${label} must be a finite number`);
   }
-  return sanitized.slice(0, 80);
-}
-function sanitizeFileName(fileName) {
-  assertSafeUntrustedFileName(fileName);
-  const parsed = path2.parse(fileName.trim());
-  const safeBase = parsed.name.replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
-  const safeExt = parsed.ext.replace(/[^a-zA-Z0-9.]+/g, "").slice(0, 16);
-  const baseName = safeBase || "file";
-  return `${baseName.slice(0, 80)}${safeExt}`;
+  return value;
 }
-function assertSafeUntrustedFileName(fileName) {
+function requireSafeDisplayFileName(fileName) {
   const trimmed = fileName.trim();
   if (!trimmed) {
     throw new Error("Filename cannot be empty");
@@ -4947,14 +5111,18 @@ function assertSafeUntrustedFileName(fileName) {
   if (trimmed === "." || trimmed === "..") {
     throw new Error(`Filename is not safe: ${fileName}`);
   }
+  return trimmed;
 }
-function buildBosObjectKey(params) {
-  const timestamp = formatUtcDate(params.now?.() ?? /* @__PURE__ */ new Date());
-  const uniqueId = crypto3.randomUUID();
-  return `${params.prefixPath}/${timestamp}/${uniqueId}-${params.fileName}`;
+function normalizeOutboundFileType(fileType) {
+  const normalized = fileType.trim().replace(/^\.+/, "").toLowerCase();
+  if (!normalized) {
+    throw new Error("fileType is required");
+  }
+  return normalized;
 }
-function formatUtcDate(date) {
-  return date.toISOString().slice(0, 10);
+function inferOutboundFileType(fileName) {
+  const extension = path2.extname(fileName).replace(/^\./, "").toLowerCase();
+  return extension || "bin";
 }
 async function assertUploadableLocalFile(filePath) {
   const resolvedPath = path2.resolve(filePath);
@@ -5079,11 +5247,11 @@ function parseContentDispositionFileName(contentDisposition) {
 }
 function resolveDownloadFileName(params) {
   const candidate = params.explicitFileName ?? params.headerFileName ?? params.urlFileName ?? "file.bin";
-  return sanitizeFileName(candidate);
+  return requireSafeDisplayFileName(candidate);
 }
 function buildTempFilePath(params) {
   const timestamp = (params.now?.() ?? /* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-  return path2.join(params.tempDir, `${timestamp}-${crypto3.randomUUID()}-${params.fileName}`);
+  return path2.join(params.tempDir, `${timestamp}-${crypto.randomUUID()}-${params.fileName}`);
 }
 async function ensurePluginTempDir(resolveTmpDir) {
   const baseTmpDir = resolveTmpDir?.() ?? resolvePreferredOpenClawTmpDir();
@@ -5144,12 +5312,12 @@ function normalizeWebhookPath(raw) {
 function jsonOk(res, body) {
   res.statusCode = 200;
   res.setHeader("Content-Type", "application/json; charset=utf-8");
-  res.end(JSON.stringify({ status: 0, data: body }));
+  res.end(JSON.stringify({ code: 0, msg: "success", data: body }));
 }
 function jsonError(res, message, statusCode = 200) {
   res.statusCode = statusCode;
   res.setHeader("Content-Type", "application/json; charset=utf-8");
-  res.end(JSON.stringify({ status: -1, message }));
+  res.end(JSON.stringify({ code: -1, msg: message, data: {} }));
 }
 async function readRawBody(req, maxBytes) {
   const chunks = [];
@@ -5181,47 +5349,6 @@ async function readRawBody(req, maxBytes) {
     });
   });
 }
-function parseXmlBody(xml) {
-  const result = {};
-  const cdataRegex = /<(\w+)><!\[CDATA\[([\s\S]*?)\]\]><\/\1>/g;
-  let match;
-  while ((match = cdataRegex.exec(xml)) !== null) {
-    const [, key = "", value = ""] = match;
-    result[key] = value;
-  }
-  const simpleRegex = /<(\w+)>([^<]*)<\/\1>/g;
-  while ((match = simpleRegex.exec(xml)) !== null) {
-    const [, key = "", value = ""] = match;
-    if (!result[key]) {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-function isXmlFormat(raw) {
-  const trimmed = raw.trim();
-  return trimmed.startsWith("<") && trimmed.endsWith(">");
-}
-function buildEncryptedJsonReply(params) {
-  const base = params.plaintextJson != null && typeof params.plaintextJson === "object" ? params.plaintextJson : {};
-  const plaintext = JSON.stringify({ ...base, version: PLUGIN_VERSION });
-  const encrypt = encryptBaiduAppPlaintext({
-    encodingAESKey: params.account.encodingAESKey ?? "",
-    plaintext
-  });
-  const msgsignature = computeBaiduAppMsgSignature({
-    token: params.account.token ?? "",
-    timestamp: params.timestamp,
-    nonce: params.nonce,
-    encrypt
-  });
-  return {
-    encrypt,
-    msgsignature,
-    timestamp: params.timestamp,
-    nonce: params.nonce
-  };
-}
 function resolveQueryParams(req) {
   const url = new URL(req.url ?? "/", "http://localhost");
   return url.searchParams;
@@ -5230,8 +5357,16 @@ function resolvePath(req) {
   const url = new URL(req.url ?? "/", "http://localhost");
   return normalizeWebhookPath(url.pathname || "/");
 }
-function resolveSignatureParam(params) {
-  return params.get("msg_signature") ?? params.get("msgsignature") ?? params.get("signature") ?? "";
+function resolveBearerToken(req) {
+  const authorization = req.headers.authorization ?? req.headers.Authorization;
+  if (Array.isArray(authorization)) {
+    return "";
+  }
+  const value = typeof authorization === "string" ? authorization.trim() : "";
+  if (!value.toLowerCase().startsWith("bearer ")) {
+    return "";
+  }
+  return value.slice(7).trim();
 }
 function buildLogger(target) {
   return createLogger("openclaw-baiduapp", {
@@ -5299,50 +5434,49 @@ async function downloadInboundFiles(params) {
     }
   };
 }
-function parseBaiduAppPlainMessage(raw) {
-  const trimmed = raw.trim();
-  if (trimmed.startsWith("<") && trimmed.endsWith(">")) {
-    const xmlData = parseXmlBody(trimmed);
-    return {
-      msgtype: xmlData.MsgType,
-      MsgType: xmlData.MsgType,
-      msgid: xmlData.MsgId,
-      MsgId: xmlData.MsgId,
-      content: xmlData.Content,
-      Content: xmlData.Content,
-      from: xmlData.FromUserName ? { appkey: xmlData.FromUserName } : void 0,
-      ToUserName: xmlData.ToUserName,
-      CreateTime: xmlData.CreateTime ? Number(xmlData.CreateTime) : void 0,
-      BotID: xmlData.BotID ? Number(xmlData.BotID) : void 0,
-      Event: xmlData.Event
-    };
-  }
+function parseV2MsgToInbound(inner, outer) {
+  const list = Array.isArray(inner.list) ? inner.list : [];
+  const textItem = list.find(
+    (item) => item && typeof item === "object" && item.type === "text"
+  );
+  const fileItems = list.filter(
+    (item) => item && typeof item === "object" && item.type === "file"
+  );
+  const textContent = textItem?.data?.text?.content ?? "";
+  const files = fileItems.map((f) => ({ url: f.data.file_id, fileType: "file" }));
+  return {
+    msgtype: "text",
+    msgid: typeof outer.msgid === "string" ? outer.msgid : void 0,
+    agentid: typeof outer.agentid === "string" ? outer.agentid : void 0,
+    text: textContent ? { content: textContent } : void 0,
+    ...files.length > 0 ? { files } : {}
+  };
+}
+function parseBaiduAppCandidates(params) {
+  const results = [];
+  let outer = {};
   try {
-    const parsed = JSON.parse(trimmed);
-    if (!parsed || typeof parsed !== "object") {
-      return {};
+    const parsed = JSON.parse(params.raw);
+    if (parsed && typeof parsed === "object") {
+      outer = parsed;
     }
-    return parsed;
   } catch {
-    return {};
+    outer = {};
   }
-}
-function decryptBaiduAppCandidates(params) {
-  const results = [];
-  for (const candidate of params.candidates) {
-    if (!candidate.account.encodingAESKey) {
-      continue;
-    }
+  let inner = {};
+  if (typeof outer.msg === "string") {
     try {
-      const plaintext = decryptBaiduAppEncrypted({
-        encodingAESKey: candidate.account.encodingAESKey,
-        encrypt: params.encrypt
-      });
-      const msg = parseBaiduAppPlainMessage(plaintext);
-      results.push({ target: candidate, plaintext, msg });
+      const parsedInner = JSON.parse(outer.msg);
+      if (parsedInner && typeof parsedInner === "object") {
+        inner = parsedInner;
+      }
     } catch {
+      inner = {};
     }
   }
+  for (const candidate of params.candidates) {
+    results.push({ target: candidate, msg: parseV2MsgToInbound(inner, outer) });
+  }
   return results;
 }
 function selectDecryptedTarget(params) {
@@ -5359,8 +5493,9 @@ async function processBaiduAppInboundMessage(params) {
   const { target, msg } = params;
   const logger3 = buildLogger(target);
   target.statusSink?.({ lastInboundAt: Date.now() });
-  const msgtype = String(msg.msgtype ?? msg.MsgType ?? "").toLowerCase();
-  const msgid = msg.msgid ?? msg.MsgId ? String(msg.msgid ?? msg.MsgId) : void 0;
+  const msgtype = String(msg.msgtype ?? "").toLowerCase();
+  const msgid = msg.msgid ? String(msg.msgid) : void 0;
+  const agentId = extractAgentId(msg);
   logger3.info(`inbound: type=${msgtype || "unknown"} msgid=${msgid ?? "none"} account=${target.account.accountId}`);
   if (!canDispatchBaiduAppInboundMessage(msg)) {
     logger3.warn(`inbound message skipped: type=${msgtype || "unknown"} reason=no-dispatchable-content`);
@@ -5368,6 +5503,11 @@ async function processBaiduAppInboundMessage(params) {
   }
   const inboundFileResult = msgtype === "text" ? await downloadInboundFiles({ msg, logger: logger3, runtime: target.runtime }) : { localFiles: [], diagnostic: {} };
   const inboundMediaFiles = inboundFileResult.localFiles;
+  const agentAccount = resolveAgentAccount({
+    baseAccount: target.account,
+    cfg: target.config,
+    agentId
+  });
   const core = tryGetBaiduAppRuntime();
   if (core) {
     logger3.info(`agent dispatch started: canSendActive=${target.account.canSendActive}`);
@@ -5380,8 +5520,9 @@ async function processBaiduAppInboundMessage(params) {
         );
         target.statusSink?.({ lastOutboundAt: Date.now() });
         if (target.account.canSendActive) {
-          sendBaiduAppMessage(target.account, text, {
-            msgid,
+          sendBaiduAppMessage(agentAccount, text, {
+            replyToMsgId: msgid,
+            agentid: agentId,
             chunkKey: currentChunkKey
           }).then((result) => {
             if (!result.ok) {
@@ -5404,7 +5545,7 @@ async function processBaiduAppInboundMessage(params) {
     };
     dispatchBaiduAppMessage({
       cfg: target.config,
-      account: target.account,
+      account: agentAccount,
       msg,
       core,
       hooks,
@@ -5446,53 +5587,43 @@ async function handleBaiduAppWebhookRequest(req, res) {
   const query = resolveQueryParams(req);
   const timestamp = query.get("timestamp") ?? "";
   const nonce = query.get("nonce") ?? "";
-  const signature = resolveSignatureParam(query);
+  const ak = query.get("ak") ?? "";
+  const token = resolveBearerToken(req);
   const primary = targets[0];
   const logger3 = buildLogger(primary);
   if (req.method === "GET") {
     const echostr = query.get("echostr") ?? "";
-    if (!timestamp || !nonce || !signature || !echostr) {
+    if (!ak || !timestamp || !nonce || !token || !echostr) {
       jsonError(res, "missing query params", 400);
       return true;
     }
-    const signatureMatched2 = targets.filter((candidate) => {
-      if (!candidate.account.token) {
+    const tokenMatched2 = targets.filter((candidate) => {
+      if (!candidate.account.appKey || !candidate.account.appSecret) {
         return false;
       }
-      return verifyBaiduAppSignature({
-        token: candidate.account.token,
+      if (candidate.account.appKey !== ak) {
+        return false;
+      }
+      return verifyAKSKBearerToken({
+        ak: candidate.account.appKey,
+        sk: candidate.account.appSecret,
         timestamp,
         nonce,
-        encrypt: echostr,
-        signature
+        token
       });
     });
-    if (signatureMatched2.length === 0) {
+    if (tokenMatched2.length === 0) {
       jsonError(res, "unauthorized");
       return true;
     }
-    const decryptable2 = signatureMatched2.filter((candidate) => Boolean(candidate.account.encodingAESKey));
-    if (decryptable2.length === 0) {
-      jsonError(res, "unauthorized");
-      return true;
-    }
-    const decryptedCandidates2 = decryptBaiduAppCandidates({
-      candidates: decryptable2,
-      encrypt: echostr
-    });
-    if (decryptedCandidates2.length === 0) {
-      jsonError(res, "decrypt failed");
-      return true;
-    }
-    const selected2 = selectDecryptedTarget({ candidates: decryptedCandidates2, logger: logger3 });
-    jsonOk(res, selected2.plaintext);
+    jsonOk(res, echostr);
     return true;
   }
   if (req.method !== "POST") {
     jsonError(res, "Method Not Allowed", 405);
     return true;
   }
-  if (!timestamp || !nonce || !signature) {
+  if (!ak || !timestamp || !nonce || !token) {
     jsonError(res, "missing query params");
     return true;
   }
@@ -5502,90 +5633,56 @@ async function handleBaiduAppWebhookRequest(req, res) {
     return true;
   }
   const rawBody = body.raw;
-  let encrypt = "";
-  let msgSignature = signature;
-  let msgTimestamp = timestamp;
-  let msgNonce = nonce;
-  if (isXmlFormat(rawBody)) {
-    const xmlData = parseXmlBody(rawBody);
-    encrypt = xmlData.Encrypt ?? "";
-    msgSignature = xmlData.MsgSignature ?? signature;
-    msgTimestamp = xmlData.TimeStamp ?? timestamp;
-    msgNonce = xmlData.Nonce ?? nonce;
-    logger3.info(`inbound xml parsed: hasEncrypt=${Boolean(encrypt)}, msg_signature=${msgSignature ? "yes" : "no"}`);
-  } else {
-    try {
-      const record = JSON.parse(rawBody);
-      encrypt = String(record.encrypt ?? record.Encrypt ?? "");
-      logger3.info(`inbound json parsed: hasEncrypt=${Boolean(encrypt)}`);
-    } catch {
-      logger3.warn(`inbound payload parse failed: not valid xml or json`);
-      jsonError(res, "invalid payload format");
-      return true;
-    }
-  }
-  if (!encrypt) {
-    jsonError(res, "missing encrypt");
+  try {
+    JSON.parse(rawBody);
+    logger3.info("inbound json parsed");
+  } catch {
+    logger3.warn("inbound payload parse failed: not valid json");
+    jsonError(res, "invalid payload format");
     return true;
   }
-  const signatureMatched = targets.filter((candidate) => {
-    if (!candidate.account.token) {
+  const tokenMatched = targets.filter((candidate) => {
+    if (!candidate.account.appKey || !candidate.account.appSecret) {
+      return false;
+    }
+    if (candidate.account.appKey !== ak) {
       return false;
     }
-    return verifyBaiduAppSignature({
-      token: candidate.account.token,
-      timestamp: msgTimestamp,
-      nonce: msgNonce,
-      encrypt,
-      signature: msgSignature
+    return verifyAKSKBearerToken({
+      ak: candidate.account.appKey,
+      sk: candidate.account.appSecret,
+      timestamp,
+      nonce,
+      token
     });
   });
-  if (signatureMatched.length === 0) {
-    logger3.warn(`signature verification failed: checked ${targets.length} account(s), none matched`);
+  if (tokenMatched.length === 0) {
+    logger3.warn(`bearer token verification failed: checked ${targets.length} account(s), none matched`);
     jsonError(res, "unauthorized");
     return true;
   }
-  logger3.debug(`signature verified: ${signatureMatched.length} account(s) matched`);
-  const decryptable = signatureMatched.filter((candidate) => Boolean(candidate.account.encodingAESKey));
-  if (decryptable.length === 0) {
-    logger3.warn(`no account has encodingAESKey configured`);
-    jsonError(res, "openclaw-baiduapp not configured");
-    return true;
-  }
-  const decryptedCandidates = decryptBaiduAppCandidates({
-    candidates: decryptable,
-    encrypt
+  logger3.debug(`bearer token verified: ${tokenMatched.length} account(s) matched`);
+  const decryptedCandidates = parseBaiduAppCandidates({
+    candidates: tokenMatched,
+    raw: rawBody
   });
-  if (decryptedCandidates.length === 0) {
-    logger3.warn(`decrypt failed for all ${decryptable.length} candidate account(s)`);
-    jsonError(res, "decrypt failed");
-    return true;
-  }
   const selected = selectDecryptedTarget({ candidates: decryptedCandidates, logger: logger3 });
   const target = selected.target;
-  if (!target.account.configured || !target.account.token || !target.account.encodingAESKey) {
+  if (!target.account.configured || !target.account.appKey || !target.account.appSecret) {
     logger3.warn(`selected account ${target.account.accountId} not fully configured`);
     jsonError(res, "openclaw-baiduapp not configured");
     return true;
   }
-  const reply = await processBaiduAppInboundMessage({
+  await processBaiduAppInboundMessage({
     target,
     msg: selected.msg
   });
-  jsonOk(
-    res,
-    buildEncryptedJsonReply({
-      account: target.account,
-      plaintextJson: reply,
-      nonce: msgNonce,
-      timestamp: msgTimestamp
-    })
-  );
+  jsonOk(res, {});
   return true;
 }
 
 // src/poller.ts
-var DEFAULT_POLL_INTERVAL_MS = 1e3;
+var DEFAULT_POLL_INTERVAL_MS = 3e3;
 var DEFAULT_POLL_REQUEST_TIMEOUT_MS = 1e4;
 var accountPollers = /* @__PURE__ */ new Map();
 function buildPollingTextInboundMessage(content) {
@@ -5596,21 +5693,36 @@ function buildPollingTextInboundMessage(content) {
     }
   };
 }
+function parseTextAndFilesFromList(list) {
+  const textItem = list.find((entry) => entry.type === "text");
+  const fileItems = list.filter((entry) => entry.type === "file");
+  const content = textItem?.type === "text" ? textItem.data.text.content : void 0;
+  const files = fileItems.map((file) => {
+    const fileId = file.data.file.fileId;
+    return typeof fileId === "string" && fileId.trim() ? { url: fileId, fileType: "file" } : null;
+  }).filter((file) => file != null);
+  return { content, files };
+}
 async function dispatchPendingPollingMessages(data, target) {
+  console.log(data);
   if (!target || data.length === 0) {
     return;
   }
   for (const item of data) {
-    if (String(item.msgtype).toLowerCase() !== "text") {
-      continue;
-    }
-    const content = item.data?.content;
-    if (typeof content !== "string" || content.length === 0) {
+    const list = Array.isArray(item.list) ? item.list : [];
+    const { content, files } = parseTextAndFilesFromList(list);
+    console.log({ content, files });
+    if (typeof content !== "string" && files.length === 0) {
       continue;
     }
     await processBaiduAppInboundMessage({
       target,
-      msg: buildPollingTextInboundMessage(content)
+      msg: {
+        ...buildPollingTextInboundMessage(typeof content === "string" ? content : ""),
+        msgid: typeof item.msgId === "string" ? item.msgId : void 0,
+        agentid: typeof item.agentId === "string" ? item.agentId : void 0,
+        ...files.length > 0 ? { files } : {}
+      }
     });
   }
 }
@@ -5665,12 +5777,29 @@ function createAbortSignalController(params) {
   };
 }
 async function pollBaiduAppChatlistOnce(account, loggerOptions, requestOptions) {
-  const endpoint = `${account.apiBase}/chat/demo/chatlist`;
+  const endpoint = `${account.apiBase}/channel/msg/poll`;
+  const logger3 = createLogger("openclaw-baiduapp:poller", loggerOptions);
+  const timestamp = String(Math.floor(Date.now() / 1e3));
+  const nonce = generateNonce();
+  const authorization = buildAuthorizationHeader({
+    ak: account.appKey ?? "",
+    sk: account.appSecret ?? "",
+    timestamp,
+    nonce
+  });
   const query = new URLSearchParams({
     ak: account.appKey ?? "",
-    sk: account.appSecret ?? ""
+    timestamp,
+    nonce
   });
   const url = `${endpoint}?${query.toString()}`;
+  const payload = {
+    sessionId: "agent:main:main",
+    num: 5,
+    version: PLUGIN_VERSION
+  };
+  const body = JSON.stringify(payload);
+  console.log("start poll", url);
   const requestSignal = createAbortSignalController({
     signal: requestOptions?.signal,
     timeoutMs: requestOptions?.timeoutMs
@@ -5678,8 +5807,13 @@ async function pollBaiduAppChatlistOnce(account, loggerOptions, requestOptions)
   let response;
   try {
     response = await (requestOptions?.fetchImpl ?? fetch)(url, {
-      method: "GET",
-      signal: requestSignal.signal
+      method: "POST",
+      body,
+      signal: requestSignal.signal,
+      headers: {
+        "Authorization": authorization,
+        "Content-Type": "application/json"
+      }
     });
   } catch (error) {
     requestSignal.cleanup();
@@ -5732,10 +5866,13 @@ async function pollBaiduAppChatlistOnce(account, loggerOptions, requestOptions)
       }
     });
   }
-  const data = Array.isArray(parsed.data) ? parsed.data : [];
+  if (parsed.code !== 0) {
+    logger3.debug(`Baidu poll returned non-zero code=${String(parsed.code)}, message=${parsed.message}`);
+  }
+  const msgList = Array.isArray(parsed.data?.msgList) ? parsed.data.msgList : [];
   return buildPollResult({
     ok: true,
-    data
+    data: msgList
   });
 }
 function scheduleNextPoll(account, state) {
@@ -5851,16 +5988,33 @@ function resolveOutboundLocalMediaPath(mediaUrl) {
   }
   return trimmed;
 }
-function inferBaiduOutboundFileType(params) {
-  const ext = path2.extname(params.mediaPath).toLowerCase();
-  return ext.startsWith(".") ? ext.slice(1) : ext || "bin";
-}
 function buildOutboundMediaPayload(params) {
   const caption = params.caption?.trim();
+  const mediaItem = params.externalUrl ? {
+    type: "external_url",
+    data: {
+      externalUrl: {
+        url: params.externalUrl
+      }
+    }
+  } : {
+    type: "file",
+    data: {
+      file: {
+        fileId: params.fileId ?? ""
+      }
+    }
+  };
   return {
-    msgtype: "text",
-    ...caption ? { text: { content: caption } } : {},
-    files: [{ url: params.uploadedUrl, fileType: params.fileType }]
+    list: [
+      ...caption ? [{
+        type: "text",
+        data: {
+          text: { content: caption }
+        }
+      }] : [],
+      mediaItem
+    ]
   };
 }
 function resolveDirectOutboundFiles(files) {
@@ -6097,7 +6251,10 @@ var baiduAppPlugin = {
         };
       }
       try {
-        const result = await sendBaiduAppMessage(account, params.text);
+        const result = await sendBaiduAppMessage(account, params.text, {
+          agentid: account.accountId,
+          isActive: true
+        });
         return {
           channel: "openclaw-baiduapp",
           ok: result.ok,
@@ -6140,14 +6297,15 @@ var baiduAppPlugin = {
             account,
             buildOutboundMediaPayload({
               caption: params.text,
-              uploadedUrl: remoteUrl,
-              fileType: inferBaiduOutboundFileType({ mediaPath: remoteUrl })
-            })
+              externalUrl: remoteUrl
+            }),
+            { agentid: account.accountId, isActive: true }
           );
           return {
             channel: "openclaw-baiduapp",
-            ok: true,
-            messageId: result.msgid ?? ""
+            ok: result.ok,
+            messageId: result.msgid ?? "",
+            error: result.ok ? void 0 : new Error(result.errmsg ?? "send failed")
           };
         } catch (err) {
           return {
@@ -6180,11 +6338,9 @@ var baiduAppPlugin = {
           account,
           buildOutboundMediaPayload({
             caption: params.text,
-            uploadedUrl: uploaded.url,
-            fileType: inferBaiduOutboundFileType({
-              mediaPath: uploaded.fileName || localMediaPath
-            })
-          })
+            fileId: uploaded.fileId
+          }),
+          { agentid: account.accountId, isActive: true }
         );
         return {
           channel: "openclaw-baiduapp",
@@ -6206,6 +6362,18 @@ var baiduAppPlugin = {
       }
     }
   },
+  auth: {
+    login: async (params) => {
+      void params.channelInput;
+      const { loginBaiduApp: loginBaiduApp2 } = await Promise.resolve().then(() => (init_login(), login_exports));
+      await loginBaiduApp2({
+        cfg: params.cfg,
+        accountId: params.accountId,
+        runtime: params.runtime,
+        verbose: params.verbose
+      });
+    }
+  },
   gateway: {
     startAccount: async (ctx) => {
       ctx.setStatus?.({ accountId: ctx.accountId });
@@ -6243,21 +6411,19 @@ var baiduAppPlugin = {
         existing();
       }
       unregisterHooks.set(ctx.accountId, unregister);
-      if (account.config.pollingEnabled === true) {
-        startAccountPolling({
+      startAccountPolling({
+        account,
+        dispatchTarget: {
           account,
-          dispatchTarget: {
-            account,
-            config: ctx.cfg ?? {},
-            runtime: runtime2,
-            statusSink: (patch) => ctx.setStatus?.({ accountId: ctx.accountId, ...patch })
-          },
-          onError: (error) => {
-            const message = error instanceof Error ? error.message : String(error);
-            ctx.log?.error(`[openclaw-baiduapp] polling failed for account ${ctx.accountId}: ${message}`);
-          }
-        });
-      }
+          config: ctx.cfg ?? {},
+          runtime: runtime2,
+          statusSink: (patch) => ctx.setStatus?.({ accountId: ctx.accountId, ...patch })
+        },
+        onError: (error) => {
+          const message = error instanceof Error ? error.message : String(error);
+          ctx.log?.error(`[openclaw-baiduapp] polling failed for account ${ctx.accountId}: ${message}`);
+        }
+      });
       ctx.log?.info(
         `[openclaw-baiduapp] webhook registered at ${path4} for account ${ctx.accountId} (canSendActive=${account.canSendActive})`
       );
@@ -6309,7 +6475,7 @@ async function sendMessage(account, options) {
     };
   }
   try {
-    const textResult = await sendBaiduAppMessage(account, options.text);
+    const textResult = await sendBaiduAppMessage(account, options.text, { isActive: true });
     return {
       ok: textResult.ok,
       msgid: textResult.msgid,