@searchfe/openclaw-baiduapp 0.1.9-beta.3 → 0.1.9

package/dist/index.js

@@ -1,8 +1,6 @@
-import { spawnSync } from 'child_process';
-import readline from 'readline';
 import path2 from 'path';
 import { fileURLToPath } from 'url';
-import crypto from 'crypto';
+import crypto3 from 'crypto';
 import { createRequire } from 'module';
 import { lookup } from 'dns/promises';
 import fs2 from 'fs/promises';
@@ -1360,19 +1358,19 @@ var require_package = __commonJS({
 var require_crypto = __commonJS({
   "node_modules/.pnpm/@baiducloud+sdk@1.0.7/node_modules/@baiducloud/sdk/src/crypto.js"(exports$1) {
     var fs3 = __require("fs");
-    var crypto3 = __require("crypto");
+    var crypto4 = __require("crypto");
     var Q = require_q();
     exports$1.md5sum = function(data, enc, digest) {
       if (!Buffer.isBuffer(data)) {
         data = new Buffer(data, enc || "UTF-8");
       }
-      var md5 = crypto3.createHash("md5");
+      var md5 = crypto4.createHash("md5");
       md5.update(data);
       return md5.digest(digest || "base64");
     };
     exports$1.md5stream = function(stream, digest) {
       var deferred = Q.defer();
-      var md5 = crypto3.createHash("md5");
+      var md5 = crypto4.createHash("md5");
       stream.on("data", function(chunk2) {
         md5.update(chunk2);
       });
@@ -5131,8 +5129,8 @@ var require_auth = __commonJS({
       return [canonicalHeaders.join("\n"), signedHeaders];
     };
     Auth.prototype.hash = function(data, key) {
-      var crypto3 = __require("crypto");
-      var sha256Hmac = crypto3.createHmac("sha256", key);
+      var crypto4 = __require("crypto");
+      var sha256Hmac = crypto4.createHmac("sha256", key);
       sha256Hmac.update(data);
       return sha256Hmac.digest("hex");
     };
@@ -14399,7 +14397,7 @@ var require_bos_client = __commonJS({
     var H = require_headers();
     var strings = require_strings();
     var Auth = require_auth();
-    var crypto3 = require_crypto();
+    var crypto4 = require_crypto();
     var HttpClient = require_http_client();
     var BceBaseClient = require_bce_base_client();
     var MimeType = require_mime_types();
@@ -15016,7 +15014,7 @@ var require_bos_client = __commonJS({
       var headers = {};
       headers[H.CONTENT_LENGTH] = Buffer.byteLength(data);
       headers[H.CONTENT_TYPE] = options[H.CONTENT_TYPE] || MimeType.guess(path4.extname(key));
-      headers[H.CONTENT_MD5] = crypto3.md5sum(data);
+      headers[H.CONTENT_MD5] = crypto4.md5sum(data);
       options = u.extend(headers, options);
       return this.putObject(bucketName, key, data, options);
     };
@@ -15048,7 +15046,7 @@ var require_bos_client = __commonJS({
       }
       if (!u.has(options, H.CONTENT_MD5)) {
         var fp2 = fs3.createReadStream(filename, streamOptions);
-        return crypto3.md5stream(fp2).then(function(md5sum) {
+        return crypto4.md5stream(fp2).then(function(md5sum) {
           options[H.CONTENT_MD5] = md5sum;
           return putObjectWithRetry(options.retryCount || MAX_RETRY_COUNT);
         });
@@ -15383,7 +15381,7 @@ var require_bos_client = __commonJS({
       var headers = {};
       headers[H.CONTENT_LENGTH] = Buffer.byteLength(data);
       headers[H.CONTENT_TYPE] = options[H.CONTENT_TYPE] || MimeType.guess(path4.extname(key));
-      headers[H.CONTENT_MD5] = crypto3.md5sum(data);
+      headers[H.CONTENT_MD5] = crypto4.md5sum(data);
       options = u.extend(headers, options);
       return this.appendObject(bucketName, key, data, offset, options);
     };
@@ -15408,7 +15406,7 @@ var require_bos_client = __commonJS({
       if (!u.has(options, H.CONTENT_MD5)) {
         var me = this;
         var fp2 = fs3.createReadStream(filename, streamOptions);
-        return crypto3.md5stream(fp2).then(function(md5sum) {
+        return crypto4.md5stream(fp2).then(function(md5sum) {
           options[H.CONTENT_MD5] = md5sum;
           return me.appendObject(bucketName, key, fp, offset, options);
         });
@@ -15989,7 +15987,7 @@ var require_bos_client = __commonJS({
 // node_modules/.pnpm/@baiducloud+sdk@1.0.7/node_modules/@baiducloud/sdk/src/bcs_client.js
 var require_bcs_client = __commonJS({
   "node_modules/.pnpm/@baiducloud+sdk@1.0.7/node_modules/@baiducloud/sdk/src/bcs_client.js"(exports$1, module) {
-    var crypto3 = __require("crypto");
+    var crypto4 = __require("crypto");
     var util2 = __require("util");
     var path4 = __require("path");
     var fs3 = __require("fs");
@@ -16128,7 +16126,7 @@ var require_bcs_client = __commonJS({
         "Object=" + objectName
       ].join("\n");
       var content = flag + "\n" + body + "\n";
-      var hmac = crypto3.createHmac("sha1", credentials.sk);
+      var hmac = crypto4.createHmac("sha1", credentials.sk);
       hmac.update(new Buffer(content, "utf-8"));
       var digest = encodeURIComponent(hmac.digest("base64")).replace(/%2F/g, "/");
       return [flag, credentials.ak, digest].join(":");
@@ -17969,7 +17967,7 @@ var require_doc_client = __commonJS({
     var BosClient = require_bos_client();
     var BceBaseClient = require_bce_base_client();
     var UploadHelper = require_helper();
-    var crypto3 = require_crypto();
+    var crypto4 = require_crypto();
     var DATA_TYPE_FILE = 1;
     var DATA_TYPE_BUFFER = 2;
     var DATA_TYPE_BLOB = 4;
@@ -18041,12 +18039,12 @@ var require_doc_client = __commonJS({
       }
       var self2 = this;
       if (dataType === DATA_TYPE_FILE) {
-        return crypto3.md5stream(fs3.createReadStream(data), "hex").then(function(md5) {
+        return crypto4.md5stream(fs3.createReadStream(data), "hex").then(function(md5) {
           options.meta.md5 = md5;
           return self2._doCreate(data, options);
         });
       } else if (dataType === DATA_TYPE_BLOB) {
-        return crypto3.md5blob(data, "hex").then(function(md5) {
+        return crypto4.md5blob(data, "hex").then(function(md5) {
           options.meta.md5 = md5;
           return self2._doCreate(data, options);
         });
@@ -22789,111 +22787,6 @@ var require_sdk = __commonJS({
   }
 });
 
-// src/auth/login.ts
-var login_exports = {};
-__export(login_exports, {
-  loginBaiduApp: () => loginBaiduApp
-});
-function createTerminalPrompter() {
-  const rl = readline.createInterface({
-    input: process.stdin,
-    output: process.stdout
-  });
-  const question = (message) => new Promise((resolve) => {
-    rl.question(message, (answer) => resolve(answer));
-  });
-  return {
-    select: async (message, choices) => {
-      while (true) {
-        process.stdout.write(`${message}
-`);
-        for (const [index2, choice] of choices.entries()) {
-          process.stdout.write(`${index2 + 1}. ${choice}
-`);
-        }
-        const answer = (await question("\u8BF7\u9009\u62E9\u5E8F\u53F7: ")).trim();
-        const choiceIndex = Number(answer);
-        if (Number.isInteger(choiceIndex) && choiceIndex >= 1 && choiceIndex <= choices.length) {
-          return choices[choiceIndex - 1];
-        }
-        process.stdout.write(`\u8BF7\u8F93\u5165 1-${choices.length} \u4E4B\u95F4\u7684\u5E8F\u53F7\u3002
-`);
-      }
-    },
-    text: async (message, opts) => {
-      while (true) {
-        const answer = (await question(`${message}: `)).trim();
-        if (!opts?.required || answer) {
-          return answer;
-        }
-        process.stdout.write("\u8BE5\u9879\u4E3A\u5FC5\u586B\uFF0C\u8BF7\u91CD\u65B0\u8F93\u5165\u3002\n");
-      }
-    },
-    close: () => {
-      rl.close();
-    }
-  };
-}
-function redactValue(value, opts) {
-  if (!value) {
-    return "(empty)";
-  }
-  const keepStart = opts?.keepStart ?? 2;
-  const keepEnd = opts?.keepEnd ?? 2;
-  if (value.length <= keepStart + keepEnd) {
-    return "*".repeat(value.length);
-  }
-  return `${value.slice(0, keepStart)}***${value.slice(-keepEnd)}`;
-}
-function setConfigValue(key, value) {
-  const args = ["config", "set", key, String(value)];
-  const result2 = spawnSync("openclaw", args, {
-    stdio: ["ignore", "pipe", "pipe"],
-    encoding: "utf8",
-    timeout: 15e3
-  });
-  if (result2.status !== 0) {
-    const stderr = (result2.stderr ?? "").trim();
-    throw new Error(`openclaw config set failed: ${stderr || `exit code ${result2.status}`}`);
-  }
-}
-async function loginBaiduApp(params) {
-  void params.cfg;
-  void params.verbose;
-  const agentId = params.accountId?.trim() || "main";
-  const prompter = createTerminalPrompter();
-  try {
-    const mode = await prompter.select("\u8BF7\u9009\u62E9\u767E\u5EA6 App \u914D\u7F6E\u65B9\u5F0F", [
-      "\u624B\u52A8\u586B\u5199",
-      "\u626B\u7801\u914D\u7F6E\uFF08\u5373\u5C06\u652F\u6301\uFF09"
-    ]);
-    if (mode === "\u626B\u7801\u914D\u7F6E\uFF08\u5373\u5C06\u652F\u6301\uFF09") {
-      params.runtime.log("\u23F3 \u626B\u7801\u914D\u7F6E\u529F\u80FD\u6B63\u5728\u5F00\u53D1\u4E2D\uFF0C\u656C\u8BF7\u671F\u5F85...");
-      params.runtime.log("\u8BF7\u5148\u4F7F\u7528\u624B\u52A8\u586B\u5199\u65B9\u5F0F\u5B8C\u6210\u914D\u7F6E\u3002");
-      return;
-    }
-    const appKey = await prompter.text("App Key", { required: true });
-    const appSecret = await prompter.text("App Secret", { required: true });
-    const accountKeyPrefix = `channels.openclaw-baiduapp.accounts.${agentId}`;
-    setConfigValue(`${accountKeyPrefix}.appKey`, appKey);
-    setConfigValue(`${accountKeyPrefix}.appSecret`, appSecret);
-    setConfigValue(`${accountKeyPrefix}.enabled`, true);
-    params.runtime.log(`\u2705 openclaw-baiduapp \u5DF2\u5B8C\u6210\u914D\u7F6E\uFF08account: ${agentId}\uFF09`);
-    params.runtime.log(`- appKey: ${redactValue(appKey, { keepStart: 3, keepEnd: 3 })}`);
-    params.runtime.log(`- appSecret: ${redactValue(appSecret, { keepStart: 3, keepEnd: 3 })}`);
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    params.runtime.error(`openclaw-baiduapp \u767B\u5F55\u914D\u7F6E\u5931\u8D25\uFF1A${message}`);
-    throw error;
-  } finally {
-    prompter.close();
-  }
-}
-var init_login = __esm({
-  "src/auth/login.ts"() {
-  }
-});
-
 // node_modules/.pnpm/zod@3.25.76/node_modules/zod/v3/external.js
 var external_exports = {};
 __export(external_exports, {
@@ -26936,13 +26829,14 @@ var NEVER = INVALID;
 
 // src/config.ts
 var DEFAULT_ACCOUNT_ID = "default";
-var DEFAULT_AGENT_ID = "main";
 var DEFAULT_API_BASE = "https://claw.baidu.com";
 var BaiduAppAccountSchema = external_exports.object({
   name: external_exports.string().optional(),
   enabled: external_exports.boolean().optional(),
   pollingEnabled: external_exports.boolean().optional(),
   webhookPath: external_exports.string().optional(),
+  token: external_exports.string().optional(),
+  encodingAESKey: external_exports.string().optional(),
   appKey: external_exports.string().optional(),
   appSecret: external_exports.string().optional(),
   apiBase: external_exports.string().optional(),
@@ -26961,6 +26855,8 @@ var BaiduAppConfigJsonSchema = {
       enabled: { type: "boolean" },
       pollingEnabled: { type: "boolean" },
       webhookPath: { type: "string" },
+      token: { type: "string" },
+      encodingAESKey: { type: "string" },
       appKey: { type: "string" },
       appSecret: { type: "string" },
       apiBase: { type: "string" },
@@ -26976,6 +26872,8 @@ var BaiduAppConfigJsonSchema = {
             enabled: { type: "boolean" },
             pollingEnabled: { type: "boolean" },
             webhookPath: { type: "string" },
+            token: { type: "string" },
+            encodingAESKey: { type: "string" },
             appKey: { type: "string" },
             appSecret: { type: "string" },
             apiBase: { type: "string" },
@@ -26990,10 +26888,6 @@ function normalizeAccountId(raw) {
   const trimmed = String(raw ?? "").trim();
   return trimmed || DEFAULT_ACCOUNT_ID;
 }
-function extractAgentId(msg) {
-  const raw = msg.agentid ?? "";
-  return raw.trim() || DEFAULT_AGENT_ID;
-}
 function listConfiguredAccountIds(cfg) {
   const accounts = cfg.channels?.["openclaw-baiduapp"]?.accounts;
   if (!accounts || typeof accounts !== "object") {
@@ -27041,10 +26935,12 @@ function resolveBaiduAppAccount(params) {
   const merged = mergeBaiduAppAccountConfig(params.cfg, accountId);
   const enabled = baseEnabled && merged.enabled !== false;
   const isDefaultAccount = accountId === DEFAULT_ACCOUNT_ID;
+  const token = merged.token?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_TOKEN?.trim() : void 0) || void 0;
+  const encodingAESKey = merged.encodingAESKey?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_ENCODING_AES_KEY?.trim() : void 0) || void 0;
   const appKey = merged.appKey?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_KEY?.trim() : void 0) || void 0;
   const appSecret = merged.appSecret?.trim() || (isDefaultAccount ? process.env.BAIDU_APP_SECRET?.trim() : void 0) || void 0;
-  const configured = Boolean(appKey && appSecret);
-  const canSendActive = Boolean(appKey && appSecret);
+  const configured = Boolean(token && encodingAESKey);
+  const canSendActive = Boolean(appKey && appSecret && token && encodingAESKey);
   const rawApiBase = merged.apiBase?.trim() || (isDefaultAccount ? process.env.BAIDU_API_BASE?.trim() : void 0) || void 0;
   const apiBase = (rawApiBase || DEFAULT_API_BASE).replace(/\/+$/, "");
   return {
@@ -27052,6 +26948,8 @@ function resolveBaiduAppAccount(params) {
     name: merged.name?.trim() || void 0,
     enabled,
     configured,
+    token,
+    encodingAESKey,
     appKey,
     appSecret,
     apiBase,
@@ -27059,37 +26957,6 @@ function resolveBaiduAppAccount(params) {
     config: merged
   };
 }
-function resolveAgentField(agentCfg, mainCfg, baseAccount, field) {
-  return agentCfg?.[field]?.trim() || mainCfg?.[field]?.trim() || baseAccount[field];
-}
-function resolveAgentAccount(params) {
-  const { baseAccount, cfg, agentId } = params;
-  if (agentId === baseAccount.accountId) {
-    return baseAccount;
-  }
-  const accounts = cfg.channels?.["openclaw-baiduapp"]?.accounts;
-  const agentCfg = accounts?.[agentId] && typeof accounts[agentId] === "object" ? accounts[agentId] : void 0;
-  const mainCfg = agentId !== DEFAULT_AGENT_ID && accounts?.[DEFAULT_AGENT_ID] && typeof accounts[DEFAULT_AGENT_ID] === "object" ? accounts[DEFAULT_AGENT_ID] : void 0;
-  const appKey = resolveAgentField(agentCfg, mainCfg, baseAccount, "appKey");
-  const appSecret = resolveAgentField(agentCfg, mainCfg, baseAccount, "appSecret");
-  const apiBase = baseAccount.apiBase;
-  const name = resolveAgentField(agentCfg, mainCfg, baseAccount, "name");
-  const configured = Boolean(appKey && appSecret);
-  const canSendActive = Boolean(appKey && appSecret);
-  const agentEnabled = agentCfg?.enabled !== false;
-  return {
-    ...baseAccount,
-    accountId: agentId,
-    name: name || baseAccount.name,
-    enabled: agentEnabled && baseAccount.enabled,
-    configured,
-    appKey,
-    appSecret,
-    apiBase,
-    canSendActive,
-    config: { ...baseAccount.config, ...mainCfg ?? {}, ...agentCfg ?? {} }
-  };
-}
 
 // src/shared/logger.ts
 function createLogger(prefix, opts) {
@@ -27102,85 +26969,135 @@ function createLogger(prefix, opts) {
     error: (msg) => errorFn(`[${prefix}] [ERROR] ${msg}`)
   };
 }
+function decodeEncodingAESKey(encodingAESKey) {
+  const trimmed = encodingAESKey.trim();
+  if (!trimmed) {
+    throw new Error("encodingAESKey missing");
+  }
+  const withPadding = trimmed.endsWith("=") ? trimmed : `${trimmed}=`;
+  const key = Buffer.from(withPadding, "base64");
+  if (key.length !== 32) {
+    throw new Error(`invalid encodingAESKey (expected 32 bytes after base64 decode, got ${key.length})`);
+  }
+  return key;
+}
+var PKCS7_BLOCK_SIZE = 32;
+function pkcs7Pad(buf, blockSize) {
+  const mod = buf.length % blockSize;
+  const pad = mod === 0 ? blockSize : blockSize - mod;
+  return Buffer.concat([buf, Buffer.alloc(pad, pad)]);
+}
+function pkcs7Unpad(buf, blockSize) {
+  if (buf.length === 0) {
+    throw new Error("invalid pkcs7 payload");
+  }
+  const pad = buf[buf.length - 1];
+  if (!pad || pad < 1 || pad > blockSize || pad > buf.length) {
+    throw new Error("invalid pkcs7 padding");
+  }
+  for (let i = 1; i <= pad; i += 1) {
+    if (buf[buf.length - i] !== pad) {
+      throw new Error("invalid pkcs7 padding");
+    }
+  }
+  return buf.subarray(0, buf.length - pad);
+}
 function sha1Hex(input) {
-  return crypto.createHash("sha1").update(input).digest("hex");
+  return crypto3.createHash("sha1").update(input).digest("hex");
 }
-function computeAKSKBearerToken(params) {
-  return sha1Hex(params.ak + params.sk + params.timestamp + params.nonce);
+function computeBaiduAppMsgSignature(params) {
+  const parts = [params.token, params.timestamp, params.nonce, params.encrypt].map((value) => String(value ?? "")).sort();
+  return sha1Hex(parts.join(""));
 }
-function verifyAKSKBearerToken(params) {
-  const expected = computeAKSKBearerToken({
-    ak: params.ak,
-    sk: params.sk,
+function verifyBaiduAppSignature(params) {
+  const expected = computeBaiduAppMsgSignature({
+    token: params.token,
     timestamp: params.timestamp,
-    nonce: params.nonce
+    nonce: params.nonce,
+    encrypt: params.encrypt
   });
-  return expected === params.token;
-}
-function generateNonce() {
-  return crypto.randomBytes(8).toString("hex");
+  return expected === params.signature;
+}
+function decryptBaiduAppEncrypted(params) {
+  const aesKey = decodeEncodingAESKey(params.encodingAESKey);
+  const iv = aesKey.subarray(0, 16);
+  const decipher = crypto3.createDecipheriv("aes-256-cbc", aesKey, iv);
+  decipher.setAutoPadding(false);
+  const decryptedPadded = Buffer.concat([decipher.update(Buffer.from(params.encrypt, "base64")), decipher.final()]);
+  const decrypted = pkcs7Unpad(decryptedPadded, PKCS7_BLOCK_SIZE);
+  if (decrypted.length < 20) {
+    throw new Error(`invalid decrypted payload (expected at least 20 bytes, got ${decrypted.length})`);
+  }
+  const msgLen = decrypted.readUInt32BE(16);
+  const msgStart = 20;
+  const msgEnd = msgStart + msgLen;
+  if (msgEnd > decrypted.length) {
+    throw new Error(`invalid decrypted msg length (msgEnd=${msgEnd}, payloadLength=${decrypted.length})`);
+  }
+  return decrypted.subarray(msgStart, msgEnd).toString("utf8");
+}
+function encryptBaiduAppPlaintext(params) {
+  const aesKey = decodeEncodingAESKey(params.encodingAESKey);
+  const iv = aesKey.subarray(0, 16);
+  const random16 = crypto3.randomBytes(16);
+  const msg = Buffer.from(params.plaintext ?? "", "utf8");
+  const msgLen = Buffer.alloc(4);
+  msgLen.writeUInt32BE(msg.length, 0);
+  const raw = Buffer.concat([random16, msgLen, msg]);
+  const padded = pkcs7Pad(raw, PKCS7_BLOCK_SIZE);
+  const cipher = crypto3.createCipheriv("aes-256-cbc", aesKey, iv);
+  cipher.setAutoPadding(false);
+  const encrypted = Buffer.concat([cipher.update(padded), cipher.final()]);
+  return encrypted.toString("base64");
 }
-function buildAuthorizationHeader(params) {
-  const token = computeAKSKBearerToken(params);
-  return `Bearer ${token}`;
-}
-
-// src/types.ts
-var DEFAULT_BAIDU_APP_SESSION_ID = "agent:main:main";
 var require2 = createRequire(import.meta.url);
 var pkg = require2("../package.json");
 var PLUGIN_VERSION = pkg.version;
 
 // src/api.ts
 var logger = createLogger("openclaw-baiduapp");
-var DEFAULT_sessionId = DEFAULT_BAIDU_APP_SESSION_ID;
 async function sendBaiduAppMessage(account, message, options) {
   if (!account.canSendActive) {
-    logger.error("Account not configured for active sending (missing appKey or appSecret)");
+    logger.error("Account not configured for active sending (missing appKey, token, or encodingAESKey)");
     return {
       ok: false,
       errcode: -1,
-      errmsg: "Account not configured for active sending (missing appKey or appSecret)"
+      errmsg: "Account not configured for active sending (missing appKey, token, or encodingAESKey)"
     };
   }
   const normalizedPayload = typeof message === "string" ? {
-    list: [{
-      type: "text",
-      data: {
-        text: { content: message }
-      }
-    }]
+    msgtype: "text",
+    text: { content: message }
   } : message;
-  const sessionId = options?.sessionId ?? DEFAULT_sessionId;
-  const callbackBody = {
-    sessionId,
-    list: normalizedPayload.list,
+  const payload = {
+    ...normalizedPayload,
     version: PLUGIN_VERSION,
-    isActive: options?.isActive || false,
-    ...options?.agentid ? { agentid: options.agentid } : {},
-    ...options?.chunkKey != null ? { chunkKey: options.chunkKey } : {},
-    ...options?.replyToMsgId ? { replyToMsgId: options.replyToMsgId } : {}
+    ...options?.msgid != null ? { msgid: options.msgid } : {},
+    ...options?.streamId != null ? { streamId: options.streamId } : {},
+    ...options?.chunkKey != null ? { chunkKey: options.chunkKey } : {}
   };
+  const plaintext = JSON.stringify(payload);
+  const encrypt = encryptBaiduAppPlaintext({
+    encodingAESKey: account.encodingAESKey ?? "",
+    plaintext
+  });
   const timestamp = String(Math.floor(Date.now() / 1e3));
-  const nonce = generateNonce();
-  const authorization = buildAuthorizationHeader({
-    ak: account.appKey ?? "",
-    sk: account.appSecret ?? "",
+  const nonce = crypto3.randomBytes(8).toString("hex");
+  const msgSignature = computeBaiduAppMsgSignature({
+    token: account.token ?? "",
     timestamp,
-    nonce
+    nonce,
+    encrypt
   });
-  const sendMessageUrl = `${account.apiBase}/channel/msg/callback`;
-  const url = `${sendMessageUrl}?timestamp=${encodeURIComponent(timestamp)}&ak=${encodeURIComponent(account.appKey ?? "")}&nonce=${encodeURIComponent(nonce)}`;
-  const body = JSON.stringify(callbackBody);
+  const sendMessageUrl = `${account.apiBase}/chat/openclaw/callback`;
+  const url = `${sendMessageUrl}?timestamp=${encodeURIComponent(timestamp)}&ak=${encodeURIComponent(account.appKey ?? "")}&nonce=${encodeURIComponent(nonce)}&msg_signature=${encodeURIComponent(msgSignature)}`;
+  const body = JSON.stringify({ encrypt });
   logger.info(`POST ${url}`);
   logger.debug(`request body: ${body}`);
   const resp = await fetch(url, {
     method: "POST",
     body,
-    headers: {
-      "Authorization": authorization,
-      "Content-Type": "application/json"
-    }
+    headers: { "Content-Type": "application/json" }
   });
   const text = await resp.text();
   if (!text) {
@@ -27196,15 +27113,6 @@ async function sendBaiduAppMessage(account, message, options) {
     logger.error(`request failed: ${errmsg}`);
     return { ok: false, errcode: resp.status, errmsg };
   }
-  if (data.code !== 0) {
-    const errmsg = data.msg ?? `channel callback failed with code ${String(data.code)}`;
-    logger.error(`request failed: ${errmsg}`);
-    return {
-      ok: false,
-      errcode: data.code,
-      errmsg
-    };
-  }
   const result2 = {
     ok: true
   };
@@ -27230,21 +27138,21 @@ function buildMediaPayload(mediaList, opts) {
 
 // src/bot.ts
 function extractBaiduAppTextContent(msg) {
-  const msgtype = String(msg.msgtype ?? "").toLowerCase();
+  const msgtype = String(msg.msgtype ?? msg.MsgType ?? "").toLowerCase();
   if (msgtype === "text") {
-    const content = msg.text?.content;
+    const content = msg.text?.content ?? msg.Content;
     return typeof content === "string" ? content : "";
   }
   if (msgtype === "event") {
     const eventtype = String(
-      msg.event?.eventtype ?? ""
+      msg.event?.eventtype ?? msg.Event ?? ""
     ).trim();
     return eventtype ? `[event] ${eventtype}` : "[event]";
   }
   return msgtype ? `[${msgtype}]` : "";
 }
 function canDispatchBaiduAppInboundMessage(msg) {
-  const msgtype = String(msg.msgtype ?? "").toLowerCase();
+  const msgtype = String(msg.msgtype ?? msg.MsgType ?? "").toLowerCase();
   if (msgtype === "text") {
     if (extractBaiduAppTextContent(msg)) {
       return true;
@@ -27314,7 +27222,7 @@ async function dispatchBaiduAppMessage(params) {
     cfg: safeCfg,
     channel: "openclaw-baiduapp",
     accountId: account.accountId,
-    peer: { kind: "dm", id: account.accountId || DEFAULT_AGENT_ID }
+    peer: { kind: "dm", id: "default" }
   });
   logger3.info(`SessionKey: ${route.sessionKey}`);
   logger3.info(
@@ -27344,7 +27252,7 @@ async function dispatchBaiduAppMessage(params) {
     envelope: envelopeOptions,
     body: rawBody
   }) : rawBody;
-  const msgid = msg.msgid ?? void 0;
+  const msgid = msg.msgid ?? msg.MsgId ?? void 0;
   const ctxPayload = channel.reply?.finalizeInboundContext ? channel.reply.finalizeInboundContext({
     Body: body,
     RawBody: rawBody,
@@ -27551,122 +27459,92 @@ var DEFAULT_DOWNLOAD_MAX_BYTES = 20 * 1024 * 1024;
 path2.join("openclaw-baiduapp", "media");
 var DefaultBosClient = import_sdk.default.BosClient;
 var MAX_DOWNLOAD_REDIRECTS = 5;
-async function fetchFileUploadSts(options, deps = {}) {
-  assertAccountCanUseChannelApi(options.account);
-  const responsePayload = await postAuthenticatedChannelJson(
-    options.account,
-    "/channel/file/sts",
-    {
-      sessionId: options.sessionId ?? DEFAULT_BAIDU_APP_SESSION_ID,
-      filename: requireSafeDisplayFileName(options.filename),
-      fileSize: options.fileSize,
-      fileType: normalizeOutboundFileType(options.fileType),
-      ...options.md5 ? { md5: options.md5 } : {}
-    },
-    deps
-  );
-  const envelope = parseChannelEnvelope(responsePayload, "file STS");
-  const data = envelope.data;
-  if (!data) {
-    throw new Error("file STS response missing data");
+var EMPTY_QUERY_MD5 = crypto3.createHash("md5").update("").digest("hex");
+var SKS_BASE_TOKEN_POSITIONS = [12, 37, 5, 23, 48, 15, 62, 33];
+async function fetchSksCredentials(account, deps = {}) {
+  if (!account.appKey?.trim()) {
+    throw new Error("Cannot fetch SKS credentials without account.appKey");
+  }
+  if (!account.appSecret?.trim()) {
+    throw new Error("Cannot fetch SKS credentials without account.appSecret");
+  }
+  const fetchImpl = deps.fetchImpl ?? fetch;
+  const apiBase = account.apiBase.replace(/\/+$/, "");
+  const pageLid = deps.createPageLid?.() ?? generateSksPageLid();
+  const timestamp = String((deps.now?.() ?? /* @__PURE__ */ new Date()).getTime());
+  const token = createSksRequestToken({ pageLid, timestamp });
+  const url = `${apiBase}/file/sts?ak=${encodeURIComponent(account.appKey)}&sk=${encodeURIComponent(account.appSecret)}&tk=${encodeURIComponent(token)}`;
+  const response = await fetchImpl(url, { method: "POST" });
+  if (!response.ok) {
+    throw new Error(`SKS request failed with HTTP ${response.status}`);
   }
-  const fileId = requireNonEmptyString(data.fileId, "file STS data.fileId");
-  const reuse = requireBoolean(data.reuse, "file STS data.reuse");
-  if (reuse) {
-    return { fileId, reuse };
+  let payload;
+  try {
+    payload = await response.json();
+  } catch (error) {
+    throw new Error(`SKS response is not valid JSON: ${formatError(error)}`, { cause: error });
+  }
+  return parseSksCredentialsFromPayload(payload);
+}
+function parseSksCredentialsFromPayload(payload) {
+  const parsed = parseSksResponse(payload);
+  if (parsed.status !== 0) {
+    throw new Error(`SKS request failed with status ${parsed.status}`);
+  }
+  if (!parsed.data) {
+    throw new Error("SKS response missing data");
   }
   return {
-    fileId,
-    reuse,
-    sts: parseFileUploadStsCredentials(data.sts),
-    bceUrl: requireNonEmptyString(data.bceUrl, "file STS data.bceUrl"),
-    bucket: requireNonEmptyString(data.bucket, "file STS data.bucket"),
-    bosName: requireNonEmptyString(data.bosName, "file STS data.bosName")
+    ak: requireNonEmptyString(parsed.data.ak, "SKS data.ak"),
+    sk: requireNonEmptyString(parsed.data.sk, "SKS data.sk"),
+    sessionToken: requireNonEmptyString(parsed.data.token, "SKS data.token"),
+    bucketName: requireNonEmptyString(parsed.data.bucketName, "SKS data.bucketName"),
+    prefixPath: sanitizeObjectKeyPrefix(requireNonEmptyString(parsed.data.preFixPath, "SKS data.preFixPath")),
+    endpoint: requireNonEmptyString(parsed.data.bceUrl, "SKS data.bceUrl")
   };
 }
-async function notifyFileUploadComplete(options, deps = {}) {
-  assertAccountCanUseChannelApi(options.account);
-  if (options.fileIds.length === 0) {
-    throw new Error("file complete requires at least one fileId");
-  }
-  const responsePayload = await postAuthenticatedChannelJson(
-    options.account,
-    "/channel/file/complete",
-    {
-      sessionId: options.sessionId ?? DEFAULT_BAIDU_APP_SESSION_ID,
-      fileIds: options.fileIds
-    },
-    deps
-  );
-  const envelope = parseChannelEnvelope(responsePayload, "file complete");
-  const files = extractCompleteFiles(envelope.data);
-  const fileIds = new Set(options.fileIds);
-  for (const file of files) {
-    if (!fileIds.has(file.fileId)) {
-      continue;
-    }
-    if (file.status === -1) {
-      throw new Error(`file complete failed for fileId ${file.fileId}`);
-    }
-  }
-  return { files };
+function createSksRequestToken(params) {
+  const pageLid = requireNonEmptyString(params.pageLid, "SKS pageLid");
+  const timestamp = requireNonEmptyString(params.timestamp, "SKS timestamp");
+  const baseToken = createSksBaseToken(pageLid);
+  const payload = `${baseToken}|${EMPTY_QUERY_MD5}|${timestamp}|${pageLid}`;
+  return `${Buffer.from(payload, "utf8").toString("base64")}-${pageLid}-3`;
 }
-function createBosClient(fileSts, deps = {}) {
-  if (!fileSts.sts || !fileSts.bceUrl) {
-    throw new Error("Cannot create BOS client without STS credentials");
-  }
+function createBosClient(credentials, deps = {}) {
   const BosClientCtor = deps.bosClientCtor ?? DefaultBosClient;
   return new BosClientCtor({
-    endpoint: fileSts.bceUrl,
-    sessionToken: fileSts.sts.token,
+    endpoint: credentials.endpoint,
+    sessionToken: credentials.sessionToken,
     credentials: {
-      ak: fileSts.sts.ak,
-      sk: fileSts.sts.sk
+      ak: credentials.ak,
+      sk: credentials.sk
     }
   });
 }
 async function uploadLocalFileToBos(options, deps = {}) {
   const localFile = await assertUploadableLocalFile(options.filePath);
+  const credentials = await fetchSksCredentials(options.account, deps);
+  const client = createBosClient(credentials, deps);
   const sourceName = options.fileName ?? path2.basename(localFile);
-  const fileName = requireSafeDisplayFileName(sourceName);
-  const [fileBuffer, fileStat] = await Promise.all([fs2.readFile(localFile), fs2.stat(localFile)]);
-  const md5 = crypto.createHash("md5").update(fileBuffer).digest("hex");
-  const fileType = inferOutboundFileType(fileName);
-  const fileSts = await fetchFileUploadSts(
-    {
-      account: options.account,
-      sessionId: options.sessionId,
-      filename: fileName,
-      fileSize: fileStat.size,
-      fileType,
-      md5
-    },
-    deps
-  );
-  if (!fileSts.reuse) {
-    const bucketName = requireNonEmptyString(fileSts.bucket, "file STS bucket");
-    const key = requireNonEmptyString(fileSts.bosName, "file STS bosName");
-    const client = createBosClient(fileSts, deps);
-    const uploadOptions = options.contentType?.trim() ? {
-      "Content-Type": options.contentType.trim()
-    } : void 0;
-    await client.putObjectFromFile(bucketName, key, localFile, uploadOptions);
-  }
-  await notifyFileUploadComplete(
-    {
-      account: options.account,
-      sessionId: options.sessionId,
-      fileIds: [fileSts.fileId]
-    },
-    deps
-  );
+  const sanitizedFileName = sanitizeFileName(sourceName);
+  const key = buildBosObjectKey({
+    prefixPath: credentials.prefixPath,
+    fileName: sanitizedFileName,
+    now: deps.now
+  });
+  const uploadOptions = options.contentType?.trim() ? {
+    "Content-Type": options.contentType.trim()
+  } : void 0;
+  const [, fileStat] = await Promise.all([
+    client.putObjectFromFile(credentials.bucketName, key, localFile, uploadOptions),
+    fs2.stat(localFile)
+  ]);
   return {
-    fileId: fileSts.fileId,
-    bucketName: fileSts.bucket,
-    key: fileSts.bosName,
-    fileName,
-    fileSize: fileStat.size,
-    reuse: fileSts.reuse
+    bucketName: credentials.bucketName,
+    key,
+    url: client.generateUrl(credentials.bucketName, key),
+    fileName: sanitizedFileName,
+    fileSize: fileStat.size
   };
 }
 async function downloadInboundFileToTemp(options, deps = {}) {
@@ -27764,93 +27642,38 @@ async function pruneExpiredTempFiles(deps = {}) {
   await walk(tempDir);
   return { deletedFiles };
 }
-async function postAuthenticatedChannelJson(account, pathname, bodyPayload, deps) {
-  const fetchImpl = deps.fetchImpl ?? fetch;
-  const now = deps.now?.() ?? /* @__PURE__ */ new Date();
-  const timestamp = String(Math.floor(now.getTime() / 1e3));
-  const nonce = (deps.generateNonceImpl ?? generateNonce)();
-  const authorization = buildAuthorizationHeader({
-    ak: account.appKey ?? "",
-    sk: account.appSecret ?? "",
-    timestamp,
-    nonce
-  });
-  const url = new URL(`${account.apiBase.replace(/\/+$/, "")}${pathname}`);
-  url.searchParams.set("ak", account.appKey ?? "");
-  url.searchParams.set("timestamp", timestamp);
-  url.searchParams.set("nonce", nonce);
-  const response = await fetchImpl(url.toString(), {
-    method: "POST",
-    headers: {
-      "Authorization": authorization,
-      "Content-Type": "application/json"
-    },
-    body: JSON.stringify(bodyPayload)
-  });
-  if (!response.ok) {
-    throw new Error(`channel request failed with HTTP ${response.status}`);
-  }
-  try {
-    return await response.json();
-  } catch (error) {
-    throw new Error(`channel response is not valid JSON: ${formatError(error)}`, { cause: error });
-  }
-}
-function parseChannelEnvelope(payload, label) {
+function parseSksResponse(payload) {
   if (!payload || typeof payload !== "object") {
-    throw new Error(`${label} response must be an object`);
+    throw new Error("SKS response must be an object");
   }
   const record = payload;
-  const code = record.code;
-  if (typeof code !== "number") {
-    throw new Error(`${label} response missing numeric code`);
-  }
-  if (code !== 0) {
-    const msg = typeof record.msg === "string" ? record.msg : "unknown error";
-    throw new Error(`${label} request failed with code ${code}: ${msg}`);
-  }
+  const status = typeof record.code === "number" ? record.code : typeof record.status === "number" ? record.status : void 0;
   const data = record.data;
   return {
-    code,
-    msg: typeof record.msg === "string" ? record.msg : void 0,
-    data: data && typeof data === "object" ? data : void 0
+    status,
+    data: data && typeof data === "object" ? {
+      ak: data.ak,
+      sk: data.sk,
+      token: data.token,
+      bucketName: data.bucketName,
+      preFixPath: data.preFixPath,
+      bceUrl: data.bceUrl
+    } : void 0
   };
 }
-function parseFileUploadStsCredentials(payload) {
-  if (!payload || typeof payload !== "object") {
-    throw new Error("file STS data.sts is required");
-  }
-  const record = payload;
-  return {
-    ak: requireNonEmptyString(record.ak, "file STS data.sts.ak"),
-    sk: requireNonEmptyString(record.sk, "file STS data.sts.sk"),
-    token: requireNonEmptyString(record.token, "file STS data.sts.token"),
-    expireAt: requireNumber(record.expireAt, "file STS data.sts.expireAt")
-  };
+function generateSksPageLid() {
+  return crypto3.randomBytes(16).toString("hex");
 }
-function extractCompleteFiles(payload) {
-  const files = payload?.files;
-  if (!Array.isArray(files)) {
-    return [];
-  }
-  return files.map((file, index2) => {
-    if (!file || typeof file !== "object") {
-      throw new Error(`file complete data.files[${index2}] must be an object`);
+function createSksBaseToken(pageLid) {
+  const pageLidHash = crypto3.createHash("sha256").update(pageLid).digest("hex");
+  const characters = SKS_BASE_TOKEN_POSITIONS.map((position) => {
+    const character = pageLidHash[position];
+    if (!character) {
+      throw new Error(`SKS base token position is out of range: ${position}`);
     }
-    const record = file;
-    return {
-      fileId: requireNonEmptyString(record.fileId, `file complete data.files[${index2}].fileId`),
-      status: requireNumber(record.status, `file complete data.files[${index2}].status`)
-    };
+    return character;
   });
-}
-function assertAccountCanUseChannelApi(account) {
-  if (!account.appKey?.trim()) {
-    throw new Error("Cannot call channel API without account.appKey");
-  }
-  if (!account.appSecret?.trim()) {
-    throw new Error("Cannot call channel API without account.appSecret");
-  }
+  return characters.join("");
 }
 function requireNonEmptyString(value, label) {
   if (typeof value !== "string" || !value.trim()) {
@@ -27858,19 +27681,36 @@ function requireNonEmptyString(value, label) {
   }
   return value.trim();
 }
-function requireBoolean(value, label) {
-  if (typeof value !== "boolean") {
-    throw new Error(`${label} must be a boolean`);
+function sanitizeObjectKeyPrefix(prefixPath) {
+  const normalized = prefixPath.replace(/\\/g, "/").trim();
+  const segments = normalized.split("/").map((segment) => segment.trim()).filter(Boolean);
+  if (segments.length === 0) {
+    throw new Error("SKS data.preFixPath must contain at least one safe path segment");
   }
-  return value;
+  const safeSegments = segments.map((segment) => {
+    if (segment === "." || segment === "..") {
+      throw new Error("SKS data.preFixPath contains path traversal");
+    }
+    return sanitizeObjectKeySegment(segment);
+  });
+  return safeSegments.join("/");
 }
-function requireNumber(value, label) {
-  if (typeof value !== "number" || !Number.isFinite(value)) {
-    throw new Error(`${label} must be a finite number`);
+function sanitizeObjectKeySegment(segment) {
+  const sanitized = segment.replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+  if (!sanitized) {
+    throw new Error(`Object key segment is not safe: ${segment}`);
   }
-  return value;
+  return sanitized.slice(0, 80);
+}
+function sanitizeFileName(fileName) {
+  assertSafeUntrustedFileName(fileName);
+  const parsed = path2.parse(fileName.trim());
+  const safeBase = parsed.name.replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+  const safeExt = parsed.ext.replace(/[^a-zA-Z0-9.]+/g, "").slice(0, 16);
+  const baseName = safeBase || "file";
+  return `${baseName.slice(0, 80)}${safeExt}`;
 }
-function requireSafeDisplayFileName(fileName) {
+function assertSafeUntrustedFileName(fileName) {
   const trimmed = fileName.trim();
   if (!trimmed) {
     throw new Error("Filename cannot be empty");
@@ -27881,18 +27721,14 @@ function requireSafeDisplayFileName(fileName) {
   if (trimmed === "." || trimmed === "..") {
     throw new Error(`Filename is not safe: ${fileName}`);
   }
-  return trimmed;
 }
-function normalizeOutboundFileType(fileType) {
-  const normalized = fileType.trim().replace(/^\.+/, "").toLowerCase();
-  if (!normalized) {
-    throw new Error("fileType is required");
-  }
-  return normalized;
+function buildBosObjectKey(params) {
+  const timestamp = formatUtcDate(params.now?.() ?? /* @__PURE__ */ new Date());
+  const uniqueId2 = crypto3.randomUUID();
+  return `${params.prefixPath}/${timestamp}/${uniqueId2}-${params.fileName}`;
 }
-function inferOutboundFileType(fileName) {
-  const extension = path2.extname(fileName).replace(/^\./, "").toLowerCase();
-  return extension || "bin";
+function formatUtcDate(date) {
+  return date.toISOString().slice(0, 10);
 }
 async function assertUploadableLocalFile(filePath) {
   const resolvedPath = path2.resolve(filePath);
@@ -28017,11 +27853,11 @@ function parseContentDispositionFileName(contentDisposition) {
 }
 function resolveDownloadFileName(params) {
   const candidate = params.explicitFileName ?? params.headerFileName ?? params.urlFileName ?? "file.bin";
-  return requireSafeDisplayFileName(candidate);
+  return sanitizeFileName(candidate);
 }
 function buildTempFilePath(params) {
   const timestamp = (params.now?.() ?? /* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-  return path2.join(params.tempDir, `${timestamp}-${crypto.randomUUID()}-${params.fileName}`);
+  return path2.join(params.tempDir, `${timestamp}-${crypto3.randomUUID()}-${params.fileName}`);
 }
 async function ensurePluginTempDir(resolveTmpDir) {
   const baseTmpDir = resolveTmpDir?.() ?? resolvePreferredOpenClawTmpDir();
@@ -28082,12 +27918,12 @@ function normalizeWebhookPath(raw) {
 function jsonOk(res, body) {
   res.statusCode = 200;
   res.setHeader("Content-Type", "application/json; charset=utf-8");
-  res.end(JSON.stringify({ code: 0, msg: "success", data: body }));
+  res.end(JSON.stringify({ status: 0, data: body }));
 }
 function jsonError(res, message, statusCode = 200) {
   res.statusCode = statusCode;
   res.setHeader("Content-Type", "application/json; charset=utf-8");
-  res.end(JSON.stringify({ code: -1, msg: message, data: {} }));
+  res.end(JSON.stringify({ status: -1, message }));
 }
 async function readRawBody(req, maxBytes) {
   const chunks = [];
@@ -28119,6 +27955,47 @@ async function readRawBody(req, maxBytes) {
     });
   });
 }
+function parseXmlBody(xml) {
+  const result2 = {};
+  const cdataRegex = /<(\w+)><!\[CDATA\[([\s\S]*?)\]\]><\/\1>/g;
+  let match;
+  while ((match = cdataRegex.exec(xml)) !== null) {
+    const [, key = "", value = ""] = match;
+    result2[key] = value;
+  }
+  const simpleRegex = /<(\w+)>([^<]*)<\/\1>/g;
+  while ((match = simpleRegex.exec(xml)) !== null) {
+    const [, key = "", value = ""] = match;
+    if (!result2[key]) {
+      result2[key] = value;
+    }
+  }
+  return result2;
+}
+function isXmlFormat(raw) {
+  const trimmed = raw.trim();
+  return trimmed.startsWith("<") && trimmed.endsWith(">");
+}
+function buildEncryptedJsonReply(params) {
+  const base = params.plaintextJson != null && typeof params.plaintextJson === "object" ? params.plaintextJson : {};
+  const plaintext = JSON.stringify({ ...base, version: PLUGIN_VERSION });
+  const encrypt = encryptBaiduAppPlaintext({
+    encodingAESKey: params.account.encodingAESKey ?? "",
+    plaintext
+  });
+  const msgsignature = computeBaiduAppMsgSignature({
+    token: params.account.token ?? "",
+    timestamp: params.timestamp,
+    nonce: params.nonce,
+    encrypt
+  });
+  return {
+    encrypt,
+    msgsignature,
+    timestamp: params.timestamp,
+    nonce: params.nonce
+  };
+}
 function resolveQueryParams(req) {
   const url = new URL(req.url ?? "/", "http://localhost");
   return url.searchParams;
@@ -28127,16 +28004,8 @@ function resolvePath(req) {
   const url = new URL(req.url ?? "/", "http://localhost");
   return normalizeWebhookPath(url.pathname || "/");
 }
-function resolveBearerToken(req) {
-  const authorization = req.headers.authorization ?? req.headers.Authorization;
-  if (Array.isArray(authorization)) {
-    return "";
-  }
-  const value = typeof authorization === "string" ? authorization.trim() : "";
-  if (!value.toLowerCase().startsWith("bearer ")) {
-    return "";
-  }
-  return value.slice(7).trim();
+function resolveSignatureParam(params) {
+  return params.get("msg_signature") ?? params.get("msgsignature") ?? params.get("signature") ?? "";
 }
 function buildLogger(target) {
   return createLogger("openclaw-baiduapp", {
@@ -28204,49 +28073,50 @@ async function downloadInboundFiles(params) {
     }
   };
 }
-function parseV2MsgToInbound(inner, outer) {
-  const list = Array.isArray(inner.list) ? inner.list : [];
-  const textItem = list.find(
-    (item) => item && typeof item === "object" && item.type === "text"
-  );
-  const fileItems = list.filter(
-    (item) => item && typeof item === "object" && item.type === "file"
-  );
-  const textContent = textItem?.data?.text?.content ?? "";
-  const files = fileItems.map((f) => ({ url: f.data.fileId, fileType: "file" }));
-  return {
-    msgtype: "text",
-    msgid: typeof outer.msgid === "string" ? outer.msgid : void 0,
-    agentid: typeof outer.agentid === "string" ? outer.agentid : void 0,
-    text: textContent ? { content: textContent } : void 0,
-    ...files.length > 0 ? { files } : {}
-  };
-}
-function parseBaiduAppCandidates(params) {
-  const results = [];
-  let outer = {};
+function parseBaiduAppPlainMessage(raw) {
+  const trimmed = raw.trim();
+  if (trimmed.startsWith("<") && trimmed.endsWith(">")) {
+    const xmlData = parseXmlBody(trimmed);
+    return {
+      msgtype: xmlData.MsgType,
+      MsgType: xmlData.MsgType,
+      msgid: xmlData.MsgId,
+      MsgId: xmlData.MsgId,
+      content: xmlData.Content,
+      Content: xmlData.Content,
+      from: xmlData.FromUserName ? { appkey: xmlData.FromUserName } : void 0,
+      ToUserName: xmlData.ToUserName,
+      CreateTime: xmlData.CreateTime ? Number(xmlData.CreateTime) : void 0,
+      BotID: xmlData.BotID ? Number(xmlData.BotID) : void 0,
+      Event: xmlData.Event
+    };
+  }
   try {
-    const parsed = JSON.parse(params.raw);
-    if (parsed && typeof parsed === "object") {
-      outer = parsed;
+    const parsed = JSON.parse(trimmed);
+    if (!parsed || typeof parsed !== "object") {
+      return {};
     }
+    return parsed;
   } catch {
-    outer = {};
+    return {};
   }
-  let inner = {};
-  if (typeof outer.msg === "string") {
+}
+function decryptBaiduAppCandidates(params) {
+  const results = [];
+  for (const candidate of params.candidates) {
+    if (!candidate.account.encodingAESKey) {
+      continue;
+    }
     try {
-      const parsedInner = JSON.parse(outer.msg);
-      if (parsedInner && typeof parsedInner === "object") {
-        inner = parsedInner;
-      }
+      const plaintext = decryptBaiduAppEncrypted({
+        encodingAESKey: candidate.account.encodingAESKey,
+        encrypt: params.encrypt
+      });
+      const msg = parseBaiduAppPlainMessage(plaintext);
+      results.push({ target: candidate, plaintext, msg });
     } catch {
-      inner = {};
     }
   }
-  for (const candidate of params.candidates) {
-    results.push({ target: candidate, msg: parseV2MsgToInbound(inner, outer) });
-  }
   return results;
 }
 function selectDecryptedTarget(params) {
@@ -28263,9 +28133,8 @@ async function processBaiduAppInboundMessage(params) {
   const { target, msg } = params;
   const logger3 = buildLogger(target);
   target.statusSink?.({ lastInboundAt: Date.now() });
-  const msgtype = String(msg.msgtype ?? "").toLowerCase();
-  const msgid = msg.msgid ? String(msg.msgid) : void 0;
-  const agentId = extractAgentId(msg);
+  const msgtype = String(msg.msgtype ?? msg.MsgType ?? "").toLowerCase();
+  const msgid = msg.msgid ?? msg.MsgId ? String(msg.msgid ?? msg.MsgId) : void 0;
   logger3.info(`inbound: type=${msgtype || "unknown"} msgid=${msgid ?? "none"} account=${target.account.accountId}`);
   if (!canDispatchBaiduAppInboundMessage(msg)) {
     logger3.warn(`inbound message skipped: type=${msgtype || "unknown"} reason=no-dispatchable-content`);
@@ -28273,11 +28142,6 @@ async function processBaiduAppInboundMessage(params) {
   }
   const inboundFileResult = msgtype === "text" ? await downloadInboundFiles({ msg, logger: logger3, runtime: target.runtime }) : { localFiles: [], diagnostic: {} };
   const inboundMediaFiles = inboundFileResult.localFiles;
-  const agentAccount = resolveAgentAccount({
-    baseAccount: target.account,
-    cfg: target.config,
-    agentId
-  });
   const core = tryGetBaiduAppRuntime();
   if (core) {
     logger3.info(`agent dispatch started: canSendActive=${target.account.canSendActive}`);
@@ -28290,9 +28154,8 @@ async function processBaiduAppInboundMessage(params) {
         );
         target.statusSink?.({ lastOutboundAt: Date.now() });
         if (target.account.canSendActive) {
-          sendBaiduAppMessage(agentAccount, text, {
-            replyToMsgId: msgid,
-            agentid: agentId,
+          sendBaiduAppMessage(target.account, text, {
+            msgid,
             chunkKey: currentChunkKey
           }).then((result2) => {
             if (!result2.ok) {
@@ -28315,7 +28178,7 @@ async function processBaiduAppInboundMessage(params) {
     };
     dispatchBaiduAppMessage({
       cfg: target.config,
-      account: agentAccount,
+      account: target.account,
       msg,
       core,
       hooks,
@@ -28357,43 +28220,53 @@ async function handleBaiduAppWebhookRequest(req, res) {
   const query = resolveQueryParams(req);
   const timestamp = query.get("timestamp") ?? "";
   const nonce = query.get("nonce") ?? "";
-  const ak = query.get("ak") ?? "";
-  const token = resolveBearerToken(req);
+  const signature = resolveSignatureParam(query);
   const primary = targets[0];
   const logger3 = buildLogger(primary);
   if (req.method === "GET") {
     const echostr = query.get("echostr") ?? "";
-    if (!ak || !timestamp || !nonce || !token || !echostr) {
+    if (!timestamp || !nonce || !signature || !echostr) {
       jsonError(res, "missing query params", 400);
       return true;
     }
-    const tokenMatched2 = targets.filter((candidate) => {
-      if (!candidate.account.appKey || !candidate.account.appSecret) {
-        return false;
-      }
-      if (candidate.account.appKey !== ak) {
+    const signatureMatched2 = targets.filter((candidate) => {
+      if (!candidate.account.token) {
         return false;
       }
-      return verifyAKSKBearerToken({
-        ak: candidate.account.appKey,
-        sk: candidate.account.appSecret,
+      return verifyBaiduAppSignature({
+        token: candidate.account.token,
         timestamp,
         nonce,
-        token
+        encrypt: echostr,
+        signature
       });
     });
-    if (tokenMatched2.length === 0) {
+    if (signatureMatched2.length === 0) {
+      jsonError(res, "unauthorized");
+      return true;
+    }
+    const decryptable2 = signatureMatched2.filter((candidate) => Boolean(candidate.account.encodingAESKey));
+    if (decryptable2.length === 0) {
       jsonError(res, "unauthorized");
       return true;
     }
-    jsonOk(res, echostr);
+    const decryptedCandidates2 = decryptBaiduAppCandidates({
+      candidates: decryptable2,
+      encrypt: echostr
+    });
+    if (decryptedCandidates2.length === 0) {
+      jsonError(res, "decrypt failed");
+      return true;
+    }
+    const selected2 = selectDecryptedTarget({ candidates: decryptedCandidates2, logger: logger3 });
+    jsonOk(res, selected2.plaintext);
     return true;
   }
   if (req.method !== "POST") {
     jsonError(res, "Method Not Allowed", 405);
     return true;
   }
-  if (!ak || !timestamp || !nonce || !token) {
+  if (!timestamp || !nonce || !signature) {
     jsonError(res, "missing query params");
     return true;
   }
@@ -28403,56 +28276,90 @@ async function handleBaiduAppWebhookRequest(req, res) {
     return true;
   }
   const rawBody = body.raw;
-  try {
-    JSON.parse(rawBody);
-    logger3.info("inbound json parsed");
-  } catch {
-    logger3.warn("inbound payload parse failed: not valid json");
-    jsonError(res, "invalid payload format");
+  let encrypt = "";
+  let msgSignature = signature;
+  let msgTimestamp = timestamp;
+  let msgNonce = nonce;
+  if (isXmlFormat(rawBody)) {
+    const xmlData = parseXmlBody(rawBody);
+    encrypt = xmlData.Encrypt ?? "";
+    msgSignature = xmlData.MsgSignature ?? signature;
+    msgTimestamp = xmlData.TimeStamp ?? timestamp;
+    msgNonce = xmlData.Nonce ?? nonce;
+    logger3.info(`inbound xml parsed: hasEncrypt=${Boolean(encrypt)}, msg_signature=${msgSignature ? "yes" : "no"}`);
+  } else {
+    try {
+      const record = JSON.parse(rawBody);
+      encrypt = String(record.encrypt ?? record.Encrypt ?? "");
+      logger3.info(`inbound json parsed: hasEncrypt=${Boolean(encrypt)}`);
+    } catch {
+      logger3.warn(`inbound payload parse failed: not valid xml or json`);
+      jsonError(res, "invalid payload format");
+      return true;
+    }
+  }
+  if (!encrypt) {
+    jsonError(res, "missing encrypt");
     return true;
   }
-  const tokenMatched = targets.filter((candidate) => {
-    if (!candidate.account.appKey || !candidate.account.appSecret) {
+  const signatureMatched = targets.filter((candidate) => {
+    if (!candidate.account.token) {
       return false;
     }
-    if (candidate.account.appKey !== ak) {
-      return false;
-    }
-    return verifyAKSKBearerToken({
-      ak: candidate.account.appKey,
-      sk: candidate.account.appSecret,
-      timestamp,
-      nonce,
-      token
+    return verifyBaiduAppSignature({
+      token: candidate.account.token,
+      timestamp: msgTimestamp,
+      nonce: msgNonce,
+      encrypt,
+      signature: msgSignature
     });
   });
-  if (tokenMatched.length === 0) {
-    logger3.warn(`bearer token verification failed: checked ${targets.length} account(s), none matched`);
+  if (signatureMatched.length === 0) {
+    logger3.warn(`signature verification failed: checked ${targets.length} account(s), none matched`);
     jsonError(res, "unauthorized");
     return true;
   }
-  logger3.debug(`bearer token verified: ${tokenMatched.length} account(s) matched`);
-  const decryptedCandidates = parseBaiduAppCandidates({
-    candidates: tokenMatched,
-    raw: rawBody
+  logger3.debug(`signature verified: ${signatureMatched.length} account(s) matched`);
+  const decryptable = signatureMatched.filter((candidate) => Boolean(candidate.account.encodingAESKey));
+  if (decryptable.length === 0) {
+    logger3.warn(`no account has encodingAESKey configured`);
+    jsonError(res, "openclaw-baiduapp not configured");
+    return true;
+  }
+  const decryptedCandidates = decryptBaiduAppCandidates({
+    candidates: decryptable,
+    encrypt
   });
+  if (decryptedCandidates.length === 0) {
+    logger3.warn(`decrypt failed for all ${decryptable.length} candidate account(s)`);
+    jsonError(res, "decrypt failed");
+    return true;
+  }
   const selected = selectDecryptedTarget({ candidates: decryptedCandidates, logger: logger3 });
   const target = selected.target;
-  if (!target.account.configured || !target.account.appKey || !target.account.appSecret) {
+  if (!target.account.configured || !target.account.token || !target.account.encodingAESKey) {
     logger3.warn(`selected account ${target.account.accountId} not fully configured`);
     jsonError(res, "openclaw-baiduapp not configured");
     return true;
   }
-  await processBaiduAppInboundMessage({
+  const reply = await processBaiduAppInboundMessage({
     target,
     msg: selected.msg
   });
-  jsonOk(res, {});
+  jsonOk(
+    res,
+    buildEncryptedJsonReply({
+      account: target.account,
+      plaintextJson: reply,
+      nonce: msgNonce,
+      timestamp: msgTimestamp
+    })
+  );
   return true;
 }
 
 // src/poller.ts
-var DEFAULT_POLL_INTERVAL_MS = 3e3;
+var DEFAULT_POLL_INTERVAL_MS = 1e3;
 var DEFAULT_POLL_REQUEST_TIMEOUT_MS = 1e4;
 var accountPollers = /* @__PURE__ */ new Map();
 function buildPollingTextInboundMessage(content) {
@@ -28463,36 +28370,21 @@ function buildPollingTextInboundMessage(content) {
     }
   };
 }
-function parseTextAndFilesFromList(list) {
-  const textItem = list.find((entry) => entry.type === "text");
-  const fileItems = list.filter((entry) => entry.type === "file");
-  const content = textItem?.type === "text" ? textItem.data.text.content : void 0;
-  const files = fileItems.map((file) => {
-    const fileId = file.data.file.fileId;
-    return typeof fileId === "string" && fileId.trim() ? { url: fileId, fileType: "file" } : null;
-  }).filter((file) => file != null);
-  return { content, files };
-}
 async function dispatchPendingPollingMessages(data, target) {
-  console.log(data);
   if (!target || data.length === 0) {
     return;
   }
   for (const item of data) {
-    const list = Array.isArray(item.list) ? item.list : [];
-    const { content, files } = parseTextAndFilesFromList(list);
-    console.log({ content, files });
-    if (typeof content !== "string" && files.length === 0) {
+    if (String(item.msgtype).toLowerCase() !== "text") {
+      continue;
+    }
+    const content = item.data?.content;
+    if (typeof content !== "string" || content.length === 0) {
       continue;
     }
     await processBaiduAppInboundMessage({
       target,
-      msg: {
-        ...buildPollingTextInboundMessage(typeof content === "string" ? content : ""),
-        msgid: typeof item.msgId === "string" ? item.msgId : void 0,
-        agentid: typeof item.agentId === "string" ? item.agentId : void 0,
-        ...files.length > 0 ? { files } : {}
-      }
+      msg: buildPollingTextInboundMessage(content)
     });
   }
 }
@@ -28547,29 +28439,12 @@ function createAbortSignalController(params) {
   };
 }
 async function pollBaiduAppChatlistOnce(account, loggerOptions, requestOptions) {
-  const endpoint = `${account.apiBase}/channel/msg/poll`;
-  const logger3 = createLogger("openclaw-baiduapp:poller", loggerOptions);
-  const timestamp = String(Math.floor(Date.now() / 1e3));
-  const nonce = generateNonce();
-  const authorization = buildAuthorizationHeader({
-    ak: account.appKey ?? "",
-    sk: account.appSecret ?? "",
-    timestamp,
-    nonce
-  });
+  const endpoint = `${account.apiBase}/chat/demo/chatlist`;
   const query = new URLSearchParams({
     ak: account.appKey ?? "",
-    timestamp,
-    nonce
+    sk: account.appSecret ?? ""
   });
   const url = `${endpoint}?${query.toString()}`;
-  const payload = {
-    sessionId: "agent:main:main",
-    num: 5,
-    version: PLUGIN_VERSION
-  };
-  const body = JSON.stringify(payload);
-  console.log("start poll", url);
   const requestSignal = createAbortSignalController({
     signal: requestOptions?.signal,
     timeoutMs: requestOptions?.timeoutMs
@@ -28577,13 +28452,8 @@ async function pollBaiduAppChatlistOnce(account, loggerOptions, requestOptions)
   let response;
   try {
     response = await (requestOptions?.fetchImpl ?? fetch)(url, {
-      method: "POST",
-      body,
-      signal: requestSignal.signal,
-      headers: {
-        "Authorization": authorization,
-        "Content-Type": "application/json"
-      }
+      method: "GET",
+      signal: requestSignal.signal
     });
   } catch (error) {
     requestSignal.cleanup();
@@ -28636,13 +28506,10 @@ async function pollBaiduAppChatlistOnce(account, loggerOptions, requestOptions)
       }
     });
   }
-  if (parsed.code !== 0) {
-    logger3.debug(`Baidu poll returned non-zero code=${String(parsed.code)}, message=${parsed.message}`);
-  }
-  const msgList = Array.isArray(parsed.data?.msgList) ? parsed.data.msgList : [];
+  const data = Array.isArray(parsed.data) ? parsed.data : [];
   return buildPollResult({
     ok: true,
-    data: msgList
+    data
   });
 }
 function scheduleNextPoll(account, state) {
@@ -28758,33 +28625,16 @@ function resolveOutboundLocalMediaPath(mediaUrl) {
   }
   return trimmed;
 }
+function inferBaiduOutboundFileType(params) {
+  const ext = path2.extname(params.mediaPath).toLowerCase();
+  return ext.startsWith(".") ? ext.slice(1) : ext || "bin";
+}
 function buildOutboundMediaPayload(params) {
   const caption = params.caption?.trim();
-  const mediaItem = params.externalUrl ? {
-    type: "external_url",
-    data: {
-      externalUrl: {
-        url: params.externalUrl
-      }
-    }
-  } : {
-    type: "file",
-    data: {
-      file: {
-        fileId: params.fileId ?? ""
-      }
-    }
-  };
   return {
-    list: [
-      ...caption ? [{
-        type: "text",
-        data: {
-          text: { content: caption }
-        }
-      }] : [],
-      mediaItem
-    ]
+    msgtype: "text",
+    ...caption ? { text: { content: caption } } : {},
+    files: [{ url: params.uploadedUrl, fileType: params.fileType }]
   };
 }
 function resolveDirectOutboundFiles(files) {
@@ -29021,10 +28871,7 @@ var baiduAppPlugin = {
         };
       }
       try {
-        const result2 = await sendBaiduAppMessage(account, params.text, {
-          agentid: account.accountId,
-          isActive: true
-        });
+        const result2 = await sendBaiduAppMessage(account, params.text);
         return {
           channel: "openclaw-baiduapp",
           ok: result2.ok,
@@ -29067,15 +28914,14 @@ var baiduAppPlugin = {
             account,
             buildOutboundMediaPayload({
               caption: params.text,
-              externalUrl: remoteUrl
-            }),
-            { agentid: account.accountId, isActive: true }
+              uploadedUrl: remoteUrl,
+              fileType: inferBaiduOutboundFileType({ mediaPath: remoteUrl })
+            })
           );
           return {
             channel: "openclaw-baiduapp",
-            ok: result2.ok,
-            messageId: result2.msgid ?? "",
-            error: result2.ok ? void 0 : new Error(result2.errmsg ?? "send failed")
+            ok: true,
+            messageId: result2.msgid ?? ""
           };
         } catch (err) {
           return {
@@ -29108,9 +28954,11 @@ var baiduAppPlugin = {
           account,
           buildOutboundMediaPayload({
             caption: params.text,
-            fileId: uploaded.fileId
-          }),
-          { agentid: account.accountId, isActive: true }
+            uploadedUrl: uploaded.url,
+            fileType: inferBaiduOutboundFileType({
+              mediaPath: uploaded.fileName || localMediaPath
+            })
+          })
         );
         return {
           channel: "openclaw-baiduapp",
@@ -29132,18 +28980,6 @@ var baiduAppPlugin = {
       }
     }
   },
-  auth: {
-    login: async (params) => {
-      void params.channelInput;
-      const { loginBaiduApp: loginBaiduApp2 } = await Promise.resolve().then(() => (init_login(), login_exports));
-      await loginBaiduApp2({
-        cfg: params.cfg,
-        accountId: params.accountId,
-        runtime: params.runtime,
-        verbose: params.verbose
-      });
-    }
-  },
   gateway: {
     startAccount: async (ctx) => {
       ctx.setStatus?.({ accountId: ctx.accountId });
@@ -29181,19 +29017,21 @@ var baiduAppPlugin = {
         existing();
       }
       unregisterHooks.set(ctx.accountId, unregister);
-      startAccountPolling({
-        account,
-        dispatchTarget: {
+      if (account.config.pollingEnabled === true) {
+        startAccountPolling({
           account,
-          config: ctx.cfg ?? {},
-          runtime: runtime2,
-          statusSink: (patch) => ctx.setStatus?.({ accountId: ctx.accountId, ...patch })
-        },
-        onError: (error) => {
-          const message = error instanceof Error ? error.message : String(error);
-          ctx.log?.error(`[openclaw-baiduapp] polling failed for account ${ctx.accountId}: ${message}`);
-        }
-      });
+          dispatchTarget: {
+            account,
+            config: ctx.cfg ?? {},
+            runtime: runtime2,
+            statusSink: (patch) => ctx.setStatus?.({ accountId: ctx.accountId, ...patch })
+          },
+          onError: (error) => {
+            const message = error instanceof Error ? error.message : String(error);
+            ctx.log?.error(`[openclaw-baiduapp] polling failed for account ${ctx.accountId}: ${message}`);
+          }
+        });
+      }
       ctx.log?.info(
         `[openclaw-baiduapp] webhook registered at ${path4} for account ${ctx.accountId} (canSendActive=${account.canSendActive})`
       );
@@ -29245,7 +29083,7 @@ async function sendMessage(account, options) {
     };
   }
   try {
-    const textResult = await sendBaiduAppMessage(account, options.text, { isActive: true });
+    const textResult = await sendBaiduAppMessage(account, options.text);
     return {
       ok: textResult.ok,
       msgid: textResult.msgid,