@tencent-connect/openclaw-qqbot 1.7.1 → 1.7.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +188 -3
- package/README.zh.md +190 -3
- package/dist/index.d.ts +1 -0
- package/dist/index.js +1 -0
- package/dist/src/api.d.ts +2 -0
- package/dist/src/api.js +16 -3
- package/dist/src/config.d.ts +5 -1
- package/dist/src/config.js +12 -2
- package/dist/src/gateway.js +131 -169
- package/dist/src/slash-commands.js +119 -3
- package/dist/src/tools/channel.js +1 -4
- package/dist/src/tools/remind.js +0 -1
- package/dist/src/transport/index.d.ts +10 -0
- package/dist/src/transport/index.js +9 -0
- package/dist/src/transport/webhook-transport.d.ts +67 -0
- package/dist/src/transport/webhook-transport.js +245 -0
- package/dist/src/transport/webhook-verify.d.ts +48 -0
- package/dist/src/transport/webhook-verify.js +98 -0
- package/dist/src/types.d.ts +19 -0
- package/dist/src/utils/audio-convert.js +37 -9
- package/index.ts +1 -0
- package/package.json +1 -1
- package/scripts/postinstall-link-sdk.js +44 -0
- package/scripts/upgrade-via-npm.sh +358 -62
- package/scripts/upgrade-via-source.sh +122 -85
- package/src/api.ts +18 -4
- package/src/config.ts +15 -2
- package/src/gateway.ts +135 -167
- package/src/onboarding.ts +8 -0
- package/src/slash-commands.ts +137 -3
- package/src/tools/channel.ts +1 -7
- package/src/tools/remind.ts +0 -2
- package/src/transport/index.ts +11 -0
- package/src/transport/webhook-transport.ts +332 -0
- package/src/transport/webhook-verify.ts +119 -0
- package/src/types.ts +22 -1
- package/src/typings/openclaw-webhook-ingress.d.ts +66 -0
- package/src/utils/audio-convert.ts +37 -9
|
@@ -0,0 +1,332 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Webhook Transport — receive QQ Bot events via HTTP POST callbacks.
|
|
3
|
+
*
|
|
4
|
+
* Uses OpenClaw plugin-sdk's `registerWebhookTargetWithPluginRoute` (模式 C)
|
|
5
|
+
* to register webhook HTTP routes through the framework's gateway HTTP server,
|
|
6
|
+
* sharing the same port and benefiting from built-in rate limiting & in-flight guards.
|
|
7
|
+
*
|
|
8
|
+
* Architecture:
|
|
9
|
+
* 1. On gateway startAccount, register a webhook target via plugin-sdk
|
|
10
|
+
* 2. Framework routes POST requests to our handler
|
|
11
|
+
* 3. Handler verifies Ed25519 signatures and dispatches events
|
|
12
|
+
* 4. Returns op:12 ACK immediately, processes events asynchronously
|
|
13
|
+
* 5. On account stop (abortSignal), unregister the target
|
|
14
|
+
*
|
|
15
|
+
* Configuration (openclaw.yaml):
|
|
16
|
+
* ```yaml
|
|
17
|
+
* channels:
|
|
18
|
+
* qqbot:
|
|
19
|
+
* appId: "xxx"
|
|
20
|
+
* clientSecret: "xxx"
|
|
21
|
+
* transport: webhook
|
|
22
|
+
* webhook:
|
|
23
|
+
* path: /qqbot/webhook
|
|
24
|
+
* ```
|
|
25
|
+
*/
|
|
26
|
+
|
|
27
|
+
import type { IncomingMessage, ServerResponse } from "node:http";
|
|
28
|
+
import {
|
|
29
|
+
registerWebhookTargetWithPluginRoute,
|
|
30
|
+
withResolvedWebhookRequestPipeline,
|
|
31
|
+
resolveWebhookTargetWithAuthOrRejectSync,
|
|
32
|
+
createWebhookInFlightLimiter,
|
|
33
|
+
createFixedWindowRateLimiter,
|
|
34
|
+
readWebhookBodyOrReject,
|
|
35
|
+
type WebhookInFlightLimiter,
|
|
36
|
+
type FixedWindowRateLimiter,
|
|
37
|
+
} from "openclaw/plugin-sdk/webhook-ingress";
|
|
38
|
+
|
|
39
|
+
import type { ResolvedQQBotAccount } from "../types.js";
|
|
40
|
+
import { verifyWebhookSignature, signValidationResponse } from "./webhook-verify.js";
|
|
41
|
+
|
|
42
|
+
// ============ Constants ============
|
|
43
|
+
|
|
44
|
+
const OP_DISPATCH = 0;
|
|
45
|
+
const OP_HTTP_CALLBACK_ACK = 12;
|
|
46
|
+
const OP_VALIDATION = 13;
|
|
47
|
+
|
|
48
|
+
const PLUGIN_ID = "openclaw-qqbot";
|
|
49
|
+
const DEFAULT_WEBHOOK_PATH = "/qqbot/webhook";
|
|
50
|
+
|
|
51
|
+
// ============ Types ============
|
|
52
|
+
|
|
53
|
+
/** Webhook target registered per account */
|
|
54
|
+
export interface QQBotWebhookTarget {
|
|
55
|
+
path: string;
|
|
56
|
+
accountId: string;
|
|
57
|
+
appId: string;
|
|
58
|
+
clientSecret: string;
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
/** Webhook event dispatched to the consumer */
|
|
62
|
+
export interface WebhookInboundEvent {
|
|
63
|
+
eventType: string;
|
|
64
|
+
data: unknown;
|
|
65
|
+
seq?: number;
|
|
66
|
+
}
|
|
67
|
+
|
|
68
|
+
/** Options for starting webhook transport */
|
|
69
|
+
export interface WebhookTransportOptions {
|
|
70
|
+
account: ResolvedQQBotAccount;
|
|
71
|
+
abortSignal: AbortSignal;
|
|
72
|
+
onEvent: (event: WebhookInboundEvent) => void | Promise<void>;
|
|
73
|
+
onReady?: () => void;
|
|
74
|
+
onError?: (error: Error) => void;
|
|
75
|
+
log?: {
|
|
76
|
+
info: (msg: string) => void;
|
|
77
|
+
warn?: (msg: string) => void;
|
|
78
|
+
error: (msg: string) => void;
|
|
79
|
+
debug?: (msg: string) => void;
|
|
80
|
+
};
|
|
81
|
+
}
|
|
82
|
+
|
|
83
|
+
// ============ Module state ============
|
|
84
|
+
|
|
85
|
+
/** Per-path target registry (shared across all accounts) */
|
|
86
|
+
const webhookTargets = new Map<string, QQBotWebhookTarget[]>();
|
|
87
|
+
|
|
88
|
+
/** Per-account event handler map */
|
|
89
|
+
const eventHandlers = new Map<string, (event: WebhookInboundEvent) => void | Promise<void>>();
|
|
90
|
+
|
|
91
|
+
/** Module-level logger (set by the last startWebhookTransport call) */
|
|
92
|
+
let log: WebhookTransportOptions["log"] | undefined;
|
|
93
|
+
|
|
94
|
+
/** Shared rate limiter (fixed window, per source IP) */
|
|
95
|
+
let rateLimiter: FixedWindowRateLimiter | null = null;
|
|
96
|
+
|
|
97
|
+
/** Shared in-flight limiter */
|
|
98
|
+
let inFlightLimiter: WebhookInFlightLimiter | null = null;
|
|
99
|
+
|
|
100
|
+
function ensureGuards(): { rateLimiter: FixedWindowRateLimiter; inFlightLimiter: WebhookInFlightLimiter } {
|
|
101
|
+
if (!rateLimiter) {
|
|
102
|
+
rateLimiter = createFixedWindowRateLimiter({
|
|
103
|
+
windowMs: 60_000,
|
|
104
|
+
maxRequests: 600,
|
|
105
|
+
maxTrackedKeys: 4096,
|
|
106
|
+
});
|
|
107
|
+
}
|
|
108
|
+
if (!inFlightLimiter) {
|
|
109
|
+
inFlightLimiter = createWebhookInFlightLimiter({
|
|
110
|
+
maxInFlightPerKey: 8,
|
|
111
|
+
maxTrackedKeys: 4096,
|
|
112
|
+
});
|
|
113
|
+
}
|
|
114
|
+
return { rateLimiter, inFlightLimiter };
|
|
115
|
+
}
|
|
116
|
+
|
|
117
|
+
// ============ Main handler ============
|
|
118
|
+
|
|
119
|
+
/**
|
|
120
|
+
* Shared HTTP handler for all QQBot webhook routes.
|
|
121
|
+
* Registered once per unique path, dispatches to the correct account target.
|
|
122
|
+
*/
|
|
123
|
+
async function handleQQBotWebhookRequest(req: IncomingMessage, res: ServerResponse): Promise<boolean | void> {
|
|
124
|
+
const guards = ensureGuards();
|
|
125
|
+
|
|
126
|
+
const handled = await withResolvedWebhookRequestPipeline({
|
|
127
|
+
req,
|
|
128
|
+
res,
|
|
129
|
+
targetsByPath: webhookTargets,
|
|
130
|
+
rateLimiter: guards.rateLimiter,
|
|
131
|
+
inFlightLimiter: guards.inFlightLimiter,
|
|
132
|
+
requireJsonContentType: true,
|
|
133
|
+
handle: async ({ targets }) => {
|
|
134
|
+
// Read raw body (up to 1MB, 30s timeout)
|
|
135
|
+
const bodyResult = await readWebhookBodyOrReject({
|
|
136
|
+
req,
|
|
137
|
+
res,
|
|
138
|
+
maxBytes: 1024 * 1024,
|
|
139
|
+
timeoutMs: 30_000,
|
|
140
|
+
});
|
|
141
|
+
if (!bodyResult.ok) return;
|
|
142
|
+
|
|
143
|
+
const rawBodyStr = bodyResult.value;
|
|
144
|
+
const rawBody = Buffer.from(rawBodyStr, "utf-8");
|
|
145
|
+
let payload: { op: number; d?: unknown; t?: string; s?: number };
|
|
146
|
+
try {
|
|
147
|
+
payload = JSON.parse(rawBodyStr);
|
|
148
|
+
} catch (err) {
|
|
149
|
+
log?.error(`[qqbot:webhook] Failed to parse request body as JSON: ${err instanceof Error ? err.message : String(err)}, body preview: ${rawBodyStr.slice(0, 200)}`);
|
|
150
|
+
res.statusCode = 400;
|
|
151
|
+
res.end(JSON.stringify({ error: "invalid json" }));
|
|
152
|
+
return;
|
|
153
|
+
}
|
|
154
|
+
|
|
155
|
+
// ── op:13 — Callback URL validation (before signature check) ──
|
|
156
|
+
if (payload.op === OP_VALIDATION) {
|
|
157
|
+
handleValidation(payload, targets, res);
|
|
158
|
+
return;
|
|
159
|
+
}
|
|
160
|
+
|
|
161
|
+
// ── Signature verification → resolve target ──
|
|
162
|
+
const timestamp = getHeader(req, "x-signature-timestamp") ?? "";
|
|
163
|
+
const signature = getHeader(req, "x-signature-ed25519") ?? "";
|
|
164
|
+
|
|
165
|
+
if (!timestamp || !signature) {
|
|
166
|
+
log?.warn?.(`[qqbot:webhook] Missing signature headers — timestamp: "${timestamp}", signature: "${signature}", url: ${req.url}`);
|
|
167
|
+
res.statusCode = 401;
|
|
168
|
+
res.end(JSON.stringify({ error: "missing signature headers" }));
|
|
169
|
+
return;
|
|
170
|
+
}
|
|
171
|
+
|
|
172
|
+
const matchedTarget = resolveWebhookTargetWithAuthOrRejectSync({
|
|
173
|
+
targets,
|
|
174
|
+
res,
|
|
175
|
+
isMatch: (target) =>
|
|
176
|
+
verifyWebhookSignature({
|
|
177
|
+
body: rawBody,
|
|
178
|
+
timestamp,
|
|
179
|
+
signature,
|
|
180
|
+
botSecret: target.clientSecret,
|
|
181
|
+
}),
|
|
182
|
+
unauthorizedStatusCode: 401,
|
|
183
|
+
unauthorizedMessage: JSON.stringify({ error: "invalid signature" }),
|
|
184
|
+
});
|
|
185
|
+
|
|
186
|
+
if (!matchedTarget) {
|
|
187
|
+
log?.warn?.(`[qqbot:webhook] Signature verification failed for path: ${req.url}, timestamp: ${timestamp}`);
|
|
188
|
+
return; // response already sent by resolver
|
|
189
|
+
}
|
|
190
|
+
|
|
191
|
+
// ── ACK immediately ──
|
|
192
|
+
res.statusCode = 200;
|
|
193
|
+
res.setHeader("Content-Type", "application/json");
|
|
194
|
+
res.end(JSON.stringify({ op: OP_HTTP_CALLBACK_ACK, d: 0 }));
|
|
195
|
+
|
|
196
|
+
// ── Async dispatch (fire-and-forget) ──
|
|
197
|
+
if (payload.op === OP_DISPATCH) {
|
|
198
|
+
const handler = eventHandlers.get(matchedTarget.accountId);
|
|
199
|
+
if (handler) {
|
|
200
|
+
Promise.resolve(
|
|
201
|
+
handler({
|
|
202
|
+
eventType: payload.t ?? "",
|
|
203
|
+
data: payload.d,
|
|
204
|
+
seq: payload.s,
|
|
205
|
+
}),
|
|
206
|
+
).catch((err) => {
|
|
207
|
+
log?.error(`[qqbot:${matchedTarget.accountId}] Event handler error for "${payload.t}": ${err instanceof Error ? err.message : String(err)}`);
|
|
208
|
+
});
|
|
209
|
+
} else {
|
|
210
|
+
log?.warn?.(`[qqbot:webhook] No event handler registered for account: ${matchedTarget.accountId}, event: ${payload.t}`);
|
|
211
|
+
}
|
|
212
|
+
}
|
|
213
|
+
},
|
|
214
|
+
});
|
|
215
|
+
|
|
216
|
+
return handled;
|
|
217
|
+
}
|
|
218
|
+
|
|
219
|
+
// ============ Validation handler (op:13) ============
|
|
220
|
+
|
|
221
|
+
function handleValidation(
|
|
222
|
+
payload: { d?: unknown },
|
|
223
|
+
targets: QQBotWebhookTarget[],
|
|
224
|
+
res: ServerResponse,
|
|
225
|
+
): void {
|
|
226
|
+
const d = payload.d as { plain_token?: string; event_ts?: string } | undefined;
|
|
227
|
+
|
|
228
|
+
if (!d?.plain_token || !d?.event_ts) {
|
|
229
|
+
log?.warn?.(`[qqbot:webhook] Invalid validation payload (op:13): missing plain_token or event_ts, got: ${JSON.stringify(d)}`);
|
|
230
|
+
res.statusCode = 400;
|
|
231
|
+
res.end(JSON.stringify({ error: "invalid validation payload" }));
|
|
232
|
+
return;
|
|
233
|
+
}
|
|
234
|
+
|
|
235
|
+
// Use the first target's secret for validation
|
|
236
|
+
// (op:13 is sent during URL registration, only one bot should be using the path at that time)
|
|
237
|
+
const target = targets[0];
|
|
238
|
+
if (!target) {
|
|
239
|
+
log?.error(`[qqbot:webhook] No target registered for validation (op:13), cannot sign response`);
|
|
240
|
+
res.statusCode = 500;
|
|
241
|
+
res.end(JSON.stringify({ error: "no target registered" }));
|
|
242
|
+
return;
|
|
243
|
+
}
|
|
244
|
+
|
|
245
|
+
const response = signValidationResponse({
|
|
246
|
+
plainToken: d.plain_token,
|
|
247
|
+
eventTs: d.event_ts,
|
|
248
|
+
botSecret: target.clientSecret,
|
|
249
|
+
});
|
|
250
|
+
|
|
251
|
+
res.statusCode = 200;
|
|
252
|
+
res.setHeader("Content-Type", "application/json");
|
|
253
|
+
res.end(JSON.stringify(response));
|
|
254
|
+
}
|
|
255
|
+
|
|
256
|
+
// ============ Public API ============
|
|
257
|
+
|
|
258
|
+
/**
|
|
259
|
+
* Start the webhook transport for a given account.
|
|
260
|
+
*
|
|
261
|
+
* Registers a webhook target on the framework's plugin HTTP route system.
|
|
262
|
+
* The handler verifies Ed25519 signatures, ACKs immediately, and dispatches
|
|
263
|
+
* events asynchronously via the provided `onEvent` callback.
|
|
264
|
+
*
|
|
265
|
+
* Returns when the abortSignal is triggered (account stopped).
|
|
266
|
+
*/
|
|
267
|
+
export async function startWebhookTransport(opts: WebhookTransportOptions): Promise<void> {
|
|
268
|
+
const { account, abortSignal, onEvent, onReady, onError, log: optLog } = opts;
|
|
269
|
+
log = optLog;
|
|
270
|
+
const webhookPath = account.config.webhook?.path ?? DEFAULT_WEBHOOK_PATH;
|
|
271
|
+
|
|
272
|
+
log?.info(`[qqbot:${account.accountId}] Starting webhook transport on path: ${webhookPath}`);
|
|
273
|
+
|
|
274
|
+
// Register event handler for this account
|
|
275
|
+
eventHandlers.set(account.accountId, onEvent);
|
|
276
|
+
|
|
277
|
+
// Register webhook target + plugin HTTP route
|
|
278
|
+
const { unregister } = registerWebhookTargetWithPluginRoute({
|
|
279
|
+
targetsByPath: webhookTargets,
|
|
280
|
+
target: {
|
|
281
|
+
path: webhookPath,
|
|
282
|
+
accountId: account.accountId,
|
|
283
|
+
appId: account.appId,
|
|
284
|
+
clientSecret: account.clientSecret,
|
|
285
|
+
},
|
|
286
|
+
route: {
|
|
287
|
+
auth: "plugin",
|
|
288
|
+
match: "exact" as const,
|
|
289
|
+
pluginId: PLUGIN_ID,
|
|
290
|
+
source: "qqbot-webhook",
|
|
291
|
+
accountId: account.accountId,
|
|
292
|
+
replaceExisting: true,
|
|
293
|
+
log: (msg: string) => log?.info(msg),
|
|
294
|
+
handler: handleQQBotWebhookRequest,
|
|
295
|
+
},
|
|
296
|
+
onLastPathTargetRemoved: () => {
|
|
297
|
+
log?.info(`[qqbot] Last webhook target removed from path: ${webhookPath}`);
|
|
298
|
+
},
|
|
299
|
+
});
|
|
300
|
+
|
|
301
|
+
log?.info(`[qqbot:${account.accountId}] Webhook transport registered on path: ${webhookPath}`);
|
|
302
|
+
onReady?.();
|
|
303
|
+
|
|
304
|
+
// Wait until abort signal fires
|
|
305
|
+
await new Promise<void>((resolve) => {
|
|
306
|
+
if (abortSignal.aborted) {
|
|
307
|
+
resolve();
|
|
308
|
+
return;
|
|
309
|
+
}
|
|
310
|
+
abortSignal.addEventListener("abort", () => resolve(), { once: true });
|
|
311
|
+
});
|
|
312
|
+
|
|
313
|
+
// Cleanup
|
|
314
|
+
unregister();
|
|
315
|
+
eventHandlers.delete(account.accountId);
|
|
316
|
+
log?.info(`[qqbot:${account.accountId}] Webhook transport stopped`);
|
|
317
|
+
}
|
|
318
|
+
|
|
319
|
+
/**
|
|
320
|
+
* Resolve the webhook path for a given account (for external configuration / setWebhook calls).
|
|
321
|
+
*/
|
|
322
|
+
export function resolveWebhookPath(account: ResolvedQQBotAccount): string {
|
|
323
|
+
return account.config.webhook?.path ?? DEFAULT_WEBHOOK_PATH;
|
|
324
|
+
}
|
|
325
|
+
|
|
326
|
+
// ============ Helpers ============
|
|
327
|
+
|
|
328
|
+
function getHeader(req: IncomingMessage, key: string): string | undefined {
|
|
329
|
+
const val = req.headers[key];
|
|
330
|
+
if (Array.isArray(val)) return val[0];
|
|
331
|
+
return val;
|
|
332
|
+
}
|
|
@@ -0,0 +1,119 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Webhook signature verification — Ed25519.
|
|
3
|
+
*
|
|
4
|
+
* QQ Open Platform uses Ed25519 for webhook callback verification:
|
|
5
|
+
* 1. Bot secret is padded/truncated to 32 bytes as the Ed25519 seed.
|
|
6
|
+
* 2. The public key verifies `timestamp + body` against `X-Signature-Ed25519`.
|
|
7
|
+
* 3. For callback URL validation (op:13), signs `event_ts + plain_token`.
|
|
8
|
+
*
|
|
9
|
+
* Reference: https://bot.q.qq.com/wiki/develop/api-v2/dev-prepare/interface-framework/event-emit.html
|
|
10
|
+
*/
|
|
11
|
+
|
|
12
|
+
import * as crypto from "node:crypto";
|
|
13
|
+
|
|
14
|
+
// ============ Seed derivation ============
|
|
15
|
+
|
|
16
|
+
/**
|
|
17
|
+
* Derive an Ed25519 seed (32 bytes) from the bot secret.
|
|
18
|
+
* QQ's spec: repeat the secret until >= 32 chars, then truncate to 32.
|
|
19
|
+
*/
|
|
20
|
+
function deriveSeed(botSecret: string): Buffer {
|
|
21
|
+
let seed = botSecret;
|
|
22
|
+
while (seed.length < 32) {
|
|
23
|
+
seed = seed + seed;
|
|
24
|
+
}
|
|
25
|
+
return Buffer.from(seed.slice(0, 32), "utf-8");
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
/**
|
|
29
|
+
* Generate Ed25519 key pair from bot secret.
|
|
30
|
+
*/
|
|
31
|
+
function getKeyPair(botSecret: string): { privateKey: crypto.KeyObject; publicKey: crypto.KeyObject } {
|
|
32
|
+
const seed = deriveSeed(botSecret);
|
|
33
|
+
// Node.js Ed25519: create private key from raw 32-byte seed
|
|
34
|
+
const privateKey = crypto.createPrivateKey({
|
|
35
|
+
key: Buffer.concat([
|
|
36
|
+
// Ed25519 PKCS8 DER prefix for 32-byte seed
|
|
37
|
+
Buffer.from("302e020100300506032b657004220420", "hex"),
|
|
38
|
+
seed,
|
|
39
|
+
]),
|
|
40
|
+
format: "der",
|
|
41
|
+
type: "pkcs8",
|
|
42
|
+
});
|
|
43
|
+
const publicKey = crypto.createPublicKey(privateKey);
|
|
44
|
+
return { privateKey, publicKey };
|
|
45
|
+
}
|
|
46
|
+
|
|
47
|
+
// ============ Signature generation ============
|
|
48
|
+
|
|
49
|
+
/**
|
|
50
|
+
* Sign a message using the bot's Ed25519 private key.
|
|
51
|
+
* Returns hex-encoded signature.
|
|
52
|
+
*/
|
|
53
|
+
export function ed25519Sign(botSecret: string, message: Buffer): string {
|
|
54
|
+
const { privateKey } = getKeyPair(botSecret);
|
|
55
|
+
const signature = crypto.sign(null, message, privateKey);
|
|
56
|
+
return signature.toString("hex");
|
|
57
|
+
}
|
|
58
|
+
|
|
59
|
+
// ============ Signature verification ============
|
|
60
|
+
|
|
61
|
+
/**
|
|
62
|
+
* Verify an Ed25519 signature from a QQ webhook callback request.
|
|
63
|
+
*
|
|
64
|
+
* @param params.body - Raw request body (Buffer)
|
|
65
|
+
* @param params.timestamp - Value of `X-Signature-Timestamp` header
|
|
66
|
+
* @param params.signature - Value of `X-Signature-Ed25519` header (hex string)
|
|
67
|
+
* @param params.botSecret - The bot's AppSecret
|
|
68
|
+
* @returns `true` if signature is valid
|
|
69
|
+
*/
|
|
70
|
+
export function verifyWebhookSignature(params: {
|
|
71
|
+
body: Buffer;
|
|
72
|
+
timestamp: string;
|
|
73
|
+
signature: string;
|
|
74
|
+
botSecret: string;
|
|
75
|
+
}): boolean {
|
|
76
|
+
const { body, timestamp, signature, botSecret } = params;
|
|
77
|
+
|
|
78
|
+
try {
|
|
79
|
+
const { publicKey } = getKeyPair(botSecret);
|
|
80
|
+
const message = Buffer.concat([
|
|
81
|
+
Buffer.from(timestamp, "utf-8"),
|
|
82
|
+
body,
|
|
83
|
+
]);
|
|
84
|
+
const sigBuffer = Buffer.from(signature, "hex");
|
|
85
|
+
return crypto.verify(null, message, publicKey, sigBuffer);
|
|
86
|
+
} catch (err) {
|
|
87
|
+
console.warn(`[qqbot:webhook-verify] Ed25519 verification threw: ${err instanceof Error ? err.message : String(err)}`);
|
|
88
|
+
return false;
|
|
89
|
+
}
|
|
90
|
+
}
|
|
91
|
+
|
|
92
|
+
// ============ Callback URL validation (op:13) ============
|
|
93
|
+
|
|
94
|
+
/**
|
|
95
|
+
* Generate the response for callback URL validation (op:13).
|
|
96
|
+
*
|
|
97
|
+
* QQ sends `{ op: 13, d: { plain_token, event_ts } }` to verify
|
|
98
|
+
* the callback URL. We must return `{ plain_token, signature }`.
|
|
99
|
+
*
|
|
100
|
+
* @param params.plainToken - The `plain_token` from the validation request
|
|
101
|
+
* @param params.eventTs - The `event_ts` from the validation request
|
|
102
|
+
* @param params.botSecret - The bot's AppSecret
|
|
103
|
+
*/
|
|
104
|
+
export function signValidationResponse(params: {
|
|
105
|
+
plainToken: string;
|
|
106
|
+
eventTs: string;
|
|
107
|
+
botSecret: string;
|
|
108
|
+
}): { plain_token: string; signature: string } {
|
|
109
|
+
const { plainToken, eventTs, botSecret } = params;
|
|
110
|
+
|
|
111
|
+
// Sign: event_ts + plain_token
|
|
112
|
+
const message = Buffer.from(eventTs + plainToken, "utf-8");
|
|
113
|
+
const signature = ed25519Sign(botSecret, message);
|
|
114
|
+
|
|
115
|
+
return {
|
|
116
|
+
plain_token: plainToken,
|
|
117
|
+
signature,
|
|
118
|
+
};
|
|
119
|
+
}
|
package/src/types.ts
CHANGED
|
@@ -29,6 +29,8 @@ export interface ResolvedQQBotAccount {
|
|
|
29
29
|
imageServerBaseUrl?: string;
|
|
30
30
|
/** 是否支持 markdown 消息(默认 true) */
|
|
31
31
|
markdownSupport: boolean;
|
|
32
|
+
/** User-Agent 追加后缀(从通道级配置 channels.qqbot.userAgentSuffix 解析) */
|
|
33
|
+
userAgentSuffix?: string;
|
|
32
34
|
config: QQBotAccountConfig;
|
|
33
35
|
}
|
|
34
36
|
|
|
@@ -57,6 +59,15 @@ export interface GroupConfig {
|
|
|
57
59
|
historyLimit?: number;
|
|
58
60
|
}
|
|
59
61
|
|
|
62
|
+
/** 消息接收传输方式 */
|
|
63
|
+
export type TransportMode = "websocket" | "webhook";
|
|
64
|
+
|
|
65
|
+
/** Webhook 传输配置 */
|
|
66
|
+
export interface WebhookTransportConfig {
|
|
67
|
+
/** 监听路径(默认 /qqbot/webhook) */
|
|
68
|
+
path?: string;
|
|
69
|
+
}
|
|
70
|
+
|
|
60
71
|
/**
|
|
61
72
|
* QQ Bot 账户配置
|
|
62
73
|
*/
|
|
@@ -68,6 +79,10 @@ export interface QQBotAccountConfig {
|
|
|
68
79
|
clientSecretFile?: string;
|
|
69
80
|
dmPolicy?: "open" | "pairing" | "allowlist";
|
|
70
81
|
allowFrom?: string[];
|
|
82
|
+
/** 消息接收传输方式:websocket(默认)| webhook */
|
|
83
|
+
transport?: TransportMode;
|
|
84
|
+
/** webhook 传输配置(transport="webhook" 时生效) */
|
|
85
|
+
webhook?: WebhookTransportConfig;
|
|
71
86
|
/** 群消息策略(默认 allowlist) */
|
|
72
87
|
groupPolicy?: GroupPolicy;
|
|
73
88
|
/** 群白名单(groupPolicy 为 allowlist 时生效) */
|
|
@@ -114,6 +129,12 @@ export interface QQBotAccountConfig {
|
|
|
114
129
|
* 示例: "ryantest/openclaw-qqbot"
|
|
115
130
|
*/
|
|
116
131
|
upgradePkg?: string;
|
|
132
|
+
/**
|
|
133
|
+
* 群消息是否默认需要 @机器人才响应(默认 true)
|
|
134
|
+
* 优先级低于 groups.{groupId}.requireMention 和 groups."*".requireMention
|
|
135
|
+
* 设为 false 时,所有群默认无需 @ 即触发回复(仍可被群级配置覆盖)
|
|
136
|
+
*/
|
|
137
|
+
defaultRequireMention?: boolean;
|
|
117
138
|
/**
|
|
118
139
|
* 出站消息合并回复(debounce)配置
|
|
119
140
|
* 当短时间内收到多次 deliver 时,将文本合并为一条消息发送,避免消息轰炸
|
|
@@ -124,7 +145,7 @@ export interface QQBotAccountConfig {
|
|
|
124
145
|
* 启用后,AI 的回复会以流式形式逐步显示在 QQ 聊天中,
|
|
125
146
|
* 用户可以看到文字逐字出现的打字机效果。
|
|
126
147
|
* 设置为 true 可开启流式消息。
|
|
127
|
-
*
|
|
148
|
+
*
|
|
128
149
|
* 注意:仅 C2C(私聊)支持流式消息 API。
|
|
129
150
|
*/
|
|
130
151
|
streaming?: boolean;
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
declare module "openclaw/plugin-sdk/webhook-ingress" {
|
|
2
|
+
import type { IncomingMessage, ServerResponse } from "node:http";
|
|
3
|
+
|
|
4
|
+
export interface WebhookInFlightLimiter {
|
|
5
|
+
acquire(): boolean;
|
|
6
|
+
release(): void;
|
|
7
|
+
}
|
|
8
|
+
|
|
9
|
+
export interface FixedWindowRateLimiter {
|
|
10
|
+
check(key?: string): boolean;
|
|
11
|
+
}
|
|
12
|
+
|
|
13
|
+
export function createWebhookInFlightLimiter(opts: {
|
|
14
|
+
max?: number;
|
|
15
|
+
maxInFlightPerKey?: number;
|
|
16
|
+
maxTrackedKeys?: number;
|
|
17
|
+
}): WebhookInFlightLimiter;
|
|
18
|
+
|
|
19
|
+
export function createFixedWindowRateLimiter(opts: {
|
|
20
|
+
windowMs: number;
|
|
21
|
+
max?: number;
|
|
22
|
+
maxRequests?: number;
|
|
23
|
+
maxTrackedKeys?: number;
|
|
24
|
+
}): FixedWindowRateLimiter;
|
|
25
|
+
|
|
26
|
+
export function registerWebhookTargetWithPluginRoute<T extends { path: string }>(opts: {
|
|
27
|
+
targetsByPath: Map<string, T[]>;
|
|
28
|
+
target: T;
|
|
29
|
+
route: {
|
|
30
|
+
auth: string;
|
|
31
|
+
match: "exact" | "prefix";
|
|
32
|
+
pluginId: string;
|
|
33
|
+
source: string;
|
|
34
|
+
accountId: string;
|
|
35
|
+
replaceExisting?: boolean;
|
|
36
|
+
log?: (msg: string) => void;
|
|
37
|
+
handler: (req: IncomingMessage, res: ServerResponse) => Promise<boolean | void>;
|
|
38
|
+
};
|
|
39
|
+
onLastPathTargetRemoved?: () => void;
|
|
40
|
+
}): { unregister: () => void };
|
|
41
|
+
|
|
42
|
+
export function withResolvedWebhookRequestPipeline<T extends { path: string }>(opts: {
|
|
43
|
+
req: IncomingMessage;
|
|
44
|
+
res: ServerResponse;
|
|
45
|
+
targetsByPath: Map<string, T[]>;
|
|
46
|
+
rateLimiter: FixedWindowRateLimiter;
|
|
47
|
+
inFlightLimiter: WebhookInFlightLimiter;
|
|
48
|
+
requireJsonContentType?: boolean;
|
|
49
|
+
handle: (ctx: { targets: T[] }) => Promise<void> | void;
|
|
50
|
+
}): Promise<boolean>;
|
|
51
|
+
|
|
52
|
+
export function resolveWebhookTargetWithAuthOrRejectSync<T>(opts: {
|
|
53
|
+
targets: T[];
|
|
54
|
+
res: ServerResponse;
|
|
55
|
+
isMatch: (target: T) => boolean;
|
|
56
|
+
unauthorizedStatusCode?: number;
|
|
57
|
+
unauthorizedMessage?: string;
|
|
58
|
+
}): T | null;
|
|
59
|
+
|
|
60
|
+
export function readWebhookBodyOrReject(opts: {
|
|
61
|
+
req: IncomingMessage;
|
|
62
|
+
res: ServerResponse;
|
|
63
|
+
maxBytes: number;
|
|
64
|
+
timeoutMs: number;
|
|
65
|
+
}): Promise<{ ok: true; value: string } | { ok: false }>;
|
|
66
|
+
}
|
|
@@ -1,9 +1,30 @@
|
|
|
1
1
|
import * as fs from "node:fs";
|
|
2
2
|
import * as path from "node:path";
|
|
3
3
|
import { execFile } from "node:child_process";
|
|
4
|
-
import { decode, encode, isSilk } from "silk-wasm";
|
|
5
4
|
import { detectFfmpeg, isWindows } from "./platform.js";
|
|
6
5
|
|
|
6
|
+
// silk-wasm 动态加载(可选依赖,未安装时降级为不支持语音编解码)
|
|
7
|
+
let silkWasm: { decode: typeof import("silk-wasm").decode; encode: typeof import("silk-wasm").encode; isSilk: typeof import("silk-wasm").isSilk } | null = null;
|
|
8
|
+
let silkWasmLoaded = false;
|
|
9
|
+
|
|
10
|
+
async function loadSilkWasm() {
|
|
11
|
+
if (silkWasmLoaded) return silkWasm;
|
|
12
|
+
silkWasmLoaded = true;
|
|
13
|
+
try {
|
|
14
|
+
silkWasm = await import("silk-wasm");
|
|
15
|
+
} catch {
|
|
16
|
+
console.warn("[audio-convert] silk-wasm not available, voice encoding/decoding disabled");
|
|
17
|
+
silkWasm = null;
|
|
18
|
+
}
|
|
19
|
+
return silkWasm;
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
// 同步版本的 isSilk(用于不方便 await 的场景),首次调用前需先 loadSilkWasm
|
|
23
|
+
function isSilkSync(data: Uint8Array): boolean {
|
|
24
|
+
if (!silkWasm) return false;
|
|
25
|
+
return silkWasm.isSilk(data);
|
|
26
|
+
}
|
|
27
|
+
|
|
7
28
|
/**
|
|
8
29
|
* 检查文件是否为 SILK 格式(QQ/微信语音常用格式)
|
|
9
30
|
* QQ 语音文件通常以 .amr 扩展名保存,但实际编码可能是 SILK v3
|
|
@@ -12,7 +33,7 @@ import { detectFfmpeg, isWindows } from "./platform.js";
|
|
|
12
33
|
function isSilkFile(filePath: string): boolean {
|
|
13
34
|
try {
|
|
14
35
|
const buf = fs.readFileSync(filePath);
|
|
15
|
-
return
|
|
36
|
+
return isSilkSync(new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength));
|
|
16
37
|
} catch {
|
|
17
38
|
return false;
|
|
18
39
|
}
|
|
@@ -91,14 +112,15 @@ export async function convertSilkToWav(
|
|
|
91
112
|
const rawData = new Uint8Array(strippedBuf.buffer, strippedBuf.byteOffset, strippedBuf.byteLength);
|
|
92
113
|
|
|
93
114
|
// 验证是否为 SILK 格式
|
|
94
|
-
|
|
115
|
+
const silk = await loadSilkWasm();
|
|
116
|
+
if (!silk || !silk.isSilk(rawData)) {
|
|
95
117
|
return null;
|
|
96
118
|
}
|
|
97
119
|
|
|
98
120
|
// SILK 解码为 PCM (s16le)
|
|
99
121
|
// QQ 语音通常采样率为 24000Hz
|
|
100
122
|
const sampleRate = 24000;
|
|
101
|
-
const result = await decode(rawData, sampleRate);
|
|
123
|
+
const result = await silk.decode(rawData, sampleRate);
|
|
102
124
|
|
|
103
125
|
// PCM → WAV
|
|
104
126
|
const wavBuffer = pcmToWav(result.data, sampleRate);
|
|
@@ -380,8 +402,12 @@ export async function pcmToSilk(
|
|
|
380
402
|
pcmBuffer: Buffer,
|
|
381
403
|
sampleRate: number,
|
|
382
404
|
): Promise<{ silkBuffer: Buffer; duration: number }> {
|
|
405
|
+
const silk = await loadSilkWasm();
|
|
406
|
+
if (!silk) {
|
|
407
|
+
throw new Error("silk-wasm not available, cannot encode PCM to SILK. Install silk-wasm to enable voice sending.");
|
|
408
|
+
}
|
|
383
409
|
const pcmData = new Uint8Array(pcmBuffer.buffer, pcmBuffer.byteOffset, pcmBuffer.byteLength);
|
|
384
|
-
const result = await encode(pcmData, sampleRate);
|
|
410
|
+
const result = await silk.encode(pcmData, sampleRate);
|
|
385
411
|
return {
|
|
386
412
|
silkBuffer: Buffer.from(result.data.buffer, result.data.byteOffset, result.data.byteLength),
|
|
387
413
|
duration: result.duration,
|
|
@@ -440,10 +466,11 @@ export async function audioFileToSilkBase64(filePath: string, directUploadFormat
|
|
|
440
466
|
}
|
|
441
467
|
|
|
442
468
|
// 1. .slk / .amr 扩展名 → 检测 SILK 魔数,是 SILK 则直传
|
|
469
|
+
const silk = await loadSilkWasm();
|
|
443
470
|
if ([".slk", ".slac"].includes(ext)) {
|
|
444
471
|
const stripped = stripAmrHeader(buf);
|
|
445
472
|
const raw = new Uint8Array(stripped.buffer, stripped.byteOffset, stripped.byteLength);
|
|
446
|
-
if (isSilk(raw)) {
|
|
473
|
+
if (silk?.isSilk(raw)) {
|
|
447
474
|
console.log(`[audio-convert] SILK file, direct use: ${filePath} (${buf.length} bytes)`);
|
|
448
475
|
return buf.toString("base64");
|
|
449
476
|
}
|
|
@@ -453,7 +480,7 @@ export async function audioFileToSilkBase64(filePath: string, directUploadFormat
|
|
|
453
480
|
const rawCheck = new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
|
|
454
481
|
const strippedCheck = stripAmrHeader(buf);
|
|
455
482
|
const strippedRaw = new Uint8Array(strippedCheck.buffer, strippedCheck.byteOffset, strippedCheck.byteLength);
|
|
456
|
-
if (isSilk(rawCheck) || isSilk(strippedRaw)) {
|
|
483
|
+
if (silk?.isSilk(rawCheck) || silk?.isSilk(strippedRaw)) {
|
|
457
484
|
console.log(`[audio-convert] SILK detected by header: ${filePath} (${buf.length} bytes)`);
|
|
458
485
|
return buf.toString("base64");
|
|
459
486
|
}
|
|
@@ -544,10 +571,11 @@ export async function audioFileToSilkFile(filePath: string, directUploadFormats?
|
|
|
544
571
|
}
|
|
545
572
|
|
|
546
573
|
// 1. 已经是 SILK 编码 → 直接返回原文件
|
|
574
|
+
const silk = await loadSilkWasm();
|
|
547
575
|
if ([".slk", ".slac"].includes(ext)) {
|
|
548
576
|
const stripped = stripAmrHeader(buf);
|
|
549
577
|
const raw = new Uint8Array(stripped.buffer, stripped.byteOffset, stripped.byteLength);
|
|
550
|
-
if (isSilk(raw)) {
|
|
578
|
+
if (silk?.isSilk(raw)) {
|
|
551
579
|
console.log(`[audio-convert] SILK file, direct use: ${filePath} (${buf.length} bytes)`);
|
|
552
580
|
return filePath;
|
|
553
581
|
}
|
|
@@ -555,7 +583,7 @@ export async function audioFileToSilkFile(filePath: string, directUploadFormats?
|
|
|
555
583
|
const rawCheck = new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
|
|
556
584
|
const strippedCheck = stripAmrHeader(buf);
|
|
557
585
|
const strippedRaw = new Uint8Array(strippedCheck.buffer, strippedCheck.byteOffset, strippedCheck.byteLength);
|
|
558
|
-
if (isSilk(rawCheck) || isSilk(strippedRaw)) {
|
|
586
|
+
if (silk?.isSilk(rawCheck) || silk?.isSilk(strippedRaw)) {
|
|
559
587
|
console.log(`[audio-convert] SILK detected by header: ${filePath} (${buf.length} bytes)`);
|
|
560
588
|
return filePath;
|
|
561
589
|
}
|