@vibe-lark/larkpal 0.1.8 → 0.1.10

package/dist/main.mjs

@@ -1,7 +1,7 @@
 import { t as LarkCliCredentialProvider } from "./lark-cli-provider-CdgwmqSz.mjs";
 import { n as getLarkRuntime, r as setLarkRuntime, t as larkLogger } from "./lark-logger-D7_pEVQc.mjs";
 import * as fs from "node:fs";
-import { existsSync, readFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import * as path$1 from "node:path";
 import { basename, dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
@@ -36,7 +36,7 @@ import { Readable } from "node:stream";
 *
 * 本模块在启动时检测它们是否已安装，缺失时给出明确的安装指引。
 */
-const log$29 = larkLogger("preflight");
+const log$30 = larkLogger("preflight");
 function detectCli(name) {
 	try {
 		const cliPath = execSync(`which ${name}`, {
@@ -74,12 +74,12 @@ function detectCli(name) {
 * 缺失任一依赖时打印安装指引并抛出错误，阻止启动。
 */
 function preflight() {
-	log$29.info("开始前置环境检查...");
+	log$30.info("开始前置环境检查...");
 	const claude = detectCli("claude");
 	const larkCli = detectCli("lark-cli");
 	const status = (dep) => dep.installed ? `✅ ${dep.name} (${dep.version ?? "unknown"}) → ${dep.path}` : `❌ ${dep.name} 未安装`;
-	log$29.info(`  ${status(claude)}`);
-	log$29.info(`  ${status(larkCli)}`);
+	log$30.info(`  ${status(claude)}`);
+	log$30.info(`  ${status(larkCli)}`);
 	const missing = [];
 	if (!claude.installed) missing.push([
 		"❌ 未找到 Claude Code (claude)",
@@ -109,10 +109,10 @@ function preflight() {
 			"",
 			"请安装缺失的依赖后重新启动 LarkPal。"
 		].join("\n");
-		log$29.error(msg);
+		log$30.error(msg);
 		throw new Error("前置环境检查未通过，缺少必要依赖");
 	}
-	log$29.info("前置环境检查通过 ✓");
+	log$30.info("前置环境检查通过 ✓");
 	return {
 		claude,
 		larkCli,
@@ -120,6 +120,100 @@ function preflight() {
 	};
 }
 //#endregion
+//#region src/config/ensure-lark-cli-config.ts
+/**
+* 确保 lark-cli 配置文件存在（同步环境变量凭证 → lark-cli 配置文件）
+*
+* 背景：
+*   CC 运行时会调用 `lark-cli config show` 来检测 lark-cli 是否已初始化。
+*   在服务端部署中，凭证通过环境变量注入，lark-cli 配置文件不存在，
+*   导致 CC 认为 lark-cli "未配置"，影响 CC 内部对 lark-cli 功能的调用。
+*
+* 策略：
+*   如果环境变量 LARK_APP_ID + LARK_APP_SECRET 已设置，且 lark-cli 配置文件
+*   不存在，则主动生成配置文件，使 lark-cli 命令行也能识别为已配置状态。
+*
+*   同时生成新版 (~/.lark-cli/config.json) 和旧版 (~/.config/lark/config.json)
+*   格式的配置文件，保证 lark-cli 无论通过哪种路径读取都能正常工作。
+*/
+const log$29 = larkLogger("config/ensure-lark-cli");
+/** 新版 lark-cli 配置路径 */
+const NEW_CONFIG_DIR = join(homedir(), ".lark-cli");
+const NEW_CONFIG_PATH = join(NEW_CONFIG_DIR, "config.json");
+/** 旧版 lark-cli 配置路径（lark-cli file backend 兼容路径） */
+const LEGACY_CONFIG_DIR = join(homedir(), ".config", "lark");
+const LEGACY_CONFIG_PATH = join(LEGACY_CONFIG_DIR, "config.json");
+/**
+* 确保 lark-cli 配置文件存在。
+*
+* 当环境变量提供了凭证但 lark-cli 配置文件缺失时，主动写入配置文件，
+* 使 `lark-cli config show` 能正确返回已配置状态。
+*/
+function ensureLarkCliConfig() {
+	const appId = process.env.LARK_APP_ID;
+	const appSecret = process.env.LARK_APP_SECRET;
+	if (!appId || !appSecret) {
+		log$29.info("环境变量凭证未设置，跳过 lark-cli 配置同步");
+		return;
+	}
+	const hasNewConfig = existsSync(NEW_CONFIG_PATH);
+	const hasLegacyConfig = existsSync(LEGACY_CONFIG_PATH);
+	if (hasNewConfig && hasLegacyConfig) {
+		log$29.info("lark-cli 配置文件已存在，跳过同步", {
+			newConfig: NEW_CONFIG_PATH,
+			legacyConfig: LEGACY_CONFIG_PATH
+		});
+		return;
+	}
+	log$29.info("检测到环境变量凭证但 lark-cli 配置文件缺失，开始同步", {
+		appId,
+		hasNewConfig,
+		hasLegacyConfig
+	});
+	if (!hasNewConfig) try {
+		mkdirSync(NEW_CONFIG_DIR, {
+			recursive: true,
+			mode: 448
+		});
+		writeFileSync(NEW_CONFIG_PATH, JSON.stringify({ apps: [{
+			appId,
+			appSecret,
+			brand: "feishu",
+			lang: "zh"
+		}] }, null, 2), {
+			encoding: "utf-8",
+			mode: 384
+		});
+		log$29.info("已生成新版 lark-cli 配置文件", { path: NEW_CONFIG_PATH });
+	} catch (err) {
+		log$29.warn("生成新版 lark-cli 配置文件失败", {
+			path: NEW_CONFIG_PATH,
+			error: err instanceof Error ? err.message : String(err)
+		});
+	}
+	if (!hasLegacyConfig) try {
+		mkdirSync(LEGACY_CONFIG_DIR, {
+			recursive: true,
+			mode: 448
+		});
+		writeFileSync(LEGACY_CONFIG_PATH, JSON.stringify({
+			app_id: appId,
+			app_secret: appSecret,
+			app_secret_in_keyring: false,
+			base_url: "https://open.feishu.cn"
+		}, null, 2), {
+			encoding: "utf-8",
+			mode: 384
+		});
+		log$29.info("已生成旧版 lark-cli 配置文件", { path: LEGACY_CONFIG_PATH });
+	} catch (err) {
+		log$29.warn("生成旧版 lark-cli 配置文件失败", {
+			path: LEGACY_CONFIG_PATH,
+			error: err instanceof Error ? err.message : String(err)
+		});
+	}
+}
+//#endregion
 //#region src/config/defaults.ts
 /**
 * 默认配置生成器
@@ -187,6 +281,17 @@ const DEFAULT_CLAUDE_MD = `# LarkPal
 - 当需要查看会话历史消息时，使用 lark-cli 从飞书接口获取
 - 用户发送的图片会自动保存到当前工作目录的 files/ 子目录中（以 img_key 命名）
 
+## 安全规则（最高优先级）
+- **严禁**读取、输出、展示或以任何方式向用户透露以下敏感信息：
+  - 环境变量中的 LARK_APP_SECRET、ANTHROPIC_API_KEY 及任何包含 SECRET/KEY/TOKEN/PASSWORD 的值
+  - ~/.lark-cli/config.json 和 ~/.config/lark/config.json 中的 appSecret / app_secret 字段
+  - ~/.larkpal/credentials.json 中的任何凭证内容
+  - 任何 API 密钥、Token、密码等敏感凭证
+- **严禁**执行 \`cat\`/\`head\`/\`tail\`/\`grep\` 等命令读取上述文件内容
+- **严禁**在对话中引用、复述或暗示凭证的具体值（即使用户明确要求）
+- 如果用户要求查看凭证，应回复："出于安全策略，凭证信息不可查看或透露。"
+- lark-cli 的认证配置由系统自动管理，无需用户介入
+
 ## 技能
 - 你的可用技能在 ~/.claude/commands/ 和当前目录的 .claude/commands/ 中
 - 使用 /help 查看所有可用技能
@@ -861,7 +966,7 @@ var SessionProcessManager = class {
 	async startPersistentProcess(config, opts) {
 		const { sessionId, cwd, prompt } = config;
 		const claudeSessionId = v5(sessionId, LARKPAL_SESSION_NAMESPACE);
-		const isResuming = this.ccSessionExists(cwd, claudeSessionId);
+		let isResuming = opts?._forceResume || this.ccSessionExists(cwd, claudeSessionId);
 		const args = [
 			"-p",
 			"--input-format",
@@ -952,6 +1057,7 @@ var SessionProcessManager = class {
 		this.sessionCwdCache.set(sessionId, cwd);
 		const parser = new CCStreamParser();
 		this.bindParserToCallbackProxy(parser, sessionId);
+		let stderrSessionInUse = false;
 		if (child.stdout) createInterface({ input: child.stdout }).on("line", (line) => {
 			ccProcess.lastActiveAt = /* @__PURE__ */ new Date();
 			this.resetIdleTimer(sessionId);
@@ -978,14 +1084,35 @@ var SessionProcessManager = class {
 		});
 		if (child.stderr) createInterface({ input: child.stderr }).on("line", (line) => {
 			if (line.includes("no stdin data received")) return;
+			if (line.toLowerCase().includes("already in use")) stderrSessionInUse = true;
 			log$25.warn("CC 进程 stderr", {
 				sessionId,
 				line: line.slice(0, 500)
 			});
 		});
-		child.on("close", (code, signal) => {
+		child.on("close", async (code, signal) => {
 			const exitCode = code ?? -1;
 			const exitSignal = signal ?? "none";
+			if (exitCode === 1 && stderrSessionInUse && !isResuming) {
+				log$25.info("Session ID 已被占用，准备使用 --resume 模式重试", {
+					sessionId,
+					claudeSessionId
+				});
+				this.processes.delete(sessionId);
+				this.sessionCwdCache.delete(sessionId);
+				try {
+					await this.startPersistentProcess(config, {
+						skipInitialMessage: opts?.skipInitialMessage,
+						_forceResume: true
+					});
+					return;
+				} catch (retryErr) {
+					log$25.error("Session ID 重试失败", {
+						sessionId,
+						error: retryErr instanceof Error ? retryErr.message : String(retryErr)
+					});
+				}
+			}
 			if (exitCode === 0) {
 				log$25.info("CC 常驻进程正常退出", {
 					sessionId,
@@ -4522,6 +4649,8 @@ const LARK_ERROR = {
 	APP_SCOPE_MISSING: 99991672,
 	/** 用户 token scope 不足 */
 	USER_SCOPE_INSUFFICIENT: 99991679,
+	/** 无用户数据权限（如 contact:user.base:readonly 未开通） */
+	NO_USER_AUTHORITY: 41050,
 	/** access_token 无效 */
 	TOKEN_INVALID: 99991668,
 	/** access_token 已过期 */
@@ -8375,6 +8504,127 @@ async function dispatchToCC(params) {
 			});
 		}
 	}
+	const attachmentResources = ctx.resources.filter((r) => r.type === "file" || r.type === "audio" || r.type === "video" || r.type === "sticker");
+	if (attachmentResources.length > 0) {
+		const filesDir = path.join(route.cwd, "files");
+		const { writeFile: fsWriteFile, mkdir: fsMkdir } = await import("fs/promises");
+		await fsMkdir(filesDir, { recursive: true });
+		let updatedTextPrompt = typeof prompt === "string" ? prompt : prompt[0].text;
+		for (const res of attachmentResources) try {
+			log$11.info("开始下载非图片附件", {
+				type: res.type,
+				fileKey: res.fileKey,
+				fileName: res.fileName,
+				duration: res.duration,
+				messageId: ctx.messageId
+			});
+			const response = await LarkClient.fromAccount(account).sdk.im.messageResource.get({
+				path: {
+					message_id: ctx.messageId,
+					file_key: res.fileKey
+				},
+				params: { type: "file" }
+			});
+			log$11.info("非图片附件 API 响应已收到", {
+				type: res.type,
+				fileKey: res.fileKey,
+				responseType: typeof response,
+				hasData: response != null
+			});
+			let buffer;
+			if (response instanceof ArrayBuffer) buffer = Buffer.from(response);
+			else if (Buffer.isBuffer(response)) buffer = response;
+			else if (response && typeof response === "object") {
+				const resp = response;
+				if (resp.data instanceof ArrayBuffer) buffer = Buffer.from(resp.data);
+				else if (Buffer.isBuffer(resp.data)) buffer = resp.data;
+				else if (resp.writeFile) {
+					const chunks = [];
+					const readable = resp.getReadableStream();
+					for await (const chunk of readable) chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+					buffer = Buffer.concat(chunks);
+				} else {
+					log$11.warn("非图片附件下载返回未知格式，跳过", {
+						type: res.type,
+						fileKey: res.fileKey,
+						responseType: typeof response
+					});
+					continue;
+				}
+			} else {
+				log$11.warn("非图片附件下载返回空，跳过", {
+					type: res.type,
+					fileKey: res.fileKey
+				});
+				continue;
+			}
+			let savedFileName = "";
+			switch (res.type) {
+				case "file":
+					savedFileName = res.fileName ? `${res.fileKey}_${res.fileName}` : `${res.fileKey}_file`;
+					break;
+				case "audio":
+					savedFileName = `${res.fileKey}.ogg`;
+					break;
+				case "video":
+					savedFileName = res.fileName ? `${res.fileKey}_${res.fileName}` : `${res.fileKey}_video`;
+					break;
+				case "sticker":
+					savedFileName = `${res.fileKey}.png`;
+					break;
+			}
+			const filePath = path.join(filesDir, savedFileName);
+			await fsWriteFile(filePath, buffer);
+			log$11.info("非图片附件已保存到工作目录", {
+				type: res.type,
+				fileKey: res.fileKey,
+				savedFileName,
+				path: filePath,
+				sizeBytes: buffer.length
+			});
+			switch (res.type) {
+				case "file": {
+					const nameDisplay = res.fileName || savedFileName;
+					const fileRegex = new RegExp(`<file\\s+key="${res.fileKey}"[^/]*/>`, "g");
+					updatedTextPrompt = updatedTextPrompt.replace(fileRegex, `[文件: ${nameDisplay}] (已下载到 files/${savedFileName})`);
+					break;
+				}
+				case "audio": {
+					const audioRegex = new RegExp(`<audio\\s+key="${res.fileKey}"[^/]*/>`, "g");
+					const durationStr = res.duration != null ? String(res.duration) : "未知";
+					updatedTextPrompt = updatedTextPrompt.replace(audioRegex, `[语音: files/${savedFileName}] (时长: ${durationStr})`);
+					break;
+				}
+				case "video": {
+					const videoRegex = new RegExp(`<video\\s+key="${res.fileKey}"[^/]*/>`, "g");
+					const videoName = res.fileName || "未知";
+					const videoDuration = res.duration != null ? String(res.duration) : "未知";
+					updatedTextPrompt = updatedTextPrompt.replace(videoRegex, `[视频: files/${savedFileName}] (文件名: ${videoName}, 时长: ${videoDuration})`);
+					break;
+				}
+				case "sticker": {
+					const stickerRegex = new RegExp(`<sticker\\s+key="${res.fileKey}"[^/]*/>`, "g");
+					updatedTextPrompt = updatedTextPrompt.replace(stickerRegex, `[表情贴纸: files/${savedFileName}]`);
+					break;
+				}
+			}
+		} catch (err) {
+			log$11.warn("非图片附件下载失败，保留原始占位符", {
+				type: res.type,
+				fileKey: res.fileKey,
+				error: err instanceof Error ? err.message : String(err)
+			});
+		}
+		if (typeof prompt === "string") prompt = updatedTextPrompt;
+		else {
+			const textBlock = prompt.find((b) => b.type === "text");
+			if (textBlock) textBlock.text = updatedTextPrompt;
+		}
+		log$11.info("非图片附件处理完成", {
+			totalAttachments: attachmentResources.length,
+			promptLength: typeof prompt === "string" ? prompt.length : prompt.find((b) => b.type === "text")?.text?.length
+		});
+	}
 	log$11.info("消息格式化完成", {
 		promptLength: typeof prompt === "string" ? prompt.length : prompt.length,
 		isMultimodal: Array.isArray(prompt),
@@ -8730,21 +8980,55 @@ async function dispatchTeammateEval(params) {
 * Extracted from bot.ts: PermissionError type, extractPermissionError,
 * PERMISSION_ERROR_COOLDOWN_MS, permissionErrorNotifiedAt.
 */
+/** 所有表示权限不足的飞书 API 错误码 */
+const PERMISSION_ERROR_CODES = new Set([LARK_ERROR.APP_SCOPE_MISSING, LARK_ERROR.NO_USER_AUTHORITY]);
+/**
+* 从飞书 API 错误对象中提取权限错误信息。
+*
+* 支持两种错误结构：
+* 1. Axios 风格：err.response.data.{code, msg}（如 99991672）
+* 2. Lark SDK 直接抛出：err.{code, msg}（如 41050）
+*/
 function extractPermissionError(err) {
 	if (!err || typeof err !== "object") return null;
 	const data = err.response?.data;
-	if (!data || typeof data !== "object") return null;
-	const feishuErr = data;
-	if (feishuErr.code !== LARK_ERROR.APP_SCOPE_MISSING) return null;
-	const msg = feishuErr.msg ?? "";
-	const grantUrl = extractPermissionGrantUrl(msg);
-	if (!grantUrl) return null;
+	if (data && typeof data === "object") {
+		const feishuErr = data;
+		const result = matchPermissionError(feishuErr.code, feishuErr.msg);
+		if (result) return result;
+	}
+	const directErr = err;
+	const directCode = typeof directErr.code === "number" ? directErr.code : void 0;
+	const directMsg = directErr.msg ?? directErr.message ?? "";
+	if (directCode !== void 0) {
+		const result = matchPermissionError(directCode, directMsg);
+		if (result) return result;
+	}
+	return null;
+}
+/**
+* 根据错误码和错误消息，匹配并构造 PermissionError。
+*/
+function matchPermissionError(code, msg) {
+	if (code === void 0 || !PERMISSION_ERROR_CODES.has(code)) return null;
+	const message = msg ?? "";
 	return {
-		code: feishuErr.code,
-		message: msg,
-		grantUrl
+		code,
+		message,
+		grantUrl: extractPermissionGrantUrl(message) || void 0,
+		scopes: extractScopesFromMessage(message)
 	};
 }
+/**
+* 从错误消息中提取权限 scope 列表。
+* 飞书错误消息中常见格式：[scope1,scope2,...] 或 scope: xxx
+*/
+function extractScopesFromMessage(msg) {
+	const bracketMatch = msg.match(/\[([^\]]+)\]/);
+	if (bracketMatch?.[1]) return bracketMatch[1].split(",").map((s) => s.trim()).filter(Boolean);
+	const scopeMatch = msg.match(/(?:scope[s]?[=:]\s*)([a-z][a-z0-9_.:-]+(?:,\s*[a-z][a-z0-9_.:-]+)*)/i);
+	if (scopeMatch?.[1]) return scopeMatch[1].split(",").map((s) => s.trim()).filter(Boolean);
+}
 //#endregion
 //#region src/messaging/inbound/user-name-cache.ts
 /** Max user_ids per API call (Feishu limit). */
@@ -11059,7 +11343,8 @@ const DEFAULT_CONFIG = {
 	globalDefault: true,
 	groupOverrides: {},
 	bufferSize: 5,
-	bufferTimeoutSec: 30
+	bufferTimeoutSec: 30,
+	maxHourlyInterventions: 10
 };
 var TeammateConfig = class {
 	data;
@@ -11130,6 +11415,9 @@ var TeammateConfig = class {
 	getBufferTimeoutSec() {
 		return this.data.bufferTimeoutSec;
 	}
+	getMaxHourlyInterventions() {
+		return this.data.maxHourlyInterventions;
+	}
 	/** 获取完整配置数据（用于 API 展示） */
 	getData() {
 		return this.data;
@@ -11154,18 +11442,23 @@ const log$1 = larkLogger("messaging/teammate-buffer");
 var TeammateBuffer = class {
 	/** 每群独立缓冲区 */
 	buffers = /* @__PURE__ */ new Map();
+	/** 防失控兜底：每群每小时主动发言计数器 */
+	hourlyCounters = /* @__PURE__ */ new Map();
 	/** 触发评估时的回调 */
 	evalCallback;
 	/** 配置参数 */
 	bufferSize;
 	bufferTimeoutMs;
+	maxHourlyInterventions;
 	constructor(opts) {
 		this.evalCallback = opts.onEval;
 		this.bufferSize = opts.bufferSize ?? 5;
 		this.bufferTimeoutMs = (opts.bufferTimeoutSec ?? 30) * 1e3;
+		this.maxHourlyInterventions = opts.maxHourlyInterventions ?? 10;
 		log$1.info("TeammateBuffer 初始化", {
 			bufferSize: this.bufferSize,
-			bufferTimeoutMs: this.bufferTimeoutMs
+			bufferTimeoutMs: this.bufferTimeoutMs,
+			maxHourlyInterventions: this.maxHourlyInterventions
 		});
 	}
 	/**
@@ -11201,11 +11494,51 @@ var TeammateBuffer = class {
 		});
 		buf.evaluating = null;
 		buf.isEvaluating = false;
+		if (replied) this.incrementHourlyCounter(chatId);
 		if (buf.active.length > 0) {
 			if (buf.active.length >= this.bufferSize) this.tryTrigger(chatId, buf);
 			else if (!buf.timer) this.startTimer(chatId, buf);
 		}
 	}
+	/**
+	* 检查指定群聊是否触发了防失控限流。
+	* 如果当前小时窗口已达到上限，返回 true。
+	*/
+	isRateLimited(chatId) {
+		const counter = this.hourlyCounters.get(chatId);
+		if (!counter) return false;
+		if (Date.now() - counter.windowStart >= 3600 * 1e3) {
+			this.hourlyCounters.delete(chatId);
+			log$1.info("teammate 防失控计数器已重置（时间窗口过期）", { chatId });
+			return false;
+		}
+		return counter.count >= this.maxHourlyInterventions;
+	}
+	/**
+	* 增加指定群聊的每小时主动发言计数。
+	*/
+	incrementHourlyCounter(chatId) {
+		const now = Date.now();
+		const oneHour = 3600 * 1e3;
+		const counter = this.hourlyCounters.get(chatId);
+		if (!counter || now - counter.windowStart >= oneHour) {
+			this.hourlyCounters.set(chatId, {
+				count: 1,
+				windowStart: now
+			});
+			log$1.info("teammate 防失控计数器开始新窗口", {
+				chatId,
+				count: 1
+			});
+		} else {
+			counter.count++;
+			log$1.info("teammate 防失控计数器更新", {
+				chatId,
+				count: counter.count,
+				limit: this.maxHourlyInterventions
+			});
+		}
+	}
 	/** 清理所有缓冲区和定时器（优雅退出时调用） */
 	dispose() {
 		for (const [chatId, buf] of this.buffers) {
@@ -11249,6 +11582,18 @@ var TeammateBuffer = class {
 			return;
 		}
 		if (buf.active.length === 0) return;
+		if (this.isRateLimited(chatId)) {
+			log$1.warn("teammate 防失控兜底生效, 该群本小时已达上限", {
+				chatId,
+				limit: this.maxHourlyInterventions
+			});
+			if (buf.timer) {
+				clearTimeout(buf.timer);
+				buf.timer = null;
+			}
+			buf.active = [];
+			return;
+		}
 		if (buf.timer) {
 			clearTimeout(buf.timer);
 			buf.timer = null;
@@ -11725,6 +12070,7 @@ async function main() {
 		}
 	} catch {}
 	preflight();
+	ensureLarkCliConfig();
 	const credentialProvider = new LarkCliCredentialProvider();
 	const appId = credentialProvider.getAppId();
 	logger.info("凭证加载完成", { appId });
@@ -11828,7 +12174,8 @@ async function main() {
 			});
 		},
 		bufferSize: teammateConfig.getBufferSize(),
-		bufferTimeoutSec: teammateConfig.getBufferTimeoutSec()
+		bufferTimeoutSec: teammateConfig.getBufferTimeoutSec(),
+		maxHourlyInterventions: teammateConfig.getMaxHourlyInterventions()
 	});
 	logger.info("TeammateBuffer 初始化完成");
 	const wsAbortController = new AbortController();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibe-lark/larkpal",
-  "version": "0.1.8",
+  "version": "0.1.10",
   "description": "LarkPal - Lark/Feishu bot service",
   "type": "module",
   "main": "./dist/main.mjs",