@workclaw/openclaw-workclaw 1.0.0

package/src/gateway/workclaw-gateway.ts

@@ -0,0 +1,521 @@
+import type { OpenclawWorkclawAccountConfig, OpenclawWorkclawConfig, ResolvedOpenclawWorkclawAccount, WorkClawBaseConfig } from '../types.js'
+import type { MessageDispatcherContext } from './message-dispatcher.js'
+import { buildAccountMap, resolveAccountByUserIdAndAgentId } from '../accounts.js'
+import { clearOpenclawWorkclawTokenCache, openOpenclawWorkclawConnection } from '../connection/workclaw-client.js'
+import {
+  clearOpenclawWorkclawWsConnection,
+  clearReconnectScheduler,
+  createLogger,
+  finishConnecting,
+  getAllDispatchersByAppKey,
+  getAppKeyByAccountId,
+  getDispatcherByAppKeyAndAccountId,
+  getOpenclawWorkclawWsConnection,
+  getReconnectScheduler,
+  registerAccountContext,
+  setOpenclawWorkclawLoggerFromContext,
+  setOpenclawWorkclawWsConnection,
+  setReconnectScheduler,
+  tryStartConnecting,
+  unregisterAccountContext,
+} from '../runtime.js'
+import { parseWorkClawMessage } from './message-context.js'
+import { dispatchOpenclawWorkclawMessage } from './message-dispatcher.js'
+import { createReconnectScheduler } from './reconnect.js'
+
+export interface OpenclawWorkclawGatewayOptions {
+  accountId: string
+  account: ResolvedOpenclawWorkclawAccount
+  cfg: any
+  log?: any
+}
+
+export async function startOpenclawWorkclawGateway(options: OpenclawWorkclawGatewayOptions): Promise<void> {
+  const { account, log } = options
+
+  const logger = createLogger('', log)
+  setOpenclawWorkclawLoggerFromContext(logger)
+
+  const rawConfig = account.config as unknown as OpenclawWorkclawConfig & OpenclawWorkclawAccountConfig
+  const connectionMode = rawConfig.connectionMode || 'websocket'
+  const wsStrategy = rawConfig.wsConnectionStrategy || 'per-account'
+
+  if (connectionMode !== 'websocket') {
+    throw new Error(`Unsupported connectionMode: ${connectionMode}`)
+  }
+
+  if (wsStrategy === 'per-appKey') {
+    await startSharedWebSocket(options)
+  }
+  else {
+    await startPerAccountWebSocket(options)
+  }
+}
+
+/**
+ * per-account 模式: 每个账号独立 WebSocket 连接
+ */
+async function startPerAccountWebSocket(options: OpenclawWorkclawGatewayOptions): Promise<void> {
+  const { accountId, account, cfg, log } = options
+
+  const logger = createLogger('', log)
+  const rawConfig = account.config as unknown as OpenclawWorkclawConfig & OpenclawWorkclawAccountConfig
+
+  const baseConfig: WorkClawBaseConfig = {
+    baseUrl: rawConfig.baseUrl,
+    websocketUrl: rawConfig.websocketUrl,
+    appKey: rawConfig.appKey,
+    appSecret: rawConfig.appSecret,
+    localIp: rawConfig.localIp,
+    allowInsecureTls: rawConfig.allowInsecureTls,
+    requestTimeout: rawConfig.requestTimeout,
+  }
+
+  const accountConfig: OpenclawWorkclawAccountConfig = {
+    agentId: rawConfig.agentId,
+    userId: rawConfig.userId,
+    openConversationId: rawConfig.openConversationId,
+  }
+
+  const appKeyRaw = baseConfig.appKey ?? ''
+  const appSecretRaw = baseConfig.appSecret ?? ''
+
+  buildAccountMap(cfg)
+
+  logger.info(
+    `Gateway start (per-account) accountId=${accountId} baseUrl=${baseConfig.baseUrl ?? ''} websocketUrl=${baseConfig.websocketUrl ?? ''} localIp=${baseConfig.localIp ?? ''} allowInsecureTls=${baseConfig.allowInsecureTls} requestTimeout=${baseConfig.requestTimeout ?? ''} appKeyPrefix=${appKeyRaw ? `${appKeyRaw.slice(0, 8)}...` : 'missing'} appSecretLen=${appSecretRaw.length}`,
+  )
+
+  const ctx: MessageDispatcherContext = {
+    accountId,
+    account,
+    cfg,
+    baseConfig,
+    accountConfig,
+    log: logger,
+    scheduleReconnect: () => {
+      // eslint-disable-next-line ts/no-use-before-define
+      scheduler.scheduleReconnect()
+    },
+  }
+
+  const handleMessage = (data: string): void | Promise<void> => {
+    dispatchOpenclawWorkclawMessage(data, ctx).catch((err) => {
+      logger.error(`Dispatch error: ${String(err)}`)
+    })
+  }
+
+  const scheduler = createReconnectScheduler({
+    key: accountId,
+    config: baseConfig,
+    log: logger,
+    onMessage: handleMessage,
+  })
+
+  try {
+    const tokenCacheKey = baseConfig.appKey || accountId
+    const connConfig = {
+      baseUrl: baseConfig.baseUrl || '',
+      websocketUrl: baseConfig.websocketUrl,
+      appKey: baseConfig.appKey,
+      appSecret: baseConfig.appSecret,
+      localIp: baseConfig.localIp,
+      allowInsecureTls: baseConfig.allowInsecureTls,
+      requestTimeout: baseConfig.requestTimeout,
+    }
+
+    const { endpoint, ticket } = await openOpenclawWorkclawConnection(tokenCacheKey, connConfig)
+    logger.info(`Gateway Connection opened endpoint=${endpoint} ticketLen=${ticket?.length ?? 0}`)
+    const url = `${endpoint}?ticket=${encodeURIComponent(ticket)}`
+
+    const { Agent } = await import('undici')
+    const dispatcher = connConfig.allowInsecureTls
+      ? new Agent({ connect: { rejectUnauthorized: false } })
+      : undefined
+    const wsOptions = dispatcher ? { dispatcher } : undefined
+
+    const ws = new (await import('undici')).WebSocket(url, wsOptions)
+    setOpenclawWorkclawWsConnection(accountId, ws)
+
+    await new Promise<void>((resolve, reject) => {
+      const timeout = setTimeout(() => reject(new Error('websocket connection timeout')), 30000)
+
+      ws.onopen = () => {
+        clearTimeout(timeout)
+        logger.info(`Gateway WebSocket connected`)
+        resolve()
+      }
+
+      ws.onerror = (event: any) => {
+        clearTimeout(timeout)
+        const errorMsg = String(event?.message ?? event)
+        logger.error(`Gateway WebSocket error: ${errorMsg}`)
+        reject(new Error(errorMsg))
+      }
+
+      ws.onclose = (event: any) => {
+        clearTimeout(timeout)
+        reject(new Error(`websocket closed before ready code=${event?.code ?? ''} reason=${event?.reason ?? ''}`))
+      }
+    })
+
+    ws.onmessage = (event: any) => {
+      const data = typeof event.data === 'string' ? event.data : String(event.data ?? '')
+      logger.info(`Gateway WebSocket message received bytes=${data.length}`)
+      handleMessage(data)
+    }
+
+    ws.onclose = (event: any) => {
+      logger.warn(`Gateway WebSocket closed scheduling reconnect... accountId=${accountId} code=${event?.code ?? ''} reason=${event?.reason ?? ''}`)
+      clearOpenclawWorkclawWsConnection(accountId)
+      scheduler.scheduleReconnect()
+    }
+
+    ws.onerror = (event: any) => {
+      logger.error(`Gateway WebSocket error: ${String(event?.message ?? event)}`)
+    }
+  }
+  catch (err) {
+    const errorStr = String(err)
+    logger.error(`Gateway connect failed: ${errorStr}`)
+
+    if (errorStr.includes('访问过于频繁')) {
+      logger.warn(`Rate limited, scheduling reconnect...`)
+      scheduler.scheduleReconnect()
+      throw err
+    }
+
+    const isAuthError
+      = errorStr.includes('"errCode":2001')
+        || errorStr.includes('"code":2001')
+        || errorStr.includes('鉴权失败')
+        || errorStr.includes('invalid credentials')
+        || errorStr.includes('unauthorized')
+
+    if (isAuthError) {
+      logger.error(`Authentication failed, not scheduling reconnect`)
+      scheduler.stopReconnect()
+      throw err
+    }
+
+    scheduler.scheduleReconnect()
+    throw err
+  }
+}
+
+/**
+ * per-appKey 模式: 多个账号共享一个 WebSocket 连接
+ */
+async function startSharedWebSocket(options: OpenclawWorkclawGatewayOptions): Promise<void> {
+  const { accountId, account, cfg, log } = options
+
+  const logger = createLogger('', log)
+  const rawConfig = account.config as unknown as OpenclawWorkclawConfig & OpenclawWorkclawAccountConfig
+
+  const baseConfig: WorkClawBaseConfig = {
+    baseUrl: rawConfig.baseUrl,
+    websocketUrl: rawConfig.websocketUrl,
+    appKey: rawConfig.appKey,
+    appSecret: rawConfig.appSecret,
+    localIp: rawConfig.localIp,
+    allowInsecureTls: rawConfig.allowInsecureTls,
+    requestTimeout: rawConfig.requestTimeout,
+  }
+
+  const accountConfig: OpenclawWorkclawAccountConfig = {
+    agentId: rawConfig.agentId,
+    userId: rawConfig.userId,
+    openConversationId: rawConfig.openConversationId,
+  }
+
+  const appKey = baseConfig.appKey || accountId
+  const appKeyRaw = baseConfig.appKey ?? ''
+
+  buildAccountMap(cfg)
+
+  logger.info(
+    `Gateway start (per-appKey) accountId=${accountId} appKey=${appKeyRaw ? `${appKeyRaw.slice(0, 8)}...` : 'missing'} baseUrl=${baseConfig.baseUrl ?? ''} websocketUrl=${baseConfig.websocketUrl ?? ''}`,
+  )
+
+  // 注册账号上下文
+  const ctx: MessageDispatcherContext = {
+    accountId,
+    account,
+    cfg,
+    baseConfig,
+    accountConfig,
+    log: logger,
+    scheduleReconnect: () => {
+      const scheduler = getReconnectScheduler(appKey)
+      scheduler?.scheduleReconnect()
+    },
+  }
+
+  registerAccountContext(appKey, accountId, ctx)
+
+  // 检查是否已存在该 appKey 的 WebSocket
+  const existingWs = getOpenclawWorkclawWsConnection(appKey)
+  if (existingWs) {
+    logger.info(`Gateway (per-appKey) using existing WebSocket for appKey=${appKey}`)
+    return
+  }
+
+  // 尝试获取连接锁，防止竞态条件
+  const isConnector = tryStartConnecting(appKey)
+  if (!isConnector) {
+    // 另一个账号正在连接，等待完成
+    logger.info(`Gateway (per-appKey) another account is connecting, waiting... appKey=${appKey}`)
+    // 等待直到连接建立完成（通过轮询）
+    const maxWait = 30000
+    const interval = 500
+    const startTime = Date.now()
+    while (Date.now() - startTime < maxWait) {
+      const ws = getOpenclawWorkclawWsConnection(appKey)
+      if (ws) {
+        logger.info(`Gateway (per-appKey) connection established by another account, using it appKey=${appKey}`)
+        return
+      }
+      await new Promise(resolve => setTimeout(resolve, interval))
+    }
+    logger.warn(`Gateway (per-appKey) wait timeout, will create own connection appKey=${appKey}`)
+    // 如果等待超时，由当前账号创建连接
+  }
+
+  // 需要创建新的 WebSocket（只有获取到锁的账号才执行到这里）
+  const scheduler = createReconnectScheduler({
+    key: appKey,
+    config: baseConfig,
+    log: logger,
+    onMessage: (data: string) => {
+      handleSharedMessage(appKey, data, cfg, logger)
+    },
+    onReconnectSuccess: () => {
+      // 重连成功后重置退避时间
+    },
+  })
+  setReconnectScheduler(appKey, scheduler)
+
+  try {
+    const tokenCacheKey = baseConfig.appKey || accountId
+    const connConfig = {
+      baseUrl: baseConfig.baseUrl || '',
+      websocketUrl: baseConfig.websocketUrl,
+      appKey: baseConfig.appKey,
+      appSecret: baseConfig.appSecret,
+      localIp: baseConfig.localIp,
+      allowInsecureTls: baseConfig.allowInsecureTls,
+      requestTimeout: baseConfig.requestTimeout,
+    }
+
+    const { endpoint, ticket } = await openOpenclawWorkclawConnection(tokenCacheKey, connConfig)
+    logger.info(`Gateway (per-appKey) Connection opened endpoint=${endpoint} ticketLen=${ticket?.length ?? 0}`)
+    const url = `${endpoint}?ticket=${encodeURIComponent(ticket)}`
+
+    const { Agent } = await import('undici')
+    const dispatcher = connConfig.allowInsecureTls
+      ? new Agent({ connect: { rejectUnauthorized: false } })
+      : undefined
+    const wsOptions = dispatcher ? { dispatcher } : undefined
+
+    const ws = new (await import('undici')).WebSocket(url, wsOptions)
+    setOpenclawWorkclawWsConnection(appKey, ws)
+    finishConnecting(appKey) // 连接已建立，释放锁
+
+    await new Promise<void>((resolve, reject) => {
+      const timeout = setTimeout(() => reject(new Error('websocket connection timeout')), 30000)
+
+      ws.onopen = () => {
+        clearTimeout(timeout)
+        logger.info(`Gateway (per-appKey) WebSocket connected`)
+        resolve()
+      }
+
+      ws.onerror = (event: any) => {
+        clearTimeout(timeout)
+        const errorMsg = String(event?.message ?? event)
+        logger.error(`Gateway (per-appKey) WebSocket error: ${errorMsg}`)
+        reject(new Error(errorMsg))
+      }
+
+      ws.onclose = (event: any) => {
+        clearTimeout(timeout)
+        reject(new Error(`websocket closed before ready code=${event?.code ?? ''} reason=${event?.reason ?? ''}`))
+      }
+    })
+
+    ws.onmessage = (event: any) => {
+      const data = typeof event.data === 'string' ? event.data : String(event.data ?? '')
+      logger.info(`Gateway (per-appKey) WebSocket message received bytes=${data.length}`)
+      logger.info?.(`Gateway (per-appKey) received message: ${data}`)
+      handleSharedMessage(appKey, data, cfg, logger)
+    }
+
+    ws.onclose = (event: any) => {
+      logger.warn(`Gateway (per-appKey) WebSocket closed scheduling reconnect... appKey=${appKey} code=${event?.code ?? ''} reason=${event?.reason ?? ''}`)
+      clearOpenclawWorkclawWsConnection(appKey)
+      scheduler.scheduleReconnect()
+    }
+
+    ws.onerror = (event: any) => {
+      logger.error(`Gateway (per-appKey) WebSocket error: ${String(event?.message ?? event)}`)
+    }
+  }
+  catch (err) {
+    finishConnecting(appKey) // 连接失败，释放锁
+    const errorStr = String(err)
+    logger.error(`Gateway (per-appKey) connect failed: ${errorStr}`)
+
+    if (errorStr.includes('访问过于频繁')) {
+      logger.warn(`Rate limited, scheduling reconnect...`)
+      scheduler.scheduleReconnect()
+      throw err
+    }
+
+    const isAuthError
+      = errorStr.includes('"errCode":2001')
+        || errorStr.includes('"code":2001')
+        || errorStr.includes('鉴权失败')
+        || errorStr.includes('invalid credentials')
+        || errorStr.includes('unauthorized')
+
+    if (isAuthError) {
+      logger.error(`Authentication failed, not scheduling reconnect`)
+      scheduler.stopReconnect()
+      throw err
+    }
+
+    scheduler.scheduleReconnect()
+    throw err
+  }
+}
+
+/**
+ * per-appKey 模式下处理共享 WebSocket 消息
+ */
+function handleSharedMessage(appKey: string, data: string, cfg: any, logger: any): void {
+  const parsed = parseWorkClawMessage(data, logger)
+
+  if (!parsed) {
+    logger.warn?.(`Gateway (per-appKey) failed to parse message`)
+    return
+  }
+
+  // ping/pong/disconnect 无需路由
+  if (parsed.type === 'ping') {
+    const ws = getOpenclawWorkclawWsConnection(appKey)
+    if (ws && ws.readyState === 1) { // OPEN
+      const pongResponse = {
+        code: 200,
+        message: 'pong',
+        metadata: { contentType: 'application/json' },
+        data: JSON.stringify(parsed.pongData),
+      }
+      ws.send(JSON.stringify(pongResponse))
+    }
+    return
+  }
+
+  if (parsed.type === 'disconnect') {
+    const ws = getOpenclawWorkclawWsConnection(appKey)
+    ws?.close()
+    return
+  }
+
+  logger.info?.(`Gateway (per-appKey) received message: ${data}`)
+
+  // 根据消息类型确定 userId 和 agentId
+  let userId: string = ''
+  let agentId: string = ''
+
+  if (parsed.type === 'agent_message' && parsed.message) {
+    userId = String(parsed.message.userId || '')
+    agentId = String(parsed.message.agentId || '')
+  }
+  else if (parsed.type === 'agent_created') {
+    // agent_created 触发新账号创建
+    const allDispatchers = getAllDispatchersByAppKey(appKey)
+    if (allDispatchers && allDispatchers.size > 0) {
+      const firstDispatcher = allDispatchers.values().next().value
+      if (firstDispatcher) {
+        dispatchOpenclawWorkclawMessage(data, firstDispatcher.ctx).catch((err) => {
+          logger.error?.(`Dispatch error: ${String(err)}`)
+        })
+      }
+    }
+    return
+  }
+  else if (parsed.type === 'agent_updated' || parsed.type === 'agent_deleted') {
+    userId = String(parsed.eventData?.futureId || parsed.eventData?.userId || '')
+    agentId = String(parsed.eventData?.id || parsed.eventData?.agentId || '')
+  }
+  else if (parsed.type === 'tools_list' || parsed.type === 'skills_list' || parsed.type === 'skills_event') {
+    userId = String(parsed.eventData?.userId || '')
+    agentId = String(parsed.eventData?.agentId || '')
+  }
+  else if (parsed.type === 'init_agent') {
+    userId = String(parsed.eventData?.futureId || parsed.eventData?.userId || '')
+    agentId = String(parsed.eventData?.id || parsed.eventData?.agentId || '')
+    /**
+     * 在 init_agent 中，配置文件的agentId 为空,所有无法通过 resolveAccountByUserIdAndAgentId 查找账户
+     */
+
+    const accountId = 'default'
+    const dispatcher = getDispatcherByAppKeyAndAccountId(appKey, accountId)
+    if (dispatcher) {
+      dispatchOpenclawWorkclawMessage(data, dispatcher.ctx).catch((err) => {
+        logger.error?.(`Dispatch error: ${String(err)}`)
+      })
+    }
+    else {
+      logger.warn?.(`Gateway (per-appKey) no dispatcher for accountId=${accountId}`)
+    }
+    return
+  }
+  else {
+    // 未知消息类型，忽略
+    return
+  }
+
+  const accountId = resolveAccountByUserIdAndAgentId(cfg, userId, agentId)
+  if (!accountId) {
+    logger.warn?.(`Gateway (per-appKey) no account found for userId=${userId} agentId=${agentId}`)
+    return
+  }
+
+  const dispatcher = getDispatcherByAppKeyAndAccountId(appKey, accountId)
+  if (dispatcher) {
+    dispatchOpenclawWorkclawMessage(data, dispatcher.ctx).catch((err) => {
+      logger.error?.(`Dispatch error: ${String(err)}`)
+    })
+  }
+  else {
+    logger.warn?.(`Gateway (per-appKey) no dispatcher for accountId=${accountId}`)
+  }
+}
+
+export function stopOpenclawWorkclawGateway(accountId: string, wsStrategy?: string): void {
+  if (wsStrategy === 'per-appKey') {
+    const appKey = getAppKeyByAccountId(accountId)
+    if (!appKey)
+      return
+
+    unregisterAccountContext(appKey, accountId)
+
+    if (getAllDispatchersByAppKey(appKey)?.size === 0) {
+      const ws = getOpenclawWorkclawWsConnection(appKey)
+      ws?.close()
+      clearOpenclawWorkclawWsConnection(appKey)
+
+      const scheduler = getReconnectScheduler(appKey)
+      scheduler?.stopReconnect()
+      clearReconnectScheduler(appKey)
+    }
+  }
+  else {
+    const ws = getOpenclawWorkclawWsConnection(accountId)
+    if (ws)
+      ws.close()
+    clearOpenclawWorkclawWsConnection(accountId)
+    clearOpenclawWorkclawTokenCache(accountId)
+  }
+}

package/src/media/upload.ts

@@ -0,0 +1,168 @@
+import { readFile, stat } from 'node:fs/promises'
+import os from 'node:os'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+export function isLocalMediaSource(value: string): boolean {
+  const trimmed = value.trim()
+  return (
+    trimmed.startsWith('/')
+    || trimmed.startsWith('./')
+    || trimmed.startsWith('../')
+    || trimmed.startsWith('~')
+    || trimmed.startsWith('file://')
+  )
+}
+
+export function resolveLocalPath(input: string): string {
+  if (input.startsWith('file://')) {
+    return fileURLToPath(input)
+  }
+  if (input.startsWith('~')) {
+    return path.join(os.homedir(), input.slice(1))
+  }
+  return path.resolve(input)
+}
+
+function readResponseUrlPath(
+  data: Record<string, unknown>,
+  pathValue?: string,
+): string | undefined {
+  if (!pathValue)
+    return undefined
+  const parts = pathValue.split('.').filter(Boolean)
+  let current: unknown = data
+  for (const part of parts) {
+    if (!current || typeof current !== 'object')
+      return undefined
+    current = (current as Record<string, unknown>)[part]
+  }
+  return typeof current === 'string' ? current : undefined
+}
+
+function extractUploadedUrl(
+  responseText: string,
+  responseData: Record<string, unknown>,
+  pathValue?: string,
+): string | undefined {
+  const fromPath = readResponseUrlPath(responseData, pathValue)
+  if (fromPath)
+    return fromPath
+
+  const direct
+    = (responseData.url as string | undefined)
+      ?? (responseData.mediaUrl as string | undefined)
+  if (typeof direct === 'string' && direct.trim())
+    return direct
+
+  const dataObj = responseData.data
+  if (dataObj && typeof dataObj === 'object') {
+    const dataUrl = (dataObj as Record<string, unknown>).url
+    const dataMedia = (dataObj as Record<string, unknown>).mediaUrl
+    if (typeof dataUrl === 'string' && dataUrl.trim())
+      return dataUrl
+    if (typeof dataMedia === 'string' && dataMedia.trim())
+      return dataMedia
+  }
+
+  const resultObj = responseData.result
+  if (resultObj && typeof resultObj === 'object') {
+    const resultUrl = (resultObj as Record<string, unknown>).url
+    const resultMedia = (resultObj as Record<string, unknown>).mediaUrl
+    if (typeof resultUrl === 'string' && resultUrl.trim())
+      return resultUrl
+    if (typeof resultMedia === 'string' && resultMedia.trim())
+      return resultMedia
+  }
+
+  if (responseText.trim() && /^https?:\/\//i.test(responseText.trim())) {
+    return responseText.trim()
+  }
+  return undefined
+}
+
+export interface UploadLocalMediaParams {
+  uploadUrl: string
+  filePath: string
+  uploadFieldName?: string
+  uploadHeaders?: Record<string, string>
+  uploadFormFields?: Record<string, string | number | boolean>
+  uploadResponseUrlPath?: string
+  requestTimeout: number
+  allowInsecureTls?: boolean
+}
+
+export async function uploadLocalMedia(params: UploadLocalMediaParams): Promise<string> {
+  const stats = await stat(params.filePath)
+  if (!stats.isFile()) {
+    throw new Error(`mediaUrl is not a file: ${params.filePath}`)
+  }
+
+  const content = await readFile(params.filePath)
+  const form = new FormData()
+  const fieldName = params.uploadFieldName?.trim() || 'file'
+  const fileName = path.basename(params.filePath)
+  form.set(fieldName, new Blob([content], { type: 'application/octet-stream' }), fileName)
+
+  if (params.uploadFormFields) {
+    for (const [key, value] of Object.entries(params.uploadFormFields)) {
+      form.set(key, String(value))
+    }
+  }
+
+  const controller = new AbortController()
+  const timeoutId = setTimeout(() => controller.abort(), params.requestTimeout)
+
+  let dispatcher: unknown
+  let doFetch: any = globalThis.fetch.bind(globalThis)
+
+  if (params.allowInsecureTls) {
+    try {
+      const { Agent, fetch: undiciFetchFn } = await import('undici')
+      dispatcher = new Agent({ connect: { rejectUnauthorized: false } })
+      doFetch = undiciFetchFn as any
+    }
+    catch (error) {
+      const message = error instanceof Error ? error.message : String(error)
+      throw new Error(`allowInsecureTls requires undici. ${message}`)
+    }
+  }
+
+  try {
+    const response = await doFetch(params.uploadUrl, {
+      method: 'POST',
+      headers: params.uploadHeaders ?? {},
+      body: form,
+      signal: controller.signal,
+      ...(dispatcher ? { dispatcher } : {}),
+    })
+
+    const responseText = await response.text().catch(() => '')
+    if (!response.ok) {
+      throw new Error(`Upload failed: ${response.status} ${responseText}`)
+    }
+
+    let data: Record<string, unknown> = {}
+    if (responseText) {
+      try {
+        data = JSON.parse(responseText) as Record<string, unknown>
+      }
+      catch {
+        data = {}
+      }
+    }
+
+    const uploadedUrl = extractUploadedUrl(
+      responseText,
+      data,
+      params.uploadResponseUrlPath,
+    )
+    if (!uploadedUrl) {
+      throw new Error('Upload response missing file URL')
+    }
+    return uploadedUrl
+  }
+  finally {
+    clearTimeout(timeoutId)
+  }
+}