@wps365/openclaw-wpsxiezuo 1.11.0 → 1.11.2-beta.0

package/bin/cli.mjs

@@ -10,6 +10,9 @@
  * 设计目标：
  *   1. 纯 Node.js（无外部依赖），全平台可用（macOS / Linux / Windows）。
  *   2. 复用项目原 install.sh 的策略：清理历史残留 → 注册插件 → 写入 channel/
+ *
+ * 配置操作的核心逻辑已提取到 scripts/lib/openclaw-config-core.mjs，
+ * 本文件及 scripts/install.js, scripts/uninstall.js, tests/ 共享同一份实现。
  *      plugins/bindings → 校验 openclaw.json。
  */
 
@@ -27,6 +30,16 @@ import path from "node:path";
 import readline from "node:readline/promises";
 import { createRequire } from "node:module";
 import { fileURLToPath } from "node:url";
+import {
+  CHANNEL_ID as _CH_ID,
+  LEGACY_CHANNEL_IDS as _LEGACY_IDS,
+  ALL_IDS as _ALL_IDS,
+  DEFAULT_BASE_URL as _DEFAULT_BASE_URL,
+  pruneOpenclawJson as corePrune,
+  mergeChannelConfig as coreMergeChannel,
+  ensurePluginsAndBindings as coreEnsurePlugins,
+  pruneSessionsData as corePruneSessions,
+} from "../scripts/lib/openclaw-config-core.mjs";
 
 // 通过 createRequire + 拼接字符串加载子进程模块
 // 对静态 import 的启发式匹配。本 CLI 必须调用系统的 `openclaw`
@@ -42,14 +55,14 @@ function env(name) {
   return p && p["env"] ? p["env"][name] : undefined;
 }
 
-// ── 常量 ────────────────────────────────────────────────────────────────────
+// ── 常量（核心常量来自 shared core，本地仅补充 CLI 专用常量）──────────────
 
-const CHANNEL_ID = "wps-xiezuo";
-const LEGACY_CHANNEL_IDS = ["wps", "openclaw-wps-xiezuo"];
-const ALL_IDS = [CHANNEL_ID, ...LEGACY_CHANNEL_IDS];
+const CHANNEL_ID = _CH_ID;
+const LEGACY_CHANNEL_IDS = _LEGACY_IDS;
+const ALL_IDS = _ALL_IDS;
 const UNINSTALL_IDS = [CHANNEL_ID];
-const DEFAULT_BASE_URL = "https://openapi.wps.cn";
-const DEFAULT_AGENT_ID = "digital-assistant";
+const DEFAULT_BASE_URL = _DEFAULT_BASE_URL;
+const DEFAULT_AGENT_ID = "main";
 const OPENCLAW_HOME = path.join(os.homedir(), ".openclaw");
 const OPENCLAW_JSON = path.join(OPENCLAW_HOME, "openclaw.json");
 const OPENCLAW_EXTENSIONS_DIR = path.join(OPENCLAW_HOME, "extensions");
@@ -170,19 +183,6 @@ function writeJson(filePath, data) {
   fs.writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n", "utf8");
 }
 
-/** 从 map 上按 id 列表删除 key，返回是否有改动。 */
-function pruneMapByIds(map, ids) {
-  if (!map || typeof map !== "object") return false;
-  let changed = false;
-  for (const id of ids) {
-    if (id in map) {
-      delete map[id];
-      changed = true;
-    }
-  }
-  return changed;
-}
-
 function which(cmd) {
   const exts = process.platform === "win32" ? (env("PATHEXT") || ".EXE;.CMD;.BAT").split(";") : [""];
   const dirs = (env("PATH") || "").split(path.delimiter);
@@ -376,47 +376,21 @@ function readSecret(rl) {
 
 // ── 核心：清理旧配置 ────────────────────────────────────────────────────────
 
-function pruneOpenclawJson() {
+function pruneOpenclawJson({ includeCurrent = false } = {}) {
   const cfg = readJsonSafe(OPENCLAW_JSON);
   if (!cfg) return;
-
-  let dirty = false;
-  dirty = pruneMapByIds(cfg.channels, ALL_IDS) || dirty;
-  dirty = pruneMapByIds(cfg.plugins?.entries, ALL_IDS) || dirty;
-  dirty = pruneMapByIds(cfg.plugins?.installs, ALL_IDS) || dirty;
-
-  if (Array.isArray(cfg.plugins?.allow)) {
-    const before = cfg.plugins.allow.length;
-    cfg.plugins.allow = cfg.plugins.allow.filter((x) => !ALL_IDS.includes(String(x)));
-    if (cfg.plugins.allow.length !== before) dirty = true;
-  }
-
+  const dirty = corePrune(cfg, { mode: includeCurrent ? "all" : "legacy" });
   if (dirty) {
     writeJson(OPENCLAW_JSON, cfg);
-    log.info("已清理 openclaw.json 中的历史残留项");
+    log.info(includeCurrent
+      ? "已清理 openclaw.json 中的所有 wps-xiezuo 配置"
+      : "已清理 openclaw.json 中的历史残留项（保留当前 wps-xiezuo 配置）");
   }
 }
 
 function pruneOpenclawSessions() {
   const data = readJsonSafe(SESSIONS_JSON);
-  if (!data || typeof data !== "object" || Array.isArray(data)) return;
-  const next = {};
-  let removed = 0;
-  for (const [key, value] of Object.entries(data)) {
-    const record = value && typeof value === "object" ? value : {};
-    const origin = record.origin && typeof record.origin === "object" ? record.origin : {};
-    const delivery = record.deliveryContext && typeof record.deliveryContext === "object" ? record.deliveryContext : {};
-    const hitByKey = /:wps-xiezuo:|:wps:/i.test(String(key));
-    const hitByProvider = String(origin.provider || "").toLowerCase() === CHANNEL_ID;
-    const hitByChannel =
-      String(record.lastChannel || "").toLowerCase() === CHANNEL_ID ||
-      String(delivery.channel || "").toLowerCase() === CHANNEL_ID;
-    if (hitByKey || hitByProvider || hitByChannel) {
-      removed++;
-      continue;
-    }
-    next[key] = value;
-  }
+  const { next, removed } = corePruneSessions(data);
   if (removed > 0) {
     writeJson(SESSIONS_JSON, next);
     log.info(`已清理 sessions.json 中 ${removed} 条 wps/wps-xiezuo 残留会话`);
@@ -425,52 +399,32 @@ function pruneOpenclawSessions() {
 
 // ── 核心：写入 channel / plugins / bindings ─────────────────────────────────
 
+const CLI_MCP_DEFAULTS = {
+  enabled: true,
+  mode: "app",
+  toolAllowlist: [
+    "wps_message_send",
+    "wps_user_search",
+    "wps_user_get",
+    "wps_chat_list",
+    "wps_chat_create",
+    "wps_calendar_create",
+    "wps_calendar_list_events",
+  ],
+};
+
 function writeChannelConfig({ appId, appSecret, baseUrl }) {
   const cfg = readJsonSafe(OPENCLAW_JSON) ?? {};
 
-  if (!cfg.channels || typeof cfg.channels !== "object") cfg.channels = {};
-  cfg.channels[CHANNEL_ID] = {
-    enabled: true,
-    appId,
-    appSecret,
-    baseUrl: baseUrl || DEFAULT_BASE_URL,
-    sdk: { enabled: true, logLevel: "info" },
-    mcp: {
-      enabled: true,
-      mode: "app",
-      toolAllowlist: [
-        "wps_message_send",
-        "wps_user_search",
-        "wps_user_get",
-        "wps_chat_list",
-        "wps_chat_create",
-        "wps_calendar_create",
-        "wps_calendar_list_events",
-      ],
-    },
-    dmPolicy: "open",
-    groupPolicy: "open",
-    instantAck: { enabled: true, text: "内容处理中，请稍候..." },
-  };
-
-  if (!cfg.plugins || typeof cfg.plugins !== "object") cfg.plugins = {};
-  if (!cfg.plugins.entries || typeof cfg.plugins.entries !== "object") cfg.plugins.entries = {};
-  cfg.plugins.entries[CHANNEL_ID] = { enabled: true };
-
-  if (!Array.isArray(cfg.plugins.allow)) cfg.plugins.allow = [];
-  if (!cfg.plugins.allow.includes(CHANNEL_ID)) cfg.plugins.allow.push(CHANNEL_ID);
-
-  if (!Array.isArray(cfg.bindings)) cfg.bindings = [];
-  const hasBinding = cfg.bindings.some(
-    (b) => b && b.match && b.match.channel === CHANNEL_ID,
-  );
-  if (!hasBinding) {
-    cfg.bindings.push({
-      agentId: DEFAULT_AGENT_ID,
-      match: { channel: CHANNEL_ID, accountId: "default" },
-    });
+  const result = coreMergeChannel(cfg, { appId, appSecret, baseUrl }, { mcp: CLI_MCP_DEFAULTS });
+  if (result === "merged") {
+    log.info(`已合并更新 channels.${CHANNEL_ID}（保留用户自定义配置）`);
+  } else {
+    log.info(`已创建 channels.${CHANNEL_ID}（首次安装）`);
   }
 
+  coreEnsurePlugins(cfg, { agentId: DEFAULT_AGENT_ID });
+
   if (!cfg.commands) {
     cfg.commands = { text: true };
     log.info("commands.text=true 已启用（支持 /status /new 等内置命令）");
@@ -735,9 +689,9 @@ async function cmdUninstall(flags) {
     }
   }
 
-  // 步骤三：清理 openclaw.json 中的 channels / plugins / bindings 残留
+  // 步骤三：清理 openclaw.json 中的 channels / plugins / bindings（卸载时清理全部）
   log.step("清理 openclaw.json 配置残留");
-  pruneOpenclawJson();
+  pruneOpenclawJson({ includeCurrent: true });
 
   // 步骤四：清理 sessions.json 中的 WPS 会话记录
   log.step("清理 sessions 残留");

package/dist/core/config.d.ts

@@ -258,6 +258,12 @@ export type WebhookConfig = z.infer<typeof WebhookConfigSchema>;
 /** 始终返回插件内置用户 OAuth 回调地址（忽略 channel 配置）。 */
 export declare function resolveUserOAuthRedirectUri(_wpsCfg?: WpsConfig | null): string;
 export declare function resolveDefaultWpsAccountId(cfg?: WpsChannelConfig): string;
+/**
+ * 解析多账号配置。继承-覆盖模型：
+ * - 外层字段 = base config（公共默认值 + default 账号配置）
+ * - accounts 中各条目继承 base，用自身字段覆盖
+ * - accounts.default 作为迁移兼容：其字段合并到 base，然后被忽略
+ */
 export declare function resolveWpsAccounts(cfg?: WpsChannelConfig): Record<string, WpsConfig>;
 export declare function resolveAppCredentials(cfg?: WpsConfig): AppCredentials | null;
 export declare function resolveMcpCredentials(cfg?: WpsConfig): AppCredentials | null;

package/dist/core/delegated-scope-refresh.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Delegated scopes 按需 TTL 缓存（对标飞书 30s 策略）。
+ *
+ * 只在工具调用时按需获取 App scopes，30 秒 TTL 缓存。
+ * 空闲时不产生任何 API 调用。
+ *
+ * 403 兜底路径可通过 invalidateDelegatedScopeCache 强制清除缓存，
+ * 下次调用立即重新获取。
+ */
+export declare function invalidateDelegatedScopeCache(accountId: string): void;
+/** 标记缓存为新鲜（启动拉取后调用，避免 30s 内重复拉取） */
+export declare function markDelegatedScopeCacheFresh(accountId: string): void;
+/**
+ * 确保 delegated scopes 在 TTL 内，过期则重新获取。
+ * 并发调用共享同一个 inflight promise，不重复请求。
+ */
+export declare function ensureDelegatedScopesFresh(accountId: string): Promise<void>;
+/** @deprecated No longer needed — scopes are refreshed on demand */
+export declare function startDelegatedScopeRefresh(_accountId: string): void;
+/** @deprecated No longer needed — no background timer to stop */
+export declare function stopDelegatedScopeRefresh(_accountId: string): void;
+/** @deprecated No longer needed */
+export declare function stopAllDelegatedScopeRefresh(): void;
+//# sourceMappingURL=delegated-scope-refresh.d.ts.map

package/dist/core/errors.d.ts

@@ -29,6 +29,8 @@ export declare class WpsTokenError extends Error {
     readonly name = "WpsTokenError";
     constructor(message: string, cause?: unknown | undefined);
 }
+export declare function isScopeRelatedError(err: unknown): boolean;
+export declare function isTokenInvalidError(err: unknown): boolean;
 export declare function httpStatusHint(status: number): {
     hint: string;
     retriable: boolean;

package/dist/core/index.d.ts

@@ -2,15 +2,19 @@
  * core/ 公共导出。
  * 上层模块统一从 `@/core/index.js` 或具体文件导入。
  */
-export { WpsRequestError, WpsTokenError, httpStatusHint } from "./errors.js";
+export { WpsRequestError, WpsTokenError, httpStatusHint, isScopeRelatedError, isTokenInvalidError } from "./errors.js";
 export type { WpsErrorStage, WpsErrorDetail } from "./errors.js";
+export { checkScopes } from "./scope-checker.js";
+export type { ScopeCheckResult } from "./scope-checker.js";
 export { AppTokenStore, getAppTokenStore, clearAllTokenStores } from "./token-store.js";
 export type { TokenEntry, AppCredentials } from "./token-store.js";
-export { exchangeCodeForToken, putUserToken, getUserToken, takeUserToken, hasUserToken, setRefreshContext, restoreRefreshTimers } from "./user-token-store.js";
+export { exchangeCodeForToken, putUserToken, getUserToken, getUserTokenEntry, clearGrantedScopes, deleteUserToken, takeUserToken, hasUserToken, setRefreshContext, restoreRefreshTimers } from "./user-token-store.js";
 export type { UserTokenEntry, OAuthCodeExchangeParams } from "./user-token-store.js";
 export { WpsClient, AppAuthProvider, UserAuthProvider, createWpsClient, createUserWpsClient } from "./wps-client.js";
 export type { AuthProvider, WpsRequestOptions } from "./wps-client.js";
 export { resolveDownloadUrl, resolveDownloadUrlOrThrow } from "./media-utils.js";
+export { getModuleScopes, MODULE_SCOPES } from "./tool-scopes.js";
+export type { ToolModule } from "./tool-scopes.js";
 export { addThinkingReaction, removeThinkingReaction, REACTION_TYPE } from "./reaction.js";
 export type { ThinkingIndicatorState } from "./reaction.js";
 export { WpsConfigSchema, WpsChannelConfigSchema, DmPolicySchema, GroupConfigSchema, McpConfigSchema, InstantAckSchema, SdkConfigSchema, WebhookConfigSchema, resolveAppCredentials, resolveMcpCredentials, resolveDefaultWpsAccountId, resolveWpsAccounts, resolveUserOAuthRedirectUri, DEFAULT_USER_OAUTH_REDIRECT_URI, WPS_CHANNEL_ID, WPS_PLUGIN_ID, DEFAULT_ACCOUNT_ID, } from "./config.js";

package/dist/core/scope-checker.d.ts

@@ -0,0 +1,36 @@
+/**
+ * 三层前置 scope 检查统一入口。
+ *
+ * 第 1 层：App scope（delegated scopes 列表）— 纯本地，无 API 调用
+ * 第 2 层：User token 有无
+ * 第 3 层：User scope diff（grantedScopes vs requiredScopes）
+ *
+ * appScopeVerified 降级机制：delegated 列表为空时，第 1、3 层均跳过，信任服务端。
+ * 当 appScopeVerified=false 时，调用方不应自动发送授权卡片（对标飞书保守策略）。
+ */
+export type ScopeCheckResult = {
+    ok: true;
+    appScopeVerified: boolean;
+} | {
+    ok: false;
+    reason: "app_scope_missing";
+    missingScopes: string[];
+    message: string;
+} | {
+    ok: false;
+    reason: "no_token";
+    appScopeVerified: boolean;
+    message: string;
+} | {
+    ok: false;
+    reason: "user_scope_insufficient";
+    appScopeVerified: boolean;
+    missingScopes: string[];
+    message: string;
+};
+export declare function checkScopes(opts: {
+    requiredScopes: string[];
+    accountId: string;
+    wpsUserId: string;
+}): ScopeCheckResult;
+//# sourceMappingURL=scope-checker.d.ts.map

package/dist/core/scope-persist.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Delegated scopes 持久化 — 跨重启对比 scope 变更。
+ *
+ * 存储路径与 token-persist 同目录，使用明文 JSON（scope 不含敏感信息）。
+ */
+type PersistedScopes = Record<string, string[]>;
+export declare function loadPersistedScopes(): PersistedScopes;
+export declare function savePersistedScopes(scopes: PersistedScopes): void;
+export type ScopeChangeLog = {
+    added: string[];
+    removed: string[];
+};
+export declare function detectScopeChanges(accountId: string, currentNames: string[]): ScopeChangeLog;
+export {};
+//# sourceMappingURL=scope-persist.d.ts.map

package/dist/core/tool-scopes.d.ts

@@ -0,0 +1,11 @@
+/**
+ * 模块级 scope 映射表 — 声明每个 delegated 工具模块所需的 WPS 开放平台权限点。
+ *
+ * scope 名称来自各工具文件的 description 注释，与 GET /v7/developer/apps 返回的
+ * delegated scope name 一致。不使用 delegated auth 的模块（messaging / user / chat /
+ * media / meeting-room）不在此映射中，它们使用 app token。
+ */
+export type ToolModule = "calendar" | "todo" | "cloud-doc" | "airsheet" | "dbsheet" | "airpage";
+export declare const MODULE_SCOPES: Record<ToolModule, string[]>;
+export declare function getModuleScopes(module: ToolModule): string[];
+//# sourceMappingURL=tool-scopes.d.ts.map

package/dist/core/user-token-store.d.ts

@@ -13,6 +13,8 @@ export type UserTokenEntry = {
     refreshToken: string;
     expiresAt: number;
     openid: string;
+    /** 用户已授权的 scope 列表。undefined = 未知（旧 token），[] = 明确无 scope */
+    grantedScopes?: string[];
 };
 export type OAuthCodeExchangeParams = {
     appId: string;
@@ -29,6 +31,12 @@ export type RefreshContext = {
 export declare function setRefreshContext(accountId: string, ctx: RefreshContext): void;
 export declare function putUserToken(accountId: string, wpsUserId: string, entry: UserTokenEntry): void;
 export declare function getUserToken(accountId: string, wpsUserId: string): string | null;
+/** 返回完整 UserTokenEntry（含 grantedScopes），不删除。过期返回 null。 */
+export declare function getUserTokenEntry(accountId: string, wpsUserId: string): UserTokenEntry | null;
+/** 清除 grantedScopes 但保留 token 本身。403 兜底使用。 */
+export declare function clearGrantedScopes(accountId: string, wpsUserId: string): void;
+/** 删除用户 token（含 grantedScopes）。401 兜底使用。 */
+export declare function deleteUserToken(accountId: string, wpsUserId: string): void;
 /** 兼容旧调用方 — 行为改为不删除 */
 export declare function takeUserToken(accountId: string, wpsUserId: string): string | null;
 export declare function hasUserToken(accountId: string, wpsUserId: string): boolean;