@yanhaidao/wecom 2.4.120 → 2.5.110

package/dist/src/config/schema.js

@@ -0,0 +1,4 @@
+/**
+ * @deprecated No longer a Zod schema. Kept as a type-only export for backward compatibility.
+ */
+export const WecomConfigSchema = undefined;

package/{src/config-schema.ts → dist/src/config-schema.js}

@@ -2,4 +2,4 @@
  * Backward-compatible schema export.
  * Canonical schema lives in `src/config/schema.ts`.
  */
-export { WecomConfigSchema, type WecomConfigInput } from "./config/schema.js";
+export { WecomConfigSchema } from "./config/schema.js";

package/dist/src/context-store.js

@@ -0,0 +1,219 @@
+/**
+ * Context store for WeCom Bot WS proactive push.
+ *
+ * Similar to Weixin's contextToken mechanism, we need to track:
+ * - Which accountId has active sessions with which peerId
+ * - The contextToken for routing outbound messages
+ */
+import { randomUUID } from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+// Simple logger
+const logger = {
+    info: (...args) => console.log('[wecom-context]', ...args),
+    warn: (...args) => console.warn('[wecom-context]', ...args),
+    debug: (...args) => process.env.DEBUG && console.log('[wecom-context]', ...args),
+};
+// In-memory store: accountId -> peerId -> context info
+const peerContextStore = new Map();
+// Reverse lookup: peerId -> accountId (for routing outbound)
+const peerToAccountMap = new Map();
+const contextTokenToPeerMap = new Map();
+function resolveStateDir() {
+    return process.env.OPENCLAW_STATE_DIR || path.join(process.env.HOME || "/tmp", ".openclaw");
+}
+function resolveContextFilePath(accountId) {
+    return path.join(resolveStateDir(), "wecom", "context", `${accountId}.json`);
+}
+/** Persist peer contexts for an account to disk */
+function persistContexts(accountId) {
+    const peerMap = peerContextStore.get(accountId);
+    if (!peerMap)
+        return;
+    const data = {};
+    for (const [peerId, info] of peerMap) {
+        data[peerId] = info;
+    }
+    const filePath = resolveContextFilePath(accountId);
+    try {
+        const dir = path.dirname(filePath);
+        fs.mkdirSync(dir, { recursive: true });
+        fs.writeFileSync(filePath, JSON.stringify(data, null, 0), "utf-8");
+    }
+    catch (err) {
+        logger.warn?.(`persistContexts: failed to write ${filePath}: ${String(err)}`);
+    }
+}
+function normalizeContextToken(value) {
+    const token = typeof value === "string" ? value.trim() : "";
+    return token || undefined;
+}
+function normalizePeerKind(value) {
+    return value === "group" ? "group" : "direct";
+}
+function normalizeOptional(value) {
+    const normalized = typeof value === "string" ? value.trim() : "";
+    return normalized || undefined;
+}
+function findStoredPeerContext(accountId, peerId) {
+    const peerMap = peerContextStore.get(accountId);
+    if (!peerMap)
+        return undefined;
+    const exact = peerMap.get(peerId);
+    if (exact)
+        return exact;
+    const normalizedPeerId = peerId.trim().toLowerCase();
+    for (const [storedPeerId, info] of peerMap) {
+        if (storedPeerId.trim().toLowerCase() === normalizedPeerId) {
+            return info;
+        }
+    }
+    return undefined;
+}
+function registerPeerContext(accountId, peerId, info) {
+    let peerMap = peerContextStore.get(accountId);
+    if (!peerMap) {
+        peerMap = new Map();
+        peerContextStore.set(accountId, peerMap);
+    }
+    const previous = peerMap.get(peerId);
+    if (previous?.contextToken && previous.contextToken !== info.contextToken) {
+        contextTokenToPeerMap.delete(previous.contextToken);
+    }
+    peerMap.set(peerId, info);
+    peerToAccountMap.set(peerId, accountId);
+    contextTokenToPeerMap.set(info.contextToken, {
+        accountId,
+        peerId,
+        ...info,
+    });
+}
+function resolveStoredPeerContext(accountId, peerId, params) {
+    const existing = findStoredPeerContext(accountId, peerId);
+    return {
+        contextToken: normalizeContextToken(params.contextToken) ??
+            existing?.contextToken ??
+            randomUUID(),
+        peerKind: params.peerKind ?? existing?.peerKind ?? "direct",
+        lastSeen: params.lastSeen ?? Date.now(),
+        ...(normalizeOptional(params.upstreamCorpId) || existing?.upstreamCorpId
+            ? { upstreamCorpId: normalizeOptional(params.upstreamCorpId) ?? existing?.upstreamCorpId }
+            : {}),
+    };
+}
+/** Restore persisted peer contexts for an account */
+export function restorePeerContexts(accountId) {
+    const filePath = resolveContextFilePath(accountId);
+    try {
+        if (!fs.existsSync(filePath))
+            return;
+        const raw = fs.readFileSync(filePath, "utf-8");
+        const data = JSON.parse(raw);
+        const peerMap = new Map();
+        let count = 0;
+        let mutated = false;
+        for (const [peerId, info] of Object.entries(data)) {
+            const normalized = {
+                contextToken: normalizeContextToken(info?.contextToken) ?? randomUUID(),
+                peerKind: normalizePeerKind(info?.peerKind),
+                lastSeen: typeof info?.lastSeen === "number" && Number.isFinite(info.lastSeen)
+                    ? info.lastSeen
+                    : Date.now(),
+                ...(normalizeOptional(info?.upstreamCorpId)
+                    ? { upstreamCorpId: normalizeOptional(info?.upstreamCorpId) }
+                    : {}),
+            };
+            peerMap.set(peerId, normalized);
+            peerToAccountMap.set(peerId, accountId);
+            contextTokenToPeerMap.set(normalized.contextToken, {
+                accountId,
+                peerId,
+                ...normalized,
+            });
+            if (normalized.contextToken !== info?.contextToken ||
+                normalized.peerKind !== info?.peerKind ||
+                normalized.lastSeen !== info?.lastSeen ||
+                normalized.upstreamCorpId !== normalizeOptional(info?.upstreamCorpId)) {
+                mutated = true;
+            }
+            count++;
+        }
+        peerContextStore.set(accountId, peerMap);
+        if (mutated) {
+            persistContexts(accountId);
+        }
+        logger.info?.(`restorePeerContexts: restored ${count} peers for account=${accountId}`);
+    }
+    catch (err) {
+        logger.warn?.(`restorePeerContexts: failed to read ${filePath}: ${String(err)}`);
+    }
+}
+/** Store context for a peer (called on inbound message) */
+export function setPeerContext(accountId, peerId, options) {
+    const resolved = resolveStoredPeerContext(accountId, peerId, options ?? {});
+    registerPeerContext(accountId, peerId, resolved);
+    // Persist to disk (debounced would be better, but simple for now)
+    persistContexts(accountId);
+    logger.debug?.(`setPeerContext: accountId=${accountId} peerId=${peerId} token=${resolved.contextToken} kind=${resolved.peerKind}`);
+    return resolved.contextToken;
+}
+/** Get the accountId that has an active session with a peer */
+export function getAccountIdByPeer(peerId) {
+    return peerToAccountMap.get(peerId);
+}
+/** Get the most recent peerId for an account (for proactive push) */
+export function getRecentPeerForAccount(accountId, maxAgeMs = 30 * 60 * 1000) {
+    const peerMap = peerContextStore.get(accountId);
+    if (!peerMap)
+        return undefined;
+    let mostRecent;
+    for (const [peerId, info] of peerMap) {
+        if (Date.now() - info.lastSeen > maxAgeMs)
+            continue;
+        if (!mostRecent || info.lastSeen > mostRecent.lastSeen) {
+            mostRecent = { peerId, lastSeen: info.lastSeen };
+        }
+    }
+    return mostRecent?.peerId;
+}
+/** Get context token for a peer */
+export function getPeerContextToken(accountId, peerId) {
+    return findStoredPeerContext(accountId, peerId)?.contextToken;
+}
+export function getPeerUpstreamCorpId(accountId, peerId) {
+    return findStoredPeerContext(accountId, peerId)?.upstreamCorpId;
+}
+/** Resolve a peer context from a context token. */
+export function getPeerContextByToken(contextToken) {
+    return contextTokenToPeerMap.get(contextToken);
+}
+/** Resolve accountId from a context token. */
+export function getAccountIdByContextToken(contextToken) {
+    return contextTokenToPeerMap.get(contextToken)?.accountId;
+}
+/** Check if we have an active session for routing */
+export function hasActiveSession(accountId, peerId, maxAgeMs = 30 * 60 * 1000) {
+    const info = findStoredPeerContext(accountId, peerId);
+    if (!info)
+        return false;
+    return Date.now() - info.lastSeen < maxAgeMs;
+}
+/** Clear all contexts for an account */
+export function clearPeerContexts(accountId) {
+    const peerMap = peerContextStore.get(accountId);
+    if (peerMap) {
+        for (const [peerId, info] of peerMap) {
+            peerToAccountMap.delete(peerId);
+            contextTokenToPeerMap.delete(info.contextToken);
+        }
+    }
+    peerContextStore.delete(accountId);
+    const filePath = resolveContextFilePath(accountId);
+    try {
+        if (fs.existsSync(filePath))
+            fs.unlinkSync(filePath);
+    }
+    catch (err) {
+        logger.warn?.(`clearPeerContexts: failed to remove ${filePath}`);
+    }
+}

package/{src/crypto/aes.ts → dist/src/crypto/aes.js}

@@ -2,13 +2,12 @@
  * WeCom AES-256-CBC 加解密核心
  * Bot 和 Agent 模式共用
  */
-
 import crypto from "node:crypto";
 import { CRYPTO } from "../types/constants.js";
-
-export function decodeEncodingAESKey(encodingAESKey: string): Buffer {
+export function decodeEncodingAESKey(encodingAESKey) {
     const trimmed = encodingAESKey.trim();
-    if (!trimmed) throw new Error("encodingAESKey missing");
+    if (!trimmed)
+        throw new Error("encodingAESKey missing");
     const withPadding = trimmed.endsWith("=") ? trimmed : `${trimmed}=`;
     const key = Buffer.from(withPadding, "base64");
     if (key.length !== CRYPTO.AES_KEY_LENGTH) {
@@ -16,17 +15,16 @@ export function decodeEncodingAESKey(encodingAESKey: string): Buffer {
     }
     return key;
 }
-
-function pkcs7Pad(buf: Buffer, blockSize: number): Buffer {
+function pkcs7Pad(buf, blockSize) {
     const mod = buf.length % blockSize;
     const pad = mod === 0 ? blockSize : blockSize - mod;
     const padByte = Buffer.from([pad]);
-    return Buffer.concat([buf, Buffer.alloc(pad, padByte[0]!)]);
+    return Buffer.concat([buf, Buffer.alloc(pad, padByte[0])]);
 }
-
-export function pkcs7Unpad(buf: Buffer, blockSize: number): Buffer {
-    if (buf.length === 0) throw new Error("invalid pkcs7 payload");
-    const pad = buf[buf.length - 1]!;
+export function pkcs7Unpad(buf, blockSize) {
+    if (buf.length === 0)
+        throw new Error("invalid pkcs7 payload");
+    const pad = buf[buf.length - 1];
     if (pad < 1 || pad > blockSize) {
         throw new Error("invalid pkcs7 padding");
     }
@@ -40,15 +38,10 @@ export function pkcs7Unpad(buf: Buffer, blockSize: number): Buffer {
     }
     return buf.subarray(0, buf.length - pad);
 }
-
 /**
  * 解密 WeCom 加密消息
  */
-export function decryptWecomEncrypted(params: {
-    encodingAESKey: string;
-    receiveId?: string;
-    encrypt: string;
-}): string {
+export function decryptWecomEncrypted(params) {
     const aesKey = decodeEncodingAESKey(params.encodingAESKey);
     const iv = aesKey.subarray(0, 16);
     const decipher = crypto.createDecipheriv("aes-256-cbc", aesKey, iv);
@@ -58,11 +51,9 @@ export function decryptWecomEncrypted(params: {
         decipher.final(),
     ]);
     const decrypted = pkcs7Unpad(decryptedPadded, CRYPTO.PKCS7_BLOCK_SIZE);
-
     if (decrypted.length < 20) {
         throw new Error(`invalid payload (expected >=20 bytes, got ${decrypted.length})`);
     }
-
     // 16 bytes random + 4 bytes length + msg + receiveId
     const msgLen = decrypted.readUInt32BE(16);
     const msgStart = 20;
@@ -71,7 +62,6 @@ export function decryptWecomEncrypted(params: {
         throw new Error(`invalid msg length (msgEnd=${msgEnd}, total=${decrypted.length})`);
     }
     const msg = decrypted.subarray(msgStart, msgEnd).toString("utf8");
-
     const receiveId = params.receiveId ?? "";
     if (receiveId) {
         const trailing = decrypted.subarray(msgEnd).toString("utf8");
@@ -79,18 +69,12 @@ export function decryptWecomEncrypted(params: {
             throw new Error(`receiveId mismatch (expected "${receiveId}", got "${trailing}")`);
         }
     }
-
     return msg;
 }
-
 /**
  * 加密明文为 WeCom 格式
  */
-export function encryptWecomPlaintext(params: {
-    encodingAESKey: string;
-    receiveId?: string;
-    plaintext: string;
-}): string {
+export function encryptWecomPlaintext(params) {
     const aesKey = decodeEncodingAESKey(params.encodingAESKey);
     const iv = aesKey.subarray(0, 16);
     const random16 = crypto.randomBytes(16);
@@ -98,7 +82,6 @@ export function encryptWecomPlaintext(params: {
     const msgLen = Buffer.alloc(4);
     msgLen.writeUInt32BE(msg.length, 0);
     const receiveId = Buffer.from(params.receiveId ?? "", "utf8");
-
     const raw = Buffer.concat([random16, msgLen, msg, receiveId]);
     const padded = pkcs7Pad(raw, CRYPTO.PKCS7_BLOCK_SIZE);
     const cipher = crypto.createCipheriv("aes-256-cbc", aesKey, iv);

package/dist/src/crypto/index.js

@@ -0,0 +1,9 @@
+/**
+ * WeCom 加解密模块导出
+ */
+// AES 加解密
+export { decodeEncodingAESKey, pkcs7Unpad, decryptWecomEncrypted, encryptWecomPlaintext, } from "./aes.js";
+// 签名验证
+export { computeWecomMsgSignature, verifyWecomSignature, } from "./signature.js";
+// XML 辅助
+export { extractEncryptFromXml, extractToUserNameFromXml, buildEncryptedXmlResponse, } from "./xml.js";

package/{src/crypto/signature.ts → dist/src/crypto/signature.js}

@@ -1,38 +1,23 @@
 /**
  * WeCom 签名计算与验证
  */
-
 import crypto from "node:crypto";
-
-function sha1Hex(input: string): string {
+function sha1Hex(input) {
     return crypto.createHash("sha1").update(input).digest("hex");
 }
-
 /**
  * 计算 WeCom 消息签名
  */
-export function computeWecomMsgSignature(params: {
-    token: string;
-    timestamp: string;
-    nonce: string;
-    encrypt: string;
-}): string {
+export function computeWecomMsgSignature(params) {
     const parts = [params.token, params.timestamp, params.nonce, params.encrypt]
         .map((v) => String(v ?? ""))
         .sort();
     return sha1Hex(parts.join(""));
 }
-
 /**
  * 验证 WeCom 消息签名
  */
-export function verifyWecomSignature(params: {
-    token: string;
-    timestamp: string;
-    nonce: string;
-    encrypt: string;
-    signature: string;
-}): boolean {
+export function verifyWecomSignature(params) {
     const expected = computeWecomMsgSignature({
         token: params.token,
         timestamp: params.timestamp,

package/{src/crypto/xml.ts → dist/src/crypto/xml.js}

@@ -2,11 +2,10 @@
  * WeCom XML 加解密辅助函数
  * 用于 Agent 模式处理 XML 格式回调
  */
-
 /**
  * 从 XML 密文中提取 Encrypt 字段
  */
-export function extractEncryptFromXml(xml: string): string {
+export function extractEncryptFromXml(xml) {
     const match = /<Encrypt><!\[CDATA\[(.*?)\]\]><\/Encrypt>/s.exec(xml);
     if (!match?.[1]) {
         // 尝试不带 CDATA 的格式
@@ -18,11 +17,10 @@ export function extractEncryptFromXml(xml: string): string {
     }
     return match[1];
 }
-
 /**
  * 从 XML 中提取 ToUserName (CorpID)
  */
-export function extractToUserNameFromXml(xml: string): string {
+export function extractToUserNameFromXml(xml) {
     const match = /<ToUserName><!\[CDATA\[(.*?)\]\]><\/ToUserName>/s.exec(xml);
     if (!match?.[1]) {
         const altMatch = /<ToUserName>(.*?)<\/ToUserName>/s.exec(xml);
@@ -30,16 +28,10 @@ export function extractToUserNameFromXml(xml: string): string {
     }
     return match[1];
 }
-
 /**
  * 构建加密 XML 响应
  */
-export function buildEncryptedXmlResponse(params: {
-    encrypt: string;
-    signature: string;
-    timestamp: string;
-    nonce: string;
-}): string {
+export function buildEncryptedXmlResponse(params) {
     return `<xml>
 <Encrypt><![CDATA[${params.encrypt}]]></Encrypt>
 <MsgSignature><![CDATA[${params.signature}]]></MsgSignature>

package/dist/src/crypto.js

@@ -0,0 +1,145 @@
+import crypto from "node:crypto";
+/**
+ * **decodeEncodingAESKey (解码 AES Key)**
+ *
+ * 将企业微信配置的 Base64 编码的 AES Key 解码为 Buffer。
+ * 包含补全 Padding 和长度校验 (必须32字节)。
+ */
+export function decodeEncodingAESKey(encodingAESKey) {
+    const trimmed = encodingAESKey.trim();
+    if (!trimmed)
+        throw new Error("encodingAESKey missing");
+    const withPadding = trimmed.endsWith("=") ? trimmed : `${trimmed}=`;
+    const key = Buffer.from(withPadding, "base64");
+    if (key.length !== 32) {
+        throw new Error(`invalid encodingAESKey (expected 32 bytes after base64 decode, got ${key.length})`);
+    }
+    return key;
+}
+// WeCom uses PKCS#7 padding with a block size of 32 bytes (not AES's 16-byte block).
+// This is compatible with AES-CBC as 32 is a multiple of 16, but it requires manual padding/unpadding.
+export const WECOM_PKCS7_BLOCK_SIZE = 32;
+function pkcs7Pad(buf, blockSize) {
+    const mod = buf.length % blockSize;
+    const pad = mod === 0 ? blockSize : blockSize - mod;
+    const padByte = Buffer.from([pad]);
+    return Buffer.concat([buf, Buffer.alloc(pad, padByte[0])]);
+}
+/**
+ * **pkcs7Unpad (去除 PKCS#7 填充)**
+ *
+ * 移除 AES 解密后的 PKCS#7 填充字节。
+ * 包含填充合法性校验。
+ */
+export function pkcs7Unpad(buf, blockSize) {
+    if (buf.length === 0)
+        throw new Error("invalid pkcs7 payload");
+    const pad = buf[buf.length - 1];
+    if (pad < 1 || pad > blockSize) {
+        throw new Error("invalid pkcs7 padding");
+    }
+    if (pad > buf.length) {
+        throw new Error("invalid pkcs7 payload");
+    }
+    // Best-effort validation (all padding bytes equal).
+    for (let i = 0; i < pad; i += 1) {
+        if (buf[buf.length - 1 - i] !== pad) {
+            throw new Error("invalid pkcs7 padding");
+        }
+    }
+    return buf.subarray(0, buf.length - pad);
+}
+function sha1Hex(input) {
+    return crypto.createHash("sha1").update(input).digest("hex");
+}
+/**
+ * **computeWecomMsgSignature (计算消息签名)**
+ *
+ * 算法：sha1(sort(token, timestamp, nonce, encrypt_msg))
+ */
+export function computeWecomMsgSignature(params) {
+    const parts = [params.token, params.timestamp, params.nonce, params.encrypt]
+        .map((v) => String(v ?? ""))
+        .sort();
+    return sha1Hex(parts.join(""));
+}
+/**
+ * **verifyWecomSignature (验证消息签名)**
+ *
+ * 比较计算出的签名与企业微信传入的签名是否一致。
+ */
+export function verifyWecomSignature(params) {
+    const expected = computeWecomMsgSignature({
+        token: params.token,
+        timestamp: params.timestamp,
+        nonce: params.nonce,
+        encrypt: params.encrypt,
+    });
+    return expected === params.signature;
+}
+/**
+ * **decryptWecomEncrypted (解密企业微信消息)**
+ *
+ * 将企业微信的 AES 加密包解密为明文。
+ * 流程：
+ * 1. Base64 解码 AESKey 并获取 IV (前16字节)。
+ * 2. AES-CBC 解密。
+ * 3. 去除 PKCS#7 填充。
+ * 4. 拆解协议包结构: [16字节随机串][4字节长度][消息体][接收者ID]。
+ * 5. 校验接收者ID (ReceiveId)。
+ */
+export function decryptWecomEncrypted(params) {
+    const aesKey = decodeEncodingAESKey(params.encodingAESKey);
+    const iv = aesKey.subarray(0, 16);
+    const decipher = crypto.createDecipheriv("aes-256-cbc", aesKey, iv);
+    decipher.setAutoPadding(false);
+    const decryptedPadded = Buffer.concat([
+        decipher.update(Buffer.from(params.encrypt, "base64")),
+        decipher.final(),
+    ]);
+    const decrypted = pkcs7Unpad(decryptedPadded, WECOM_PKCS7_BLOCK_SIZE);
+    if (decrypted.length < 20) {
+        throw new Error(`invalid decrypted payload (expected at least 20 bytes, got ${decrypted.length})`);
+    }
+    // 16 bytes random + 4 bytes network-order length + msg + receiveId (optional)
+    const msgLen = decrypted.readUInt32BE(16);
+    const msgStart = 20;
+    const msgEnd = msgStart + msgLen;
+    if (msgEnd > decrypted.length) {
+        throw new Error(`invalid decrypted msg length (msgEnd=${msgEnd}, payloadLength=${decrypted.length})`);
+    }
+    const msg = decrypted.subarray(msgStart, msgEnd).toString("utf8");
+    const receiveId = params.receiveId ?? "";
+    if (receiveId) {
+        const trailing = decrypted.subarray(msgEnd).toString("utf8");
+        if (trailing !== receiveId) {
+            throw new Error(`receiveId mismatch (expected "${receiveId}", got "${trailing}")`);
+        }
+    }
+    return msg;
+}
+/**
+ * **encryptWecomPlaintext (加密回复消息)**
+ *
+ * 将明文消息打包为企业微信的加密格式。
+ * 流程：
+ * 1. 构造协议包: [16字节随机串][4字节长度][消息体][接收者ID]。
+ * 2. PKCS#7 填充。
+ * 3. AES-CBC 加密。
+ * 4. 转 Base64。
+ */
+export function encryptWecomPlaintext(params) {
+    const aesKey = decodeEncodingAESKey(params.encodingAESKey);
+    const iv = aesKey.subarray(0, 16);
+    const random16 = crypto.randomBytes(16);
+    const msg = Buffer.from(params.plaintext ?? "", "utf8");
+    const msgLen = Buffer.alloc(4);
+    msgLen.writeUInt32BE(msg.length, 0);
+    const receiveId = Buffer.from(params.receiveId ?? "", "utf8");
+    const raw = Buffer.concat([random16, msgLen, msg, receiveId]);
+    const padded = pkcs7Pad(raw, WECOM_PKCS7_BLOCK_SIZE);
+    const cipher = crypto.createCipheriv("aes-256-cbc", aesKey, iv);
+    cipher.setAutoPadding(false);
+    const encrypted = Buffer.concat([cipher.update(padded), cipher.final()]);
+    return encrypted.toString("base64");
+}

package/dist/src/domain/models.js

@@ -0,0 +1 @@
+export {};

package/dist/src/domain/policies.js

@@ -0,0 +1,32 @@
+export function assertBotPrimaryTransport(account) {
+    if (account.primaryTransport === "ws" && !account.wsConfigured) {
+        throw new Error(`WeCom bot account "${account.accountId}" is missing bot.ws credentials.`);
+    }
+    if (account.primaryTransport === "webhook" && !account.webhookConfigured) {
+        throw new Error(`WeCom bot account "${account.accountId}" is missing bot.webhook credentials.`);
+    }
+}
+export function buildDedupKey(event) {
+    return `${event.accountId}:${event.transport}:${event.messageId}`;
+}
+export function resolveConversationKey(event) {
+    const conversation = event.conversation;
+    return [event.accountId, conversation.peerKind, conversation.peerId, conversation.senderId].join(":");
+}
+export function normalizeWecomAllowFromEntry(raw) {
+    return raw
+        .trim()
+        .toLowerCase()
+        .replace(/^wecom:/, "")
+        .replace(/^user:/, "")
+        .replace(/^userid:/, "");
+}
+export function isWecomSenderAllowed(senderUserId, allowFrom) {
+    const list = allowFrom.map((entry) => normalizeWecomAllowFromEntry(entry)).filter(Boolean);
+    if (list.includes("*"))
+        return true;
+    const normalizedSender = normalizeWecomAllowFromEntry(senderUserId);
+    if (!normalizedSender)
+        return false;
+    return list.includes(normalizedSender);
+}