@ynhcj/xiaoyi-channel 0.0.157-beta → 0.0.157-next

package/dist/src/bot.js

@@ -1,6 +1,6 @@
 import { getXYRuntime } from "./runtime.js";
 import { createXYReplyDispatcher } from "./reply-dispatcher.js";
-import { parseA2AMessage, extractTextFromParts, extractFileParts, extractPushId, extractDeviceType, extractTriggerData, extractRunCrossTaskContext } from "./parser.js";
+import { parseA2AMessage, extractTextFromParts, extractFileParts, extractPushId, extractDeviceType, extractModelName, extractTriggerData, extractRunCrossTaskContext } from "./parser.js";
 import { downloadFilesFromParts } from "./file-download.js";
 import { resolveXYConfig } from "./config.js";
 import { sendStatusUpdate, sendClearContextResponse, sendTasksCancelResponse, sendA2AResponse } from "./formatter.js";
@@ -32,9 +32,10 @@ export async function handleXYMessage(params) {
     try {
         // Check for special messages BEFORE parsing (these have different param structures)
         const messageMethod = message.method;
-        // Handle clearContext messages (params only has sessionId)
+        logger.log(`[BOT] Received A2A message: ${JSON.stringify(message)}`);
+        // Handle clearContext messages (sessionId at top level, no params)
         if (messageMethod === "clearContext" || messageMethod === "clear_context") {
-            const sessionId = message.params?.sessionId;
+            const sessionId = message.sessionId ?? message.params?.sessionId;
             if (!sessionId) {
                 throw new Error("clearContext request missing sessionId in params");
             }
@@ -48,9 +49,9 @@ export async function handleXYMessage(params) {
             });
             return;
         }
-        // Handle tasks/cancel messages
+        // Handle tasks/cancel messages (sessionId at top level, no params)
         if (messageMethod === "tasks/cancel" || messageMethod === "tasks_cancel") {
-            const sessionId = message.params?.sessionId;
+            const sessionId = message.sessionId ?? message.params?.sessionId;
             const taskId = message.params?.id || message.id;
             if (!sessionId) {
                 throw new Error("tasks/cancel request missing sessionId in params");
@@ -138,6 +139,11 @@ export async function handleXYMessage(params) {
         if (deviceType) {
             log.log(`[BOT] Extracted deviceType: ${deviceType}`);
         }
+        // Extract modelName if present (used by provider.ts to override model.id)
+        const modelName = extractModelName(parsed.parts);
+        if (modelName) {
+            log.log(`[BOT] Extracted modelName: ${modelName}`);
+        }
         const runCrossTaskContext = extractRunCrossTaskContext(parsed.parts);
         // Resolve configuration (needed for status updates)
         const config = resolveXYConfig(cfg);
@@ -164,6 +170,7 @@ export async function handleXYMessage(params) {
                 messageId: parsed.messageId,
                 agentId: route.accountId,
                 deviceType,
+                modelName,
                 runCrossTaskContext: runCrossTaskContext ?? undefined,
             });
             // 🔑 发送初始状态更新
@@ -311,6 +318,7 @@ export async function handleXYMessage(params) {
             messageId: parsed.messageId,
             agentId: route.accountId,
             deviceType,
+            modelName,
             runCrossTaskContext: runCrossTaskContext ?? undefined,
         };
         log.log(`[BOT-DISPATCH] withReplyDispatcher starting, sessionKey=${route.sessionKey}`);

package/dist/src/cron-query-handler.d.ts

@@ -1,17 +1,7 @@
-export type CronQueryAction = "list" | "status" | "runs" | "add" | "update" | "remove" | "run";
-export interface CronQueryEventContext {
-    action: CronQueryAction;
-    jobId?: string;
-    params?: Record<string, unknown>;
-    /** Original A2A message fields for routing the response. */
-    sessionId?: string;
-    taskId?: string;
-    messageId?: string;
-}
 /**
  * Handle a cron-query-event.
  *
  * Calls the Gateway cron RPC and sends the result back through sendCommand
  * as a System.CronQuery command with the full result object in payload.ans.
  */
-export declare function handleCronQueryEvent(context: CronQueryEventContext, cfg?: unknown): Promise<void>;
+export declare function handleCronQueryEvent(context: any, cfg: any): Promise<void>;

package/dist/src/cron-query-handler.js

@@ -4,9 +4,12 @@
 // result back to the client via sendCommand as a System.CronQuery
 // command with the result in payload.ans.
 import { callGatewayTool } from "openclaw/plugin-sdk/agent-harness-runtime";
+import * as os from "os";
 import { sendCommand } from "./formatter.js";
 import { resolveXYConfig } from "./config.js";
 import { logger } from "./utils/logger.js";
+import { readFileSync, readdirSync } from "fs";
+import { join } from "path";
 const GATEWAY_TIMEOUT_MS = 60_000;
 /**
  * Handle a cron-query-event.
@@ -54,6 +57,9 @@ export async function handleCronQueryEvent(context, cfg) {
                     ...params,
                 });
                 break;
+            case "queryTimeList":
+                result = await queryTimeListLocal();
+                break;
             default:
                 error = `Unknown action: ${context.action}`;
                 logger.error(`[CRON-QUERY] ${error}`);
@@ -73,7 +79,7 @@ export async function handleCronQueryEvent(context, cfg) {
             const config = resolveXYConfig(cfg);
             const command = {
                 header: {
-                    namespace: "System",
+                    namespace: "AgentEvent",
                     name: "CronQuery",
                 },
                 payload: {
@@ -99,3 +105,84 @@ export async function handleCronQueryEvent(context, cfg) {
         logger.warn(`[CRON-QUERY] Missing cfg/sessionId/taskId/messageId, skipping sendCommand`);
     }
 }
+/**
+ * Read local cron folder directly (bypassing openclaw RPC) and return
+ * run records from the last 7 days, grouped by date and sorted by time.
+ *
+ * Data sources:
+ *   - state/cron/jobs.json   → job id → name mapping
+ *   - state/cron/runs/*.jsonl → run records (one JSON per line)
+ *
+ * Return format:
+ *   [ { "YYYY-MM-DD": [ { run record with .name }, ... ] }, ... ]
+ */
+async function queryTimeListLocal() {
+    const cronDir = join(os.homedir(), ".openclaw", "cron");
+    const jobsPath = join(cronDir, "jobs.json");
+    const runsDir = join(cronDir, "runs");
+    // 1. Build jobId → name map from jobs.json
+    const jobNameMap = {};
+    try {
+        const jobsRaw = readFileSync(jobsPath, "utf-8");
+        const jobsData = JSON.parse(jobsRaw);
+        for (const job of jobsData.jobs || []) {
+            jobNameMap[job.id] = job.name || job.id;
+        }
+    }
+    catch (err) {
+        logger.error(`[CRON-QUERY] Failed to read jobs.json: ${err.message}`);
+    }
+    // 2. Read all run files, collect runs within last 7 days
+    const sevenDaysAgo = Date.now() - 7 * 24 * 60 * 60 * 1000;
+    const allRuns = [];
+    let files = [];
+    try {
+        files = readdirSync(runsDir);
+    }
+    catch {
+        files = [];
+    }
+    for (const file of files) {
+        if (!file.endsWith(".jsonl"))
+            continue;
+        try {
+            const content = readFileSync(join(runsDir, file), "utf-8");
+            const lines = content.trim().split("\n");
+            for (const line of lines) {
+                if (!line.trim())
+                    continue;
+                try {
+                    const run = JSON.parse(line);
+                    if (run.ts && run.ts >= sevenDaysAgo) {
+                        run.name = jobNameMap[run.jobId] || run.jobId || "";
+                        allRuns.push(run);
+                    }
+                }
+                catch {
+                    // skip malformed line
+                }
+            }
+        }
+        catch (err) {
+            logger.error(`[CRON-QUERY] Failed to read run file ${file}: ${err.message}`);
+        }
+    }
+    // 3. Sort by ts ascending
+    allRuns.sort((a, b) => a.ts - b.ts);
+    // 4. Group by date (YYYY-MM-DD in local time)
+    const grouped = new Map();
+    for (const run of allRuns) {
+        const d = new Date(run.ts);
+        const label = `${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, "0")}-${String(d.getDate()).padStart(2, "0")}`;
+        if (!grouped.has(label)) {
+            grouped.set(label, []);
+        }
+        grouped.get(label).push(run);
+    }
+    // 5. Convert to ordered array of single-key objects
+    const result = [];
+    for (const [date, runs] of grouped) {
+        result.push({ [date]: runs });
+    }
+    return result;
+}

package/dist/src/cspl/call_api.d.ts

@@ -1,2 +1,2 @@
 import { ApiResponse } from './constants.js';
-export declare function callApi(questionText: string, api: any, sessionId: string): Promise<ApiResponse>;
+export declare function callApi(questionText: string, api: any, sessionId: string, action: string): Promise<ApiResponse>;

package/dist/src/cspl/call_api.js

@@ -78,13 +78,13 @@ function handleResponse(res, resolve, reject) {
         }
     });
 }
-export async function callApi(questionText, api, sessionId) {
+export async function callApi(questionText, api, sessionId, action) {
     const config = getConfig(api);
     const headersForCelia = buildHeadersForCelia(config, sessionId);
     const payload = {
         questionText: questionText,
         textSource: config.textSource,
-        action: config.action,
+        action: action,
         extra: `${JSON.stringify({ userId: config.uid })}`
     };
     const httpBody = JSON.stringify(payload);

package/dist/src/cspl/config.js

@@ -2,9 +2,9 @@
  * 版权所有 (c) 华为技术有限公司 2026-2026
  */
 import fs from 'fs';
-import { ENV_FILE_PATH, REQUIRED_ENV_VARS } from './constants.js';
+import path from 'path';
+import { CONFIG_FILE_NAME, ENV_FILE_PATH, REQUIRED_ENV_VARS } from './constants.js';
 import { logger } from '../utils/logger.js';
-import defaultConfig from './configs.json' with { type: 'json' };
 let cachedConfig = null;
 function readEnvFile() {
     if (!fs.existsSync(ENV_FILE_PATH)) {
@@ -41,25 +41,45 @@ export function getConfig(api) {
     if (cachedConfig) {
         return cachedConfig;
     }
-    // Use imported JSON (bundled at compile time, no runtime file read needed)
-    const config = { ...defaultConfig };
+    const configPath = path.join(__dirname, CONFIG_FILE_NAME);
+    if (!fs.existsSync(configPath)) {
+        throw new Error(`Config file not found: ${CONFIG_FILE_NAME}`);
+    }
+    let configData;
+    try {
+        configData = fs.readFileSync(configPath, 'utf-8');
+    }
+    catch (error) {
+        throw new Error(`Failed to read config file: ${CONFIG_FILE_NAME}.`);
+    }
+    let parsedConfig;
+    try {
+        parsedConfig = JSON.parse(configData);
+    }
+    catch (error) {
+        throw new Error(`Failed to parse config file: ${CONFIG_FILE_NAME}.`);
+    }
+    if (!parsedConfig || typeof parsedConfig !== 'object') {
+        throw new Error(`Invalid config structure: ${CONFIG_FILE_NAME}. Expected an object.`);
+    }
+    const config = parsedConfig;
     if (!config.api || typeof config.api !== 'object') {
-        throw new Error(`Invalid config: missing or invalid 'api' section`);
+        throw new Error(`Invalid config: missing or invalid 'api' section in ${CONFIG_FILE_NAME}`);
     }
     if (!config.api.timeout || typeof config.api.timeout !== 'number') {
-        throw new Error(`Invalid config: missing or invalid 'api.timeout'`);
+        throw new Error(`Invalid config: missing or invalid 'api.timeout' in ${CONFIG_FILE_NAME}`);
     }
     if (!config.skillId || typeof config.skillId !== 'string') {
-        throw new Error(`Invalid config: missing or invalid 'skillId'`);
+        throw new Error(`Invalid config: missing or invalid 'skillId' in ${CONFIG_FILE_NAME}`);
     }
     if (!config.requestFrom || typeof config.requestFrom !== 'string') {
-        throw new Error(`Invalid config: missing or invalid 'requestFrom'`);
+        throw new Error(`Invalid config: missing or invalid 'requestFrom' in ${CONFIG_FILE_NAME}`);
     }
     if (!config.textSource || typeof config.textSource !== 'string') {
-        throw new Error(`Invalid config: missing or invalid 'textSource'`);
+        throw new Error(`Invalid config: missing or invalid 'textSource' in ${CONFIG_FILE_NAME}`);
     }
     if (!config.action || typeof config.action !== 'string') {
-        throw new Error(`Invalid config: missing or invalid 'action'`);
+        throw new Error(`Invalid config: missing or invalid 'action' in ${CONFIG_FILE_NAME}`);
     }
     let env;
     try {

package/dist/src/cspl/constants.d.ts

@@ -29,6 +29,7 @@ export declare const ENV_FILE_PATH = "/home/sandbox/.openclaw/.xiaoyienv";
 export declare const API_URL_SUFFIX = "/celia-claw/v1/rest-api/skill/execute";
 export declare const REQUIRED_ENV_VARS: string[];
 export declare const ALLOWED_TOOLS: string[];
+export declare const STEER_ABORT_MESSAGE = "\u5F53\u524D\u884C\u4E3A\u5B58\u5728\u5B89\u5168\u9690\u60A3\uFF0C\u7EC8\u6B62\u6240\u6709\u64CD\u4F5C\uFF0C\u5E76\u4E14\u5728\u6700\u7EC8\u56DE\u590D\u4E2D\u8BF4\u660E\uFF0C\u8BC6\u522B\u5230\u5F53\u524D\u6D41\u7A0B\u4E2D\u5B58\u5728\u6F5C\u5728\u5B89\u5168\u98CE\u9669\uFF0C\u5DF2\u5E2E\u60A8\u4E2D\u6B62\u5F53\u524D\u6D41\u7A0B\uFF0C\u8BF7\u6E05\u7A7A\u4E0A\u4E0B\u6587\u540E\u91CD\u8BD5";
 export declare const MAX_FILE_COUNT = 10;
 export declare const MAX_COMMAND_LENGTH = 1024;
 export declare const CODE_FILE_EXTENSIONS: string[];
@@ -42,6 +43,8 @@ export declare const TOOL_INPUT_DEFAULT: {
     readonly source: "";
     readonly content: "";
 };
+export declare const TOOL_INPUT_ACTION = "TOOL_INPUT_SCAN";
+export declare const TOOL_OUTPUT_ACTION = "TOOL_OUTPUT_SCAN";
 export declare const MAX_TIMES = 3;
 export declare const CONNECT_TIMEOUT = 15000;
 export declare const READ_TIMEOUT = 300000;

package/dist/src/cspl/constants.js

@@ -28,6 +28,8 @@ export const API_URL_SUFFIX = '/celia-claw/v1/rest-api/skill/execute';
 export const REQUIRED_ENV_VARS = ['PERSONAL-API-KEY', 'PERSONAL-UID', 'SERVICE_URL'];
 // 工具白名单：除了web_fetch特殊处理外，只有这些工具才处理result文本
 export const ALLOWED_TOOLS = ['web_fetch', 'read', 'pdf', 'exec', 'message'];
+// Steer 注入话术：CSPL REJECT 时通过 steer 插话打断模型
+export const STEER_ABORT_MESSAGE = '当前行为存在安全隐患，终止所有操作，并且在最终回复中说明，识别到当前流程中存在潜在安全风险，已帮您中止当前流程，请清空上下文后重试';
 // 文件数量限制
 export const MAX_FILE_COUNT = 10;
 // 命令字符串截断长度（字节）
@@ -45,6 +47,9 @@ export const TOOL_INPUT_DEFAULT = {
     source: '',
     content: ''
 };
+// 安全扫描 action 常量
+export const TOOL_INPUT_ACTION = 'TOOL_INPUT_SCAN';
+export const TOOL_OUTPUT_ACTION = 'TOOL_OUTPUT_SCAN';
 // OBS上传相关常量
 export const MAX_TIMES = 3;
 export const CONNECT_TIMEOUT = 15000;

package/dist/src/cspl/sentinel_hook.js

@@ -4,8 +4,10 @@
 import crypto from 'crypto';
 import { callApi } from './call_api.js';
 import { processText, extractResultText, validateAndTruncateText, parseSecurityResult, handleExecToolInput, handleMessageToolInput, handleOtherToolInput } from './utils.js';
-import { ALLOWED_TOOLS, MAX_TEXT_LENGTH, MAX_TOTAL_LENGTH, MIN_TEXT_LENGTH } from './constants.js';
+import { ALLOWED_TOOLS, MAX_TEXT_LENGTH, MAX_TOTAL_LENGTH, MIN_TEXT_LENGTH, STEER_ABORT_MESSAGE, TOOL_OUTPUT_ACTION } from './constants.js';
 import { logger } from '../utils/logger.js';
+import { getSessionContext } from '../tools/session-manager.js';
+import { tryInjectSteer } from './steer-context.js';
 // 主入口模块
 export default function register(api) {
     api.on("before_tool_call", async (event, ctx) => {
@@ -13,16 +15,21 @@ export default function register(api) {
         // 生成sessionID
         const sessionId = (event.runId?.replace(/-/g, '') || crypto.randomBytes(16).toString('hex'));
         logger.log(`[SENTINEL HOOK] Generated Session ID: ${sessionId}`);
-        // 处理 TOOL_INPUT 数据采集、发送数据
+        // 处理 TOOL_INPUT 数据采集、发送数据，根据扫描结果决定是否阻塞
         try {
+            let scanResult = null;
             if (event.toolName === 'exec') {
-                await handleExecToolInput(event, api, sessionId);
+                scanResult = await handleExecToolInput(event, api, sessionId);
             }
             else if (event.toolName === 'message') {
-                await handleMessageToolInput(event, api, sessionId);
+                scanResult = await handleMessageToolInput(event, api, sessionId);
             }
             else {
-                await handleOtherToolInput(event, api, sessionId);
+                scanResult = await handleOtherToolInput(event, api, sessionId);
+            }
+            if (scanResult?.status === 'REJECT') {
+                logger.warn(`[SENTINEL HOOK] TOOL_INPUT REJECT, blocking tool call: ${event.toolName}`);
+                return { block: true, blockReason: `安全扫描检测到风险，已阻止工具调用: ${event.toolName}` };
             }
         }
         catch (error) {
@@ -66,11 +73,23 @@ export default function register(api) {
             const postText = JSON.stringify(questionText);
             logger.log(`[SENTINEL HOOK] Content extracted successfully. Length: ${postText.length}`);
             try {
-                const response = await callApi(postText, api, sessionId);
+                const response = await callApi(postText, api, sessionId, TOOL_OUTPUT_ACTION);
                 const result = parseSecurityResult(response);
                 logger.log(`[SENTINEL HOOK] TOOL_OUTPUT response: status=${result.status}.`);
                 if (result.status === 'REJECT') {
-                    logger.warn('[SENTINEL HOOK] Interrupt handler');
+                    logger.warn('[SENTINEL HOOK] REJECT detected, attempting steer injection');
+                    const sessionCtx = ctx.sessionKey ? getSessionContext(ctx.sessionKey) : null;
+                    if (sessionCtx?.sessionId && sessionCtx?.taskId) {
+                        await tryInjectSteer({
+                            sessionId: sessionCtx.sessionId,
+                            taskId: sessionCtx.taskId,
+                            message: STEER_ABORT_MESSAGE,
+                            source: 'cspl',
+                        });
+                    }
+                    else {
+                        logger.warn(`[SENTINEL HOOK] Cannot inject steer: sessionKey=${ctx.sessionKey}, sessionCtx found=${!!sessionCtx}`);
+                    }
                 }
             }
             catch (error) {

package/dist/src/cspl/utils.d.ts

@@ -14,6 +14,12 @@ export declare function extractFilePathsFromCommand(command: string): string[];
 export declare function calculateContentHash(content: string): string;
 export declare function getFileSizeInKB(filePath: string): number;
 export declare function adjustContentLength(data: any, api: OpenClawPluginApi, fields: string[]): any;
-export declare function handleExecToolInput(event: any, api: OpenClawPluginApi, sessionId: string): Promise<string | null>;
-export declare function handleMessageToolInput(event: any, api: OpenClawPluginApi, sessionId: string): Promise<string | null>;
-export declare function handleOtherToolInput(event: any, api: OpenClawPluginApi, sessionId: string): Promise<void>;
+export declare function handleExecToolInput(event: any, api: OpenClawPluginApi, sessionId: string): Promise<{
+    status: 'ACCEPT' | 'REJECT';
+} | null>;
+export declare function handleMessageToolInput(event: any, api: OpenClawPluginApi, sessionId: string): Promise<{
+    status: 'ACCEPT' | 'REJECT';
+} | null>;
+export declare function handleOtherToolInput(event: any, api: OpenClawPluginApi, sessionId: string): Promise<{
+    status: 'ACCEPT' | 'REJECT';
+} | null>;

package/dist/src/cspl/utils.js

@@ -1,7 +1,7 @@
 /*
  * 版权所有 (c) 华为技术有限公司 2026-2026
  */
-import { MAX_TEXT_LENGTH, regex, SECURITY_NOTICE, MAX_FILE_COUNT, MAX_COMMAND_LENGTH, CODE_FILE_EXTENSIONS, TOOL_INPUT_DEFAULT, FILE_EXTENSION_REGEX } from './constants.js';
+import { MAX_TEXT_LENGTH, regex, SECURITY_NOTICE, MAX_FILE_COUNT, MAX_COMMAND_LENGTH, CODE_FILE_EXTENSIONS, TOOL_INPUT_DEFAULT, FILE_EXTENSION_REGEX, TOOL_INPUT_ACTION } from './constants.js';
 import crypto from 'crypto';
 import fs from 'fs';
 import path from 'path';
@@ -213,13 +213,14 @@ export function adjustContentLength(data, api, fields) {
     }
     return adjusted;
 }
-// 发送TOOL_INPUT请求并处理响应
+// 发送TOOL_INPUT请求并处理响应，返回扫描结果
 async function sendToolInputRequest(postText, api, sessionId) {
-    const response = await callApi(postText, api, sessionId);
+    const response = await callApi(postText, api, sessionId, TOOL_INPUT_ACTION);
     const result = parseSecurityResult(response);
     logger.log(`[SENTINEL HOOK] TOOL_INPUT response: status=${result.status}`);
+    return result;
 }
-// 处理exec工具的TOOL_INPUT数据采集
+// 处理exec工具的TOOL_INPUT数据采集，返回最终扫描结果
 export async function handleExecToolInput(event, api, sessionId) {
     const command = extractInputParams(event, 'exec');
     if (!command) {
@@ -232,6 +233,7 @@ export async function handleExecToolInput(event, api, sessionId) {
         // 场景1：执行代码文件
         logger.log(`[SENTINEL HOOK] Found ${filePaths.length} file(s) in command`);
         const nonExistingFiles = [];
+        let lastResult = null;
         for (const filePath of filePaths) {
             if (!fs.existsSync(filePath)) {
                 nonExistingFiles.push(filePath);
@@ -247,7 +249,10 @@ export async function handleExecToolInput(event, api, sessionId) {
             const postText = JSON.stringify(adjustedData);
             logger.log(`[SENTINEL HOOK] Sending TOOL_INPUT for file: ${path.basename(filePath)}, body length: ${postText.length}`);
             try {
-                await sendToolInputRequest(postText, api, sessionId);
+                lastResult = await sendToolInputRequest(postText, api, sessionId);
+                if (lastResult.status === 'REJECT') {
+                    return lastResult;
+                }
             }
             catch (e) {
                 logger.error(`[SENTINEL HOOK] Sending TOOL_INPUT Failed: ${e}`);
@@ -258,6 +263,7 @@ export async function handleExecToolInput(event, api, sessionId) {
             const fileNames = nonExistingFiles.map(f => path.basename(f)).join(', ');
             logger.log(`[SENTINEL HOOK] Non-existing files: ${fileNames}`);
         }
+        return lastResult;
     }
     else {
         // 场景2：直接执行代码（heredoc场景）
@@ -268,10 +274,10 @@ export async function handleExecToolInput(event, api, sessionId) {
         const adjustedData = adjustContentLength(toolInputData, api, ['source']);
         const postText = JSON.stringify(adjustedData);
         logger.log(`[SENTINEL HOOK] Sending TOOL_INPUT for direct code execution, body length: ${postText.length}`);
-        await sendToolInputRequest(postText, api, sessionId);
+        return await sendToolInputRequest(postText, api, sessionId);
     }
 }
-// 处理message工具的TOOL_INPUT数据采集
+// 处理message工具的TOOL_INPUT数据采集，返回扫描结果
 export async function handleMessageToolInput(event, api, sessionId) {
     const message = extractInputParams(event, 'message');
     if (!message) {
@@ -285,14 +291,14 @@ export async function handleMessageToolInput(event, api, sessionId) {
     const adjustedData = adjustContentLength(toolInputData, api, ['content']);
     const postText = JSON.stringify(adjustedData);
     logger.log(`[SENTINEL HOOK] Sending TOOL_INPUT for message, body length: ${postText.length}`);
-    await sendToolInputRequest(postText, api, sessionId);
+    return await sendToolInputRequest(postText, api, sessionId);
 }
-// 处理其他工具（非 exec 和非 message）的 TOOL_INPUT 数据采集
+// 处理其他工具（非 exec 和非 message）的 TOOL_INPUT 数据采集，返回扫描结果
 export async function handleOtherToolInput(event, api, sessionId) {
     const params = event.params;
     if (!params) {
         logger.log('[SENTINEL HOOK] No params found for tool');
-        return;
+        return null;
     }
     logger.log(`[SENTINEL HOOK] Processing other tool input, toolName: ${event.toolName}`);
     // 将 params 序列化为 JSON 字符串
@@ -305,5 +311,5 @@ export async function handleOtherToolInput(event, api, sessionId) {
     const adjustedData = adjustContentLength(toolInputData, api, ['content']);
     const postText = JSON.stringify(adjustedData);
     logger.log(`[SENTINEL HOOK] Sending TOOL_INPUT for ${event.toolName}, body length: ${postText.length}`);
-    await sendToolInputRequest(postText, api, sessionId);
+    return await sendToolInputRequest(postText, api, sessionId);
 }

package/dist/src/file-upload.d.ts

@@ -17,6 +17,11 @@ export declare class XYFileUploadService {
      * Uses completeAndQuery endpoint to get the file URL directly.
      */
     uploadFileAndGetUrl(filePath: string, objectType?: string): Promise<string>;
+    /**
+     * Upload a file and return a preview-able URL (needPreview=true).
+     * Same as uploadFileAndGetUrl but adds needPreview flag to get a directly viewable URL.
+     */
+    uploadFileAndGetPreviewUrl(filePath: string, objectType?: string): Promise<string>;
     /**
      * Upload multiple files and return their file IDs.
      */

package/dist/src/file-upload.js

@@ -235,6 +235,108 @@ export class XYFileUploadService {
             }
         }
     }
+    /**
+     * Upload a file and return a preview-able URL (needPreview=true).
+     * Same as uploadFileAndGetUrl but adds needPreview flag to get a directly viewable URL.
+     */
+    async uploadFileAndGetPreviewUrl(filePath, objectType = "TEMPORARY_MATERIAL_DOC") {
+        let localFilePath = filePath;
+        let isTempFile = false;
+        try {
+            // Handle remote URLs by downloading first
+            if (isRemoteUrl(filePath)) {
+                localFilePath = await downloadToTempFile(filePath);
+                isTempFile = true;
+            }
+            // Read file
+            const fileBuffer = await fs.readFile(localFilePath);
+            const fileName = path.basename(localFilePath);
+            const fileSha256 = calculateSHA256(fileBuffer);
+            const fileSize = fileBuffer.length;
+            // Phase 1: Prepare
+            logger.log(`[XY File Upload] Phase 1 (preview): Prepare upload for ${fileName}`);
+            const prepareResp = await fetch(`${this.baseUrl}/osms/v1/file/manager/prepare`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "x-uid": this.uid,
+                    "x-api-key": this.apiKey,
+                    "x-request-from": "openclaw",
+                },
+                body: JSON.stringify({
+                    objectType,
+                    fileName,
+                    fileSha256,
+                    fileSize,
+                    fileOwnerInfo: {
+                        uid: this.uid,
+                        teamId: this.uid,
+                    },
+                    useEdge: false,
+                }),
+            });
+            if (!prepareResp.ok) {
+                throw new Error(`Prepare failed: HTTP ${prepareResp.status}`);
+            }
+            const prepareData = await prepareResp.json();
+            if (prepareData.code !== "0") {
+                throw new Error(`Prepare failed: ${prepareData.desc}`);
+            }
+            const { objectId, draftId, uploadInfos } = prepareData;
+            logger.log(`[XY File Upload] Prepare (preview) complete: objectId=${objectId}, draftId=${draftId}`);
+            // Phase 2: Upload
+            logger.log(`[XY File Upload] Phase 2 (preview): Upload file data`);
+            const uploadInfo = uploadInfos[0];
+            const uploadResp = await fetch(uploadInfo.url, {
+                method: uploadInfo.method,
+                headers: uploadInfo.headers,
+                body: fileBuffer,
+            });
+            if (!uploadResp.ok) {
+                throw new Error(`Upload failed: HTTP ${uploadResp.status}`);
+            }
+            logger.log(`[XY File Upload] Upload (preview) complete`);
+            // Phase 3: CompleteAndQuery with needPreview=true
+            logger.log(`[XY File Upload] Phase 3 (preview): CompleteAndQuery with needPreview=true`);
+            const completeResp = await fetch(`${this.baseUrl}/osms/v1/file/manager/completeAndQuery`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "x-uid": this.uid,
+                    "x-api-key": this.apiKey,
+                    "x-request-from": "openclaw",
+                },
+                body: JSON.stringify({
+                    objectId,
+                    draftId,
+                    needPreview: true,
+                    expireTime: 259200,
+                }),
+            });
+            if (!completeResp.ok) {
+                throw new Error(`CompleteAndQuery (preview) failed: HTTP ${completeResp.status}`);
+            }
+            const completeData = await completeResp.json();
+            const fileUrl = completeData?.fileDetailInfo?.url || "";
+            if (!fileUrl) {
+                throw new Error("No file URL returned from completeAndQuery (preview)");
+            }
+            logger.log(`[XY File Upload] File upload with preview URL successful`);
+            return fileUrl;
+        }
+        catch (error) {
+            logger.error(`[XY File Upload] File upload with preview URL failed for ${filePath}:`, error);
+            throw error;
+        }
+        finally {
+            if (isTempFile) {
+                try {
+                    await fs.unlink(localFilePath);
+                }
+                catch { }
+            }
+        }
+    }
     /**
      * Upload multiple files and return their file IDs.
      */

package/dist/src/formatter.d.ts

@@ -17,6 +17,7 @@ export interface SendA2AResponseParams {
     }>;
     errorCode?: number | string;
     errorMessage?: string;
+    log?: boolean;
 }
 /**
  * Send an A2A artifact update response.
@@ -81,6 +82,35 @@ export interface SendCommandParams {
  * listening in the calling tool works unchanged.
  */
 export declare function sendCommand(params: SendCommandParams): Promise<void>;
+/**
+ * Parameters for sending a card (e.g., HTML H5 card).
+ */
+export interface SendCardParams {
+    config: XYChannelConfig;
+    sessionId: string;
+    taskId: string;
+    messageId: string;
+    /** toolCallId from the tool's execute() — used for cron detection via hook-set Map. */
+    toolCallId?: string;
+    /** When true, the artifact-update is sent with final=true. Default: false. */
+    final?: boolean;
+    /** Array of card data objects to send. */
+    cardsInfo: CardDataObject[];
+}
+/**
+ * Card data object for sending display cards.
+ */
+export interface CardDataObject {
+    cardName: string;
+    cardData: Record<string, any>;
+    displayType: string;
+}
+/**
+ * Send a card (e.g., HTML H5 card) as an artifact update (final=false).
+ *
+ * Cron-aware: same routing logic as sendCommand.
+ */
+export declare function sendCard(params: SendCardParams): Promise<void>;
 /**
  * Parameters for sending a clearContext response.
  */