@zlr_236/popo 0.0.1

package/src/client.ts

@@ -0,0 +1,118 @@
+import type { PopoConfig } from "./types.js";
+import { resolvePopoCredentials } from "./accounts.js";
+import { getAccessToken } from "./auth.js";
+
+export type PopoApiResponse<T = unknown> = {
+  errcode: number;
+  errmsg: string;
+  data?: T;
+};
+
+/**
+ * Make an authenticated API request to POPO.
+ */
+export async function popoRequest<T = unknown>(params: {
+  cfg: PopoConfig;
+  method: "GET" | "POST" | "PUT" | "DELETE";
+  path: string;
+  body?: unknown;
+  query?: Record<string, string>;
+}): Promise<PopoApiResponse<T>> {
+  const { cfg, method, path, body, query } = params;
+  const creds = resolvePopoCredentials(cfg);
+  if (!creds) {
+    throw new Error("POPO credentials not configured");
+  }
+
+  const accessToken = await getAccessToken(cfg);
+  let url = `${creds.server}${path}`;
+
+  // Add query parameters if provided
+  if (query && Object.keys(query).length > 0) {
+    const queryString = new URLSearchParams(query).toString();
+    url = `${url}?${queryString}`;
+  }
+
+  const headers: Record<string, string> = {
+    "Open-Access-Token": accessToken,
+    "Content-Type": "application/json",
+  };
+
+  const response = await fetch(url, {
+    method,
+    headers,
+    body: body ? JSON.stringify(body) : undefined,
+  });
+
+  if (!response.ok) {
+    throw new Error(`POPO API request failed: ${response.status} ${response.statusText}`);
+  }
+
+  return (await response.json()) as PopoApiResponse<T>;
+}
+
+/**
+ * Make an authenticated multipart form request to POPO (for file uploads).
+ */
+export async function popoUploadRequest<T = unknown>(params: {
+  cfg: PopoConfig;
+  path: string;
+  formData: FormData;
+}): Promise<PopoApiResponse<T>> {
+  const { cfg, path, formData } = params;
+  const creds = resolvePopoCredentials(cfg);
+  if (!creds) {
+    throw new Error("POPO credentials not configured");
+  }
+
+  const accessToken = await getAccessToken(cfg);
+  const url = `${creds.server}${path}`;
+
+  const response = await fetch(url, {
+    method: "POST",
+    headers: {
+      "Open-Access-Token": accessToken,
+      // Don't set Content-Type for FormData - fetch will set it with boundary
+    },
+    body: formData,
+  });
+
+  if (!response.ok) {
+    throw new Error(`POPO upload request failed: ${response.status} ${response.statusText}`);
+  }
+
+  return (await response.json()) as PopoApiResponse<T>;
+}
+
+/**
+ * Download a file from POPO.
+ */
+export async function popoDownloadRequest(params: {
+  cfg: PopoConfig;
+  path: string;
+}): Promise<{ buffer: Buffer; contentType?: string }> {
+  const { cfg, path } = params;
+  const creds = resolvePopoCredentials(cfg);
+  if (!creds) {
+    throw new Error("POPO credentials not configured");
+  }
+
+  const accessToken = await getAccessToken(cfg);
+  const url = `${creds.server}${path}`;
+
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      "Open-Access-Token": accessToken,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`POPO download request failed: ${response.status} ${response.statusText}`);
+  }
+
+  const buffer = Buffer.from(await response.arrayBuffer());
+  const contentType = response.headers.get("content-type") || undefined;
+
+  return { buffer, contentType };
+}

package/src/config-schema.ts

@@ -0,0 +1,79 @@
+import { z } from "zod";
+export { z };
+
+const DmPolicySchema = z.enum(["open", "pairing", "allowlist"]);
+const GroupPolicySchema = z.enum(["open", "allowlist", "disabled"]);
+
+const ToolPolicySchema = z
+  .object({
+    allow: z.array(z.string()).optional(),
+    deny: z.array(z.string()).optional(),
+  })
+  .strict()
+  .optional();
+
+const DmConfigSchema = z
+  .object({
+    enabled: z.boolean().optional(),
+    systemPrompt: z.string().optional(),
+  })
+  .strict()
+  .optional();
+
+// Message render mode: raw (default) = plain text, rich_text = POPO rich text format
+const RenderModeSchema = z.enum(["raw", "rich_text"]).optional();
+
+export const PopoGroupSchema = z
+  .object({
+    requireMention: z.boolean().optional(),
+    tools: ToolPolicySchema,
+    skills: z.array(z.string()).optional(),
+    enabled: z.boolean().optional(),
+    allowFrom: z.array(z.union([z.string(), z.number()])).optional(),
+    systemPrompt: z.string().optional(),
+  })
+  .strict();
+
+export type PopoGroupConfig = z.infer<typeof PopoGroupSchema>;
+
+export const PopoConfigSchema = z
+  .object({
+    enabled: z.boolean().optional(),
+    systemPrompt: z.string().optional(),
+    appKey: z.string().optional(),
+    appSecret: z.string().optional(),
+    token: z.string().optional(), // Token for signature verification
+    aesKey: z.string().optional(), // 32-char AES key for encryption
+    server: z
+      .string()
+      .optional()
+      .default("https://open.popo.netease.com"),
+    webhookPath: z.string().optional().default("/popo/events"),
+    dmPolicy: DmPolicySchema.optional().default("pairing"),
+    allowFrom: z.array(z.union([z.string(), z.number()])).optional(),
+    groupPolicy: GroupPolicySchema.optional().default("allowlist"),
+    groupAllowFrom: z.array(z.union([z.string(), z.number()])).optional(),
+    requireMention: z.boolean().optional().default(true),
+    groups: z.record(z.string(), PopoGroupSchema.optional()).optional(),
+    historyLimit: z.number().int().min(0).optional(),
+    dmHistoryLimit: z.number().int().min(0).optional(),
+    dms: z.record(z.string(), DmConfigSchema).optional(),
+    textChunkLimit: z.number().int().positive().optional(),
+    chunkMode: z.enum(["length", "newline"]).optional(),
+    mediaMaxMb: z.number().positive().optional().default(20), // 20MB max
+    renderMode: RenderModeSchema, // raw = plain text (default), rich_text = POPO rich text
+  })
+  .strict()
+  .superRefine((value, ctx) => {
+    if (value.dmPolicy === "open") {
+      const allowFrom = value.allowFrom ?? [];
+      const hasWildcard = allowFrom.some((entry) => String(entry).trim() === "*");
+      if (!hasWildcard) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: ["allowFrom"],
+          message: 'channels.popo.dmPolicy="open" requires channels.popo.allowFrom to include "*"',
+        });
+      }
+    }
+  });

package/src/crypto.ts

@@ -0,0 +1,67 @@
+import crypto from "crypto";
+
+/**
+ * Verify POPO webhook signature.
+ * Signature = SHA256(token + nonce + timestamp)
+ */
+export function verifySignature(params: {
+  token: string;
+  nonce: string;
+  timestamp: string;
+  signature: string;
+}): boolean {
+  const { token, nonce, timestamp, signature } = params;
+  const data = [token, nonce, timestamp].sort().join("");
+  const computed = crypto.createHash("sha256").update(data).digest("hex");
+  return computed.toLowerCase() === signature.toLowerCase();
+}
+
+/**
+ * Decrypt POPO encrypted message using AES-CBC.
+ * Key derivation: aesKey is 32-char string, first 16 chars = key, last 16 chars = IV
+ */
+export function decryptMessage(encrypt: string, aesKey: string): string {
+  if (aesKey.length !== 32) {
+    throw new Error("AES key must be 32 characters");
+  }
+
+  // First 16 chars as key, last 16 chars as IV (AES-128-CBC)
+  // This matches Python: self.key = aes_key[:16].encode('utf-8')
+  const key = Buffer.from(aesKey.substring(0, 16), "utf8");
+  const iv = Buffer.from(aesKey.substring(16, 32), "utf8");
+
+  // Decrypt the base64-encoded ciphertext
+  const ciphertext = Buffer.from(encrypt, "base64");
+  const decipher = crypto.createDecipheriv("aes-128-cbc", key, iv);
+  let decrypted = decipher.update(ciphertext);
+  decrypted = Buffer.concat([decrypted, decipher.final()]);
+
+  // Remove PKCS7 padding and parse as UTF-8
+  return decrypted.toString("utf8");
+}
+
+/**
+ * Encrypt POPO response message using AES-CBC.
+ * Used to encrypt the "success" response.
+ */
+export function encryptMessage(plaintext: string, aesKey: string): string {
+  if (aesKey.length !== 32) {
+    throw new Error("AES key must be 32 characters");
+  }
+
+  const key = Buffer.from(aesKey.substring(0, 16), "utf8");
+  const iv = Buffer.from(aesKey.substring(16, 32), "utf8");
+
+  const cipher = crypto.createCipheriv("aes-128-cbc", key, iv);
+  let encrypted = cipher.update(plaintext, "utf8");
+  encrypted = Buffer.concat([encrypted, cipher.final()]);
+
+  return encrypted.toString("base64");
+}
+
+/**
+ * Generate a random nonce for webhook responses.
+ */
+export function generateNonce(): string {
+  return crypto.randomBytes(16).toString("hex");
+}