aamp-openclaw-plugin 0.1.37 → 0.1.39

package/dist/index.js

@@ -1,13 +1,13 @@
-// ../sdk/src/jmap-push.js
+// ../sdk/dist/jmap-push.js
 import WebSocket from "ws";
 
-// ../sdk/src/types.js
+// ../sdk/dist/types.js
 var AAMP_PROTOCOL_VERSION = "1.1";
 var AAMP_HEADER = {
   VERSION: "X-AAMP-Version",
   INTENT: "X-AAMP-Intent",
   TASK_ID: "X-AAMP-TaskId",
-  CONTEXT_LINKS: "X-AAMP-ContextLinks",
+  SESSION_KEY: "X-AAMP-Session-Key",
   DISPATCH_CONTEXT: "X-AAMP-Dispatch-Context",
   PRIORITY: "X-AAMP-Priority",
   EXPIRES_AT: "X-AAMP-Expires-At",
@@ -19,11 +19,13 @@ var AAMP_HEADER = {
   BLOCKED_REASON: "X-AAMP-BlockedReason",
   SUGGESTED_OPTIONS: "X-AAMP-SuggestedOptions",
   STREAM_ID: "X-AAMP-Stream-Id",
+  PAIR_CODE: "X-AAMP-Pair-Code",
+  DISPATCH_CONTEXT_RULES: "X-AAMP-Dispatch-Context-Rules",
   PARENT_TASK_ID: "X-AAMP-ParentTaskId",
   CARD_SUMMARY: "X-AAMP-Card-Summary"
 };
 
-// ../sdk/src/parser.js
+// ../sdk/dist/parser.js
 function normalizeBodyText(value) {
   return value?.replace(/\r\n/g, "\n").trim() ?? "";
 }
@@ -158,6 +160,20 @@ function encodeStructuredResult(value) {
   const json = JSON.stringify(value);
   return Buffer.from(json, "utf-8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
 }
+function decodeBase64UrlJson(value) {
+  if (!value)
+    return void 0;
+  try {
+    const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = normalized.length % 4 === 0 ? "" : "=".repeat(4 - normalized.length % 4);
+    return JSON.parse(Buffer.from(normalized + padding, "base64").toString("utf-8"));
+  } catch {
+    return void 0;
+  }
+}
+function encodeBase64UrlJson(value) {
+  return Buffer.from(JSON.stringify(value), "utf-8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
 function parseAampHeaders(meta) {
   const headers = normalizeHeaders(meta.headers);
   const intent = getAampHeader(headers, AAMP_HEADER.INTENT);
@@ -169,8 +185,8 @@ function parseAampHeaders(meta) {
   const to = meta.to.replace(/^<|>$/g, "");
   const decodedSubject = decodeMimeEncodedWords(meta.subject);
   if (intent === "task.dispatch") {
-    const contextLinksStr = getAampHeader(headers, AAMP_HEADER.CONTEXT_LINKS) ?? "";
     const dispatchContext = parseDispatchContextHeader(getAampHeader(headers, AAMP_HEADER.DISPATCH_CONTEXT));
+    const sessionKey = getAampHeader(headers, AAMP_HEADER.SESSION_KEY);
     const parentTaskId = getAampHeader(headers, AAMP_HEADER.PARENT_TASK_ID);
     const priority = getAampHeader(headers, AAMP_HEADER.PRIORITY) ?? "normal";
     const expiresAt = getAampHeader(headers, AAMP_HEADER.EXPIRES_AT);
@@ -178,10 +194,10 @@ function parseAampHeaders(meta) {
       protocolVersion,
       intent: "task.dispatch",
       taskId,
+      ...sessionKey ? { sessionKey } : {},
       title: decodedSubject.replace(/^\[AAMP Task\]\s*/, "").trim() || "Untitled Task",
       priority: priority === "urgent" || priority === "high" ? priority : "normal",
       ...expiresAt ? { expiresAt } : {},
-      contextLinks: contextLinksStr ? contextLinksStr.split(",").map((s) => s.trim()).filter(Boolean) : [],
       ...dispatchContext ? { dispatchContext } : {},
       ...parentTaskId ? { parentTaskId } : {},
       from,
@@ -270,6 +286,43 @@ function parseAampHeaders(meta) {
     };
     return streamOpened;
   }
+  if (intent === "pair.request") {
+    const pairCode = getAampHeader(headers, AAMP_HEADER.PAIR_CODE) ?? "";
+    if (!pairCode)
+      return null;
+    const pairRequest = {
+      protocolVersion,
+      intent: "pair.request",
+      taskId,
+      pairCode,
+      dispatchContextRules: decodeBase64UrlJson(getAampHeader(headers, AAMP_HEADER.DISPATCH_CONTEXT_RULES)) ?? {},
+      from,
+      to,
+      messageId: meta.messageId,
+      subject: meta.subject,
+      bodyText: ""
+    };
+    return pairRequest;
+  }
+  if (intent === "pair.respond") {
+    const rawStatus = getAampHeader(headers, AAMP_HEADER.STATUS);
+    const status = rawStatus === "completed" ? "completed" : "rejected";
+    const reason = getAampHeader(headers, AAMP_HEADER.ERROR_MSG) || void 0;
+    const pairRespond = {
+      protocolVersion,
+      intent: "pair.respond",
+      taskId,
+      status,
+      success: status === "completed",
+      reason,
+      from,
+      to,
+      messageId: meta.messageId,
+      subject: meta.subject,
+      bodyText: normalizeBodyText(meta.bodyText)
+    };
+    return pairRespond;
+  }
   if (intent === "card.query") {
     const cardQuery = {
       protocolVersion,
@@ -310,8 +363,8 @@ function buildDispatchHeaders(params) {
   if (params.expiresAt) {
     headers[AAMP_HEADER.EXPIRES_AT] = params.expiresAt;
   }
-  if (params.contextLinks.length > 0) {
-    headers[AAMP_HEADER.CONTEXT_LINKS] = params.contextLinks.join(",");
+  if (params.sessionKey?.trim()) {
+    headers[AAMP_HEADER.SESSION_KEY] = params.sessionKey.trim();
   }
   const dispatchContext = serializeDispatchContextHeader(params.dispatchContext);
   if (dispatchContext) {
@@ -344,6 +397,27 @@ function buildStreamOpenedHeaders(opts) {
     [AAMP_HEADER.STREAM_ID]: opts.streamId
   };
 }
+function buildPairRequestHeaders(opts) {
+  return {
+    [AAMP_HEADER.VERSION]: AAMP_PROTOCOL_VERSION,
+    [AAMP_HEADER.INTENT]: "pair.request",
+    [AAMP_HEADER.TASK_ID]: opts.taskId,
+    [AAMP_HEADER.PAIR_CODE]: opts.pairCode,
+    [AAMP_HEADER.DISPATCH_CONTEXT_RULES]: encodeBase64UrlJson(opts.dispatchContextRules ?? {})
+  };
+}
+function buildPairRespondHeaders(opts) {
+  const headers = {
+    [AAMP_HEADER.VERSION]: AAMP_PROTOCOL_VERSION,
+    [AAMP_HEADER.INTENT]: "pair.respond",
+    [AAMP_HEADER.TASK_ID]: opts.taskId,
+    [AAMP_HEADER.STATUS]: opts.success ? "completed" : "rejected"
+  };
+  if (!opts.success && opts.reason?.trim()) {
+    headers[AAMP_HEADER.ERROR_MSG] = opts.reason.replace(/[\r\n]/g, " ").trim();
+  }
+  return headers;
+}
 function buildResultHeaders(params) {
   const headers = {
     [AAMP_HEADER.VERSION]: AAMP_PROTOCOL_VERSION,
@@ -381,7 +455,7 @@ function buildCardResponseHeaders(params) {
   };
 }
 
-// ../sdk/src/tiny-emitter.js
+// ../sdk/dist/tiny-emitter.js
 var TinyEmitter = class {
   listeners = /* @__PURE__ */ new Map();
   onceWrappers = /* @__PURE__ */ new WeakMap();
@@ -434,7 +508,7 @@ var TinyEmitter = class {
   }
 };
 
-// ../sdk/src/jmap-push.js
+// ../sdk/dist/jmap-push.js
 function describeError(err) {
   if (!(err instanceof Error))
     return String(err);
@@ -729,6 +803,12 @@ var JmapPushClient = class extends TinyEmitter {
         case "task.stream.opened":
           this.emit("task.stream.opened", aampMsg);
           break;
+        case "pair.request":
+          this.emit("pair.request", aampMsg);
+          break;
+        case "pair.respond":
+          this.emit("pair.respond", aampMsg);
+          break;
         case "card.query":
           this.emit("card.query", aampMsg);
           break;
@@ -1114,10 +1194,177 @@ var JmapPushClient = class extends TinyEmitter {
   }
 };
 
-// ../sdk/src/smtp-sender.js
+// ../sdk/dist/pairing.js
+import { randomBytes } from "node:crypto";
+function normalizeMailbox(value) {
+  const mailbox = value.trim().toLowerCase();
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(mailbox)) {
+    throw new Error(`Invalid AAMP mailbox in pairing URL: ${value}`);
+  }
+  return mailbox;
+}
+function normalizeDispatchContextRules(rules) {
+  if (!rules)
+    return void 0;
+  const normalized = Object.fromEntries(Object.entries(rules).map(([key, values]) => [
+    key.trim().toLowerCase(),
+    (Array.isArray(values) ? values : []).map((value) => value.trim()).filter(Boolean)
+  ]).filter(([key, values]) => Boolean(key) && values.length > 0));
+  return Object.keys(normalized).length > 0 ? normalized : void 0;
+}
+function encodeBase64UrlJson2(value) {
+  return Buffer.from(JSON.stringify(value), "utf8").toString("base64url");
+}
+function decodeDispatchContextRules(value) {
+  const candidates = [
+    () => Buffer.from(value, "base64url").toString("utf8"),
+    () => value
+  ];
+  for (const read of candidates) {
+    try {
+      const parsed = JSON.parse(read());
+      return normalizeDispatchContextRules(parsed);
+    } catch {
+    }
+  }
+  throw new Error("Invalid dispatch_context_rules in pairing URL");
+}
+function buildPairingUrl(payload) {
+  const mailbox = normalizeMailbox(payload.mailbox);
+  const pairCode = payload.pairCode.trim();
+  if (!pairCode)
+    throw new Error("pairCode cannot be empty");
+  const url = new URL("aamp://connect");
+  url.searchParams.set("mailbox", mailbox);
+  url.searchParams.set("pair_code", pairCode);
+  const rules = normalizeDispatchContextRules(payload.dispatchContextRules);
+  if (rules) {
+    url.searchParams.set("dispatch_context_rules", encodeBase64UrlJson2(rules));
+  }
+  return url.toString();
+}
+function createPairingCode(options) {
+  const pairCode = options.pairCode?.trim() || randomBytes(6).toString("base64url");
+  const dispatchContextRules = normalizeDispatchContextRules(options.dispatchContextRules);
+  return {
+    mailbox: normalizeMailbox(options.mailbox),
+    pairCode,
+    expiresAt: new Date(Date.now() + (options.ttlSeconds ?? 300) * 1e3).toISOString(),
+    connectUrl: buildPairingUrl({
+      mailbox: options.mailbox,
+      pairCode,
+      ...dispatchContextRules ? { dispatchContextRules } : {}
+    }),
+    ...dispatchContextRules ? { dispatchContextRules } : {}
+  };
+}
+function parsePairingUrl(input) {
+  let url;
+  try {
+    url = new URL(input.trim());
+  } catch {
+    throw new Error("Invalid pairing URL");
+  }
+  if (url.protocol !== "aamp:" || url.hostname !== "connect") {
+    throw new Error("Pairing URL must start with aamp://connect");
+  }
+  const mailbox = url.searchParams.get("mailbox") ?? "";
+  const pairCode = url.searchParams.get("pair_code") ?? "";
+  if (!pairCode.trim())
+    throw new Error("Pairing URL is missing pair_code");
+  const rawRules = url.searchParams.get("dispatch_context_rules") ?? url.searchParams.get("dispatchContextRules");
+  const dispatchContextRules = rawRules ? decodeDispatchContextRules(rawRules) : void 0;
+  return {
+    mailbox: normalizeMailbox(mailbox),
+    pairCode: pairCode.trim(),
+    ...dispatchContextRules ? { dispatchContextRules } : {}
+  };
+}
+function isPairingUrl(input) {
+  try {
+    parsePairingUrl(input);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function consumePairingCode(state, options) {
+  if (state.consumedAt)
+    return null;
+  if (normalizeMailbox(state.mailbox) !== normalizeMailbox(options.mailbox))
+    return null;
+  if (state.pairCode !== options.pairCode.trim())
+    return null;
+  if (new Date(state.expiresAt).getTime() <= (options.now ?? /* @__PURE__ */ new Date()).getTime())
+    return null;
+  return {
+    ...state,
+    pairCode: "",
+    connectUrl: "",
+    consumedAt: (options.now ?? /* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function createPairedSenderPolicy(request, pairedAt = /* @__PURE__ */ new Date()) {
+  return {
+    sender: normalizeMailbox(request.from),
+    dispatchContextRules: normalizeDispatchContextRules(request.dispatchContextRules) ?? {},
+    pairedAt: pairedAt.toISOString()
+  };
+}
+function upsertPairedSenderPolicy(policies, policy) {
+  const sender = normalizeMailbox(policy.sender);
+  return [
+    ...policies.filter((item) => normalizeMailbox(item.sender) !== sender),
+    {
+      ...policy,
+      sender,
+      dispatchContextRules: normalizeDispatchContextRules(policy.dispatchContextRules) ?? {}
+    }
+  ];
+}
+function matchPairedSenderPolicy(policies, sender, dispatchContext) {
+  if (policies.length === 0) {
+    return { allowed: false, reason: "no paired sender policies configured" };
+  }
+  const normalizedSender = normalizeMailbox(sender);
+  const policy = policies.find((item) => normalizeMailbox(item.sender) === normalizedSender);
+  if (!policy) {
+    return { allowed: false, reason: `sender ${sender} is not paired` };
+  }
+  for (const [key, allowedValues] of Object.entries(policy.dispatchContextRules ?? {})) {
+    if (!Array.isArray(allowedValues) || allowedValues.length === 0)
+      continue;
+    const observed = dispatchContext?.[key];
+    if (!observed || !allowedValues.includes(observed)) {
+      return { allowed: false, reason: `dispatchContext does not match paired sender policy for ${sender}` };
+    }
+  }
+  return { allowed: true };
+}
+
+// ../sdk/dist/smtp-sender.js
 import { createTransport } from "nodemailer";
 import { randomUUID } from "crypto";
 var sanitize = (s) => s.replace(/[\r\n]/g, " ").trim();
+var HTTP_SEND_MAX_ATTEMPTS = 4;
+var HTTP_SEND_RETRY_BASE_DELAY_MS = 500;
+function sleep2(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isRetryableHttpStatus(status) {
+  return status === 408 || status === 409 || status === 425 || status === 429 || status >= 500;
+}
+function describeError2(err) {
+  if (!(err instanceof Error))
+    return String(err);
+  const details = err;
+  const parts = [err.message];
+  if (details.code)
+    parts.push(`code=${details.code}`);
+  if (details.cause instanceof Error)
+    parts.push(`cause=${describeError2(details.cause)}`);
+  return parts.join(" | ");
+}
 function deriveMailboxServiceDefaults(email, baseUrl2) {
   const domain = email.split("@")[1]?.trim();
   const resolvedBaseUrl = baseUrl2?.trim() || (domain ? `https://${domain}` : void 0);
@@ -1130,6 +1377,7 @@ function deriveMailboxServiceDefaults(email, baseUrl2) {
 var SmtpSender = class _SmtpSender {
   config;
   transport;
+  fetch;
   discoveredApiUrlPromise = null;
   jmapSessionPromise = null;
   sentMailboxIdPromise = null;
@@ -1142,12 +1390,16 @@ var SmtpSender = class _SmtpSender {
       password: config.password,
       httpBaseUrl: derived.httpBaseUrl,
       authToken: Buffer.from(`${config.email}:${config.password}`).toString("base64"),
+      fetch: config.fetch,
+      forceHttpSend: config.forceHttpSend,
+      persistSentCopy: config.persistSentCopy,
       secure: config.secure,
       rejectUnauthorized: config.rejectUnauthorized
     });
   }
   constructor(config) {
     this.config = config;
+    this.fetch = config.fetch ?? fetch;
     this.transport = createTransport({
       host: config.host,
       port: config.port,
@@ -1168,6 +1420,9 @@ var SmtpSender = class _SmtpSender {
     return email.split("@")[1]?.toLowerCase() ?? "";
   }
   shouldUseHttpFallback(to) {
+    if (this.config.forceHttpSend) {
+      return Boolean(this.config.httpBaseUrl && this.config.authToken);
+    }
     return Boolean(this.config.httpBaseUrl && this.config.authToken && this.senderDomain() && this.senderDomain() === this.recipientDomain(to));
   }
   async resolveAampApiUrl() {
@@ -1177,7 +1432,7 @@ var SmtpSender = class _SmtpSender {
     }
     if (!this.discoveredApiUrlPromise) {
       this.discoveredApiUrlPromise = (async () => {
-        const discoveryRes = await fetch(`${base}/.well-known/aamp`);
+        const discoveryRes = await this.fetch(`${base}/.well-known/aamp`);
         if (!discoveryRes.ok) {
           throw new Error(`AAMP discovery failed: ${discoveryRes.status}`);
         }
@@ -1199,33 +1454,49 @@ var SmtpSender = class _SmtpSender {
     if (!this.config.authToken) {
       throw new Error("HTTP send fallback is not configured");
     }
-    const apiUrl = new URL(await this.resolveAampApiUrl());
-    apiUrl.searchParams.set("action", "aamp.mailbox.send");
-    const res = await fetch(apiUrl, {
-      method: "POST",
-      headers: {
-        Authorization: `Basic ${this.config.authToken}`,
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        to: opts.to,
-        subject: opts.subject,
-        text: opts.text,
-        aampHeaders: opts.aampHeaders,
-        attachments: opts.attachments?.map((a) => ({
-          filename: a.filename,
-          contentType: a.contentType,
-          content: typeof a.content === "string" ? a.content : a.content.toString("base64")
-        }))
-      })
-    });
-    const data = await res.json().catch(() => ({}));
-    if (!res.ok) {
-      throw new Error(data.details || `HTTP send failed: ${res.status}`);
+    let lastError = null;
+    for (let attempt = 1; attempt <= HTTP_SEND_MAX_ATTEMPTS; attempt += 1) {
+      const apiUrl = new URL(await this.resolveAampApiUrl());
+      apiUrl.searchParams.set("action", "aamp.mailbox.send");
+      try {
+        const res = await this.fetch(apiUrl, {
+          method: "POST",
+          headers: {
+            Authorization: `Basic ${this.config.authToken}`,
+            "Content-Type": "application/json"
+          },
+          body: JSON.stringify({
+            to: opts.to,
+            subject: opts.subject,
+            text: opts.text,
+            aampHeaders: opts.aampHeaders,
+            attachments: opts.attachments?.map((a) => ({
+              filename: a.filename,
+              contentType: a.contentType,
+              content: typeof a.content === "string" ? a.content : a.content.toString("base64")
+            }))
+          })
+        });
+        const data = await res.json().catch(() => ({}));
+        if (res.ok)
+          return { messageId: data.messageId };
+        lastError = new Error(data.details || `HTTP send failed: ${res.status}`);
+        if (!isRetryableHttpStatus(res.status) || attempt === HTTP_SEND_MAX_ATTEMPTS)
+          break;
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (attempt === HTTP_SEND_MAX_ATTEMPTS) {
+          lastError = new Error(`HTTP send failed after ${attempt} attempts: ${describeError2(lastError)}`);
+          break;
+        }
+      }
+      await sleep2(HTTP_SEND_RETRY_BASE_DELAY_MS * attempt);
     }
-    return { messageId: data.messageId };
+    throw lastError ?? new Error("HTTP send failed");
   }
   canPersistSentCopy() {
+    if (this.config.persistSentCopy === false)
+      return false;
     return Boolean(this.config.httpBaseUrl && this.config.authToken);
   }
   getJmapAuthHeader() {
@@ -1241,7 +1512,7 @@ var SmtpSender = class _SmtpSender {
     }
     if (!this.jmapSessionPromise) {
       this.jmapSessionPromise = (async () => {
-        const res = await fetch(`${base}/.well-known/jmap`, {
+        const res = await this.fetch(`${base}/.well-known/jmap`, {
           headers: { Authorization: this.getJmapAuthHeader() }
         });
         if (!res.ok) {
@@ -1267,7 +1538,7 @@ var SmtpSender = class _SmtpSender {
   }
   async jmapCall(methodCalls) {
     const session = await this.resolveJmapSession();
-    const res = await fetch(session.apiUrl, {
+    const res = await this.fetch(session.apiUrl, {
       method: "POST",
       headers: {
         Authorization: this.getJmapAuthHeader(),
@@ -1364,7 +1635,6 @@ var SmtpSender = class _SmtpSender {
       taskId,
       priority: opts.priority,
       expiresAt: opts.expiresAt,
-      contextLinks: opts.contextLinks ?? [],
       dispatchContext: opts.dispatchContext,
       parentTaskId: opts.parentTaskId
     });
@@ -1372,13 +1642,11 @@ var SmtpSender = class _SmtpSender {
       from: this.config.user,
       to: opts.to,
       subject: `[AAMP Task] ${sanitize(opts.title)}`,
-      text: [
+      text: opts.rawBodyText ?? [
         `Task: ${opts.title}`,
         `Task ID: ${taskId}`,
         `Priority: ${opts.priority ?? "normal"}`,
         opts.expiresAt ? `Expires At: ${opts.expiresAt}` : `Expires At: none`,
-        opts.contextLinks?.length ? `Context:
-${opts.contextLinks.map((l) => `  ${l}`).join("\n")}` : "",
         opts.bodyText ?? "",
         ``,
         `--- This email was sent by AAMP. Reply directly to submit your result. ---`
@@ -1440,7 +1708,7 @@ ${opts.contextLinks.map((l) => `  ${l}`).join("\n")}` : "",
       from: this.config.user,
       to: opts.to,
       subject: `[AAMP Result] Task ${opts.taskId} \u2014 ${opts.status}`,
-      text: [
+      text: opts.rawBodyText ?? [
         `AAMP Task Result`,
         ``,
         `Task ID: ${opts.taskId}`,
@@ -1514,7 +1782,7 @@ Error: ${opts.errorMsg}` : ""
       from: this.config.user,
       to: opts.to,
       subject: `[AAMP Help] Task ${opts.taskId} needs assistance`,
-      text: [
+      text: opts.rawBodyText ?? [
         `AAMP Task Help Request`,
         ``,
         `Task ID: ${opts.taskId}`,
@@ -1721,6 +1989,110 @@ Stream ID: ${opts.streamId}`,
       references: opts.inReplyTo
     });
   }
+  async sendPairRequest(opts) {
+    const taskId = opts.taskId ?? randomUUID();
+    const aampHeaders = buildPairRequestHeaders({
+      taskId,
+      pairCode: opts.pairCode,
+      dispatchContextRules: opts.dispatchContextRules ?? {}
+    });
+    const text = [
+      "AAMP Pair Request",
+      "",
+      `Pair code: ${opts.pairCode}`,
+      `Dispatch context rules: ${JSON.stringify(opts.dispatchContextRules ?? {})}`
+    ].join("\n");
+    const mailOpts = {
+      from: this.config.user,
+      to: opts.to,
+      subject: "[AAMP Pair] Connection request",
+      text,
+      headers: aampHeaders
+    };
+    if (this.shouldUseHttpFallback(opts.to)) {
+      const info2 = await this.sendViaHttp({
+        to: opts.to,
+        subject: mailOpts.subject,
+        text,
+        aampHeaders
+      });
+      await this.saveToSentBestEffort({
+        from: this.config.user,
+        to: opts.to,
+        subject: mailOpts.subject,
+        text,
+        aampHeaders,
+        messageId: info2.messageId
+      });
+      return { taskId, messageId: info2.messageId ?? "" };
+    }
+    const info = await this.transport.sendMail(mailOpts);
+    await this.saveToSentBestEffort({
+      from: this.config.user,
+      to: opts.to,
+      subject: mailOpts.subject,
+      text,
+      aampHeaders,
+      messageId: info.messageId
+    });
+    return { taskId, messageId: info.messageId ?? "" };
+  }
+  async sendPairRespond(opts) {
+    const aampHeaders = buildPairRespondHeaders({
+      taskId: opts.taskId,
+      success: opts.success,
+      reason: opts.reason
+    });
+    const status = opts.success ? "completed" : "rejected";
+    const text = [
+      "AAMP Pair Response",
+      "",
+      `Task ID: ${opts.taskId}`,
+      `Status: ${status}`,
+      ...opts.reason?.trim() ? ["", `Reason: ${opts.reason.trim()}`] : []
+    ].join("\n");
+    const mailOpts = {
+      from: this.config.user,
+      to: opts.to,
+      subject: `[AAMP Pair] ${status}`,
+      text,
+      headers: aampHeaders
+    };
+    if (opts.inReplyTo) {
+      mailOpts.inReplyTo = opts.inReplyTo;
+      mailOpts.references = opts.inReplyTo;
+    }
+    if (this.shouldUseHttpFallback(opts.to)) {
+      const info2 = await this.sendViaHttp({
+        to: opts.to,
+        subject: mailOpts.subject,
+        text,
+        aampHeaders
+      });
+      await this.saveToSentBestEffort({
+        from: this.config.user,
+        to: opts.to,
+        subject: mailOpts.subject,
+        text,
+        aampHeaders,
+        messageId: info2.messageId,
+        inReplyTo: opts.inReplyTo,
+        references: opts.inReplyTo
+      });
+      return;
+    }
+    const info = await this.transport.sendMail(mailOpts);
+    await this.saveToSentBestEffort({
+      from: this.config.user,
+      to: opts.to,
+      subject: mailOpts.subject,
+      text,
+      aampHeaders,
+      messageId: info.messageId,
+      inReplyTo: opts.inReplyTo,
+      references: opts.inReplyTo
+    });
+  }
   async sendCardQuery(opts) {
     const taskId = opts.taskId ?? randomUUID();
     const aampHeaders = buildCardQueryHeaders({ taskId });
@@ -1830,7 +2202,7 @@ Stream ID: ${opts.streamId}`,
   }
 };
 
-// ../sdk/src/thread.js
+// ../sdk/dist/thread.js
 function singleLine(value, maxLength = 220) {
   const normalized = (value ?? "").replace(/\s+/g, " ").trim();
   if (!normalized)
@@ -1884,7 +2256,7 @@ function renderThreadHistoryForAgent(events, options = {}) {
   ].join("\n");
 }
 
-// ../sdk/src/client.js
+// ../sdk/dist/client.js
 function buildRegisteredCommandDispatchPayload(opts) {
   const command = opts.command.trim();
   if (!command) {
@@ -1961,6 +2333,9 @@ var AampClient = class _AampClient extends TinyEmitter {
       password: config.smtpPassword,
       httpBaseUrl: config.httpSendBaseUrl ?? resolvedBaseUrl,
       authToken: mailboxToken,
+      fetch: config.fetch,
+      forceHttpSend: config.forceHttpSend,
+      persistSentCopy: config.persistSentCopy,
       rejectUnauthorized: config.rejectUnauthorized
     });
     this.jmapClient.on("task.dispatch", (task) => {
@@ -1981,6 +2356,12 @@ var AampClient = class _AampClient extends TinyEmitter {
     this.jmapClient.on("task.stream.opened", (stream) => {
       this.emit("task.stream.opened", stream);
     });
+    this.jmapClient.on("pair.request", (request) => {
+      this.emit("pair.request", request);
+    });
+    this.jmapClient.on("pair.respond", (response) => {
+      this.emit("pair.respond", response);
+    });
     this.jmapClient.on("card.query", (query) => {
       this.emit("card.query", query);
     });
@@ -2018,12 +2399,23 @@ var AampClient = class _AampClient extends TinyEmitter {
       smtpPassword: config.smtpPassword,
       reconnectInterval: config.reconnectInterval,
       taskDispatchConcurrency: config.taskDispatchConcurrency,
+      fetch: config.fetch,
+      forceHttpSend: config.forceHttpSend,
+      persistSentCopy: config.persistSentCopy,
       rejectUnauthorized: config.rejectUnauthorized
     });
   }
-  static async discoverAampService(aampHost) {
+  static createPairingCode = createPairingCode;
+  static buildPairingUrl = buildPairingUrl;
+  static parsePairingUrl = parsePairingUrl;
+  static isPairingUrl = isPairingUrl;
+  static consumePairingCode = consumePairingCode;
+  static createPairedSenderPolicy = createPairedSenderPolicy;
+  static upsertPairedSenderPolicy = upsertPairedSenderPolicy;
+  static matchPairedSenderPolicy = matchPairedSenderPolicy;
+  static async discoverAampService(aampHost, fetchImpl = fetch) {
     const base = aampHost.replace(/\/$/, "");
-    const res = await fetch(`${base}/.well-known/aamp`);
+    const res = await fetchImpl(`${base}/.well-known/aamp`);
     if (!res.ok) {
       throw new Error(`AAMP discovery failed: ${res.status} ${res.statusText}`);
     }
@@ -2034,7 +2426,8 @@ var AampClient = class _AampClient extends TinyEmitter {
     return discovery;
   }
   static async callDiscoveredApi(base, opts) {
-    const discovery = await _AampClient.discoverAampService(base);
+    const fetchImpl = opts.fetch ?? fetch;
+    const discovery = await _AampClient.discoverAampService(base, fetchImpl);
     const apiUrl = new URL(discovery.api.url, `${base}/`);
     apiUrl.searchParams.set("action", opts.action);
     for (const [key, value] of Object.entries(opts.query ?? {})) {
@@ -2042,7 +2435,7 @@ var AampClient = class _AampClient extends TinyEmitter {
         continue;
       apiUrl.searchParams.set(key, String(value));
     }
-    return fetch(apiUrl, {
+    return fetchImpl(apiUrl, {
       method: opts.method ?? "GET",
       headers: {
         ...opts.authToken ? { Authorization: `Basic ${opts.authToken}` } : {},
@@ -2088,6 +2481,22 @@ var AampClient = class _AampClient extends TinyEmitter {
       baseUrl: base
     };
   }
+  static async checkMailbox(opts) {
+    const base = opts.aampHost.replace(/\/$/, "");
+    const res = await _AampClient.callDiscoveredApi(base, {
+      action: "aamp.mailbox.check",
+      query: { email: opts.email }
+    });
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      throw new Error(`Mailbox check failed: ${res.status} ${body || res.statusText}`);
+    }
+    const payload = await res.json();
+    return {
+      aamp: Boolean(payload.aamp),
+      ...payload.domain ? { domain: payload.domain } : {}
+    };
+  }
   // =====================================================
   // Lifecycle
   // =====================================================
@@ -2134,7 +2543,7 @@ var AampClient = class _AampClient extends TinyEmitter {
       rawBodyText: JSON.stringify(payload, null, 2),
       priority: opts.priority,
       expiresAt: opts.expiresAt,
-      contextLinks: opts.contextLinks,
+      sessionKey: opts.sessionKey,
       dispatchContext: opts.dispatchContext,
       parentTaskId: opts.parentTaskId,
       attachments: opts.attachments
@@ -2158,6 +2567,12 @@ var AampClient = class _AampClient extends TinyEmitter {
   async sendStreamOpened(opts) {
     return this.smtpSender.sendStreamOpened(opts);
   }
+  async sendPairRequest(opts) {
+    return this.smtpSender.sendPairRequest(opts);
+  }
+  async sendPairRespond(opts) {
+    return this.smtpSender.sendPairRespond(opts);
+  }
   async sendCardQuery(opts) {
     return this.smtpSender.sendCardQuery(opts);
   }
@@ -2171,6 +2586,7 @@ var AampClient = class _AampClient extends TinyEmitter {
       action: "aamp.directory.upsert",
       method: "POST",
       authToken: mailboxToken,
+      fetch: this.config.fetch,
       body: opts
     });
     if (!res.ok) {
@@ -2186,6 +2602,7 @@ var AampClient = class _AampClient extends TinyEmitter {
     const res = await _AampClient.callDiscoveredApi(base, {
       action: "aamp.directory.list",
       authToken: mailboxToken,
+      fetch: this.config.fetch,
       query: {
         scope: opts.scope,
         includeSelf: opts.includeSelf,
@@ -2205,6 +2622,7 @@ var AampClient = class _AampClient extends TinyEmitter {
     const res = await _AampClient.callDiscoveredApi(base, {
       action: "aamp.directory.search",
       authToken: mailboxToken,
+      fetch: this.config.fetch,
       query: {
         q: opts.query,
         scope: opts.scope,
@@ -2225,6 +2643,7 @@ var AampClient = class _AampClient extends TinyEmitter {
     const res = await _AampClient.callDiscoveredApi(base, {
       action: "aamp.mailbox.thread",
       authToken: mailboxToken,
+      fetch: this.config.fetch,
       query: {
         taskId,
         includeStreamOpened: opts.includeStreamOpened
@@ -2250,7 +2669,7 @@ var AampClient = class _AampClient extends TinyEmitter {
     };
   }
   async resolveStreamCapability() {
-    const discovery = await _AampClient.discoverAampService(this.config.baseUrl);
+    const discovery = await _AampClient.discoverAampService(this.config.baseUrl, this.config.fetch);
     const stream = discovery.capabilities?.stream;
     if (!stream?.transport) {
       throw new Error("AAMP stream capability is not available on this service");
@@ -2263,6 +2682,7 @@ var AampClient = class _AampClient extends TinyEmitter {
       action: stream.createAction ?? "aamp.stream.create",
       method: "POST",
       authToken: this.config.mailboxToken,
+      fetch: this.config.fetch,
       body: opts
     });
     if (!res.ok) {
@@ -2309,6 +2729,7 @@ var AampClient = class _AampClient extends TinyEmitter {
       action: stream.appendAction ?? "aamp.stream.append",
       method: "POST",
       authToken: this.config.mailboxToken,
+      fetch: this.config.fetch,
       body: opts
     });
     if (!res.ok) {
@@ -2414,6 +2835,7 @@ var AampClient = class _AampClient extends TinyEmitter {
       action: stream.closeAction ?? "aamp.stream.close",
       method: "POST",
       authToken: this.config.mailboxToken,
+      fetch: this.config.fetch,
       body: opts
     });
     if (!res.ok) {
@@ -2427,6 +2849,7 @@ var AampClient = class _AampClient extends TinyEmitter {
     const res = await _AampClient.callDiscoveredApi(this.config.baseUrl, {
       action: stream.getAction ?? "aamp.stream.get",
       authToken: this.config.mailboxToken,
+      fetch: this.config.fetch,
       query: {
         ...opts.taskId ? { taskId: opts.taskId } : {},
         ...opts.streamId ? { streamId: opts.streamId } : {}
@@ -2453,7 +2876,8 @@ var AampClient = class _AampClient extends TinyEmitter {
     if (opts.signal) {
       opts.signal.addEventListener("abort", () => controller.abort(), { once: true });
     }
-    const res = await fetch(url, {
+    const fetchImpl = this.config.fetch ?? fetch;
+    const res = await fetchImpl(url, {
       headers: {
         Authorization: `Basic ${this.config.mailboxToken}`,
         Accept: "text/event-stream"
@@ -2564,12 +2988,19 @@ import { readFileSync as readFileSync2 } from "node:fs";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { homedir } from "node:os";
+import { randomBytes as randomBytes2 } from "node:crypto";
 function defaultCredentialsPath() {
   return join(homedir(), ".openclaw", "extensions", "aamp-openclaw-plugin", ".credentials.json");
 }
 function defaultTaskStatePath() {
   return join(homedir(), ".openclaw", "extensions", "aamp-openclaw-plugin", ".task-state.json");
 }
+function defaultPairingPath() {
+  return join(homedir(), ".openclaw", "extensions", "aamp-openclaw-plugin", ".pairing.json");
+}
+function defaultSenderPoliciesPath() {
+  return join(homedir(), ".openclaw", "extensions", "aamp-openclaw-plugin", ".sender-policies.json");
+}
 function loadCachedIdentity(file) {
   const resolved = file ?? defaultCredentialsPath();
   if (!existsSync(resolved))
@@ -2616,6 +3047,66 @@ function saveTaskState(state, file) {
     terminalTaskIds: state.terminalTaskIds ?? []
   }, null, 2), "utf-8");
 }
+function createPairingCode2(params) {
+  const pairCode = randomBytes2(6).toString("base64url");
+  const expiresAt = new Date(Date.now() + (params.ttlSeconds ?? 300) * 1e3).toISOString();
+  const connectUrl = `aamp://connect?mailbox=${encodeURIComponent(params.mailbox.toLowerCase())}&pair_code=${encodeURIComponent(pairCode)}`;
+  const state = {
+    mailbox: params.mailbox.toLowerCase(),
+    pairCode,
+    expiresAt,
+    connectUrl
+  };
+  const resolved = params.file ?? defaultPairingPath();
+  mkdirSync(dirname(resolved), { recursive: true });
+  writeFileSync(resolved, JSON.stringify(state, null, 2), "utf-8");
+  return state;
+}
+function consumePairingCode2(params) {
+  const resolved = params.file ?? defaultPairingPath();
+  if (!existsSync(resolved))
+    return null;
+  const state = JSON.parse(readFileSync(resolved, "utf-8"));
+  if (state.mailbox.toLowerCase() !== params.mailbox.toLowerCase())
+    return null;
+  if (state.pairCode !== params.pairCode)
+    return null;
+  if (state.consumedAt)
+    return null;
+  if (new Date(state.expiresAt).getTime() <= Date.now())
+    return null;
+  writeFileSync(resolved, JSON.stringify({ ...state, pairCode: "", consumedAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2), "utf-8");
+  return state;
+}
+function isPairedSenderPolicy(value) {
+  if (!value || typeof value !== "object")
+    return false;
+  const policy = value;
+  return typeof policy.sender === "string" && typeof policy.dispatchContextRules === "object" && typeof policy.pairedAt === "string";
+}
+function loadPairedSenderPolicies(file) {
+  const resolved = file ?? defaultSenderPoliciesPath();
+  if (!existsSync(resolved))
+    return [];
+  try {
+    const data = JSON.parse(readFileSync(resolved, "utf-8"));
+    return Array.isArray(data) ? data.filter(isPairedSenderPolicy) : [];
+  } catch {
+    return [];
+  }
+}
+function addPairedSenderPolicy(file, policy) {
+  const resolved = file ?? defaultSenderPoliciesPath();
+  const policies = loadPairedSenderPolicies(resolved);
+  const normalizedSender = policy.sender.toLowerCase();
+  const next = [
+    ...policies.filter((item) => item.sender.toLowerCase() !== normalizedSender),
+    { ...policy, sender: normalizedSender }
+  ];
+  mkdirSync(dirname(resolved), { recursive: true });
+  writeFileSync(resolved, JSON.stringify(next, null, 2), "utf-8");
+  return next;
+}
 function ensureDir(dir) {
   mkdirSync(dir, { recursive: true });
 }
@@ -2630,7 +3121,7 @@ function writeBinaryFile(path, content) {
 // src/index.ts
 function matchSenderPolicy(task, senderPolicies) {
   if (!senderPolicies?.length)
-    return { allowed: true };
+    return { allowed: false, reason: "no configured senderPolicies" };
   const sender = task.from.toLowerCase();
   const policy = senderPolicies.find((item) => item.sender.trim().toLowerCase() === sender);
   if (!policy) {
@@ -2659,12 +3150,62 @@ function matchSenderPolicy(task, senderPolicies) {
   }
   return { allowed: true };
 }
+function rulesMatch(rules, dispatchContext) {
+  for (const [key, allowedValues] of Object.entries(rules ?? {})) {
+    if (!Array.isArray(allowedValues) || allowedValues.length === 0)
+      continue;
+    const observed = dispatchContext?.[key];
+    if (!observed || !allowedValues.includes(observed))
+      return false;
+  }
+  return true;
+}
+function matchPairedSenderPolicy2(task, senderPolicies) {
+  if (senderPolicies.length === 0)
+    return { allowed: false, reason: "no paired sender policies configured" };
+  const sender = task.from.toLowerCase();
+  const policy = senderPolicies.find((item) => item.sender.trim().toLowerCase() === sender);
+  if (!policy) {
+    return { allowed: false, reason: `sender ${task.from} is not paired` };
+  }
+  if (!rulesMatch(policy.dispatchContextRules, task.dispatchContext)) {
+    return { allowed: false, reason: `dispatchContext does not match paired sender policy for ${task.from}` };
+  }
+  return { allowed: true };
+}
+function matchCombinedSenderPolicy(task, configuredPolicies, pairedPolicies) {
+  const hasConfiguredPolicies = (configuredPolicies?.length ?? 0) > 0;
+  const hasPairedPolicies = pairedPolicies.length > 0;
+  if (!hasConfiguredPolicies && !hasPairedPolicies) {
+    return { allowed: false, reason: "no sender policy configured" };
+  }
+  const configuredDecision = hasConfiguredPolicies ? matchSenderPolicy(task, configuredPolicies) : { allowed: false, reason: "no configured senderPolicies" };
+  const pairedDecision = hasPairedPolicies ? matchPairedSenderPolicy2(task, pairedPolicies) : { allowed: false, reason: "no paired sender policies configured" };
+  if (pairedDecision.allowed)
+    return pairedDecision;
+  if (configuredDecision.allowed)
+    return configuredDecision;
+  return configuredDecision.reason ? configuredDecision : pairedDecision;
+}
 function baseUrl(aampHost) {
   if (aampHost.startsWith("http://") || aampHost.startsWith("https://")) {
     return aampHost.replace(/\/$/, "");
   }
   return `https://${aampHost}`;
 }
+async function renderTerminalQr(value) {
+  try {
+    const qrcode = await import("qrcode-terminal");
+    const generator = qrcode.default?.generate ?? qrcode.generate;
+    if (!generator)
+      return "";
+    return await new Promise((resolve) => {
+      generator(value, { small: true }, (qr) => resolve(qr));
+    });
+  } catch {
+    return "";
+  }
+}
 var pendingTasks = /* @__PURE__ */ new Map();
 var activeTaskStreams = /* @__PURE__ */ new Map();
 var terminalTaskIds = new Set(loadTaskState(defaultTaskStatePath()).terminalTaskIds ?? []);
@@ -2688,6 +3229,7 @@ var transportMonitorTimer = null;
 var historicalReconcileCompleted = false;
 var channelRuntime = null;
 var channelCfg = null;
+var pairedSenderPolicies = [];
 async function ensureTaskStream(task) {
   if (!aampClient?.isConnected())
     return null;
@@ -2756,17 +3298,8 @@ function isTaskAwaitingHelpReply(task) {
   return task.awaitingHelpReply === true;
 }
 function isConversationalTask(task) {
-  return task.dispatchContext?.source === "feishu";
-}
-function firstDispatchContextValue(context, keys) {
-  if (!context)
-    return void 0;
-  for (const key of keys) {
-    const value = context[key]?.trim();
-    if (value)
-      return value;
-  }
-  return void 0;
+  const source = task.dispatchContext?.source?.trim().toLowerCase();
+  return source === "feishu" || source === "wechat";
 }
 function threadAlreadyTerminal(events) {
   return (events ?? []).some(
@@ -2814,8 +3347,8 @@ function buildOpenClawMainSessionKey(mainKey, config) {
 function buildAampConversationSessionKey(value, config) {
   return buildOpenClawMainSessionKey(`${AAMP_SESSION_PREFIX}default:${value}`, config);
 }
-function buildAampStickySessionKey(dispatchContext, config) {
-  const stickyValue = firstDispatchContextValue(dispatchContext, ["session_key", "conversation_key", "thread_key"]);
+function buildAampStickySessionKey(sessionKey, config) {
+  const stickyValue = sessionKey?.trim();
   if (!stickyValue)
     return void 0;
   return buildAampConversationSessionKey(`session:${stickyValue}`, config);
@@ -2827,10 +3360,10 @@ function buildAampWakeSessionKey(kind, id) {
   return `${AAMP_SESSION_PREFIX}wake:${kind}:${id}`;
 }
 function buildSessionKeyForPendingTask(task, config) {
-  return buildAampStickySessionKey(task.dispatchContext, config) ?? buildAampTaskSessionKey(task.taskId, config);
+  return buildAampStickySessionKey(task.sessionKey, config) ?? buildAampTaskSessionKey(task.taskId, config);
 }
 function buildWakeSessionKeyForPendingTask(task, config) {
-  return buildAampStickySessionKey(task.dispatchContext, config) ?? buildAampWakeSessionKey("task", task.taskId);
+  return buildAampStickySessionKey(task.sessionKey, config) ?? buildAampWakeSessionKey("task", task.taskId);
 }
 function findPendingEntryForSession(sessionKey, config) {
   if (typeof sessionKey !== "string" || !isAampSessionKey(sessionKey))
@@ -2939,7 +3472,6 @@ function queuePendingTask(task) {
     threadContextText: task.threadContextText ?? "",
     priority: task.priority ?? "normal",
     ...task.expiresAt ? { expiresAt: task.expiresAt } : {},
-    contextLinks: task.contextLinks ?? [],
     messageId: task.messageId ?? "",
     receivedAt: (/* @__PURE__ */ new Date()).toISOString()
   });
@@ -2952,39 +3484,15 @@ function queuePendingTask(task) {
 }
 async function registerNode(cfg) {
   const slug = (cfg.slug ?? "openclaw-agent").toLowerCase().replace(/[\s_]+/g, "-").replace(/[^a-z0-9-]/g, "");
-  const base = baseUrl(cfg.aampHost);
-  const discoveryRes = await fetch(`${base}/.well-known/aamp`);
-  if (!discoveryRes.ok) {
-    throw new Error(`AAMP discovery failed (${discoveryRes.status}): ${discoveryRes.statusText}`);
-  }
-  const discovery = await discoveryRes.json();
-  const apiUrl = discovery.api?.url;
-  if (!apiUrl) {
-    throw new Error("AAMP discovery did not return api.url");
-  }
-  const apiBase = new URL(apiUrl, `${base}/`).toString();
-  const res = await fetch(`${apiBase}?action=aamp.mailbox.register`, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ slug, description: "OpenClaw AAMP agent node" })
+  const credData = await AampClient.registerMailbox({
+    aampHost: cfg.aampHost,
+    slug,
+    description: "OpenClaw AAMP agent node"
   });
-  if (!res.ok) {
-    const err = await res.json().catch(() => ({}));
-    throw new Error(`AAMP registration failed (${res.status}): ${err.error ?? res.statusText}`);
-  }
-  const regData = await res.json();
-  const credRes = await fetch(
-    `${apiBase}?action=aamp.mailbox.credentials&code=${encodeURIComponent(regData.registrationCode)}`
-  );
-  if (!credRes.ok) {
-    const err = await credRes.json().catch(() => ({}));
-    throw new Error(`AAMP credential exchange failed (${credRes.status}): ${err.error ?? credRes.statusText}`);
-  }
-  const credData = await credRes.json();
   return {
     email: credData.email,
-    mailboxToken: credData.mailbox.token,
-    smtpPassword: credData.smtp.password
+    mailboxToken: credData.mailboxToken,
+    smtpPassword: credData.smtpPassword
   };
 }
 async function resolveIdentity(cfg) {
@@ -3026,6 +3534,14 @@ var src_default = {
         type: "string",
         description: "Absolute path to cache AAMP credentials between gateway restarts. Default: ~/.openclaw/extensions/aamp-openclaw-plugin/.credentials.json. Delete this file to force re-registration with a new mailbox."
       },
+      pairingFile: {
+        type: "string",
+        description: "Absolute path to store the current one-time AAMP pairing code. Default: ~/.openclaw/extensions/aamp-openclaw-plugin/.pairing.json."
+      },
+      senderPoliciesFile: {
+        type: "string",
+        description: "Absolute path to persist senders approved by pair.request. Default: ~/.openclaw/extensions/aamp-openclaw-plugin/.sender-policies.json."
+      },
       senderPolicies: {
         type: "array",
         description: "Per-sender authorization policies. Each sender can optionally require specific X-AAMP-Dispatch-Context key/value pairs before a task is accepted.",
@@ -3116,6 +3632,70 @@ var src_default = {
       });
       api.logger.info(`[AAMP] Directory profile synced${cardText ? " (card text registered)" : ""}`);
     }
+    async function sendPairResponse(request, success, reason) {
+      if (!aampClient)
+        return;
+      try {
+        await aampClient.sendPairRespond({
+          to: request.from,
+          taskId: request.taskId,
+          success,
+          reason,
+          inReplyTo: request.messageId
+        });
+      } catch (err) {
+        api.logger.warn(`[AAMP] Failed to send pair.respond to ${request.from}: ${err.message}`);
+      }
+    }
+    async function handlePairRequest(request) {
+      if (!agentEmail)
+        return;
+      if (request.to.trim().toLowerCase() !== agentEmail.trim().toLowerCase())
+        return;
+      const consumed = consumePairingCode2({
+        file: cfg.pairingFile ?? defaultPairingPath(),
+        mailbox: agentEmail,
+        pairCode: request.pairCode
+      });
+      if (!consumed) {
+        const reason = "invalid or expired pair code";
+        api.logger.warn(`[AAMP] Rejected pair.request from ${request.from}: ${reason}`);
+        await sendPairResponse(request, false, reason);
+        return;
+      }
+      pairedSenderPolicies = addPairedSenderPolicy(cfg.senderPoliciesFile ?? defaultSenderPoliciesPath(), {
+        sender: request.from.trim().toLowerCase(),
+        dispatchContextRules: request.dispatchContextRules ?? {},
+        pairedAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      api.logger.info(`[AAMP] Paired sender ${request.from}; sender policy saved to ${cfg.senderPoliciesFile ?? defaultSenderPoliciesPath()}`);
+      await sendPairResponse(request, true);
+    }
+    async function renderPairingCodeForCurrentAgent() {
+      const identity = agentEmail ? { email: agentEmail } : loadCachedIdentity(cfg.credentialsFile ?? defaultCredentialsPath());
+      const email = identity?.email?.trim();
+      if (!email) {
+        return "Error: AAMP mailbox identity is not ready. Start the AAMP plugin service first.";
+      }
+      const pairing = createPairingCode2({
+        mailbox: email,
+        file: cfg.pairingFile ?? defaultPairingPath()
+      });
+      const qr = await renderTerminalQr(pairing.connectUrl);
+      api.logger.info(`[AAMP] Pair with AAMP App before ${pairing.expiresAt}: ${pairing.connectUrl}`);
+      if (qr)
+        api.logger.info(`
+${qr}`);
+      return [
+        `Pair ${email} with AAMP App or another AAMP runtime.`,
+        `Expires: ${pairing.expiresAt}`,
+        qr ? `
+Scan this QR code:
+${qr}` : "\nCould not render a terminal QR code.",
+        `
+Pairing URL: ${pairing.connectUrl}`
+      ].join("\n");
+    }
     function wakeAgentForPendingTask(task) {
       const fallbackSessionKey = buildWakeSessionKeyForPendingTask(task, api.config);
       const openClawSessionKey = buildSessionKeyForPendingTask(task, api.config);
@@ -3199,6 +3779,16 @@ var src_default = {
       lastTransportMode = "disconnected";
       lastLoggedTransportMode = "disconnected";
       api.logger.info(`[AAMP] Mailbox identity ready \u2014 ${agentEmail}`);
+      pairedSenderPolicies = loadPairedSenderPolicies(cfg.senderPoliciesFile ?? defaultSenderPoliciesPath());
+      const pairing = createPairingCode2({
+        mailbox: agentEmail,
+        file: cfg.pairingFile ?? defaultPairingPath()
+      });
+      api.logger.info(`[AAMP] Pair with AAMP App before ${pairing.expiresAt}: ${pairing.connectUrl}`);
+      const qr = await renderTerminalQr(pairing.connectUrl);
+      if (qr)
+        api.logger.info(`
+${qr}`);
       const base = baseUrl(cfg.aampHost);
       aampClient = AampClient.fromMailboxIdentity({
         email: identity.email,
@@ -3217,7 +3807,7 @@ var src_default = {
               api.logger.info(`[AAMP] Skipping already-terminal task ${task.taskId}`);
               return;
             }
-            const decision = matchSenderPolicy(task, cfg.senderPolicies);
+            const decision = matchCombinedSenderPolicy(task, cfg.senderPolicies, pairedSenderPolicies);
             if (!decision.allowed) {
               api.logger.warn(`[AAMP] \u2717 rejected by senderPolicies: ${task.from}  task=${task.taskId}  reason=${decision.reason}`);
               void aampClient.sendResult({
@@ -3274,6 +3864,11 @@ var src_default = {
           api.logger.info(`[AAMP] Cancelled task ${cancel.taskId} \u2014 removed from pending queue`);
         }
       });
+      aampClient.on("pair.request", (request) => {
+        void handlePairRequest(request).catch((err) => {
+          api.logger.warn(`[AAMP] Failed to handle pair.request: ${err.message}`);
+        });
+      });
       aampClient.on("task.result", (result) => {
         if (result.from.toLowerCase() === agentEmail.toLowerCase())
           return;
@@ -3341,7 +3936,6 @@ ${truncatedOutput}${attachmentInfo}` : `Agent ${result.from} rejected the sub-ta
 
 Reason: ${result.errorMsg ?? "unknown"}`,
             priority: "urgent",
-            contextLinks: [],
             messageId: "",
             receivedAt: (/* @__PURE__ */ new Date()).toISOString()
           });
@@ -3424,7 +4018,6 @@ Question: ${help.question}
 Blocked reason: ${help.blockedReason}${help.suggestedOptions?.length ? `
 Suggested options: ${help.suggestedOptions.join(", ")}` : ""}`,
           priority: "urgent",
-          contextLinks: [],
           messageId: "",
           receivedAt: (/* @__PURE__ */ new Date()).toISOString()
         });
@@ -3726,8 +4319,6 @@ ${Object.entries(task.dispatchContext).map(([key, value]) => `  - ${key}: ${valu
           task.threadContextText ? `${task.threadContextText}` : "",
           task.bodyText ? `Latest user message:
 ${task.bodyText}` : "",
-          task.contextLinks.length ? `Context Links:
-${task.contextLinks.map((l) => `  - ${l}`).join("\n")}` : "",
           task.expiresAt ? `Expires: ${task.expiresAt}` : `Expires: none`,
           `Received: ${task.receivedAt}`,
           otherActionableTasks.length > 0 ? `
@@ -3768,8 +4359,6 @@ ${task.contextLinks.map((l) => `  - ${l}`).join("\n")}` : "",
           task.threadContextText ? `${task.threadContextText}` : "",
           task.bodyText ? `Description:
 ${task.bodyText}` : "",
-          task.contextLinks.length ? `Context Links:
-${task.contextLinks.map((l) => `  - ${l}`).join("\n")}` : "",
           task.expiresAt ? `Expires: ${task.expiresAt}` : `Expires: none`,
           `Received: ${task.receivedAt}`,
           otherActionableTasks.length > 0 ? `
@@ -4091,6 +4680,14 @@ ${lines.join("\n")}`
         };
       }
     }, { name: "aamp_pending_tasks" });
+    api.registerTool({
+      name: "aamp_pairing_code",
+      description: "Generate a fresh five-minute AAMP pairing code for this OpenClaw agent and show a QR code. Use this when the user asks to pair AAMP App or another AAMP runtime with this agent.",
+      parameters: { type: "object", properties: {} },
+      execute: async () => ({
+        content: [{ type: "text", text: await renderPairingCodeForCurrentAgent() }]
+      })
+    }, { name: "aamp_pairing_code" });
     api.registerTool({
       name: "aamp_cancel_task",
       description: "Cancel a pending AAMP task and notify the dispatcher.",
@@ -4138,11 +4735,6 @@ ${lines.join("\n")}`
           parentTaskId: { type: "string", description: "If you are processing a pending AAMP task, pass its Task ID here to establish parent-child nesting. Omit for top-level tasks." },
           priority: { type: "string", enum: ["urgent", "high", "normal"], description: "Task priority (optional)" },
           expiresAt: { type: "string", description: "Absolute expiry time in ISO 8601 format (optional)" },
-          contextLinks: {
-            type: "array",
-            items: { type: "string" },
-            description: "URLs providing context (optional)"
-          },
           attachments: {
             type: "array",
             description: "File attachments. Each item: { filename, contentType, path (local file path) }",
@@ -4177,7 +4769,6 @@ ${lines.join("\n")}`
             parentTaskId: params.parentTaskId,
             priority: params.priority,
             expiresAt: params.expiresAt,
-            contextLinks: params.contextLinks,
             attachments
           });
           dispatchedSubtasks.set(result.taskId, {
@@ -4207,17 +4798,9 @@ ${lines.join("\n")}`
               const dir = "/tmp/aamp-files";
               ensureDir(dir);
               const downloaded = [];
-              const base = baseUrl(cfg.aampHost);
-              const identity = loadCachedIdentity(cfg.credentialsFile ?? defaultCredentialsPath());
-              const authHeader = identity ? `Basic ${Buffer.from(identity.email + ":" + identity.smtpPassword).toString("base64")}` : "";
               for (const att of r.attachments) {
                 try {
-                  const dlUrl = `${base}/jmap/download/n/${encodeURIComponent(att.blobId)}/${encodeURIComponent(att.filename)}?accept=application/octet-stream`;
-                  api.logger.info(`[AAMP] Fetching ${dlUrl}`);
-                  const dlRes = await fetch(dlUrl, { headers: { Authorization: authHeader } });
-                  if (!dlRes.ok)
-                    throw new Error(`HTTP ${dlRes.status}`);
-                  const buffer = Buffer.from(await dlRes.arrayBuffer());
+                  const buffer = await aampClient.downloadBlob(att.blobId, att.filename);
                   const filepath = `${dir}/${att.filename}`;
                   writeBinaryFile(filepath, buffer);
                   downloaded.push(`${att.filename} (${(buffer.length / 1024).toFixed(1)} KB) \u2192 ${filepath}`);
@@ -4289,18 +4872,10 @@ Question: ${h.question}`,
           return { content: [{ type: "text", text: "Error: email parameter is required" }] };
         }
         try {
-          const discoveryRes = await fetch(`${base}/.well-known/aamp`);
-          if (!discoveryRes.ok)
-            throw new Error(`HTTP ${discoveryRes.status}`);
-          const discovery = await discoveryRes.json();
-          const apiUrl = discovery.api?.url;
-          if (!apiUrl)
-            throw new Error("AAMP discovery did not return api.url");
-          const apiBase = new URL(apiUrl, `${base}/`).toString();
-          const res = await fetch(`${apiBase}?action=aamp.mailbox.check&email=${encodeURIComponent(email)}`);
-          if (!res.ok)
-            throw new Error(`HTTP ${res.status}`);
-          const data = await res.json();
+          const data = await AampClient.checkMailbox({
+            aampHost: base,
+            email
+          });
           return {
             content: [{
               type: "text",
@@ -4374,6 +4949,15 @@ Question: ${h.question}`,
         };
       }
     });
+    api.registerCommand({
+      name: "aamp-pair",
+      description: "Show a fresh AAMP pairing QR code for this OpenClaw agent",
+      acceptsArgs: false,
+      requireAuth: false,
+      handler: async () => ({
+        text: await renderPairingCodeForCurrentAgent()
+      })
+    });
   }
 };
 export {