agent-messenger 2.2.0 → 2.3.0

package/skills/agent-slackbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-slackbot
 description: Interact with Slack workspaces using bot tokens - send messages, read channels, manage reactions
-version: 2.2.0
+version: 2.3.0
 allowed-tools: Bash(agent-slackbot:*)
 metadata:
   openclaw:

package/skills/agent-teams/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-teams
 description: Interact with Microsoft Teams - send messages, read channels, manage reactions
-version: 2.2.0
+version: 2.3.0
 allowed-tools: Bash(agent-teams:*)
 metadata:
   openclaw:

package/skills/agent-telegram/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegram
 description: Interact with Telegram through TDLib - authenticate, inspect chats, and send messages
-version: 2.2.0
+version: 2.3.0
 allowed-tools: Bash(agent-telegram:*)
 ---
 

package/skills/agent-webex/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-webex
 description: Interact with Cisco Webex - send messages, read spaces, manage memberships
-version: 2.2.0
+version: 2.3.0
 allowed-tools: Bash(agent-webex:*)
 metadata:
   openclaw:

package/skills/agent-webex/references/authentication.md

@@ -4,7 +4,7 @@
 
 agent-webex supports four authentication methods against the Webex REST API (`https://webexapis.com/v1`):
 
-1. **Browser Token Extraction**: Extracts your first-party token from a Chromium browser where you're logged into web.webex.com. Currently supports read operations (spaces, members, auth). Zero-config.
+1. **Browser Token Extraction**: Extracts your first-party token and cached encryption keys from a Chromium browser where you're logged into web.webex.com. Supports all operations including encrypted messaging via the internal API. Zero-config.
 2. **OAuth Device Grant** (recommended for messaging): Zero-config. Run `auth login`, approve in browser, done. Tokens refresh automatically. Supports all operations including sending messages (shows "via agent-messenger").
 3. **Bot Token**: Pass via `auth login --token`. Never expires. Best for CI/CD.
 4. **Personal Access Token (PAT)**: Pass via `auth login --token`. Expires in 12 hours. For quick testing.
@@ -13,12 +13,13 @@ agent-webex supports four authentication methods against the Webex REST API (`ht
 
 ### Browser Token Extraction
 
-Extracts your first-party Webex session token from a Chromium-based browser where you're logged into web.webex.com. Currently supports read operations (authentication, listing spaces/members, snapshots). Sending messages via the REST API is not yet supported because the web client's token lacks `spark:messages_write` scope — the web client uses internal Cisco APIs for messaging instead.
+Extracts your first-party Webex session token from a Chromium-based browser where you're logged into web.webex.com. Supports full messaging with end-to-end encryption. The extracted token uses Webex's internal conversation API for sending messages. Encryption keys are also extracted from the browser's cached KMS key store, enabling client-side JWE encryption so messages appear as encrypted in the Webex client.
 
-- **How it works**: Run `agent-webex auth extract`. The CLI scans Chromium browser profiles for Webex localStorage data (LevelDB files). It finds the `webex-storage` key containing `Credentials.@.supertoken` and extracts the access token. No browser automation, no password prompts.
+- **How it works**: Run `agent-webex auth extract`. The CLI scans Chromium browser profiles for Webex localStorage data (LevelDB files). It finds the `webex-storage` key containing `Credentials.@.supertoken` and extracts the access token. It also extracts `userId` from the Device namespace and cached KMS encryption keys from the unbounded storage — these keys enable end-to-end encrypted messaging via the internal API. No browser automation, no password prompts.
 - **Supported browsers**: Chrome, Chrome Canary, Edge, Arc, Brave, Vivaldi, Chromium
 - **Token lifetime**: Depends on Webex session policy (typically hours to days). Re-extract when expired.
 - **Auto-extraction**: The CLI attempts browser extraction automatically when no valid token is stored, so you often don't need to run `auth extract` manually.
+- **End-to-end encryption**: When encryption keys are found in the browser's cache, messages are encrypted client-side (JWE with AES-256-GCM) before sending via the internal conversation API. This ensures messages appear as encrypted in the Webex client. If no keys are found (e.g., the conversation hasn't been opened in the browser), messages fall back to plaintext.
 - **Best for**: Interactive use, sending messages as yourself without the "via" label
 
 ```bash

package/skills/agent-webex/references/common-patterns.md

@@ -28,7 +28,7 @@ agent-webex auth login --token "YOUR_BOT_TOKEN_HERE"
 agent-webex auth login --token "YOUR_PAT_HERE"
 ```
 
-**When to use**: Before any other command, if not already authenticated. Browser extraction is preferred — it auto-runs when no valid token is stored.
+**When to use**: Before any other command, if not already authenticated. Browser extraction is preferred — it auto-runs when no valid token is stored. It also extracts cached KMS encryption keys from the browser, enabling end-to-end encrypted messaging via the internal API.
 
 ### Pattern 2: Check Auth Status
 

package/skills/agent-whatsapp/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsapp
 description: Interact with WhatsApp - send messages, read chats, manage conversations
-version: 2.2.0
+version: 2.3.0
 allowed-tools: Bash(agent-whatsapp:*)
 metadata:
   openclaw:

package/skills/agent-whatsappbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsappbot
 description: Interact with WhatsApp using Cloud API credentials - send messages, manage templates
-version: 2.2.0
+version: 2.3.0
 allowed-tools: Bash(agent-whatsappbot:*)
 metadata:
   openclaw:

package/src/platforms/line/client.ts

@@ -2,13 +2,34 @@ import { mkdirSync } from 'node:fs'
 import { homedir } from 'node:os'
 import { join } from 'node:path'
 
-import {
-  loginWithQR as linejsLoginWithQR,
-  loginWithPassword as linejsLoginWithPassword,
-  loginWithAuthToken as linejsLoginWithAuthToken,
-  type Client,
-} from '@evex/linejs'
-import { FileStorage } from '@evex/linejs/storage'
+type LinejsModule = typeof import('@evex/linejs')
+type LinejsStorageModule = typeof import('@evex/linejs/storage')
+type Client = Awaited<ReturnType<LinejsModule['loginWithQR']>>
+
+let cachedLinejs: LinejsModule | undefined
+let cachedLinejsStorage: LinejsStorageModule | undefined
+
+const INSTALL_HINT = '@evex/linejs is required for LINE support. Install it with: bun add @evex/linejs@npm:@jsr/evex__linejs'
+
+async function getLinejs(): Promise<LinejsModule> {
+  if (cachedLinejs) return cachedLinejs
+  try {
+    cachedLinejs = await import('@evex/linejs')
+    return cachedLinejs
+  } catch {
+    throw new Error(INSTALL_HINT)
+  }
+}
+
+async function getLinejsStorage(): Promise<LinejsStorageModule> {
+  if (cachedLinejsStorage) return cachedLinejsStorage
+  try {
+    cachedLinejsStorage = await import('@evex/linejs/storage')
+    return cachedLinejsStorage
+  } catch {
+    throw new Error(INSTALL_HINT)
+  }
+}
 
 import { LineCredentialManager } from './credential-manager'
 import type {
@@ -40,7 +61,8 @@ function getDefaultDevice(): LineDevice {
   return 'ANDROIDSECONDARY'
 }
 
-function createStorage(accountId?: string): FileStorage {
+async function createStorage(accountId?: string) {
+  const { FileStorage } = await getLinejsStorage()
   const dir = join(homedir(), '.config', 'agent-messenger', 'line-storage')
   mkdirSync(dir, { recursive: true })
   return new FileStorage(join(dir, `${accountId ?? 'default'}.json`))
@@ -60,10 +82,11 @@ export class LineClient {
     onPincode: (pin: string) => void
   }): Promise<LineLoginResult> {
     try {
+      const linejs = await getLinejs()
       const device: LineDevice = options.device ?? getDefaultDevice()
-      const storage = createStorage()
+      const storage = await createStorage()
 
-      const client = await linejsLoginWithQR(
+      const client = await linejs.loginWithQR(
         {
           onReceiveQRUrl: (url) => options.onQRUrl(url),
           onPincodeRequest: (pin) => options.onPincode(pin),
@@ -103,10 +126,11 @@ export class LineClient {
     onPincode: (pin: string) => void
   }): Promise<LineLoginResult> {
     try {
+      const linejs = await getLinejs()
       const device: LineDevice = options.device ?? getDefaultDevice()
-      const storage = createStorage()
+      const storage = await createStorage()
 
-      const client = await linejsLoginWithPassword(
+      const client = await linejs.loginWithPassword(
         {
           email: options.email,
           password: options.password,
@@ -154,10 +178,11 @@ export class LineClient {
         creds = account
       }
 
+      const linejs = await getLinejs()
       const device: LineDevice = creds.device ?? getDefaultDevice()
-      const storage = createStorage()
+      const storage = await createStorage()
 
-      this.client = await linejsLoginWithAuthToken(creds.auth_token, { device, storage })
+      this.client = await linejs.loginWithAuthToken(creds.auth_token, { device, storage })
       return this
     } catch (error) {
       throw wrapError(error, 'login_failed')

package/src/platforms/webex/client.ts

@@ -1,6 +1,7 @@
 import type { WebexMembership, WebexMessage, WebexPerson, WebexSpace } from './types'
 import { WebexError } from './types'
 import { WebexCredentialManager } from './credential-manager'
+import { WebexEncryptionService } from './encryption'
 
 const BASE_URL = 'https://webexapis.com/v1'
 const MAX_RETRIES = 3
@@ -17,6 +18,7 @@ export class WebexClient {
   private tokenType: string | null = null
   private buckets: Map<string, RateLimitBucket> = new Map()
   private globalRateLimitUntil: number = 0
+  private encryption: WebexEncryptionService | null = null
 
   async login(credentials?: { token: string }): Promise<this> {
     if (credentials) {
@@ -40,7 +42,16 @@ export class WebexClient {
     }
     this.deviceUrl = config?.deviceUrl ?? null
     this.tokenType = config?.tokenType ?? null
-    return this.login({ token })
+    await this.login({ token })
+
+    if (this.tokenType === 'extracted' && config?.encryptionKeys) {
+      const keysMap = new Map(Object.entries(config.encryptionKeys))
+      if (keysMap.size > 0) {
+        this.encryption = new WebexEncryptionService(keysMap)
+      }
+    }
+
+    return this
   }
 
   private ensureAuth(): string {
@@ -210,7 +221,7 @@ export class WebexClient {
   private async internalRequest<T>(path: string, init?: RequestInit): Promise<T> {
     const response = await fetch(`${this.convBaseUrl}${path}`, {
       ...init,
-      headers: { ...this.internalHeaders, ...init?.headers as Record<string, string> },
+      headers: { ...this.internalHeaders, ...(init?.headers as Record<string, string>) },
     })
 
     if (!response.ok) {
@@ -225,35 +236,78 @@ export class WebexClient {
     return response.json() as Promise<T>
   }
 
-  private activityToMessage(a: InternalActivity, roomId: string): WebexMessage {
+  private async activityToMessage(a: InternalActivity, roomId: string): Promise<WebexMessage> {
+    let text = a.object?.content ?? a.object?.displayName
+
+    if (this.encryption && text?.startsWith('eyJ')) {
+      const keyUrl = a.encryptionKeyUrl ?? a.object?.encryptionKeyUrl
+      if (keyUrl) {
+        const decrypted = await this.encryption.decryptText(keyUrl, text)
+        if (decrypted !== null) {
+          text = decrypted
+        }
+      }
+    }
+
     return {
       id: a.id,
       roomId,
       roomType: 'group' as const,
-      text: a.object?.content ?? a.object?.displayName,
+      text,
       personId: a.actor?.entryUUID ?? a.actor?.id ?? '',
       personEmail: a.actor?.emailAddress ?? '',
       created: a.published,
     }
   }
 
+  private async buildEncryptedObject(
+    convUuid: string,
+    text: string,
+    options?: { markdown?: boolean },
+  ): Promise<{ object: Record<string, string>; encryptionKeyUrl?: string }> {
+    const buildObject = (content: string): Record<string, string> =>
+      options?.markdown
+        ? { objectType: 'comment', displayName: content, content, markdown: content }
+        : { objectType: 'comment', displayName: content, content }
+
+    if (this.encryption) {
+      const conv = await this.internalRequest<InternalConversation>(
+        `/conversations/${convUuid}?activitiesLimit=0&participantsLimit=0`,
+      )
+      const keyUri = conv.defaultActivityEncryptionKeyUrl
+      if (keyUri) {
+        const encrypted = await this.encryption.encryptText(keyUri, text)
+        if (encrypted) {
+          return { object: buildObject(encrypted), encryptionKeyUrl: keyUri }
+        }
+      }
+    }
+
+    return { object: buildObject(text) }
+  }
+
   private async sendMessageInternal(
     roomId: string,
     text: string,
     options?: { markdown?: boolean },
   ): Promise<WebexMessage> {
     const convUuid = this.decodeConvUuid(roomId)
-    const object = options?.markdown
-      ? { objectType: 'comment', displayName: text, content: text, markdown: text }
-      : { objectType: 'comment', displayName: text, content: text }
+    const { object, encryptionKeyUrl } = await this.buildEncryptedObject(convUuid, text, options)
+
+    const activity: Record<string, unknown> = {
+      verb: 'post',
+      object,
+      target: { id: convUuid, objectType: 'conversation' },
+      clientTempId: `tmp-${Date.now()}`,
+    }
+
+    if (encryptionKeyUrl) {
+      activity['encryptionKeyUrl'] = encryptionKeyUrl
+    }
+
     const result = await this.internalRequest<InternalActivity>('/activities', {
       method: 'POST',
-      body: JSON.stringify({
-        verb: 'post',
-        object,
-        target: { id: convUuid, objectType: 'conversation' },
-        clientTempId: `tmp-${Date.now()}`,
-      }),
+      body: JSON.stringify(activity),
     })
     return this.activityToMessage(result, roomId)
   }
@@ -297,9 +351,8 @@ export class WebexClient {
       const conv = await this.internalRequest<InternalConversation>(
         `/conversations/${convUuid}?activitiesLimit=${max}&participantsLimit=0`,
       )
-      return (conv.activities?.items ?? [])
-        .filter((a) => a.verb === 'post')
-        .map((a) => this.activityToMessage(a, roomId))
+      const activities = (conv.activities?.items ?? []).filter((a) => a.verb === 'post')
+      return Promise.all(activities.map((a) => this.activityToMessage(a, roomId)))
     }
     const params = new URLSearchParams()
     params.set('roomId', roomId)
@@ -312,7 +365,9 @@ export class WebexClient {
     if (this.useInternalAPI) {
       const activity = await this.internalRequest<InternalActivity>(`/activities/${messageId}`)
       const convId = activity.target?.id ?? ''
-      const roomId = convId ? Buffer.from(`ciscospark://urn:TEAM:unknown/ROOM/${convId}`).toString('base64') : ''
+      const roomId = convId
+        ? Buffer.from(`ciscospark://urn:TEAM:unknown/ROOM/${convId}`).toString('base64')
+        : ''
       return this.activityToMessage(activity, roomId)
     }
     return this.request<WebexMessage>('GET', `/messages/${messageId}`)
@@ -344,15 +399,23 @@ export class WebexClient {
   ): Promise<WebexMessage> {
     if (this.useInternalAPI) {
       const convUuid = this.decodeConvUuid(roomId)
+      const { object, encryptionKeyUrl } = await this.buildEncryptedObject(convUuid, text, options)
+
+      const activity: Record<string, unknown> = {
+        verb: 'post',
+        object,
+        target: { id: convUuid, objectType: 'conversation' },
+        parent: { id: messageId, type: 'edit' },
+        clientTempId: `tmp-${Date.now()}`,
+      }
+
+      if (encryptionKeyUrl) {
+        activity['encryptionKeyUrl'] = encryptionKeyUrl
+      }
+
       const result = await this.internalRequest<InternalActivity>('/activities', {
         method: 'POST',
-        body: JSON.stringify({
-          verb: 'post',
-          object: { objectType: 'comment', displayName: text, content: text },
-          target: { id: convUuid, objectType: 'conversation' },
-          parent: { id: messageId, type: 'edit' },
-          clientTempId: `tmp-${Date.now()}`,
-        }),
+        body: JSON.stringify(activity),
       })
       return this.activityToMessage(result, roomId)
     }
@@ -394,12 +457,21 @@ interface InternalActivity {
   id: string
   verb: string
   actor?: { displayName?: string; emailAddress?: string; entryUUID?: string; id?: string }
-  object?: { content?: string; displayName?: string; objectType?: string }
-  target?: { id: string }
+  object?: {
+    content?: string
+    displayName?: string
+    objectType?: string
+    encryptionKeyUrl?: string
+  }
+  target?: { id: string; encryptionKeyUrl?: string }
   published: string
+  encryptionKeyUrl?: string
 }
 
 interface InternalConversation {
   id: string
   activities?: { items: InternalActivity[] }
+  defaultActivityEncryptionKeyUrl?: string
+  kmsResourceObjectUrl?: string
+  encryptionKeyUrl?: string
 }

package/src/platforms/webex/commands/auth.ts

@@ -174,6 +174,10 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
       expiresAt: extracted.expiresAt ?? 0,
       tokenType: 'extracted',
       deviceUrl: extracted.deviceUrl,
+      userId: extracted.userId,
+      encryptionKeys: extracted.encryptionKeys
+        ? Object.fromEntries(extracted.encryptionKeys)
+        : undefined,
     })
 
     console.log(

package/src/platforms/webex/encryption.ts

@@ -0,0 +1,53 @@
+import * as jose from 'node-jose'
+
+export class WebexEncryptionService {
+  private rawKeys: Map<string, string>
+  private keyCache: Map<string, jose.JWK.Key> = new Map()
+
+  constructor(serializedKeys: Map<string, string>) {
+    this.rawKeys = serializedKeys
+  }
+
+  async getKey(keyUri: string): Promise<jose.JWK.Key | null> {
+    const cached = this.keyCache.get(keyUri)
+    if (cached) return cached
+
+    const raw = this.rawKeys.get(keyUri)
+    if (!raw) return null
+
+    try {
+      const parsed = JSON.parse(raw) as { jwk: object }
+      const joseKey = await jose.JWK.asKey(parsed.jwk)
+      this.keyCache.set(keyUri, joseKey)
+      return joseKey
+    } catch {
+      return null
+    }
+  }
+
+  async encryptText(keyUri: string, plaintext: string): Promise<string | null> {
+    const key = await this.getKey(keyUri)
+    if (!key) return null
+
+    try {
+      return await jose.JWE.createEncrypt(
+        { format: 'compact', contentAlg: 'A256GCM' },
+        { key, header: { alg: 'dir' }, reference: null },
+      ).final(plaintext, 'utf8')
+    } catch {
+      return null
+    }
+  }
+
+  async decryptText(keyUri: string, ciphertext: string): Promise<string | null> {
+    const key = await this.getKey(keyUri)
+    if (!key) return null
+
+    try {
+      const result = await jose.JWE.createDecrypt(key).decrypt(ciphertext)
+      return result.plaintext.toString('utf8')
+    } catch {
+      return null
+    }
+  }
+}

package/src/platforms/webex/ensure-auth.ts

@@ -31,6 +31,10 @@ export async function ensureWebexAuth(): Promise<void> {
       expiresAt: extracted.expiresAt ?? 0,
       tokenType: 'extracted',
       deviceUrl: extracted.deviceUrl,
+      userId: extracted.userId,
+      encryptionKeys: extracted.encryptionKeys
+        ? Object.fromEntries(extracted.encryptionKeys)
+        : undefined,
     })
   } catch {
     // Intentionally silent — best-effort preflight that should not block commands