agent-messenger 2.2.0 → 2.4.0

package/src/platforms/webex/commands/space.test.ts

@@ -1,8 +1,14 @@
-import { afterEach, beforeEach, describe, expect, spyOn, test } from 'bun:test'
+import { afterAll, afterEach, beforeEach, describe, expect, mock, spyOn, test } from 'bun:test'
 
-import { WebexClient } from '../client'
 import { WebexError } from '../types'
-import { infoAction, listAction } from './space'
+
+const mockHandleError = mock((err: Error) => {
+  throw err
+})
+
+mock.module('@/shared/utils/error-handler', () => ({
+  handleError: mockHandleError,
+}))
 
 const mockSpaces = [
   {
@@ -36,54 +42,46 @@ const mockSpace = {
   creatorId: 'person-1',
 }
 
-let clientLoginSpy: ReturnType<typeof spyOn>
-let clientListSpacesSpy: ReturnType<typeof spyOn>
-let clientGetSpaceSpy: ReturnType<typeof spyOn>
-let consoleLogSpy: ReturnType<typeof spyOn>
-let consoleErrorSpy: ReturnType<typeof spyOn>
-let processExitSpy: ReturnType<typeof spyOn>
-let stderrOutput: string
-let origStderrWrite: typeof process.stderr.write
+const mockListSpaces = mock(() => Promise.resolve(mockSpaces))
+const mockGetSpace = mock(() => Promise.resolve(mockSpace))
+const mockLogin = mock(() => Promise.resolve({ listSpaces: mockListSpaces, getSpace: mockGetSpace }))
 
-beforeEach(() => {
-  clientLoginSpy = spyOn(WebexClient.prototype, 'login').mockResolvedValue(
-    new WebexClient() as InstanceType<typeof WebexClient>,
-  )
+mock.module('../client', () => ({
+  WebexClient: class {
+    login = mockLogin
+  },
+}))
 
-  clientListSpacesSpy = spyOn(WebexClient.prototype, 'listSpaces').mockResolvedValue(mockSpaces)
+import { infoAction, listAction } from './space'
 
-  clientGetSpaceSpy = spyOn(WebexClient.prototype, 'getSpace').mockResolvedValue(mockSpace)
+afterAll(() => {
+  mock.restore()
+})
 
-  consoleLogSpy = spyOn(console, 'log').mockImplementation(() => {})
-  consoleErrorSpy = spyOn(console, 'error').mockImplementation(() => {})
+let consoleLogSpy: ReturnType<typeof spyOn>
 
-  processExitSpy = spyOn(process, 'exit').mockImplementation((_code?: number) => {
-    throw new Error(`process.exit(${_code})`)
+beforeEach(() => {
+  mockListSpaces.mockReset().mockImplementation(() => Promise.resolve(mockSpaces))
+  mockGetSpace.mockReset().mockImplementation(() => Promise.resolve(mockSpace))
+  mockLogin.mockReset().mockImplementation(() =>
+    Promise.resolve({ listSpaces: mockListSpaces, getSpace: mockGetSpace }),
+  )
+  mockHandleError.mockReset().mockImplementation((err: Error) => {
+    throw err
   })
 
-  stderrOutput = ''
-  origStderrWrite = process.stderr.write
-  process.stderr.write = ((chunk: string | Uint8Array) => {
-    stderrOutput += typeof chunk === 'string' ? chunk : new TextDecoder().decode(chunk)
-    return true
-  }) as typeof process.stderr.write
+  consoleLogSpy = spyOn(console, 'log').mockImplementation(() => {})
 })
 
 afterEach(() => {
-  process.stderr.write = origStderrWrite
-  clientLoginSpy?.mockRestore()
-  clientListSpacesSpy?.mockRestore()
-  clientGetSpaceSpy?.mockRestore()
-  consoleLogSpy?.mockRestore()
-  consoleErrorSpy?.mockRestore()
-  processExitSpy?.mockRestore()
+  consoleLogSpy.mockRestore()
 })
 
 describe('listAction', () => {
   test('calls listSpaces and outputs mapped array', async () => {
     await listAction({})
 
-    expect(clientListSpacesSpy).toHaveBeenCalled()
+    expect(mockListSpaces).toHaveBeenCalled()
     expect(consoleLogSpy).toHaveBeenCalledWith(
       JSON.stringify([
         {
@@ -107,13 +105,13 @@ describe('listAction', () => {
   test('passes type and limit options to listSpaces', async () => {
     await listAction({ type: 'group', limit: 10 })
 
-    expect(clientListSpacesSpy).toHaveBeenCalledWith({ type: 'group', max: 10 })
+    expect(mockListSpaces).toHaveBeenCalledWith({ type: 'group', max: 10 })
   })
 
   test('passes undefined type and limit when not provided', async () => {
     await listAction({})
 
-    expect(clientListSpacesSpy).toHaveBeenCalledWith({ type: undefined, max: undefined })
+    expect(mockListSpaces).toHaveBeenCalledWith({ type: undefined, max: undefined })
   })
 
   test('outputs pretty-printed JSON when pretty is true', async () => {
@@ -144,12 +142,14 @@ describe('listAction', () => {
   })
 
   test('not authenticated: outputs error and exits', async () => {
-    clientLoginSpy.mockRejectedValue(new WebexError('No Webex credentials found.', 'no_credentials'))
+    mockLogin.mockImplementation(async () => {
+      throw new WebexError('No Webex credentials found.', 'no_credentials')
+    })
 
-    await expect(listAction({})).rejects.toThrow('process.exit(1)')
+    await expect(listAction({})).rejects.toThrow('No Webex credentials found.')
 
-    expect(clientListSpacesSpy).not.toHaveBeenCalled()
-    expect(stderrOutput).toContain('No Webex credentials found')
+    expect(mockListSpaces).not.toHaveBeenCalled()
+    expect(mockHandleError).toHaveBeenCalledWith(expect.any(WebexError))
   })
 })
 
@@ -157,7 +157,7 @@ describe('infoAction', () => {
   test('calls getSpace with spaceId and outputs space details', async () => {
     await infoAction('space-1', {})
 
-    expect(clientGetSpaceSpy).toHaveBeenCalledWith('space-1')
+    expect(mockGetSpace).toHaveBeenCalledWith('space-1')
     expect(consoleLogSpy).toHaveBeenCalledWith(
       JSON.stringify({
         id: 'space-1',
@@ -173,8 +173,7 @@ describe('infoAction', () => {
   })
 
   test('outputs null for teamId when not present', async () => {
-    const spaceWithoutTeam = { ...mockSpace, teamId: undefined }
-    clientGetSpaceSpy.mockResolvedValue(spaceWithoutTeam)
+    mockGetSpace.mockImplementation(() => Promise.resolve({ ...mockSpace, teamId: undefined }))
 
     await infoAction('space-1', {})
 
@@ -206,11 +205,13 @@ describe('infoAction', () => {
   })
 
   test('not authenticated: outputs error and exits', async () => {
-    clientLoginSpy.mockRejectedValue(new WebexError('No Webex credentials found.', 'no_credentials'))
+    mockLogin.mockImplementation(async () => {
+      throw new WebexError('No Webex credentials found.', 'no_credentials')
+    })
 
-    await expect(infoAction('space-1', {})).rejects.toThrow('process.exit(1)')
+    await expect(infoAction('space-1', {})).rejects.toThrow('No Webex credentials found.')
 
-    expect(clientGetSpaceSpy).not.toHaveBeenCalled()
-    expect(stderrOutput).toContain('No Webex credentials found')
+    expect(mockGetSpace).not.toHaveBeenCalled()
+    expect(mockHandleError).toHaveBeenCalledWith(expect.any(WebexError))
   })
 })

package/src/platforms/webex/encryption.ts

@@ -0,0 +1,53 @@
+import * as jose from 'node-jose'
+
+export class WebexEncryptionService {
+  private rawKeys: Map<string, string>
+  private keyCache: Map<string, jose.JWK.Key> = new Map()
+
+  constructor(serializedKeys: Map<string, string>) {
+    this.rawKeys = serializedKeys
+  }
+
+  async getKey(keyUri: string): Promise<jose.JWK.Key | null> {
+    const cached = this.keyCache.get(keyUri)
+    if (cached) return cached
+
+    const raw = this.rawKeys.get(keyUri)
+    if (!raw) return null
+
+    try {
+      const parsed = JSON.parse(raw) as { jwk: object }
+      const joseKey = await jose.JWK.asKey(parsed.jwk)
+      this.keyCache.set(keyUri, joseKey)
+      return joseKey
+    } catch {
+      return null
+    }
+  }
+
+  async encryptText(keyUri: string, plaintext: string): Promise<string | null> {
+    const key = await this.getKey(keyUri)
+    if (!key) return null
+
+    try {
+      return await jose.JWE.createEncrypt(
+        { format: 'compact', contentAlg: 'A256GCM' },
+        { key, header: { alg: 'dir' }, reference: null },
+      ).final(plaintext, 'utf8')
+    } catch {
+      return null
+    }
+  }
+
+  async decryptText(keyUri: string, ciphertext: string): Promise<string | null> {
+    const key = await this.getKey(keyUri)
+    if (!key) return null
+
+    try {
+      const result = await jose.JWE.createDecrypt(key).decrypt(ciphertext)
+      return result.plaintext.toString('utf8')
+    } catch {
+      return null
+    }
+  }
+}

package/src/platforms/webex/ensure-auth.ts

@@ -31,6 +31,10 @@ export async function ensureWebexAuth(): Promise<void> {
       expiresAt: extracted.expiresAt ?? 0,
       tokenType: 'extracted',
       deviceUrl: extracted.deviceUrl,
+      userId: extracted.userId,
+      encryptionKeys: extracted.encryptionKeys
+        ? Object.fromEntries(extracted.encryptionKeys)
+        : undefined,
     })
   } catch {
     // Intentionally silent — best-effort preflight that should not block commands

package/src/platforms/webex/token-extractor.ts

@@ -17,6 +17,8 @@ export interface ExtractedWebexToken {
   refreshToken?: string
   expiresAt?: number
   deviceUrl?: string
+  userId?: string
+  encryptionKeys?: Map<string, string>
 }
 
 interface BrowserConfig {
@@ -73,6 +75,11 @@ const BROWSERS: BrowserConfig[] = [
 
 const WEBEX_STORAGE_KEY = '_https://web.webex.com\x00\x01webex-web-client-bounded'
 
+interface ScanResult {
+  token: ExtractedWebexToken | null
+  encryptionKeys: Map<string, string>
+}
+
 export class WebexTokenExtractor {
   private platform: NodeJS.Platform
   private baseDir: string | null
@@ -169,11 +176,17 @@ export class WebexTokenExtractor {
     for (const leveldbDir of profileDirs) {
       this.debug(`Scanning: ${leveldbDir}`)
 
-      const token = await this.extractViaClassicLevelCopy(leveldbDir)
-        ?? this.extractFromRawFiles(leveldbDir)
+      const result = await this.scanViaClassicLevelCopy(leveldbDir)
+        ?? this.scanRawFiles(leveldbDir)
 
-      if (token) {
+      if (result?.token) {
         this.debug(`Found token in: ${leveldbDir}`)
+
+        const token = result.token
+        if (result.encryptionKeys.size > 0) {
+          token.encryptionKeys = result.encryptionKeys
+        }
+
         return token
       }
     }
@@ -182,7 +195,7 @@ export class WebexTokenExtractor {
     return null
   }
 
-  private async extractViaClassicLevelCopy(dbPath: string): Promise<ExtractedWebexToken | null> {
+  private async scanViaClassicLevelCopy(dbPath: string): Promise<ScanResult | null> {
     const tempDir = join(tmpdir(), `webex-leveldb-${Date.now()}-${Math.random().toString(36).slice(2)}`)
 
     try {
@@ -199,7 +212,7 @@ export class WebexTokenExtractor {
         } catch {}
       }
 
-      return await this.extractViaClassicLevel(tempDir)
+      return await this.copyAndScanLevelDB(tempDir)
     } catch {
       return null
     } finally {
@@ -209,8 +222,11 @@ export class WebexTokenExtractor {
     }
   }
 
-  private async extractViaClassicLevel(dbPath: string): Promise<ExtractedWebexToken | null> {
+  private async copyAndScanLevelDB(dbPath: string): Promise<ScanResult | null> {
     let db: ClassicLevel<string, Buffer> | null = null
+    let token: ExtractedWebexToken | null = null
+    const encryptionKeys = new Map<string, string>()
+
     try {
       db = new ClassicLevel(dbPath, { keyEncoding: 'utf8', valueEncoding: 'buffer' })
 
@@ -218,13 +234,21 @@ export class WebexTokenExtractor {
         if (!key.includes('web.webex.com')) continue
 
         const decoded = this.decodeLevelDBValue(value)
-        if (!decoded.includes('"supertoken"') && !decoded.includes('"Credentials"')) continue
 
-        const token = this.extractTokenFromString(decoded)
-        if (token) return token
+        if (!token && (decoded.includes('"supertoken"') || decoded.includes('"Credentials"'))) {
+          token = this.extractTokenFromString(decoded)
+        }
+
+        if (decoded.includes('"Encryption"') && decoded.includes('kms://')) {
+          const found = this.extractEncryptionKeysFromString(decoded)
+          for (const [uri, keyStr] of found) {
+            encryptionKeys.set(uri, keyStr)
+          }
+        }
       }
     } catch (e) {
       this.debug(`ClassicLevel failed: ${e instanceof Error ? e.message : String(e)}`)
+      return null
     } finally {
       if (db) {
         try {
@@ -232,22 +256,15 @@ export class WebexTokenExtractor {
         } catch {}
       }
     }
-    return null
-  }
 
-  private decodeLevelDBValue(buf: Buffer): string {
-    if (buf.length < 2) return buf.toString('utf8')
-    // Chromium localStorage: 0x00 prefix = UTF-16LE, 0x01 prefix = Latin1/UTF-8
-    if (buf[0] === 0x00 && (buf.length - 1) % 2 === 0) {
-      return buf.subarray(1).toString('utf16le')
-    }
-    if (buf[0] === 0x01) {
-      return buf.subarray(1).toString('utf8')
-    }
-    return buf.toString('utf8')
+    if (!token) return null
+    return { token, encryptionKeys }
   }
 
-  private extractFromRawFiles(leveldbDir: string): ExtractedWebexToken | null {
+  private scanRawFiles(leveldbDir: string): ScanResult | null {
+    let token: ExtractedWebexToken | null = null
+    const encryptionKeys = new Map<string, string>()
+
     try {
       const files = readdirSync(leveldbDir)
 
@@ -265,32 +282,48 @@ export class WebexTokenExtractor {
         })
 
       for (const file of sorted) {
-        const token = this.extractFromFile(join(leveldbDir, file))
-        if (token) return token
+        const filePath = join(leveldbDir, file)
+        try {
+          const stat = statSync(filePath)
+          if (stat.size > 50 * 1024 * 1024) continue
+
+          const buffer = readFileSync(filePath)
+          const candidates = [buffer.toString('utf8'), this.stripNullBytes(buffer)]
+
+          for (const content of candidates) {
+            if (!token && (content.includes('"supertoken"') || content.includes('"Credentials"'))) {
+              token = this.extractTokenFromString(content)
+            }
+
+            if (content.includes('"Encryption"') && content.includes('kms://')) {
+              const found = this.extractEncryptionKeysFromString(content)
+              for (const [uri, keyStr] of found) {
+                encryptionKeys.set(uri, keyStr)
+              }
+            }
+          }
+        } catch {
+          // Skip unreadable files
+        }
       }
     } catch {
       this.debug(`Failed to read directory: ${leveldbDir}`)
     }
 
-    return null
+    if (!token) return null
+    return { token, encryptionKeys }
   }
 
-  private extractFromFile(filePath: string): ExtractedWebexToken | null {
-    try {
-      const stat = statSync(filePath)
-      if (stat.size > 50 * 1024 * 1024) return null
-
-      const buffer = readFileSync(filePath)
-      return this.extractTokenFromBuffer(buffer)
-    } catch {
-      return null
+  private decodeLevelDBValue(buf: Buffer): string {
+    if (buf.length < 2) return buf.toString('utf8')
+    // Chromium localStorage: 0x00 prefix = UTF-16LE, 0x01 prefix = Latin1/UTF-8
+    if (buf[0] === 0x00 && (buf.length - 1) % 2 === 0) {
+      return buf.subarray(1).toString('utf16le')
     }
-  }
-
-  private extractTokenFromBuffer(buffer: Buffer): ExtractedWebexToken | null {
-    // Try UTF-8 first, then strip null bytes for Chromium's UTF-16LE localStorage encoding
-    return this.extractTokenFromString(buffer.toString('utf8'))
-      ?? this.extractTokenFromString(this.stripNullBytes(buffer))
+    if (buf[0] === 0x01) {
+      return buf.subarray(1).toString('utf8')
+    }
+    return buf.toString('utf8')
   }
 
   private stripNullBytes(buffer: Buffer): string {
@@ -385,9 +418,43 @@ export class WebexTokenExtractor {
         result.deviceUrl = deviceUrl
       }
 
+      const userId = data?.Device?.['@']?.userId ?? null
+      if (userId && typeof userId === 'string') {
+        result.userId = userId
+      }
+
       return result
     } catch {
       return null
     }
   }
+
+  private extractEncryptionKeysFromString(content: string): Map<string, string> {
+    const keys = new Map<string, string>()
+
+    if (!content.includes('"Encryption"') || !content.includes('kms://')) {
+      return keys
+    }
+
+    // Values in the Encryption map are double-encoded: a kms:// URI key maps to a
+    // JSON string whose content is the serialized key object {"uri":..., "jwk":{...}}.
+    // Pattern: "kms://..." : "{\"uri\":...,\"jwk\":{...}}"
+    const kmsPattern = /"(kms:\/\/[^"]+)"\s*:\s*("(?:[^"\\]|\\.)*")/g
+    let match: RegExpExecArray | null
+
+    while ((match = kmsPattern.exec(content)) !== null) {
+      const uri = match[1]!
+      const rawValue = match[2]!
+      try {
+        const innerStr = JSON.parse(rawValue) as unknown
+        if (typeof innerStr !== 'string') continue
+        const keyObj = JSON.parse(innerStr) as Record<string, unknown>
+        if (keyObj?.jwk) {
+          keys.set(uri, innerStr)
+        }
+      } catch {}
+    }
+
+    return keys
+  }
 }

package/src/platforms/webex/types.ts

@@ -57,6 +57,8 @@ export interface WebexConfig {
   clientSecret?: string
   tokenType?: 'oauth' | 'manual' | 'extracted'
   deviceUrl?: string
+  userId?: string
+  encryptionKeys?: Record<string, string>
 }
 
 export class WebexError extends Error {
@@ -126,4 +128,6 @@ export const WebexConfigSchema = z.object({
   clientSecret: z.string().optional(),
   tokenType: z.enum(['oauth', 'manual', 'extracted']).optional(),
   deviceUrl: z.string().optional(),
+  userId: z.string().optional(),
+  encryptionKeys: z.record(z.string(), z.string()).optional(),
 })

package/src/platforms/webex/typings/node-jose.d.ts

@@ -0,0 +1,27 @@
+export {}
+
+declare module 'node-jose' {
+  namespace JWE {
+    interface JWERecipient {
+      key: JWK.Key
+      header?: Record<string, string | null>
+      reference?: string | null | boolean
+    }
+
+    function createEncrypt(options: EncryptOptions, recipient: JWERecipient): Encryptor
+
+    interface Encryptor {
+      final(data: string | Buffer, encoding?: BufferEncoding): Promise<string>
+    }
+
+    function createDecrypt(key: JWK.Key): Decryptor
+
+    interface Decryptor {
+      decrypt(input: string | Buffer): Promise<DecryptResult>
+    }
+
+    interface DecryptResult {
+      plaintext: Buffer
+    }
+  }
+}

package/src/platforms/wechatbot/cli.ts

@@ -0,0 +1,24 @@
+#!/usr/bin/env bun
+
+import { Command } from 'commander'
+
+import pkg from '../../../package.json' with { type: 'json' }
+import { authCommand, messageCommand, templateCommand, userCommand } from './commands/index'
+
+const program = new Command()
+
+program
+  .name('agent-wechatbot')
+  .description('CLI tool for WeChat Official Account bot integration')
+  .version(pkg.version)
+  .option('--pretty', 'Pretty-print JSON output')
+  .option('--account <id>', 'Account ID to use')
+
+program.addCommand(authCommand)
+program.addCommand(messageCommand)
+program.addCommand(templateCommand)
+program.addCommand(userCommand)
+
+program.parseAsync(process.argv)
+
+export default program