agent-messenger 2.20.2 → 2.20.3

package/skills/agent-channeltalkbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-channeltalkbot
 description: Interact with Channel Talk workspaces using API credentials - send messages, read chats, manage groups and bots
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-channeltalkbot:*)
 metadata:
   openclaw:

package/skills/agent-discord/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-discord
 description: Interact with Discord servers - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-discord:*)
 metadata:
   openclaw:

package/skills/agent-discordbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-discordbot
 description: Interact with Discord servers using bot tokens - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-discordbot:*)
 metadata:
   openclaw:

package/skills/agent-instagram/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-instagram
 description: Interact with Instagram DMs - send messages, read conversations, manage accounts
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-instagram:*)
 metadata:
   openclaw:

package/skills/agent-kakaotalk/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-kakaotalk
 description: Interact with KakaoTalk - send messages, read chats, manage conversations
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-kakaotalk:*)
 metadata:
   openclaw:

package/skills/agent-line/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-line
 description: Interact with LINE - send messages, read chats, manage conversations
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-line:*)
 metadata:
   openclaw:

package/skills/agent-slack/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-slack
 description: Interact with Slack workspaces - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-slack:*)
 metadata:
   openclaw:

package/skills/agent-slackbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-slackbot
 description: Interact with Slack workspaces using bot tokens - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-slackbot:*)
 metadata:
   openclaw:

package/skills/agent-teams/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-teams
 description: Interact with Microsoft Teams - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-teams:*)
 metadata:
   openclaw:

package/skills/agent-telegram/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegram
 description: Interact with Telegram through TDLib - authenticate, inspect chats, and send messages
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-telegram:*)
 ---
 

package/skills/agent-telegrambot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegrambot
 description: Interact with Telegram using bot tokens - send messages, read chats, manage reactions
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-telegrambot:*)
 metadata:
   openclaw:

package/skills/agent-webex/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-webex
 description: Interact with Cisco Webex - send messages, read spaces, manage memberships
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-webex:*)
 metadata:
   openclaw:

package/skills/agent-webex/references/authentication.md

@@ -19,7 +19,7 @@ Extracts your first-party Webex session token from a Chromium-based browser wher
 - **Supported browsers**: Chrome, Chrome Canary, Edge, Arc, Brave, Vivaldi, Chromium
 - **Token lifetime**: Depends on Webex session policy (typically hours to days). Re-extract when expired.
 - **Auto-extraction**: The CLI attempts browser extraction automatically when no valid token is stored, so you often don't need to run `auth extract` manually.
-- **End-to-end encryption**: When encryption keys are found in the browser's cache, messages are encrypted client-side (JWE with AES-256-GCM) before sending via the internal conversation API. This ensures messages appear as encrypted in the Webex client. If no keys are found (e.g., the conversation hasn't been opened in the browser), messages fall back to plaintext.
+- **End-to-end encryption**: Messages are encrypted client-side (JWE with AES-256-GCM) before sending via the internal conversation API, so they appear as encrypted in the Webex client. Keys cached from the browser are used directly; for an end-to-end encrypted conversation whose key was not cached at extract time, the key is fetched on demand over the Mercury websocket + KMS flow and persisted for reuse. Only non-encrypted conversations are sent as plaintext.
 - **Best for**: Interactive use, sending messages as yourself without the "via" label
 
 ```bash

package/skills/agent-wechatbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-wechatbot
 description: Interact with WeChat Official Account using API credentials - send messages, manage templates, list followers
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-wechatbot:*)
 metadata:
   openclaw:

package/skills/agent-whatsapp/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsapp
 description: Interact with WhatsApp - send messages, read chats, manage conversations
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-whatsapp:*)
 metadata:
   openclaw:

package/skills/agent-whatsappbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsappbot
 description: Interact with WhatsApp using Cloud API credentials - send messages, manage templates
-version: 2.20.2
+version: 2.20.3
 allowed-tools: Bash(agent-whatsappbot:*)
 metadata:
   openclaw:

package/src/platforms/webex/client.ts

@@ -1,7 +1,8 @@
 import { WebexCredentialManager } from './credential-manager'
 import { WebexEncryptionService } from './encryption'
+import { KmsKeyProvider } from './kms-key-provider'
 import { escapeHtml, markdownToHtml, stripMarkdown } from './markdown-to-html'
-import type { WebexMembership, WebexMessage, WebexPerson, WebexSpace } from './types'
+import type { WebexConfig, WebexMembership, WebexMessage, WebexPerson, WebexSpace } from './types'
 import { WebexError } from './types'
 
 const BASE_URL = 'https://webexapis.com/v1'
@@ -44,16 +45,40 @@ export class WebexClient {
     this.tokenType = config?.tokenType ?? null
     await this.login({ token })
 
-    if (this.tokenType === 'extracted' && config?.encryptionKeys) {
-      const keysMap = new Map(Object.entries(config.encryptionKeys))
-      if (keysMap.size > 0) {
-        this.encryption = new WebexEncryptionService(keysMap)
-      }
+    if (this.tokenType === 'extracted') {
+      const keysMap = new Map(Object.entries(config?.encryptionKeys ?? {}))
+      this.encryption = new WebexEncryptionService(keysMap)
+      const kmsProvider = new KmsKeyProvider({ token })
+      this.encryption.setKeyProvider({
+        fetchKey: async (keyUri: string) => {
+          const serializedKey = await kmsProvider.fetchKey(keyUri)
+          if (serializedKey) {
+            await this.persistEncryptionKey(credManager, keyUri, serializedKey)
+          }
+          return serializedKey
+        },
+        close: () => kmsProvider.close(),
+      })
     }
 
     return this
   }
 
+  async dispose(): Promise<void> {
+    await this.encryption?.close()
+  }
+
+  private async persistEncryptionKey(
+    credManager: WebexCredentialManager,
+    keyUri: string,
+    serializedKey: string,
+  ): Promise<void> {
+    const latestConfig = await credManager.loadConfig()
+    if (!latestConfig) return
+    const encryptionKeys = { ...latestConfig.encryptionKeys, [keyUri]: serializedKey }
+    await credManager.saveConfig({ ...latestConfig, encryptionKeys } satisfies WebexConfig)
+  }
+
   private ensureAuth(): string {
     if (this.token === null) {
       throw new WebexError('Not authenticated. Call .login() first.', 'not_authenticated')
@@ -287,6 +312,9 @@ export class WebexClient {
       if (keyUri) {
         const encryptedDisplayName = await this.encryption.encryptText(keyUri, displayName)
         const encryptedContent = content ? await this.encryption.encryptText(keyUri, content) : undefined
+        if (content && !encryptedContent) {
+          throw new WebexError('Cannot encrypt message for Webex E2E conversation', 'encryption_failed')
+        }
         if (encryptedDisplayName) {
           const object: Record<string, string> = {
             objectType: 'comment',
@@ -297,6 +325,7 @@ export class WebexClient {
           }
           return { object, encryptionKeyUrl: keyUri }
         }
+        throw new WebexError('Cannot encrypt message for Webex E2E conversation', 'encryption_failed')
       }
     }
 

package/src/platforms/webex/commands/message.test.ts

@@ -32,6 +32,7 @@ let mockGetMessage: ReturnType<typeof spyOn>
 let mockDeleteMessage: ReturnType<typeof spyOn>
 let mockEditMessage: ReturnType<typeof spyOn>
 let mockLogin: ReturnType<typeof spyOn>
+let mockDispose: ReturnType<typeof spyOn>
 let consoleLogSpy: ReturnType<typeof spyOn>
 let consoleErrorSpy: ReturnType<typeof spyOn>
 let processExitSpy: ReturnType<typeof spyOn>
@@ -47,6 +48,7 @@ beforeEach(() => {
   mockLogin = protoSpy('login').mockImplementation(async function (this: WebexClient) {
     return this
   })
+  mockDispose = protoSpy('dispose').mockResolvedValue(undefined)
   mockSendMessage = protoSpy('sendMessage').mockResolvedValue(mockMessage)
   mockSendDirectMessage = protoSpy('sendDirectMessage').mockResolvedValue(mockMessage)
   mockListMessages = protoSpy('listMessages').mockResolvedValue([mockMessage, mockMessage2])
@@ -78,6 +80,7 @@ it('calls sendMessage with correct args and outputs result', async () => {
   expect(output).toContain('msg_123')
   expect(output).toContain('space_456')
   expect(output).toContain('user@example.com')
+  expect(mockDispose).toHaveBeenCalled()
 })
 
 it('passes markdown option when --markdown flag is set on send', async () => {
@@ -86,6 +89,14 @@ it('passes markdown option when --markdown flag is set on send', async () => {
   expect(mockSendMessage).toHaveBeenCalledWith('space_456', '**bold**', { markdown: true })
 })
 
+it('disposes the client when send fails', async () => {
+  mockSendMessage.mockRejectedValue(new WebexError('Send failed', 'send_failed'))
+
+  await sendAction('space_456', 'Hello world', { pretty: false })
+
+  expect(mockDispose).toHaveBeenCalled()
+})
+
 it('exits with code 1 when not authenticated on send', async () => {
   mockLogin.mockRejectedValue(new WebexError('No Webex credentials found.', 'no_credentials'))
 
@@ -166,6 +177,7 @@ it('calls editMessage with roomId in args and outputs result', async () => {
   const output = consoleLogSpy.mock.calls[0][0]
   expect(output).toContain('msg_123')
   expect(output).toContain('Updated message')
+  expect(mockDispose).toHaveBeenCalled()
 })
 
 it('passes markdown option to editMessage when --markdown flag is set', async () => {

package/src/platforms/webex/commands/message.ts

@@ -6,14 +6,23 @@ import { formatOutput } from '@/shared/utils/output'
 import { WebexClient } from '../client'
 import type { WebexMessage } from '../types'
 
+async function withWebexClient<T>(run: (client: WebexClient) => Promise<T>): Promise<T> {
+  const client = new WebexClient()
+  try {
+    await client.login()
+    return await run(client)
+  } finally {
+    await client.dispose()
+  }
+}
+
 export async function sendAction(
   spaceId: string,
   text: string,
   options: { markdown?: boolean; pretty?: boolean },
 ): Promise<void> {
   try {
-    const client = await new WebexClient().login()
-    const message = await client.sendMessage(spaceId, text, { markdown: options.markdown })
+    const message = await withWebexClient((client) => client.sendMessage(spaceId, text, { markdown: options.markdown }))
 
     const output = {
       id: message.id,
@@ -31,9 +40,8 @@ export async function sendAction(
 
 export async function listAction(spaceId: string, options: { limit?: number; pretty?: boolean }): Promise<void> {
   try {
-    const client = await new WebexClient().login()
     const limit = options.limit ?? 50
-    const messages = await client.listMessages(spaceId, { max: limit })
+    const messages = await withWebexClient((client) => client.listMessages(spaceId, { max: limit }))
 
     const output = messages.map((msg: WebexMessage) => ({
       id: msg.id,
@@ -51,8 +59,7 @@ export async function listAction(spaceId: string, options: { limit?: number; pre
 
 export async function getAction(messageId: string, options: { pretty?: boolean }): Promise<void> {
   try {
-    const client = await new WebexClient().login()
-    const message = await client.getMessage(messageId)
+    const message = await withWebexClient((client) => client.getMessage(messageId))
 
     const output = {
       id: message.id,
@@ -75,8 +82,7 @@ export async function deleteAction(messageId: string, options: { force?: boolean
       return process.exit(0)
     }
 
-    const client = await new WebexClient().login()
-    await client.deleteMessage(messageId)
+    await withWebexClient((client) => client.deleteMessage(messageId))
 
     console.log(formatOutput({ deleted: messageId }, options.pretty))
   } catch (error) {
@@ -91,10 +97,11 @@ export async function editAction(
   options: { markdown?: boolean; pretty?: boolean },
 ): Promise<void> {
   try {
-    const client = await new WebexClient().login()
-    const message = await client.editMessage(messageId, spaceId, text, {
-      markdown: options.markdown,
-    })
+    const message = await withWebexClient((client) =>
+      client.editMessage(messageId, spaceId, text, {
+        markdown: options.markdown,
+      }),
+    )
 
     const output = {
       id: message.id,
@@ -116,8 +123,9 @@ export async function dmAction(
   options: { markdown?: boolean; pretty?: boolean },
 ): Promise<void> {
   try {
-    const client = await new WebexClient().login()
-    const message = await client.sendDirectMessage(email, text, { markdown: options.markdown })
+    const message = await withWebexClient((client) =>
+      client.sendDirectMessage(email, text, { markdown: options.markdown }),
+    )
 
     const output = {
       id: message.id,

package/src/platforms/webex/encryption.test.ts

@@ -1,4 +1,4 @@
-import { describe, expect, it } from 'bun:test'
+import { describe, expect, it, mock } from 'bun:test'
 
 import * as jose from 'node-jose'
 
@@ -11,12 +11,16 @@ const decodeJweHeader = (jwe: string): Record<string, unknown> => {
   return JSON.parse(json) as Record<string, unknown>
 }
 
-const createKeyring = async (keyUri: string) => {
+const createSerializedKey = async (keyUri: string) => {
   const keystore = jose.JWK.createKeyStore()
   const key = await keystore.generate('oct', 256, { alg: 'A256GCM' })
   const jwk = key.toJSON(true)
+  return JSON.stringify({ uri: keyUri, jwk })
+}
+
+const createKeyring = async (keyUri: string) => {
   const rawKeys = new Map<string, string>()
-  rawKeys.set(keyUri, JSON.stringify({ jwk }))
+  rawKeys.set(keyUri, await createSerializedKey(keyUri))
   return new WebexEncryptionService(rawKeys)
 }
 
@@ -51,4 +55,55 @@ describe('WebexEncryptionService', () => {
 
     expect(plaintext).toBe('round trip')
   })
+
+  it('getKey returns cached key without calling provider when key is present', async () => {
+    const service = await createKeyring(keyUri)
+    const provider = { fetchKey: mock(async () => null as string | null) }
+    service.setKeyProvider(provider)
+
+    const key = await service.getKey(keyUri)
+
+    expect(key).not.toBeNull()
+    expect(provider.fetchKey).not.toHaveBeenCalled()
+  })
+
+  it('getKey calls provider and returns key when key is missing', async () => {
+    const missingKeyUri = 'kms://kms-aore.wbx2.com/keys/0d7a0dfb-0464-40ce-8f3d-e65a33b61561'
+    const serializedKey = await createSerializedKey(missingKeyUri)
+    const service = new WebexEncryptionService(new Map())
+    const provider = { fetchKey: mock(async () => serializedKey) }
+    service.setKeyProvider(provider)
+
+    const key = await service.getKey(missingKeyUri)
+
+    expect(key).not.toBeNull()
+    expect(provider.fetchKey).toHaveBeenCalledWith(missingKeyUri)
+  })
+
+  it('getKey returns null when provider returns null', async () => {
+    const missingKeyUri = 'kms://kms-aore.wbx2.com/keys/13d6256d-f7f1-4b98-8102-4d3d87b2834a'
+    const service = new WebexEncryptionService(new Map())
+    const provider = { fetchKey: mock(async () => null as string | null) }
+    service.setKeyProvider(provider)
+
+    const key = await service.getKey(missingKeyUri)
+
+    expect(key).toBeNull()
+    expect(provider.fetchKey).toHaveBeenCalledWith(missingKeyUri)
+  })
+
+  it('getKey reuses provider result from raw keys after first fetch', async () => {
+    const missingKeyUri = 'kms://kms-aore.wbx2.com/keys/84afb005-5ba5-49c8-bd46-0c5d7ddf1c30'
+    const serializedKey = await createSerializedKey(missingKeyUri)
+    const service = new WebexEncryptionService(new Map())
+    const provider = { fetchKey: mock(async () => serializedKey) }
+    service.setKeyProvider(provider)
+
+    await service.getKey(missingKeyUri)
+    ;(service as unknown as { keyCache: Map<string, jose.JWK.Key> }).keyCache.clear()
+    const key = await service.getKey(missingKeyUri)
+
+    expect(key).not.toBeNull()
+    expect(provider.fetchKey).toHaveBeenCalledTimes(1)
+  })
 })

package/src/platforms/webex/encryption.ts

@@ -1,23 +1,41 @@
 import * as jose from 'node-jose'
 
+export interface WebexKeyProvider {
+  fetchKey(keyUri: string): Promise<string | null>
+  close?(): Promise<void>
+}
+
 export class WebexEncryptionService {
   private rawKeys: Map<string, string>
   private keyCache: Map<string, jose.JWK.Key> = new Map()
+  private keyProvider: WebexKeyProvider | null = null
 
   constructor(serializedKeys: Map<string, string>) {
     this.rawKeys = serializedKeys
   }
 
+  setKeyProvider(provider: WebexKeyProvider): void {
+    this.keyProvider = provider
+  }
+
+  async close(): Promise<void> {
+    await this.keyProvider?.close?.()
+  }
+
   async getKey(keyUri: string): Promise<jose.JWK.Key | null> {
     const cached = this.keyCache.get(keyUri)
     if (cached) return cached
 
-    const raw = this.rawKeys.get(keyUri)
+    let raw = this.rawKeys.get(keyUri)
+    if (!raw && this.keyProvider) {
+      raw = (await this.keyProvider.fetchKey(keyUri)) ?? undefined
+    }
     if (!raw) return null
 
     try {
       const parsed = JSON.parse(raw) as { jwk: object }
       const joseKey = await jose.JWK.asKey(parsed.jwk)
+      this.rawKeys.set(keyUri, raw)
       this.keyCache.set(keyUri, joseKey)
       return joseKey
     } catch {

package/src/platforms/webex/kms-key-provider.ts

@@ -0,0 +1,99 @@
+import { DeviceManager, KmsClient, MercurySocket, noopLogger } from 'webex-message-handler'
+import WebSocket from 'ws'
+
+interface KmsKeyProviderOptions {
+  token: string
+  logger?: { debug(message: string): void }
+}
+
+interface Registration {
+  webSocketUrl: string
+  deviceUrl: string
+  userId: string
+  encryptionServiceUrl: string
+}
+
+type HttpRequest = {
+  url: string
+  method: string
+  headers: Record<string, string>
+  body?: string
+}
+
+export class KmsKeyProvider {
+  private token: string
+  private logger?: { debug(message: string): void }
+  private mercury: MercurySocket | null = null
+  private kms: KmsClient | null = null
+  private readyPromise: Promise<void> | null = null
+
+  constructor(options: KmsKeyProviderOptions) {
+    this.token = options.token
+    this.logger = options.logger
+  }
+
+  async fetchKey(keyUri: string): Promise<string | null> {
+    try {
+      await this.ensureReady()
+      const key = await this.kms?.getKey(keyUri)
+      if (!key) return null
+      return JSON.stringify({ uri: keyUri, jwk: key.toJSON(true) })
+    } catch (error) {
+      this.logger?.debug(`Webex KMS key fetch failed: ${error instanceof Error ? error.message : String(error)}`)
+      await this.close()
+      this.readyPromise = null
+      return null
+    }
+  }
+
+  async close(): Promise<void> {
+    await this.mercury?.disconnect().catch(() => undefined)
+    this.mercury = null
+    this.kms = null
+    this.readyPromise = null
+  }
+
+  private async ensureReady(): Promise<void> {
+    this.readyPromise ??= this.initialize()
+    await this.readyPromise
+  }
+
+  private async initialize(): Promise<void> {
+    const httpDo = async (req: HttpRequest) => {
+      const res = await fetch(req.url, {
+        method: req.method,
+        headers: req.headers,
+        body: req.body,
+      })
+      return {
+        status: res.status,
+        ok: res.ok,
+        json: () => res.json(),
+        text: () => res.text(),
+      }
+    }
+    const wsFactory = (url: string) => new WebSocket(url) as never
+    const dm = new DeviceManager({ logger: noopLogger, httpDo })
+    const reg = (await dm.register(this.token)) as Registration
+    const mercury = new MercurySocket({ logger: noopLogger, wsFactory })
+    const kms = new KmsClient({
+      token: this.token,
+      deviceUrl: reg.deviceUrl,
+      userId: reg.userId,
+      encryptionServiceUrl: reg.encryptionServiceUrl,
+      logger: noopLogger,
+      httpDo,
+    })
+    mercury.on('kms:response', (data: unknown) => kms.handleKmsMessage(data))
+    await mercury.connect(reg.webSocketUrl, this.token)
+    this.mercury = mercury
+    try {
+      await kms.initialize()
+    } catch (error) {
+      await mercury.disconnect().catch(() => undefined)
+      this.mercury = null
+      throw error
+    }
+    this.kms = kms
+  }
+}

package/src/platforms/webex/typings/webex-message-handler.d.ts

@@ -0,0 +1,45 @@
+export {}
+
+declare module 'webex-message-handler' {
+  import type * as jose from 'node-jose'
+
+  type Logger = Record<string, (...args: unknown[]) => void>
+  type HttpRequest = { url: string; method: string; headers: Record<string, string>; body?: string }
+  type HttpResponse = { status: number; ok: boolean; json(): Promise<unknown>; text(): Promise<string> }
+  type HttpDo = (req: HttpRequest) => Promise<HttpResponse>
+
+  export const noopLogger: Logger
+  export const consoleLogger: Logger
+
+  export class DeviceManager {
+    constructor(options: { logger: Logger; httpDo: HttpDo })
+    register(token: string): Promise<{
+      webSocketUrl: string
+      deviceUrl: string
+      userId: string
+      services: unknown
+      encryptionServiceUrl: string
+    }>
+  }
+
+  export class MercurySocket {
+    constructor(options: { logger: Logger; wsFactory: (url: string) => unknown })
+    on(event: 'kms:response', handler: (data: unknown) => void): void
+    connect(webSocketUrl: string, token: string): Promise<void>
+    disconnect(): Promise<void>
+  }
+
+  export class KmsClient {
+    constructor(options: {
+      token: string
+      deviceUrl: string
+      userId: string
+      encryptionServiceUrl: string
+      logger: Logger
+      httpDo: HttpDo
+    })
+    initialize(): Promise<void>
+    getKey(keyUri: string): Promise<jose.JWK.Key | null>
+    handleKmsMessage(data: unknown): void
+  }
+}