agent-messenger 2.20.2 → 2.20.4

package/dist/src/platforms/webex/kms-key-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-key-provider.js","sourceRoot":"","sources":["../../../../src/platforms/webex/kms-key-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAC3F,OAAO,SAAS,MAAM,IAAI,CAAA;AAqB1B,MAAM,OAAO,cAAc;IACjB,KAAK,CAAQ;IACb,MAAM,CAAmC;IACzC,OAAO,GAAyB,IAAI,CAAA;IACpC,GAAG,GAAqB,IAAI,CAAA;IAC5B,YAAY,GAAyB,IAAI,CAAA;IAEjD,YAAY,OAA8B;QACxC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAA;QAC1B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAA;IAC9B,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAAc;QAC3B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,WAAW,EAAE,CAAA;YACxB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,CAAA;YAC1C,IAAI,CAAC,GAAG;gBAAE,OAAO,IAAI,CAAA;YACrB,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAC/D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,+BAA+B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAA;YAC3G,MAAM,IAAI,CAAC,KAAK,EAAE,CAAA;YAClB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAA;YACxB,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;QACvD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAA;QACnB,IAAI,CAAC,GAAG,GAAG,IAAI,CAAA;QACf,IAAI,CAAC,YAAY,GAAG,IAAI,CAAA;IAC1B,CAAC;IAEO,KAAK,CAAC,WAAW;QACvB,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC,UAAU,EAAE,CAAA;QACvC,MAAM,IAAI,CAAC,YAAY,CAAA;IACzB,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,MAAM,MAAM,GAAG,KAAK,EAAE,GAAgB,EAAE,EAAE;YACxC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE;gBAC/B,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;aACf,CAAC,CAAA;YACF,OAAO;gBACL,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,IAAI,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE;gBACtB,IAAI,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE;aACvB,CAAA;QACH,CAAC,CAAA;QACD,MAAM,SAAS,GAAG,CAAC,GAAW,EAAE,EAAE,CAAC,IAAI,SAAS,CAAC,GAAG,CAAU,CAAA;QAC9D,MAAM,EAAE,GAAG,IAAI,aAAa,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAiB,CAAA;QAC3D,MAAM,OAAO,GAAG,IAAI,aAAa,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAA;QACpE,MAAM,GAAG,GAAG,IAAI,SAAS,CAAC;YACxB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,oBAAoB,EAAE,GAAG,CAAC,oBAAoB;YAC9C,MAAM,EAAE,UAAU;YAClB,MAAM;SACP,CAAC,CAAA;QACF,OAAO,CAAC,EAAE,CAAC,cAAc,EAAE,CAAC,IAAa,EAAE,EAAE,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAA;QACzE,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,KAAK,CAAC,CAAA;QACnD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAA;QACtB,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,UAAU,EAAE,CAAA;QACxB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,CAAC,UAAU,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;YACjD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAA;YACnB,MAAM,KAAK,CAAA;QACb,CAAC;QACD,IAAI,CAAC,GAAG,GAAG,GAAG,CAAA;IAChB,CAAC;CACF"}

package/docs/content/docs/cli/webex.mdx

@@ -40,7 +40,7 @@ This command:
 - Supported browsers: Chrome, Chrome Canary, Edge, Arc, Brave, Vivaldi, Chromium
 - Supports `--browser-profile <path>` for agent-browser profiles, custom Chrome user data dirs, or portable browser profiles; repeatable and comma-separated values are accepted
 - Auto-extraction runs when no valid token is stored, so manual extraction is rarely needed
-- Messages are encrypted client-side (JWE/AES-256-GCM) when encryption keys are available; falls back to plaintext otherwise. Re-run `auth extract` to refresh keys for new conversations.
+- Messages are encrypted client-side (JWE/AES-256-GCM). Encryption keys are cached at extract time; for end-to-end encrypted conversations whose key is not cached, the key is fetched on demand (Mercury + KMS) and persisted for reuse. Non-encrypted conversations send as plaintext.
 
 ### OAuth Device Grant (Fallback)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-messenger",
-  "version": "2.20.2",
+  "version": "2.20.4",
   "description": "Multi-platform messaging CLI for AI agents (Slack, Discord, Teams, Webex, Telegram, Telegram Bot, WhatsApp, LINE, Instagram, KakaoTalk, Channel Talk)",
   "repository": {
     "type": "git",
@@ -177,6 +177,7 @@
     "qrcode": "^1.5.4",
     "thrift": "^0.20.0",
     "tweetnacl": "^1.0.3",
+    "webex-message-handler": "^0.6.10",
     "ws": "^8.19.0",
     "zod": "^4.3.6"
   },

package/skills/agent-channeltalk/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-channeltalk
 description: Interact with Channel Talk using extracted desktop app or browser credentials - read chats, send messages, search messages, manage groups
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-channeltalk:*)
 metadata:
   openclaw:

package/skills/agent-channeltalkbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-channeltalkbot
 description: Interact with Channel Talk workspaces using API credentials - send messages, read chats, manage groups and bots
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-channeltalkbot:*)
 metadata:
   openclaw:

package/skills/agent-discord/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-discord
 description: Interact with Discord servers - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-discord:*)
 metadata:
   openclaw:

package/skills/agent-discordbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-discordbot
 description: Interact with Discord servers using bot tokens - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-discordbot:*)
 metadata:
   openclaw:

package/skills/agent-instagram/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-instagram
 description: Interact with Instagram DMs - send messages, read conversations, manage accounts
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-instagram:*)
 metadata:
   openclaw:

package/skills/agent-kakaotalk/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-kakaotalk
 description: Interact with KakaoTalk - send messages, read chats, manage conversations
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-kakaotalk:*)
 metadata:
   openclaw:

package/skills/agent-line/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-line
 description: Interact with LINE - send messages, read chats, manage conversations
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-line:*)
 metadata:
   openclaw:

package/skills/agent-slack/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-slack
 description: Interact with Slack workspaces - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-slack:*)
 metadata:
   openclaw:

package/skills/agent-slackbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-slackbot
 description: Interact with Slack workspaces using bot tokens - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-slackbot:*)
 metadata:
   openclaw:

package/skills/agent-teams/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-teams
 description: Interact with Microsoft Teams - send messages, read channels, manage reactions
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-teams:*)
 metadata:
   openclaw:

package/skills/agent-telegram/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegram
 description: Interact with Telegram through TDLib - authenticate, inspect chats, and send messages
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-telegram:*)
 ---
 

package/skills/agent-telegrambot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegrambot
 description: Interact with Telegram using bot tokens - send messages, read chats, manage reactions
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-telegrambot:*)
 metadata:
   openclaw:

package/skills/agent-webex/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-webex
 description: Interact with Cisco Webex - send messages, read spaces, manage memberships
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-webex:*)
 metadata:
   openclaw:

package/skills/agent-webex/references/authentication.md

@@ -19,7 +19,7 @@ Extracts your first-party Webex session token from a Chromium-based browser wher
 - **Supported browsers**: Chrome, Chrome Canary, Edge, Arc, Brave, Vivaldi, Chromium
 - **Token lifetime**: Depends on Webex session policy (typically hours to days). Re-extract when expired.
 - **Auto-extraction**: The CLI attempts browser extraction automatically when no valid token is stored, so you often don't need to run `auth extract` manually.
-- **End-to-end encryption**: When encryption keys are found in the browser's cache, messages are encrypted client-side (JWE with AES-256-GCM) before sending via the internal conversation API. This ensures messages appear as encrypted in the Webex client. If no keys are found (e.g., the conversation hasn't been opened in the browser), messages fall back to plaintext.
+- **End-to-end encryption**: Messages are encrypted client-side (JWE with AES-256-GCM) before sending via the internal conversation API, so they appear as encrypted in the Webex client. Keys cached from the browser are used directly; for an end-to-end encrypted conversation whose key was not cached at extract time, the key is fetched on demand over the Mercury websocket + KMS flow and persisted for reuse. Only non-encrypted conversations are sent as plaintext.
 - **Best for**: Interactive use, sending messages as yourself without the "via" label
 
 ```bash

package/skills/agent-wechatbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-wechatbot
 description: Interact with WeChat Official Account using API credentials - send messages, manage templates, list followers
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-wechatbot:*)
 metadata:
   openclaw:

package/skills/agent-whatsapp/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsapp
 description: Interact with WhatsApp - send messages, read chats, manage conversations
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-whatsapp:*)
 metadata:
   openclaw:

package/skills/agent-whatsappbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsappbot
 description: Interact with WhatsApp using Cloud API credentials - send messages, manage templates
-version: 2.20.2
+version: 2.20.4
 allowed-tools: Bash(agent-whatsappbot:*)
 metadata:
   openclaw:

package/src/platforms/webex/client.ts

@@ -1,7 +1,8 @@
 import { WebexCredentialManager } from './credential-manager'
 import { WebexEncryptionService } from './encryption'
+import { KmsKeyProvider } from './kms-key-provider'
 import { escapeHtml, markdownToHtml, stripMarkdown } from './markdown-to-html'
-import type { WebexMembership, WebexMessage, WebexPerson, WebexSpace } from './types'
+import type { WebexConfig, WebexMembership, WebexMessage, WebexPerson, WebexSpace } from './types'
 import { WebexError } from './types'
 
 const BASE_URL = 'https://webexapis.com/v1'
@@ -44,16 +45,40 @@ export class WebexClient {
     this.tokenType = config?.tokenType ?? null
     await this.login({ token })
 
-    if (this.tokenType === 'extracted' && config?.encryptionKeys) {
-      const keysMap = new Map(Object.entries(config.encryptionKeys))
-      if (keysMap.size > 0) {
-        this.encryption = new WebexEncryptionService(keysMap)
-      }
+    if (this.tokenType === 'extracted') {
+      const keysMap = new Map(Object.entries(config?.encryptionKeys ?? {}))
+      this.encryption = new WebexEncryptionService(keysMap)
+      const kmsProvider = new KmsKeyProvider({ token })
+      this.encryption.setKeyProvider({
+        fetchKey: async (keyUri: string) => {
+          const serializedKey = await kmsProvider.fetchKey(keyUri)
+          if (serializedKey) {
+            await this.persistEncryptionKey(credManager, keyUri, serializedKey)
+          }
+          return serializedKey
+        },
+        close: () => kmsProvider.close(),
+      })
     }
 
     return this
   }
 
+  async dispose(): Promise<void> {
+    await this.encryption?.close()
+  }
+
+  private async persistEncryptionKey(
+    credManager: WebexCredentialManager,
+    keyUri: string,
+    serializedKey: string,
+  ): Promise<void> {
+    const latestConfig = await credManager.loadConfig()
+    if (!latestConfig) return
+    const encryptionKeys = { ...latestConfig.encryptionKeys, [keyUri]: serializedKey }
+    await credManager.saveConfig({ ...latestConfig, encryptionKeys } satisfies WebexConfig)
+  }
+
   private ensureAuth(): string {
     if (this.token === null) {
       throw new WebexError('Not authenticated. Call .login() first.', 'not_authenticated')
@@ -287,6 +312,9 @@ export class WebexClient {
       if (keyUri) {
         const encryptedDisplayName = await this.encryption.encryptText(keyUri, displayName)
         const encryptedContent = content ? await this.encryption.encryptText(keyUri, content) : undefined
+        if (content && !encryptedContent) {
+          throw new WebexError('Cannot encrypt message for Webex E2E conversation', 'encryption_failed')
+        }
         if (encryptedDisplayName) {
           const object: Record<string, string> = {
             objectType: 'comment',
@@ -297,6 +325,7 @@ export class WebexClient {
           }
           return { object, encryptionKeyUrl: keyUri }
         }
+        throw new WebexError('Cannot encrypt message for Webex E2E conversation', 'encryption_failed')
       }
     }
 

package/src/platforms/webex/commands/message.test.ts

@@ -8,6 +8,7 @@ const mockMessage = {
   roomId: 'space_456',
   roomType: 'group' as const,
   text: 'Hello world',
+  html: '<p>Hello <a href="https://example.com">world</a></p>',
   personId: 'person_789',
   personEmail: 'user@example.com',
   created: '2025-01-29T10:00:00.000Z',
@@ -18,6 +19,7 @@ const mockMessage2 = {
   roomId: 'space_456',
   roomType: 'group' as const,
   text: 'Second message',
+  html: '<p>Second message</p>',
   personId: 'person_789',
   personEmail: 'user@example.com',
   created: '2025-01-29T10:01:00.000Z',
@@ -32,6 +34,7 @@ let mockGetMessage: ReturnType<typeof spyOn>
 let mockDeleteMessage: ReturnType<typeof spyOn>
 let mockEditMessage: ReturnType<typeof spyOn>
 let mockLogin: ReturnType<typeof spyOn>
+let mockDispose: ReturnType<typeof spyOn>
 let consoleLogSpy: ReturnType<typeof spyOn>
 let consoleErrorSpy: ReturnType<typeof spyOn>
 let processExitSpy: ReturnType<typeof spyOn>
@@ -47,6 +50,7 @@ beforeEach(() => {
   mockLogin = protoSpy('login').mockImplementation(async function (this: WebexClient) {
     return this
   })
+  mockDispose = protoSpy('dispose').mockResolvedValue(undefined)
   mockSendMessage = protoSpy('sendMessage').mockResolvedValue(mockMessage)
   mockSendDirectMessage = protoSpy('sendDirectMessage').mockResolvedValue(mockMessage)
   mockListMessages = protoSpy('listMessages').mockResolvedValue([mockMessage, mockMessage2])
@@ -78,6 +82,7 @@ it('calls sendMessage with correct args and outputs result', async () => {
   expect(output).toContain('msg_123')
   expect(output).toContain('space_456')
   expect(output).toContain('user@example.com')
+  expect(mockDispose).toHaveBeenCalled()
 })
 
 it('passes markdown option when --markdown flag is set on send', async () => {
@@ -86,6 +91,14 @@ it('passes markdown option when --markdown flag is set on send', async () => {
   expect(mockSendMessage).toHaveBeenCalledWith('space_456', '**bold**', { markdown: true })
 })
 
+it('disposes the client when send fails', async () => {
+  mockSendMessage.mockRejectedValue(new WebexError('Send failed', 'send_failed'))
+
+  await sendAction('space_456', 'Hello world', { pretty: false })
+
+  expect(mockDispose).toHaveBeenCalled()
+})
+
 it('exits with code 1 when not authenticated on send', async () => {
   mockLogin.mockRejectedValue(new WebexError('No Webex credentials found.', 'no_credentials'))
 
@@ -122,6 +135,7 @@ it('calls listMessages with limit and outputs array', async () => {
   const output = consoleLogSpy.mock.calls[0][0]
   expect(output).toContain('msg_123')
   expect(output).toContain('msg_124')
+  expect(output).toContain('https://example.com')
 })
 
 it('calls getMessage with correct id and outputs result', async () => {
@@ -132,6 +146,7 @@ it('calls getMessage with correct id and outputs result', async () => {
   const output = consoleLogSpy.mock.calls[0][0]
   expect(output).toContain('msg_123')
   expect(output).toContain('user@example.com')
+  expect(output).toContain('https://example.com')
 })
 
 it('calls deleteMessage and outputs deleted id when --force flag is set', async () => {
@@ -166,6 +181,7 @@ it('calls editMessage with roomId in args and outputs result', async () => {
   const output = consoleLogSpy.mock.calls[0][0]
   expect(output).toContain('msg_123')
   expect(output).toContain('Updated message')
+  expect(mockDispose).toHaveBeenCalled()
 })
 
 it('passes markdown option to editMessage when --markdown flag is set', async () => {

package/src/platforms/webex/commands/message.ts

@@ -6,24 +6,36 @@ import { formatOutput } from '@/shared/utils/output'
 import { WebexClient } from '../client'
 import type { WebexMessage } from '../types'
 
+function formatMessageOutput(message: WebexMessage) {
+  return {
+    id: message.id,
+    roomId: message.roomId,
+    text: message.text,
+    html: message.html,
+    personEmail: message.personEmail,
+    created: message.created,
+  }
+}
+
+async function withWebexClient<T>(run: (client: WebexClient) => Promise<T>): Promise<T> {
+  const client = new WebexClient()
+  try {
+    await client.login()
+    return await run(client)
+  } finally {
+    await client.dispose()
+  }
+}
+
 export async function sendAction(
   spaceId: string,
   text: string,
   options: { markdown?: boolean; pretty?: boolean },
 ): Promise<void> {
   try {
-    const client = await new WebexClient().login()
-    const message = await client.sendMessage(spaceId, text, { markdown: options.markdown })
-
-    const output = {
-      id: message.id,
-      roomId: message.roomId,
-      text: message.text,
-      personEmail: message.personEmail,
-      created: message.created,
-    }
+    const message = await withWebexClient((client) => client.sendMessage(spaceId, text, { markdown: options.markdown }))
 
-    console.log(formatOutput(output, options.pretty))
+    console.log(formatOutput(formatMessageOutput(message), options.pretty))
   } catch (error) {
     handleError(error as Error)
   }
@@ -31,17 +43,10 @@ export async function sendAction(
 
 export async function listAction(spaceId: string, options: { limit?: number; pretty?: boolean }): Promise<void> {
   try {
-    const client = await new WebexClient().login()
     const limit = options.limit ?? 50
-    const messages = await client.listMessages(spaceId, { max: limit })
+    const messages = await withWebexClient((client) => client.listMessages(spaceId, { max: limit }))
 
-    const output = messages.map((msg: WebexMessage) => ({
-      id: msg.id,
-      roomId: msg.roomId,
-      text: msg.text,
-      personEmail: msg.personEmail,
-      created: msg.created,
-    }))
+    const output = messages.map(formatMessageOutput)
 
     console.log(formatOutput(output, options.pretty))
   } catch (error) {
@@ -51,18 +56,9 @@ export async function listAction(spaceId: string, options: { limit?: number; pre
 
 export async function getAction(messageId: string, options: { pretty?: boolean }): Promise<void> {
   try {
-    const client = await new WebexClient().login()
-    const message = await client.getMessage(messageId)
-
-    const output = {
-      id: message.id,
-      roomId: message.roomId,
-      text: message.text,
-      personEmail: message.personEmail,
-      created: message.created,
-    }
+    const message = await withWebexClient((client) => client.getMessage(messageId))
 
-    console.log(formatOutput(output, options.pretty))
+    console.log(formatOutput(formatMessageOutput(message), options.pretty))
   } catch (error) {
     handleError(error as Error)
   }
@@ -75,8 +71,7 @@ export async function deleteAction(messageId: string, options: { force?: boolean
       return process.exit(0)
     }
 
-    const client = await new WebexClient().login()
-    await client.deleteMessage(messageId)
+    await withWebexClient((client) => client.deleteMessage(messageId))
 
     console.log(formatOutput({ deleted: messageId }, options.pretty))
   } catch (error) {
@@ -91,20 +86,13 @@ export async function editAction(
   options: { markdown?: boolean; pretty?: boolean },
 ): Promise<void> {
   try {
-    const client = await new WebexClient().login()
-    const message = await client.editMessage(messageId, spaceId, text, {
-      markdown: options.markdown,
-    })
-
-    const output = {
-      id: message.id,
-      roomId: message.roomId,
-      text: message.text,
-      personEmail: message.personEmail,
-      created: message.created,
-    }
+    const message = await withWebexClient((client) =>
+      client.editMessage(messageId, spaceId, text, {
+        markdown: options.markdown,
+      }),
+    )
 
-    console.log(formatOutput(output, options.pretty))
+    console.log(formatOutput(formatMessageOutput(message), options.pretty))
   } catch (error) {
     handleError(error as Error)
   }
@@ -116,18 +104,11 @@ export async function dmAction(
   options: { markdown?: boolean; pretty?: boolean },
 ): Promise<void> {
   try {
-    const client = await new WebexClient().login()
-    const message = await client.sendDirectMessage(email, text, { markdown: options.markdown })
-
-    const output = {
-      id: message.id,
-      roomId: message.roomId,
-      text: message.text,
-      personEmail: message.personEmail,
-      created: message.created,
-    }
+    const message = await withWebexClient((client) =>
+      client.sendDirectMessage(email, text, { markdown: options.markdown }),
+    )
 
-    console.log(formatOutput(output, options.pretty))
+    console.log(formatOutput(formatMessageOutput(message), options.pretty))
   } catch (error) {
     handleError(error as Error)
   }

package/src/platforms/webex/encryption.test.ts

@@ -1,4 +1,4 @@
-import { describe, expect, it } from 'bun:test'
+import { describe, expect, it, mock } from 'bun:test'
 
 import * as jose from 'node-jose'
 
@@ -11,12 +11,16 @@ const decodeJweHeader = (jwe: string): Record<string, unknown> => {
   return JSON.parse(json) as Record<string, unknown>
 }
 
-const createKeyring = async (keyUri: string) => {
+const createSerializedKey = async (keyUri: string) => {
   const keystore = jose.JWK.createKeyStore()
   const key = await keystore.generate('oct', 256, { alg: 'A256GCM' })
   const jwk = key.toJSON(true)
+  return JSON.stringify({ uri: keyUri, jwk })
+}
+
+const createKeyring = async (keyUri: string) => {
   const rawKeys = new Map<string, string>()
-  rawKeys.set(keyUri, JSON.stringify({ jwk }))
+  rawKeys.set(keyUri, await createSerializedKey(keyUri))
   return new WebexEncryptionService(rawKeys)
 }
 
@@ -51,4 +55,55 @@ describe('WebexEncryptionService', () => {
 
     expect(plaintext).toBe('round trip')
   })
+
+  it('getKey returns cached key without calling provider when key is present', async () => {
+    const service = await createKeyring(keyUri)
+    const provider = { fetchKey: mock(async () => null as string | null) }
+    service.setKeyProvider(provider)
+
+    const key = await service.getKey(keyUri)
+
+    expect(key).not.toBeNull()
+    expect(provider.fetchKey).not.toHaveBeenCalled()
+  })
+
+  it('getKey calls provider and returns key when key is missing', async () => {
+    const missingKeyUri = 'kms://kms-aore.wbx2.com/keys/0d7a0dfb-0464-40ce-8f3d-e65a33b61561'
+    const serializedKey = await createSerializedKey(missingKeyUri)
+    const service = new WebexEncryptionService(new Map())
+    const provider = { fetchKey: mock(async () => serializedKey) }
+    service.setKeyProvider(provider)
+
+    const key = await service.getKey(missingKeyUri)
+
+    expect(key).not.toBeNull()
+    expect(provider.fetchKey).toHaveBeenCalledWith(missingKeyUri)
+  })
+
+  it('getKey returns null when provider returns null', async () => {
+    const missingKeyUri = 'kms://kms-aore.wbx2.com/keys/13d6256d-f7f1-4b98-8102-4d3d87b2834a'
+    const service = new WebexEncryptionService(new Map())
+    const provider = { fetchKey: mock(async () => null as string | null) }
+    service.setKeyProvider(provider)
+
+    const key = await service.getKey(missingKeyUri)
+
+    expect(key).toBeNull()
+    expect(provider.fetchKey).toHaveBeenCalledWith(missingKeyUri)
+  })
+
+  it('getKey reuses provider result from raw keys after first fetch', async () => {
+    const missingKeyUri = 'kms://kms-aore.wbx2.com/keys/84afb005-5ba5-49c8-bd46-0c5d7ddf1c30'
+    const serializedKey = await createSerializedKey(missingKeyUri)
+    const service = new WebexEncryptionService(new Map())
+    const provider = { fetchKey: mock(async () => serializedKey) }
+    service.setKeyProvider(provider)
+
+    await service.getKey(missingKeyUri)
+    ;(service as unknown as { keyCache: Map<string, jose.JWK.Key> }).keyCache.clear()
+    const key = await service.getKey(missingKeyUri)
+
+    expect(key).not.toBeNull()
+    expect(provider.fetchKey).toHaveBeenCalledTimes(1)
+  })
 })

package/src/platforms/webex/encryption.ts

@@ -1,23 +1,41 @@
 import * as jose from 'node-jose'
 
+export interface WebexKeyProvider {
+  fetchKey(keyUri: string): Promise<string | null>
+  close?(): Promise<void>
+}
+
 export class WebexEncryptionService {
   private rawKeys: Map<string, string>
   private keyCache: Map<string, jose.JWK.Key> = new Map()
+  private keyProvider: WebexKeyProvider | null = null
 
   constructor(serializedKeys: Map<string, string>) {
     this.rawKeys = serializedKeys
   }
 
+  setKeyProvider(provider: WebexKeyProvider): void {
+    this.keyProvider = provider
+  }
+
+  async close(): Promise<void> {
+    await this.keyProvider?.close?.()
+  }
+
   async getKey(keyUri: string): Promise<jose.JWK.Key | null> {
     const cached = this.keyCache.get(keyUri)
     if (cached) return cached
 
-    const raw = this.rawKeys.get(keyUri)
+    let raw = this.rawKeys.get(keyUri)
+    if (!raw && this.keyProvider) {
+      raw = (await this.keyProvider.fetchKey(keyUri)) ?? undefined
+    }
     if (!raw) return null
 
     try {
       const parsed = JSON.parse(raw) as { jwk: object }
       const joseKey = await jose.JWK.asKey(parsed.jwk)
+      this.rawKeys.set(keyUri, raw)
       this.keyCache.set(keyUri, joseKey)
       return joseKey
     } catch {