agent-messenger 2.23.4 → 2.23.5

package/dist/src/platforms/webex/encryption.js.map

@@ -1 +1 @@
-{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../../../src/platforms/webex/encryption.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAA;AAOjC,MAAM,OAAO,sBAAsB;IACzB,OAAO,CAAqB;IAC5B,QAAQ,GAA8B,IAAI,GAAG,EAAE,CAAA;IAC/C,WAAW,GAA4B,IAAI,CAAA;IAEnD,YAAY,cAAmC;QAC7C,IAAI,CAAC,OAAO,GAAG,cAAc,CAAA;IAC/B,CAAC;IAED,cAAc,CAAC,QAA0B;QACvC,IAAI,CAAC,WAAW,GAAG,QAAQ,CAAA;IAC7B,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,EAAE,CAAA;IACnC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MAAc;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACxC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QAEzB,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAClC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC7B,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,SAAS,CAAA;QAC9D,CAAC;QACD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAErB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAA;YACjD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;YAC7B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;YAClC,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,SAAiB;QACjD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QACrC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAErB,IAAI,CAAC;YACH,gFAAgF;YAChF,8EAA8E;YAC9E,OAAO,MAAM,IAAI,CAAC,GAAG,CAAC,aAAa,CACjC,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,EAC5C,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAC9D,CAAC,KAAK,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,UAAkB;QAClD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QACrC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAErB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;YACpE,OAAO,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../../../src/platforms/webex/encryption.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAEzD,OAAO,KAAK,IAAI,MAAM,WAAW,CAAA;AAuBjC,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACrC,CAAC;AAED,MAAM,OAAO,sBAAsB;IACzB,OAAO,CAAqB;IAC5B,QAAQ,GAA8B,IAAI,GAAG,EAAE,CAAA;IAC/C,WAAW,GAA4B,IAAI,CAAA;IAEnD,YAAY,cAAmC;QAC7C,IAAI,CAAC,OAAO,GAAG,cAAc,CAAA;IAC/B,CAAC;IAED,cAAc,CAAC,QAA0B;QACvC,IAAI,CAAC,WAAW,GAAG,QAAQ,CAAA;IAC7B,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,EAAE,CAAA;IACnC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MAAc;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACxC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QAEzB,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAClC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC7B,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,SAAS,CAAA;QAC9D,CAAC;QACD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAErB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAA;YACjD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;YAC7B,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;YAClC,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,SAAiB;QACjD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QACrC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAErB,IAAI,CAAC;YACH,gFAAgF;YAChF,8EAA8E;YAC9E,OAAO,MAAM,IAAI,CAAC,GAAG,CAAC,aAAa,CACjC,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,EAC5C,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAC9D,CAAC,KAAK,CAAC,SAAS,EAAE,MAAM,CAAC,CAAA;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,UAAkB;QAClD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QACrC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAErB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;YACpE,OAAO,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,aAAa,CAAC,SAAqB;QACjC,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAA;QAC3B,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAA;QAC1B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;QAEpC,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAA;QACrD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAA;QACvC,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;QACzF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;QAE/B,OAAO;YACL,GAAG,EAAE;gBACH,GAAG,EAAE,SAAS;gBACd,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC;gBACrB,EAAE,EAAE,WAAW,CAAC,EAAE,CAAC;gBACnB,GAAG;gBACH,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC;aACtB;YACD,UAAU;SACX,CAAA;IACH,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,MAAc,EAAE,GAAa;QAC5C,IAAI,CAAC,GAAG,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QACzB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QACrC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAA;QAErB,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,GAAG,CAAC,aAAa,CACjC,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,EAC5C,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAC9D,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;CACF"}

package/docs/content/docs/cli/webex.mdx

@@ -203,6 +203,19 @@ agent-webex member list <space-id>
 agent-webex member list abc123 --limit 100
 ```
 
+### File Commands
+
+```bash
+# Upload a local file to a space
+agent-webex file upload <space-id> <path>
+agent-webex file upload abc123 ./report.pdf --text "Latest report"
+agent-webex file upload abc123 ./image.png --text "**Done**" --markdown
+
+# Download a file attachment by content URL or ID
+agent-webex file download <content-url-or-id>
+agent-webex file download <content-url-or-id> ./out.pdf
+```
+
 ### Snapshot Command
 
 Get workspace overview for AI agents (brief by default):

package/docs/content/docs/sdk/webex.mdx

@@ -104,6 +104,18 @@ const limited = await client.listMemberships(roomId, { max: 100 })
 // → WebexMembership[]
 ```
 
+### Files
+
+```typescript
+// Upload a file to a space (optionally with a text comment)
+const msg = await client.uploadFile(roomId, { content: blob, filename: 'report.pdf' }, { text: 'Latest report' })
+// → WebexMessage { id, roomId, files, ... }
+
+// Download a file attachment by content URL or ID
+const { data, filename, contentType } = await client.downloadContent(contentUrlOrId)
+// → { data: ArrayBuffer, filename: string, contentType: string }
+```
+
 ## WebexCredentialManager
 
 Manages Webex credentials stored at `~/.config/agent-messenger/webex-credentials.json`. Files are written with `0o600` permissions. Supports OAuth Device Grant flow, bot tokens, and PATs.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-messenger",
-  "version": "2.23.4",
+  "version": "2.23.5",
   "description": "Multi-platform messaging CLI for AI agents (Slack, Discord, Teams, Webex, Telegram, Telegram Bot, WhatsApp, LINE, Instagram, KakaoTalk, Channel Talk)",
   "repository": {
     "type": "git",

package/skills/agent-channeltalk/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-channeltalk
 description: Interact with Channel Talk using extracted desktop app or browser credentials - read chats, send messages, search messages, manage groups
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-channeltalk:*)
 metadata:
   openclaw:

package/skills/agent-channeltalkbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-channeltalkbot
 description: Interact with Channel Talk workspaces using API credentials - send messages, read chats, manage groups and bots
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-channeltalkbot:*)
 metadata:
   openclaw:

package/skills/agent-discord/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-discord
 description: Interact with Discord servers - send messages, read channels, manage reactions
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-discord:*)
 metadata:
   openclaw:

package/skills/agent-discordbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-discordbot
 description: Interact with Discord servers using bot tokens - send messages, read channels, manage reactions
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-discordbot:*)
 metadata:
   openclaw:

package/skills/agent-instagram/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-instagram
 description: Interact with Instagram DMs - send messages, read conversations, manage accounts
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-instagram:*)
 metadata:
   openclaw:

package/skills/agent-kakaotalk/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-kakaotalk
 description: Interact with KakaoTalk - send messages, read chats, manage conversations
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-kakaotalk:*)
 metadata:
   openclaw:

package/skills/agent-line/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-line
 description: Interact with LINE - send messages, read chats, manage conversations
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-line:*)
 metadata:
   openclaw:

package/skills/agent-slack/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-slack
 description: Interact with Slack workspaces - send messages, read channels, manage reactions
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-slack:*)
 metadata:
   openclaw:

package/skills/agent-slackbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-slackbot
 description: Interact with Slack workspaces using bot tokens - send messages, read channels, manage reactions
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-slackbot:*)
 metadata:
   openclaw:

package/skills/agent-teams/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-teams
 description: Interact with Microsoft Teams - send messages, read channels, manage reactions
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-teams:*)
 metadata:
   openclaw:

package/skills/agent-telegram/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegram
 description: Interact with Telegram through TDLib - authenticate, inspect chats, and send messages
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-telegram:*)
 ---
 

package/skills/agent-telegrambot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegrambot
 description: Interact with Telegram using bot tokens - send messages, read chats, manage reactions
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-telegrambot:*)
 metadata:
   openclaw:

package/skills/agent-webex/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-webex
 description: Interact with Cisco Webex - send messages, read spaces, manage memberships
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-webex:*)
 metadata:
   openclaw:
@@ -314,6 +314,19 @@ agent-webex member list <space-id>
 agent-webex member list <space-id> --limit 100
 ```
 
+### File Commands
+
+```bash
+# Upload a local file to a space
+agent-webex file upload <space-id> <path>
+agent-webex file upload <space-id> ./report.pdf --text "Latest report"
+agent-webex file upload <space-id> ./image.png --text "**Done**" --markdown
+
+# Download a file attachment by content URL or ID
+agent-webex file download <content-url-or-id>
+agent-webex file download <content-url-or-id> ./out.pdf
+```
+
 ### Snapshot Command
 
 Get workspace overview for AI agents (brief by default):
@@ -451,7 +464,6 @@ See the [Webex SDK documentation](https://agent-messenger.dev/docs/sdk/webex) fo
 
 ## Limitations
 
-- No file upload or download
 - No reactions / emoji support
 - No thread support
 - No message search

package/skills/agent-webexbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-webexbot
 description: Interact with Cisco Webex using bot tokens - send messages, reply in threads, upload and download files, look up people, read spaces, manage memberships, stream real-time events
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-webexbot:*)
 metadata:
   openclaw:

package/skills/agent-wechatbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-wechatbot
 description: Interact with WeChat Official Account using API credentials - send messages, manage templates, list followers
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-wechatbot:*)
 metadata:
   openclaw:

package/skills/agent-whatsapp/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsapp
 description: Interact with WhatsApp - send messages, read chats, manage conversations
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-whatsapp:*)
 metadata:
   openclaw:

package/skills/agent-whatsappbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsappbot
 description: Interact with WhatsApp using Cloud API credentials - send messages, manage templates
-version: 2.23.4
+version: 2.23.5
 allowed-tools: Bash(agent-whatsappbot:*)
 metadata:
   openclaw:

package/src/platforms/webex/cli.ts

@@ -4,7 +4,15 @@ import type { Command as CommandType } from 'commander'
 import { Command } from 'commander'
 
 import pkg from '../../../package.json' with { type: 'json' }
-import { authCommand, memberCommand, messageCommand, snapshotCommand, spaceCommand, whoamiCommand } from './commands'
+import {
+  authCommand,
+  fileCommand,
+  memberCommand,
+  messageCommand,
+  snapshotCommand,
+  spaceCommand,
+  whoamiCommand,
+} from './commands'
 import { ensureWebexAuth } from './ensure-auth'
 
 function isAuthCommand(command: CommandType): boolean {
@@ -26,6 +34,7 @@ program.hook('preAction', async (_thisCommand, actionCommand) => {
 })
 
 program.addCommand(authCommand)
+program.addCommand(fileCommand)
 program.addCommand(memberCommand)
 program.addCommand(messageCommand)
 program.addCommand(snapshotCommand)

package/src/platforms/webex/client.test.ts

@@ -1018,6 +1018,137 @@ describe('WebexClient', () => {
       })
     })
 
+    describe('uploadFile', () => {
+      const mockUploadFlow = () => {
+        // given: the full internal share flow — conv lookup, space, session, PUT, finish, content
+        mockResponse({ id: TEST_CONV_UUID })
+        mockResponse({ spaceUrl: 'https://files.wbx2.com/spaces/sp1' })
+        mockResponse({
+          uploadUrl: 'https://up.wbx2.com/upload/sess1',
+          finishUploadUrl: 'https://up.wbx2.com/upload/sess1/finish',
+        })
+        mockResponse({}, 200)
+        mockResponse({ downloadUrl: 'https://files.wbx2.com/files/f1' })
+        mockResponse({ ...mockActivity(''), verb: 'share' })
+      }
+
+      const file = () => ({ content: new Blob(['hello world']), filename: 'note.txt' })
+
+      it('routes to the internal conversation API instead of the public messages endpoint', async () => {
+        mockUploadFlow()
+
+        const client = await createExtractedClient()
+        await client.uploadFile(TEST_ROOM_ID, file())
+
+        expect(fetchCalls.every((c) => !c.url.includes('webexapis.com/v1/messages'))).toBe(true)
+        expect(fetchCalls.at(-1)?.url).toBe(`${CONV_BASE}/conversations/${TEST_CONV_UUID}/content`)
+        expect(fetchCalls.at(-1)?.options?.method).toBe('POST')
+      })
+
+      it('requests a space, opens an upload session, PUTs the bytes, then finalizes', async () => {
+        mockUploadFlow()
+
+        const client = await createExtractedClient()
+        await client.uploadFile(TEST_ROOM_ID, file())
+
+        expect(fetchCalls[1].url).toBe(`${CONV_BASE}/conversations/${TEST_CONV_UUID}/space`)
+        expect(fetchCalls[1].options?.method).toBe('PUT')
+        expect(fetchCalls[2].url).toBe('https://files.wbx2.com/spaces/sp1/upload_sessions')
+        expect(fetchCalls[3].url).toBe('https://up.wbx2.com/upload/sess1')
+        expect(fetchCalls[3].options?.method).toBe('PUT')
+        expect(fetchCalls[4].url).toBe('https://up.wbx2.com/upload/sess1/finish')
+      })
+
+      it('finalize body carries fileSize and a sha256 fileHash of the uploaded bytes', async () => {
+        mockUploadFlow()
+
+        const client = await createExtractedClient()
+        await client.uploadFile(TEST_ROOM_ID, file())
+
+        const body = JSON.parse(fetchCalls[4].options?.body as string)
+        expect(body.fileSize).toBe(11)
+        expect(body.fileHash).toMatch(/^[0-9a-f]{64}$/)
+      })
+
+      it('share activity references the uploaded file with download url and metadata', async () => {
+        mockUploadFlow()
+
+        const client = await createExtractedClient()
+        await client.uploadFile(TEST_ROOM_ID, file())
+
+        const body = JSON.parse(fetchCalls.at(-1)?.options?.body as string)
+        expect(body.verb).toBe('share')
+        expect(body.object.objectType).toBe('content')
+        expect(body.object.contentCategory).toBe('documents')
+        const item = body.object.files.items[0]
+        expect(item.objectType).toBe('file')
+        expect(item.url).toBe('https://files.wbx2.com/files/f1')
+        expect(item.fileSize).toBe(11)
+        expect(item.mimeType).toBe('text/plain')
+        expect(item.displayName).toBe('note.txt')
+      })
+
+      it('attaches an optional text comment to the share activity', async () => {
+        mockUploadFlow()
+
+        const client = await createExtractedClient()
+        await client.uploadFile(TEST_ROOM_ID, file(), { text: 'see attached' })
+
+        const body = JSON.parse(fetchCalls.at(-1)?.options?.body as string)
+        expect(body.object.displayName).toBe('see attached')
+      })
+
+      it('categorizes images by mime type', async () => {
+        mockUploadFlow()
+
+        const client = await createExtractedClient()
+        await client.uploadFile(TEST_ROOM_ID, { content: new Blob(['x']), filename: 'photo.png' })
+
+        const body = JSON.parse(fetchCalls.at(-1)?.options?.body as string)
+        expect(body.object.contentCategory).toBe('images')
+        expect(body.object.files.items[0].mimeType).toBe('image/png')
+      })
+
+      it('refuses to upload when the server returns an untrusted space url', async () => {
+        mockResponse({ id: TEST_CONV_UUID })
+        mockResponse({ spaceUrl: 'https://evil.example.com/spaces/sp1' })
+
+        const client = await createExtractedClient()
+
+        await expect(client.uploadFile(TEST_ROOM_ID, file())).rejects.toThrow('untrusted host')
+        expect(fetchCalls.every((c) => !c.url.includes('evil.example.com'))).toBe(true)
+      })
+
+      it('refuses to upload when the server returns a non-https upload url', async () => {
+        mockResponse({ id: TEST_CONV_UUID })
+        mockResponse({ spaceUrl: 'https://files.wbx2.com/spaces/sp1' })
+        mockResponse({
+          uploadUrl: 'http://up.wbx2.com/upload/sess1',
+          finishUploadUrl: 'https://up.wbx2.com/upload/sess1/finish',
+        })
+
+        const client = await createExtractedClient()
+
+        await expect(client.uploadFile(TEST_ROOM_ID, file())).rejects.toThrow('untrusted host')
+      })
+
+      it('accepts trusted Webex urls that carry an explicit port', async () => {
+        mockResponse({ id: TEST_CONV_UUID })
+        mockResponse({ spaceUrl: 'https://files.wbx2.com:443/spaces/sp1' })
+        mockResponse({
+          uploadUrl: 'https://up.wbx2.com:443/upload/sess1',
+          finishUploadUrl: 'https://up.wbx2.com:443/upload/sess1/finish',
+        })
+        mockResponse({}, 200)
+        mockResponse({ downloadUrl: 'https://files.wbx2.com/files/f1' })
+        mockResponse({ ...mockActivity(''), verb: 'share' })
+
+        const client = await createExtractedClient()
+
+        await expect(client.uploadFile(TEST_ROOM_ID, file())).resolves.toBeDefined()
+      })
+    })
+
     describe('error handling', () => {
       it('throws WebexError when internal API returns non-OK response', async () => {
         fetchResponses.push(

package/src/platforms/webex/client.ts

@@ -1,5 +1,8 @@
+import { createHash } from 'node:crypto'
+
 import { WebexCredentialManager } from './credential-manager'
 import { WebexEncryptionService } from './encryption'
+import type { WebexScr } from './encryption'
 import {
   decodeWebexId,
   normalizeSdkMembership,
@@ -655,6 +658,11 @@ export class WebexClient {
     options?: { text?: string; markdown?: boolean; parentId?: string },
   ): Promise<WebexMessage> {
     const resolvedRoomId = await this.resolveRoomId(roomId)
+
+    if (this.useInternalAPI) {
+      return this.uploadFileInternal(resolvedRoomId, file, options)
+    }
+
     const resolvedParentId = options?.parentId ? this.resolveMessageId(options.parentId) : undefined
     const form = new FormData()
     form.set('roomId', resolvedRoomId)
@@ -677,6 +685,137 @@ export class WebexClient {
     return normalizeSdkMessage((await response.json()) as WebexMessage)
   }
 
+  private async uploadFileInternal(
+    roomId: string,
+    file: { content: Blob; filename: string },
+    options?: { text?: string; markdown?: boolean; parentId?: string },
+  ): Promise<WebexMessage> {
+    const convUuid = this.decodeConvUuid(roomId)
+    const conversationUrl = `${this.convBaseUrl}/conversations/${convUuid}`
+    const conv = await this.internalRequest<InternalConversation>(
+      `/conversations/${convUuid}?activitiesLimit=0&participantsLimit=0`,
+    )
+    const keyUri = conv.defaultActivityEncryptionKeyUrl
+
+    const bytes = new Uint8Array(await file.content.arrayBuffer())
+    const fileItem = await this.uploadFileContent(conversationUrl, file.filename, bytes, keyUri)
+
+    const object: Record<string, unknown> = {
+      objectType: 'content',
+      contentCategory: contentCategoryFor(fileItem.mimeType),
+      files: { items: [fileItem.item] },
+    }
+    let encryptionKeyUrl: string | undefined
+    if (options?.text) {
+      const built = await this.buildEncryptedObject(convUuid, options.text, { markdown: options.markdown })
+      object.displayName = built.object.displayName
+      if (built.object.content) object.content = built.object.content
+      encryptionKeyUrl = built.encryptionKeyUrl
+    }
+
+    const activity: Record<string, unknown> = {
+      verb: 'share',
+      object,
+      target: { id: convUuid, objectType: 'conversation' },
+      clientTempId: `tmp-${Date.now()}-share`,
+    }
+    if (options?.parentId) {
+      activity.parent = { id: this.toMessageRef(options.parentId), type: 'reply' }
+    }
+    if (encryptionKeyUrl ?? keyUri) {
+      activity.encryptionKeyUrl = encryptionKeyUrl ?? keyUri
+    }
+
+    const result = await this.internalActivityRequest<InternalActivity>(`${conversationUrl}/content`, {
+      method: 'POST',
+      body: JSON.stringify(activity),
+    })
+    return this.activityToMessage(result, roomId)
+  }
+
+  private async uploadFileContent(
+    conversationUrl: string,
+    filename: string,
+    bytes: Uint8Array,
+    keyUri: string | undefined,
+  ): Promise<{ item: Record<string, unknown>; mimeType: string }> {
+    const space = await this.internalActivityRequest<{ spaceUrl: string }>(`${conversationUrl}/space`, {
+      method: 'PUT',
+    })
+
+    let body: Uint8Array
+    let scr: WebexScr | undefined
+    if (this.encryption && keyUri) {
+      const encrypted = this.encryption.encryptBinary(bytes)
+      body = encrypted.ciphertext
+      scr = encrypted.scr
+    } else {
+      body = bytes
+    }
+
+    const downloadUrl = await this.uploadToSpace(space.spaceUrl, body)
+
+    const mimeType = guessMimeType(filename)
+    const item: Record<string, unknown> = {
+      objectType: 'file',
+      displayName: filename,
+      fileSize: bytes.byteLength,
+      mimeType,
+      url: downloadUrl,
+    }
+
+    if (scr && keyUri && this.encryption) {
+      scr.loc = downloadUrl
+      const encryptedScr = await this.encryption.encryptScr(keyUri, scr)
+      if (!encryptedScr) {
+        throw new WebexError('Cannot encrypt file for Webex E2E conversation', 'encryption_failed')
+      }
+      item.scr = encryptedScr
+      item.displayName = (await this.encryption.encryptText(keyUri, filename)) ?? filename
+    }
+
+    return { item, mimeType }
+  }
+
+  private async uploadToSpace(spaceUrl: string, body: Uint8Array): Promise<string> {
+    const session = await this.internalActivityRequest<{ uploadUrl: string; finishUploadUrl: string }>(
+      `${spaceUrl}/upload_sessions`,
+      {
+        method: 'POST',
+        body: JSON.stringify({ uploadProtocol: 'content-length', fileSize: body.byteLength }),
+      },
+    )
+
+    const putResponse = await fetch(assertTrustedWebexUrl(session.uploadUrl), {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/octet-stream', 'Content-Length': String(body.byteLength) },
+      body,
+    })
+    if (!putResponse.ok) {
+      throw new WebexError(`File upload failed: HTTP ${putResponse.status}`, `http_${putResponse.status}`)
+    }
+
+    const fileHash = createHash('sha256').update(body).digest('hex')
+    const finished = await this.internalActivityRequest<{ downloadUrl: string }>(session.finishUploadUrl, {
+      method: 'POST',
+      body: JSON.stringify({ fileSize: body.byteLength, fileHash }),
+    })
+    return finished.downloadUrl
+  }
+
+  private async internalActivityRequest<T>(url: string, init: RequestInit): Promise<T> {
+    const response = await fetch(assertTrustedWebexUrl(url), {
+      ...init,
+      headers: { ...this.internalHeaders, ...(init.headers as Record<string, string>) },
+    })
+    if (!response.ok) {
+      const errorBody = (await response.json().catch(() => null)) as { message?: string } | null
+      throw new WebexError(errorBody?.message ?? `HTTP ${response.status}`, `http_${response.status}`)
+    }
+    if (response.status === 204) return undefined as T
+    return response.json() as Promise<T>
+  }
+
   private async lookupRoomId(uuid: string, fallback: string): Promise<string> {
     try {
       // Page through every room the account belongs to, stopping as soon as the
@@ -816,6 +955,62 @@ function looksLikeUuid(value: string): boolean {
   return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value)
 }
 
+function isTrustedWebexHost(host: string): boolean {
+  return (
+    host === 'webex.com' ||
+    host.endsWith('.webex.com') ||
+    host === 'wbx2.com' ||
+    host.endsWith('.wbx2.com') ||
+    host === 'ciscospark.com' ||
+    host.endsWith('.ciscospark.com')
+  )
+}
+
+// Pin server-returned upload URLs to HTTPS Webex hosts: they receive the bearer
+// token (activity calls) and file bytes, so a compromised response must not be
+// able to exfiltrate them to an attacker-controlled host (SSRF/token leak).
+function assertTrustedWebexUrl(url: string): string {
+  let parsed: URL
+  try {
+    parsed = new URL(url)
+  } catch {
+    throw new WebexError(`Invalid Webex URL: ${url}`, 'invalid_url')
+  }
+  if (parsed.protocol !== 'https:' || !isTrustedWebexHost(parsed.hostname)) {
+    throw new WebexError(`Refusing to send request to untrusted host: ${parsed.origin}`, 'untrusted_url')
+  }
+  return parsed.toString()
+}
+
+const MIME_TYPES: Record<string, string> = {
+  png: 'image/png',
+  jpg: 'image/jpeg',
+  jpeg: 'image/jpeg',
+  gif: 'image/gif',
+  webp: 'image/webp',
+  svg: 'image/svg+xml',
+  mp4: 'video/mp4',
+  mov: 'video/quicktime',
+  webm: 'video/webm',
+  pdf: 'application/pdf',
+  txt: 'text/plain',
+  md: 'text/markdown',
+  json: 'application/json',
+  csv: 'text/csv',
+  zip: 'application/zip',
+}
+
+function guessMimeType(filename: string): string {
+  const ext = filename.split('.').pop()?.toLowerCase() ?? ''
+  return MIME_TYPES[ext] ?? 'application/octet-stream'
+}
+
+function contentCategoryFor(mimeType: string): string {
+  if (mimeType.startsWith('image/')) return 'images'
+  if (mimeType.startsWith('video/')) return 'videos'
+  return 'documents'
+}
+
 function looksLikeEmail(value: string): boolean {
   return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)
 }