agent-messenger 2.23.6 → 2.24.1

package/skills/agent-slack/references/authentication.md

@@ -34,6 +34,35 @@ This command:
 
 Use `--browser-profile <path>` for agent-browser profiles, custom Chrome user data dirs, or portable browser profiles. The option can be repeated or given comma-separated paths, and explicit paths are included even when desktop credentials are also present.
 
+### QR Code Sign-In
+
+When the desktop app isn't installed and browser extraction isn't an option, you can sign in with a QR code from a device where you're already logged into Slack. This runs entirely over HTTP — no browser automation:
+
+```bash
+# In Slack (desktop or web): your name (top-left) → "Sign in on mobile".
+# Right-click the QR code → "Copy Image Address", then pipe it in:
+pbpaste | agent-slack auth qr
+
+# Or pass the data URL directly:
+agent-slack auth qr "data:image/png;base64,iVBORw0KGgo..."
+
+# Show each redirect hop while debugging:
+agent-slack auth qr --debug
+```
+
+How it works:
+
+1. Decodes the QR image (a `data:image/png;base64,...` string) to its one-time `z-app-` login URL
+2. Follows Slack's server-side redirect chain, capturing the session `d` cookie (`xoxd-...`)
+3. Retrieves the matching `xoxc-` client token from the established session
+4. Validates against the Slack API and stores credentials like `auth extract`
+
+Notes:
+
+- The QR link is **single-use** — if it expires, generate a fresh one from Slack's "Sign in on mobile" screen.
+- No Chrome/Chromium or desktop app is required; the flow uses plain HTTP requests.
+- Works with workspaces that allow password/email sign-in. SSO-only / Enterprise Grid workspaces that disable the mobile QR flow are not supported.
+
 ### Platform-Specific Paths
 
 **macOS (Direct Download):**

package/skills/agent-slackbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-slackbot
 description: Interact with Slack workspaces using bot tokens - send messages, read channels, manage reactions
-version: 2.23.6
+version: 2.24.1
 allowed-tools: Bash(agent-slackbot:*)
 metadata:
   openclaw:

package/skills/agent-teams/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-teams
 description: Interact with Microsoft Teams - send messages, read channels, manage reactions
-version: 2.23.6
+version: 2.24.1
 allowed-tools: Bash(agent-teams:*)
 metadata:
   openclaw:

package/skills/agent-telegram/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegram
 description: Interact with Telegram through TDLib - authenticate, inspect chats, and send messages
-version: 2.23.6
+version: 2.24.1
 allowed-tools: Bash(agent-telegram:*)
 ---
 

package/skills/agent-telegrambot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegrambot
 description: Interact with Telegram using bot tokens - send messages, read chats, manage reactions
-version: 2.23.6
+version: 2.24.1
 allowed-tools: Bash(agent-telegrambot:*)
 metadata:
   openclaw:

package/skills/agent-webex/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-webex
 description: Interact with Cisco Webex - send messages, read spaces, manage memberships
-version: 2.23.6
+version: 2.24.1
 allowed-tools: Bash(agent-webex:*)
 metadata:
   openclaw:

package/skills/agent-webexbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-webexbot
 description: Interact with Cisco Webex using bot tokens - send messages, reply in threads, upload and download files, look up people, read spaces, manage memberships, stream real-time events
-version: 2.23.6
+version: 2.24.1
 allowed-tools: Bash(agent-webexbot:*)
 metadata:
   openclaw:

package/skills/agent-wechatbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-wechatbot
 description: Interact with WeChat Official Account using API credentials - send messages, manage templates, list followers
-version: 2.23.6
+version: 2.24.1
 allowed-tools: Bash(agent-wechatbot:*)
 metadata:
   openclaw:

package/skills/agent-whatsapp/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsapp
 description: Interact with WhatsApp - send messages, read chats, manage conversations
-version: 2.23.6
+version: 2.24.1
 allowed-tools: Bash(agent-whatsapp:*)
 metadata:
   openclaw:

package/skills/agent-whatsappbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsappbot
 description: Interact with WhatsApp using Cloud API credentials - send messages, manage templates
-version: 2.23.6
+version: 2.24.1
 allowed-tools: Bash(agent-whatsappbot:*)
 metadata:
   openclaw:

package/src/platforms/channeltalk/token-extractor.test.ts

@@ -457,8 +457,8 @@ async function createCookieDatabase(
 
   const { createRequire } = await import('node:module')
   const req = createRequire(import.meta.url)
-  const Database = req('better-sqlite3')
-  const db = new Database(dbPath)
+  const { DatabaseSync } = req('node:sqlite')
+  const db = new DatabaseSync(dbPath)
   db.exec('CREATE TABLE cookies (name TEXT, value TEXT, encrypted_value BLOB, host_key TEXT)')
   const statement = db.prepare('INSERT INTO cookies (name, value, encrypted_value, host_key) VALUES (?, ?, ?, ?)')
   for (const row of rows) {

package/src/platforms/kakaotalk/token-extractor.ts

@@ -1,12 +1,11 @@
 import { execSync } from 'node:child_process'
 import { copyFileSync, existsSync, readFileSync, rmSync } from 'node:fs'
-import { createRequire } from 'node:module'
 import { homedir, tmpdir } from 'node:os'
 import { join } from 'node:path'
 
-import type { ExtractedKakaoToken } from './types'
+import { openReadonlyDatabase } from '@/shared/sqlite'
 
-const require = createRequire(import.meta.url)
+import type { ExtractedKakaoToken } from './types'
 
 export class KakaoTokenExtractor {
   private platform: NodeJS.Platform
@@ -106,23 +105,12 @@ export class KakaoTokenExtractor {
       time_stamp: number
     }
 
+    const db = openReadonlyDatabase(dbPath)
     let rows: CacheRow[]
-    if (typeof globalThis.Bun !== 'undefined') {
-      const { Database } = require('bun:sqlite')
-      const db = new Database(dbPath, { readonly: true })
-      try {
-        rows = db.query(sql).all() as CacheRow[]
-      } finally {
-        db.close()
-      }
-    } else {
-      const Database = require('better-sqlite3')
-      const db = new Database(dbPath, { readonly: true })
-      try {
-        rows = db.prepare(sql).all() as CacheRow[]
-      } finally {
-        db.close()
-      }
+    try {
+      rows = db.prepare(sql).all() as CacheRow[]
+    } finally {
+      db.close()
     }
 
     this.debug(`Found ${rows.length} cached request(s) to kakao.com`)
@@ -166,24 +154,13 @@ export class KakaoTokenExtractor {
     `
 
     type CacheRow = { request_object: Uint8Array | Buffer | null; request_key: string }
-    let authRows: CacheRow[]
 
-    if (typeof globalThis.Bun !== 'undefined') {
-      const { Database } = require('bun:sqlite')
-      const db = new Database(dbPath, { readonly: true })
-      try {
-        authRows = db.query(sql).all() as CacheRow[]
-      } finally {
-        db.close()
-      }
-    } else {
-      const Database = require('better-sqlite3')
-      const db = new Database(dbPath, { readonly: true })
-      try {
-        authRows = db.prepare(sql).all() as CacheRow[]
-      } finally {
-        db.close()
-      }
+    const db = openReadonlyDatabase(dbPath)
+    let authRows: CacheRow[]
+    try {
+      authRows = db.prepare(sql).all() as CacheRow[]
+    } finally {
+      db.close()
     }
 
     for (const row of authRows) {

package/src/platforms/slack/commands/auth.ts

@@ -8,7 +8,9 @@ import { debug } from '@/shared/utils/stderr'
 
 import { SlackClient, SlackError } from '../client'
 import { CredentialManager } from '../credential-manager'
-import { refreshCookie, tryWebTokenRefresh } from '../ensure-auth'
+import { refreshCookie, refreshKnownWorkspaceDomains, tryWebTokenRefresh } from '../ensure-auth'
+import type { RefreshResult } from '../ensure-auth'
+import { loginWithQr } from '../qr-http-login'
 import { type ExtractedWorkspace, TokenExtractor } from '../token-extractor'
 
 export function formatCredentialDebug(ws: ExtractedWorkspace, showSecrets?: boolean): string {
@@ -79,6 +81,8 @@ async function extractAction(options: {
 
     const validWorkspaces = []
     const failureReasons: string[] = []
+    const resolvedTeamIds = new Set<string>()
+    const refreshCache = new Map<string, RefreshResult | null>()
     for (const ws of workspaces) {
       if (options.debug) {
         debug(`[debug] Testing credentials for ${ws.workspace_id}...`)
@@ -87,10 +91,14 @@ async function extractAction(options: {
       try {
         const client = await new SlackClient().login({ token: ws.token, cookie: ws.cookie })
         const authInfo = await client.testAuth()
+        if (!authInfo.team_id) throw new SlackError('testAuth returned empty team_id', 'invalid_auth')
         ws.workspace_id = authInfo.team_id
         ws.workspace_name = authInfo.team || ws.workspace_name
-        validWorkspaces.push(ws)
-        await credManager.setWorkspace(ws)
+        if (!resolvedTeamIds.has(ws.workspace_id)) {
+          resolvedTeamIds.add(ws.workspace_id)
+          validWorkspaces.push(ws)
+          await credManager.setWorkspace(ws)
+        }
 
         if (options.debug) {
           debug(`[debug] ✓ Valid: ${authInfo.team} (${authInfo.user})`)
@@ -111,11 +119,12 @@ async function extractAction(options: {
             : `${ws.workspace_id} (trying all known domains)`
           debug(`[debug] Attempting web token refresh for ${target}...`)
         }
-        const refreshed = await tryWebTokenRefresh(ws, workspaceDomains)
-        if (refreshed) {
+        const refreshed = await tryWebTokenRefresh(ws, workspaceDomains, { resolvedTeamIds, refreshCache })
+        if (refreshed && !resolvedTeamIds.has(refreshed.workspace_id)) {
           ws.token = refreshed.token
           ws.workspace_id = refreshed.workspace_id
           ws.workspace_name = refreshed.workspace_name
+          resolvedTeamIds.add(ws.workspace_id)
           validWorkspaces.push(ws)
           await credManager.setWorkspace(ws)
 
@@ -128,6 +137,26 @@ async function extractAction(options: {
       }
     }
 
+    for (const cookie of new Set(workspaces.map((ws) => ws.cookie).filter(Boolean))) {
+      const enumerated = await refreshKnownWorkspaceDomains(cookie, workspaceDomains, {
+        resolvedTeamIds,
+        refreshCache,
+      })
+      for (const result of enumerated) {
+        const ws: ExtractedWorkspace = {
+          workspace_id: result.workspace_id,
+          workspace_name: result.workspace_name,
+          token: result.token,
+          cookie,
+        }
+        validWorkspaces.push(ws)
+        await credManager.setWorkspace(ws)
+        if (options.debug) {
+          debug(`[debug] ✓ Recovered via domain enumeration: ${result.workspace_id}/${result.workspace_name}`)
+        }
+      }
+    }
+
     if (validWorkspaces.length === 0) {
       const errorMessage = getExtractionErrorMessage(failureReasons)
       console.log(
@@ -230,6 +259,70 @@ async function statusAction(options: { pretty?: boolean }): Promise<void> {
   }
 }
 
+async function qrAction(imageArg: string | undefined, options: { pretty?: boolean; debug?: boolean }): Promise<void> {
+  try {
+    const dataUrl = imageArg ?? (await readStdin())
+    if (!dataUrl) {
+      console.log(
+        formatOutput(
+          {
+            error: 'No QR image provided. Pass the copied QR image data URL as an argument, or pipe it via stdin.',
+            hint: 'In Slack: your name (top-left) → "Sign in on mobile" → right-click the QR → Copy Image Address.',
+          },
+          options.pretty,
+        ),
+      )
+      process.exit(1)
+    }
+
+    const debugLog = options.debug ? (msg: string) => debug(`[debug] ${msg}`) : undefined
+    const session = await loginWithQr(dataUrl, { debug: debugLog })
+
+    const client = await new SlackClient().login({ token: session.token, cookie: session.cookie })
+    const authInfo = await client.testAuth()
+
+    const credManager = new CredentialManager()
+    const workspace: ExtractedWorkspace = {
+      workspace_id: authInfo.team_id,
+      workspace_name: authInfo.team || session.workspace,
+      token: session.token,
+      cookie: session.cookie,
+    }
+    await credManager.setWorkspace(workspace)
+
+    const config = await credManager.load()
+    if (!config.current_workspace) {
+      await credManager.setCurrentWorkspace(workspace.workspace_id)
+    }
+
+    console.log(
+      formatOutput(
+        {
+          workspace: `${workspace.workspace_id}/${workspace.workspace_name}`,
+          user: authInfo.user,
+          current: (await credManager.load()).current_workspace,
+        },
+        options.pretty,
+      ),
+    )
+  } catch (error) {
+    handleError(error as Error)
+  }
+}
+
+function readStdin(): Promise<string> {
+  if (process.stdin.isTTY) return Promise.resolve('')
+  return new Promise((resolve) => {
+    let data = ''
+    process.stdin.setEncoding('utf8')
+    process.stdin.on('data', (chunk) => {
+      data += chunk
+    })
+    process.stdin.on('end', () => resolve(data))
+    process.stdin.on('error', () => resolve(data))
+  })
+}
+
 export function getExtractionErrorMessage(failureReasons: string[]): string {
   if (failureReasons.includes('missing_cookie')) {
     return 'Cookie extraction failed. Grant Keychain access when prompted, and make sure you are signed into Slack in the desktop app or a supported Chromium browser.'
@@ -260,6 +353,14 @@ export const authCommand = new Command('auth')
       .option('--unsafely-show-secrets', 'Show full token and cookie values in debug output')
       .action((options: BrowserProfileOption & Parameters<typeof extractAction>[0]) => extractAction(options)),
   )
+  .addCommand(
+    new Command('qr')
+      .description('Sign in by pasting a QR code from Slack\u2019s "Sign in on mobile" screen')
+      .argument('[image]', 'QR image data URL (data:image/png;base64,...); read from stdin if omitted')
+      .option('--pretty', 'Pretty print JSON output')
+      .option('--debug', 'Show debug output for troubleshooting')
+      .action(qrAction),
+  )
   .addCommand(
     new Command('logout')
       .description('Logout from workspace')

package/src/platforms/slack/ensure-auth.test.ts

@@ -2,7 +2,7 @@ import { afterEach, beforeEach, describe, expect, spyOn, it } from 'bun:test'
 
 import { SlackClient } from './client'
 import { CredentialManager } from './credential-manager'
-import { ensureSlackAuth, refreshTokenFromWeb } from './ensure-auth'
+import { ensureSlackAuth, refreshKnownWorkspaceDomains, refreshTokenFromWeb, tryWebTokenRefresh } from './ensure-auth'
 import { TokenExtractor } from './token-extractor'
 
 let getWorkspaceSpy: ReturnType<typeof spyOn>
@@ -358,8 +358,8 @@ describe('ensureSlackAuth', () => {
     )
   })
 
-  it('stops trying domains once a refresh+verify succeeds', async () => {
-    // given — exact-match domain succeeds on first attempt; the fallback domain must not be fetched
+  it('enumerates all known domains to recover every authenticatable workspace', async () => {
+    // given — one stale extracted token, but the cookie is valid for two workspaces
     extractSpy.mockResolvedValue([
       { workspace_id: 'T_TARGET', workspace_name: 'target', token: 'xoxc-stale', cookie: 'xoxd-valid' },
     ])
@@ -368,21 +368,27 @@ describe('ensureSlackAuth', () => {
       T_OTHER: 'other-domain',
     })
 
-    fetchSpy.mockResolvedValue(new Response('<html>"api_token":"xoxc-fresh"</html>', { status: 200 }))
+    fetchSpy.mockImplementation((url: string) => {
+      if (url.startsWith('https://target-domain.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-target"</html>', { status: 200 }))
+      }
+      if (url.startsWith('https://other-domain.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-other"</html>', { status: 200 }))
+      }
+      return Promise.resolve(new Response('', { status: 500 }))
+    })
 
     authResponseByToken({
-      'xoxc-fresh': { team_id: 'T_TARGET', team: 'Target' },
+      'xoxc-fresh-target': { team_id: 'T_TARGET', team: 'Target' },
+      'xoxc-fresh-other': { team_id: 'T_OTHER', team: 'Other' },
     })
 
     // when
     await ensureSlackAuth()
 
-    // then — the exact-match domain is tried, fallback domain is not
-    expect(fetchSpy).toHaveBeenCalledWith(
-      'https://target-domain.slack.com/ssb/redirect',
-      expect.objectContaining({ headers: { Cookie: 'd=xoxd-valid' } }),
-    )
-    expect(fetchSpy).not.toHaveBeenCalledWith('https://other-domain.slack.com/ssb/redirect', expect.anything())
+    // then — both workspaces are recovered from the single cookie, each saved once
+    const savedIds = setWorkspaceSpy.mock.calls.map((c) => (c[0] as { workspace_id: string }).workspace_id)
+    expect(savedIds.sort()).toEqual(['T_OTHER', 'T_TARGET'])
   })
 
   it('returns failure when no known domain validates the cookie', async () => {
@@ -496,26 +502,131 @@ describe('ensureSlackAuth', () => {
     expect(refreshCalls.length).toBe(2)
   })
 
-  it('caps domain attempts at MAX_DOMAIN_ATTEMPTS', async () => {
-    // given — 20 candidate domains; only the first 16 should be attempted
-    extractSpy.mockResolvedValue([
-      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale', cookie: 'xoxd-valid' },
-    ])
+  it('caps single-candidate fallback at MAX_DOMAIN_ATTEMPTS', async () => {
+    // given — 20 candidate domains; the per-token fallback only probes the first 16
     const manyDomains: Record<string, string> = {}
     for (let i = 0; i < 20; i++) manyDomains[`T_${i}`] = `dom${i}`
-    getWorkspaceDomainsSpy.mockReturnValue(manyDomains)
-
     fetchSpy.mockResolvedValue(new Response('', { status: 500 }))
     testAuthSpy.mockRejectedValue(new Error('invalid_auth'))
 
     // when
-    await ensureSlackAuth()
+    await tryWebTokenRefresh(
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale', cookie: 'xoxd-valid' },
+      manyDomains,
+    )
 
     // then — exactly 16 refresh attempts
     const refreshCalls = fetchSpy.mock.calls.filter((c) => String(c[0]).includes('/ssb/redirect'))
     expect(refreshCalls.length).toBe(16)
   })
 
+  it('enumerates ALL known domains without the MAX_DOMAIN_ATTEMPTS cap', async () => {
+    // given — 20 candidate domains; enumeration must probe every one
+    const manyDomains: Record<string, string> = {}
+    for (let i = 0; i < 20; i++) manyDomains[`T_${i}`] = `dom${i}`
+    fetchSpy.mockResolvedValue(new Response('', { status: 500 }))
+    testAuthSpy.mockRejectedValue(new Error('invalid_auth'))
+
+    // when
+    await refreshKnownWorkspaceDomains('xoxd-valid', manyDomains)
+
+    // then — all 20 domains attempted
+    const refreshCalls = fetchSpy.mock.calls.filter((c) => String(c[0]).includes('/ssb/redirect'))
+    expect(refreshCalls.length).toBe(20)
+  })
+
+  it('dedupes by verified team_id even when no context is supplied', async () => {
+    // given — two domains whose cookie verifies to the same team_id, called without a context set
+    getWorkspaceDomainsSpy.mockReturnValue({})
+    fetchSpy.mockImplementation((url: string) => {
+      if (url.startsWith('https://primary.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-primary"</html>', { status: 200 }))
+      }
+      if (url.startsWith('https://alias.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-alias"</html>', { status: 200 }))
+      }
+      return Promise.resolve(new Response('', { status: 500 }))
+    })
+    authResponseByToken({
+      'xoxc-fresh-primary': { team_id: 'T_SAME', team: 'Same' },
+      'xoxc-fresh-alias': { team_id: 'T_SAME', team: 'Same' },
+    })
+
+    // when
+    const results = await refreshKnownWorkspaceDomains('xoxd-valid', { T_A: 'primary', T_B: 'alias' })
+
+    // then — the duplicate team is returned only once
+    expect(results.map((r) => r.workspace_id)).toEqual(['T_SAME'])
+  })
+
+  it('recovers all workspaces from one cookie when only one token is extracted', async () => {
+    // given — extractor yields one token deduped into two entries (one with a team id, one unknown),
+    // both sharing a single cookie that is valid for five workspaces
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'T1', workspace_name: 'unknown', token: 'xoxc-shared', cookie: 'xoxd-valid' },
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-shared', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({
+      T1: 'one',
+      T2: 'two',
+      T3: 'three',
+      T4: 'four',
+      T5: 'five',
+    })
+
+    const domainToToken: Record<string, string> = {
+      one: 'xoxc-fresh-1',
+      two: 'xoxc-fresh-2',
+      three: 'xoxc-fresh-3',
+      four: 'xoxc-fresh-4',
+      five: 'xoxc-fresh-5',
+    }
+    fetchSpy.mockImplementation((url: string) => {
+      const domain = String(url).match(/https:\/\/([^.]+)\.slack\.com/)?.[1] ?? ''
+      const token = domainToToken[domain]
+      return Promise.resolve(
+        token
+          ? new Response(`<html>"api_token":"${token}"</html>`, { status: 200 })
+          : new Response('', { status: 500 }),
+      )
+    })
+    authResponseByToken({
+      'xoxc-shared': new Error('invalid_auth'),
+      'xoxc-fresh-1': { team_id: 'T1', team: 'one' },
+      'xoxc-fresh-2': { team_id: 'T2', team: 'two' },
+      'xoxc-fresh-3': { team_id: 'T3', team: 'three' },
+      'xoxc-fresh-4': { team_id: 'T4', team: 'four' },
+      'xoxc-fresh-5': { team_id: 'T5', team: 'five' },
+    })
+
+    // when
+    await ensureSlackAuth()
+
+    // then — all five teams recovered, each saved exactly once
+    const savedIds = setWorkspaceSpy.mock.calls.map((c) => (c[0] as { workspace_id: string }).workspace_id)
+    expect(savedIds.sort()).toEqual(['T1', 'T2', 'T3', 'T4', 'T5'])
+  })
+
+  it('keeps a valid extracted token without overwriting it via enumeration', async () => {
+    // given — a single extracted token that authenticates directly
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'T1', workspace_name: 'ws1', token: 'xoxc-good', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({ T1: 'one' })
+    authResponseByToken({
+      'xoxc-good': { team_id: 'T1', team: 'ws1' },
+      'xoxc-fresh-1': { team_id: 'T1', team: 'ws1' },
+    })
+    fetchSpy.mockResolvedValue(new Response('<html>"api_token":"xoxc-fresh-1"</html>', { status: 200 }))
+
+    // when
+    await ensureSlackAuth()
+
+    // then — saved once with the original valid token, not the web-refreshed one
+    expect(setWorkspaceSpy).toHaveBeenCalledTimes(1)
+    expect(setWorkspaceSpy).toHaveBeenCalledWith(expect.objectContaining({ workspace_id: 'T1', token: 'xoxc-good' }))
+  })
+
   it('skips web refresh when workspace has no cookie', async () => {
     // given — cookie is empty
     extractSpy.mockResolvedValue([

package/src/platforms/slack/ensure-auth.ts

@@ -50,6 +50,23 @@ export async function ensureSlackAuth(): Promise<void> {
       }
     }
 
+    for (const cookie of new Set(workspaces.map((ws) => ws.cookie).filter(Boolean))) {
+      const enumerated = await refreshKnownWorkspaceDomains(cookie, workspaceDomains, {
+        resolvedTeamIds,
+        refreshCache,
+      })
+      for (const result of enumerated) {
+        const ws: ExtractedWorkspace = {
+          workspace_id: result.workspace_id,
+          workspace_name: result.workspace_name,
+          token: result.token,
+          cookie,
+        }
+        await credManager.setWorkspace(ws)
+        validWorkspaces.push(ws)
+      }
+    }
+
     const config = await credManager.load()
     if (!config.current_workspace && validWorkspaces.length > 0) {
       await credManager.setCurrentWorkspace(validWorkspaces[0].workspace_id)
@@ -78,6 +95,40 @@ export type RefreshContext = {
   refreshCache?: Map<string, RefreshResult | null>
 }
 
+// A single valid Slack `d` cookie can authenticate every workspace the user is signed into.
+// Given the workspace->domain map from root-state.json, enumerate ALL known domains via web
+// refresh so that workspaces without their own extracted xoxc token are still recovered. The
+// number of recoverable workspaces must not be bounded by the number of extracted token blobs.
+export async function refreshKnownWorkspaceDomains(
+  cookie: string,
+  workspaceDomains: Record<string, string>,
+  context: RefreshContext = {},
+): Promise<RefreshResult[]> {
+  if (!cookie) return []
+
+  const resolvedTeamIds = context.resolvedTeamIds ?? new Set<string>()
+  const results: RefreshResult[] = []
+  for (const domain of Object.values(workspaceDomains)) {
+    if (!SLACK_DOMAIN_REGEX.test(domain)) continue
+
+    const cacheKey = `${cookie}\u0000${domain}`
+    let result: RefreshResult | null
+    const cached = context.refreshCache?.get(cacheKey)
+    if (cached !== undefined) {
+      result = cached
+    } else {
+      result = await refreshAndVerify(cookie, domain, domain)
+      context.refreshCache?.set(cacheKey, result)
+    }
+
+    if (!result) continue
+    if (resolvedTeamIds.has(result.workspace_id)) continue
+    resolvedTeamIds.add(result.workspace_id)
+    results.push(result)
+  }
+  return results
+}
+
 export async function tryWebTokenRefresh(
   ws: ExtractedWorkspace,
   workspaceDomains: Record<string, string>,
@@ -145,9 +196,13 @@ async function refreshAndVerify(cookie: string, domain: string, fallbackName: st
 
 const TOKEN_REGEX = /"api_token":"(xoxc-[a-zA-Z0-9-]+)"/
 
-export async function refreshTokenFromWeb(domain: string, cookie: string): Promise<string | null> {
+export async function refreshTokenFromWeb(
+  domain: string,
+  cookie: string,
+  fetchImpl: typeof fetch = fetch,
+): Promise<string | null> {
   try {
-    const response = await fetch(`https://${domain}.slack.com/ssb/redirect`, {
+    const response = await fetchImpl(`https://${domain}.slack.com/ssb/redirect`, {
       headers: { Cookie: `d=${cookie}` },
       redirect: 'follow',
     })