npm - agent-messenger - Versions diffs - 2.9.0 → 2.10.1 - Mend

agent-messenger 2.9.0 → 2.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (118) hide show

package/src/platforms/teams/token-extractor.ts CHANGED Viewed

@@ -55,9 +55,11 @@ export class TeamsTokenExtractor {
   private platform: NodeJS.Platform
   private decryptor: ChromiumCookieDecryptor
   private cookieReader: ChromiumCookieReader
+  private debugLog: ((message: string) => void) | null
-  constructor(platform?: NodeJS.Platform, keyCache?: DerivedKeyCache) {
+  constructor(platform?: NodeJS.Platform, keyCache?: DerivedKeyCache, debugLog?: (message: string) => void) {
     this.platform = platform ?? process.platform
+    this.debugLog = debugLog ?? null
     const resolvedKeyCache = keyCache ?? new DerivedKeyCache()
     this.decryptor = new ChromiumCookieDecryptor({
@@ -69,6 +71,10 @@ export class TeamsTokenExtractor {
     this.cookieReader = new ChromiumCookieReader()
   }
+  private debug(message: string): void {
+    this.debugLog?.(message)
+  }
   getDesktopCookiesPaths(): TeamsCookiePath[] {
     switch (this.platform) {
       case 'darwin': {
@@ -86,8 +92,11 @@ export class TeamsTokenExtractor {
         )
         return [
           { path: join(ebWebViewBase, 'WV2Profile_tfw', 'Cookies'), accountType: 'work' },
+          { path: join(ebWebViewBase, 'WV2Profile_tfw', 'Network', 'Cookies'), accountType: 'work' },
           { path: join(ebWebViewBase, 'WV2Profile_tfl', 'Cookies'), accountType: 'personal' },
+          { path: join(ebWebViewBase, 'WV2Profile_tfl', 'Network', 'Cookies'), accountType: 'personal' },
           { path: join(ebWebViewBase, 'Default', 'Cookies'), accountType: 'work' },
+          { path: join(ebWebViewBase, 'Default', 'Network', 'Cookies'), accountType: 'work' },
           {
             path: join(homedir(), 'Library', 'Application Support', 'Microsoft', 'Teams', 'Cookies'),
             accountType: 'work',
@@ -115,8 +124,11 @@ export class TeamsTokenExtractor {
         )
         return [
           { path: join(ebWebViewBase, 'WV2Profile_tfw', 'Cookies'), accountType: 'work' },
+          { path: join(ebWebViewBase, 'WV2Profile_tfw', 'Network', 'Cookies'), accountType: 'work' },
           { path: join(ebWebViewBase, 'WV2Profile_tfl', 'Cookies'), accountType: 'personal' },
+          { path: join(ebWebViewBase, 'WV2Profile_tfl', 'Network', 'Cookies'), accountType: 'personal' },
           { path: join(ebWebViewBase, 'Default', 'Cookies'), accountType: 'work' },
+          { path: join(ebWebViewBase, 'Default', 'Network', 'Cookies'), accountType: 'work' },
           { path: join(appdata, 'Microsoft', 'Teams', 'Cookies'), accountType: 'work' },
         ]
       }
@@ -197,17 +209,38 @@ export class TeamsTokenExtractor {
   private async extractFromCookiesDB(): Promise<ExtractedTeamsToken[]> {
     const results: ExtractedTeamsToken[] = []
     const seenAccountTypes = new Set<TeamsAccountType>()
+    const allPaths = this.getTeamsCookiesPaths()
+    this.debug(`Scanning ${allPaths.length} candidate cookie path(s)`)
+    for (const { path: dbPath, accountType } of allPaths) {
+      if (!dbPath) continue
+      if (!existsSync(dbPath)) {
+        this.debug(`  [skip] ${dbPath} (not found)`)
+        continue
+      }
+      if (seenAccountTypes.has(accountType)) {
+        this.debug(`  [skip] ${dbPath} (already have ${accountType} account)`)
+        continue
+      }
-    for (const { path: dbPath, accountType } of this.getTeamsCookiesPaths()) {
-      if (!dbPath || !existsSync(dbPath) || seenAccountTypes.has(accountType)) continue
+      this.debug(`  [try]  ${dbPath} (${accountType})`)
       const token = await this.copyAndExtract(dbPath)
       if (token && this.isValidSkypeToken(token)) {
+        this.debug(`  [ok]   Extracted valid token (${token.length} chars)`)
         results.push({ token, accountType })
         seenAccountTypes.add(accountType)
+      } else if (token) {
+        this.debug(`  [fail] Token too short (${token.length} chars, need >=50)`)
+      } else {
+        this.debug(`  [fail] No token extracted`)
       }
     }
+    this.debug(`Extraction complete: ${results.length} token(s) found`)
     return results
   }
@@ -216,11 +249,26 @@ export class TeamsTokenExtractor {
     try {
       tempPath = this.copyDatabaseToTemp(dbPath, dbPath)
-      const localStatePath =
-        this.platform === 'win32' ? (findLocalStatePath(dbPath) ?? this.getLocalStatePath()) : undefined
+      let localStatePath: string | undefined
+      if (this.platform === 'win32') {
+        localStatePath = findLocalStatePath(dbPath) ?? undefined
+        if (localStatePath) {
+          this.debug(`    Local State (from cookie path): ${localStatePath}`)
+        } else {
+          localStatePath = this.getLocalStatePath()
+          if (existsSync(localStatePath)) {
+            this.debug(`    Local State (fallback): ${localStatePath}`)
+          } else {
+            this.debug(`    Local State not found (tried fallback: ${localStatePath})`)
+            localStatePath = undefined
+          }
+        }
+      }
       return await this.extractFromSQLite(tempPath, localStatePath)
-    } catch {
+    } catch (error) {
+      this.debug(`    Copy/extract error: ${(error as Error).message}`)
       return null
     } finally {
       this.cleanupTempFile(tempPath)
@@ -231,27 +279,50 @@ export class TeamsTokenExtractor {
     try {
       for (const hostPattern of TEAMS_HOST_PATTERNS) {
         const sql = `
-          SELECT encrypted_value
+          SELECT value, encrypted_value
           FROM cookies
           WHERE name = '${SKYPETOKEN_COOKIE_NAME}'
           AND host_key LIKE '%${hostPattern}%'
           LIMIT 1
         `
-        type CookieRow = { encrypted_value?: Uint8Array | Buffer } | null
+        type CookieRow = { value?: string; encrypted_value?: Uint8Array | Buffer } | null
         const row = await this.cookieReader.queryFirst<CookieRow>(dbPath, sql)
-        if (!row?.encrypted_value) continue
+        if (!row) continue
+        if (row.value && row.value.length >= 50) {
+          this.debug(`    Found plaintext cookie for ${hostPattern} (${row.value.length} chars)`)
+          return row.value
+        }
+        if (!row.encrypted_value || row.encrypted_value.length === 0) {
+          this.debug(`    No cookie data for ${hostPattern}`)
+          continue
+        }
+        const encBuf = Buffer.from(row.encrypted_value)
+        const isEncrypted = this.isEncryptedValue(encBuf)
+        this.debug(
+          `    Found cookie for ${hostPattern}: ${encBuf.length} bytes, encrypted=${isEncrypted}, prefix=${encBuf.subarray(0, 3).toString('utf8')}`,
+        )
-        const decryptedBuf = this.decryptor.decryptCookieRaw(Buffer.from(row.encrypted_value), localStatePath)
-        if (!decryptedBuf) continue
+        const decryptedBuf = this.decryptor.decryptCookieRaw(encBuf, localStatePath)
+        if (!decryptedBuf) {
+          this.debug(`    Decryption failed`)
+          continue
+        }
+        this.debug(`    Decrypted: ${decryptedBuf.length} bytes`)
         const token = this.postProcessDecrypted(decryptedBuf)
         if (this.isValidSkypeToken(token)) return token
+        this.debug(`    Post-process result not a valid token (${token.length} chars)`)
       }
       return null
-    } catch {
+    } catch (error) {
+      this.debug(`    SQLite query error: ${(error as Error).message}`)
       return null
     }
   }

package/src/platforms/teams/types.test.ts CHANGED Viewed

@@ -203,6 +203,7 @@ test('TeamsConfigSchema validates config with multiple accounts', () => {
       work: {
         token: 'work_token',
         token_expires_at: '2024-01-01T00:00:00.000Z',
+        region: 'emea',
         account_type: 'work',
         user_name: 'Work User',
         current_team: '19:abc123@thread.tacv2',
@@ -224,6 +225,22 @@ test('TeamsConfigSchema validates config with multiple accounts', () => {
   expect(result.success).toBe(true)
 })
+test('TeamsConfigSchema rejects invalid region', () => {
+  const result = TeamsConfigSchema.safeParse({
+    current_account: 'work',
+    accounts: {
+      work: {
+        token: 'token_value',
+        region: 'invalid',
+        account_type: 'work',
+        current_team: null,
+        teams: {},
+      },
+    },
+  })
+  expect(result.success).toBe(false)
+})
 test('TeamsConfigSchema rejects missing required fields', () => {
   const result = TeamsConfigSchema.safeParse({
     current_account: null,

package/src/platforms/teams/types.ts CHANGED Viewed

@@ -55,9 +55,12 @@ export interface TeamsCredentials {
 export type TeamsAccountType = 'work' | 'personal'
+export type TeamsRegion = 'amer' | 'emea' | 'apac'
 export interface TeamsAccount {
   token: string
   token_expires_at?: string
+  region?: TeamsRegion
   account_type: TeamsAccountType
   user_name?: string
   current_team: string | null
@@ -141,9 +144,12 @@ export const TeamsCredentialsSchema = z.object({
 export const TeamsAccountTypeSchema = z.enum(['work', 'personal'])
+export const TeamsRegionSchema = z.enum(['amer', 'emea', 'apac'])
 export const TeamsAccountSchema = z.object({
   token: z.string(),
   token_expires_at: z.string().optional(),
+  region: TeamsRegionSchema.optional(),
   account_type: TeamsAccountTypeSchema,
   user_name: z.string().optional(),
   current_team: z.string().nullable(),

package/src/platforms/webex/client.test.ts CHANGED Viewed

@@ -1,6 +1,9 @@
 import { afterEach, beforeEach, describe, expect, test } from 'bun:test'
+import * as jose from 'node-jose'
 import { WebexClient } from './client'
+import { WebexEncryptionService } from './encryption'
 import { WebexError } from './types'
 describe('WebexClient', () => {
@@ -56,6 +59,17 @@ describe('WebexClient', () => {
       await expect(new WebexClient().login({ token: '' })).rejects.toThrow(WebexError)
       await expect(new WebexClient().login({ token: '' })).rejects.toThrow('Token is required')
     })
+    test('accepts deviceUrl and tokenType', async () => {
+      const client = await new WebexClient().login({
+        token: 'test-token',
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1',
+        tokenType: 'extracted',
+      })
+      expect(client).toBeInstanceOf(WebexClient)
+      expect((client as any).deviceUrl).toBe('https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1')
+      expect((client as any).tokenType).toBe('extracted')
+    })
   })
   describe('testAuth', () => {
@@ -84,6 +98,59 @@ describe('WebexClient', () => {
       const client = await new WebexClient().login({ token: 'bad-token' })
       await expect(client.testAuth()).rejects.toThrow(WebexError)
     })
+    test('falls back to internal API when public API fails for extracted tokens', async () => {
+      // given - public API rejects, internal API succeeds
+      mockResponse({ message: 'Unauthorized' }, 401)
+      fetchResponses.push(
+        new Response(JSON.stringify({ id: 'conv-1', activities: { items: [] } }), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        }),
+      )
+      const client = await new WebexClient().login({
+        token: 'extracted-token',
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1',
+        tokenType: 'extracted',
+      })
+      // when
+      const person = await client.testAuth()
+      // then - succeeds via internal API
+      expect(fetchCalls.length).toBe(2)
+      expect(fetchCalls[0].url).toBe('https://webexapis.com/v1/people/me')
+      expect(fetchCalls[1].url).toContain('conv-r.wbx2.com/conversation/api/v1/conversations')
+      expect(person).toBeTruthy()
+    })
+    test('throws when both public and internal APIs fail for extracted tokens', async () => {
+      // given - both APIs reject
+      mockResponse({ message: 'Unauthorized' }, 401)
+      fetchResponses.push(
+        new Response(JSON.stringify({ message: 'Unauthorized' }), {
+          status: 401,
+          headers: { 'Content-Type': 'application/json' },
+        }),
+      )
+      const client = await new WebexClient().login({
+        token: 'bad-extracted-token',
+        deviceUrl: 'https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1',
+        tokenType: 'extracted',
+      })
+      await expect(client.testAuth()).rejects.toThrow(WebexError)
+    })
+    test('does not use internal API fallback for non-extracted tokens', async () => {
+      mockResponse({ message: 'Unauthorized' }, 401)
+      const client = await new WebexClient().login({ token: 'bad-token' })
+      await expect(client.testAuth()).rejects.toThrow(WebexError)
+      expect(fetchCalls.length).toBe(1)
+    })
   })
   describe('listSpaces', () => {
@@ -402,10 +469,11 @@ describe('WebexClient', () => {
     })
     const createExtractedClient = async () => {
-      const client = await new WebexClient().login({ token: 'extracted-token' })
-      ;(client as any).deviceUrl = TEST_DEVICE_URL
-      ;(client as any).tokenType = 'extracted'
-      return client
+      return new WebexClient().login({
+        token: 'extracted-token',
+        deviceUrl: TEST_DEVICE_URL,
+        tokenType: 'extracted',
+      })
     }
     describe('sendMessage', () => {
@@ -419,7 +487,7 @@ describe('WebexClient', () => {
         expect(fetchCalls[0].options?.method).toBe('POST')
       })
-      test('body has verb, object type, displayName, and content', async () => {
+      test('body has verb, object type, and displayName (no content for plain text)', async () => {
         mockResponse(mockActivity('Hello world'))
         const client = await createExtractedClient()
@@ -429,7 +497,7 @@ describe('WebexClient', () => {
         expect(body.verb).toBe('post')
         expect(body.object.objectType).toBe('comment')
         expect(body.object.displayName).toBe('Hello world')
-        expect(body.object.content).toBe('Hello world')
+        expect(body.object.content).toBeUndefined()
       })
       test('body has target with decoded conv UUID and conversation type', async () => {
@@ -488,7 +556,7 @@ describe('WebexClient', () => {
         expect(body.object.markdown).toBeUndefined()
       })
-      test('markdown option does not affect plain text messages', async () => {
+      test('plain text messages omit content field', async () => {
         mockResponse(mockActivity('Hello world'))
         const client = await createExtractedClient()
@@ -496,7 +564,7 @@ describe('WebexClient', () => {
         const body = JSON.parse(fetchCalls[0].options?.body as string)
         expect(body.object.displayName).toBe('Hello world')
-        expect(body.object.content).toBe('Hello world')
+        expect(body.object.content).toBeUndefined()
       })
     })
@@ -620,8 +688,11 @@ describe('WebexClient', () => {
     })
     describe('editMessage', () => {
+      const mockEditActivity = (text: string, parentId = 'activity-123') =>
+        mockActivity(text, { parent: { id: parentId, type: 'edit' } })
       test('posts activity with verb post and parent edit reference', async () => {
-        mockResponse(mockActivity('Edited text'))
+        mockResponse(mockEditActivity('Edited text'))
         const client = await createExtractedClient()
         await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
@@ -631,8 +702,8 @@ describe('WebexClient', () => {
         expect(body.parent).toEqual({ id: 'activity-123', type: 'edit' })
       })
-      test('body has object with comment type and new text', async () => {
-        mockResponse(mockActivity('Edited text'))
+      test('plain text edit populates both displayName and content to avoid auto-tombstone', async () => {
+        mockResponse(mockEditActivity('Edited text'))
         const client = await createExtractedClient()
         await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
@@ -643,8 +714,18 @@ describe('WebexClient', () => {
         expect(body.object.content).toBe('Edited text')
       })
+      test('clientTempId uses -edit suffix to match Webex web client format', async () => {
+        mockResponse(mockEditActivity('Edited text'))
+        const client = await createExtractedClient()
+        await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
+        const body = JSON.parse(fetchCalls[0].options?.body as string)
+        expect(body.clientTempId).toMatch(/^tmp-\d+-edit$/)
+      })
       test('target has decoded conv UUID', async () => {
-        mockResponse(mockActivity('Edited text'))
+        mockResponse(mockEditActivity('Edited text'))
         const client = await createExtractedClient()
         await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
@@ -654,7 +735,7 @@ describe('WebexClient', () => {
       })
       test('markdown option converts content to HTML and strips displayName', async () => {
-        mockResponse(mockActivity('italic text'))
+        mockResponse(mockEditActivity('italic text'))
         const client = await createExtractedClient()
         await client.editMessage('activity-123', TEST_ROOM_ID, '_italic text_', { markdown: true })
@@ -664,6 +745,69 @@ describe('WebexClient', () => {
         expect(body.object.content).toBe('<em>italic text</em>')
         expect(body.object.markdown).toBeUndefined()
       })
+      test('tolerates responses that omit parent (minimal success shape)', async () => {
+        mockResponse(mockActivity('Edited text'))
+        const client = await createExtractedClient()
+        const message = await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
+        expect(message.id).toBe('activity-123')
+      })
+      test('throws when server returns activity linked to a different parent', async () => {
+        mockResponse(mockEditActivity('Edited text', 'activity-999'))
+        const client = await createExtractedClient()
+        await expect(client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')).rejects.toThrow(/Edit rejected/)
+      })
+    })
+    describe('encrypted send and edit', () => {
+      const TEST_KEY_URI = 'kms://kms-aore.wbx2.com/keys/test-key-id'
+      const decodeJweHeader = (jwe: string): Record<string, unknown> => {
+        const [header = ''] = jwe.split('.')
+        const padded = header + '='.repeat((4 - (header.length % 4)) % 4)
+        return JSON.parse(Buffer.from(padded, 'base64url').toString('utf8')) as Record<string, unknown>
+      }
+      const createEncryptedClient = async () => {
+        const keystore = jose.JWK.createKeyStore()
+        const key = await keystore.generate('oct', 256, { alg: 'A256GCM' })
+        const rawKeys = new Map<string, string>([[TEST_KEY_URI, JSON.stringify({ jwk: key.toJSON(true) })]])
+        const service = new WebexEncryptionService(rawKeys)
+        const client = await createExtractedClient()
+        ;(client as unknown as { encryption: WebexEncryptionService }).encryption = service
+        return client
+      }
+      test('plain text send omits content field on encrypted path (preserves prior fix)', async () => {
+        mockResponse({ id: TEST_CONV_UUID, defaultActivityEncryptionKeyUrl: TEST_KEY_URI })
+        mockResponse(mockActivity('Hello world'))
+        const client = await createEncryptedClient()
+        await client.sendMessage(TEST_ROOM_ID, 'Hello world')
+        const body = JSON.parse(fetchCalls[1].options?.body as string)
+        expect(body.object.content).toBeUndefined()
+        expect(body.object.displayName.startsWith('eyJ')).toBe(true)
+        expect(body.encryptionKeyUrl).toBe(TEST_KEY_URI)
+      })
+      test('plain text edit encrypts both displayName and content with kid in JWE header', async () => {
+        mockResponse({ id: TEST_CONV_UUID, defaultActivityEncryptionKeyUrl: TEST_KEY_URI })
+        mockResponse(mockActivity('Edited text', { parent: { id: 'activity-123', type: 'edit' } }))
+        const client = await createEncryptedClient()
+        await client.editMessage('activity-123', TEST_ROOM_ID, 'Edited text')
+        const body = JSON.parse(fetchCalls[1].options?.body as string)
+        expect(body.object.displayName.startsWith('eyJ')).toBe(true)
+        expect(body.object.content.startsWith('eyJ')).toBe(true)
+        expect(body.encryptionKeyUrl).toBe(TEST_KEY_URI)
+        expect(decodeJweHeader(body.object.displayName).kid).toBe(TEST_KEY_URI)
+        expect(decodeJweHeader(body.object.content).kid).toBe(TEST_KEY_URI)
+      })
     })
     describe('sendDirectMessage', () => {

package/src/platforms/webex/client.ts CHANGED Viewed

@@ -21,12 +21,14 @@ export class WebexClient {
   private globalRateLimitUntil: number = 0
   private encryption: WebexEncryptionService | null = null
-  async login(credentials?: { token: string }): Promise<this> {
+  async login(credentials?: { token: string; deviceUrl?: string; tokenType?: string }): Promise<this> {
     if (credentials) {
       if (!credentials.token) {
         throw new WebexError('Token is required', 'missing_token')
       }
       this.token = credentials.token
+      if (credentials.deviceUrl !== undefined) this.deviceUrl = credentials.deviceUrl
+      if (credentials.tokenType !== undefined) this.tokenType = credentials.tokenType
       return this
     }
@@ -161,9 +163,28 @@ export class WebexClient {
   }
   async testAuth(): Promise<WebexPerson> {
+    if (this.useInternalAPI) {
+      try {
+        return await this.request<WebexPerson>('GET', '/people/me')
+      } catch (err) {
+        const isAuthError = err instanceof WebexError && (err.code === 'http_401' || err.code === 'http_403')
+        if (!isAuthError) throw err
+        await this.testAuthInternal()
+        return { id: '', emails: [], displayName: '', orgId: '', type: 'person', created: '' } as WebexPerson
+      }
+    }
     return this.request<WebexPerson>('GET', '/people/me')
   }
+  private async testAuthInternal(): Promise<void> {
+    if (!this.deviceUrl) {
+      throw new WebexError('No device URL available for internal API validation', 'no_device_url')
+    }
+    await this.internalRequest<InternalConversation>(
+      '/conversations?participantsLimit=0&activitiesLimit=0&conversationsLimit=1',
+    )
+  }
   async listSpaces(options?: { type?: string; max?: number }): Promise<WebexSpace[]> {
     const params = new URLSearchParams()
     if (options?.type) params.set('type', options.type)
@@ -248,10 +269,15 @@ export class WebexClient {
   private async buildEncryptedObject(
     convUuid: string,
     text: string,
-    options?: { markdown?: boolean },
+    options?: { markdown?: boolean; forEdit?: boolean },
   ): Promise<{ object: Record<string, string>; encryptionKeyUrl?: string }> {
     const displayName = options?.markdown ? stripMarkdown(text) : text
-    const content = options?.markdown ? markdownToHtml(text) : text
+    let content: string | undefined
+    if (options?.markdown) {
+      content = markdownToHtml(text)
+    } else if (options?.forEdit) {
+      content = text
+    }
     if (this.encryption) {
       const conv = await this.internalRequest<InternalConversation>(
@@ -260,21 +286,25 @@ export class WebexClient {
       const keyUri = conv.defaultActivityEncryptionKeyUrl
       if (keyUri) {
         const encryptedDisplayName = await this.encryption.encryptText(keyUri, displayName)
-        const encryptedContent = await this.encryption.encryptText(keyUri, content)
-        if (encryptedDisplayName && encryptedContent) {
-          return {
-            object: {
-              objectType: 'comment',
-              displayName: encryptedDisplayName,
-              content: encryptedContent,
-            },
-            encryptionKeyUrl: keyUri,
+        const encryptedContent = content ? await this.encryption.encryptText(keyUri, content) : undefined
+        if (encryptedDisplayName) {
+          const object: Record<string, string> = {
+            objectType: 'comment',
+            displayName: encryptedDisplayName,
+          }
+          if (encryptedContent) {
+            object.content = encryptedContent
           }
+          return { object, encryptionKeyUrl: keyUri }
         }
       }
     }
-    return { object: { objectType: 'comment', displayName, content } }
+    const object: Record<string, string> = { objectType: 'comment', displayName }
+    if (content) {
+      object.content = content
+    }
+    return { object }
   }
   private async sendMessageInternal(
@@ -349,6 +379,11 @@ export class WebexClient {
     if (this.useInternalAPI) {
       const activity = await this.internalRequest<InternalActivity>(`/activities/${messageId}`)
       const convId = activity.target?.id ?? ''
+      // Internal API responses don't carry the cluster shard (e.g. `us-west-2_r`) the
+      // public roomId encoding requires. The `unknown` placeholder is a sentinel — it
+      // round-trips through other internal API calls because they decode only the
+      // conversation UUID suffix. Callers that need a public-API-safe roomId should
+      // obtain it from `listSpaces()` or pass it through from a prior `sendMessage`.
       const roomId = convId ? Buffer.from(`ciscospark://urn:TEAM:unknown/ROOM/${convId}`).toString('base64') : ''
       return this.activityToMessage(activity, roomId)
     }
@@ -381,14 +416,17 @@ export class WebexClient {
   ): Promise<WebexMessage> {
     if (this.useInternalAPI) {
       const convUuid = this.decodeConvUuid(roomId)
-      const { object, encryptionKeyUrl } = await this.buildEncryptedObject(convUuid, text, options)
+      const { object, encryptionKeyUrl } = await this.buildEncryptedObject(convUuid, text, {
+        ...options,
+        forEdit: true,
+      })
       const activity: Record<string, unknown> = {
         verb: 'post',
         object,
         target: { id: convUuid, objectType: 'conversation' },
         parent: { id: messageId, type: 'edit' },
-        clientTempId: `tmp-${Date.now()}`,
+        clientTempId: `tmp-${Date.now()}-edit`,
       }
       if (encryptionKeyUrl) {
@@ -399,6 +437,16 @@ export class WebexClient {
         method: 'POST',
         body: JSON.stringify(activity),
       })
+      // Tolerate responses that omit `parent` (server may return minimal shape) —
+      // only fail on an explicit mismatch between the echoed parent and the edited id.
+      if (result.parent && result.parent.id !== messageId) {
+        throw new WebexError(
+          `Edit rejected: server linked the new activity ${result.id} to ${result.parent.id} instead of ${messageId}.`,
+          'edit_failed',
+        )
+      }
       return this.activityToMessage(result, roomId)
     }
     const body = options?.markdown ? { roomId, markdown: text } : { roomId, text }
@@ -443,6 +491,7 @@ interface InternalActivity {
     encryptionKeyUrl?: string
   }
   target?: { id: string; encryptionKeyUrl?: string }
+  parent?: { id: string; type: string }
   published: string
   encryptionKeyUrl?: string
 }