feishu-user-plugin 1.3.6 → 1.3.8

package/src/auth/profile-router.js

@@ -0,0 +1,248 @@
+// src/auth/profile-router.js — multi-profile auto-switch middleware (v1.3.8).
+//
+// Wraps the MCP CallToolRequestSchema dispatcher. For READ-ONLY tools that
+// fail with a permission-denied / forbidden error, we transparently retry the
+// call with another profile (if more than one is configured) and remember the
+// winner via credentials.profileHints.
+//
+// Intentionally DOES NOT touch write paths. A user wanting auto-switch on a
+// write must opt in explicitly: pass `via_profile: "auto"` in the tool args.
+//
+// What this owns:
+//   - READ_ONLY_TOOLS whitelist (name prefix + manage_bitable_* read-action override)
+//   - SWITCH_TRIGGERING_PATTERNS (error code / message regex set)
+//   - extractResourceKey(name, args) — resourceKey for hinting
+//   - profileOrder(name, args, hints, ctx) — ordered list of profiles to try
+//   - withProfileRouting(ctx, name, args, callHandler) — the main wrapper
+//
+// What it does NOT own:
+//   - The actual setActiveProfile / cache-invalidate (delegated to ctx).
+//   - Persistence of hints (delegates to auth/credentials).
+
+const credentials = require('./credentials');
+
+// --- Whitelist ---
+
+const READ_ONLY_PREFIXES = ['read_', 'list_', 'get_', 'search_', 'download_'];
+
+// Explicit allowlist for manage_*/check_* tools whose action arg is read-only.
+// Each entry: tool name → predicate(args) returns true if THIS call is read-only.
+const READ_ONLY_OVERRIDES = {
+  manage_bitable_app:    (a) => a?.action === 'get_meta',
+  manage_bitable_table:  (a) => a?.action === 'list',
+  manage_bitable_field:  (a) => a?.action === 'list',
+  manage_bitable_view:   (a) => a?.action === 'list',
+  manage_bitable_record: (a) => a?.action === 'search',
+};
+
+function isReadOnlyCall(name, args) {
+  if (READ_ONLY_PREFIXES.some(p => name.startsWith(p))) return true;
+  const override = READ_ONLY_OVERRIDES[name];
+  if (override && override(args)) return true;
+  return false;
+}
+
+// --- Error classification ---
+
+const SWITCH_CODES = new Set([
+  91403,    // wiki / docx no permission
+  1254301,  // bitable no permission
+  1254000,  // bitable access denied
+  99991672, // OAuth scope not granted (user-side)
+  403,      // generic HTTP forbidden
+]);
+
+const SWITCH_PATTERNS = [
+  /access[_ ]?denied/i,
+  /permission[_ ]?denied/i,
+  /docx_no_permission/i,
+  /no permission/i,
+  /not authorized/i,
+  /forbidden/i,
+  /HTTP 403/i,
+];
+
+function shouldSwitchOnError(err) {
+  const msg = (err?.message || String(err) || '').toLowerCase();
+  // Code-form: "(91403)", "code=1254301", "(HTTP 403, ...)"
+  const codeMatch = msg.match(/\b(?:code[=(]|http\s+)(\d+)/i) || msg.match(/\((\d{3,7})(?:,|\))/);
+  if (codeMatch) {
+    const code = parseInt(codeMatch[1], 10);
+    if (SWITCH_CODES.has(code)) return { yes: true, reason: `code=${code}` };
+  }
+  for (const re of SWITCH_PATTERNS) {
+    if (re.test(msg)) return { yes: true, reason: re.source };
+  }
+  return { yes: false, reason: null };
+}
+
+// --- Resource key extraction ---
+
+// Mapping: arg field name → resourceKey kind. Order matters — first match wins.
+const RESOURCE_FIELDS = [
+  { field: 'document_id', kind: 'doc' },
+  { field: 'doc_token',   kind: 'doc' },
+  { field: 'app_token',   kind: 'app' },
+  { field: 'space_id',    kind: 'wiki' },
+  { field: 'node_token',  kind: 'wiki' },
+  { field: 'wiki_token',  kind: 'wiki' },
+  { field: 'chat_id',     kind: 'chat' },
+  { field: 'user_id',     kind: 'user' },
+  { field: 'open_id',     kind: 'user' },
+  { field: 'file_token',  kind: 'file' },
+  { field: 'image_token', kind: 'file' },
+  { field: 'message_id',  kind: 'msg' },
+];
+
+function extractResourceKey(args) {
+  if (!args || typeof args !== 'object') return null;
+  for (const { field, kind } of RESOURCE_FIELDS) {
+    const v = args[field];
+    if (typeof v === 'string' && v) return `${kind}:${v}`;
+  }
+  return null;
+}
+
+// --- Profile order ---
+
+function profileOrder(name, args, ctx) {
+  const all = ctx.listProfiles();
+  if (all.length <= 1) return all;
+  const active = ctx.getActiveProfile();
+  const resourceKey = extractResourceKey(args);
+  const hints = credentials.getProfileHints();
+  const hinted = resourceKey ? hints[resourceKey] : null;
+
+  // Order: [hinted (if !active && exists), active, ...rest]
+  // We always try active first when there's no hint or the hint matches active —
+  // this preserves "your current profile is the default attempt" UX. When the
+  // hint differs from active, we skip active for the FIRST attempt because the
+  // hint is empirically known to work (or used to).
+  const order = [];
+  const seen = new Set();
+  const push = (p) => { if (p && all.includes(p) && !seen.has(p)) { order.push(p); seen.add(p); } };
+
+  if (hinted && hinted !== active) push(hinted);
+  push(active);
+  for (const p of [...all].sort()) push(p);
+  return order;
+}
+
+// --- Main wrapper ---
+
+async function withProfileRouting(ctx, name, args, callHandler) {
+  // Bail out early when there's nothing to switch to or this is a write.
+  const all = ctx.listProfiles();
+  const isMultiProfile = all.length > 1;
+
+  // Explicit override: via_profile arg pins (or unlocks auto-switch on writes).
+  let viaProfileArg = null;
+  if (args && typeof args === 'object' && typeof args.via_profile === 'string') {
+    viaProfileArg = args.via_profile;
+  }
+
+  const allowAuto = isMultiProfile && (
+    isReadOnlyCall(name, args) || viaProfileArg === 'auto'
+  );
+
+  if (!allowAuto) {
+    // Single-profile or write: just call once.
+    if (viaProfileArg && viaProfileArg !== 'auto') {
+      // Explicit pin
+      if (!all.includes(viaProfileArg)) {
+        return { content: [{ type: 'text', text: `via_profile: "${viaProfileArg}" not found. Available: ${all.join(', ')}.` }], isError: true };
+      }
+      const wasActive = ctx.getActiveProfile();
+      if (viaProfileArg !== wasActive) ctx.setActiveProfile(viaProfileArg);
+      try {
+        return await callHandler();
+      } finally {
+        // Restore active for subsequent calls in same session — explicit pin
+        // is per-call, not a session toggle.
+        if (viaProfileArg !== wasActive) ctx.setActiveProfile(wasActive);
+      }
+    }
+    return callHandler();
+  }
+
+  // Auto-switch loop.
+  const order = profileOrder(name, args, ctx);
+  const wasActive = ctx.getActiveProfile();
+  const failures = [];
+  let switchedFrom = null;
+  let switchedReason = null;
+
+  for (let i = 0; i < order.length; i++) {
+    const profile = order[i];
+    if (i > 0) {
+      // Switching away from previous profile.
+      if (!switchedFrom) switchedFrom = wasActive;
+      ctx.setActiveProfile(profile);
+      console.error(`[feishu-user-plugin] profile-router: ${order[i - 1]} → ${profile} on ${name} (${switchedReason || 'first attempt failed'})`);
+    } else if (profile !== wasActive) {
+      // Hinted profile differs from active — switch on first attempt too.
+      switchedFrom = wasActive;
+      ctx.setActiveProfile(profile);
+      console.error(`[feishu-user-plugin] profile-router: ${wasActive} → ${profile} on ${name} (hint match)`);
+    }
+
+    try {
+      const res = await callHandler();
+      // Detect handler-level isError responses (not all errors throw).
+      if (res?.isError && res.content?.[0]?.text) {
+        const decision = shouldSwitchOnError({ message: res.content[0].text });
+        if (decision.yes && i + 1 < order.length) {
+          failures.push({ profile, error: res.content[0].text.slice(0, 200) });
+          switchedReason = decision.reason;
+          continue;
+        }
+      }
+      // Success — cache hint if we switched, then return.
+      if (switchedFrom && profile !== switchedFrom) {
+        const rk = extractResourceKey(args);
+        if (rk) {
+          try { credentials.setProfileHint(rk, profile); }
+          catch (e) { console.error(`[feishu-user-plugin] profile-router: hint persist failed (${e.message})`); }
+        }
+        // Annotate response.
+        if (res?.content?.[0]?.type === 'text' && typeof res.content[0].text === 'string') {
+          res.content[0].text = `[autoSwitched: ${switchedFrom} → ${profile} on ${rk || 'no-key'}]\n` + res.content[0].text;
+        }
+      }
+      // Restore active to whatever the user had — auto-switch is per-call.
+      if (switchedFrom) ctx.setActiveProfile(wasActive);
+      return res;
+    } catch (err) {
+      const decision = shouldSwitchOnError(err);
+      failures.push({ profile, error: err.message });
+      if (!decision.yes || i + 1 >= order.length) {
+        if (switchedFrom) ctx.setActiveProfile(wasActive);
+        // Compose a comprehensive error if all profiles failed.
+        if (failures.length > 1) {
+          const lines = failures.map(f => `  ${f.profile}: ${f.error}`).join('\n');
+          throw new Error(`All ${failures.length} profiles failed on ${name}:\n${lines}`);
+        }
+        throw err;
+      }
+      switchedReason = decision.reason;
+      // Loop to next profile.
+    }
+  }
+
+  if (switchedFrom) ctx.setActiveProfile(wasActive);
+  // Should not reach: loop returns on success or throws.
+  throw new Error(`profile-router: exhausted ${order.length} profiles on ${name}`);
+}
+
+module.exports = {
+  withProfileRouting,
+  isReadOnlyCall,
+  shouldSwitchOnError,
+  extractResourceKey,
+  profileOrder,
+  // Constants exposed for tests.
+  READ_ONLY_PREFIXES,
+  READ_ONLY_OVERRIDES,
+  SWITCH_CODES,
+  SWITCH_PATTERNS,
+};

package/src/auth/uat.js

@@ -0,0 +1,231 @@
+// src/auth/uat.js — UAT lifecycle: refresh, cross-process file lock, persist.
+//
+// State lives on the LarkOfficialClient instance (this._uat, this._uatRefresh,
+// this._uatExpires). These functions take `client` as first arg and mutate its
+// fields. Lifted out of clients/official/base.js for clarity; called only from
+// there.
+//
+// What this owns:
+//   - decodeTokenExpiry(token) — JWT exp parsing
+//   - getValidUAT(client) — returns current UAT, refreshes if expiring
+//   - refreshUAT(client) — full refresh dance with file lock + persist
+//   - withUAT(client, fn) — wrapper that retries fn once on auth-error codes
+//   - uatREST(client, method, path, opts) — generic UAT REST helper
+//   - asUserOrApp(client, opts) — UAT-first, bot-fallback wrapper
+//   - persistUAT(client) — writes through auth/credentials
+//   - adoptPersistedUATIfNewer(client) — peer-rotation adoption
+//   - acquireRefreshLock / releaseRefreshLock — cross-process advisory lock
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const { fetchWithTimeout } = require('../utils');
+
+function decodeTokenExpiry(token) {
+  try {
+    const payload = token?.split('.')?.[1];
+    if (!payload) return 0;
+    const data = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
+    return typeof data.exp === 'number' ? data.exp : 0;
+  } catch (_) {
+    return 0;
+  }
+}
+
+async function getValidUAT(client) {
+  if (!client._uat) throw new Error('No user_access_token. Run: npx feishu-user-plugin oauth');
+  const now = Math.floor(Date.now() / 1000);
+  if (!client._uatExpires) client._uatExpires = decodeTokenExpiry(client._uat);
+  if (client._uatExpires > 0 && client._uatExpires <= now + 300) {
+    return refreshUAT(client);
+  }
+  return client._uat;
+}
+
+function adoptPersistedUATIfNewer(client) {
+  try {
+    const { readCredentials } = require('./credentials');
+    const creds = readCredentials();
+    const token = creds.LARK_USER_ACCESS_TOKEN;
+    const refresh = creds.LARK_USER_REFRESH_TOKEN;
+    if (!token && !refresh) return false;
+    const expires = parseInt(creds.LARK_UAT_EXPIRES || '0') || decodeTokenExpiry(token);
+    const changed = (token && token !== client._uat)
+      || (refresh && refresh !== client._uatRefresh)
+      || (expires && expires !== client._uatExpires);
+    if (!changed) return false;
+    if (token) client._uat = token;
+    if (refresh) client._uatRefresh = refresh;
+    client._uatExpires = expires || 0;
+    console.error('[feishu-user-plugin] UAT adopted latest persisted token before refresh');
+    return true;
+  } catch (e) {
+    console.error(`[feishu-user-plugin] UAT persisted-token check failed: ${e.message}`);
+    return false;
+  }
+}
+
+function uatLockPath() {
+  return path.join(os.homedir(), '.claude', 'feishu-uat-refresh.lock');
+}
+
+async function acquireRefreshLock(lockPath, { staleMs = 30000, pollMs = 200, timeoutMs = 20000 } = {}) {
+  try { fs.mkdirSync(path.dirname(lockPath), { recursive: true }); } catch (_) {}
+  const start = Date.now();
+  while (Date.now() - start < timeoutMs) {
+    try {
+      const fd = fs.openSync(lockPath, 'wx');
+      fs.writeSync(fd, `${process.pid}\n${Date.now()}\n`);
+      fs.closeSync(fd);
+      return true;
+    } catch (e) {
+      if (e.code !== 'EEXIST') throw e;
+      try {
+        const stat = fs.statSync(lockPath);
+        if (Date.now() - stat.mtimeMs > staleMs) {
+          try { fs.unlinkSync(lockPath); } catch (_) {}
+          continue;
+        }
+      } catch (_) { /* lock vanished — retry */ }
+      await new Promise(r => setTimeout(r, pollMs));
+    }
+  }
+  return false;
+}
+
+function releaseRefreshLock(lockPath) {
+  try { fs.unlinkSync(lockPath); } catch (_) {}
+}
+
+async function refreshUAT(client) {
+  const lockPath = uatLockPath();
+  const acquired = await acquireRefreshLock(lockPath);
+  if (!acquired) {
+    console.error('[feishu-user-plugin] UAT refresh lock timed out; proceeding without mutual exclusion');
+  }
+  try {
+    const now = Math.floor(Date.now() / 1000);
+    if (adoptPersistedUATIfNewer(client) && client._uatExpires > now + 300) {
+      return client._uat;
+    }
+    if (!client._uatRefresh) throw new Error('UAT expired and no refresh token. Run: npx feishu-user-plugin oauth');
+    const res = await fetchWithTimeout('https://open.feishu.cn/open-apis/authen/v2/oauth/token', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({
+        grant_type: 'refresh_token',
+        client_id: client.appId,
+        client_secret: client.appSecret,
+        refresh_token: client._uatRefresh,
+      }),
+    });
+    const data = await res.json();
+    const tokenData = data.access_token ? data : data.data;
+    if (!tokenData?.access_token) throw new Error(`UAT refresh failed: ${JSON.stringify(data)}. Run: npx feishu-user-plugin oauth`);
+    client._uat = tokenData.access_token;
+    client._uatRefresh = tokenData.refresh_token || client._uatRefresh;
+    const expiresIn = typeof tokenData.expires_in === 'number' && tokenData.expires_in > 0 ? tokenData.expires_in : 7200;
+    client._uatExpires = Math.floor(Date.now() / 1000) + expiresIn;
+    persistUAT(client);
+    console.error('[feishu-user-plugin] UAT refreshed successfully');
+    return client._uat;
+  } finally {
+    if (acquired) releaseRefreshLock(lockPath);
+  }
+}
+
+function persistUAT(client) {
+  const { persistToConfig } = require('./credentials');
+  persistToConfig({
+    LARK_USER_ACCESS_TOKEN: client._uat,
+    LARK_USER_REFRESH_TOKEN: client._uatRefresh,
+    LARK_UAT_EXPIRES: String(client._uatExpires),
+  });
+}
+
+async function withUAT(client, fn) {
+  let uat = await getValidUAT(client);
+  const data = await fn(uat);
+  if (data.code === 99991668 || data.code === 99991663 || data.code === 99991677) {
+    if (data.code === 99991668 && typeof data.msg === 'string' && /not support/i.test(data.msg)) {
+      return data;
+    }
+    uat = await refreshUAT(client);
+    return fn(uat);
+  }
+  return data;
+}
+
+async function uatREST(client, method, urlPath, { body, query } = {}) {
+  let qs = '';
+  if (query) {
+    const sp = new URLSearchParams();
+    for (const [k, v] of Object.entries(query)) {
+      if (v === undefined || v === null) continue;
+      if (Array.isArray(v)) { for (const item of v) sp.append(k, String(item)); }
+      else sp.append(k, String(v));
+    }
+    const str = sp.toString();
+    if (str) qs = '?' + str;
+  }
+  const url = 'https://open.feishu.cn' + urlPath + qs;
+  return withUAT(client, async (uat) => {
+    const headers = { 'Authorization': `Bearer ${uat}` };
+    const init = { method, headers };
+    if (body !== undefined) {
+      headers['content-type'] = 'application/json';
+      init.body = JSON.stringify(body);
+    }
+    const res = await fetchWithTimeout(url, init);
+    return res.json();
+  });
+}
+
+async function asUserOrApp(client, { uatPath, method = 'GET', body, query, sdkFn, label }) {
+  let uatSummary = null;
+  if (client.hasUAT) {
+    try {
+      const data = await uatREST(client, method, uatPath, { body, query });
+      if (data.code === 0) {
+        data._viaUser = true;
+        return data;
+      }
+      uatSummary = `as user: code=${data.code} msg=${data.msg}`;
+      console.error(`[feishu-user-plugin] ${label} ${uatSummary}, retrying as app`);
+    } catch (err) {
+      uatSummary = `as user: ${err.message}`;
+      console.error(`[feishu-user-plugin] ${label} as user threw (${err.message}), retrying as app`);
+    }
+  }
+  try {
+    const appData = await client._safeSDKCall(sdkFn, label);
+    if (appData && typeof appData === 'object') {
+      appData._viaUser = false;
+      if (uatSummary) {
+        appData._fallbackWarning = `⚠️  UAT 不可用 (${uatSummary}),本次操作以 bot 身份执行。资源归属于共享 bot「Claude聊天助手」,不是你。恢复方法:运行 \`npx feishu-user-plugin oauth\` 后重启 Claude Code / Codex。`;
+      } else if (!client.hasUAT) {
+        appData._fallbackWarning = `⚠️  未配置 UAT,本次操作以 bot 身份执行。资源归属于共享 bot「Claude聊天助手」,不是你。想让资源归你所有,先跑 \`npx feishu-user-plugin oauth\` 然后重启 Claude Code / Codex。`;
+      }
+    }
+    return appData;
+  } catch (appErr) {
+    if (uatSummary) {
+      const err = new Error(`${label} failed on both identities. ${uatSummary}. as app: ${appErr.message}`);
+      err.uatSummary = uatSummary;
+      err.appError = appErr;
+      throw err;
+    }
+    throw appErr;
+  }
+}
+
+module.exports = {
+  decodeTokenExpiry,
+  getValidUAT,
+  refreshUAT,
+  withUAT,
+  uatREST,
+  asUserOrApp,
+  persistUAT,
+  adoptPersistedUATIfNewer,
+};

package/src/cli.js

@@ -25,6 +25,17 @@ switch (cmd) {
   case 'keepalive':
     keepalive();
     break;
+  case 'list-prompts': {
+    const { listPrompts } = require('./prompts');
+    for (const p of listPrompts()) {
+      console.log(`/${p.name} — ${p.description}`);
+      for (const a of (p.arguments || [])) console.log(`  - ${a.name}${a.required ? ' (required)' : ''}: ${a.description}`);
+    }
+    break;
+  }
+  case 'migrate':
+    migrate();
+    break;
   case 'help':
   case '--help':
   case '-h':
@@ -46,6 +57,9 @@ Commands:
   oauth       Run OAuth flow to obtain user_access_token
   status      Check authentication status
   keepalive   Refresh cookie + UAT to prevent expiration (for cron jobs)
+  migrate     One-time consolidation: copy creds from harness configs into
+              ~/.feishu-user-plugin/credentials.json (single source of truth).
+              Dry-run by default. Add --confirm to actually write.
   help        Show this help
 
 Setup options:
@@ -53,6 +67,9 @@ Setup options:
   --app-secret <s>    App Secret (non-interactive mode)
   --cookie <c>        Cookie string (optional)
   --client <target>   Config target: claude (default), codex, or both
+  --pointer-only      Write only FEISHU_PLUGIN_PROFILE=default to harness env.
+                      Real creds live in ~/.feishu-user-plugin/credentials.json
+                      (run "migrate --confirm" first if not yet migrated).
 
 Quick Start (Claude Code):
   1. npx feishu-user-plugin setup
@@ -70,17 +87,23 @@ Auto-renewal (optional):
 `);
 }
 
+function migrate() {
+  const { migrate: runMigrate } = require('./auth/credentials');
+  const confirm = process.argv.includes('--confirm');
+  const result = runMigrate({ dryRun: !confirm });
+  process.exit(result.ok ? 0 : 1);
+}
+
 async function keepalive() {
-  const { LarkUserClient } = require('./client');
-  const { LarkOfficialClient } = require('./official');
-  const { findMcpConfig, persistToConfig } = require('./config');
+  const { LarkUserClient } = require('./clients/user');
+  const { LarkOfficialClient } = require('./clients/official');
+  const { readCredentials, persistToConfig } = require('./auth/credentials');
 
-  const found = findMcpConfig();
-  if (!found) {
-    console.error('[keepalive] No config found. Run: npx feishu-user-plugin setup');
+  const creds = readCredentials();
+  if (!creds.LARK_COOKIE && !creds.LARK_APP_ID) {
+    console.error('[keepalive] No credentials found. Run: npx feishu-user-plugin setup');
     process.exit(1);
   }
-  const creds = found.serverEnv;
   let ok = true;
 
   // 1. Refresh Cookie
@@ -124,18 +147,27 @@ async function keepalive() {
 }
 
 async function checkStatus() {
-  const { LarkUserClient } = require('./client');
-  const { LarkOfficialClient } = require('./official');
+  const { LarkUserClient } = require('./clients/user');
+  const { LarkOfficialClient } = require('./clients/official');
   const { findMcpConfig } = require('./config');
+  const { readCanonical, getActiveProfileName, listProfileNames, readCredentials } = require('./auth/credentials');
 
+  const canonical = readCanonical();
   const found = findMcpConfig();
-  const creds = found ? found.serverEnv : {};
+  const creds = readCredentials();
 
   console.log('=== feishu-user-plugin Auth Status ===\n');
-  if (found) {
-    console.log(`Config: ${found.configPath}${found.projectPath ? ` (project: ${found.projectPath})` : ''}`);
+  if (canonical) {
+    const path = require('path');
+    const os = require('os');
+    console.log(`Source: ${path.join(os.homedir(), '.feishu-user-plugin', 'credentials.json')} (canonical)`);
+    console.log(`Active profile: ${getActiveProfileName()}`);
+    console.log(`Available profiles: ${listProfileNames().join(', ')}`);
+  } else if (found) {
+    console.log(`Source: ${found.configPath}${found.projectPath ? ` (project: ${found.projectPath})` : ''} (legacy)`);
+    console.log('Tip: run `npx feishu-user-plugin migrate --confirm` to consolidate creds into ~/.feishu-user-plugin/credentials.json.');
   } else {
-    console.log('Config: NOT FOUND (run: npx feishu-user-plugin setup)');
+    console.log('Source: NOT FOUND (run: npx feishu-user-plugin setup)');
   }
   console.log('');