feishu-user-plugin 1.3.8 → 1.3.9

package/src/oauth.js

@@ -14,9 +14,44 @@
 
 const http = require('http');
 const { execSync } = require('child_process');
-const { readCredentials, persistToConfig } = require('./config');
+const credentialsModule = require('./auth/credentials');
+const legacyConfig = require('./config');
 
-const creds = readCredentials();
+// v1.3.9: profile-aware. Accepts `--profile <name>` (defaults to credentials.json::active);
+// reads APP_ID/SECRET from that profile, persists UAT back to that profile.
+// When credentials.json doesn't exist, falls back to legacy harness env path
+// (which is what v1.3.6 → v1.3.8 did).
+function _parseTargetProfile() {
+  const argv = process.argv.slice(2);
+  for (let i = 0; i < argv.length; i++) {
+    if (argv[i] === '--profile' && argv[i + 1]) return argv[++i];
+  }
+  return null;
+}
+
+const TARGET_PROFILE = _parseTargetProfile();
+const _hasCanonical = !!credentialsModule.readCanonical();
+let creds;
+let profileLabel;
+if (_hasCanonical) {
+  const targetName = TARGET_PROFILE || credentialsModule.getActiveProfileName();
+  try {
+    creds = credentialsModule.getActiveProfileEnv(targetName);
+    profileLabel = `credentials.json::profiles[${targetName}]`;
+  } catch (e) {
+    console.error(`OAuth target profile error: ${e.message}`);
+    console.error(`Available: ${credentialsModule.listProfileNames().join(', ')}`);
+    process.exit(1);
+  }
+  if (TARGET_PROFILE) console.log(`OAuth target profile: ${TARGET_PROFILE}`);
+} else {
+  if (TARGET_PROFILE) {
+    console.error(`--profile flag given but credentials.json doesn't exist. Run \`npx feishu-user-plugin migrate --confirm\` first, or remove --profile to use legacy env path.`);
+    process.exit(1);
+  }
+  creds = legacyConfig.readCredentials();
+  profileLabel = 'harness env (legacy)';
+}
 const APP_ID = creds.LARK_APP_ID;
 const APP_SECRET = creds.LARK_APP_SECRET;
 const PORT = 9997;
@@ -118,12 +153,18 @@ function saveToken(tokenData) {
     LARK_UAT_EXPIRES: String(Math.floor(Date.now() / 1000 + (typeof tokenData.expires_in === 'number' && tokenData.expires_in > 0 ? tokenData.expires_in : 7200))),
   };
 
-  const ok = persistToConfig(updates);
+  let ok = false;
+  if (_hasCanonical) {
+    const targetName = TARGET_PROFILE || credentialsModule.getActiveProfileName();
+    ok = credentialsModule.persistProfileUpdate(targetName, updates);
+    if (ok) console.log(`Tokens written to ${profileLabel}`);
+  } else {
+    ok = legacyConfig.persistToConfig(updates);
+    if (ok) console.log(`Tokens written to ${profileLabel}`);
+  }
   if (!ok) {
-    console.error('WARNING: Tokens could not be saved to config. Copy them manually:');
-    for (const [k, v] of Object.entries(updates)) {
-      console.error(`  ${k}=${v}`);
-    }
+    console.error('WARNING: Tokens could not be saved. Copy them manually:');
+    for (const [k, v] of Object.entries(updates)) console.error(`  ${k}=${v}`);
   }
 }
 

package/src/resolver.js

@@ -144,8 +144,18 @@ async function resolveToken(input, official) {
   return r.obj_token;
 }
 
+/**
+ * Clear the wiki-node resolution cache. Called by the profile-sync hook in
+ * server.js when the active profile changes, so that wiki nodes belonging to
+ * the previous profile's app credentials don't poison lookups for the new one.
+ */
+function clearCache() {
+  _cache.clear();
+}
+
 module.exports = {
   parseFeishuInput,
   resolveToObj,
   resolveToken,
+  clearCache,
 };

package/src/server.js

@@ -13,6 +13,8 @@
 //   - Config discovery / persistence: src/config/*.
 
 const path = require('path');
+const fs = require('fs');
+const os = require('os');
 const { Server } = require('@modelcontextprotocol/sdk/server/index.js');
 const { StdioServerTransport } = require('@modelcontextprotocol/sdk/server/stdio.js');
 const { CallToolRequestSchema, ListToolsRequestSchema, ListPromptsRequestSchema, GetPromptRequestSchema } = require('@modelcontextprotocol/sdk/types.js');
@@ -65,9 +67,28 @@ const HANDLERS = Object.fromEntries(TOOL_MODULES.flatMap((m) => Object.entries(m
 // When credentials.json exists, switching also persists the active field so
 // cross-process MCP servers see the same active profile after restart.
 
+const events = require('./events');
+
+const FEISHU_HOME = path.join(os.homedir(), '.feishu-user-plugin');
+const EVENTS_LOG_PATH = path.join(FEISHU_HOME, 'events.jsonl');
+
 let userClient = null;
 let officialClient = null;
 let wsServer = null;
+let ownerHandle = null;       // returned by tryClaim when isOwner
+let ownerHeartbeatTimer = null;
+let nonOwnerPollTimer = null;
+let _ownerStartCallbacks = [];
+
+function _onBecomeOwner(cb) { _ownerStartCallbacks.push(cb); }
+
+function _stopHeartbeat() {
+  if (ownerHeartbeatTimer) { clearInterval(ownerHeartbeatTimer); ownerHeartbeatTimer = null; }
+}
+function _stopNonOwnerPoll() {
+  if (nonOwnerPollTimer) { clearInterval(nonOwnerPollTimer); nonOwnerPollTimer = null; }
+}
+
 function getEventBuffer() {
   return wsServer ? wsServer.buffer : null;
 }
@@ -75,12 +96,19 @@ function getEventBuffer() {
 // from the persisted active profile (credentials.json) at boot, but in-process
 // switches may diverge from the persisted active until the next server restart.
 //
-// Profile selection precedence (v1.3.8 E.1):
-//   1. process.env.FEISHU_PLUGIN_PROFILE — harness pointer
-//   2. credentials.json::active — single-file persisted active
+// Profile selection precedence (v1.3.9 A.2 — SSOT):
+//   1. credentials.json::active — single-file persisted active (canonical SSOT)
+//   2. process.env.FEISHU_PLUGIN_PROFILE — harness pointer (bootstrap-only, when
+//      credentials.json does not exist)
 //   3. 'default' — legacy zero-config path
-let currentProfile = process.env.FEISHU_PLUGIN_PROFILE
-  || credentials.getActiveProfileName();
+// Note: FEISHU_PLUGIN_PROFILE in the harness env is now a bootstrap pointer only.
+// Once credentials.json exists, its `active` field is authoritative; cross-process
+// sync propagates active-profile changes without a server restart.
+let currentProfile = credentials.getActiveProfileName();
+if (!credentials.readCanonical() && process.env.FEISHU_PLUGIN_PROFILE) {
+  // Bootstrap-only: legacy env users without canonical credentials file.
+  currentProfile = process.env.FEISHU_PLUGIN_PROFILE;
+}
 
 function profileEnv(name) {
   return credentials.getActiveProfileEnv(name);
@@ -134,6 +162,157 @@ function loadUATFromEnv(client, env) {
   client._uatExpires = expires || client._decodeTokenExpiry(token);
 }
 
+// --- Owner control loop (v1.3.9 A.1) ---
+
+async function _claimAndStart() {
+  const claim = events.owner.tryClaim(FEISHU_HOME, { info: { role: 'ws_owner' } });
+  if (!claim.isOwner) {
+    // Become non-owner: poll lock health every 30s, attempt takeover when stale.
+    if (!nonOwnerPollTimer) {
+      nonOwnerPollTimer = setInterval(() => {
+        const info = events.owner.readOwnerInfo(FEISHU_HOME);
+        if (!info.exists || !info.alive) {
+          _claimAndStart().catch((e) => console.error(`[feishu-user-plugin] takeover attempt failed: ${e.message}`));
+        }
+      }, events.owner.TAKEOVER_POLL_INTERVAL_MS);
+      nonOwnerPollTimer.unref?.();
+    }
+    return;
+  }
+
+  ownerHandle = claim;
+  _stopNonOwnerPoll();
+  // Repair tail before WS starts pushing events
+  try { events.log.repairTail(EVENTS_LOG_PATH); } catch (_) {}
+
+  // Start WS with current active profile and its events list.
+  const profileName = currentProfile;
+  let activeEnv;
+  try { activeEnv = profileEnv(profileName); } catch (_) { return; }
+  if (!activeEnv.LARK_APP_ID || !activeEnv.LARK_APP_SECRET) return;
+
+  const eventsList = _getProfileEventsList(profileName);
+  wsServer = events.createWSServer({
+    appId: activeEnv.LARK_APP_ID,
+    appSecret: activeEnv.LARK_APP_SECRET,
+    registrations: eventsList,
+    logPath: EVENTS_LOG_PATH,
+    initialProfile: profileName,
+  });
+  wsServer.start().catch((e) => console.error(`[feishu-user-plugin] WS start error: ${e.message}`));
+
+  // Heartbeat + check active changes every 15s.
+  let lastCredMtime = _credMtime();
+  ownerHeartbeatTimer = setInterval(() => {
+    if (ownerHandle) ownerHandle.heartbeat();
+    const m = _credMtime();
+    if (m !== null && m !== lastCredMtime) {
+      lastCredMtime = m;
+      _maybeReconfigure().catch((e) => console.error(`[feishu-user-plugin] reconfigure failed: ${e.message}`));
+    }
+    // Defer-rotate check
+    try {
+      const snap = events.cursor.readSnapshot(FEISHU_HOME);
+      const SOFT_CAP = 10 * 1024 * 1024;
+      const HARD_CAP = 20 * 1024 * 1024;
+      const rot = events.log.maybeRotate(EVENTS_LOG_PATH, snap.cursor.offset, SOFT_CAP);
+      if (rot.rotated) {
+        events.cursor.resetCursorTo(FEISHU_HOME, 0);
+      } else if (snap.fileSize > HARD_CAP) {
+        events.log.forceRotate(EVENTS_LOG_PATH, snap.fileSize);
+        events.cursor.resetCursorTo(FEISHU_HOME, 0);
+      }
+      // Also clean up old .dropped files daily-ish (every heartbeat is cheap)
+      events.log.cleanupDropped(EVENTS_LOG_PATH, 7);
+    } catch (e) {
+      console.error(`[feishu-user-plugin] rotation check failed: ${e.message}`);
+    }
+  }, events.owner.HEARTBEAT_INTERVAL_MS);
+  ownerHeartbeatTimer.unref?.();
+
+  for (const cb of _ownerStartCallbacks) {
+    try { cb(); } catch (_) {}
+  }
+}
+
+function _credMtime() {
+  try {
+    const p = path.join(FEISHU_HOME, 'credentials.json');
+    return fs.statSync(p).mtimeMs;
+  } catch (_) { return null; }
+}
+
+// Cross-process active-profile sync (v1.3.9 A.2).
+// Each tool call: stat credentials.json; if mtime changed AND active differs
+// from in-memory currentProfile, do an in-process setActiveProfile().
+// _credMtimeBaseline starts null — first call sets the baseline without syncing.
+let _credMtimeBaseline = null;
+
+function _syncActiveProfileFromDisk() {
+  const m = _credMtime();
+  if (m === null) return; // no credentials.json — nothing to sync
+  if (_credMtimeBaseline === null) { _credMtimeBaseline = m; return; }
+  if (m === _credMtimeBaseline) return; // unchanged
+  _credMtimeBaseline = m;
+  let newActive;
+  try { newActive = credentials.getActiveProfileName(); } catch (_) { return; }
+  if (newActive === currentProfile) return;
+  console.error(`[feishu-user-plugin] active profile changed on disk: ${currentProfile} → ${newActive}`);
+  // Use the same setActiveProfile flow that switch_profile uses, except don't
+  // re-write credentials.json (which it already reflects the change).
+  try {
+    credentials.getActiveProfileEnv(newActive); // validate profile exists
+    currentProfile = newActive;
+    userClient = null;
+    officialClient = null;
+    // resolver.js has a wiki-node resolution cache; clear it on profile switch
+    // so wiki nodes belonging to the previous app-id don't cross-contaminate.
+    require('./resolver').clearCache();
+  } catch (e) {
+    console.error(`[feishu-user-plugin] sync to "${newActive}" failed: ${e.message}; staying on "${currentProfile}"`);
+  }
+}
+
+async function _maybeReconfigure() {
+  if (!ownerHandle || !wsServer) return;
+  const newActive = credentials.getActiveProfileName();
+  const newEvents = _getProfileEventsList(newActive);
+  const status = wsServer.getStatus();
+  const sameProfile = status.wsProfile === newActive;
+  const sameEvents = JSON.stringify(status.subscribed_events) === JSON.stringify(newEvents);
+  if (sameProfile && sameEvents) return;
+
+  console.error(`[feishu-user-plugin] WS reconfigure: profile ${status.wsProfile}→${newActive}, events ${status.subscribed_events.length}→${newEvents.length}`);
+
+  // Tear down + rebuild because registrations are fixed at construction.
+  await wsServer.stop();
+  let activeEnv;
+  try { activeEnv = profileEnv(newActive); } catch (_) { return; }
+  if (!activeEnv.LARK_APP_ID || !activeEnv.LARK_APP_SECRET) return;
+  wsServer = events.createWSServer({
+    appId: activeEnv.LARK_APP_ID,
+    appSecret: activeEnv.LARK_APP_SECRET,
+    registrations: newEvents,
+    logPath: EVENTS_LOG_PATH,
+    initialProfile: newActive,
+  });
+  await wsServer.start();
+}
+
+function _getProfileEventsList(profileName) {
+  const canonical = credentials.readCanonical();
+  if (canonical && canonical.profiles[profileName]?.events) {
+    return canonical.profiles[profileName].events.slice();
+  }
+  // Bootstrap: env override
+  const env = process.env.FEISHU_PLUGIN_EXTRA_EVENTS;
+  if (env) {
+    const list = env.split(',').map(s => s.trim()).filter(Boolean);
+    if (list.length) return ['im.message.receive_v1', ...list];
+  }
+  return ['im.message.receive_v1'];
+}
+
 // Resolver helper: turn document_id / app_token / wiki node / Feishu URL into
 // a native token. No-op for already-native inputs. See src/resolver.js.
 async function resolveDocId(input) {
@@ -158,11 +337,45 @@ function buildCtx() {
       currentProfile = n;
       userClient = null;
       officialClient = null;
+      // Clear resolver cache so wiki-node lookups don't carry over from the old profile.
+      require('./resolver').clearCache();
       // Persist the active-field flip when credentials.json exists so peer MCP
-      // servers see the new active profile on next read. Tolerated when no file.
-      try { credentials.setActiveProfile(n); } catch (_) {}
+      // servers see the new active profile on next read. The credentials module
+      // throws if credentials.json doesn't exist OR if `n` isn't in profiles[];
+      // the first is benign (legacy mode), the second is a real bug — log it
+      // either way at warn level instead of swallowing silently.
+      try { credentials.setActiveProfile(n); }
+      catch (e) {
+        const cred = credentials.readCanonical();
+        if (cred) {
+          console.error(`[feishu-user-plugin] WARN: setActiveProfile("${n}") failed to persist to credentials.json: ${e.message}. In-memory currentProfile updated anyway, but other MCP processes won't see the switch.`);
+        }
+      }
+      // Re-baseline mtime so _syncActiveProfileFromDisk doesn't immediately
+      // trigger a redundant sync on the next tool call after we just wrote.
+      _credMtimeBaseline = _credMtime();
     },
     resolveDocId,
+    getWsServer: () => wsServer,
+    requestClaim: async ({ force = false } = {}) => {
+      const claim = events.owner.tryClaim(FEISHU_HOME, { info: { role: 'ws_owner' }, force });
+      if (claim.isOwner) {
+        ownerHandle = claim;
+        await _claimAndStart();
+        return { ok: true, became_owner: true };
+      }
+      return { ok: false, reason: 'lock_active_no_force', owner_pid: claim.ownerInfo?.pid };
+    },
+    requestReconfigure: async () => {
+      const before = wsServer?.getStatus() || {};
+      await _maybeReconfigure();
+      const after = wsServer?.getStatus() || {};
+      return {
+        prev_subscriptions: before.subscribed_events || [],
+        next_subscriptions: after.subscribed_events || [],
+        no_change: JSON.stringify(before.subscribed_events) === JSON.stringify(after.subscribed_events) && before.wsProfile === after.wsProfile,
+      };
+    },
   };
 }
 
@@ -176,6 +389,9 @@ const server = new Server(
 server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));
 
 server.setRequestHandler(CallToolRequestSchema, async (request) => {
+  // Cross-process active-profile sync (v1.3.9 A.2): if another MCP process
+  // wrote a new `active` field to credentials.json, pick it up before dispatch.
+  _syncActiveProfileFromDisk();
   const { name, arguments: args } = request.params;
   const handler = HANDLERS[name];
   if (!handler) {
@@ -211,8 +427,18 @@ process.on('uncaughtException', (err) => {
 process.on('unhandledRejection', (reason) => {
   console.error('[feishu-user-plugin] Unhandled rejection:', reason);
 });
-process.on('SIGTERM', () => { try { wsServer?.stop(); } catch {} process.exit(0); });
-process.on('SIGINT',  () => { try { wsServer?.stop(); } catch {} process.exit(0); });
+process.on('SIGTERM', () => {
+  _stopHeartbeat(); _stopNonOwnerPoll();
+  try { wsServer?.stop(); } catch {}
+  try { ownerHandle?.release(); } catch {}
+  process.exit(0);
+});
+process.on('SIGINT', () => {
+  _stopHeartbeat(); _stopNonOwnerPoll();
+  try { wsServer?.stop(); } catch {}
+  try { ownerHandle?.release(); } catch {}
+  process.exit(0);
+});
 
 // --- main ---
 
@@ -222,9 +448,11 @@ async function main() {
 
   // Startup diagnostics — use the resolved active-profile env so users on
   // credentials.json (where process.env may not have LARK_*) get accurate flags.
-  // If FEISHU_PLUGIN_PROFILE was set, validate the name exists. If not, fail
-  // loud — silently falling back to "default" would mask a typo'd harness env.
-  if (process.env.FEISHU_PLUGIN_PROFILE) {
+  // Bootstrap-only validation: when credentials.json doesn't exist and
+  // FEISHU_PLUGIN_PROFILE is set, validate the name against known legacy profiles.
+  // If credentials.json exists, FEISHU_PLUGIN_PROFILE is ignored — the file's
+  // `active` field is the SSOT and cross-process sync keeps it up to date.
+  if (!credentials.readCanonical() && process.env.FEISHU_PLUGIN_PROFILE) {
     const known = credentials.listProfileNames();
     if (!known.includes(currentProfile)) {
       console.error(`[feishu-user-plugin] FATAL: FEISHU_PLUGIN_PROFILE="${currentProfile}" not found. Known: ${known.join(', ')}.`);
@@ -275,24 +503,15 @@ async function main() {
     }
   }
 
-  // --- Real-time events (v1.3.8 C.3) ---
-  // Boot WS only when APP_ID/SECRET are valid. WS uses app credentials
-  // (not UAT), so cookie-only setups don't get realtime.
+  // --- Real-time events (v1.3.9 — owner-arbitrated) ---
   if (hasApp) {
-    try {
-      const { createWSServer } = require('./events');
-      wsServer = createWSServer({
-        appId: activeEnv.LARK_APP_ID,
-        appSecret: activeEnv.LARK_APP_SECRET,
-        registrations: ['im.message.receive_v1'],
-      });
-      // Start asynchronously — don't block MCP serving on WS handshake.
-      wsServer.start().catch((e) => {
-        console.error(`[feishu-user-plugin] WS deferred start error: ${e.message}`);
-      });
-    } catch (e) {
-      console.error(`[feishu-user-plugin] WS init failed: ${e.message}. Continuing without realtime.`);
-    }
+    _claimAndStart().catch((e) => {
+      console.error(`[feishu-user-plugin] owner claim failed: ${e.message}; will retry every 30s`);
+      if (!nonOwnerPollTimer) {
+        nonOwnerPollTimer = setInterval(_claimAndStart, events.owner.TAKEOVER_POLL_INTERVAL_MS);
+        nonOwnerPollTimer.unref?.();
+      }
+    });
   } else {
     console.error('[feishu-user-plugin] WS not started — APP_ID/SECRET missing. Realtime events (get_new_events) will return empty.');
   }

package/src/setup.js

@@ -10,9 +10,12 @@
  */
 
 const readline = require('readline');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
 const { findMcpConfig, writeNewConfig } = require('./config');
 
-// Parse CLI args: --app-id, --app-secret, --cookie, --client
+// Parse CLI args: --app-id, --app-secret, --cookie, --client, --force, --profile
 function parseArgs() {
   const args = {};
   const argv = process.argv.slice(2);
@@ -21,7 +24,10 @@ function parseArgs() {
     else if (argv[i] === '--app-secret' && argv[i + 1]) args.appSecret = argv[++i];
     else if (argv[i] === '--cookie' && argv[i + 1]) args.cookie = argv[++i];
     else if (argv[i] === '--client' && argv[i + 1]) args.client = argv[++i];
-    else if (argv[i] === '--pointer-only') args.pointerOnly = true;
+    else if (argv[i] === '--pointer-only') args.pointerOnly = true; // kept for backward compat; now implicit default
+    else if (argv[i] === '--force') args.force = true;
+    else if (argv[i] === '--profile' && argv[i + 1]) args.profile = argv[++i];
+    else if (argv[i] === '--activate') args.activate = true;
   }
   return args;
 }
@@ -151,34 +157,102 @@ async function main() {
   }
   if (!client) client = 'claude';
 
-  // If credentials.json exists, recommend pointer-only — the env block in
-  // harness configs becomes redundant (and divergent on UAT refresh).
-  const { readCanonical } = require('./auth/credentials');
-  const hasCanonical = !!readCanonical();
-  let pointerOnly = !!cliArgs.pointerOnly;
-  if (hasCanonical && !pointerOnly && !nonInteractive) {
-    console.log('\n--- Pointer-only mode ---');
-    console.log('Detected ~/.feishu-user-plugin/credentials.json. You can write only');
-    console.log('FEISHU_PLUGIN_PROFILE=default to the harness env (recommended for clean configs).');
-    const ans = (await ask('Use pointer-only mode? (y/N): ')).trim().toLowerCase();
-    pointerOnly = (ans === 'y' || ans === 'yes');
-  }
+  // --- 4-state SSOT matrix (v1.3.9 A.3) ---
+  // Determines how credentials.json is created/updated based on current state.
+  //
+  //   State 1 (fresh):        credentials.json absent, no harness LARK_* env → create fresh
+  //   State 2 (auto-migrate): credentials.json absent, harness LARK_* env exists → migrate
+  //   State 3 (preserve):     credentials.json present, no --app-id → touch nothing in file
+  //   State 4 (update):       credentials.json present, --app-id given → update/add profile
+  const credentials = require('./auth/credentials');
+  const credsPath = path.join(os.homedir(), '.feishu-user-plugin', 'credentials.json');
+  const credsExist = !!credentials.readCanonical();
+  const targetProfile = cliArgs.profile || 'default';
+  const harnessHasLark = !!(existingEnv.LARK_APP_ID || existingEnv.LARK_COOKIE || existingEnv.LARK_USER_ACCESS_TOKEN);
 
-  // Write config
-  console.log('\n--- Writing Config ---');
+  let mode;
+  if (!credsExist && !harnessHasLark) mode = 'fresh';
+  else if (!credsExist && harnessHasLark) mode = 'auto-migrate';
+  else if (credsExist && !cliArgs.appId) mode = 'preserve';
+  else mode = 'update';
+  console.log(`\nSetup mode: ${mode}`);
 
-  const env = {
-    LARK_COOKIE: cookie,
-    LARK_APP_ID: appId,
-    LARK_APP_SECRET: appSecret,
-    LARK_USER_ACCESS_TOKEN: hasUAT ? existingUAT : 'SETUP_NEEDED',
-    LARK_USER_REFRESH_TOKEN: hasUAT ? (existingRT || '') : '',
-  };
+  if (mode === 'fresh' || mode === 'update') {
+    // Gather profile values — only include keys that have real values.
+    const profileValues = {};
+    if (appId) profileValues.LARK_APP_ID = appId;
+    if (appSecret) profileValues.LARK_APP_SECRET = appSecret;
+    if (cookie && cookie !== 'SETUP_NEEDED') profileValues.LARK_COOKIE = cookie;
+    else if (existingEnv.LARK_COOKIE && existingEnv.LARK_COOKIE !== 'SETUP_NEEDED') profileValues.LARK_COOKIE = existingEnv.LARK_COOKIE;
+    if (existingEnv.LARK_USER_ACCESS_TOKEN && existingEnv.LARK_USER_ACCESS_TOKEN !== 'SETUP_NEEDED') profileValues.LARK_USER_ACCESS_TOKEN = existingEnv.LARK_USER_ACCESS_TOKEN;
+    if (existingEnv.LARK_USER_REFRESH_TOKEN) profileValues.LARK_USER_REFRESH_TOKEN = existingEnv.LARK_USER_REFRESH_TOKEN;
 
-  const result = writeNewConfig(env, undefined, undefined, client, { pointerOnly });
+    if (mode === 'fresh') {
+      fs.mkdirSync(path.dirname(credsPath), { recursive: true, mode: 0o700 });
+      const data = { version: 1, active: targetProfile, profiles: { [targetProfile]: profileValues }, profileHints: {} };
+      fs.writeFileSync(credsPath, JSON.stringify(data, null, 2) + '\n', { mode: 0o600 });
+      console.log(`Created ${credsPath} with profile "${targetProfile}"`);
+    } else {
+      // mode === 'update'
+      const canonical = credentials.readCanonical();
+      const profileExists = !!(canonical && canonical.profiles[targetProfile]);
+      if (profileExists && targetProfile === 'default' && !cliArgs.force && !cliArgs.profile) {
+        console.error(`Profile "default" already exists. Pass --force to overwrite, or --profile <name> to create a new profile.`);
+        rl.close();
+        process.exit(1);
+      }
+      if (profileExists && cliArgs.profile && !cliArgs.force) {
+        console.error(`Profile "${targetProfile}" already exists. Pass --force to overwrite, or pick a different --profile name.`);
+        rl.close();
+        process.exit(1);
+      }
+      canonical.profiles[targetProfile] = { ...(canonical.profiles[targetProfile] || {}), ...profileValues };
+      // v1.3.9 fix: only flip credentials.json::active when --activate is given.
+      // Without --activate, adding/updating a non-active profile leaves the
+      // current active alone (least-surprise: "I added work2, default is still
+      // active, I'll switch when I want via MCP switch_profile").
+      if (cliArgs.activate || (cliArgs.force && targetProfile === canonical.active)) {
+        canonical.active = targetProfile;
+      }
+      fs.writeFileSync(credsPath, JSON.stringify(canonical, null, 2) + '\n', { mode: 0o600 });
+      console.log(`Updated profile "${targetProfile}" in ${credsPath}`);
+      if (cliArgs.activate) console.log(`  → active profile flipped to "${targetProfile}"`);
+      else if (canonical.active !== targetProfile) {
+        console.log(`  → active profile unchanged ("${canonical.active}"). Pass --activate to flip, or use switch_profile MCP tool at runtime.`);
+      }
+      if (cliArgs.force) console.warn(`  warning: overwrote existing profile credentials with --force`);
+    }
+  } else if (mode === 'auto-migrate') {
+    // Run migrate to consolidate harness env → credentials.json, then optionally
+    // override the default profile with any explicitly provided --app-id.
+    const result = credentials.migrate({ dryRun: false });
+    if (!result.ok) {
+      console.error('Auto-migrate failed; aborting setup.');
+      rl.close();
+      process.exit(1);
+    }
+    if (cliArgs.appId) {
+      credentials.persistProfileUpdate('default', { LARK_APP_ID: appId, LARK_APP_SECRET: appSecret });
+      console.log('Updated default profile with new app credentials.');
+    }
+  }
+  // mode === 'preserve': credentials.json is unchanged; we only update the harness pointer.
+
+  // --- Write harness config ---
+  // Always write pointer-only env to harness configs (v1.3.9 SSOT).
+  // The harness env block only needs FEISHU_PLUGIN_PROFILE; all real creds
+  // live in credentials.json.
+  console.log('\n--- Writing Config ---');
+  // v1.3.9 fix: harness env pointer should reflect what credentials.json::active
+  // will end up as, not blindly the targetProfile (which would mislead users
+  // who added a non-active profile via --profile alt without --activate).
+  const finalCanonical = credentials.readCanonical();
+  const harnessActive = finalCanonical?.active || targetProfile;
+  const pointerEnv = { FEISHU_PLUGIN_PROFILE: harnessActive };
+  const result = writeNewConfig(pointerEnv, undefined, undefined, client, { pointerOnly: true });
   if (result.configPath) console.log(`Written to ${result.configPath} (Claude Code)`);
   if (result.codexConfigPath) console.log(`Written to ${result.codexConfigPath} (Codex)`);
-  if (pointerOnly) console.log('Mode: pointer-only (env block contains only FEISHU_PLUGIN_PROFILE)');
+  console.log(`Mode: pointer-only (env block contains only FEISHU_PLUGIN_PROFILE=${targetProfile})`);
 
   // Summary
   console.log('\n' + '='.repeat(60));

package/src/test-all.js

@@ -266,14 +266,6 @@ async function main() {
     // 31. create_folder (skip)
     log('create_folder', 'SKIP', 'skipped to avoid creating unnecessary folders');
 
-    // 32. find_user
-    try {
-      const res = await officialClient.findUserByIdentity({ emails: 'test@test.com' });
-      log('find_user', 'PASS', `returned ${(res.userList || []).length} users (expected 0 for test email)`);
-    } catch (e) {
-      log('find_user', 'FAIL', e.message);
-    }
-
     // ========== UAT Tests ==========
 
     if (officialClient.hasUAT) {
@@ -321,4 +313,15 @@ async function main() {
   }
 }
 
-main().catch(console.error);
+main().catch(console.error).finally(() => {
+  // Fixture-based unit test — runs regardless of credential availability
+  require('./test-read-doc-markdown').run();
+  require('./test-switch-profile').run().catch(e => {
+    console.error('switch-profile-e2e: FAIL', e);
+    process.exitCode = 1;
+  });
+  require('./test-events-lockfile').run();
+  require('./test-events-log').run();
+  require('./test-events-cursor').run();
+  require('./test-events-owner').run();
+});