feishu-user-plugin 1.3.8 → 1.3.9

package/src/tools/messaging-user.js

@@ -1,10 +1,12 @@
 // src/tools/messaging-user.js — User-identity (cookie-based) messaging plus
-// batch_send fan-out and the v1.3.6 bot-default send_card_as_user.
+// batch_send fan-out. send_card_as_user lives here (historical naming) but
+// always routes through bot — user-identity card sending is server-side
+// disabled in Feishu at the cookie auth tier.
 //
-// All send_*_as_user handlers route through ctx.getUserClient() (cookie identity).
-// batch_send mixes user + bot identities per target. send_card_as_user currently
-// delegates to bot via ctx.getOfficialClient() — the "as_user" suffix is reserved
-// for v1.3.7's reverse-engineered cookie path; default flips when that lands.
+// All send_*_as_user handlers route through ctx.getUserClient() (cookie identity)
+// EXCEPT send_card_as_user which delegates to bot via ctx.getOfficialClient().
+// The "as_user" suffix on the card tool is historical — v1.3.9 confirmed the
+// cookie protobuf path for CARD is server-side disabled, brute-force exhausted.
 
 const { text, sendResult, json } = require('./_registry');
 
@@ -115,12 +117,17 @@ const schemas = [
   },
   {
     name: 'send_image_as_user',
-    description: '[User Identity] Send an image as the logged-in user. Requires image_key (upload via Official API first).',
+    description: '[User Identity, v1.3.9] Send an image as the logged-in user (NOT bot). Requires image_key from a prior upload_image call. Cookie-protobuf wire format requires both imageKey + thumbnailKey — when no separate thumbnail is provided, plugin defaults thumbnailKey to imageKey (Feishu accepts this for messenger-uploaded images). Width/height/mime/size are optional metadata; Feishu auto-derives display sizing on its side.',
     inputSchema: {
       type: 'object',
       properties: {
         chat_id: { type: 'string', description: 'Target chat ID. Numeric preferred; oc_xxx is auto-resolved (v1.3.7 C1.4).' },
         image_key: { type: 'string', description: 'Image key from upload (img_v2_xxx or img_v3_xxx)' },
+        thumbnail_key: { type: 'string', description: 'Optional separate thumbnail image key. Defaults to image_key when omitted.' },
+        width: { type: 'number', description: 'Optional image width in pixels.' },
+        height: { type: 'number', description: 'Optional image height in pixels.' },
+        mime: { type: 'string', description: 'Optional MIME type (e.g. "image/png").' },
+        size: { type: 'number', description: 'Optional file size in bytes.' },
         root_id: { type: 'string', description: 'Thread root message ID (optional)' },
       },
       required: ['chat_id', 'image_key'],
@@ -160,13 +167,12 @@ const schemas = [
   },
   {
     name: 'send_card_as_user',
-    description: '[v1.3.6+: bot-routed default] Send an interactive card to a chat. **Identity defaults to BOT** because user-identity card sending requires reverse-engineering the Feishu web protobuf (deferred to v1.3.9; v1.3.8 shipped the capture/decode tooling). The tool name keeps the "as_user" suffix so callers don\'t have to migrate when v1.3.9 lands; once user-identity is implemented the default flips. Pass `card` as a JSON object (Feishu card schema). To force bot explicitly set via="bot".',
+    description: '[v1.3.9+: bot-only] Send an interactive Feishu card to a chat via bot identity (Official API). User-identity cookie protobuf path is server-side disabled at the auth tier — confirmed by exhaustive brute-force in v1.3.9, see scripts/explore-card-protobuf.js. The "as_user" suffix is historical naming kept for backward compat; the tool always routes through bot. Pass `card` as a JSON object (Feishu card schema, see https://open.feishu.cn/cardkit).',
     inputSchema: {
       type: 'object',
       properties: {
         chat_id: { type: 'string', description: 'Target chat_id (oc_xxx) or open_id' },
         card: { description: 'Feishu card JSON. See https://open.feishu.cn/cardkit for the schema; build cards visually then paste the resulting JSON here.' },
-        via: { type: 'string', enum: ['bot', 'user'], description: 'Identity to send as. Default "bot". "user" returns an explicit not-yet-implemented error in v1.3.6.' },
       },
       required: ['chat_id', 'card'],
     },
@@ -264,7 +270,14 @@ const handlers = {
   async send_image_as_user(args, ctx) {
     const c = await ctx.getUserClient();
     const chatId = await _resolveCookieChatId(args.chat_id, ctx);
-    const r = await c.sendImage(chatId, args.image_key, { rootId: args.root_id });
+    const r = await c.sendImage(chatId, args.image_key, {
+      rootId: args.root_id,
+      thumbnailKey: args.thumbnail_key,
+      width: args.width,
+      height: args.height,
+      mime: args.mime,
+      size: args.size,
+    });
     return sendResult(r, `Image sent to ${args.chat_id}`);
   },
   async send_file_as_user(args, ctx) {
@@ -280,12 +293,8 @@ const handlers = {
     return sendResult(r, `Post sent to ${args.chat_id}`);
   },
   async send_card_as_user(args, ctx) {
-    const via = args.via || 'bot';
-    if (via === 'user') {
-      return text('send_card_as_user via="user" is not implemented in v1.3.6 — user-identity card sending requires reverse-engineering the Feishu web protobuf and is scheduled for v1.3.7. Use via="bot" (default) for now.');
-    }
     const r = await ctx.getOfficialClient().sendMessageAsBot(args.chat_id, 'interactive', args.card);
-    return text(`Card sent (${via}): ${r.messageId}`);
+    return text(`Card sent (bot): ${r.messageId}`);
   },
 };
 

package/src/tools/profile.js

@@ -1,24 +1,29 @@
-// src/tools/profile.js — multi-account profile management (v1.3.6).
+// src/tools/profile.js — multi-account profile management.
 //
-// LARK_PROFILES_JSON env var registers extra credential sets; this module
-// exposes them via list_profiles + switch_profile so callers can hot-swap
-// between accounts/tenants without restarting the MCP server.
+// v1.3.9 SSOT: profiles live in ~/.feishu-user-plugin/credentials.json under
+// `profiles[]`. Switching writes `active` field; cross-process MCP picks it up
+// via dispatcher mtime hook (~10μs/call) within ms.
+//
+// Legacy LARK_PROFILES_JSON env still works as a back-compat fallback when
+// credentials.json doesn't exist. New profiles should be added via
+// `npx feishu-user-plugin setup --profile <name> --app-id ... --app-secret ... --cookie ...`,
+// then optionally `npx feishu-user-plugin oauth --profile <name>` for UAT.
 
 const { text, json } = require('./_registry');
 
 const schemas = [
   {
     name: 'list_profiles',
-    description: '[Plugin] List all available identity profiles (sets of LARK_COOKIE/APP_ID/APP_SECRET/UAT). The "default" profile uses the top-level env vars; additional profiles come from LARK_PROFILES_JSON. Marks the currently active profile.',
+    description: '[Plugin] List all available identity profiles (each profile has its own LARK_COOKIE / APP_ID / APP_SECRET / UAT). v1.3.9 SSOT: profiles live in ~/.feishu-user-plugin/credentials.json::profiles. Legacy fallback: LARK_PROFILES_JSON env var. Marks the currently active profile.',
     inputSchema: { type: 'object', properties: {} },
   },
   {
     name: 'switch_profile',
-    description: '[Plugin] Switch the active identity profile. Subsequent tool calls use the new profile\'s credentials. Cached client instances are reset so the next call rebuilds against the new creds.',
+    description: '[Plugin v1.3.9] Switch the active identity profile. Atomically writes credentials.json::active; cached clients in this process are invalidated; cross-process MCPs (Codex / another Claude Code) auto-sync via dispatcher mtime check on next tool call (~10μs). To add a new profile, run `npx feishu-user-plugin setup --profile <name> --app-id ... --app-secret ... --cookie ...` then `npx feishu-user-plugin oauth --profile <name>` for UAT.',
     inputSchema: {
       type: 'object',
       properties: {
-        name: { type: 'string', description: 'Profile name. "default" for top-level env vars; any key from LARK_PROFILES_JSON otherwise.' },
+        name: { type: 'string', description: 'Profile name. Use "default" for the primary profile; other names come from credentials.json or LARK_PROFILES_JSON.' },
       },
       required: ['name'],
     },