npm - liangzimixin - Versions diffs - 0.2.6 → 0.2.7 - Mend

liangzimixin 0.2.6 → 0.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.cjs CHANGED Viewed

@@ -2233,7 +2233,7 @@ var require_websocket = __commonJS({
     var http = require("http");
     var net = require("net");
     var tls = require("tls");
-    var { randomBytes: randomBytes3, createHash } = require("crypto");
+    var { randomBytes: randomBytes2, createHash } = require("crypto");
     var { Duplex, Readable } = require("stream");
     var { URL: URL2 } = require("url");
     var PerMessageDeflate = require_permessage_deflate();
@@ -2763,7 +2763,7 @@ var require_websocket = __commonJS({
         }
       }
       const defaultPort = isSecure ? 443 : 80;
-      const key = randomBytes3(16).toString("base64");
+      const key = randomBytes2(16).toString("base64");
       const request = isSecure ? https.request : http.request;
       const protocolSet = /* @__PURE__ */ new Set();
       let perMessageDeflate;
@@ -3658,7 +3658,7 @@ __export(index_exports, {
   startPlugin: () => startPlugin
 });
 module.exports = __toCommonJS(index_exports);
-var import_node_path2 = require("path");
+var import_node_path3 = require("path");
 var import_node_os = require("os");
 // node_modules/zod/v4/classic/external.js
@@ -17454,6 +17454,14 @@ var AccountConfigSchema = external_exports.object({
   "quantum-appId": external_exports.string().min(1, "quantum-appId \u4E0D\u80FD\u4E3A\u7A7A"),
   /** 🔴 量子服务密钥 — 用于量子密钥分发 */
   "quantum-appSecret": external_exports.string().min(1, "quantum-appSecret \u4E0D\u80FD\u4E3A\u7A7A"),
+  /** 🔴 PIN 口令 — 保护本地敏感数据 (切勿泄露, 修改后需删除旧密钥数据) */
+  pin: external_exports.string().min(1, "pin \u4E0D\u80FD\u4E3A\u7A7A"),
+  /**
+   * 🟡 量子密服地址 — 默认生产环境
+   * 测试环境: http://223.244.14.238:8552
+   * 生产环境: https://cmsp.zdxlz.com:8552
+   */
+  "quantum-url": external_exports.string().url().optional().default("https://cmsp.zdxlz.com:8552"),
   /**
    * 🟡 Bot 自己的用户 ID — 用于 anti-loop 检查
    * 如果不填，需要通过其他 API 在运行时获取。
@@ -17465,6 +17473,8 @@ var AccountConfigSchema = external_exports.object({
   quantumAccount: raw["quantum-account"],
   quantumAppId: raw["quantum-appId"],
   quantumAppSecret: raw["quantum-appSecret"],
+  pin: raw.pin,
+  quantumUrl: raw["quantum-url"],
   botUserId: raw.botUserId
 }));
 var DEFAULT_INTERNAL_CONFIG = {
@@ -17483,10 +17493,7 @@ var DEFAULT_INTERNAL_CONFIG = {
     }
   },
   auth: {
-    serverUrl: process.env.LZMX_AUTH_URL || "https://seal.example.com",
-    clientName: "liangzimixin",
-    scopes: ["openid", "im_sdk", "data_operate", "offline_access"],
-    autoRegister: true,
+    serverUrl: process.env.LZMX_AUTH_URL || "https://imtwo.zdxlz.com/open-apis/v1",
     refreshAheadMs: 3e5
   },
   crypto: {
@@ -17974,7 +17981,7 @@ async function resolveAndUploadMedia(params) {
       };
     }
     const msgType = fileType;
-    const contentPayload = fileType === "file" ? { fileKey: uploadResult.fileKey, filename: fileName, size: uploadResult.fileSize } : { fileKey: uploadResult.fileKey };
+    const contentPayload = fileType === "file" ? { fileId: uploadResult.fileKey, fileName, size: uploadResult.fileSize } : { fileId: uploadResult.fileKey };
     await messagePipe.sendMessage({
       chatId,
       senderId: chatId,
@@ -17984,7 +17991,7 @@ async function resolveAndUploadMedia(params) {
     });
     log3.info("media:sent", {
       chatId,
-      fileKey: uploadResult.fileKey,
+      fileId: uploadResult.fileKey,
       msgType
     });
     return {
@@ -18111,20 +18118,20 @@ ${body}` : body || raw.content;
     }
     case "image": {
       const c = parsed;
-      fileId = c?.fileKey;
+      fileId = c?.fileId;
       text = c?.altText ?? (fileId ? `![image](${fileId})` : "[image]");
       break;
     }
     case "file": {
       const c = parsed;
-      fileId = c?.fileKey;
-      fileName = c?.filename;
+      fileId = c?.fileId;
+      fileName = c?.fileName;
       text = fileName ? `[File: ${fileName}]` : "[file]";
       break;
     }
     case "voice": {
       const c = parsed;
-      fileId = c?.fileKey;
+      fileId = c?.fileId;
       const durationMs = c?.duration;
       const durationStr = durationMs != null ? ` ${(durationMs / 1e3).toFixed(1)}s` : "";
       text = `[Voice${durationStr}]`;
@@ -18132,7 +18139,7 @@ ${body}` : body || raw.content;
     }
     case "video": {
       const c = parsed;
-      fileId = c?.fileKey;
+      fileId = c?.fileId;
       const durationMs = c?.duration;
       const durationStr = durationMs != null ? ` ${(durationMs / 1e3).toFixed(1)}s` : "";
       text = `[Video${durationStr}]`;
@@ -18454,7 +18461,7 @@ var QUANTUM_IM_CONFIG_JSON_SCHEMA = {
   title: "\u91CF\u5B50\u5BC6\u4FE1 IM \u63D2\u4EF6\u914D\u7F6E",
   description: "\u5BC6\u4FE1 IM Channel \u63D2\u4EF6\uFF0C\u652F\u6301\u91CF\u5B50\u52A0\u5BC6\u7684\u5B89\u5168\u5373\u65F6\u901A\u4FE1\u3002",
   type: "object",
-  required: ["appId", "appSecret", "quantum-account", "quantum-appId", "quantum-appSecret"],
+  required: ["appId", "appSecret", "quantum-account", "quantum-appId", "quantum-appSecret", "pin"],
   properties: {
     appId: {
       type: "string",
@@ -18488,6 +18495,19 @@ var QUANTUM_IM_CONFIG_JSON_SCHEMA = {
       minLength: 1,
       format: "password"
     },
+    pin: {
+      type: "string",
+      title: "PIN \u53E3\u4EE4",
+      description: "\u4FDD\u62A4\u672C\u5730\u654F\u611F\u6570\u636E\u7684\u53E3\u4EE4\uFF0C\u7531\u7528\u6237\u81EA\u5B9A\u4E49\uFF08\u5207\u52FF\u6CC4\u9732\uFF0C\u4FEE\u6539\u540E\u8BF7\u5220\u9664\u65E7\u5BC6\u94A5\u6570\u636E\uFF09",
+      minLength: 1,
+      format: "password"
+    },
+    "quantum-url": {
+      type: "string",
+      title: "\u91CF\u5B50\u5BC6\u670D\u5730\u5740",
+      description: "\u91CF\u5B50\u5BC6\u94A5\u7BA1\u7406\u670D\u52A1\u5730\u5740\u3002\u6D4B\u8BD5\u73AF\u5883: http://223.244.14.238:8552\uFF0C\u751F\u4EA7\u73AF\u5883: https://cmsp.zdxlz.com:8552",
+      default: "https://cmsp.zdxlz.com:8552"
+    },
     botUserId: {
       type: "string",
       title: "Bot \u7528\u6237 ID",
@@ -18581,6 +18601,7 @@ var quantumImOnboarding = {
         "\u8BF7\u51C6\u5907\u4EE5\u4E0B\u4FE1\u606F:",
         "  1. \u5E73\u53F0\u7533\u8BF7\u7684 appId \u548C appSecret",
         "  2. \u91CF\u5B50\u52A0\u5BC6\u670D\u52A1\u7684\u8D26\u6237\u3001appId \u548C appSecret",
+        "  3. \u4FDD\u62A4\u672C\u5730\u5BC6\u94A5\u6570\u636E\u7684 PIN \u53E3\u4EE4",
         "",
         "\u5982\u6709\u7591\u95EE\u8BF7\u8054\u7CFB\u5E73\u53F0\u7BA1\u7406\u5458\u83B7\u53D6\u3002"
       ].join("\n"),
@@ -18612,6 +18633,36 @@ var quantumImOnboarding = {
       initialValue: existing["quantum-appSecret"] ?? void 0,
       validate: required2
     });
+    const pin = await prompter.text({
+      message: "PIN \u53E3\u4EE4 (\u4FDD\u62A4\u672C\u5730\u654F\u611F\u6570\u636E, \u5207\u52FF\u6CC4\u9732)",
+      initialValue: existing.pin ?? void 0,
+      validate: required2
+    });
+    const urlChoice = await prompter.select({
+      message: "\u91CF\u5B50\u5BC6\u670D\u73AF\u5883",
+      options: [
+        { value: "https://cmsp.zdxlz.com:8552", label: "\u751F\u4EA7\u73AF\u5883", hint: "https://cmsp.zdxlz.com:8552" },
+        { value: "http://223.244.14.238:8552", label: "\u6D4B\u8BD5\u73AF\u5883", hint: "http://223.244.14.238:8552" },
+        { value: "custom", label: "\u81EA\u5B9A\u4E49\u5730\u5740" }
+      ],
+      initialValue: existing["quantum-url"] ?? "https://cmsp.zdxlz.com:8552"
+    });
+    let quantumUrl = urlChoice;
+    if (urlChoice === "custom") {
+      quantumUrl = await prompter.text({
+        message: "\u8BF7\u8F93\u5165\u91CF\u5B50\u5BC6\u670D\u5730\u5740",
+        placeholder: "https://your-server:8552",
+        validate: (v) => {
+          if (!v.trim()) return "\u4E0D\u80FD\u4E3A\u7A7A";
+          try {
+            new URL(v);
+          } catch {
+            return "\u8BF7\u8F93\u5165\u5408\u6CD5\u7684 URL";
+          }
+          return void 0;
+        }
+      });
+    }
     const channels = cfg.channels ?? {};
     const channelCfg = channels[CHANNEL_ID] ?? {};
     const accounts = channelCfg.accounts ?? {};
@@ -18629,7 +18680,9 @@ var quantumImOnboarding = {
               appSecret: appSecret.trim(),
               "quantum-account": quantumAccount.trim(),
               "quantum-appId": quantumAppId.trim(),
-              "quantum-appSecret": quantumAppSecret.trim()
+              "quantum-appSecret": quantumAppSecret.trim(),
+              pin: pin.trim(),
+              "quantum-url": quantumUrl.trim()
             }
           }
         }
@@ -18812,104 +18865,83 @@ var quantumImPlugin = {
   }
 };
-// src/crypto/quantun-plug-mock.ts
-var import_node_crypto = require("crypto");
-var log14 = createLogger("crypto/quantun-plug-mock");
-var MOCK_KEY = Buffer.alloc(32, 0);
-MOCK_KEY.write("quantum-mock-key-2026", 0);
-var MOCK_KEY_ID = "mock-key-v1";
-var initialized = false;
-var quantunPlugMock = {
-  /**
-   * 初始化 Mock SDK
-   * 幂等操作 — 重复调用不会报错
-   */
-  async init() {
-    if (initialized) return;
-    initialized = true;
-    log14.warn("\u26A0\uFE0F MOCK MODE \u2014 \u4F7F\u7528 AES-256-GCM \u6A21\u62DF\u91CF\u5B50\u52A0\u5BC6");
-  },
-  /**
-   * 加密明文 → 密文 + 密钥标识
-   *
-   * 内部流程:
-   *   1. 生成 12 字节随机 IV (确保每次加密结果不同)
-   *   2. AES-256-GCM 加密明文
-   *   3. 获取 16 字节 AuthTag (认证标签,防篡改)
-   *   4. 拼接 [IV(12) | Tag(16) | Ciphertext] → Base64 编码
-   */
-  async encrypt(plaintext, mode) {
-    if (!initialized) {
-      throw new Error("quantunPlug not initialized \u2014 call init() first");
-    }
-    const iv = (0, import_node_crypto.randomBytes)(12);
-    const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", MOCK_KEY, iv);
-    const encrypted = Buffer.concat([
-      cipher.update(plaintext, "utf-8"),
-      cipher.final()
-    ]);
-    const tag = cipher.getAuthTag();
-    const combined = Buffer.concat([iv, tag, encrypted]);
-    return {
-      ciphertext: combined.toString("base64"),
-      keyId: MOCK_KEY_ID
-    };
-  },
-  /**
-   * 解密密文 → 明文
-   *
-   * 内部流程:
-   *   1. Base64 解码
-   *   2. 拆分 IV(12) + Tag(16) + Ciphertext
-   *   3. AES-256-GCM 解密 + AuthTag 验证
-   *   4. 返回 UTF-8 明文
-   *
-   * @throws AuthTag 验证失败时抛出异常 (数据被篡改)
-   */
-  async decrypt(ciphertext, keyId, mode) {
-    if (!initialized) {
-      throw new Error("quantunPlug not initialized \u2014 call init() first");
-    }
-    const combined = Buffer.from(ciphertext, "base64");
-    const iv = combined.subarray(0, 12);
-    const tag = combined.subarray(12, 28);
-    const encrypted = combined.subarray(28);
-    const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", MOCK_KEY, iv);
-    decipher.setAuthTag(tag);
-    const decrypted = Buffer.concat([
-      decipher.update(encrypted),
-      decipher.final()
-      // 此处 Tag 验证失败会抛出异常
-    ]);
-    return {
-      plaintext: decrypted.toString("utf-8")
-    };
-  }
+// src/crypto/quantun-plug-adapter.ts
+var import_node_module = require("module");
+var import_meta = {};
+var log14 = createLogger("crypto/quantun-plug-adapter");
+var SM4_MODE = {
+  ECB_NOPADDING: 1,
+  ECB_PKCS7PADDING: 2,
+  CBC_NOPADDING: 3,
+  CBC_PKCS7PADDING: 4
 };
-var quantun_plug_mock_default = quantunPlugMock;
+var DEFAULT_ENCRYPT_MODE = SM4_MODE.CBC_PKCS7PADDING;
+var require2 = (0, import_node_module.createRequire)(import_meta.url);
+var quantunPlug = null;
+try {
+  quantunPlug = require2("./sdk/index.min.cjs");
+  log14.info("Quantum SDK loaded from sdk/index.min.cjs");
+} catch (err) {
+  const msg = err instanceof Error ? err.message : String(err);
+  log14.warn("Quantum SDK missing, only passthrough mode will work:", msg);
+}
+var quantun_plug_adapter_default = quantunPlug;
+// src/crypto/quantum-config-writer.ts
+var import_node_fs = require("fs");
+var import_node_path = require("path");
+var import_node_url = require("url");
+var import_meta2 = {};
+var log15 = createLogger("crypto/quantum-config-writer");
+var QUANTUM_JSON_PATH = (0, import_node_path.join)(
+  (0, import_node_path.dirname)((0, import_node_url.fileURLToPath)(import_meta2.url)),
+  "sdk",
+  "quantum.json"
+);
+function writeQuantumConfig(credentials) {
+  const sdkConfig = {
+    account: credentials.quantumAccount,
+    appID: credentials.quantumAppId,
+    pin: credentials.pin,
+    authCode: credentials.quantumAppSecret,
+    url: credentials.quantumUrl
+  };
+  (0, import_node_fs.writeFileSync)(QUANTUM_JSON_PATH, JSON.stringify(sdkConfig, null, 2), "utf-8");
+  log15.info("quantum.json written to", QUANTUM_JSON_PATH);
+}
 // src/crypto/crypto-engine.ts
-var log15 = createLogger("crypto/crypto-engine");
+var log16 = createLogger("crypto/crypto-engine");
 var PASSTHROUGH_KEY_ID = "passthrough";
+var FILE_CHUNK_SIZE = 10 * 1024 * 1024;
+var FILE_DECRYPT_CHUNK_SIZE = FILE_CHUNK_SIZE + 16;
 var CryptoEngine = class _CryptoEngine {
-  /** 底层量子加密 SDK 实例 (Mock 或真实), 透传模式下为 null */
+  /** 底层量子加密 SDK 实例, 透传模式下为 null */
   plug;
   /** SDK 是否已完成初始化 */
-  initialized = false;
+  initialized;
   /** 是否为透传模式 (不加密, 明文直接透传) */
   passthrough;
+  /** 用户凭据 — 用于生成 quantum.json (透传模式下为 undefined) */
+  credentials;
   /**
-   * 构造加密引擎 (加密模式)
+   * 构造加密引擎
    *
-   * 当前默认使用 Mock SDK。
-   * 待真实 SDK 交付后，此处替换为 require('./quantunPlug.ejs')。
+   * @param opts - 构造选项
+   * @param opts.passthrough - true 为透传模式 (不加密); false 为加密模式 (默认)
+   * @param opts.credentials - 用户凭据 (加密模式必需, 用于生成 quantum.json)
    *
-   * 如需透传模式，请使用静态方法 CryptoEngine.createPassthrough()。
+   * 请使用静态工厂方法:
+   *   - new CryptoEngine({ credentials })          → 加密模式, 使用量子 SDK
+   *   - CryptoEngine.createPassthrough() → 透传模式, 无需 init()
    */
-  constructor() {
-    this.plug = quantun_plug_mock_default;
-    this.passthrough = false;
-    log15.info("CryptoEngine created (mock mode)");
+  constructor(opts = {}) {
+    const { passthrough = false, credentials } = opts;
+    this.passthrough = passthrough;
+    this.credentials = credentials;
+    this.plug = passthrough ? null : quantun_plug_adapter_default;
+    this.initialized = passthrough;
+    log16.info(`CryptoEngine created (${passthrough ? "passthrough mode \u2014 crypto disabled" : "quantum SDK mode"})`);
   }
   /**
    * 创建透传模式的加密引擎 (静态工厂方法)
@@ -18923,17 +18955,12 @@ var CryptoEngine = class _CryptoEngine {
    * 上层模块 (TokenStore, MessagePipe) 无需感知加密是否开启。
    */
   static createPassthrough() {
-    const instance = Object.create(_CryptoEngine.prototype);
-    instance.plug = null;
-    instance.passthrough = true;
-    instance.initialized = true;
-    log15.info("CryptoEngine created (passthrough mode \u2014 crypto disabled)");
-    return instance;
+    return new _CryptoEngine({ passthrough: true });
   }
   /**
    * 初始化加密引擎
    *
-   * 加密模式: 调用 SDK 的 init() 方法完成密钥协商等初始化操作。
+   * 加密模式: 调用 SDK 的 init() 方法完成密服入网、密钥协商等初始化操作。
    * 透传模式: 空操作 (already initialized)。
    * 幂等操作 — 重复调用安全。
    */
@@ -18943,29 +18970,37 @@ var CryptoEngine = class _CryptoEngine {
       this.initialized = true;
       return;
     }
+    if (!this.plug) {
+      throw new Error("Quantum encryption SDK is missing. Cannot initialize in encryption mode (check dist/index.min.cjs).");
+    }
+    if (this.credentials) {
+      writeQuantumConfig(this.credentials);
+    }
     await this.plug.init();
     this.initialized = true;
-    log15.info("CryptoEngine initialized \u2713");
+    log16.info("CryptoEngine initialized \u2713");
   }
   /**
    * 加密明文
    *
-   * 加密模式: 调用底层 SDK 加密, 返回 Base64 密文 + keyId
+   * 加密模式: 调用底层 SDK 加密 (SM4_CBC_PKCS7PADDING), 返回密文 + keyId
    * 透传模式: 直接返回明文作为 "密文", keyId = 'passthrough'
    *
+   * 注意: SDK 返回驼峰 cipherText, 此方法对外统一为小写 ciphertext
+   *
    * @param plaintext - 要加密的明文字符串
    * @returns { ciphertext: 密文字符串, keyId: 密钥标识 }
    * @throws 加密模式下未初始化时抛出错误
    */
   async encrypt(plaintext) {
-    this.ensureInitialized();
     if (this.passthrough) {
-      log15.debug("Encrypt (passthrough)", { length: plaintext.length });
+      log16.debug("Encrypt (passthrough)", { length: plaintext.length });
       return { ciphertext: plaintext, keyId: PASSTHROUGH_KEY_ID };
     }
-    const result = await this.plug.encrypt(plaintext, 1);
-    log15.debug("Encrypted", { length: plaintext.length, keyId: result.keyId });
-    return result;
+    const plug = this.requirePlug();
+    const result = await plug.encrypt(plaintext, DEFAULT_ENCRYPT_MODE);
+    log16.debug("Encrypted", { length: plaintext.length, keyId: result.keyId });
+    return { ciphertext: result.cipherText, keyId: result.keyId };
   }
   /**
    * 解密密文
@@ -18979,14 +19014,100 @@ var CryptoEngine = class _CryptoEngine {
    * @throws 加密模式下未初始化、密文损坏或 keyId 不匹配时抛出错误
    */
   async decrypt(ciphertext, keyId) {
-    this.ensureInitialized();
     if (this.passthrough) {
-      log15.debug("Decrypt (passthrough)", { keyId });
+      log16.debug("Decrypt (passthrough)", { keyId });
       return ciphertext;
     }
-    const result = await this.plug.decrypt(ciphertext, keyId, 1);
-    log15.debug("Decrypted", { keyId });
-    return result.plaintext;
+    const plug = this.requirePlug();
+    const result = await plug.decrypt(ciphertext, keyId, DEFAULT_ENCRYPT_MODE);
+    log16.debug("Decrypted", { keyId });
+    return result.plainText;
+  }
+  /**
+   * 加密文件数据
+   *
+   * 自动处理 10MB 分片编排:
+   *   - ≤10MB: 单次调用 SDK encryptFile
+   *   - >10MB: 按 10MB 分片, 首片无需传密钥参数, 后续片传入前一片返回的 { keyId, sessionKey, fillKey }
+   *
+   * 透传模式: 直接返回原数据
+   *
+   * @param fileData - 文件数据 Buffer
+   * @returns { fileBuffer: 加密后的文件 Buffer, keyId: 密钥标识 }
+   */
+  async encryptFile(fileData) {
+    if (this.passthrough) {
+      log16.debug("EncryptFile (passthrough)", { size: fileData.length });
+      return { fileBuffer: fileData, keyId: PASSTHROUGH_KEY_ID };
+    }
+    if (fileData.length === 0) {
+      return { fileBuffer: Buffer.alloc(0), keyId: PASSTHROUGH_KEY_ID };
+    }
+    const chunks = [];
+    const total = Math.ceil(fileData.length / FILE_CHUNK_SIZE);
+    let keyId;
+    let sessionKey;
+    let fillKey;
+    const plug = this.requirePlug();
+    log16.debug("EncryptFile", { size: fileData.length, chunks: total });
+    for (let i = 0; i < total; i++) {
+      const start = i * FILE_CHUNK_SIZE;
+      const end = Math.min(start + FILE_CHUNK_SIZE, fileData.length);
+      const chunk = fileData.subarray(start, end);
+      const result = await plug.encryptFile(chunk, DEFAULT_ENCRYPT_MODE, {
+        keyId,
+        sessionKey,
+        fillKey
+      });
+      chunks.push(result.fileBuffer);
+      keyId = result.keyId;
+      sessionKey = result.sessionKey;
+      fillKey = result.fillKey;
+    }
+    log16.debug("EncryptFile done", { keyId, chunks: total });
+    return { fileBuffer: Buffer.concat(chunks), keyId: keyId ?? "" };
+  }
+  /**
+   * 解密文件数据
+   *
+   * 自动处理 (10MB + 16) 分片编排:
+   *   - ≤(10MB+16): 单次调用 SDK decryptFile
+   *   - >(10MB+16): 按 (10MB+16) 分片, 首片传 keyId, 后续片传入前一片返回的 { sessionKey, fillKey }
+   *
+   * 透传模式: 直接返回原数据
+   *
+   * @param fileData - 加密后的文件 Buffer
+   * @param keyId    - 加密时返回的密钥标识
+   * @returns 解密后的文件 Buffer
+   */
+  async decryptFile(fileData, keyId) {
+    if (this.passthrough) {
+      log16.debug("DecryptFile (passthrough)", { keyId });
+      return fileData;
+    }
+    if (fileData.length === 0) {
+      return Buffer.alloc(0);
+    }
+    const plug = this.requirePlug();
+    const chunks = [];
+    const total = Math.ceil(fileData.length / FILE_DECRYPT_CHUNK_SIZE);
+    let sessionKey;
+    let fillKey;
+    log16.debug("DecryptFile", { size: fileData.length, chunks: total, keyId });
+    for (let i = 0; i < total; i++) {
+      const start = i * FILE_DECRYPT_CHUNK_SIZE;
+      const end = Math.min(start + FILE_DECRYPT_CHUNK_SIZE, fileData.length);
+      const chunk = fileData.subarray(start, end);
+      const result = await plug.decryptFile(chunk, keyId, DEFAULT_ENCRYPT_MODE, {
+        sessionKey,
+        fillKey
+      });
+      chunks.push(result.fileBuffer);
+      sessionKey = result.sessionKey;
+      fillKey = result.fillKey;
+    }
+    log16.debug("DecryptFile done", { keyId, chunks: total });
+    return Buffer.concat(chunks);
   }
   /**
    * 查询当前是否为透传模式
@@ -18996,25 +19117,26 @@ var CryptoEngine = class _CryptoEngine {
     return this.passthrough;
   }
   /**
-   * 确保引擎已初始化
-   * 未初始化时抛出明确错误，避免难以排查的 SDK 内部异常
+   * 确保引擎已初始化，同时返回非空 plug 实例
+   * （通过 init() 守卫保证：加密模式下 init() 成功后 plug 一定非 null）
    */
-  ensureInitialized() {
+  requirePlug() {
     if (!this.initialized) {
       throw new Error("CryptoEngine not initialized \u2014 call init() first");
     }
+    return this.plug;
   }
 };
 // src/auth/oauth-client.ts
-var log16 = createLogger("auth/oauth-client");
-var SealApiError = class extends Error {
+var log17 = createLogger("auth/oauth-client");
+var ApiError = class extends Error {
   constructor(status, body, endpoint) {
-    super(`Seal API error: ${status} on ${endpoint}`);
+    super(`API error: ${status} on ${endpoint}`);
     this.status = status;
     this.body = body;
     this.endpoint = endpoint;
-    this.name = "SealApiError";
+    this.name = "ApiError";
   }
 };
 var TokenAcquireError = class extends Error {
@@ -19031,28 +19153,21 @@ function sleep(ms) {
   return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
 var DEFAULT_TIMEOUT_MS = 3e4;
-var SealClient = class {
+var GRANT_TYPE = "client_credentials";
+var SCOPE = "client_credentials refresh_token";
+var OAuthClient = class {
   baseUrl;
-  clientId;
-  clientSecret;
-  clientName;
-  scopes;
+  appId;
+  appSecret;
   constructor(config2) {
-    this.baseUrl = config2.serverUrl.replace(/\/+$/, "");
-    this.clientId = config2.clientId;
-    this.clientSecret = config2.clientSecret;
-    this.clientName = config2.clientName;
-    this.scopes = config2.scopes;
-    log16.info("SealClient initialized", { serverUrl: this.baseUrl, clientName: config2.clientName });
+    this.baseUrl = config2.baseUrl.replace(/\/+$/, "");
+    this.appId = config2.appId;
+    this.appSecret = config2.appSecret;
+    log17.info("OAuthClient initialized", { baseUrl: this.baseUrl, appId: sanitize(this.appId) });
   }
   // ── 通用 HTTP 请求 ──
   /**
    * 统一 HTTP 请求封装 — 含超时、日志脱敏和错误处理
-   * @param method - HTTP 方法
-   * @param path - 请求路径 (如 '/seal/client/register')
-   * @param options - 请求选项
-   * @returns 解析后的 JSON 响应
-   * @throws SealApiError — HTTP 非 2xx 响应
    */
   async request(method, path2, options = {}) {
     const url2 = `${this.baseUrl}${path2}`;
@@ -19068,7 +19183,7 @@ var SealClient = class {
         bodyStr = JSON.stringify(options.body);
       }
     }
-    log16.debug("HTTP request", { method, url: url2 });
+    log17.debug("HTTP request", { method, url: url2 });
     const response = await fetch(url2, {
       method,
       headers,
@@ -19083,110 +19198,39 @@ var SealClient = class {
       } catch {
         parsedBody = responseBody;
       }
-      log16.error("HTTP error", { method, url: url2, status: response.status });
-      throw new SealApiError(response.status, parsedBody, path2);
+      log17.error("HTTP error", { method, url: url2, status: response.status });
+      throw new ApiError(response.status, parsedBody, path2);
     }
-    log16.debug("HTTP response", { method, url: url2, status: response.status });
+    log17.debug("HTTP response", { method, url: url2, status: response.status });
     try {
       return JSON.parse(responseBody);
     } catch {
-      throw new SealApiError(response.status, responseBody, path2);
+      throw new ApiError(response.status, responseBody, path2);
     }
   }
   // ── 公共方法 ──
-  /** 判断是否已注册 (有 clientId + clientSecret) */
-  isRegistered() {
-    return !!(this.clientId && this.clientSecret);
-  }
-  /** 更新 clientId / clientSecret (注册成功后或从持久化加载后调用) */
-  setCredentials(clientId, clientSecret) {
-    this.clientId = clientId;
-    this.clientSecret = clientSecret;
-    log16.info("Credentials updated", { clientId: sanitize(clientId) });
-  }
   /**
-   * 动态注册客户端 → POST /seal/client/register
+   * 获取访问令牌 → POST /auth/token (client_credentials)
    *
-   * 首次运行时自动调用，获取 clientId 和 clientSecret。
-   * 注册成功后自动更新内部凭据。
-   */
-  async register(params) {
-    const body = {
-      client_name: params.clientName,
-      scopes: params.scopes,
-      authentication_methods: params.authMethods ?? ["client_secret_post"],
-      grant_types: params.grantTypes ?? ["authorization_code", "client_credentials", "refresh_token"],
-      redirect_uris: params.redirectUris ?? ["https://placeholder.local"],
-      logout_redirect_uris: [],
-      client_settings: {
-        "settings.client.require-authorization-consent": true
-      }
-    };
-    if (params.tokenSettings) {
-      const ts = {};
-      if (params.tokenSettings.accessTokenTtl) {
-        ts["settings.token.access-token-time-to-live"] = params.tokenSettings.accessTokenTtl;
-      }
-      if (params.tokenSettings.refreshTokenTtl) {
-        ts["settings.token.refresh-token-time-to-live"] = params.tokenSettings.refreshTokenTtl;
-      }
-      if (params.tokenSettings.accessTokenFormat) {
-        ts["settings.token.access-token-format"] = params.tokenSettings.accessTokenFormat;
-      }
-      if (params.tokenSettings.reuseRefreshTokens !== void 0) {
-        ts["settings.token.reuse-refresh-tokens"] = params.tokenSettings.reuseRefreshTokens;
-      }
-      ts["settings.token.authorization-code-time-to-live"] = "300";
-      body.token_settings = ts;
-    }
-    log16.info("Registering OAuth client", { clientName: params.clientName });
-    const response = await this.request(
-      "POST",
-      "/seal/client/register",
-      { body, contentType: "json" }
-    );
-    const registration = {
-      clientId: response.client_id,
-      clientSecret: response.client_secret,
-      clientSecretExpiresAt: response.client_secret_expires_at ?? "",
-      clientIdIssuedAt: response.client_id_issued_at ?? "",
-      scopes: response.scopes ?? params.scopes
-    };
-    this.setCredentials(registration.clientId, registration.clientSecret);
-    log16.info("OAuth client registered", {
-      clientId: sanitize(registration.clientId),
-      clientSecret: sanitize(registration.clientSecret),
-      scopes: registration.scopes,
-      expiresAt: registration.clientSecretExpiresAt
-    });
-    return registration;
-  }
-  /**
-   * 获取访问令牌 → POST /seal/oauth2/token (client_credentials)
+   * 请求参数 (x-www-form-urlencoded):
+   *   - grant_type: client_credentials (写死)
+   *   - client_id: appId
+   *   - client_secret: appSecret
+   *   - scope: client_credentials refresh_token (写死)
    *
-   * 使用客户端凭证模式获取 Access Token。
-   * 前置条件: clientId 和 clientSecret 必须存在 (通过 register 或 setCredentials 设置)
-   *
-   * @param scope - 请求的权限范围 (空格分隔)，不传则使用注册时的全部 scope
    * @returns TokenData 包含 access_token、过期时间等
-   * @throws Error — clientId/clientSecret 未设置
-   * @throws SealApiError — HTTP 错误
+   * @throws ApiError — HTTP 错误
    */
-  async getToken(scope) {
-    if (!this.clientId || !this.clientSecret) {
-      throw new Error("Cannot get token: clientId and clientSecret are required. Call register() or setCredentials() first.");
-    }
+  async getToken() {
     const params = new URLSearchParams();
-    params.set("grant_type", "client_credentials");
-    params.set("client_id", this.clientId);
-    params.set("client_secret", this.clientSecret);
-    if (scope) {
-      params.set("scope", scope);
-    }
-    log16.info("Requesting access token", { clientId: sanitize(this.clientId) });
+    params.set("grant_type", GRANT_TYPE);
+    params.set("client_id", this.appId);
+    params.set("client_secret", this.appSecret);
+    params.set("scope", SCOPE);
+    log17.info("Requesting access token", { appId: sanitize(this.appId) });
     const response = await this.request(
       "POST",
-      "/seal/oauth2/token",
+      "/auth/token",
       { body: params, contentType: "form" }
     );
     const now = Date.now();
@@ -19197,32 +19241,28 @@ var SealClient = class {
       expiresIn,
       scope: response.scope ?? "",
       refreshToken: void 0,
-      // Seal 不返回 refresh_token
       grantedAt: now,
       expiresAt: now + expiresIn * 1e3
     };
-    log16.info("Access token acquired", {
+    log17.info("Access token acquired", {
       accessToken: sanitize(tokenData.accessToken),
       expiresIn: tokenData.expiresIn,
       scope: tokenData.scope
     });
     return tokenData;
   }
-  /**
-   * 令牌校验 → GET /seal/oauth2/introspect
-   * 暂不实现 — 保留接口签名，后续需要时再补充
-   */
-  async introspect(_token) {
-    throw new Error("introspect() not implemented yet \u2014 Seal introspect API \u6682\u4E0D\u4F7F\u7528");
+  /** 获取 baseUrl (供其他模块复用) */
+  getBaseUrl() {
+    return this.baseUrl;
   }
 };
 // src/auth/token-store.ts
 var import_promises = require("fs/promises");
-var import_node_fs = require("fs");
-var import_node_path = require("path");
-var import_node_crypto2 = require("crypto");
-var log17 = createLogger("auth/token-store");
+var import_node_fs2 = require("fs");
+var import_node_path2 = require("path");
+var import_node_crypto = require("crypto");
+var log18 = createLogger("auth/token-store");
 var TokenStore = class {
   /** 存储目录路径 */
   storageDir;
@@ -19237,7 +19277,7 @@ var TokenStore = class {
   constructor(storageDir, crypto) {
     this.storageDir = storageDir;
     this.crypto = crypto;
-    log17.info("TokenStore initialized", { storageDir });
+    log18.info("TokenStore initialized", { storageDir });
   }
   /**
    * 确保存储目录存在并设置正确的权限。
@@ -19245,9 +19285,9 @@ var TokenStore = class {
    */
   async ensureDir() {
     if (this.dirEnsured) return;
-    if (!(0, import_node_fs.existsSync)(this.storageDir)) {
+    if (!(0, import_node_fs2.existsSync)(this.storageDir)) {
       await (0, import_promises.mkdir)(this.storageDir, { recursive: true, mode: 448 });
-      log17.debug("Storage directory created", { dir: this.storageDir });
+      log18.debug("Storage directory created", { dir: this.storageDir });
     }
     this.dirEnsured = true;
   }
@@ -19256,7 +19296,7 @@ var TokenStore = class {
    * @param key - 存储键名 (如 'token', 'credentials')
    */
   filePath(key) {
-    return (0, import_node_path.join)(this.storageDir, `${key}.enc`);
+    return (0, import_node_path2.join)(this.storageDir, `${key}.enc`);
   }
   /**
    * 保存 Token — 加密写入文件
@@ -19277,12 +19317,12 @@ var TokenStore = class {
     const storage = { ciphertext, keyId };
     const storageJson = JSON.stringify(storage);
     const targetPath = this.filePath(key);
-    const tmpSuffix = (0, import_node_crypto2.randomBytes)(4).toString("hex");
+    const tmpSuffix = (0, import_node_crypto.randomBytes)(4).toString("hex");
     const tmpPath = `${targetPath}.${tmpSuffix}.tmp`;
     try {
       await (0, import_promises.writeFile)(tmpPath, storageJson, { mode: 384 });
       await (0, import_promises.rename)(tmpPath, targetPath);
-      log17.debug("Token saved", { key, path: targetPath });
+      log18.debug("Token saved", { key, path: targetPath });
     } catch (err) {
       try {
         await (0, import_promises.unlink)(tmpPath);
@@ -19304,8 +19344,8 @@ var TokenStore = class {
    */
   async load(key) {
     const filePath = this.filePath(key);
-    if (!(0, import_node_fs.existsSync)(filePath)) {
-      log17.debug("Token file not found", { key, path: filePath });
+    if (!(0, import_node_fs2.existsSync)(filePath)) {
+      log18.debug("Token file not found", { key, path: filePath });
       return null;
     }
     try {
@@ -19313,10 +19353,10 @@ var TokenStore = class {
       const storage = JSON.parse(raw);
       const json2 = await this.crypto.decrypt(storage.ciphertext, storage.keyId);
       const data = JSON.parse(json2);
-      log17.debug("Token loaded", { key, path: filePath });
+      log18.debug("Token loaded", { key, path: filePath });
       return data;
     } catch (err) {
-      log17.warn("Failed to load token (corrupted or key mismatch), treating as empty", {
+      log18.warn("Failed to load token (corrupted or key mismatch), treating as empty", {
         key,
         error: err instanceof Error ? err.message : String(err)
       });
@@ -19332,7 +19372,7 @@ var TokenStore = class {
     const filePath = this.filePath(key);
     try {
       await (0, import_promises.unlink)(filePath);
-      log17.debug("Token file cleared", { key, path: filePath });
+      log18.debug("Token file cleared", { key, path: filePath });
     } catch (err) {
       if (err.code !== "ENOENT") {
         throw err;
@@ -19342,17 +19382,15 @@ var TokenStore = class {
 };
 // src/auth/token-manager.ts
-var log18 = createLogger("auth/token-manager");
+var log19 = createLogger("auth/token-manager");
 var DEFAULT_REFRESH_AHEAD_MS = 5 * 60 * 1e3;
 var MAX_RETRIES = 3;
 var RETRY_BASE_MS = 1e3;
 var TokenManager = class {
-  sealClient;
+  oauthClient;
   tokenStore;
   /** Token 过期前提前刷新的时间 (ms) */
   refreshAheadMs;
-  /** 自动注册的参数 */
-  autoRegisterParams;
   // ── 内存缓存 ──
   /** 内存中缓存的 access_token */
   cachedToken = null;
@@ -19366,11 +19404,10 @@ var TokenManager = class {
   /** 定时刷新器句柄 */
   refreshTimer = null;
   constructor(deps) {
-    this.sealClient = deps.sealClient;
+    this.oauthClient = deps.oauthClient;
     this.tokenStore = deps.tokenStore;
     this.refreshAheadMs = deps.refreshAheadMs ?? DEFAULT_REFRESH_AHEAD_MS;
-    this.autoRegisterParams = deps.autoRegisterParams;
-    log18.info("TokenManager initialized", { refreshAheadMs: this.refreshAheadMs });
+    log19.info("TokenManager initialized", { refreshAheadMs: this.refreshAheadMs });
   }
   // ── 核心方法 ──
   /**
@@ -19388,7 +19425,7 @@ var TokenManager = class {
       return this.cachedToken;
     }
     if (this.refreshLock) {
-      log18.debug("Waiting for concurrent token acquisition");
+      log19.debug("Waiting for concurrent token acquisition");
       return this.refreshLock;
     }
     this.refreshLock = this._acquireTokenWithRetry();
@@ -19398,13 +19435,6 @@ var TokenManager = class {
       this.refreshLock = null;
     }
   }
-  /**
-   * 令牌自省 — 暂不实现，后续补充。
-   * 返回的 identity_id 用于 gate.ts 的 anti-loop 检查 (bot 自己的 ID)。
-   */
-  async introspect() {
-    throw new Error("introspect() not implemented yet \u2014 Seal introspect API \u6682\u4E0D\u4F7F\u7528");
-  }
   /** 检查当前令牌是否包含指定的 scope */
   hasScope(scope) {
     if (!this.cachedScope) return false;
@@ -19421,13 +19451,13 @@ var TokenManager = class {
     this.cachedToken = null;
     this.cachedScope = null;
     this.currentTokenData = null;
-    log18.info("Token revoked and cleared");
+    log19.info("Token revoked and cleared");
   }
   /** 清理定时器和并发锁 — 优雅关闭时调用 */
   shutdown() {
     this.clearRefreshTimer();
     this.refreshLock = null;
-    log18.info("TokenManager shutdown");
+    log19.info("TokenManager shutdown");
   }
   // ── 内部方法 ──
   /**
@@ -19435,26 +19465,26 @@ var TokenManager = class {
    *
    * 重试策略:
    *   - 网络错误 / 5xx → 重试 (最多 3 次)
-   *   - 401/403 → 不重试 (client_secret 可能无效)
+   *   - 401/403 → 不重试 (凭证可能无效)
    */
   async _acquireTokenWithRetry() {
     for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
       try {
         return await this._acquireToken();
       } catch (err) {
-        if (err instanceof SealApiError && (err.status === 401 || err.status === 403)) {
-          log18.error("Token acquire failed with auth error, not retrying", { status: err.status });
+        if (err instanceof ApiError && (err.status === 401 || err.status === 403)) {
+          log19.error("Token acquire failed with auth error, not retrying", { status: err.status });
           throw err;
         }
         if (attempt === MAX_RETRIES) {
-          log18.error("Token acquire failed after all retries", { attempts: attempt + 1 });
+          log19.error("Token acquire failed after all retries", { attempts: attempt + 1 });
           throw new TokenAcquireError(
             `Token acquire failed after ${attempt + 1} attempts`,
             { cause: err instanceof Error ? err : void 0 }
           );
         }
         const delay = RETRY_BASE_MS * Math.pow(2, attempt);
-        log18.warn("Token acquire failed, retrying", {
+        log19.warn("Token acquire failed, retrying", {
           attempt: attempt + 1,
           maxRetries: MAX_RETRIES,
           retryInMs: delay,
@@ -19470,63 +19500,27 @@ var TokenManager = class {
    *
    * 流程:
    *   1. 尝试从 TokenStore 加载缓存
-   *   2. 检查是否需要注册客户端
-   *   3. 调用 SealClient.getToken() 获取新 Token
-   *   4. 保存到内存缓存 + TokenStore
-   *   5. 设置定时刷新器
+   *   2. 调用 OAuthClient.getToken() 获取新 Token
+   *   3. 保存到内存缓存 + TokenStore
+   *   4. 设置定时刷新器
    */
   async _acquireToken() {
     try {
       const stored = await this.tokenStore.load("token");
       if (stored && !this.isTokenHardExpired(stored)) {
-        log18.info("Token loaded from store (still valid)");
+        log19.info("Token loaded from store (still valid)");
         this.updateCache(stored);
         this.scheduleRefresh(stored);
         return stored.accessToken;
       }
       if (stored) {
-        log18.info("Stored token has expired, acquiring new one");
+        log19.info("Stored token has expired, acquiring new one");
       }
     } catch {
-      log18.warn("Failed to load token from store, acquiring new one");
+      log19.warn("Failed to load token from store, acquiring new one");
     }
-    if (!this.sealClient.isRegistered()) {
-      try {
-        const savedCreds = await this.tokenStore.load("credentials");
-        if (savedCreds?.clientId && savedCreds?.clientSecret) {
-          this.sealClient.setCredentials(
-            savedCreds.clientId,
-            savedCreds.clientSecret
-          );
-          log18.info("Credentials loaded from store");
-        }
-      } catch {
-        log18.debug("No saved credentials found");
-      }
-    }
-    if (!this.sealClient.isRegistered()) {
-      if (!this.autoRegisterParams) {
-        throw new Error("SealClient not registered and autoRegisterParams not provided. Call setCredentials() or enable autoRegister.");
-      }
-      log18.info("Auto-registering OAuth client");
-      const registration = await this.sealClient.register({
-        clientName: this.autoRegisterParams.clientName,
-        scopes: this.autoRegisterParams.scopes,
-        tokenSettings: this.autoRegisterParams.tokenSettings ? {
-          accessTokenTtl: this.autoRegisterParams.tokenSettings.accessTokenTtl,
-          refreshTokenTtl: this.autoRegisterParams.tokenSettings.refreshTokenTtl,
-          accessTokenFormat: this.autoRegisterParams.tokenSettings.accessTokenFormat
-        } : void 0
-      });
-      await this.tokenStore.save("credentials", {
-        clientId: registration.clientId,
-        clientSecret: registration.clientSecret,
-        clientSecretExpiresAt: registration.clientSecretExpiresAt
-      });
-      log18.info("OAuth client registered and credentials saved");
-    }
-    log18.info("Acquiring new access token");
-    const tokenData = await this.sealClient.getToken();
+    log19.info("Acquiring new access token via POST /auth/token");
+    const tokenData = await this.oauthClient.getToken();
     this.updateCache(tokenData);
     await this.tokenStore.save("token", tokenData);
     this.scheduleRefresh(tokenData);
@@ -19556,22 +19550,22 @@ var TokenManager = class {
     this.clearRefreshTimer();
     const refreshInMs = tokenData.expiresAt - this.refreshAheadMs - Date.now();
     if (refreshInMs <= 0) {
-      log18.debug("Token already within refresh window, not scheduling timer");
+      log19.debug("Token already within refresh window, not scheduling timer");
       return;
     }
-    log18.debug("Scheduling token refresh", {
+    log19.debug("Scheduling token refresh", {
       refreshInMs,
       refreshAt: new Date(Date.now() + refreshInMs).toISOString()
     });
     this.refreshTimer = setTimeout(async () => {
       try {
-        log18.info("Scheduled token refresh triggered");
+        log19.info("Scheduled token refresh triggered");
         this.cachedToken = null;
         this.currentTokenData = null;
         await this.getValidToken();
-        log18.info("Scheduled token refresh completed");
+        log19.info("Scheduled token refresh completed");
       } catch (err) {
-        log18.error("Scheduled token refresh failed", {
+        log19.error("Scheduled token refresh failed", {
           error: err instanceof Error ? err.message : String(err)
         });
       }
@@ -19599,13 +19593,13 @@ var wrapper_default = import_websocket.default;
 // src/transport/ws-client.ts
 var import_node_events = require("events");
-var log19 = createLogger("transport/ws-client");
+var log20 = createLogger("transport/ws-client");
 var WSClient = class extends import_node_events.EventEmitter {
   /** 底层 WebSocket 实例 */
   ws = null;
   constructor() {
     super();
-    log19.info("WSClient initialized");
+    log20.info("WSClient initialized");
   }
   /**
    * 连接到 WebSocket 服务器并绑定事件。
@@ -19621,11 +19615,11 @@ var WSClient = class extends import_node_events.EventEmitter {
       this.ws = null;
     }
     const { url: url2, protocols, headers } = options;
-    log19.info("ws:connecting", { url: url2 });
+    log20.info("ws:connecting", { url: url2 });
     return new Promise((resolve2, reject) => {
       const ws = new wrapper_default(url2, protocols, { headers });
       ws.on("open", () => {
-        log19.info("ws:connected", { url: url2 });
+        log20.info("ws:connected", { url: url2 });
         this.emit("open");
         resolve2();
       });
@@ -19633,11 +19627,11 @@ var WSClient = class extends import_node_events.EventEmitter {
         this.emit("message", data);
       });
       ws.on("close", (code, reason) => {
-        log19.info("ws:closed", { code, reason: reason.toString() });
+        log20.info("ws:closed", { code, reason: reason.toString() });
         this.emit("close", code, reason.toString());
       });
       ws.on("error", (err) => {
-        log19.error("ws:error", { error: err.message });
+        log20.error("ws:error", { error: err.message });
         this.emit("error", err);
         if (this.ws !== ws) {
           reject(err);
@@ -19649,7 +19643,7 @@ var WSClient = class extends import_node_events.EventEmitter {
   /** 发送数据到服务器 — 前置检查连接状态 */
   send(data) {
     if (!this.ws || this.ws.readyState !== wrapper_default.OPEN) {
-      log19.warn("ws:send skipped, not connected", { readyState: this.ws?.readyState });
+      log20.warn("ws:send skipped, not connected", { readyState: this.ws?.readyState });
       return;
     }
     this.ws.send(data);
@@ -19660,7 +19654,7 @@ var WSClient = class extends import_node_events.EventEmitter {
       this.ws.removeAllListeners();
       this.ws.close(code, reason);
       this.ws = null;
-      log19.info("ws:close requested", { code, reason });
+      log20.info("ws:close requested", { code, reason });
     }
   }
   /** 当前连接状态 (0=CONNECTING, 1=OPEN, 2=CLOSING, 3=CLOSED) */
@@ -19670,7 +19664,7 @@ var WSClient = class extends import_node_events.EventEmitter {
 };
 // src/transport/dedup.ts
-var log20 = createLogger("transport/dedup");
+var log21 = createLogger("transport/dedup");
 var MessageDedup = class {
   /** 去重缓存生存时间 (ms) */
   ttlMs;
@@ -19681,7 +19675,7 @@ var MessageDedup = class {
   constructor(config2) {
     this.ttlMs = config2?.ttlMs ?? 3e5;
     this.maxEntries = config2?.maxEntries ?? 5e3;
-    log20.info("MessageDedup initialized", { ttlMs: this.ttlMs, maxEntries: this.maxEntries });
+    log21.info("MessageDedup initialized", { ttlMs: this.ttlMs, maxEntries: this.maxEntries });
   }
   /**
    * 检查消息是否重复。
@@ -19716,8 +19710,8 @@ var MessageDedup = class {
 };
 // src/transport/message-pipe.ts
-var import_node_crypto3 = require("crypto");
-var log21 = createLogger("transport/message-pipe");
+var import_node_crypto2 = require("crypto");
+var log22 = createLogger("transport/message-pipe");
 var MessagePipe = class {
   wsClient;
   dedup;
@@ -19736,15 +19730,15 @@ var MessagePipe = class {
     this.messageServiceBaseUrl = deps.messageServiceBaseUrl;
     this.wsClient.on("message", (rawData) => {
       this.handleInbound(rawData).catch((err) => {
-        log21.error("inbound:error", { step: "handleInbound", error: err.message });
+        log22.error("inbound:error", { step: "handleInbound", error: err.message });
       });
     });
-    log21.info("MessagePipe initialized");
+    log22.info("MessagePipe initialized");
   }
   /** 注册入站消息回调 — 解密后的消息会通过此回调传给 L4 层 */
   onMessage(callback) {
     this.messageCallback = callback;
-    log21.info("Inbound message callback registered");
+    log22.info("Inbound message callback registered");
   }
   /**
    * 出站发送 — 通过 HTTP API 发送消息到 IM 服务器。
@@ -19764,7 +19758,7 @@ var MessagePipe = class {
     }
     const result = await this.callMessageApi("/messages/v1/send", body, "outbound");
     if (!result) return;
-    log21.info("outbound:sent", {
+    log22.info("outbound:sent", {
       chatId: msg.chatId,
       senderId: msg.senderId,
       msgType: msg.msgType,
@@ -19788,7 +19782,7 @@ var MessagePipe = class {
     };
     const result = await this.callMessageApi("/messages/v1/recall", body, "recall");
     if (!result) return;
-    log21.info("recall:sent", {
+    log22.info("recall:sent", {
       messageId: params.messageId,
       requestId: result.request_id
     });
@@ -19815,7 +19809,7 @@ var MessagePipe = class {
         body: JSON.stringify(body)
       });
       if (!resp.ok) {
-        log21.error(`${logTag}:http-error`, {
+        log22.error(`${logTag}:http-error`, {
           status: resp.status,
           statusText: resp.statusText,
           url: url2
@@ -19824,7 +19818,7 @@ var MessagePipe = class {
       }
       const result = await resp.json();
       if (result.code !== 0) {
-        log21.error(`${logTag}:api-error`, {
+        log22.error(`${logTag}:api-error`, {
           code: result.code,
           msg: result.msg,
           requestId: result.request_id
@@ -19833,7 +19827,7 @@ var MessagePipe = class {
       }
       return result;
     } catch (err) {
-      log21.error(`${logTag}:network-error`, {
+      log22.error(`${logTag}:network-error`, {
         url: url2,
         error: err.message
       });
@@ -19855,7 +19849,7 @@ var MessagePipe = class {
     try {
       frame = JSON.parse(String(rawData));
     } catch (err) {
-      log21.warn("inbound:json-parse-error", { error: err.message });
+      log22.warn("inbound:json-parse-error", { error: err.message });
       return;
     }
     const timestamp = frame["X-CTQ-Timestamp"];
@@ -19864,9 +19858,9 @@ var MessagePipe = class {
     if (timestamp && nonce && signature) {
       const token = await this.tokenFn();
       const signatureInput = timestamp + nonce + frame.data;
-      const expected = (0, import_node_crypto3.createHmac)("sha256", token).update(signatureInput).digest("hex");
+      const expected = (0, import_node_crypto2.createHmac)("sha256", token).update(signatureInput).digest("hex");
       if (expected !== signature) {
-        log21.warn("inbound:signature-fail", { timestamp, nonce });
+        log22.warn("inbound:signature-fail", { timestamp, nonce });
         return;
       }
     }
@@ -19880,30 +19874,37 @@ var MessagePipe = class {
     try {
       callbackData = JSON.parse(dataStr);
     } catch (err) {
-      log21.warn("inbound:data-parse-error", { error: err.message });
+      log22.warn("inbound:data-parse-error", { error: err.message });
       return;
     }
-    if (callbackData.eventType !== "MessageReceived") {
-      log21.debug("inbound:event-ignored", { eventType: callbackData.eventType });
+    if (callbackData.eventType !== "callback:direct") {
+      log22.debug("inbound:event-ignored", { eventType: callbackData.eventType });
       return;
     }
-    const msg = callbackData.content;
-    log21.debug("inbound:frame", { messageId: msg.messageId, eventType: callbackData.eventType });
+    const msg = {
+      messageId: callbackData.msgUid,
+      chatId: callbackData.groupId || callbackData.userId,
+      senderId: callbackData.userId,
+      msgType: callbackData.type,
+      content: JSON.stringify(callbackData.content),
+      timestamp: Date.now()
+    };
+    log22.debug("inbound:frame", { messageId: msg.messageId, eventType: callbackData.eventType });
     if (this.dedup.isDuplicate(msg.messageId)) {
-      log21.debug("inbound:dedup-hit", { messageId: msg.messageId });
+      log22.debug("inbound:dedup-hit", { messageId: msg.messageId });
       return;
     }
-    log21.info("inbound:verified", { messageId: msg.messageId, chatId: msg.chatId });
+    log22.info("inbound:verified", { messageId: msg.messageId, chatId: msg.chatId });
     if (this.messageCallback) {
       this.messageCallback(msg);
     } else {
-      log21.warn("inbound:no-callback", { messageId: msg.messageId });
+      log22.warn("inbound:no-callback", { messageId: msg.messageId });
     }
   }
 };
 // src/transport/connection-manager.ts
-var log22 = createLogger("transport/connection-manager");
+var log23 = createLogger("transport/connection-manager");
 function sleep2(ms) {
   return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
@@ -19933,7 +19934,7 @@ var ConnectionManager = class {
       reconnectMaxMs: options?.reconnectMaxMs ?? 6e4,
       maxReconnectAttempts: options?.maxReconnectAttempts ?? 10
     };
-    log22.info("ConnectionManager initialized", this.options);
+    log23.info("ConnectionManager initialized", this.options);
   }
   /**
    * 启动连接 — 连接 WS + 开始心跳 + 注册重连逻辑
@@ -19948,29 +19949,33 @@ var ConnectionManager = class {
     this.running = true;
     this.reconnectAttempts = 0;
     const token = await tokenFn();
+    const wsUrl = url2.replace(/\/+$/, "") + "/events/stream";
     await this.client.connect({
-      url: url2,
+      url: wsUrl,
       token,
-      headers: this.appId ? { "X-App-ID": this.appId } : void 0
+      headers: {
+        "Authorization": token,
+        ...this.appId ? { "X-App-ID": this.appId } : {}
+      }
     });
     this.client.on("close", () => {
       if (this.running) {
-        log22.warn("ws:disconnected, scheduling reconnect");
+        log23.warn("ws:disconnected, scheduling reconnect");
         this.scheduleReconnect();
       }
     });
     this.client.on("error", (err) => {
-      log22.error("ws:connection-error", { error: err.message });
+      log23.error("ws:connection-error", { error: err.message });
     });
     this.startHeartbeat();
-    log22.info("ConnectionManager started \u2713", { url: url2 });
+    log23.info("ConnectionManager started \u2713", { url: url2 });
   }
   /** 启动心跳保活 — 定时检查连接状态 */
   startHeartbeat() {
     this.stopHeartbeat();
     this.heartbeatTimer = setInterval(() => {
       if (this.client.readyState !== wrapper_default.OPEN) {
-        log22.warn("heartbeat: connection not open, scheduling reconnect");
+        log23.warn("heartbeat: connection not open, scheduling reconnect");
         this.scheduleReconnect();
       }
     }, this.options.heartbeatIntervalMs);
@@ -19998,30 +20003,34 @@ var ConnectionManager = class {
         this.options.reconnectBaseMs * 2 ** this.reconnectAttempts,
         this.options.reconnectMaxMs
       );
-      log22.info("ws:reconnecting", { attempt: this.reconnectAttempts + 1, delayMs: delay });
+      log23.info("ws:reconnecting", { attempt: this.reconnectAttempts + 1, delayMs: delay });
       await sleep2(delay);
       if (!this.running) return;
       this.reconnectAttempts++;
       try {
         const token = await this.tokenFn();
+        const wsUrl = this.url.replace(/\/+$/, "") + "/events/stream";
         await this.client.connect({
-          url: this.url,
+          url: wsUrl,
           token,
-          headers: this.appId ? { "X-App-ID": this.appId } : void 0
+          headers: {
+            "Authorization": token,
+            ...this.appId ? { "X-App-ID": this.appId } : {}
+          }
         });
         this.reconnectAttempts = 0;
         this.startHeartbeat();
-        log22.info("ws:reconnected", { attempt: this.reconnectAttempts, url: this.url });
+        log23.info("ws:reconnected", { attempt: this.reconnectAttempts, url: this.url });
         return;
       } catch (err) {
-        log22.warn("ws:reconnect-failed", {
+        log23.warn("ws:reconnect-failed", {
           attempt: this.reconnectAttempts,
           error: err.message
         });
       }
     }
     if (this.running) {
-      log22.error("ws:max-reconnect-reached", {
+      log23.error("ws:max-reconnect-reached", {
         maxAttempts: this.options.maxReconnectAttempts
       });
     }
@@ -20031,7 +20040,7 @@ var ConnectionManager = class {
     this.running = false;
     this.stopHeartbeat();
     this.client.close(1e3, "shutdown");
-    log22.info("ConnectionManager stopped");
+    log23.info("ConnectionManager stopped");
   }
   /** 当前是否已连接 (WebSocket readyState === OPEN) */
   get isConnected() {
@@ -20040,7 +20049,7 @@ var ConnectionManager = class {
 };
 // src/push/cockatoo-client.ts
-var log23 = createLogger("push/cockatoo-client");
+var log24 = createLogger("push/cockatoo-client");
 var DEFAULT_TIMEOUT_MS2 = 3e4;
 var CockatooPushError = class extends Error {
   constructor(status, body, endpoint) {
@@ -20074,7 +20083,7 @@ var CockatooClient = class {
     const base = config2.endpoint.replace(/\/+$/, "");
     this.pushUrl = `${base}/api/v1/push`;
     this.healthUrl = `${base}/health`;
-    log23.info("CockatooClient initialized", { endpoint: config2.endpoint });
+    log24.info("CockatooClient initialized", { endpoint: config2.endpoint });
   }
   /**
    * 推送消息到 Cockatoo 服务。
@@ -20105,7 +20114,7 @@ var CockatooClient = class {
       }
       throw new CockatooPushError(resp.status, body, this.pushUrl);
     }
-    log23.debug("push:sent", { type: payload.type });
+    log24.debug("push:sent", { type: payload.type });
   }
   /**
    * 执行一次健康检查。
@@ -20123,11 +20132,11 @@ var CockatooClient = class {
       });
       const isHealthy = resp.ok;
       if (!isHealthy) {
-        log23.warn("health-check:unhealthy", { status: resp.status });
+        log24.warn("health-check:unhealthy", { status: resp.status });
       }
       return isHealthy;
     } catch (err) {
-      log23.warn("health-check:error", { error: err.message });
+      log24.warn("health-check:error", { error: err.message });
       return false;
     }
   }
@@ -20139,7 +20148,7 @@ var CockatooClient = class {
         this.healthy = await this.healthCheck();
       } catch {
         this.healthy = false;
-        log23.warn("Cockatoo health check failed");
+        log24.warn("Cockatoo health check failed");
       }
     }, this.config.healthCheckIntervalMs ?? 6e4);
     if (typeof this.healthCheckTimer === "object" && "unref" in this.healthCheckTimer) {
@@ -20160,7 +20169,7 @@ var CockatooClient = class {
 };
 // src/push/push-queue.ts
-var log24 = createLogger("push/push-queue");
+var log25 = createLogger("push/push-queue");
 var RETRY_BASE_MS2 = 1e3;
 var PushQueue = class {
   client;
@@ -20202,7 +20211,7 @@ var PushQueue = class {
     this.unhealthyRetryMs = config2?.unhealthyRetryMs ?? 5e3;
     this.drainOnStop = config2?.drainOnStop ?? false;
     this.drainTimeoutMs = config2?.drainTimeoutMs ?? 5e3;
-    log24.info("PushQueue initialized", {
+    log25.info("PushQueue initialized", {
       maxSize: this.maxSize,
       retryAttempts: this.retryAttempts,
       processIntervalMs: this.processIntervalMs
@@ -20213,7 +20222,7 @@ var PushQueue = class {
   start() {
     if (this.running) return;
     this.running = true;
-    log24.info("PushQueue started");
+    log25.info("PushQueue started");
     this.scheduleNext(0);
   }
   /**
@@ -20227,10 +20236,10 @@ var PushQueue = class {
     this.running = false;
     this.clearTimer();
     if (this.drainOnStop && this.queue.length > 0) {
-      log24.info("PushQueue draining", { remaining: this.queue.length });
+      log25.info("PushQueue draining", { remaining: this.queue.length });
       await this.drain();
     }
-    log24.info("PushQueue stopped", {
+    log25.info("PushQueue stopped", {
       remaining: this.queue.length,
       sent: this.sentCount,
       dropped: this.droppedCount,
@@ -20245,13 +20254,13 @@ var PushQueue = class {
     if (this.queue.length >= this.maxSize) {
       const dropped = this.queue.shift();
       this.droppedCount++;
-      log24.warn("queue:full, dropping oldest", {
+      log25.warn("queue:full, dropping oldest", {
         droppedType: dropped?.payload.type,
         queueSize: this.queue.length
       });
     }
     this.queue.push({ payload, retries: 0, eligibleAt: 0 });
-    log24.debug("queue:enqueued", { type: payload.type, queueSize: this.queue.length });
+    log25.debug("queue:enqueued", { type: payload.type, queueSize: this.queue.length });
   }
   /** 当前队列长度 */
   get size() {
@@ -20276,7 +20285,7 @@ var PushQueue = class {
     this.clearTimer();
     this.processTimer = setTimeout(() => {
       this.tick().catch((err) => {
-        log24.error("tick:unexpected-error", { error: err.message });
+        log25.error("tick:unexpected-error", { error: err.message });
         if (this.running) {
           this.scheduleNext(this.idleIntervalMs);
         }
@@ -20298,7 +20307,7 @@ var PushQueue = class {
   async tick() {
     if (!this.running) return;
     if (!this.client.isHealthy) {
-      log24.debug("tick:service-unhealthy, pausing");
+      log25.debug("tick:service-unhealthy, pausing");
       this.scheduleNext(this.unhealthyRetryMs);
       return;
     }
@@ -20318,7 +20327,7 @@ var PushQueue = class {
     try {
       await this.processItem(item);
     } catch (err) {
-      log24.error("tick:process-unexpected", { error: err.message });
+      log25.error("tick:process-unexpected", { error: err.message });
     } finally {
       this.processing = false;
     }
@@ -20337,14 +20346,14 @@ var PushQueue = class {
     try {
       await this.client.push(item.payload);
       this.sentCount++;
-      log24.debug("push:success", {
+      log25.debug("push:success", {
         type: item.payload.type,
         retries: item.retries
       });
     } catch (err) {
       if (err instanceof CockatooPushError && err.isClientError) {
         this.droppedCount++;
-        log24.warn("push:4xx-dropped", {
+        log25.warn("push:4xx-dropped", {
           type: item.payload.type,
           status: err.status,
           retries: item.retries
@@ -20353,7 +20362,7 @@ var PushQueue = class {
       }
       if (item.retries >= this.retryAttempts) {
         this.droppedCount++;
-        log24.error("push:max-retries-dropped", {
+        log25.error("push:max-retries-dropped", {
           type: item.payload.type,
           retries: item.retries,
           error: err.message
@@ -20366,7 +20375,7 @@ var PushQueue = class {
       item.eligibleAt = Date.now() + backoffMs;
       this.queue.push(item);
       const errorDetail = err instanceof CockatooPushError ? `HTTP ${err.status}` : err.message;
-      log24.warn("push:retry-enqueued", {
+      log25.warn("push:retry-enqueued", {
         type: item.payload.type,
         retries: item.retries,
         backoffMs,
@@ -20390,22 +20399,22 @@ var PushQueue = class {
       try {
         await this.client.push(item.payload);
         this.sentCount++;
-        log24.debug("drain:sent", { type: item.payload.type });
+        log25.debug("drain:sent", { type: item.payload.type });
       } catch (err) {
         this.droppedCount++;
-        log24.warn("drain:dropped", {
+        log25.warn("drain:dropped", {
           type: item.payload.type,
           error: err.message
         });
       }
     }
     if (this.queue.length > 0) {
-      log24.warn("drain:timeout", {
+      log25.warn("drain:timeout", {
         remaining: this.queue.length,
         timeoutMs: this.drainTimeoutMs
       });
     } else {
-      log24.info("drain:complete");
+      log25.info("drain:complete");
     }
   }
   // ── 内部工具 ──
@@ -20419,43 +20428,32 @@ var PushQueue = class {
 };
 // src/index.ts
-var log25 = createLogger("plugin");
+var log26 = createLogger("plugin");
 async function startPlugin(accountConfig, internalOverrides) {
   const config2 = buildPluginConfig(accountConfig, internalOverrides);
-  log25.info("Config built \u2713", { pluginId: config2.pluginId });
+  log26.info("Config built \u2713", { pluginId: config2.pluginId });
   let cryptoEngine;
   if (config2.crypto.enabled) {
-    cryptoEngine = new CryptoEngine();
+    cryptoEngine = new CryptoEngine({ credentials: accountConfig });
     await cryptoEngine.init();
-    log25.info("Crypto initialized \u2713");
+    log26.info("Crypto initialized \u2713");
   } else {
     cryptoEngine = CryptoEngine.createPassthrough();
-    log25.info("Crypto passthrough mode \u2713 (disabled by config)");
-  }
-  const sealClient = new SealClient({
-    serverUrl: config2.auth.serverUrl,
-    clientName: config2.auth.clientName,
-    clientId: config2.auth.clientId,
-    clientSecret: config2.auth.clientSecret,
-    scopes: config2.auth.scopes
+    log26.info("Crypto passthrough mode \u2713 (disabled by config)");
+  }
+  const oauthClient = new OAuthClient({
+    baseUrl: config2.auth.serverUrl,
+    appId: accountConfig.appId,
+    appSecret: accountConfig.appSecret
   });
-  const tokenStorePath = (0, import_node_path2.join)((0, import_node_os.homedir)(), TOKEN_STORE_DIR, "tokens");
+  const tokenStorePath = (0, import_node_path3.join)((0, import_node_os.homedir)(), TOKEN_STORE_DIR, "tokens");
   const tokenStore = new TokenStore(tokenStorePath, cryptoEngine);
   const tokenManager = new TokenManager({
-    sealClient,
+    oauthClient,
     tokenStore,
-    refreshAheadMs: config2.auth.refreshAheadMs,
-    autoRegisterParams: config2.auth.autoRegister ? {
-      clientName: config2.auth.clientName,
-      scopes: config2.auth.scopes,
-      tokenSettings: config2.auth.tokenSettings ? {
-        accessTokenTtl: config2.auth.tokenSettings.accessTokenTtl,
-        refreshTokenTtl: config2.auth.tokenSettings.refreshTokenTtl,
-        accessTokenFormat: config2.auth.tokenSettings.accessTokenFormat
-      } : void 0
-    } : void 0
+    refreshAheadMs: config2.auth.refreshAheadMs
   });
-  log25.info("Auth initialized \u2713");
+  log26.info("Auth initialized \u2713");
   let pushQueue = null;
   let cockatooClient = null;
   if (config2.push?.enabled) {
@@ -20470,7 +20468,7 @@ async function startPlugin(accountConfig, internalOverrides) {
     });
     cockatooClient.startHealthCheck();
     pushQueue.start();
-    log25.info("Push initialized \u2713");
+    log26.info("Push initialized \u2713");
   }
   const wsClient = new WSClient();
   const dedup = new MessageDedup(config2.transport.dedup);
@@ -20488,8 +20486,8 @@ async function startPlugin(accountConfig, internalOverrides) {
     reconnectMaxMs: config2.transport.reconnectMaxMs,
     maxReconnectAttempts: config2.transport.maxReconnectAttempts
   });
-  log25.info("Transport initialized \u2713");
-  log25.info("Plugin started \u2713");
+  log26.info("Transport initialized \u2713");
+  log26.info("Plugin started \u2713");
   return {
     config: config2,
     messagePipe,
@@ -20497,12 +20495,12 @@ async function startPlugin(accountConfig, internalOverrides) {
     tokenManager,
     pushQueue,
     shutdown: async () => {
-      log25.info("Shutting down...");
+      log26.info("Shutting down...");
       await connectionManager.stop();
       if (pushQueue) await pushQueue.stop();
       if (cockatooClient) cockatooClient.stopHealthCheck();
       tokenManager.shutdown();
-      log25.info("Shutdown complete \u2713");
+      log26.info("Shutdown complete \u2713");
     }
   };
 }
@@ -20512,7 +20510,7 @@ var plugin = {
   description: "Quantum-encrypted IM channel plugin",
   register(api) {
     api.registerChannel({ plugin: quantumImPlugin });
-    log25.info("plugin registered \u2713");
+    log26.info("plugin registered \u2713");
   }
 };
 var index_default = plugin;