liangzimixin 0.3.73 → 0.3.74

package/dist/index.cjs

@@ -18972,7 +18972,9 @@ async function resolveMedia(params) {
     sdkRuntime,
     maxBytes = 30 * 1024 * 1024,
     allowPrivateNetwork = false,
-    timeoutMs
+    timeoutMs,
+    messagePipe,
+    fileEncryptionMeta
   } = params;
   const client = createHttpClient({ baseUrl: serverUrl, tokenManager, timeoutMs });
   log11.info("download:getUrl", { fileId });
@@ -18989,9 +18991,15 @@ async function resolveMedia(params) {
     url: downloadInfo.fileUrl,
     ssrfPolicy: { allowPrivateNetwork }
   });
+  let fileBuffer = Buffer.from(fetched.buffer);
+  if (fileEncryptionMeta && messagePipe) {
+    log11.info("download:decrypting", { fileId, keyId: fileEncryptionMeta.keyId, encryptedSize: fileBuffer.length });
+    fileBuffer = Buffer.from(await messagePipe.decryptFile(fileBuffer, fileEncryptionMeta.keyId, fileEncryptionMeta.iv));
+    log11.info("download:decrypted", { fileId, encryptedSize: fetched.buffer.length, decryptedSize: fileBuffer.length });
+  }
   const contentType = fetched.contentType || downloadInfo.mimeType;
   const saved = await sdkRuntime.channel.media.saveMediaBuffer(
-    fetched.buffer,
+    fileBuffer,
     contentType,
     "inbound",
     maxBytes,
@@ -19035,7 +19043,9 @@ async function resolveContent(context, deps) {
       sdkRuntime: deps.sdkRuntime,
       maxBytes: deps.maxBytes,
       allowPrivateNetwork: deps.allowPrivateNetwork,
-      timeoutMs: deps.timeoutMs
+      timeoutMs: deps.timeoutMs,
+      messagePipe: deps.messagePipe,
+      fileEncryptionMeta: deps.fileEncryptionMeta
     });
     log12.info("resolveContent:downloaded", {
       fileId: context.fileId,
@@ -19394,7 +19404,9 @@ var InboundPipeline = class {
         sdkRuntime: core,
         maxBytes: this.deps.pluginConfig.file.maxFileSizeMb * 1024 * 1024,
         allowPrivateNetwork: this.deps.pluginConfig.file.allowPrivateNetwork,
-        timeoutMs: this.deps.pluginConfig.file.fetchTimeoutMs
+        timeoutMs: this.deps.pluginConfig.file.fetchTimeoutMs,
+        messagePipe: this.deps.messagePipe,
+        fileEncryptionMeta: msg.fileEncryptionMeta
       });
       const payload = buildInboundPayload(msg, resolvedContent, this.deps.pluginConfig);
       const { sdkConfig } = this.deps;
@@ -21072,6 +21084,48 @@ var MessagePipe = class _MessagePipe {
     });
     return { encryptedBuffer, keyId, iv };
   }
+  /**
+   * 解密文件 Buffer — 按分片解密，返回解密后的 Buffer。
+   * 用于入站加密文件消息的下载后解密。
+   *
+   * 如果 CryptoEngine 为透传模式，直接返回原始 buffer。
+   *
+   * @param buffer - 加密的文件 Buffer
+   * @param keyId  - 加密时的密钥标识 (来自 extraContent.sessionId)
+   * @param iv     - 初始化向量 (来自 extraContent.cryptoIv)
+   * @returns 解密后的 Buffer
+   */
+  async decryptFile(buffer, keyId, iv) {
+    const chunkSize = 10 * 1024 * 1024 + 16;
+    const totalChunks = Math.ceil(buffer.length / chunkSize);
+    let sessionKey = "";
+    let fillKey = "";
+    const decryptedChunks = [];
+    for (let i = 0; i < totalChunks; i++) {
+      const start = i * chunkSize;
+      const end = Math.min(start + chunkSize, buffer.length);
+      const chunk = buffer.subarray(start, end);
+      const options = sessionKey ? { sessionKey, fillKey } : void 0;
+      const result = await this.crypto.decryptFileChunk(chunk, keyId, iv, options);
+      decryptedChunks.push(result.fileBuffer);
+      sessionKey = result.sessionKey;
+      fillKey = result.fillKey;
+      log25.debug("\u{1F513} \u6587\u4EF6\u5206\u7247\u89E3\u5BC6", {
+        chunk: `${i + 1}/${totalChunks}`,
+        encryptedSize: chunk.length,
+        decryptedSize: result.fileBuffer.length,
+        keyId
+      });
+    }
+    const decryptedBuffer = Buffer.concat(decryptedChunks);
+    log25.info("\u{1F513} \u6587\u4EF6\u89E3\u5BC6\u5B8C\u6210", {
+      encryptedSize: buffer.length,
+      decryptedSize: decryptedBuffer.length,
+      totalChunks,
+      keyId
+    });
+    return decryptedBuffer;
+  }
   /** 文件类消息类型集合 — 这些类型的加密消息保留原始 content（文件元数据） */
   static FILE_MSG_TYPES = /* @__PURE__ */ new Set(["image", "file", "voice", "video"]);
   /**
@@ -21384,10 +21438,17 @@ var MessagePipe = class _MessagePipe {
     });
     const extraContent = callbackData.extraContent;
     let isEncrypted = false;
+    let fileEncryptionMeta;
     if (typeof extraContent === "string" && extraContent.length > 0) {
       try {
         const parsed = JSON.parse(extraContent);
-        isEncrypted = Boolean(parsed.encryptMsg);
+        if (parsed.encryptMsg) {
+          isEncrypted = true;
+        } else if (parsed.sessionId) {
+          isEncrypted = true;
+          fileEncryptionMeta = { keyId: parsed.sessionId, iv: parsed.cryptoIv ?? "" };
+          log25.info("\u{1F512} \u5165\u7AD9\u6587\u4EF6\u6D88\u606F\u5DF2\u6807\u8BB0\u52A0\u5BC6", { msgUid: callbackData.msgUid, keyId: parsed.sessionId });
+        }
       } catch {
         log25.debug("\u2139\uFE0F extraContent \u4E0D\u662F\u6709\u6548 JSON\uFF0C\u89C6\u4E3A\u660E\u6587", { msgUid: callbackData.msgUid });
       }
@@ -21468,7 +21529,8 @@ var MessagePipe = class _MessagePipe {
       msgType: callbackData.type,
       content: JSON.stringify(contentObj),
       timestamp: Date.now(),
-      isEncrypted
+      isEncrypted,
+      fileEncryptionMeta
     };
     log25.debug("\u{1F4E8} \u89E3\u6790 WS \u5E27", { messageId: msg.messageId, eventType: callbackData.eventType });
     if (this.dedup.isDuplicate(msg.messageId)) {

package/dist/index.d.cts

@@ -195,6 +195,11 @@ interface InboundMessage {
     replyToMessageId?: string;
     /** 入站消息是否经过加密 — 用于决定回复是否也需要加密 */
     isEncrypted?: boolean;
+    /** 文件加密元数据 — 入站文件消息解密所需的 keyId/iv (来自 extraContent.sessionId + cryptoIv) */
+    fileEncryptionMeta?: {
+        keyId: string;
+        iv: string;
+    };
 }
 /** 出站消息 — 插件向 IM 服务器发送的消息 */
 interface OutboundMessage {
@@ -922,6 +927,18 @@ declare class MessagePipe {
         keyId: string;
         iv: string;
     }>;
+    /**
+     * 解密文件 Buffer — 按分片解密，返回解密后的 Buffer。
+     * 用于入站加密文件消息的下载后解密。
+     *
+     * 如果 CryptoEngine 为透传模式，直接返回原始 buffer。
+     *
+     * @param buffer - 加密的文件 Buffer
+     * @param keyId  - 加密时的密钥标识 (来自 extraContent.sessionId)
+     * @param iv     - 初始化向量 (来自 extraContent.cryptoIv)
+     * @returns 解密后的 Buffer
+     */
+    decryptFile(buffer: Buffer, keyId: string, iv: string): Promise<Buffer>;
     /** 文件类消息类型集合 — 这些类型的加密消息保留原始 content（文件元数据） */
     private static readonly FILE_MSG_TYPES;
     /**

package/dist/setup-entry.cjs

@@ -19970,6 +19970,48 @@ var MessagePipe = class _MessagePipe {
     });
     return { encryptedBuffer, keyId, iv };
   }
+  /**
+   * 解密文件 Buffer — 按分片解密，返回解密后的 Buffer。
+   * 用于入站加密文件消息的下载后解密。
+   *
+   * 如果 CryptoEngine 为透传模式，直接返回原始 buffer。
+   *
+   * @param buffer - 加密的文件 Buffer
+   * @param keyId  - 加密时的密钥标识 (来自 extraContent.sessionId)
+   * @param iv     - 初始化向量 (来自 extraContent.cryptoIv)
+   * @returns 解密后的 Buffer
+   */
+  async decryptFile(buffer, keyId, iv) {
+    const chunkSize = 10 * 1024 * 1024 + 16;
+    const totalChunks = Math.ceil(buffer.length / chunkSize);
+    let sessionKey = "";
+    let fillKey = "";
+    const decryptedChunks = [];
+    for (let i = 0; i < totalChunks; i++) {
+      const start = i * chunkSize;
+      const end = Math.min(start + chunkSize, buffer.length);
+      const chunk = buffer.subarray(start, end);
+      const options = sessionKey ? { sessionKey, fillKey } : void 0;
+      const result = await this.crypto.decryptFileChunk(chunk, keyId, iv, options);
+      decryptedChunks.push(result.fileBuffer);
+      sessionKey = result.sessionKey;
+      fillKey = result.fillKey;
+      log16.debug("\u{1F513} \u6587\u4EF6\u5206\u7247\u89E3\u5BC6", {
+        chunk: `${i + 1}/${totalChunks}`,
+        encryptedSize: chunk.length,
+        decryptedSize: result.fileBuffer.length,
+        keyId
+      });
+    }
+    const decryptedBuffer = Buffer.concat(decryptedChunks);
+    log16.info("\u{1F513} \u6587\u4EF6\u89E3\u5BC6\u5B8C\u6210", {
+      encryptedSize: buffer.length,
+      decryptedSize: decryptedBuffer.length,
+      totalChunks,
+      keyId
+    });
+    return decryptedBuffer;
+  }
   /** 文件类消息类型集合 — 这些类型的加密消息保留原始 content（文件元数据） */
   static FILE_MSG_TYPES = /* @__PURE__ */ new Set(["image", "file", "voice", "video"]);
   /**
@@ -20282,10 +20324,17 @@ var MessagePipe = class _MessagePipe {
     });
     const extraContent = callbackData.extraContent;
     let isEncrypted = false;
+    let fileEncryptionMeta;
     if (typeof extraContent === "string" && extraContent.length > 0) {
       try {
         const parsed = JSON.parse(extraContent);
-        isEncrypted = Boolean(parsed.encryptMsg);
+        if (parsed.encryptMsg) {
+          isEncrypted = true;
+        } else if (parsed.sessionId) {
+          isEncrypted = true;
+          fileEncryptionMeta = { keyId: parsed.sessionId, iv: parsed.cryptoIv ?? "" };
+          log16.info("\u{1F512} \u5165\u7AD9\u6587\u4EF6\u6D88\u606F\u5DF2\u6807\u8BB0\u52A0\u5BC6", { msgUid: callbackData.msgUid, keyId: parsed.sessionId });
+        }
       } catch {
         log16.debug("\u2139\uFE0F extraContent \u4E0D\u662F\u6709\u6548 JSON\uFF0C\u89C6\u4E3A\u660E\u6587", { msgUid: callbackData.msgUid });
       }
@@ -20366,7 +20415,8 @@ var MessagePipe = class _MessagePipe {
       msgType: callbackData.type,
       content: JSON.stringify(contentObj),
       timestamp: Date.now(),
-      isEncrypted
+      isEncrypted,
+      fileEncryptionMeta
     };
     log16.debug("\u{1F4E8} \u89E3\u6790 WS \u5E27", { messageId: msg.messageId, eventType: callbackData.eventType });
     if (this.dedup.isDuplicate(msg.messageId)) {
@@ -21360,7 +21410,9 @@ async function resolveMedia(params) {
     sdkRuntime,
     maxBytes = 30 * 1024 * 1024,
     allowPrivateNetwork = false,
-    timeoutMs
+    timeoutMs,
+    messagePipe,
+    fileEncryptionMeta
   } = params;
   const client = createHttpClient({ baseUrl: serverUrl, tokenManager, timeoutMs });
   log24.info("download:getUrl", { fileId });
@@ -21377,9 +21429,15 @@ async function resolveMedia(params) {
     url: downloadInfo.fileUrl,
     ssrfPolicy: { allowPrivateNetwork }
   });
+  let fileBuffer = Buffer.from(fetched.buffer);
+  if (fileEncryptionMeta && messagePipe) {
+    log24.info("download:decrypting", { fileId, keyId: fileEncryptionMeta.keyId, encryptedSize: fileBuffer.length });
+    fileBuffer = Buffer.from(await messagePipe.decryptFile(fileBuffer, fileEncryptionMeta.keyId, fileEncryptionMeta.iv));
+    log24.info("download:decrypted", { fileId, encryptedSize: fetched.buffer.length, decryptedSize: fileBuffer.length });
+  }
   const contentType = fetched.contentType || downloadInfo.mimeType;
   const saved = await sdkRuntime.channel.media.saveMediaBuffer(
-    fetched.buffer,
+    fileBuffer,
     contentType,
     "inbound",
     maxBytes,
@@ -21423,7 +21481,9 @@ async function resolveContent(context, deps) {
       sdkRuntime: deps.sdkRuntime,
       maxBytes: deps.maxBytes,
       allowPrivateNetwork: deps.allowPrivateNetwork,
-      timeoutMs: deps.timeoutMs
+      timeoutMs: deps.timeoutMs,
+      messagePipe: deps.messagePipe,
+      fileEncryptionMeta: deps.fileEncryptionMeta
     });
     log25.info("resolveContent:downloaded", {
       fileId: context.fileId,
@@ -21770,7 +21830,9 @@ var InboundPipeline = class {
         sdkRuntime: core,
         maxBytes: this.deps.pluginConfig.file.maxFileSizeMb * 1024 * 1024,
         allowPrivateNetwork: this.deps.pluginConfig.file.allowPrivateNetwork,
-        timeoutMs: this.deps.pluginConfig.file.fetchTimeoutMs
+        timeoutMs: this.deps.pluginConfig.file.fetchTimeoutMs,
+        messagePipe: this.deps.messagePipe,
+        fileEncryptionMeta: msg.fileEncryptionMeta
       });
       const payload = buildInboundPayload(msg, resolvedContent, this.deps.pluginConfig);
       const { sdkConfig } = this.deps;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "liangzimixin",
-  "version": "0.3.73",
+  "version": "0.3.74",
   "description": "Quantum-encrypted IM channel plugin for OpenClaw",
   "type": "module",
   "main": "dist/index.cjs",

package/scripts/liangzimixin_install.bat

@@ -7,7 +7,7 @@ REM  liangzimixin install script (Windows)
 REM  Usage: liangzimixin_install.bat <appId> <appSecret> [quantumAccount]
 REM ============================================================
 
-set "SCRIPT_VERSION=0.3.73"
+set "SCRIPT_VERSION=0.3.74"
 set "NPM_PACKAGE=liangzimixin"
 
 set "SKIP_SELF_UPDATE=0"

package/scripts/liangzimixin_install.sh

@@ -6,7 +6,7 @@ set -euo pipefail
 #  用法: ./liangzimixin_install.sh <appId> <appSecret> [quantumAccount]
 # ============================================================
 
-SCRIPT_VERSION="0.3.73"
+SCRIPT_VERSION="0.3.74"
 NPM_PACKAGE="liangzimixin"
 
 # ── 颜色 ──────────────────────────────────────────────────────