liangzimixin 0.3.73 → 0.3.75

package/dist/index.cjs

@@ -18972,7 +18972,9 @@ async function resolveMedia(params) {
     sdkRuntime,
     maxBytes = 30 * 1024 * 1024,
     allowPrivateNetwork = false,
-    timeoutMs
+    timeoutMs,
+    messagePipe,
+    fileEncryptionMeta
   } = params;
   const client = createHttpClient({ baseUrl: serverUrl, tokenManager, timeoutMs });
   log11.info("download:getUrl", { fileId });
@@ -18989,9 +18991,15 @@ async function resolveMedia(params) {
     url: downloadInfo.fileUrl,
     ssrfPolicy: { allowPrivateNetwork }
   });
+  let fileBuffer = Buffer.from(fetched.buffer);
+  if (fileEncryptionMeta && messagePipe) {
+    log11.info("download:decrypting", { fileId, keyId: fileEncryptionMeta.keyId, encryptedSize: fileBuffer.length });
+    fileBuffer = Buffer.from(await messagePipe.decryptFile(fileBuffer, fileEncryptionMeta.keyId, fileEncryptionMeta.iv));
+    log11.info("download:decrypted", { fileId, encryptedSize: fetched.buffer.length, decryptedSize: fileBuffer.length });
+  }
   const contentType = fetched.contentType || downloadInfo.mimeType;
   const saved = await sdkRuntime.channel.media.saveMediaBuffer(
-    fetched.buffer,
+    fileBuffer,
     contentType,
     "inbound",
     maxBytes,
@@ -19035,7 +19043,9 @@ async function resolveContent(context, deps) {
       sdkRuntime: deps.sdkRuntime,
       maxBytes: deps.maxBytes,
       allowPrivateNetwork: deps.allowPrivateNetwork,
-      timeoutMs: deps.timeoutMs
+      timeoutMs: deps.timeoutMs,
+      messagePipe: deps.messagePipe,
+      fileEncryptionMeta: deps.fileEncryptionMeta
     });
     log12.info("resolveContent:downloaded", {
       fileId: context.fileId,
@@ -19394,7 +19404,9 @@ var InboundPipeline = class {
         sdkRuntime: core,
         maxBytes: this.deps.pluginConfig.file.maxFileSizeMb * 1024 * 1024,
         allowPrivateNetwork: this.deps.pluginConfig.file.allowPrivateNetwork,
-        timeoutMs: this.deps.pluginConfig.file.fetchTimeoutMs
+        timeoutMs: this.deps.pluginConfig.file.fetchTimeoutMs,
+        messagePipe: this.deps.messagePipe,
+        fileEncryptionMeta: msg.fileEncryptionMeta
       });
       const payload = buildInboundPayload(msg, resolvedContent, this.deps.pluginConfig);
       const { sdkConfig } = this.deps;
@@ -20563,6 +20575,16 @@ var TokenManager = class {
   isAuthorized() {
     return this.cachedToken !== null;
   }
+  /**
+   * 失效当前内存缓存的 Token — 下次 getValidToken() 将重新获取。
+   * 用于出站 HTTP 收到 401 时主动清除可能已过期的 Token。
+   * 注意: 不清除文件存储，_acquireToken 会重新获取并覆盖。
+   */
+  invalidate() {
+    this.cachedToken = null;
+    this.currentTokenData = null;
+    log21.info("Token invalidated (will re-acquire on next call)");
+  }
   /** 废置并清除所有令牌 (包括文件存储和内存缓存) */
   async revokeAndClear() {
     this.clearRefreshTimer();
@@ -20966,6 +20988,8 @@ var MessagePipe = class _MessagePipe {
   crypto;
   /** 获取最新 access_token 的回调 (用于 HMAC 验签和出站 Bearer 认证) */
   tokenFn;
+  /** 失效当前 Token 缓存的回调 — 收到 401 时调用，强制下次 tokenFn 重新获取 */
+  invalidateTokenFn;
   /** 消息服务 API 基础地址 (用于出站发送/撤回) */
   messageServiceBaseUrl;
   /** L4 层注册的入站消息回调 */
@@ -20985,6 +21009,7 @@ var MessagePipe = class _MessagePipe {
     this.dedup = deps.dedup;
     this.crypto = deps.crypto;
     this.tokenFn = deps.tokenFn;
+    this.invalidateTokenFn = deps.invalidateTokenFn;
     this.messageServiceBaseUrl = deps.messageServiceBaseUrl;
     this.quantumAccount = deps.quantumAccount;
     this.encryptionMode = deps.encryptionMode;
@@ -21072,6 +21097,48 @@ var MessagePipe = class _MessagePipe {
     });
     return { encryptedBuffer, keyId, iv };
   }
+  /**
+   * 解密文件 Buffer — 按分片解密，返回解密后的 Buffer。
+   * 用于入站加密文件消息的下载后解密。
+   *
+   * 如果 CryptoEngine 为透传模式，直接返回原始 buffer。
+   *
+   * @param buffer - 加密的文件 Buffer
+   * @param keyId  - 加密时的密钥标识 (来自 extraContent.sessionId)
+   * @param iv     - 初始化向量 (来自 extraContent.cryptoIv)
+   * @returns 解密后的 Buffer
+   */
+  async decryptFile(buffer, keyId, iv) {
+    const chunkSize = 10 * 1024 * 1024 + 16;
+    const totalChunks = Math.ceil(buffer.length / chunkSize);
+    let sessionKey = "";
+    let fillKey = "";
+    const decryptedChunks = [];
+    for (let i = 0; i < totalChunks; i++) {
+      const start = i * chunkSize;
+      const end = Math.min(start + chunkSize, buffer.length);
+      const chunk = buffer.subarray(start, end);
+      const options = sessionKey ? { sessionKey, fillKey } : void 0;
+      const result = await this.crypto.decryptFileChunk(chunk, keyId, iv, options);
+      decryptedChunks.push(result.fileBuffer);
+      sessionKey = result.sessionKey;
+      fillKey = result.fillKey;
+      log25.debug("\u{1F513} \u6587\u4EF6\u5206\u7247\u89E3\u5BC6", {
+        chunk: `${i + 1}/${totalChunks}`,
+        encryptedSize: chunk.length,
+        decryptedSize: result.fileBuffer.length,
+        keyId
+      });
+    }
+    const decryptedBuffer = Buffer.concat(decryptedChunks);
+    log25.info("\u{1F513} \u6587\u4EF6\u89E3\u5BC6\u5B8C\u6210", {
+      encryptedSize: buffer.length,
+      decryptedSize: decryptedBuffer.length,
+      totalChunks,
+      keyId
+    });
+    return decryptedBuffer;
+  }
   /** 文件类消息类型集合 — 这些类型的加密消息保留原始 content（文件元数据） */
   static FILE_MSG_TYPES = /* @__PURE__ */ new Set(["image", "file", "voice", "video"]);
   /**
@@ -21246,6 +21313,11 @@ var MessagePipe = class _MessagePipe {
         url: url2,
         body
       });
+      if (resp.status === 401 && this.invalidateTokenFn) {
+        log25.warn(`${logTag}:token-expired, invalidating cached token for retry`);
+        this.invalidateTokenFn();
+        return { code: -1, msg: `HTTP ${resp.status}`, _retryable: true };
+      }
       return { code: -1, msg: `HTTP ${resp.status}`, _retryable: resp.status >= 500 };
     }
     const result = await resp.json();
@@ -21281,7 +21353,7 @@ var MessagePipe = class _MessagePipe {
       const result = await this._callMessageApiOnce(url2, body, logTag);
       if (result && "_retryable" in result) {
         if (result._retryable) {
-          log25.warn(`${logTag}:retrying after 5xx`, { url: url2 });
+          log25.warn(`${logTag}:retrying after ${result.msg}`, { url: url2 });
           await new Promise((r) => setTimeout(r, 1e3));
           try {
             const retryResult = await this._callMessageApiOnce(url2, body, `${logTag}:retry`);
@@ -21384,10 +21456,17 @@ var MessagePipe = class _MessagePipe {
     });
     const extraContent = callbackData.extraContent;
     let isEncrypted = false;
+    let fileEncryptionMeta;
     if (typeof extraContent === "string" && extraContent.length > 0) {
       try {
         const parsed = JSON.parse(extraContent);
-        isEncrypted = Boolean(parsed.encryptMsg);
+        if (parsed.encryptMsg) {
+          isEncrypted = true;
+        } else if (parsed.sessionId) {
+          isEncrypted = true;
+          fileEncryptionMeta = { keyId: parsed.sessionId, iv: parsed.cryptoIv ?? "" };
+          log25.info("\u{1F512} \u5165\u7AD9\u6587\u4EF6\u6D88\u606F\u5DF2\u6807\u8BB0\u52A0\u5BC6", { msgUid: callbackData.msgUid, keyId: parsed.sessionId });
+        }
       } catch {
         log25.debug("\u2139\uFE0F extraContent \u4E0D\u662F\u6709\u6548 JSON\uFF0C\u89C6\u4E3A\u660E\u6587", { msgUid: callbackData.msgUid });
       }
@@ -21468,7 +21547,8 @@ var MessagePipe = class _MessagePipe {
       msgType: callbackData.type,
       content: JSON.stringify(contentObj),
       timestamp: Date.now(),
-      isEncrypted
+      isEncrypted,
+      fileEncryptionMeta
     };
     log25.debug("\u{1F4E8} \u89E3\u6790 WS \u5E27", { messageId: msg.messageId, eventType: callbackData.eventType });
     if (this.dedup.isDuplicate(msg.messageId)) {
@@ -22199,6 +22279,7 @@ async function startPlugin(accountConfig, internalOverrides) {
     dedup,
     crypto: cryptoEngine,
     tokenFn: () => tokenManager.getValidToken(),
+    invalidateTokenFn: () => tokenManager.invalidate(),
     messageServiceBaseUrl: config2.message.messageServiceBaseUrl,
     quantumAccount: accountConfig.quantumAccount,
     encryptionMode: accountConfig.encryptionMode,

package/dist/index.d.cts

@@ -195,6 +195,11 @@ interface InboundMessage {
     replyToMessageId?: string;
     /** 入站消息是否经过加密 — 用于决定回复是否也需要加密 */
     isEncrypted?: boolean;
+    /** 文件加密元数据 — 入站文件消息解密所需的 keyId/iv (来自 extraContent.sessionId + cryptoIv) */
+    fileEncryptionMeta?: {
+        keyId: string;
+        iv: string;
+    };
 }
 /** 出站消息 — 插件向 IM 服务器发送的消息 */
 interface OutboundMessage {
@@ -645,6 +650,12 @@ declare class TokenManager {
     hasScope(scope: string): boolean;
     /** 检查是否已授权 (是否持有有效令牌) */
     isAuthorized(): boolean;
+    /**
+     * 失效当前内存缓存的 Token — 下次 getValidToken() 将重新获取。
+     * 用于出站 HTTP 收到 401 时主动清除可能已过期的 Token。
+     * 注意: 不清除文件存储，_acquireToken 会重新获取并覆盖。
+     */
+    invalidate(): void;
     /** 废置并清除所有令牌 (包括文件存储和内存缓存) */
     revokeAndClear(): Promise<void>;
     /** 清理定时器和并发锁 — 优雅关闭时调用 */
@@ -861,6 +872,8 @@ declare class MessagePipe {
     private readonly crypto;
     /** 获取最新 access_token 的回调 (用于 HMAC 验签和出站 Bearer 认证) */
     private readonly tokenFn;
+    /** 失效当前 Token 缓存的回调 — 收到 401 时调用，强制下次 tokenFn 重新获取 */
+    private readonly invalidateTokenFn?;
     /** 消息服务 API 基础地址 (用于出站发送/撤回) */
     private readonly messageServiceBaseUrl;
     /** L4 层注册的入站消息回调 */
@@ -881,6 +894,8 @@ declare class MessagePipe {
         crypto: CryptoEngine;
         /** TokenManager.getValidToken — 用于验签和出站认证 */
         tokenFn: () => Promise<string>;
+        /** TokenManager.invalidate — 收到 401 时清除 Token 缓存 */
+        invalidateTokenFn?: () => void;
         /** 消息服务 API 基础地址 */
         messageServiceBaseUrl: string;
         /** 量子账户标识 — 用于判断是否具备解密能力 */
@@ -922,6 +937,18 @@ declare class MessagePipe {
         keyId: string;
         iv: string;
     }>;
+    /**
+     * 解密文件 Buffer — 按分片解密，返回解密后的 Buffer。
+     * 用于入站加密文件消息的下载后解密。
+     *
+     * 如果 CryptoEngine 为透传模式，直接返回原始 buffer。
+     *
+     * @param buffer - 加密的文件 Buffer
+     * @param keyId  - 加密时的密钥标识 (来自 extraContent.sessionId)
+     * @param iv     - 初始化向量 (来自 extraContent.cryptoIv)
+     * @returns 解密后的 Buffer
+     */
+    decryptFile(buffer: Buffer, keyId: string, iv: string): Promise<Buffer>;
     /** 文件类消息类型集合 — 这些类型的加密消息保留原始 content（文件元数据） */
     private static readonly FILE_MSG_TYPES;
     /**

package/dist/setup-entry.cjs

@@ -19461,6 +19461,16 @@ var TokenManager = class {
   isAuthorized() {
     return this.cachedToken !== null;
   }
+  /**
+   * 失效当前内存缓存的 Token — 下次 getValidToken() 将重新获取。
+   * 用于出站 HTTP 收到 401 时主动清除可能已过期的 Token。
+   * 注意: 不清除文件存储，_acquireToken 会重新获取并覆盖。
+   */
+  invalidate() {
+    this.cachedToken = null;
+    this.currentTokenData = null;
+    log12.info("Token invalidated (will re-acquire on next call)");
+  }
   /** 废置并清除所有令牌 (包括文件存储和内存缓存) */
   async revokeAndClear() {
     this.clearRefreshTimer();
@@ -19864,6 +19874,8 @@ var MessagePipe = class _MessagePipe {
   crypto;
   /** 获取最新 access_token 的回调 (用于 HMAC 验签和出站 Bearer 认证) */
   tokenFn;
+  /** 失效当前 Token 缓存的回调 — 收到 401 时调用，强制下次 tokenFn 重新获取 */
+  invalidateTokenFn;
   /** 消息服务 API 基础地址 (用于出站发送/撤回) */
   messageServiceBaseUrl;
   /** L4 层注册的入站消息回调 */
@@ -19883,6 +19895,7 @@ var MessagePipe = class _MessagePipe {
     this.dedup = deps.dedup;
     this.crypto = deps.crypto;
     this.tokenFn = deps.tokenFn;
+    this.invalidateTokenFn = deps.invalidateTokenFn;
     this.messageServiceBaseUrl = deps.messageServiceBaseUrl;
     this.quantumAccount = deps.quantumAccount;
     this.encryptionMode = deps.encryptionMode;
@@ -19970,6 +19983,48 @@ var MessagePipe = class _MessagePipe {
     });
     return { encryptedBuffer, keyId, iv };
   }
+  /**
+   * 解密文件 Buffer — 按分片解密，返回解密后的 Buffer。
+   * 用于入站加密文件消息的下载后解密。
+   *
+   * 如果 CryptoEngine 为透传模式，直接返回原始 buffer。
+   *
+   * @param buffer - 加密的文件 Buffer
+   * @param keyId  - 加密时的密钥标识 (来自 extraContent.sessionId)
+   * @param iv     - 初始化向量 (来自 extraContent.cryptoIv)
+   * @returns 解密后的 Buffer
+   */
+  async decryptFile(buffer, keyId, iv) {
+    const chunkSize = 10 * 1024 * 1024 + 16;
+    const totalChunks = Math.ceil(buffer.length / chunkSize);
+    let sessionKey = "";
+    let fillKey = "";
+    const decryptedChunks = [];
+    for (let i = 0; i < totalChunks; i++) {
+      const start = i * chunkSize;
+      const end = Math.min(start + chunkSize, buffer.length);
+      const chunk = buffer.subarray(start, end);
+      const options = sessionKey ? { sessionKey, fillKey } : void 0;
+      const result = await this.crypto.decryptFileChunk(chunk, keyId, iv, options);
+      decryptedChunks.push(result.fileBuffer);
+      sessionKey = result.sessionKey;
+      fillKey = result.fillKey;
+      log16.debug("\u{1F513} \u6587\u4EF6\u5206\u7247\u89E3\u5BC6", {
+        chunk: `${i + 1}/${totalChunks}`,
+        encryptedSize: chunk.length,
+        decryptedSize: result.fileBuffer.length,
+        keyId
+      });
+    }
+    const decryptedBuffer = Buffer.concat(decryptedChunks);
+    log16.info("\u{1F513} \u6587\u4EF6\u89E3\u5BC6\u5B8C\u6210", {
+      encryptedSize: buffer.length,
+      decryptedSize: decryptedBuffer.length,
+      totalChunks,
+      keyId
+    });
+    return decryptedBuffer;
+  }
   /** 文件类消息类型集合 — 这些类型的加密消息保留原始 content（文件元数据） */
   static FILE_MSG_TYPES = /* @__PURE__ */ new Set(["image", "file", "voice", "video"]);
   /**
@@ -20144,6 +20199,11 @@ var MessagePipe = class _MessagePipe {
         url: url2,
         body
       });
+      if (resp.status === 401 && this.invalidateTokenFn) {
+        log16.warn(`${logTag}:token-expired, invalidating cached token for retry`);
+        this.invalidateTokenFn();
+        return { code: -1, msg: `HTTP ${resp.status}`, _retryable: true };
+      }
       return { code: -1, msg: `HTTP ${resp.status}`, _retryable: resp.status >= 500 };
     }
     const result = await resp.json();
@@ -20179,7 +20239,7 @@ var MessagePipe = class _MessagePipe {
       const result = await this._callMessageApiOnce(url2, body, logTag);
       if (result && "_retryable" in result) {
         if (result._retryable) {
-          log16.warn(`${logTag}:retrying after 5xx`, { url: url2 });
+          log16.warn(`${logTag}:retrying after ${result.msg}`, { url: url2 });
           await new Promise((r) => setTimeout(r, 1e3));
           try {
             const retryResult = await this._callMessageApiOnce(url2, body, `${logTag}:retry`);
@@ -20282,10 +20342,17 @@ var MessagePipe = class _MessagePipe {
     });
     const extraContent = callbackData.extraContent;
     let isEncrypted = false;
+    let fileEncryptionMeta;
     if (typeof extraContent === "string" && extraContent.length > 0) {
       try {
         const parsed = JSON.parse(extraContent);
-        isEncrypted = Boolean(parsed.encryptMsg);
+        if (parsed.encryptMsg) {
+          isEncrypted = true;
+        } else if (parsed.sessionId) {
+          isEncrypted = true;
+          fileEncryptionMeta = { keyId: parsed.sessionId, iv: parsed.cryptoIv ?? "" };
+          log16.info("\u{1F512} \u5165\u7AD9\u6587\u4EF6\u6D88\u606F\u5DF2\u6807\u8BB0\u52A0\u5BC6", { msgUid: callbackData.msgUid, keyId: parsed.sessionId });
+        }
       } catch {
         log16.debug("\u2139\uFE0F extraContent \u4E0D\u662F\u6709\u6548 JSON\uFF0C\u89C6\u4E3A\u660E\u6587", { msgUid: callbackData.msgUid });
       }
@@ -20366,7 +20433,8 @@ var MessagePipe = class _MessagePipe {
       msgType: callbackData.type,
       content: JSON.stringify(contentObj),
       timestamp: Date.now(),
-      isEncrypted
+      isEncrypted,
+      fileEncryptionMeta
     };
     log16.debug("\u{1F4E8} \u89E3\u6790 WS \u5E27", { messageId: msg.messageId, eventType: callbackData.eventType });
     if (this.dedup.isDuplicate(msg.messageId)) {
@@ -21174,6 +21242,7 @@ async function startPlugin(accountConfig, internalOverrides) {
     dedup,
     crypto: cryptoEngine,
     tokenFn: () => tokenManager.getValidToken(),
+    invalidateTokenFn: () => tokenManager.invalidate(),
     messageServiceBaseUrl: config2.message.messageServiceBaseUrl,
     quantumAccount: accountConfig.quantumAccount,
     encryptionMode: accountConfig.encryptionMode,
@@ -21360,7 +21429,9 @@ async function resolveMedia(params) {
     sdkRuntime,
     maxBytes = 30 * 1024 * 1024,
     allowPrivateNetwork = false,
-    timeoutMs
+    timeoutMs,
+    messagePipe,
+    fileEncryptionMeta
   } = params;
   const client = createHttpClient({ baseUrl: serverUrl, tokenManager, timeoutMs });
   log24.info("download:getUrl", { fileId });
@@ -21377,9 +21448,15 @@ async function resolveMedia(params) {
     url: downloadInfo.fileUrl,
     ssrfPolicy: { allowPrivateNetwork }
   });
+  let fileBuffer = Buffer.from(fetched.buffer);
+  if (fileEncryptionMeta && messagePipe) {
+    log24.info("download:decrypting", { fileId, keyId: fileEncryptionMeta.keyId, encryptedSize: fileBuffer.length });
+    fileBuffer = Buffer.from(await messagePipe.decryptFile(fileBuffer, fileEncryptionMeta.keyId, fileEncryptionMeta.iv));
+    log24.info("download:decrypted", { fileId, encryptedSize: fetched.buffer.length, decryptedSize: fileBuffer.length });
+  }
   const contentType = fetched.contentType || downloadInfo.mimeType;
   const saved = await sdkRuntime.channel.media.saveMediaBuffer(
-    fetched.buffer,
+    fileBuffer,
     contentType,
     "inbound",
     maxBytes,
@@ -21423,7 +21500,9 @@ async function resolveContent(context, deps) {
       sdkRuntime: deps.sdkRuntime,
       maxBytes: deps.maxBytes,
       allowPrivateNetwork: deps.allowPrivateNetwork,
-      timeoutMs: deps.timeoutMs
+      timeoutMs: deps.timeoutMs,
+      messagePipe: deps.messagePipe,
+      fileEncryptionMeta: deps.fileEncryptionMeta
     });
     log25.info("resolveContent:downloaded", {
       fileId: context.fileId,
@@ -21770,7 +21849,9 @@ var InboundPipeline = class {
         sdkRuntime: core,
         maxBytes: this.deps.pluginConfig.file.maxFileSizeMb * 1024 * 1024,
         allowPrivateNetwork: this.deps.pluginConfig.file.allowPrivateNetwork,
-        timeoutMs: this.deps.pluginConfig.file.fetchTimeoutMs
+        timeoutMs: this.deps.pluginConfig.file.fetchTimeoutMs,
+        messagePipe: this.deps.messagePipe,
+        fileEncryptionMeta: msg.fileEncryptionMeta
       });
       const payload = buildInboundPayload(msg, resolvedContent, this.deps.pluginConfig);
       const { sdkConfig } = this.deps;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "liangzimixin",
-  "version": "0.3.73",
+  "version": "0.3.75",
   "description": "Quantum-encrypted IM channel plugin for OpenClaw",
   "type": "module",
   "main": "dist/index.cjs",

package/scripts/liangzimixin_install.bat

@@ -7,7 +7,7 @@ REM  liangzimixin install script (Windows)
 REM  Usage: liangzimixin_install.bat <appId> <appSecret> [quantumAccount]
 REM ============================================================
 
-set "SCRIPT_VERSION=0.3.73"
+set "SCRIPT_VERSION=0.3.75"
 set "NPM_PACKAGE=liangzimixin"
 
 set "SKIP_SELF_UPDATE=0"

package/scripts/liangzimixin_install.sh

@@ -6,7 +6,7 @@ set -euo pipefail
 #  用法: ./liangzimixin_install.sh <appId> <appSecret> [quantumAccount]
 # ============================================================
 
-SCRIPT_VERSION="0.3.73"
+SCRIPT_VERSION="0.3.75"
 NPM_PACKAGE="liangzimixin"
 
 # ── 颜色 ──────────────────────────────────────────────────────