openclaw-channel-dmwork 0.5.13 → 0.5.14

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-channel-dmwork",
-  "version": "0.5.13",
+  "version": "0.5.14",
   "description": "DMWork channel plugin for OpenClaw via WuKongIM WebSocket",
   "main": "index.ts",
   "type": "module",

package/src/channel.ts

@@ -125,16 +125,26 @@ function getOrCreateGroupCacheTimestamps(accountId: string): Map<string, number>
 }
 
 
-// --- Group → Account mapping: tracks which account each group was received from ---
+// --- Group → Account mapping: tracks which accounts are active in each group ---
 // Used by handleAction to resolve the correct account when framework passes wrong accountId
-const _groupToAccount = new Map<string, string>(); // groupNo → accountId
+// A group may have multiple bots (1:N), so we store a Set of accountIds per group.
+const _groupToAccount = new Map<string, Set<string>>(); // groupNo → Set<accountId>
 
 export function registerGroupToAccount(groupNo: string, accountId: string): void {
-  _groupToAccount.set(groupNo, accountId);
+  let accounts = _groupToAccount.get(groupNo);
+  if (!accounts) {
+    accounts = new Set<string>();
+    _groupToAccount.set(groupNo, accounts);
+  }
+  accounts.add(accountId);
 }
 
 export function resolveAccountForGroup(groupNo: string): string | undefined {
-  return _groupToAccount.get(groupNo);
+  const accounts = _groupToAccount.get(groupNo);
+  if (!accounts || accounts.size === 0) return undefined;
+  // Only resolve when exactly one bot owns the group; multi-bot → ambiguous
+  if (accounts.size === 1) return accounts.values().next().value;
+  return undefined;
 }
 
 // --- Cache cleanup: evict groups inactive for >4 hours ---
@@ -253,11 +263,14 @@ export const dmworkPlugin: ChannelPlugin<ResolvedDmworkAccount> = {
     handleAction: async (ctx: any) => {
       // Resolve correct accountId: framework may pass wrong one when agent has multiple accounts.
       // Use currentChannelId to look up which account actually owns the group.
+      // When multiple bots share the same group, do NOT correct — the caller's accountId is authoritative.
       let accountId = ctx.accountId ?? DEFAULT_ACCOUNT_ID;
       const currentChannelId = ctx.toolContext?.currentChannelId;
       if (currentChannelId) {
         const rawGroupNo = currentChannelId.replace(/^dmwork:/, '');
         const correctAccountId = resolveAccountForGroup(rawGroupNo);
+        // Only correct when resolveAccountForGroup returns a definitive answer
+        // (exactly one bot owns the group); multi-bot → undefined → no correction
         if (correctAccountId && correctAccountId !== accountId) {
           ctx.log?.info?.(`dmwork: handleAction accountId corrected: ${accountId} → ${correctAccountId} (group=${rawGroupNo})`);
           accountId = correctAccountId;

package/src/multi-bot-isolation.test.ts

@@ -0,0 +1,208 @@
+/**
+ * Tests for multi-bot accountId isolation fix.
+ *
+ * Verifies that when multiple bots share the same OpenClaw Gateway process,
+ * messages are sent from the correct bot account — not from whichever bot
+ * last processed a message in the same group.
+ */
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+// We need to reset module state between tests since _groupToAccount is module-level
+beforeEach(() => {
+  vi.resetModules();
+});
+
+// ─── registerGroupToAccount / resolveAccountForGroup unit tests ─────────────
+
+describe("registerGroupToAccount + resolveAccountForGroup", () => {
+  it("single bot — resolveAccountForGroup returns the registered accountId", async () => {
+    const { registerGroupToAccount, resolveAccountForGroup } = await import("./channel.js");
+
+    registerGroupToAccount("group-001", "botA");
+
+    expect(resolveAccountForGroup("group-001")).toBe("botA");
+  });
+
+  it("multi-bot same group — resolveAccountForGroup returns undefined", async () => {
+    const { registerGroupToAccount, resolveAccountForGroup } = await import("./channel.js");
+
+    registerGroupToAccount("group-001", "botA");
+    registerGroupToAccount("group-001", "botB");
+
+    expect(resolveAccountForGroup("group-001")).toBeUndefined();
+  });
+
+  it("unregistered group — resolveAccountForGroup returns undefined", async () => {
+    const { resolveAccountForGroup } = await import("./channel.js");
+
+    expect(resolveAccountForGroup("group-unknown")).toBeUndefined();
+  });
+
+  it("duplicate registration of same bot is idempotent", async () => {
+    const { registerGroupToAccount, resolveAccountForGroup } = await import("./channel.js");
+
+    registerGroupToAccount("group-001", "botA");
+    registerGroupToAccount("group-001", "botA");
+
+    // Still size 1 → should return the accountId
+    expect(resolveAccountForGroup("group-001")).toBe("botA");
+  });
+
+  it("different groups with different bots resolve independently", async () => {
+    const { registerGroupToAccount, resolveAccountForGroup } = await import("./channel.js");
+
+    registerGroupToAccount("group-001", "botA");
+    registerGroupToAccount("group-002", "botB");
+
+    expect(resolveAccountForGroup("group-001")).toBe("botA");
+    expect(resolveAccountForGroup("group-002")).toBe("botB");
+  });
+});
+
+// ─── handleAction correction logic tests ─────────────────────────────────────
+
+// Mock dependencies that handleAction calls
+vi.mock("./actions.js", () => ({
+  handleDmworkMessageAction: vi.fn(async () => ({ ok: true })),
+  parseTarget: vi.fn(() => ({ channelId: "test", channelType: 2 })),
+}));
+
+vi.mock("./agent-tools.js", () => ({
+  createDmworkManagementTools: vi.fn(() => []),
+}));
+
+vi.mock("./group-md.js", () => ({
+  getOrCreateGroupMdCache: vi.fn(() => new Map()),
+  registerBotGroupIds: vi.fn(),
+  getKnownGroupIds: vi.fn(() => new Set()),
+}));
+
+vi.mock("./api-fetch.js", () => ({
+  registerBot: vi.fn(),
+  sendMessage: vi.fn(),
+  sendHeartbeat: vi.fn(),
+  sendMediaMessage: vi.fn(),
+  inferContentType: vi.fn(),
+  ensureTextCharset: vi.fn((s: string) => s),
+  fetchBotGroups: vi.fn(async () => []),
+  getGroupMd: vi.fn(),
+  getGroupMembers: vi.fn(),
+  parseImageDimensions: vi.fn(),
+  parseImageDimensionsFromFile: vi.fn(),
+  getUploadCredentials: vi.fn(),
+  uploadFileToCOS: vi.fn(),
+}));
+
+describe("handleAction multi-bot isolation", () => {
+  it("single bot — corrects wrong accountId to the sole owner", async () => {
+    const { dmworkPlugin, registerGroupToAccount } = await import("./channel.js");
+    const { handleDmworkMessageAction } = await import("./actions.js");
+
+    // Only botA is in group-001
+    registerGroupToAccount("group-001", "botA");
+
+    const ctx = {
+      accountId: "wrongBot",
+      action: "send" as const,
+      channel: "dmwork",
+      params: { target: "group:group-001", text: "hello" },
+      toolContext: { currentChannelId: "dmwork:group-001" },
+      cfg: {
+        channels: {
+          dmwork: {
+            accounts: {
+              botA: { botToken: "tokenA", apiUrl: "http://api" },
+              wrongBot: { botToken: "tokenWrong", apiUrl: "http://api" },
+            },
+          },
+        },
+      },
+      log: { info: vi.fn() },
+    };
+
+    await dmworkPlugin.actions!.handleAction!(ctx as any);
+
+    // handleDmworkMessageAction should have been called with botA's token
+    expect(handleDmworkMessageAction).toHaveBeenCalledWith(
+      expect.objectContaining({ botToken: "tokenA" }),
+    );
+    // Correction log should have fired
+    expect(ctx.log.info).toHaveBeenCalledWith(
+      expect.stringContaining("accountId corrected"),
+    );
+  });
+
+  it("multi-bot same group — does NOT override ctx.accountId", async () => {
+    const { dmworkPlugin, registerGroupToAccount } = await import("./channel.js");
+    const { handleDmworkMessageAction } = await import("./actions.js");
+
+    // Both botA and botB are in group-001
+    registerGroupToAccount("group-001", "botA");
+    registerGroupToAccount("group-001", "botB");
+
+    const ctx = {
+      accountId: "botA",
+      action: "send" as const,
+      channel: "dmwork",
+      params: { target: "group:group-001", text: "hello from A" },
+      toolContext: { currentChannelId: "dmwork:group-001" },
+      cfg: {
+        channels: {
+          dmwork: {
+            accounts: {
+              botA: { botToken: "tokenA", apiUrl: "http://api" },
+              botB: { botToken: "tokenB", apiUrl: "http://api" },
+            },
+          },
+        },
+      },
+      log: { info: vi.fn() },
+    };
+
+    await dmworkPlugin.actions!.handleAction!(ctx as any);
+
+    // Should use botA's token (the caller's original accountId), NOT botB's
+    expect(handleDmworkMessageAction).toHaveBeenCalledWith(
+      expect.objectContaining({ botToken: "tokenA" }),
+    );
+    // No correction log should have fired
+    expect(ctx.log.info).not.toHaveBeenCalledWith(
+      expect.stringContaining("accountId corrected"),
+    );
+  });
+
+  it("single bot — correct accountId is not re-corrected", async () => {
+    const { dmworkPlugin, registerGroupToAccount } = await import("./channel.js");
+    const { handleDmworkMessageAction } = await import("./actions.js");
+
+    registerGroupToAccount("group-001", "botA");
+
+    const ctx = {
+      accountId: "botA", // already correct
+      action: "send" as const,
+      channel: "dmwork",
+      params: { target: "group:group-001", text: "hello" },
+      toolContext: { currentChannelId: "dmwork:group-001" },
+      cfg: {
+        channels: {
+          dmwork: {
+            accounts: {
+              botA: { botToken: "tokenA", apiUrl: "http://api" },
+            },
+          },
+        },
+      },
+      log: { info: vi.fn() },
+    };
+
+    await dmworkPlugin.actions!.handleAction!(ctx as any);
+
+    expect(handleDmworkMessageAction).toHaveBeenCalledWith(
+      expect.objectContaining({ botToken: "tokenA" }),
+    );
+    // No correction needed
+    expect(ctx.log.info).not.toHaveBeenCalledWith(
+      expect.stringContaining("accountId corrected"),
+    );
+  });
+});

package/node_modules/crypto-js/CONTRIBUTING.md

@@ -1,28 +0,0 @@
-# Contribution
-
-# Git Flow 
-
-The crypto-js project uses [git flow](https://github.com/nvie/gitflow) to manage branches. 
-Do your changes on the `develop` or even better on a `feature/*` branch. Don't do any changes on the `master` branch.
-
-# Pull request
-
-Target your pull request on `develop` branch. Other pull request won't be accepted.
-
-# How to build
-
-1. Clone
-
-2. Run
-
-    ```sh
-    npm install
-    ```
-
-3. Run
-
-    ```sh
-    npm run build
-    ```
-    
-4. Check `build` folder

package/node_modules/crypto-js/LICENSE

@@ -1,24 +0,0 @@
-# License
-
-[The MIT License (MIT)](http://opensource.org/licenses/MIT)
-
-Copyright (c) 2009-2013 Jeff Mott  
-Copyright (c) 2013-2016 Evan Vosberg
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

package/node_modules/crypto-js/README.md

@@ -1,275 +0,0 @@
-# crypto-js
-
-JavaScript library of crypto standards.
-
-## Discontinued
-
-Active development of CryptoJS has been discontinued. This library is no longer maintained.
-
-Nowadays, NodeJS and modern browsers have a native `Crypto` module. The latest version of CryptoJS already uses the native Crypto module for random number generation, since `Math.random()` is not crypto-safe. Further development of CryptoJS would result in it only being a wrapper of native Crypto. Therefore, development and maintenance has been discontinued, it is time to go for the native `crypto` module.
-
-## Node.js (Install)
-
-Requirements:
-
-- Node.js
-- npm (Node.js package manager)
-
-```bash
-npm install crypto-js
-```
-
-### Usage
-
-ES6 import for typical API call signing use case:
-
-```javascript
-import sha256 from 'crypto-js/sha256';
-import hmacSHA512 from 'crypto-js/hmac-sha512';
-import Base64 from 'crypto-js/enc-base64';
-
-const message, nonce, path, privateKey; // ...
-const hashDigest = sha256(nonce + message);
-const hmacDigest = Base64.stringify(hmacSHA512(path + hashDigest, privateKey));
-```
-
-Modular include:
-
-```javascript
-var AES = require("crypto-js/aes");
-var SHA256 = require("crypto-js/sha256");
-...
-console.log(SHA256("Message"));
-```
-
-Including all libraries, for access to extra methods:
-
-```javascript
-var CryptoJS = require("crypto-js");
-console.log(CryptoJS.HmacSHA1("Message", "Key"));
-```
-
-## Client (browser)
-
-Requirements:
-
-- Node.js
-- Bower (package manager for frontend)
-
-```bash
-bower install crypto-js
-```
-
-### Usage
-
-Modular include:
-
-```javascript
-require.config({
-    packages: [
-        {
-            name: 'crypto-js',
-            location: 'path-to/bower_components/crypto-js',
-            main: 'index'
-        }
-    ]
-});
-
-require(["crypto-js/aes", "crypto-js/sha256"], function (AES, SHA256) {
-    console.log(SHA256("Message"));
-});
-```
-
-Including all libraries, for access to extra methods:
-
-```javascript
-// Above-mentioned will work or use this simple form
-require.config({
-    paths: {
-        'crypto-js': 'path-to/bower_components/crypto-js/crypto-js'
-    }
-});
-
-require(["crypto-js"], function (CryptoJS) {
-    console.log(CryptoJS.HmacSHA1("Message", "Key"));
-});
-```
-
-### Usage without RequireJS
-
-```html
-<script type="text/javascript" src="path-to/bower_components/crypto-js/crypto-js.js"></script>
-<script type="text/javascript">
-    var encrypted = CryptoJS.AES(...);
-    var encrypted = CryptoJS.SHA256(...);
-</script>
-```
-
-## API
-
-See: https://cryptojs.gitbook.io/docs/
-
-### AES Encryption
-
-#### Plain text encryption
-
-```javascript
-var CryptoJS = require("crypto-js");
-
-// Encrypt
-var ciphertext = CryptoJS.AES.encrypt('my message', 'secret key 123').toString();
-
-// Decrypt
-var bytes  = CryptoJS.AES.decrypt(ciphertext, 'secret key 123');
-var originalText = bytes.toString(CryptoJS.enc.Utf8);
-
-console.log(originalText); // 'my message'
-```
-
-#### Object encryption
-
-```javascript
-var CryptoJS = require("crypto-js");
-
-var data = [{id: 1}, {id: 2}]
-
-// Encrypt
-var ciphertext = CryptoJS.AES.encrypt(JSON.stringify(data), 'secret key 123').toString();
-
-// Decrypt
-var bytes  = CryptoJS.AES.decrypt(ciphertext, 'secret key 123');
-var decryptedData = JSON.parse(bytes.toString(CryptoJS.enc.Utf8));
-
-console.log(decryptedData); // [{id: 1}, {id: 2}]
-```
-
-### List of modules
-
-
-- ```crypto-js/core```
-- ```crypto-js/x64-core```
-- ```crypto-js/lib-typedarrays```
-
----
-
-- ```crypto-js/md5```
-- ```crypto-js/sha1```
-- ```crypto-js/sha256```
-- ```crypto-js/sha224```
-- ```crypto-js/sha512```
-- ```crypto-js/sha384```
-- ```crypto-js/sha3```
-- ```crypto-js/ripemd160```
-
----
-
-- ```crypto-js/hmac-md5```
-- ```crypto-js/hmac-sha1```
-- ```crypto-js/hmac-sha256```
-- ```crypto-js/hmac-sha224```
-- ```crypto-js/hmac-sha512```
-- ```crypto-js/hmac-sha384```
-- ```crypto-js/hmac-sha3```
-- ```crypto-js/hmac-ripemd160```
-
----
-
-- ```crypto-js/pbkdf2```
-
----
-
-- ```crypto-js/aes```
-- ```crypto-js/tripledes```
-- ```crypto-js/rc4```
-- ```crypto-js/rabbit```
-- ```crypto-js/rabbit-legacy```
-- ```crypto-js/evpkdf```
-
----
-
-- ```crypto-js/format-openssl```
-- ```crypto-js/format-hex```
-
----
-
-- ```crypto-js/enc-latin1```
-- ```crypto-js/enc-utf8```
-- ```crypto-js/enc-hex```
-- ```crypto-js/enc-utf16```
-- ```crypto-js/enc-base64```
-
----
-
-- ```crypto-js/mode-cfb```
-- ```crypto-js/mode-ctr```
-- ```crypto-js/mode-ctr-gladman```
-- ```crypto-js/mode-ofb```
-- ```crypto-js/mode-ecb```
-
----
-
-- ```crypto-js/pad-pkcs7```
-- ```crypto-js/pad-ansix923```
-- ```crypto-js/pad-iso10126```
-- ```crypto-js/pad-iso97971```
-- ```crypto-js/pad-zeropadding```
-- ```crypto-js/pad-nopadding```
-
-
-## Release notes
-
-### 4.2.0
-
-Change default hash algorithm and iteration's for PBKDF2 to prevent weak security by using the default configuration.
-
-Custom KDF Hasher
-
-Blowfish support
-
-### 4.1.1
-
-Fix module order in bundled release.
-
-Include the browser field in the released package.json.
-
-### 4.1.0
-
-Added url safe variant of base64 encoding. [357](https://github.com/brix/crypto-js/pull/357)
-
-Avoid webpack to add crypto-browser package. [364](https://github.com/brix/crypto-js/pull/364)
-
-### 4.0.0
-
-This is an update including breaking changes for some environments.
-
-In this version `Math.random()` has been replaced by the random methods of the native crypto module.
-
-For this reason CryptoJS might not run in some JavaScript environments without native crypto module. Such as IE 10 or before or React Native.
-
-### 3.3.0
-
-Rollback, `3.3.0` is the same as `3.1.9-1`.
-
-The move of using native secure crypto module will be shifted to a new `4.x.x` version. As it is a breaking change the impact is too big for a minor release.
-
-### 3.2.1
-
-The usage of the native crypto module has been fixed. The import and access of the native crypto module has been improved.
-
-### 3.2.0
-
-In this version `Math.random()` has been replaced by the random methods of the native crypto module.
-
-For this reason CryptoJS might does not run in some JavaScript environments without native crypto module. Such as IE 10 or before.
-
-If it's absolute required to run CryptoJS in such an environment, stay with `3.1.x` version. Encrypting and decrypting stays compatible. But keep in mind `3.1.x` versions still use `Math.random()` which is cryptographically not secure, as it's not random enough. 
-
-This version came along with `CRITICAL` `BUG`. 
-
-DO NOT USE THIS VERSION! Please, go for a newer version!
-
-### 3.1.x
-
-The `3.1.x` are based on the original CryptoJS, wrapped in CommonJS modules.
-
-