zalo-agent-cli 1.6.0 → 1.6.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zalo-agent-cli",
-  "version": "1.6.0",
+  "version": "1.6.2",
   "description": "CLI tool for Zalo automation — multi-account, proxy, bank transfers, QR payments, Official Account API v3.0",
   "type": "module",
   "bin": {
@@ -18,7 +18,8 @@
     "lint:fix": "eslint src/ --fix",
     "format": "prettier --write src/",
     "format:check": "prettier --check src/",
-    "release": "npm version patch -m 'release: v%s' && git push origin main --tags"
+    "release": "npm version patch -m 'release: v%s' && git push origin main --tags",
+    "prepublishOnly": "npm run lint && npm test"
   },
   "keywords": [
     "zalo",
@@ -48,7 +49,8 @@
     "express": "^5.2.1",
     "https-proxy-agent": "^8.0.0",
     "node-fetch": "^3.3.0",
-    "zca-js": "^2.1.1",
+    "undici": "^7.24.6",
+    "zca-js": "^2.1.2",
     "zod": "^4.3.6"
   },
   "devDependencies": {

package/src/commands/listen.js

@@ -65,7 +65,10 @@ export function registerListenCommand(program) {
                     method: "POST",
                     headers: { "Content-Type": "application/json" },
                     body: JSON.stringify(data),
-                }).catch(() => {});
+                    signal: AbortSignal.timeout(5000),
+                }).catch((e) => {
+                    console.error(`[listen] Webhook failed: ${e.message}`);
+                });
             }
 
             // Setup save directory if --save flag provided
@@ -84,7 +87,9 @@ export function registerListenCommand(program) {
                 const line = JSON.stringify({ ...data, savedAt: new Date().toISOString() }) + "\n";
                 try {
                     appendFileSync(filepath, line, "utf-8");
-                } catch {}
+                } catch (e) {
+                    console.error(`[listen] Save failed: ${e.message}`);
+                }
             }
 
             /** Output event as JSON or human-readable, save locally, then post to webhook */
@@ -276,7 +281,9 @@ export function registerListenCommand(program) {
                 process.on("SIGINT", () => {
                     try {
                         getApi().listener.stop();
-                    } catch {}
+                    } catch (e) {
+                        console.error(`[listen] Stop failed: ${e.message}`);
+                    }
                     info(`Stopped. Uptime: ${uptime()}, events: ${eventCount}, reconnects: ${reconnectCount}`);
                     if (saveDir) info(`Messages saved to: ${saveDir}`);
                     resolve();

package/src/commands/mcp.js

@@ -56,6 +56,7 @@ export function registerMCPCommands(program) {
         .option("--config <path>", "Config file path (default: ~/.zalo-agent-cli/mcp-config.json)")
         .option("--http <port>", "Use HTTP transport on specified port (default: stdio)")
         .option("--auth <token>", "Bearer token for HTTP auth (only with --http)")
+        .option("--host <address>", "HTTP bind address (default: 127.0.0.1, only with --http)")
         .action(async (opts) => {
             // Perform login explicitly here — preAction hook skips "mcp"
             try {
@@ -84,11 +85,17 @@ export function registerMCPCommands(program) {
             }
 
             // Start MCP server — stdio (default) or HTTP
+            let httpServer = null;
             try {
                 if (opts.http) {
                     const port = Number(opts.http);
+                    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+                        console.error(`[mcp] Invalid port: ${opts.http}. Must be 1-65535.`);
+                        process.exit(1);
+                    }
                     const deps = { api: getApi(), buffer, filter, config, nameCache };
-                    createHTTPServer(registerTools, deps, port, opts.auth || null);
+                    const authToken = opts.auth?.trim() || null;
+                    httpServer = createHTTPServer(registerTools, deps, port, authToken, opts.host || "127.0.0.1");
                     console.error(`[mcp] HTTP server started on port ${port}`);
                 } else {
                     await createMCPServer(getApi(), buffer, filter, config, nameCache);
@@ -195,6 +202,16 @@ export function registerMCPCommands(program) {
                 process.exit(1);
             }
 
+            // Graceful shutdown on SIGINT
+            process.on("SIGINT", () => {
+                try {
+                    getApi().listener.stop();
+                } catch {}
+                notifier?.destroy();
+                httpServer?.close();
+                process.exit(0);
+            });
+
             // Keep process alive (MCP server runs on stdio — process must not exit)
             await new Promise(() => {});
         });

package/src/core/zalo-client.js

@@ -6,7 +6,7 @@
 import fs from "fs";
 import { Zalo, LoginQRCallbackEventType } from "zca-js";
 import { HttpsProxyAgent } from "https-proxy-agent";
-import nodefetch from "node-fetch";
+import { ProxyAgent } from "undici";
 import { getActive } from "./accounts.js";
 import { loadCredentials } from "./credentials.js";
 import { info } from "../utils/output.js";
@@ -91,6 +91,15 @@ export function isLoggedIn() {
     return _api !== null;
 }
 
+/**
+ * Create a proxy-aware fetch that uses undici ProxyAgent dispatcher.
+ * Native Node.js fetch ignores the `agent` option — must use `dispatcher`.
+ */
+function createProxyFetch(proxyUrl) {
+    const dispatcher = new ProxyAgent(proxyUrl);
+    return (url, init = {}) => fetch(url, { ...init, dispatcher });
+}
+
 /** Create a Zalo instance with optional proxy. Suppress logs in JSON mode. */
 function createZalo(proxyUrl) {
     const opts = {
@@ -99,8 +108,9 @@ function createZalo(proxyUrl) {
         imageMetadataGetter: readImageMetadata,
     };
     if (proxyUrl) {
+        // HttpsProxyAgent for WebSocket (ws lib), ProxyAgent dispatcher for HTTP fetch
         opts.agent = new HttpsProxyAgent(proxyUrl);
-        opts.polyfill = nodefetch;
+        opts.polyfill = createProxyFetch(proxyUrl);
     }
     return new Zalo(opts);
 }

package/src/mcp/mcp-http-transport.js

@@ -4,9 +4,16 @@
  */
 
 import express from "express";
+import { timingSafeEqual } from "crypto";
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(join(__dirname, "../../package.json"), "utf8"));
+
 /**
  * Create HTTP MCP server with optional bearer token auth.
  * @param {Function} registerToolsFn - Registers tools on a McpServer instance
@@ -15,7 +22,7 @@ import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/
  * @param {string|null} authToken - Bearer token (null = no auth)
  * @returns {import("http").Server}
  */
-export function createHTTPServer(registerToolsFn, deps, port, authToken) {
+export function createHTTPServer(registerToolsFn, deps, port, authToken, host = "127.0.0.1") {
     const app = express();
     app.use(express.json());
 
@@ -23,8 +30,10 @@ export function createHTTPServer(registerToolsFn, deps, port, authToken) {
     if (authToken) {
         app.use((req, res, next) => {
             if (req.path === "/health") return next();
-            const token = req.headers.authorization?.slice(7); // strip "Bearer "
-            if (token !== authToken) {
+            const token = req.headers.authorization?.slice(7) || "";
+            const expected = Buffer.from(authToken, "utf8");
+            const received = Buffer.from(token, "utf8");
+            if (expected.length !== received.length || !timingSafeEqual(expected, received)) {
                 return res.status(401).json({ error: "Unauthorized" });
             }
             next();
@@ -34,7 +43,7 @@ export function createHTTPServer(registerToolsFn, deps, port, authToken) {
     // MCP endpoint — stateless, fresh server+transport per request
     app.post("/mcp", async (req, res) => {
         try {
-            const server = new McpServer({ name: "zalo-agent", version: "1.0.0" });
+            const server = new McpServer({ name: "zalo-agent", version: pkg.version });
             registerToolsFn(server, deps.api, deps.buffer, deps.filter, deps.config, deps.nameCache);
 
             const transport = new StreamableHTTPServerTransport({
@@ -69,7 +78,7 @@ export function createHTTPServer(registerToolsFn, deps, port, authToken) {
         });
     });
 
-    return app.listen(port, "0.0.0.0", () => {
-        console.error(`MCP HTTP server listening on port ${port}`);
+    return app.listen(port, host, () => {
+        console.error(`MCP HTTP server listening on ${host}:${port}`);
     });
 }

package/src/mcp/mcp-server.js

@@ -3,10 +3,16 @@
  * Creates and connects the McpServer instance for Claude Code integration.
  */
 
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { registerTools } from "./mcp-tools.js";
 
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(join(__dirname, "../../package.json"), "utf8"));
+
 /**
  * Create and start MCP server with stdio transport.
  * All logs MUST use console.error() — stdout is reserved for MCP protocol.
@@ -20,7 +26,7 @@ import { registerTools } from "./mcp-tools.js";
 export async function createMCPServer(api, buffer, filter, config, nameCache) {
     const server = new McpServer({
         name: "zalo-agent",
-        version: "1.0.0",
+        version: pkg.version,
     });
 
     registerTools(server, api, buffer, filter, config, nameCache);

package/src/mcp/mcp-tools.js

@@ -117,11 +117,9 @@ export function registerTools(server, api, buffer, filter, config, nameCache) {
         async ({ type }) => {
             try {
                 const stats = buffer.getStats(0);
-                // Enrich each stat entry with threadType by peeking at the first buffered message.
-                // buffer._threads is a Map<threadId, { messages: Array, lastActivity: number }>
+                // Enrich each stat entry with threadType and thread name
                 const enriched = stats.map((t) => {
-                    const thread = buffer._threads.get(t.threadId);
-                    const threadType = thread?.messages?.[0]?.threadType ?? "unknown";
+                    const threadType = buffer.getThreadType(t.threadId) ?? "unknown";
                     const cached = nameCache?.get(t.threadId);
                     return {
                         ...t,

package/src/mcp/media-downloader.js

@@ -7,7 +7,7 @@
 import { mkdirSync, writeFileSync } from "fs";
 import { join } from "path";
 import { platform } from "os";
-import { exec } from "child_process";
+import { execFile } from "child_process";
 import { CONFIG_DIR } from "../core/credentials.js";
 
 /** Default download directory when not configured */
@@ -123,9 +123,11 @@ function buildFileName(message, ext) {
  * @param {string} filePath
  */
 export function openFile(filePath) {
+    const isWin = platform() === "win32";
     const cmds = { darwin: "open", win32: "start", linux: "xdg-open" };
     const cmd = cmds[platform()] || "xdg-open";
-    exec(`${cmd} "${filePath}"`, (err) => {
+    // Windows "start" is a cmd.exe builtin — needs shell: true
+    execFile(cmd, isWin ? ["", filePath] : [filePath], { shell: isWin }, (err) => {
         if (err) console.error(`[media-dl] Failed to open viewer: ${err.message}`);
     });
 }

package/src/mcp/message-buffer.js

@@ -94,6 +94,16 @@ export class MessageBuffer {
         return stats;
     }
 
+    /**
+     * Get thread type from first buffered message.
+     * @param {string} threadId
+     * @returns {string|null}
+     */
+    getThreadType(threadId) {
+        const thread = this._threads.get(threadId);
+        return thread?.messages?.[0]?.threadType ?? null;
+    }
+
     /**
      * Evict messages that exceed maxSize or maxAge for a given thread.
      * @param {string} threadId

package/src/mcp/message-buffer.test.js

@@ -265,6 +265,32 @@ describe("MessageBuffer getStats", () => {
     });
 });
 
+describe("MessageBuffer getThreadType", () => {
+    it("returns threadType from first buffered message", () => {
+        const buf = new MessageBuffer();
+        buf.push("t1", { text: "hi", threadType: "dm", timestamp: Date.now() });
+        buf.push("t1", { text: "hey", threadType: "dm", timestamp: Date.now() });
+        assert.equal(buf.getThreadType("t1"), "dm");
+    });
+
+    it("returns null for unknown thread", () => {
+        const buf = new MessageBuffer();
+        assert.equal(buf.getThreadType("nonexistent"), null);
+    });
+
+    it("returns null when thread exists but messages have no threadType", () => {
+        const buf = new MessageBuffer();
+        buf.push("t1", { text: "hi", timestamp: Date.now() });
+        assert.equal(buf.getThreadType("t1"), null);
+    });
+
+    it("returns group for group thread", () => {
+        const buf = new MessageBuffer();
+        buf.push("g1", { text: "hello", threadType: "group", timestamp: Date.now() });
+        assert.equal(buf.getThreadType("g1"), "group");
+    });
+});
+
 describe("MessageBuffer edge cases", () => {
     it("empty read on fresh buffer returns empty array and cursor 0", () => {
         const buf = new MessageBuffer();