From 23c90aeed41b691b94e2e3aae6439ad22f1b9e72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andrej=20Trogrli=C4=87?= Date: Thu, 23 Apr 2026 19:42:06 +0200 Subject: [PATCH] fix(feishu): keep setup entry off runtime SDK (#70339) Load Feishu setup surfaces through a setup-only barrel so onboarding does not import the Lark SDK before bundled runtime deps are staged.\n\nThanks @andrejtr.\n\nCo-authored-by: andrejtr <64274971+andrejtr@users.noreply.github.com> --- CHANGELOG.md | 1 + extensions/feishu/setup-api.ts | 1 + extensions/feishu/setup-entry.test.ts | 14 ++++++++++++++ extensions/feishu/setup-entry.ts | 2 +- 4 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 extensions/feishu/setup-entry.test.ts diff --git a/CHANGELOG.md b/CHANGELOG.md index caf36fe92d2..b6431ff08dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ Docs: https://docs.openclaw.ai ### Fixes - MCP/tools: stop the ACPX OpenClaw tools bridge from listing or invoking owner-only tools such as `cron`, closing a privilege-escalation path for non-owner MCP callers. (#70698) Thanks @vincentkoc. +- Feishu/onboarding: load Feishu setup surfaces through a setup-only barrel so first-run setup no longer imports Feishu's Lark SDK before bundled runtime deps are staged. (#70339) Thanks @andrejtr. - WhatsApp/security: keep contact/vCard/location structured-object free text out of the inline message body and render it through fenced untrusted metadata JSON, limiting hidden prompt-injection payloads in names, phone fields, and location labels/comments. - Group-chat/security: keep channel-sourced group names and participant labels out of inline group system prompts and render them through fenced untrusted metadata JSON. - Plugins/startup: restore bundled plugin `openclaw/plugin-sdk/*` resolution from packaged installs and external runtime-deps stage roots, so Telegram/Discord no longer crash-loop with `Cannot find package 'openclaw'` after missing dependency repair. diff --git a/extensions/feishu/setup-api.ts b/extensions/feishu/setup-api.ts index 8d44582cd03..6ccdd8f17e4 100644 --- a/extensions/feishu/setup-api.ts +++ b/extensions/feishu/setup-api.ts @@ -1,2 +1,3 @@ +export { feishuPlugin } from "./src/channel.js"; export { feishuSetupAdapter } from "./src/setup-core.js"; export { feishuSetupWizard } from "./src/setup-surface.js"; diff --git a/extensions/feishu/setup-entry.test.ts b/extensions/feishu/setup-entry.test.ts new file mode 100644 index 00000000000..fd090bc5f4c --- /dev/null +++ b/extensions/feishu/setup-entry.test.ts @@ -0,0 +1,14 @@ +import { describe, expect, it, vi } from "vitest"; + +vi.mock("@larksuiteoapi/node-sdk", () => { + throw new Error("setup entry must not load the Feishu SDK"); +}); + +describe("feishu setup entry", () => { + it("loads the setup plugin without importing Feishu runtime dependencies", async () => { + const { default: setupEntry } = await import("./setup-entry.js"); + + expect(setupEntry.kind).toBe("bundled-channel-setup-entry"); + expect(setupEntry.loadSetupPlugin({ installRuntimeDeps: false })?.id).toBe("feishu"); + }); +}); diff --git a/extensions/feishu/setup-entry.ts b/extensions/feishu/setup-entry.ts index ec75c552ab7..41216a676d9 100644 --- a/extensions/feishu/setup-entry.ts +++ b/extensions/feishu/setup-entry.ts @@ -3,7 +3,7 @@ import { defineBundledChannelSetupEntry } from "openclaw/plugin-sdk/channel-entr export default defineBundledChannelSetupEntry({ importMetaUrl: import.meta.url, plugin: { - specifier: "./api.js", + specifier: "./setup-api.js", exportName: "feishuPlugin", }, secrets: {