fix(plugin-sdk): restore zalouser facade

docs/.generated/plugin-sdk-api-baseline.sha256

@@ -1,2 +1,2 @@
-d26a70c9ea3bd277135a1712556f07195fb464b5cd846d04f18c2166c319a73d  plugin-sdk-api-baseline.json
-9fe2cb122fb3de17eaaf54c7768f268aa689063cf9091bd4b0be9422550a70a8  plugin-sdk-api-baseline.jsonl
+9262e43a0171f4c38a0590fe36d80b13382beee4a1be1ae2ffb109ace5f37b31  plugin-sdk-api-baseline.json
+c7385f6584052938fe9cce00ae5f9d90cb3b08f943cc82122235f18a1213439b  plugin-sdk-api-baseline.jsonl

docs/plugins/sdk-subpaths.md

@@ -86,6 +86,7 @@ For the plugin authoring guide, see [Plugin SDK overview](/plugins/sdk-overview)
     | `plugin-sdk/direct-dm` | Shared direct-DM auth/guard helpers |
     | `plugin-sdk/discord` | Deprecated Discord compatibility facade for published `@openclaw/discord@2026.3.13` and tracked owner compatibility; new plugins should use generic channel SDK subpaths |
     | `plugin-sdk/telegram-account` | Deprecated Telegram account-resolution compatibility facade for tracked owner compatibility; new plugins should use injected runtime helpers or generic channel SDK subpaths |
+    | `plugin-sdk/zalouser` | Deprecated Zalo Personal compatibility facade for published Lark/Zalo packages that still import sender command authorization; new plugins should use `plugin-sdk/command-auth` |
     | `plugin-sdk/interactive-runtime` | Semantic message presentation, delivery, and legacy interactive reply helpers. See [Message Presentation](/plugins/message-presentation) |
     | `plugin-sdk/channel-inbound` | Compatibility barrel for inbound debounce, mention matching, mention-policy helpers, and envelope helpers |
     | `plugin-sdk/channel-inbound-debounce` | Narrow inbound debounce helpers |

package.json

@@ -1234,6 +1234,10 @@
       "types": "./dist/plugin-sdk/web-media.d.ts",
       "default": "./dist/plugin-sdk/web-media.js"
     },
+    "./plugin-sdk/zalouser": {
+      "types": "./dist/plugin-sdk/zalouser.d.ts",
+      "default": "./dist/plugin-sdk/zalouser.js"
+    },
     "./plugin-sdk/zod": {
       "types": "./dist/plugin-sdk/zod.d.ts",
       "default": "./dist/plugin-sdk/zod.js"

scripts/lib/plugin-sdk-entrypoints.json

@@ -291,5 +291,6 @@
   "webhook-request-guards",
   "webhook-path",
   "web-media",
+  "zalouser",
   "zod"
 ]

src/plugin-sdk/entrypoints.ts

@@ -18,6 +18,7 @@ export const supportedBundledFacadeSdkEntrypoints = [
   "qa-runner-runtime",
   "telegram-account",
   "tts-runtime",
+  "zalouser",
 ] as const;
 
 // Plugin-owned surfaces that are intentionally public and documented for third-party plugins.

src/plugin-sdk/zalouser.ts

@@ -0,0 +1,13 @@
+/**
+ * @deprecated Compatibility facade for published Lark/Zalo packages that imported
+ * command authorization through `openclaw/plugin-sdk/zalouser`.
+ */
+export {
+  resolveSenderCommandAuthorization,
+  resolveSenderCommandAuthorizationWithRuntime,
+} from "./command-auth.js";
+export type {
+  CommandAuthorizationRuntime,
+  ResolveSenderCommandAuthorizationParams,
+  ResolveSenderCommandAuthorizationWithRuntimeParams,
+} from "./command-auth.js";

src/plugins/contracts/plugin-sdk-subpaths.test.ts

@@ -1334,6 +1334,15 @@ describe("plugin-sdk subpath exports", () => {
     }
   });
 
+  it("keeps the Zalouser command-auth compatibility facade importable", async () => {
+    const zalouserSdk = await importResolvedPluginSdkSubpath("openclaw/plugin-sdk/zalouser");
+    const commandAuthSdk = await importResolvedPluginSdkSubpath("openclaw/plugin-sdk/command-auth");
+
+    expect(zalouserSdk.resolveSenderCommandAuthorization).toBe(
+      commandAuthSdk.resolveSenderCommandAuthorization,
+    );
+  });
+
   it("exports single-provider plugin entry helpers from the dedicated subpath", () => {
     expect(typeof providerEntrySdk.defineSingleProviderPluginEntry).toBe("function");
   });