2026-03-04 02:32:54 -05:00
|
|
|
import type { BaseProbeResult } from "openclaw/plugin-sdk/bluebubbles";
|
2026-03-02 20:58:20 -06:00
|
|
|
import { normalizeSecretInputString } from "./secret-input.js";
|
2026-01-18 03:17:30 +00:00
|
|
|
import { buildBlueBubblesApiUrl, blueBubblesFetchWithTimeout } from "./types.js";
|
|
|
|
|
|
2026-02-15 11:34:21 -06:00
|
|
|
export type BlueBubblesProbe = BaseProbeResult & {
|
2026-01-18 03:17:30 +00:00
|
|
|
status?: number | null;
|
|
|
|
|
};
|
|
|
|
|
|
2026-01-20 00:43:56 -08:00
|
|
|
export type BlueBubblesServerInfo = {
|
|
|
|
|
os_version?: string;
|
|
|
|
|
server_version?: string;
|
|
|
|
|
private_api?: boolean;
|
|
|
|
|
helper_connected?: boolean;
|
|
|
|
|
proxy_service?: string;
|
|
|
|
|
detected_icloud?: string;
|
|
|
|
|
computer_id?: string;
|
|
|
|
|
};
|
|
|
|
|
|
fix: comprehensive BlueBubbles and channel cleanup (#11093)
* feat(bluebubbles): auto-strip markdown from outbound messages (#7402)
* fix(security): add timeout to webhook body reading (#6762)
Adds 30-second timeout to readBody() in voice-call, bluebubbles, and nostr
webhook handlers. Prevents Slow-Loris DoS (CWE-400, CVSS 7.5).
Merged with existing maxBytes protection in voice-call.
* fix(security): unify Error objects and lint fixes in webhook timeouts (#6762)
* fix: prevent plugins from auto-enabling without user consent (#3961)
Changes default plugin enabled state from true to false in enablePluginEntry().
Preserves existing enabled:true values. Fixes #3932.
* fix: apply hierarchical mediaMaxMb config to all channels (#8749)
Generalizes resolveAttachmentMaxBytes() to use account → channel → global
config resolution for all channels, not just BlueBubbles. Fixes #7847.
* fix(bluebubbles): sanitize attachment filenames against header injection (#10333)
Strip ", \r, \n, and \\ from filenames after path.basename() to prevent
multipart Content-Disposition header injection (CWE-93, CVSS 5.4).
Also adds sanitization to setGroupIconBlueBubbles which had zero filename
sanitization.
* fix(lint): exclude extensions/ from Oxlint preflight check (#9313)
Extensions use PluginRuntime|null patterns that trigger
no-redundant-type-constituents because PluginRuntime resolves to any.
Excluding extensions/ from Oxlint unblocks user upgrades.
Re-applies the approach from closed PR #10087.
* fix(bluebubbles): add tempGuid to createNewChatWithMessage payload (#7745)
Non-Private-API mode (AppleScript) requires tempGuid in send payloads.
The main sendMessageBlueBubbles already had it, but createNewChatWithMessage
was missing it, causing 400 errors for new chat creation without Private API.
* fix: send stop-typing signal when run ends with NO_REPLY (#8785)
Adds onCleanup callback to the typing controller that fires when the
controller is cleaned up while typing was active (e.g., after NO_REPLY).
Channels using createTypingCallbacks automatically get stop-typing on
cleanup. This prevents the typing indicator from lingering in group chats
when the agent decides not to reply.
* fix(telegram): deduplicate skill commands in multi-agent setup (#5717)
Two fixes:
1. Skip duplicate workspace dirs when listing skill commands across agents.
Multiple agents sharing the same workspace would produce duplicate commands
with _2, _3 suffixes.
2. Clear stale commands via deleteMyCommands before registering new ones.
Commands from deleted skills now get cleaned up on restart.
* fix: add size limits to unbounded in-memory caches (#4948)
Adds max-size caps with oldest-entry eviction to prevent OOM in
long-running deployments:
- BlueBubbles serverInfoCache: 64 entries (already has TTL)
- Google Chat authCache: 32 entries
- Matrix directRoomCache: 1024 entries
- Discord presenceCache: 5000 entries per account
* fix: address review concerns (#11093)
- Chain deleteMyCommands → setMyCommands to prevent race condition (#5717)
- Rename enablePluginEntry to registerPluginEntry (now sets enabled: false)
- Add Slow-Loris timeout test for readJsonBody (#6023)
2026-02-07 05:00:55 -08:00
|
|
|
/** Cache server info by account ID to avoid repeated API calls.
|
|
|
|
|
* Size-capped to prevent unbounded growth (#4948). */
|
|
|
|
|
const MAX_SERVER_INFO_CACHE_SIZE = 64;
|
2026-01-20 00:43:56 -08:00
|
|
|
const serverInfoCache = new Map<string, { info: BlueBubblesServerInfo; expires: number }>();
|
2026-01-20 00:46:48 -08:00
|
|
|
const CACHE_TTL_MS = 10 * 60 * 1000; // 10 minutes
|
|
|
|
|
|
|
|
|
|
function buildCacheKey(accountId?: string): string {
|
|
|
|
|
return accountId?.trim() || "default";
|
|
|
|
|
}
|
2026-01-20 00:43:56 -08:00
|
|
|
|
|
|
|
|
/**
|
2026-01-20 00:46:48 -08:00
|
|
|
* Fetch server info from BlueBubbles API and cache it.
|
2026-01-20 00:43:56 -08:00
|
|
|
* Returns cached result if available and not expired.
|
|
|
|
|
*/
|
|
|
|
|
export async function fetchBlueBubblesServerInfo(params: {
|
|
|
|
|
baseUrl?: string | null;
|
|
|
|
|
password?: string | null;
|
2026-01-20 00:46:48 -08:00
|
|
|
accountId?: string;
|
2026-01-20 00:43:56 -08:00
|
|
|
timeoutMs?: number;
|
|
|
|
|
}): Promise<BlueBubblesServerInfo | null> {
|
2026-03-02 20:58:20 -06:00
|
|
|
const baseUrl = normalizeSecretInputString(params.baseUrl);
|
|
|
|
|
const password = normalizeSecretInputString(params.password);
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!baseUrl || !password) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
2026-01-20 00:43:56 -08:00
|
|
|
|
2026-01-20 00:46:48 -08:00
|
|
|
const cacheKey = buildCacheKey(params.accountId);
|
2026-01-20 00:43:56 -08:00
|
|
|
const cached = serverInfoCache.get(cacheKey);
|
|
|
|
|
if (cached && cached.expires > Date.now()) {
|
|
|
|
|
return cached.info;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const url = buildBlueBubblesApiUrl({ baseUrl, path: "/api/v1/server/info", password });
|
|
|
|
|
try {
|
|
|
|
|
const res = await blueBubblesFetchWithTimeout(url, { method: "GET" }, params.timeoutMs ?? 5000);
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!res.ok) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
2026-01-20 00:43:56 -08:00
|
|
|
const payload = (await res.json().catch(() => null)) as Record<string, unknown> | null;
|
|
|
|
|
const data = payload?.data as BlueBubblesServerInfo | undefined;
|
|
|
|
|
if (data) {
|
|
|
|
|
serverInfoCache.set(cacheKey, { info: data, expires: Date.now() + CACHE_TTL_MS });
|
fix: comprehensive BlueBubbles and channel cleanup (#11093)
* feat(bluebubbles): auto-strip markdown from outbound messages (#7402)
* fix(security): add timeout to webhook body reading (#6762)
Adds 30-second timeout to readBody() in voice-call, bluebubbles, and nostr
webhook handlers. Prevents Slow-Loris DoS (CWE-400, CVSS 7.5).
Merged with existing maxBytes protection in voice-call.
* fix(security): unify Error objects and lint fixes in webhook timeouts (#6762)
* fix: prevent plugins from auto-enabling without user consent (#3961)
Changes default plugin enabled state from true to false in enablePluginEntry().
Preserves existing enabled:true values. Fixes #3932.
* fix: apply hierarchical mediaMaxMb config to all channels (#8749)
Generalizes resolveAttachmentMaxBytes() to use account → channel → global
config resolution for all channels, not just BlueBubbles. Fixes #7847.
* fix(bluebubbles): sanitize attachment filenames against header injection (#10333)
Strip ", \r, \n, and \\ from filenames after path.basename() to prevent
multipart Content-Disposition header injection (CWE-93, CVSS 5.4).
Also adds sanitization to setGroupIconBlueBubbles which had zero filename
sanitization.
* fix(lint): exclude extensions/ from Oxlint preflight check (#9313)
Extensions use PluginRuntime|null patterns that trigger
no-redundant-type-constituents because PluginRuntime resolves to any.
Excluding extensions/ from Oxlint unblocks user upgrades.
Re-applies the approach from closed PR #10087.
* fix(bluebubbles): add tempGuid to createNewChatWithMessage payload (#7745)
Non-Private-API mode (AppleScript) requires tempGuid in send payloads.
The main sendMessageBlueBubbles already had it, but createNewChatWithMessage
was missing it, causing 400 errors for new chat creation without Private API.
* fix: send stop-typing signal when run ends with NO_REPLY (#8785)
Adds onCleanup callback to the typing controller that fires when the
controller is cleaned up while typing was active (e.g., after NO_REPLY).
Channels using createTypingCallbacks automatically get stop-typing on
cleanup. This prevents the typing indicator from lingering in group chats
when the agent decides not to reply.
* fix(telegram): deduplicate skill commands in multi-agent setup (#5717)
Two fixes:
1. Skip duplicate workspace dirs when listing skill commands across agents.
Multiple agents sharing the same workspace would produce duplicate commands
with _2, _3 suffixes.
2. Clear stale commands via deleteMyCommands before registering new ones.
Commands from deleted skills now get cleaned up on restart.
* fix: add size limits to unbounded in-memory caches (#4948)
Adds max-size caps with oldest-entry eviction to prevent OOM in
long-running deployments:
- BlueBubbles serverInfoCache: 64 entries (already has TTL)
- Google Chat authCache: 32 entries
- Matrix directRoomCache: 1024 entries
- Discord presenceCache: 5000 entries per account
* fix: address review concerns (#11093)
- Chain deleteMyCommands → setMyCommands to prevent race condition (#5717)
- Rename enablePluginEntry to registerPluginEntry (now sets enabled: false)
- Add Slow-Loris timeout test for readJsonBody (#6023)
2026-02-07 05:00:55 -08:00
|
|
|
// Evict oldest entries if cache exceeds max size
|
|
|
|
|
if (serverInfoCache.size > MAX_SERVER_INFO_CACHE_SIZE) {
|
|
|
|
|
const oldest = serverInfoCache.keys().next().value;
|
|
|
|
|
if (oldest !== undefined) {
|
|
|
|
|
serverInfoCache.delete(oldest);
|
|
|
|
|
}
|
|
|
|
|
}
|
2026-01-20 00:43:56 -08:00
|
|
|
}
|
|
|
|
|
return data ?? null;
|
|
|
|
|
} catch {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-20 00:46:48 -08:00
|
|
|
/**
|
|
|
|
|
* Get cached server info synchronously (for use in listActions).
|
|
|
|
|
* Returns null if not cached or expired.
|
|
|
|
|
*/
|
|
|
|
|
export function getCachedBlueBubblesServerInfo(accountId?: string): BlueBubblesServerInfo | null {
|
|
|
|
|
const cacheKey = buildCacheKey(accountId);
|
|
|
|
|
const cached = serverInfoCache.get(cacheKey);
|
|
|
|
|
if (cached && cached.expires > Date.now()) {
|
|
|
|
|
return cached.info;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-13 21:15:56 -08:00
|
|
|
/**
|
|
|
|
|
* Read cached private API capability for a BlueBubbles account.
|
|
|
|
|
* Returns null when capability is unknown (for example, before first probe).
|
|
|
|
|
*/
|
|
|
|
|
export function getCachedBlueBubblesPrivateApiStatus(accountId?: string): boolean | null {
|
|
|
|
|
const info = getCachedBlueBubblesServerInfo(accountId);
|
|
|
|
|
if (!info || typeof info.private_api !== "boolean") {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
return info.private_api;
|
|
|
|
|
}
|
|
|
|
|
|
2026-02-22 12:08:08 +01:00
|
|
|
export function isBlueBubblesPrivateApiStatusEnabled(status: boolean | null): boolean {
|
|
|
|
|
return status === true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
export function isBlueBubblesPrivateApiEnabled(accountId?: string): boolean {
|
|
|
|
|
return isBlueBubblesPrivateApiStatusEnabled(getCachedBlueBubblesPrivateApiStatus(accountId));
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-20 00:43:56 -08:00
|
|
|
/**
|
|
|
|
|
* Parse macOS version string (e.g., "15.0.1" or "26.0") into major version number.
|
|
|
|
|
*/
|
|
|
|
|
export function parseMacOSMajorVersion(version?: string | null): number | null {
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!version) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
2026-01-20 00:43:56 -08:00
|
|
|
const match = /^(\d+)/.exec(version.trim());
|
|
|
|
|
return match ? Number.parseInt(match[1], 10) : null;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-20 00:46:48 -08:00
|
|
|
/**
|
|
|
|
|
* Check if the cached server info indicates macOS 26 or higher.
|
|
|
|
|
* Returns false if no cached info is available (fail open for action listing).
|
|
|
|
|
*/
|
|
|
|
|
export function isMacOS26OrHigher(accountId?: string): boolean {
|
|
|
|
|
const info = getCachedBlueBubblesServerInfo(accountId);
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!info?.os_version) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2026-01-20 00:46:48 -08:00
|
|
|
const major = parseMacOSMajorVersion(info.os_version);
|
|
|
|
|
return major !== null && major >= 26;
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-20 00:43:56 -08:00
|
|
|
/** Clear the server info cache (for testing) */
|
|
|
|
|
export function clearServerInfoCache(): void {
|
|
|
|
|
serverInfoCache.clear();
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-18 03:17:30 +00:00
|
|
|
export async function probeBlueBubbles(params: {
|
|
|
|
|
baseUrl?: string | null;
|
|
|
|
|
password?: string | null;
|
|
|
|
|
timeoutMs?: number;
|
|
|
|
|
}): Promise<BlueBubblesProbe> {
|
2026-03-02 20:58:20 -06:00
|
|
|
const baseUrl = normalizeSecretInputString(params.baseUrl);
|
|
|
|
|
const password = normalizeSecretInputString(params.password);
|
2026-01-31 22:13:48 +09:00
|
|
|
if (!baseUrl) {
|
|
|
|
|
return { ok: false, error: "serverUrl not configured" };
|
|
|
|
|
}
|
|
|
|
|
if (!password) {
|
|
|
|
|
return { ok: false, error: "password not configured" };
|
|
|
|
|
}
|
2026-01-18 03:17:30 +00:00
|
|
|
const url = buildBlueBubblesApiUrl({ baseUrl, path: "/api/v1/ping", password });
|
|
|
|
|
try {
|
2026-01-31 21:13:13 +09:00
|
|
|
const res = await blueBubblesFetchWithTimeout(url, { method: "GET" }, params.timeoutMs);
|
2026-01-18 03:17:30 +00:00
|
|
|
if (!res.ok) {
|
|
|
|
|
return { ok: false, status: res.status, error: `HTTP ${res.status}` };
|
|
|
|
|
}
|
|
|
|
|
return { ok: true, status: res.status };
|
|
|
|
|
} catch (err) {
|
|
|
|
|
return {
|
|
|
|
|
ok: false,
|
|
|
|
|
status: null,
|
|
|
|
|
error: err instanceof Error ? err.message : String(err),
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
}
|