mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-06 22:09:44 +02:00
* feat(integrations): add platform-agnostic channel foundation Introduce server/internal/integrations/channel — the contract every inbound IM integration implements, so the core never learns a platform's event JSON. Four pieces: - Channel interface (Type/Connect/Disconnect/Send/Capabilities) + Factory + Config (channel_type + opaque JSON blob, maps to channel_installation). - Normalized InboundMessage/OutboundMessage envelopes + Source/MediaRef/ ReplyCtx/MsgType/ChatType. Envelope holds only cross-platform-true fields; platform specifics live in Raw, read only by the adapter. - Capability bitmask: declaration only, no degrade logic in core. - Registry: Type->Factory map, last-writer-wins, concurrency-safe. Pure package (no DB/network/platform deps). Foundation for MUL-3515; the lark cutover + lark_*->channel_* generalization land in follow-up PRs. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * feat(channel): generalize lark_* tables into channel_* (DB layer) Migration 123 creates channel_installation / channel_user_binding / channel_chat_session_binding / channel_inbound_message_dedup / channel_inbound_audit / channel_outbound_card_message / channel_binding_token. Each carries a channel_type discriminator and a JSONB config for platform-specific identifiers/credentials; cross-platform columns stay flat. Existing Feishu rows are backfilled (channel_type= 'feishu', app_secret_encrypted via base64). NO foreign keys / cascades (MUL-3515 §4) — integrity moves to the app layer in the cutover. queries/channel.sql ports the lark query surface to channel_*, JSONB-aware, plus DeleteChannelUserBindingsByWorkspaceMember / DeleteChannelChatSessionBindingBySession for the app-layer cleanup that replaces the removed cascades. lark_* tables/queries are left in place here and removed once the Go cutover lands, so this commit ships green on its own. Verified: sqlc generate, go build ./..., full migrate chain (1..123) on Postgres 17, and a real-data backfill spot-check (base64 round-trip, NULL-strip, functional unique index on (channel_type, app_id)). MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * fix(channel): name app_id query param + multi-IM install key + null-safe binding merge Addresses review on MUL-3515 (PR #4412): - GetChannelInstallationByAppID: explicitly name params and cast app_id to ::text so sqlc emits AppID string. A bare $2 next to `config ->> 'app_id'` was mis-attributed to the JSONB config column, generating Config []byte. - channel_installation uniqueness -> (workspace_id, agent_id, channel_type), with the UpsertChannelInstallation conflict key matched. Lets one agent hold one installation per IM (feishu + slack + ...) instead of a later install clobbering an earlier one. Behaviorally identical in the current feishu-only world; "one agent, at most one IM overall" stays an app-layer rule per MUL-3515 §4, not a DB constraint. - CreateChannelUserBinding merges jsonb_strip_nulls(EXCLUDED.config) so a re-bind carrying {"union_id": null} no longer erases an already-captured union_id, restoring the old COALESCE(EXCLUDED.union_id, ...) semantics. Regenerated with sqlc v1.31.1. Verified on PG17: re-install replaces in place, feishu+slack coexist, null re-bind keeps union_id, real union_id wins. Co-authored-by: multica-agent <github@multica.ai> * feat(lark): channel-backed Feishu store + fix base64 backfill wrapping Cutover step 1 of switching the lark Go code from lark_* onto the channel_* tables (MUL-3515). Introduces the JSONB config boundary the rest of the cutover sits on, and fixes a latent backfill bug surfaced while building it. - migration 123: strip newlines from the app_secret_encrypted base64 backfill. PostgreSQL encode(...,'base64') MIME-wraps at 76 chars, and a secretbox- sealed ~72-byte secret exceeds that. Go's encoding/json decodes a JSON string into []byte with base64.StdEncoding, which rejects embedded newlines, so without the strip every migrated installation would fail to decrypt its app secret once reads move to channel_installation.config. - store.go: flat domain types (Installation / UserBinding / ChatSessionBinding) with field parity to the retired db.Lark* rows, plus the feishu config codec. Row->domain mappers decode the JSONB config; the secret decoder is whitespace-tolerant so legacy MIME-wrapped data still round-trips, while the encoder emits unwrapped base64. Binding config encodes an absent union_id as "{}" so the upsert's jsonb_strip_nulls merge never clobbers a stored union_id. - store_test.go: 72-byte secret round-trip, MIME-wrapped tolerance, optional null-strip, and flat-column preservation. Verified on PG17. Field parity keeps the upcoming ~190 db.LarkInstallation call sites a mechanical rename. No call sites switched yet; behavior unchanged. Co-authored-by: multica-agent <github@multica.ai> * feat(lark): route inbound integration onto channel_* + explicit membership checks Cutover step 2 (MUL-3515): switch the Feishu Go code from the lark_* queries to channel_* via a ChannelStore adapter, and replace the removed member foreign key with explicit application-layer membership checks. No user-visible behavior change. - channel_store.go: ChannelStore embeds *db.Queries and SHADOWS the ~24 lark query methods with channel_*-backed equivalents, keeping the db.Lark* signatures so the dispatcher/hub/services and their ~20k lines of tests stay untouched; the feishu JSONB config is (de)coded by store.go. Adds IsWorkspaceMember and a tx-aware WithTx. Only production wiring swaps *db.Queries for *ChannelStore. - Membership re-check (§4 removed the lark_user_binding -> member FK, so a binding row no longer proves current membership): * the dispatcher inbound identity step verifies membership after the binding lookup; a former member's stale binding is dropped as non_workspace_member + audited and never reaches chat_session (§4.3 safety property). * RedeemAndBind and BindInstallerTx replace the now-dead FK (23503) branch with an explicit IsWorkspaceMember gate, preserving the existing ErrBindingNotWorkspaceMember outcome without burning the token. - router wires the ChannelStore into the patcher, typing indicator, dispatcher, hub, and the union_id/region backfills; constructor-based services wrap *db.Queries internally so their signatures and nil-check tests are unchanged. Verified: go build ./... ; go vet ; gofmt ; go test -race ./internal/integrations/... (full lark suite green unchanged + new membership drop/error tests). Adapter field mappings (secret base64, union_id RMW, chat-id/open-id remaps, dedup, token, card) checked end-to-end against a PG17 channel_* schema. lark_* tables and queries remain (unused at runtime) until the S3 cleanup-hooks and S4 drop-tables/rename commits. Co-authored-by: multica-agent <github@multica.ai> * fix(channel): renumber generalization migration 123 -> 124 main merged 123_issue_stage after this branch forked, so the branch's 123_channel_generalization now collides on the migration number. The runner keys schema_migrations by full version string and would still apply both, but a duplicate number is a merge hazard and convention violation, so move the channel migration to the next free slot (124). issue_stage (ALTER issue ADD COLUMN stage) and the channel generalization touch disjoint tables; verified on PG17 that 123_issue_stage applies cleanly on a DB already carrying 124_channel_generalization, so the two are order-independent. sqlc regenerated (v1.31.1): only the migration-number comment changed. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * feat(channel): prune channel bindings on member removal + chat session delete MUL-3515 §4 dropped every channel_* foreign key, so the old ON DELETE CASCADE that cleared a user's channel_user_binding when they left a workspace, and a chat's channel_chat_session_binding when its chat_session was deleted, no longer fires. Re-establish that integrity in the application layer, inside the existing transactions: revokeAndRemoveMember -> DeleteChannelUserBindingsByWorkspaceMember, DeleteChatSession -> DeleteChannelChatSessionBindingBySession. Adds real-DB tests for both paths, including a scoping check that a remaining member's binding survives the prune. Verified on PG17: both new tests plus the existing revocation tests and the full handler package pass. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * fix(channel): scope Lark/Feishu store reads to channel_type='feishu' The S2 cutover routed the Feishu integration onto channel_*, but the Lark-facing ChannelStore wrappers read installation / chat-session-binding / outbound-card rows across ALL channel_type values. Once a second IM exists, that would let the Lark hub supervise a non-Feishu installation, the Lark install list show it, /lark/installations/{id} revoke another channel's row, and the outbound patcher / typing indicator act on a non-Feishu chat binding or card. Add a channel_type predicate to the six read/list channel queries and pass channelTypeFeishu from every wrapper: GetChannelInstallation, GetChannelInstallationInWorkspace, ListChannelInstallationsByWorkspace, ListActiveChannelInstallations, GetChannelChatSessionBindingBySession, GetChannelOutboundCardByTask. The S3 cleanup deletes (DeleteChannelUserBindingsByWorkspaceMember / DeleteChannelChatSessionBindingBySession) stay all-channel on purpose: a member leaving or a chat_session being deleted should clear every IM's binding. Adds a real-DB test that seeds a Slack installation/binding/card next to the Feishu ones and asserts the Lark wrappers never return them. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * refactor(channel): replace db.Lark* translation layer with lark domain types S2 introduced ChannelStore as a translation layer that read/wrote channel_* but kept the retired db.Lark* struct/param shapes so the dispatcher/hub/services and their ~20k lines of tests did not have to change. This collapses that layer: the store now takes and returns the package's flat domain types (Installation, UserBinding, ChatSessionBinding, InboundMessageDedup, BindingTokenRow, OutboundCardMessage) and the *Params types in params.go, with channel-neutral field names (ChannelUserID / ChannelChatID / ...). All call sites, fakes, and tests move to the domain types. No behavior change: only channel_* is read/written (as before); db.Lark* is now unused, and the lark_* tables + queries/lark.sql are removed in the next commit. Verified on PG17: go build / vet / gofmt clean, go test -race ./internal/integrations/... green (the ~20k-line fake suite), and the lark + handler suites pass. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * refactor(channel): drop lark_* tables and queries (remove old path) The Go cutover (previous commit) moved the lark package entirely onto channel_* and the domain types, leaving the lark_* tables, queries/lark.sql, and the generated db.Lark* models unused. Remove them per the design (§5: replace, do not keep both): migration 125 drops the seven lark_* tables (data already lives in channel_* since migration 124), and queries/lark.sql is deleted + sqlc regenerated, removing the db.Lark* models and lark query methods. The 125 down recreates the authoritative pre-drop schema (bot_union_id, region, per-installation dedup PK, thread-reply columns). Verified on PG17: fresh migrate up ends with lark_* gone + channel_* present; isolated 125 down/up round-trips correctly; go build / vet / gofmt clean; go test -race ./internal/integrations/... and the handler suite pass. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * fix(migrations): remove trailing blank line at EOF of 125 down migration git diff --check flagged a blank line at EOF of 125_drop_lark_tables.down.sql (a pg_dump-generation artifact). Whitespace only; the recreate SQL is unchanged. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * refactor(channel): defer lark_* table drop to a follow-up migration Preflight deploy review: dropping lark_* in the same release that cuts over (old migration 125) is not rollback/rolling-safe — the v0.3.27 release still reads lark_*, so a rolling deploy or a post-deploy code rollback would hit "relation does not exist". Remove the drop and keep the old tables for one release (standard expand/contract): migration 124 already backfilled lark_* -> channel_*, the new code reads/writes only channel_*, and the physical drop moves to a separate cleanup migration once this ships and is observed. The lark_* tables remain in the schema, so sqlc regenerates the (now unused) db.Lark* models; queries/lark.sql stays deleted (the new code uses channel_*). No code path reads lark_* — only the destructive drop is deferred, keeping the design's no-compat-layer / no-dual-write rule while being deploy-safe. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * fix(channel): skip orphaned installations in hub-boot active scan Preflight deploy review: channel_installation dropped the workspace/agent FK (MUL-3515 §4), so unlike lark_installation it does not cascade away when its workspace is deleted or its agent is hard-deleted (e.g. runtime teardown). The hub-boot query then keeps opening a WebSocket for a bot whose owner is gone. JOIN ListActiveChannelInstallations to live workspace + agent so an orphaned installation is never connected, uniformly for every deletion path. The JOIN matches the old ON DELETE CASCADE semantics (row existence, not agent archival), so an archived-but-present agent's installation is still listed; the orphaned row's encrypted secret is thereby never decrypted/used. Tests: a real-DB handler test asserts a deleted-workspace/agent installation and a non-Feishu one are both excluded; the lark scope test's active-list assertion moved there since the JOIN now needs real workspace/agent fixtures. (Physically deleting dormant orphaned channel rows on workspace/agent deletion is a separate app-layer-cleanup follow-up.) MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * docs(channel): document non-rolling cutover constraint for the lark->channel migration Elon deploy review: keeping the lark_* tables (deferred drop) stops old v0.3.27 code from crashing, but is not full expand/contract. Migration 124 is a one-time backfill; afterwards new code runs on channel_* (lease + dedup on channel_*) while pre-cutover code runs on lark_* (lease + dedup on lark_*). If both run concurrently during a rolling deploy, each side claims the same Feishu bot's WS lease on its own table and double-processes inbound events. This release therefore requires a NON-ROLLING cutover (stop the old hub before applying migration 124 + starting new code; rollback is not lossless once new code writes channel_*). Documented where deployers/reviewers see it: migration 124 header gains a ROLLOUT note; the channel_store.go header is corrected (lark_* tables are retained one release for rollback safety, not "gone"; the store still never touches them). Comment-only — no schema/codegen/behavior change. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * feat(lark): add MULTICA_LARK_HUB_DISABLED switch for the channel cutover The lark_*->channel_* cutover needs a way to make the Feishu bot briefly unavailable WITHOUT taking down the whole multica-api process — the Lark hub is a goroutine inside it, not a separate Deployment. MULTICA_LARK_HUB_DISABLED=true parks the hub at startup: the API serves HTTP normally but never claims a WS lease or opens a Feishu connection. Rollout (see migration 124 ROLLOUT note): ship the new release with the flag SET so new pods run API-only while old pods (hub on lark_*) drain during the rolling deploy — the two hubs never overlap. After the old pods are gone and migration 124 has run, flip the flag off; the new hub comes up on channel_*. The old backend does NOT need this switch — its hub stops when k8s terminates the old pods, not via a flag. Nil-ing LarkHub reuses the existing not-configured path so both the startup start and the shutdown join skip it. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * docs(channel): point migration 124 ROLLOUT note at the hub-disable switch Refine the rollout note to use MULTICA_LARK_HUB_DISABLED for a bot-only cutover (new pods serve API with the hub parked while old pods drain; flip the switch off after the migration), instead of the earlier whole-API recreate. Comment-only. MUL-3515 Co-authored-by: multica-agent <github@multica.ai> * docs(channel): fix migration 124 rollout order and document self-host cutover The previous ROLLOUT note shipped the new (channel_*) build before running migration 124, so the channel_*-backed HTTP paths (installation list/install/revoke, chat-session delete, member revoke) would 500 in the window between new-pod boot and the deferred migration. Restate the runbook around two explicit invariants — channel_* must exist before the new build serves those paths, and the old/new hubs must never overlap — and order the steps so channel_* is created first (park old hub -> snapshot -> deploy parked new build -> unpark). Document that default self-host (entrypoint migrate + single-replica Recreate) satisfies both invariants automatically and needs no manual steps; only prd / multi-replica rolling self-host needs the switch procedure. Clarify in main.go that the hub-park switch is generation-agnostic (parks whichever hub the build carries), which is what enables the preparatory release. Refs MUL-3515 Co-authored-by: multica-agent <github@multica.ai> --------- Co-authored-by: J <j@multica.ai> Co-authored-by: multica-agent <github@multica.ai>
348 lines
12 KiB
Go
348 lines
12 KiB
Go
package lark
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"sort"
|
|
"strings"
|
|
)
|
|
|
|
// LarkJSONFrameDecoder decodes the JSON event payload Lark nests
|
|
// inside a long-conn data Frame. The outer binary Frame envelope
|
|
// (ws_frame.go) is stripped by the connector; the decoder only sees
|
|
// the bytes from Frame.Payload, which Lark formats as the standard
|
|
// event-subscription envelope: {schema, header, event}.
|
|
//
|
|
// Three outcomes:
|
|
//
|
|
// - (msg, true, nil) — `im.message.receive_v1` event. The Hub
|
|
// forwards through the Dispatcher.
|
|
// - (zero, false, nil) — heartbeat-shaped JSON or an event_type we
|
|
// don't yet handle (im.chat.access_event_v1, etc.). The connector
|
|
// drops these silently and still sends a 200 ACK to Lark so the
|
|
// server stops resending.
|
|
// - (zero, false, err) — malformed JSON or schema we couldn't
|
|
// parse. The connector logs + drops the single frame; the WS
|
|
// connection stays up because one bad payload shouldn't amplify
|
|
// into a reconnect storm.
|
|
//
|
|
// The decoder is stateless and goroutine-safe — a single instance
|
|
// serves every supervisor goroutine.
|
|
type LarkJSONFrameDecoder struct{}
|
|
|
|
func NewLarkJSONFrameDecoder() *LarkJSONFrameDecoder { return &LarkJSONFrameDecoder{} }
|
|
|
|
// Decode implements FrameDecoder.
|
|
func (d *LarkJSONFrameDecoder) Decode(payload []byte, inst Installation) (InboundMessage, bool, error) {
|
|
if len(payload) == 0 {
|
|
return InboundMessage{}, false, nil
|
|
}
|
|
var env larkEventEnvelope
|
|
if err := json.Unmarshal(payload, &env); err != nil {
|
|
return InboundMessage{}, false, fmt.Errorf("envelope: %w", err)
|
|
}
|
|
|
|
// Lark long-conn data frames are always v2 event envelopes
|
|
// (schema "2.0"). The legacy webhook v1 "type":"event_callback"
|
|
// shape is not used on long-conn — we accept it defensively in
|
|
// case Lark adds a back-compat mode, but the canonical path is
|
|
// schema-driven.
|
|
if env.Type != "" && env.Type != "event_callback" {
|
|
return InboundMessage{}, false, nil
|
|
}
|
|
|
|
if env.Header.EventType != "im.message.receive_v1" {
|
|
return InboundMessage{}, false, nil
|
|
}
|
|
|
|
if env.Event == nil {
|
|
return InboundMessage{}, false, errors.New("event_callback with empty event payload")
|
|
}
|
|
var evt larkMessageReceiveEvent
|
|
if err := json.Unmarshal(env.Event, &evt); err != nil {
|
|
return InboundMessage{}, false, fmt.Errorf("event: %w", err)
|
|
}
|
|
|
|
msg := InboundMessage{
|
|
EventType: env.Header.EventType,
|
|
EventID: env.Header.EventID,
|
|
AppID: env.Header.AppID,
|
|
ChatID: ChatID(evt.Message.ChatID),
|
|
ChatType: normalizeChatType(evt.Message.ChatType),
|
|
MessageID: evt.Message.MessageID,
|
|
SenderOpenID: OpenID(evt.Sender.SenderID.OpenID),
|
|
MessageType: evt.Message.MessageType,
|
|
CreateTime: evt.Message.CreateTime,
|
|
// parent_id / root_id are populated by Lark only in reply
|
|
// scenarios. The enricher keys quoted-reply expansion off
|
|
// ParentID (the directly quoted message); RootID is carried for
|
|
// completeness / future thread handling.
|
|
ParentID: evt.Message.ParentID,
|
|
RootID: evt.Message.RootID,
|
|
// thread_id is present only when the message lives inside a Lark
|
|
// topic (话题). The outbound patcher uses it to decide whether to
|
|
// reply back into that thread; empty means a normal chat message.
|
|
ThreadID: evt.Message.ThreadID,
|
|
}
|
|
|
|
botUnionID := ""
|
|
if inst.BotUnionID.Valid {
|
|
botUnionID = inst.BotUnionID.String
|
|
}
|
|
|
|
// text + post are flattened synchronously here (no external calls —
|
|
// the decoder must stay fast and dependency-free). merge_forward
|
|
// leaves Body empty: it needs an HTTP round-trip to expand and is
|
|
// handled downstream by the enricher, which keys off MessageType.
|
|
// Other types (image, file, …) also leave Body empty in this MVP;
|
|
// attachment ingestion is a separate issue.
|
|
switch evt.Message.MessageType {
|
|
case "text", "post":
|
|
msg.Body = resolveMentions(flattenContent(evt.Message.MessageType, evt.Message.Content),
|
|
evt.Message.Mentions, inst.BotOpenID, botUnionID)
|
|
}
|
|
|
|
// Snapshot the user's own text as the command source BEFORE any
|
|
// enrichment runs. The enricher rewrites Body (prepending quoted /
|
|
// forwarded context) but never touches CommandBody, so `/issue …`
|
|
// is still parsed against what the user actually typed.
|
|
msg.CommandBody = msg.Body
|
|
|
|
if msg.ChatType == ChatTypeGroup {
|
|
msg.AddressedToBot = containsMention(evt.Message.Mentions, inst.BotOpenID, botUnionID)
|
|
}
|
|
|
|
return msg, true, nil
|
|
}
|
|
|
|
// larkEventEnvelope mirrors the outer JSON Lark wraps every push in.
|
|
type larkEventEnvelope struct {
|
|
Schema string `json:"schema"`
|
|
Type string `json:"type"`
|
|
Header larkEventHeader `json:"header"`
|
|
Event json.RawMessage `json:"event"`
|
|
}
|
|
|
|
type larkEventHeader struct {
|
|
EventID string `json:"event_id"`
|
|
EventType string `json:"event_type"`
|
|
CreateTime string `json:"create_time"`
|
|
AppID string `json:"app_id"`
|
|
TenantKey string `json:"tenant_key"`
|
|
}
|
|
|
|
// larkMessageReceiveEvent is the documented payload of
|
|
// im.message.receive_v1.
|
|
type larkMessageReceiveEvent struct {
|
|
Sender struct {
|
|
SenderID struct {
|
|
OpenID string `json:"open_id"`
|
|
UnionID string `json:"union_id"`
|
|
UserID string `json:"user_id"`
|
|
} `json:"sender_id"`
|
|
SenderType string `json:"sender_type"`
|
|
TenantKey string `json:"tenant_key"`
|
|
} `json:"sender"`
|
|
Message struct {
|
|
MessageID string `json:"message_id"`
|
|
ChatID string `json:"chat_id"`
|
|
ChatType string `json:"chat_type"`
|
|
MessageType string `json:"message_type"`
|
|
Content string `json:"content"`
|
|
Mentions []larkMention `json:"mentions"`
|
|
CreateTime string `json:"create_time"`
|
|
// ParentID / RootID are only present when the message is a
|
|
// reply / quote. ParentID is the directly quoted message;
|
|
// RootID is the root of the reply tree.
|
|
ParentID string `json:"parent_id"`
|
|
RootID string `json:"root_id"`
|
|
// ThreadID is present only for messages inside a Lark topic
|
|
// (话题). Lark omits it for plain chat messages, so its presence
|
|
// is the signal that an @-mention happened inside a thread.
|
|
ThreadID string `json:"thread_id"`
|
|
} `json:"message"`
|
|
}
|
|
|
|
type larkMention struct {
|
|
Key string `json:"key"`
|
|
ID struct {
|
|
OpenID string `json:"open_id"`
|
|
UnionID string `json:"union_id"`
|
|
UserID string `json:"user_id"`
|
|
} `json:"id"`
|
|
Name string `json:"name"`
|
|
}
|
|
|
|
// resolveMentions substitutes Lark's `@_user_N` placeholders so the
|
|
// agent receives a body that reads naturally and does not require
|
|
// resolving the mentions array itself. The bot's OWN mention is
|
|
// stripped (the dispatcher already routes the event on
|
|
// AddressedToBot — re-emitting `@<bot>` in front of every message
|
|
// makes both the chat transcript and any downstream LLM context
|
|
// noisier without adding signal). Other participants render as
|
|
// `@<displayName>`, falling back to leaving the placeholder alone
|
|
// when name is empty (defensive — Lark always populates it in
|
|
// practice).
|
|
//
|
|
// Replacement is a single-pass token scan, not naive ReplaceAll. Two
|
|
// reasons:
|
|
//
|
|
// - Prefix collision: a chat with eleven @-mentions exposes keys
|
|
// `@_user_1` and `@_user_10`; ReplaceAll for `@_user_1` would
|
|
// mangle the substring of `@_user_10`. We sort keys by length
|
|
// DESC and try the longest match at each scan position so the
|
|
// longer placeholder always wins.
|
|
//
|
|
// - Whitespace fidelity: when we strip the bot mention we only
|
|
// touch a single space immediately adjacent to it — either the
|
|
// space after the placeholder, or, if there is none, a single
|
|
// trailing space already in the output. Tabs, indentation, code
|
|
// blocks, table pipes, and any other intentional whitespace in
|
|
// the user's message are preserved verbatim.
|
|
func resolveMentions(text string, mentions []larkMention, botOpenID, botUnionID string) string {
|
|
if text == "" || len(mentions) == 0 {
|
|
return text
|
|
}
|
|
// Filter empty keys and sort longest first so `@_user_10` is
|
|
// matched before `@_user_1` at any scan position.
|
|
sorted := make([]larkMention, 0, len(mentions))
|
|
for _, m := range mentions {
|
|
if m.Key != "" {
|
|
sorted = append(sorted, m)
|
|
}
|
|
}
|
|
sort.SliceStable(sorted, func(i, j int) bool {
|
|
return len(sorted[i].Key) > len(sorted[j].Key)
|
|
})
|
|
|
|
out := make([]byte, 0, len(text))
|
|
i := 0
|
|
for i < len(text) {
|
|
var matched *larkMention
|
|
for idx := range sorted {
|
|
if strings.HasPrefix(text[i:], sorted[idx].Key) {
|
|
matched = &sorted[idx]
|
|
break
|
|
}
|
|
}
|
|
if matched == nil {
|
|
out = append(out, text[i])
|
|
i++
|
|
continue
|
|
}
|
|
end := i + len(matched.Key)
|
|
switch {
|
|
case isBotMention(*matched, botOpenID, botUnionID):
|
|
// Strip: eat one adjacent space (after the placeholder
|
|
// preferred; else backtrack one space we already emitted)
|
|
// so the seam is not left with a double space or a
|
|
// dangling leading space. Tabs / newlines / other chars
|
|
// are untouched.
|
|
if end < len(text) && text[end] == ' ' {
|
|
end++
|
|
} else if n := len(out); n > 0 && out[n-1] == ' ' {
|
|
out = out[:n-1]
|
|
}
|
|
case matched.Name != "":
|
|
out = append(out, '@')
|
|
out = append(out, matched.Name...)
|
|
default:
|
|
// Unknown mention — leave the placeholder intact so the
|
|
// agent at least sees a stable token.
|
|
out = append(out, matched.Key...)
|
|
}
|
|
i = end
|
|
}
|
|
return string(out)
|
|
}
|
|
|
|
// isBotMention identifies whether a payload mention refers to THIS
|
|
// bot. Stays in lockstep with containsMention: when union_id is
|
|
// known we trust it exclusively (open_id is structurally inverted
|
|
// in multi-bot groups — matching on it would re-introduce the
|
|
// MUL-2671 routing bug). Only when union_id is missing do we fall
|
|
// back to open_id, which is correct in single-bot installs and the
|
|
// best we can do in pre-backfill rows.
|
|
func isBotMention(m larkMention, botOpenID, botUnionID string) bool {
|
|
if botUnionID != "" {
|
|
return m.ID.UnionID == botUnionID
|
|
}
|
|
if botOpenID == "" {
|
|
return false
|
|
}
|
|
return m.ID.OpenID == botOpenID
|
|
}
|
|
|
|
func extractTextBody(content string) string {
|
|
if content == "" {
|
|
return ""
|
|
}
|
|
var doc struct {
|
|
Text string `json:"text"`
|
|
}
|
|
if err := json.Unmarshal([]byte(content), &doc); err != nil {
|
|
return ""
|
|
}
|
|
return doc.Text
|
|
}
|
|
|
|
func normalizeChatType(t string) ChatType {
|
|
switch strings.ToLower(t) {
|
|
case "p2p":
|
|
return ChatTypeP2P
|
|
case "group":
|
|
return ChatTypeGroup
|
|
default:
|
|
return ChatType(t)
|
|
}
|
|
}
|
|
|
|
// containsMention answers "was THIS bot @-mentioned in this group event".
|
|
//
|
|
// The bot's stable identifier across WS perspectives is `union_id` —
|
|
// see MUL-2671 group-@-mention triage. In a Lark group with several
|
|
// Multica bots, each bot's WS receives the event, and Lark fills
|
|
// `mentions[].id.open_id` with the per-app form for whichever bot it
|
|
// is talking to: bot X's WS sees X's payload-form open_id when bot Y
|
|
// was @-ed, and a different payload-form open_id when X itself was
|
|
// the target. Only `union_id` is consistent across both WS streams.
|
|
//
|
|
// Match order:
|
|
//
|
|
// 1. When we know the bot's `union_id` (captured by GetBotInfo at
|
|
// install time, persisted in lark_installation.bot_union_id),
|
|
// compare against `mentions[].id.union_id`. This is the correct
|
|
// path and is unambiguous in multi-bot deployments.
|
|
//
|
|
// 2. When `union_id` is unknown — single-bot installs created
|
|
// before migration 112, or contact-scope-restricted operators
|
|
// where /contact/v3/users denied the lookup — fall back to the
|
|
// per-app `open_id` comparison. This is structurally inverted
|
|
// in multi-bot group chats but is fine for the p2p/single-bot
|
|
// case the WS sees most of the time, and avoids hard-failing
|
|
// pre-backfill installations.
|
|
//
|
|
// Empty inputs short-circuit to false rather than matching every
|
|
// mention; that defends against an installation row that somehow
|
|
// has both identifiers blank.
|
|
func containsMention(mentions []larkMention, botOpenID, botUnionID string) bool {
|
|
if botUnionID != "" {
|
|
for _, m := range mentions {
|
|
if m.ID.UnionID == botUnionID {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
if botOpenID == "" {
|
|
return false
|
|
}
|
|
for _, m := range mentions {
|
|
if m.ID.OpenID == botOpenID {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|