feat: 飞书凭证迁入 agents.json

[lishuceo]

Summary

• 每个 agent 内嵌 feishu: { appId, appSecret } 字段，一个文件看到全貌
• 系统启动时从 agents.json 自动推导 bot 账号和路由规则（单/多 bot 自动判断）
• 移除 .env 中的 FEISHU_APP_ID、FEISHU_APP_SECRET、BOT_ACCOUNTS、AGENT_BINDINGS
• Onboarding agent 将飞书凭证直接写入 agents.json，不再写 .env

Test plan

• 新机器部署：setup.sh → npm run onboard → 飞书 key 写入 agents.json → npm run dev
• /config 命令显示正确的 feishu appId
• npx vitest run 全部通过（1320 passed，1 pre-existing flaky failure）

🤖 Generated with Claude Code

[claude]

Claude finished @lishuceo's task in 2m 5s —— View job

---

PR Review: feat: 飞书凭证迁入 agents.json

• Check for previous review comments
• Read PR diff and all changed files
• Analyze for bugs, security, and architecture issues
• Post inline comments and summary

---

⚠️ Issues Found

Overall: The migration direction is sound — consolidating Feishu credentials into agents.json simplifies configuration and makes the multi-agent setup more self-documenting. The schema additions, config-loader extensions, and startup flow rework are well-structured. However, there are a few issues to address:

#	Severity	File	Issue	Confidence
1	🔴 Critical	src/feishu/client.ts:907	Multi-bot mode crashes: initDefaultClient() is only called in single-bot branch, but the feishuClient proxy throws when _defaultClient is undefined. Any code using feishuClient outside AsyncLocalStorage context in multi-bot mode (e.g., OAuth feishuClient.raw) will crash.	90
2	🟡 Warning	src/feishu/oauth.ts:37-38	Empty HMAC key degrades security: getPrimaryAppSecret() returns '' if no bot accounts exist, silently signing OAuth states with an empty key. Should throw instead.	82
3	🟡 Warning	src/feishu/oauth.ts:38	Repeated computation: deriveBotAccounts() rebuilds a full Map from all agents on every signState()/verifyState() call. Should cache.	80
4	🟡 Warning	src/feishu/event-handler.ts:689	Per-message overhead: deriveBindings() iterates all agents and builds arrays on every incoming message. Should cache and invalidate on config reload.	78

What looks good:

• Clean Zod schema additions for FeishuAccountSchema and AgentBindingSchema
• Proper deduplication logic in deriveBotAccounts() (by appId)
• Explicit bindings take precedence over auto-derived ones (spread order)
• Test updates correctly reflect the new source of truth
• startServer() parameter design cleanly separates single/multi-bot paths

[claude]

Claude finished @lishuceo's task in 2m 51s —— View job

---

PR Re-review: feat: 飞书凭证迁入 agents.json

• Check previous review comments and resolve fixed issues
• Read current state of all changed files
• Analyze for new bugs, security, and architecture issues
• Post summary

---

⚠️ Issues Found — 4 previous issues still unresolved

All 4 issues from the previous review remain unfixed after the latest push (2826257). Replied to each thread with current status.

#	Severity	File	Issue	Status
1	🔴 Critical	src/feishu/client.ts:907	Multi-bot mode crashes: initDefaultClient() only called in single-bot branch. Any feishuClient usage outside AsyncLocalStorage context in multi-bot mode throws. Concrete crash paths: interrupted session notifications (index.ts:193), cron sendMessage fallback to 'default' (index.ts:131), OAuth feishuClient.raw (oauth.ts:113).	Still exists
2	🟡 Warning	src/feishu/oauth.ts:37-38	Empty HMAC key degrades security: getPrimaryAppSecret() returns '' if no bot accounts, silently signing with vacuous key.	Still exists
3	🟡 Warning	src/feishu/oauth.ts:38	Repeated computation: deriveBotAccounts() rebuilds full Map on every signState()/verifyState() call.	Still exists
4	🟡 Warning	src/feishu/event-handler.ts:689	Per-message overhead: deriveBindings() iterates all agents on every incoming message without caching.	Still exists

No new issues found

The fix: 移除 index.ts 中未使用的 isMultiBotMode 导入 commit (2826257) is a clean import cleanup — no new issues introduced.

What looks good:

• Clean Zod schema additions (FeishuAccountSchema, AgentBindingSchema)
• Proper deduplication in deriveBotAccounts() by appId
• Explicit bindings take precedence over auto-derived (spread order in index.ts:59)
• Test updates correctly reflect the new source of truth (deriveBotAccounts mock)
• .env.example cleanup is thorough — clear migration comment at top
• No credential leakage risk in logging (all log calls only output accountId/agentId, never secrets)

Recommendation: Fix the 🔴 critical issue (#1) before merging — multi-bot mode will crash at runtime on several code paths. The simplest fix: always call initDefaultClient() with the primary bot's credentials, even in multi-bot mode.

[claude]

Claude finished @lishuceo's task in 2m 22s —— View job

---

PR Re-review: feat: 飞书凭证迁入 agents.json

• Check previous review comments and current diff
• Read current state of all affected files
• Check if 4 previous issues are resolved
• Look for new issues in latest changes
• Reply to previous comments and resolve fixed threads
• Post final summary

---

✅ All 4 previous issues fixed — no new issues found

Commit 2237f40 ("fix: address PR review — multi-bot initDefaultClient + 缓存优化 + OAuth 安全") properly addresses all previously flagged issues:

#	Previous Issue	Fix	Verified
1	🔴 Multi-bot mode _defaultClient uninitialized	initDefaultClient() now called at index.ts:148 before the multi-bot/single-bot branch	✅
2	🟡 Empty HMAC key in OAuth	getPrimaryAppSecret() now throws instead of returning ''	✅
3	🟡 deriveBotAccounts() recomputed per-call	Returns cached cachedBotAccounts, recomputed only on load/reload	✅
4	🟡 deriveBindings() per-message overhead	Returns cached cachedDerivedBindings, recomputed only on load/reload	✅

All 4 review threads have been resolved.

Overall assessment: The fix commit is clean and well-structured. The caching approach in config-loader.ts (lines 43-45, 203-204, 305-355) correctly invalidates on reload while eliminating per-request overhead. The initDefaultClient placement ensures both single-bot and multi-bot modes work correctly. LGTM.

[claude]

PR Re-review: feat: 飞书凭证迁入 agents.json

• Check previous inline review comments and resolve fixed threads
• Review new changes since last review (d7d81ab)
• Read all affected files for context
• Post summary

[claude]

Claude finished @lishuceo's task in 1m 22s —— View job

---

PR Re-review: feat: 飞书凭证迁入 agents.json

• Check for previous inline review comments and resolve fixed threads
• Review new changes since last review (d7d81ab, 2ff51d5, a31922b)
• Read all affected files for context
• Post summary

---

✅ LGTM — All previous issues fixed, no new issues found

3 new commits since last review (all clean):

Commit	Description	Assessment
d7d81ab	Add description field to agent config	Schema, types, merge logic, and /config display all correctly wired. Optional field, no breaking change.
2ff51d5	Delete pm.example.md and .gitkeep files	Clean removal of unused placeholder files.
a31922b	Semantic placeholders in team.example.md	Replaces fake Alice/Bob/Carol data with onboarding-friendly templates. Good UX improvement.

Previous 4 issues (all resolved in 2237f40):

1. 🔴 Multi-bot _defaultClient uninitialized → initDefaultClient() now called before mode branch
2. 🟡 Empty HMAC key → getPrimaryAppSecret() throws on missing accounts
3. 🟡 deriveBotAccounts() per-call recomputation → Cached at load/reload time
4. 🟡 deriveBindings() per-message overhead → Cached at load/reload time

What looks good across the full PR:

• Clean description field addition: Zod schema → type → merge logic → /config display, all consistent
• Caching strategy in config-loader.ts (lines 43-45, 203-205) correctly invalidates on reload
• initDefaultClient placement at index.ts:148 ensures both single/multi-bot modes work
• No credential leakage in logs (only accountId/agentId logged, never secrets)
• Example config with semantic placeholders is a nice onboarding improvement

[claude]

PR Re-review: feat: 飞书凭证迁入 agents.json

• Check previous inline review comments and resolve fixed threads
• Review latest changes since last review (cd415bf)
• Read all affected files for context
• Post summary

[claude]

Claude finished @lishuceo's task in 1m 46s —— View job

---

PR Re-review: feat: 飞书凭证迁入 agents.json

• Check previous inline review comments and resolve fixed threads
• Review latest changes since last review (cd415bf, 84ac72c)
• Read all affected files for context
• Post summary

---

✅ LGTM — All 4 previous issues fixed, 1 minor issue found

4 previous issues (all resolved in 2237f40, threads already resolved):

1. 🔴 Multi-bot _defaultClient uninitialized → initDefaultClient() now called before mode branch at index.ts:148
2. 🟡 Empty HMAC key → getPrimaryAppSecret() throws on missing accounts
3. 🟡 deriveBotAccounts() per-call recomputation → Cached at load/reload time (config-loader.ts:204)
4. 🟡 deriveBindings() per-message overhead → Cached at load/reload time (config-loader.ts:205)

2 new commits since last review (both clean):

Commit	Description	Assessment
cd415bf	Merge permission & event subscription into one onboarding step	Cleaner UX — fewer round-trips. Required/recommended labels are a nice touch.
84ac72c	Reorder onboarding: Bot persona before team info	Sensible — personality is more immediately relevant than org structure.

1 new minor issue (not in diff, can't inline comment):

#	Severity	File	Issue	Confidence
1	🟡 Warning	src/onboarding/bootstrap.ts:151	Stale Phase 6 validation: Step 1 says "读取 .env 确认关键配置已就绪（FEISHU_APP_ID, FEISHU_APP_SECRET, ANTHROPIC_API_KEY 非空非占位符）" — but this PR moved FEISHU_APP_ID/FEISHU_APP_SECRET from .env to agents.json. The onboarding agent will look for values that no longer exist in .env. Should check agents.json for feishu credentials instead.	88

Fix this →

What looks good across the full PR:

• Clean caching strategy in config-loader.ts (lines 43-45, 203-205) — invalidates correctly on reload
• initDefaultClient at index.ts:148 ensures both single/multi-bot modes work
• Onboarding flow improvements: merged permission/event step reduces user round-trips; persona-first ordering is more natural
• No credential leakage in logs (only accountId/agentId logged, never secrets)
• Semantic placeholders in team.example.md and cleanup of unused .gitkeep/pm.example.md

[claude]

Claude finished @lishuceo's task in 2m 26s —— View job

---

PR Re-review: feat: 飞书凭证迁入 agents.json

• Check previous inline review comments and resolve fixed threads
• Review latest changes since last review (94ed5b4)
• Read all affected files for context
• Post summary

---

✅ All 4 previous issues fixed, 1 minor issue persists

4 previous issues (all resolved in 2237f40, all threads already resolved):

#	Previous Issue	Fix	Verified
1	🔴 Multi-bot _defaultClient uninitialized	initDefaultClient() called at index.ts:148 before mode branch	✅
2	🟡 Empty HMAC key in OAuth	getPrimaryAppSecret() throws on missing accounts (oauth.ts:39)	✅
3	🟡 deriveBotAccounts() per-call recomputation	Cached at load/reload time (config-loader.ts:204)	✅
4	🟡 deriveBindings() per-message overhead	Cached at load/reload time (config-loader.ts:205)	✅

1 issue still present (flagged in last review, not in diff so can't inline comment):

#	Severity	File	Issue	Confidence
1	🟡 Warning	src/onboarding/bootstrap.ts:151	Stale Phase 6 validation: Step 1 says "读取 .env 确认关键配置已就绪（FEISHU_APP_ID, FEISHU_APP_SECRET, ANTHROPIC_API_KEY 非空非占位符）" — but this PR moved feishu credentials from .env to agents.json. The onboarding agent will incorrectly look for values that no longer exist in .env. Should check agents.json for feishu credentials and only check .env for ANTHROPIC_API_KEY.	85

Fix this →

3 new commits since last full review (all clean):

Commit	Description	Assessment
cd415bf	Merge permission & event subscription into one onboarding step	Cleaner UX, fewer round-trips
84ac72c	Reorder onboarding: Bot persona before team info	Sensible ordering
94ed5b4	Bootstrap test adapts to template placeholder changes	Test-only, clean

What looks good across the full PR:

• Clean Zod schema additions (FeishuAccountSchema, AgentBindingSchema, description field)
• Caching in config-loader.ts correctly invalidates on reload while eliminating per-request overhead
• initDefaultClient at index.ts:148 ensures both single/multi-bot modes work
• No credential leakage in logs (only accountId/agentId logged, never secrets)
• Onboarding flow improvements: merged permission/event step, persona-first ordering
• Test updates correctly reflect new source of truth (deriveBotAccounts mock in oauth.test.ts)

Recommendation: Fix the 🟡 Phase 6 issue before merging — it's a low-risk prompt bug but will confuse the onboarding agent on fresh deploys.