feat(dingtalk): QR-code device-flow authorization for setup wizard

[teknium1]

Summary

Salvages #8345 (meng93 — authorship preserved) + 15 new regression tests + an OpenClaw branding disclosure.

Adds QR-code device-flow authorization to hermes gateway setup for DingTalk, eliminating the manual developer-console workflow. Users scan a QR with the DingTalk mobile app and Client ID / Client Secret are returned automatically.

Why this path

Per design discussion with @teknium1:

• Tested source="hermes" live (option B): DingTalk's /app/registration/begin accepts any source at the API layer but the returned verification_uri_complete is hardcoded to https://open-dev.dingtalk.com/openapp/registration/openClaw?user_code=.... Confirmed against the real endpoint — we cannot use our own source string until DingTalk-Real-AI registers a Hermes template server-side. Issue Feature: Switchable Agent Modes — Named Profiles with Tool Restrictions, Personas & Per-Project Config (inspired by Roo Code) #482 on their repo (filed today asking about Hermes support) has no official response yet.
• Going with openClaw identity for now (option C): Takes the onboarding win. Nous will follow up with Alibaba/DingTalk-Real-AI via a direct channel to register a Hermes-specific source so we can eventually swap the token. The disclosure below makes the interim UX honest with users.

What's in

meng93's commit (0bbb6f0) — cherry-picked with authorship preserved:

• hermes_cli/dingtalk_auth.py (new, 292 lines) — three-step device flow (init → begin → poll) + compact half-block QR renderer + auto-install of qrcode pip dep.
• hermes_cli/gateway.py — rewrites _setup_dingtalk() to offer QR scan (default) or manual credential entry, plus dispatch wiring in gateway_setup().
• gateway/config.py — env-var → PlatformConfig bridge for DINGTALK_CLIENT_ID, DINGTALK_CLIENT_SECRET, and optional DINGTALK_HOME_CHANNEL (matches the pattern used by other platforms).

Intentionally dropped from meng93's PR:

• gateway/platforms/dingtalk.py SDK-compat fixes — already on main via fix(dingtalk): support dingtalk-stream 0.24+ SDK (async process, CallbackMessage, oapi webhooks, TextContent) #11471. Resolved the cherry-pick conflict by keeping current main's version.

My follow-up (b7ba865):

• 15 regression tests in tests/hermes_cli/test_dingtalk_auth.py covering _api_post error paths, begin_registration chaining + missing-field errors, polling loop success/failure/callback, QR renderer fallback, and env-var config overrides.
• One-line disclosure in dingtalk_qr_auth():

  Note: the scan page is branded 'OpenClaw' — DingTalk's
        ecosystem onboarding bridge. Safe to use.
  

• Added meng93 to scripts/release.py AUTHOR_MAP.

Tests

• tests/hermes_cli/test_dingtalk_auth.py — 15 passed (new)
• tests/hermes_cli/test_dingtalk_auth.py + test_dingtalk.py + test_config.py — 85 passed combined
• E2E against real oapi.dingtalk.com — loaded module from worktree, called begin_registration() live, got a real device_code + verification_uri_complete back. Didn't complete the QR scan (requires a human + DingTalk mobile app) but the full protocol up to QR display works.

Authorship

Commit 0bbb6f0a preserves meng93 <yiweimeng.dlut@hotmail.com> as author. Merge with --rebase to keep attribution.

PRs #9610 and #10004 ship word-for-word identical dingtalk_auth.py code — they're copies of meng93's earlier submission (meng93: Apr 12, audanye-sudo: Apr 14, PeterGuy326: Apr 15). On merge they'll be closed with credit to all three, with primary credit to meng93 as the original author.

Follow-ups (post-merge)

1. @teknium1 to reach out to DingTalk-Real-AI via their Alibaba contact to register hermes as a sanctioned source token.
2. When sanctioned, flip REGISTRATION_SOURCE default from openClaw → hermes and remove the disclosure. The DINGTALK_REGISTRATION_SOURCE env var already exists as an escape hatch.

Closes

Closes #8345, #9610, #10004 on merge.

[github-actions]

⚠️ Supply Chain Risk Detected

This PR contains patterns commonly associated with supply chain attacks. This does not mean the PR is malicious — but these patterns require careful human review before merging.

⚠️ WARNING: Outbound network calls (POST/PUT)

Outbound POST/PUT requests in new code could be data exfiltration. Verify the destination URLs are legitimate.

Matches (first 10):

362:+        resp = requests.post(url, json=payload, timeout=15)

---

Automated scan triggered by supply-chain-audit. If this is a false positive, a maintainer can approve after manual review.

[meng93]

@teknium1 Hi! The follow-up items you outlined in this PR have now been fully implemented.

1. Registration source switch → PR #12907

Now that the Hermes source token has been officially sanctioned by DingTalk-Real-AI, this PR flips the DINGTALK_REGISTRATION_SOURCE default from openClaw to HERMES, updates the user-facing disclosure copy, and adds source normalization logic. The env var escape hatch remains fully intact.

2. New platform capabilities → PR #12769

Adds several missing capabilities to the DingTalk adapter:

• Proactive messaging (text / markdown / card)
• Full media pipeline (image / file / audio / video upload & send)
• Global card API QPS throttle (20 QPS token bucket) + per-card 800ms edit debounce
• Per-session inbound serialization queue
• Quoted-reply extraction (with forward-compatible interactiveCard handling)
• Fix for cross-adapter websockets monkey-patch conflict

---

Both PRs are tested and ready to go. Would love to get these merged soon so DingTalk users can benefit from the sanctioned Hermes identity and the full feature set as quickly as possible. 🚀

Again, really appreciate your original design on this PR — the clear follow-up checklist and the DINGTALK_REGISTRATION_SOURCE env var escape hatch made the transition incredibly smooth. Great engineering foresight! 👏