fix(ms teams): preserve proactive conversation payload

[sahilsatralkar]

Summary

Describe the problem and fix in 2–5 bullets:

If this PR fixes a plugin beta-release blocker, title it fix(<plugin-id>): beta blocker - <summary> and link the matching Beta blocker: <plugin-name> - <summary> issue labeled beta-blocker. Contributors cannot label PRs, so the title is the PR-side signal for maintainers and automation.

• Problem: Microsoft Teams proactive sends could return HTTP 403 after the Teams SDK migration because the proactive adapter rebuilt a reduced conversation payload instead of preserving the stored Teams
  conversation reference details.
• Why it matters: user-facing proactive sends can silently regress after inbound capture succeeds, which breaks normal OpenClaw-to-Teams delivery for existing conversations.
• What changed: the custom Teams SDK adapter now threads the stored conversation payload through proactive continueConversation sends, and regression coverage was added at the adapter, send-helper, and stored-
  reference layers.
• What did NOT change (scope boundary): no config changes, no auth/token flow changes, no inbound webhook handling changes, and no broader Teams monitor/runtime cleanup beyond the proactive-send path.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related [Bug] Microsoft Teams: HTTP 403 on proactive messages in v2026.3.31 + RSC consent blocks bot installation in team #58774
• This PR fixes a bug or regression

Root Cause / Regression History (if applicable)

For bug fixes or regressions, explain why this happened, not just what changed. Otherwise write N/A. If the cause is unclear, write Unknown.

• Root cause: the Teams SDK migration replaced the previous CloudAdapter proactive send path with a custom adapter path that rebuilt conversation as { id, conversationType }, dropping other stored Teams
  conversation metadata needed by the downstream send transport.
• Missing detection / guardrail: there was no focused regression test for proactive ctx.sendActivity(...) using the stored conversation reference, and no higher-level send-helper test asserting the preserved
  proactive transport payload.
• Prior context (git blame, prior PR, issue, or refactor if known): regression window appears after the Teams SDK migration introduced in v2026.3.31; v2026.3.23-2 still used @microsoft/agents-hosting
  CloudAdapter.
• Why this regressed now: the migration kept proactive send compatibility at a high level but narrowed the outgoing conversation payload in the custom adapter implementation.
• If unknown, what was ruled out: ruled out simple appId forwarding and token acquisition issues in the changed path; the issue is in the proactive send payload shape.

Regression Test Plan (if applicable)

For bug fixes or regressions, name the smallest reliable test coverage that should have caught this. Otherwise write N/A.

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file:
  - extensions/msteams/src/sdk.test.ts
  - extensions/msteams/src/send.test.ts
  - extensions/msteams/src/messenger.test.ts
  • Scenario the test should lock in: a stored Teams conversation reference with conversation metadata is used for proactive top-level sends, the adapter forwards that payload unchanged into the SDK client send
    path, and 403 failures are still surfaced as actionable send errors.
  • Why this is the smallest reliable guardrail: the bug lives at the adapter/send seam, so adapter-only coverage plus one send-helper path catches the regression without requiring live Teams traffic.
  • Existing test that already covers this (if any): existing coverage only partially covered proactive delete behavior; it did not lock proactive sendActivity(...) payload preservation.
  • If no new test is added, why not: N/A

User-visible / Behavior Changes

List user-visible changes (including defaults/config).
If none, write None.

Teams proactive sends should resume working for previously stored conversation references that require the full conversation payload, instead of failing with HTTP 403 after the SDK migration.

Diagram (if applicable)

For UI changes or non-trivial logic flows, include a small ASCII diagram reviewers can scan quickly. Otherwise write N/A.

Before:
[stored Teams conversation ref] -> [custom proactive adapter rebuilds reduced conversation object] -> [Teams send path loses metadata] -> [HTTP 403]

After:
[stored Teams conversation ref] -> [custom proactive adapter preserves stored conversation payload] -> [SDK client send uses full metadata] -> [delivery succeeds]

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS agent workspace
• Runtime/container: Node 22.22.1 local shell
• Model/provider: N/A
• Integration/channel (if any): Microsoft Teams
• Relevant config (redacted): stored Teams conversation reference with conversation.id, conversationType, tenantId, serviceUrl, agent, user

Steps

1. Store a Teams conversation reference from inbound traffic.
2. Trigger a proactive top-level send through the MSTeams send helper.
3. Observe the adapter path that calls continueConversation and ctx.sendActivity(...).

Expected

• The proactive send path preserves the stored Teams conversation payload and delivery succeeds.

Actual

• The post-migration adapter rebuilt a reduced conversation object, which could cause proactive sends to fail with HTTP 403.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • Ran pnpm test -- extensions/msteams/src/sdk.test.ts extensions/msteams/src/send.test.ts under Node 22 and confirmed the focused proactive-send regression coverage passes.
  • Ran local Codex review against origin/main; no findings were reported for the modified code paths.
• Edge cases checked:
  • proactive send preserves conversation metadata
  • proactive send helper still wraps HTTP 403 errors clearly
  • stored conversation reference normalization still strips ;messageid=... while preserving conversationType and tenantId
• What you did not verify:
  • full pnpm build / repo-wide gates due unrelated existing src/agents/skills/local-loader.ts type failures on the current base
  • full pnpm test:extension msteams in this sandbox because socket-binding tests fail with listen EPERM

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: preserving the full stored conversation payload could include fields the send transport does not expect in some edge cases.
  • Mitigation: the change keeps the existing conversation id validation, limits the change to the proactive adapter send path, and adds focused regression coverage around the outgoing payload shape.

[greptile-apps]

Greptile Summary

This PR fixes a proactive-send regression in the Microsoft Teams integration introduced by the Teams SDK migration: the custom adapter was rebuilding a reduced conversation object ({ id, conversationType: "personal" }) instead of forwarding the full stored conversation reference, causing HTTP 403 failures for channel and group-chat proactive sends that require tenantId and the correct conversationType.

Key changes:

• createSendContext in sdk.ts now accepts a single conversation?: MSTeamsConversationDetails parameter (replacing separate conversationId/conversationType params), and passes the full object directly into the outgoing API activity payload instead of rebuilding it.
• createProcessContext and continueConversation are updated to forward the full conversation object from the inbound activity / stored reference, rather than extracting individual fields.
• The default conversationType: "personal" that was silently applied to all sends without a stored type is now dropped — the outgoing payload reflects the actual stored metadata.
• Regression coverage added at three layers: adapter (sdk.test.ts), send-helper integration (send.test.ts), and stored-reference normalization (messenger.test.ts).

One minor finding: the ?? fallback in params.conversation ?? { id: conversationId } (sdk.ts line 224) is unreachable dead code — the guard above it already exits if params.conversation is absent — and can be simplified to just params.conversation.

Confidence Score: 5/5

• Safe to merge; the fix is well-scoped and correctly targeted, with focused regression coverage at each seam. The one remaining finding is a trivial dead-code style issue.
• All remaining findings are P2 style/cleanup suggestions. The core logic change (passing reference.conversation rather than rebuilding a reduced object) is correct, backward-compatible, and covered by unit tests. No auth, config, or inbound-webhook paths are touched.
• No files require special attention beyond the minor dead-code note in sdk.ts line 224.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/msteams/src/sdk.ts
Line: 224

Comment:
**Unreachable fallback branch in `??` expression**

The `??` fallback `{ id: conversationId }` can never be evaluated. When we reach this line, `apiClient` must be truthy — which is only possible when both `params.serviceUrl` and `conversationId` are truthy (see the `apiClient` initialisation logic above). `conversationId` is derived from `params.conversation?.id`, so if `params.conversation` were falsy/undefined, `conversationId` would also be undefined, `apiClient` would be `undefined`, and the `if (!apiClient || !conversationId)` guard at line 214 would have already returned `{ id: "unknown" }` before this point.

In practice, `params.conversation` is always truthy here, so the `??` fallback is dead code that can mislead future readers into thinking `params.conversation` may be absent at this point.

```suggestion
        conversation: params.conversation,
```

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(msteams): preserve proactive convers..." | Re-trigger Greptile}

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Close as implemented on main. The Teams proactive-send 403 regression behind this PR is already fixed in current main by the shipped tenant/AAD forwarding path, with regression coverage for inbound capture and proactive forwarding; the fix was introduced by 2b5b581 and is contained in v2026.4.10.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Close this PR and keep the shipped v2026.4.10 implementation as the canonical fix; any future need to preserve additional opaque Teams conversation fields should be tracked as a narrower new bug with a concrete payload field and failing Teams behavior.

Do we have a high-confidence way to reproduce the issue?

Yes. The repro path is a stored Teams channel/group conversation reference followed by a proactive top-level send; current main has regression tests for tenant capture from inbound channelData and proactive forwarding through the send path.

Is this the best way to solve the issue?

Yes for the reported regression, but the PR is no longer the best change to land because current main already solves the user-visible 403 failure with explicit tenantId/aadObjectId forwarding and focused tests. Preserving every opaque conversation property would need a separate demonstrated Teams requirement.

Security review:

Security review cleared: The PR only changes the Microsoft Teams plugin send payload construction and tests, with no new dependencies, permissions, secrets handling, workflow changes, or new network destinations.

What I checked:

• current adapter forwards proactive routing metadata: Current main derives tenantId from the proactive reference, carries recipient AAD/user IDs, and passes those fields into createSendContext for outbound Teams sends. (extensions/msteams/src/sdk.ts:557, 099037cca6f5)
• current conversation reference preserves required Teams fields: buildConversationReference normalizes the stored conversation id while forwarding conversationType, tenantId, top-level tenantId, and aadObjectId into the proactive reference. (extensions/msteams/src/messenger.ts:135, 099037cca6f5)
• regression tests cover the reported 403 path: Current tests explicitly cover [Bug] Microsoft Teams: HTTP 403 on proactive messages in v2026.3.31 + RSC consent blocks bot installation in team #58774 by asserting channelData.tenant.id capture and tenantId/aadObjectId propagation through sendMSTeamsMessages proactive sends. (extensions/msteams/src/messenger.test.ts:774, 099037cca6f5)
• fix provenance: GitHub commit metadata identifies 2b5b581 as fix(msteams): include tenantId and aadObjectId on proactive sends (#58774) (#63949), touching sdk.ts, messenger.ts, conversation-store.ts, and regression tests. (2b5b58194b7e)
• release provenance: Remote tag v2026.4.10 exists, GitHub compare shows that tag contains 2b5b581, and the release changelog section for 2026.4.10 lists [Bug] Microsoft Teams: HTTP 403 on proactive messages in v2026.3.31 + RSC consent blocks bot installation in team #58774 in the Microsoft Teams fix cluster. (CHANGELOG.md:2095, 2b5b58194b7e)

Likely related people:

• sudie-codes: GitHub commit history shows sudie-codes authored the shipped proactive-send fix for [Bug] Microsoft Teams: HTTP 403 on proactive messages in v2026.3.31 + RSC consent blocks bot installation in team #58774, including tenantId/aadObjectId forwarding and tests in the central Teams send files. (role: introduced shipped fix; confidence: high; commits: 2b5b58194b7e; files: extensions/msteams/src/sdk.ts, extensions/msteams/src/messenger.ts, extensions/msteams/src/conversation-store.ts)
• steipete: Recent GitHub history shows multiple maintenance commits on the same Teams SDK, messenger, send, and authz-test files after the proactive-send fix, plus release preparation in the shipped line. (role: recent maintainer; confidence: medium; commits: b3bc60ae259b, 7f3f108521f4, 8866544ffefb; files: extensions/msteams/src/sdk.ts, extensions/msteams/src/messenger.ts, extensions/msteams/src/send.ts)
• BradGroux: Related tracker context routes Microsoft ecosystem cleanup through BradGroux, and recent Teams commits in the same area include BradGroux as co-author on adjacent Teams send and auth work. (role: adjacent Teams maintainer context; confidence: low; commits: 26f633b604fd, 784318799bf0, ba1b8424f48e; files: extensions/msteams/src/sdk.ts, extensions/msteams/src/messenger.ts, extensions/msteams/src/send.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 099037cca6f5; fix evidence: release v2026.4.10, commit 2b5b58194b7e.