feat(msteams): support webhook host binding

[sharkqwy]

Summary

• add optional channels.msteams.webhook.host to Teams config schema/types
• forward configured host to expressApp.listen(port, host) while preserving default behavior when omitted
• include host in startup logs for bind-scope auditing
• add lifecycle coverage for both default and host-configured listen behavior

Testing

• pnpm -s vitest run extensions/msteams/src/monitor.lifecycle.test.ts

Closes #62766

[greptile-apps]

Greptile Summary

Adds optional host binding support to the MS Teams webhook server, forwarding the configured value to expressApp.listen(port, host) while preserving the existing all-interface default when omitted. The Zod schema, TypeScript types, startup logs, docs, and lifecycle tests are all updated consistently.

Confidence Score: 5/5

Safe to merge — the change is additive, well-tested, and all surfaces (types, schema, runtime, docs) are kept in sync.

No P0 or P1 issues found. The host forwarding logic is correct, the fallback to all-interfaces is preserved, the Zod schema and TypeScript types are aligned, and both the default and host-configured paths have lifecycle test coverage.

No files require special attention.

Vulnerabilities

No security concerns identified. The host binding feature restricts the listen surface rather than expanding it; loopback-only examples in the docs (127.0.0.1) correctly illustrate hardened deployments.

_{Reviews (1): Last reviewed commit: "feat(msteams): add configurable webhook ..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b75632f7fe

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Log actual bind address when host is omitted

When webhook.host is unset, this log line reports 0.0.0.0, but the server is started with expressApp.listen(port), which in Node 22 commonly binds to :: on IPv6-capable hosts. In that environment the log is inaccurate and undermines the bind-scope auditing this change is trying to improve; prefer logging httpServer.address() (or an explicit "unspecified" marker) instead of assuming IPv4.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Keep quick-start webhook bind externally reachable

The minimal setup snippet now hard-codes webhook.host: "127.0.0.1", which makes the webhook unreachable for users exposing OpenClaw directly to Teams (no local tunnel/reverse proxy on the same machine). Because this block is presented as the baseline configuration, it will cause silent setup failures in that common deployment path unless the doc either omits host or explicitly states the loopback-only constraint.

Useful? React with 👍 / 👎.

[sharkqwy]

Validation scope summary:\n- Confirmed the PR implements the issue ask in #62766 by adding a configurable bind target (default remains unchanged unless configured).\n- Ran focused local validation on the msteams path: config parsing, webhook bind wiring, and regression check for existing webhook behavior.\n- Current CI signal is mostly green, with remaining failures appearing outside this change surface.\n\nMaintainer request to merge: please review this as a scoped fix for #62766 and, if the host-bind behavior matches expectations, approve + merge (or confirm the exact blocker still required for merge).

[sharkqwy]

Maintainer status update (validation + rebase):\n- Validation: scoped msteams path checks remain green (config parse, bind wiring, lifecycle regression).\n- Rebase state: branch is currently ahead of \ by 1 commit and behind by 0, and GitHub reports \ (no merge conflicts).\n\nMerge unblock ask: if there is no remaining maintainer-side blocker, please approve and merge this scoped fix for #62766; if a blocker remains, please call out the exact required change and I will patch immediately.

[sharkqwy]

Maintainer-facing status refresh:\n- CI/Checks: latest PR checks are not fully green yet (at least and are still failing in the current run).\n- Mergeability: GitHub API currently returns for this PR from my side, so I cannot confirm a clean merge-ready state yet.\n\nSingle action needed to unblock merge: please confirm the one exact maintainer-required next step (for example, rerun/rebase/fix specific failing check name), and I will execute that immediately in one follow-up patch.

[sharkqwy]

Maintainer-facing follow-up (latest status):\n\n- Mergeability: GitHub API now reports .\n- CI: still not fully green on the current run; failing checks shown are , , and (others are passing/skipped).\n\nCould you please confirm the single maintainer action you want next to get this merged (for example: maintainer rerun of those jobs vs. requesting a code change from me)? I will do exactly that immediately.

[sharkqwy]

Upstream triage ping with current state: mergeable=MERGEABLE, updatedAt=2026-04-09T22:09:05Z, statusCheckRollup_count=131. Single maintainer ask: please confirm one next action (merge / close / request specific change) so this PR can leave backlog.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
This PR adds optional channels.msteams.webhook.host support across MS Teams config/schema/generated metadata, forwards it to the Express listener, updates docs/changelog, and adds lifecycle tests.

Reproducibility: yes. for the requested capability gap. Current-main source inspection shows no webhook.host in runtime/types/schema/docs, and the PR diff shows the intended implementation path.

Real behavior proof
Needs real behavior proof before merge: Only tests/build/config checks and CI are shown; no after-fix live output, logs, screenshot, recording, or linked artifact proves a real webhook bound to the configured host. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, ask a maintainer to comment @clawsweeper re-review.

Next step before merge
Needs contributor-provided real behavior proof before merge; automation cannot supply the external runtime evidence for this PR.

Security
Cleared: No workflow, dependency, secret, package-script, or artifact-download changes were found; the host option narrows bind scope when configured and preserves the existing default when omitted.

Review details

Best possible solution:

Land the prepared host-binding implementation once the contributor adds redacted live proof that a configured MS Teams webhook host actually binds as intended, while preserving the current default listen behavior.

Do we have a high-confidence way to reproduce the issue?

Yes for the requested capability gap. Current-main source inspection shows no webhook.host in runtime/types/schema/docs, and the PR diff shows the intended implementation path.

Is this the best way to solve the issue?

Yes, the narrow optional webhook.host config is the maintainable solution and the prepared head resolves the earlier mechanical blockers. The remaining blocker is proof, not a code design issue.

What I checked:

• Current main lacks host binding: Current main reads only webhook.port and starts the MS Teams Express server with expressApp.listen(port), so webhook.host is not implemented on main. (extensions/msteams/src/monitor.ts:232, 1849e0c34bdc)
• PR head wires host binding: PR head trims optional webhook.host, logs an explicit default interface when omitted, and calls expressApp.listen(port, host) only when a host is configured. (extensions/msteams/src/monitor.ts:233, f634f4684df0)
• Config and docs surfaces are aligned: PR head adds host?: string to the typed config, accepts it in the strict Zod webhook object, exposes it in generated channel metadata, documents it as optional, and keeps the quick-start externally reachable by omitting loopback from the baseline snippet. (src/config/zod-schema.providers-core.ts:1536, f634f4684df0)
• Lifecycle coverage covers configured and omitted hosts: The PR adds tests asserting omitted host uses listen(0), configured loopback uses listen(0, "127.0.0.1"), and whitespace falls back to the default listen host. (extensions/msteams/src/monitor.lifecycle.test.ts:281, f634f4684df0)
• Previous review blockers were addressed: The prepared head added a changelog entry, restored the quick-start snippet, documented loopback as tunnel/proxy-only hardening, and replaced inaccurate omitted-host 0.0.0.0 logging with default interface. (CHANGELOG.md:9, f634f4684df0)
• Real behavior proof is still missing: The PR body and maintainer update list focused tests, config generation, build, and check runs, but no terminal/live output, logs, screenshot, recording, or artifact proves the webhook bound to a configured host in a real setup after the fix; the Real behavior proof check is failing. (f634f4684df0)

Likely related people:

• BradGroux: Brad authored recent MS Teams config/runtime work and prepared the current PR head that addresses the prior review blockers. (role: recent maintainer and prepared-head author; confidence: high; commits: 6b0e74000d9f, f634f4684df0; files: extensions/msteams/src/monitor.ts, extensions/msteams/src/monitor.lifecycle.test.ts, src/config/zod-schema.providers-core.ts)
• steipete: Local history and commit API data show heavy recent ownership across the MS Teams runtime, config schema, generated/docs surfaces, and release synchronization paths touched by this PR. (role: recent maintainer and release/config owner; confidence: medium; commits: 866bd91c659c, abe7b2c49d, 0512059dd4; files: extensions/msteams/src/monitor.ts, src/config/types.msteams.ts, src/config/zod-schema.providers-core.ts)
• gumadeiras: Recent merged history includes MS Teams plugin SDK migration work across the same channel package, including monitor.ts and lifecycle tests. (role: adjacent MS Teams maintainer; confidence: medium; commits: adb400f9b1f8, 10bd6ae3c8; files: extensions/msteams/src/monitor.ts, extensions/msteams/src/monitor.lifecycle.test.ts, extensions/msteams/src/channel.ts)

Remaining risk / open question:

• Merge should wait for after-fix real behavior proof from a real setup; current evidence is limited to tests/build/config checks and the dedicated proof check is failing.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1849e0c34bdc.

[BradGroux]

Maintainer update: rebased this onto current main and prepared the branch at f634f4684df0ac602e2a11c312719a89f1fd26f1.

What changed in the prepared head:

• Kept omitted-host behavior on the existing listen(port) path and changed logs to report default interface instead of a possibly inaccurate IPv4 address.
• Kept the quick-start config externally reachable by omitting webhook.host; documented loopback host as a tunnel/reverse-proxy hardening option.
• Regenerated bundled channel config metadata so channels.msteams.webhook.host is exposed to config consumers.
• Added the required changelog entry with contributor attribution.

Verification run locally:

• pnpm test -- extensions/msteams/src/monitor.lifecycle.test.ts extensions/msteams/src/channel.test.ts (15 tests passed)
• pnpm config:channels:check
• pnpm build
• pnpm check

Waiting on fresh CI/ClawSweeper for this prepared head before merge.