fix(msteams): handle fileConsent/invoke callback for bot-to-user file upload (#55386)

[sudie-codes]

Summary

Bot-to-user file uploads via openclaw message send --media were silently failing because the fileConsent/invoke callback was never handled across processes. The CLI sender registered the pending upload in its own memory, but the webhook receiver ran in a different process and never saw it.

Fix

• New filesystem-backed pending upload store (pending-uploads-fs.ts) under <stateDir>/msteams-pending-uploads/ so CLI sender and webhook receiver share state
• fileConsent/invoke handler: on accept → PUT file to upload URL + send FileInfoCard; on decline → drop pending upload
• Graceful degradation if FS store is unavailable

Test plan

• 17 new tests (store primitives, accept/decline paths, cross-process, missing upload)
• 589 msteams tests passing

Fixes #55386

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR fixes a cross-process bug in the MSTeams fileConsent/invoke flow: the CLI message send --media path stored pending uploads in an in-memory Map, but the invoke callback arrived in the long-running monitor webhook process where that Map is empty. The fix introduces a filesystem-backed pending upload store under <stateDir>/msteams-pending-uploads/ with file-lock-protected index updates, TTL-based pruning, and a safety-first UUID path guard. The monitor handler now checks both stores (memory first, then FS) and cleans up from the correct one. Tests cover store primitives, cross-process round-trips, accept/decline paths, and cross-conversation security checks.

Confidence Score: 5/5

Safe to merge — the core fix is correct, tests are comprehensive, and remaining findings are P2 quality-only concerns.

No P0 or P1 issues found. The malformed-accept edge case (else branch conflation) and the missing isSafeUploadId guard on pruned keys are both P2 suggestions — neither affects the primary file-upload path or introduces a practical data-loss or security risk under normal Teams behaviour.

extensions/msteams/src/monitor-handler.ts (else branch logic) and extensions/msteams/src/pending-uploads-fs.ts (pruneExpired key validation)

Comments Outside Diff (1)

1. extensions/msteams/src/monitor-handler.ts, line 264-314 (link)

   Malformed accept falls through to decline branch

   When consentResponse.action === "accept" but consentResponse.uploadInfo is absent (a malformed Teams invoke), execution falls to the else branch, which logs "user declined file consent" and calls removeResolvedPendingUpload. This silently deletes the pending upload without ever completing the transfer, making a retry impossible without resending the file.

   In practice Teams always supplies uploadInfo on accept, but a defensive split would make intent and error handling explicit:

   if (consentResponse.action === "accept") {
     if (!consentResponse.uploadInfo) {
       log.debug?.("accept invoke missing uploadInfo, ignoring", { uploadId });
       return true; // leave pending upload intact for a potential retry
     }
     if (pendingFile) {
       // ... upload path
     } else {
       await context.sendActivity(expiredUploadMessage);
     }
   } else {
     // User declined
     log.debug?.("user declined file consent", { uploadId });
     await removeResolvedPendingUpload(uploadId, pendingFile?.source, fsStore, log);
   }

   Prompt To Fix With AI

   This is a comment left during a code review.
   Path: extensions/msteams/src/monitor-handler.ts
   Line: 264-314
   
   Comment:
   **Malformed accept falls through to decline branch**
   
   When `consentResponse.action === "accept"` but `consentResponse.uploadInfo` is absent (a malformed Teams invoke), execution falls to the `else` branch, which logs "user declined file consent" and calls `removeResolvedPendingUpload`. This silently deletes the pending upload without ever completing the transfer, making a retry impossible without resending the file.
   
   In practice Teams always supplies `uploadInfo` on accept, but a defensive split would make intent and error handling explicit:
   
   ```typescript
   if (consentResponse.action === "accept") {
     if (!consentResponse.uploadInfo) {
       log.debug?.("accept invoke missing uploadInfo, ignoring", { uploadId });
       return true; // leave pending upload intact for a potential retry
     }
     if (pendingFile) {
       // ... upload path
     } else {
       await context.sendActivity(expiredUploadMessage);
     }
   } else {
     // User declined
     log.debug?.("user declined file consent", { uploadId });
     await removeResolvedPendingUpload(uploadId, pendingFile?.source, fsStore, log);
   }
   ```
   
   How can I resolve this? If you propose a fix, please make it concise.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: extensions/msteams/src/monitor-handler.ts
Line: 264-314

Comment:
**Malformed accept falls through to decline branch**

When `consentResponse.action === "accept"` but `consentResponse.uploadInfo` is absent (a malformed Teams invoke), execution falls to the `else` branch, which logs "user declined file consent" and calls `removeResolvedPendingUpload`. This silently deletes the pending upload without ever completing the transfer, making a retry impossible without resending the file.

In practice Teams always supplies `uploadInfo` on accept, but a defensive split would make intent and error handling explicit:

```typescript
if (consentResponse.action === "accept") {
  if (!consentResponse.uploadInfo) {
    log.debug?.("accept invoke missing uploadInfo, ignoring", { uploadId });
    return true; // leave pending upload intact for a potential retry
  }
  if (pendingFile) {
    // ... upload path
  } else {
    await context.sendActivity(expiredUploadMessage);
  }
} else {
  // User declined
  log.debug?.("user declined file consent", { uploadId });
  await removeResolvedPendingUpload(uploadId, pendingFile?.source, fsStore, log);
}
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: extensions/msteams/src/pending-uploads-fs.ts
Line: 88-103

Comment:
**Index keys not validated before blob unlink in pruneExpired**

`pruneExpired` collects `id` values directly from `Object.entries(index.entries)` and passes them to `unlinkBlobIfPresent` without running `isSafeUploadId`. A tampered `index.json` with a path-traversal key would cause `blobPath(storeDir, id)` to resolve outside the store directory. `isSafeUploadId` already exists for exactly this purpose — consider applying it to pruned keys as well:

```typescript
for (const [id, entry] of Object.entries(index.entries)) {
  if (!isSafeUploadId(id)) {
    expired.push(id); // drop invalid keys from the index but skip blob unlink
    continue;
  }
  if (nowMs - entry.createdAt > ttlMs) {
    expired.push(id);
    continue;
  }
  kept[id] = entry;
}
```

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(msteams): handle fileConsent/invoke ..." | Re-trigger Greptile}

[greptile-apps]

Index keys not validated before blob unlink in pruneExpired

pruneExpired collects id values directly from Object.entries(index.entries) and passes them to unlinkBlobIfPresent without running isSafeUploadId. A tampered index.json with a path-traversal key would cause blobPath(storeDir, id) to resolve outside the store directory. isSafeUploadId already exists for exactly this purpose — consider applying it to pruned keys as well:

for (const [id, entry] of Object.entries(index.entries)) {
  if (!isSafeUploadId(id)) {
    expired.push(id); // drop invalid keys from the index but skip blob unlink
    continue;
  }
  if (nowMs - entry.createdAt > ttlMs) {
    expired.push(id);
    continue;
  }
  kept[id] = entry;
}

Prompt To Fix With AI

This is a comment left during a code review.
Path: extensions/msteams/src/pending-uploads-fs.ts
Line: 88-103

Comment:
**Index keys not validated before blob unlink in pruneExpired**

`pruneExpired` collects `id` values directly from `Object.entries(index.entries)` and passes them to `unlinkBlobIfPresent` without running `isSafeUploadId`. A tampered `index.json` with a path-traversal key would cause `blobPath(storeDir, id)` to resolve outside the store directory. `isSafeUploadId` already exists for exactly this purpose — consider applying it to pruned keys as well:

```typescript
for (const [id, entry] of Object.entries(index.entries)) {
  if (!isSafeUploadId(id)) {
    expired.push(id); // drop invalid keys from the index but skip blob unlink
    continue;
  }
  if (nowMs - entry.createdAt > ttlMs) {
    expired.push(id);
    continue;
  }
  kept[id] = entry;
}
```

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3f34fb7255

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Write pending-upload blobs with 0600 permissions

The new filesystem store writes raw attachment bytes with fs.promises.writeFile(...) defaults, which creates files using process umask (commonly world/group-readable like 0644), and mkdir(..., { recursive: true }) also defaults to permissive directory modes. In deployments where OPENCLAW_STATE_DIR (or its parents) is shared/traversable by other users, pending uploads can be read before consent is handled, exposing sensitive file contents; this path should use explicit restrictive modes for both directory and blob files.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Fallback to in-memory consent store when FS write fails

This path now always persists pending uploads to disk before sending the consent card, but there is no fallback if that write fails (for example read-only/unavailable state dir), so sendMessageMSTeams aborts and sends nothing. That is a regression for in-process sends (such as outbound/action flows in the running gateway) where the existing in-memory pending-upload store would still allow consent handling to work even without filesystem persistence.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cbed48138e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Keep buildActivity inside retry loop

sendMessageInContext now builds the activity before entering sendWithRetry, so retries only wrap ctx.sendActivity. buildActivity includes non-trivial prep steps (including OneDrive/SharePoint upload paths) that can fail transiently, and those failures now bypass the configured retry path entirely. In environments where media upload/auth calls intermittently return retryable failures, this regresses reliability by failing the whole send on the first error instead of retrying the full attempt.

Useful? React with 👍 / 👎.