fix(msteams): bind bot framework service urls

[eleqtrizit]

Summary

Fix Microsoft Teams Bot Framework authentication so inbound tokens are bound to the activity serviceUrl, and keep media bearer tokens scoped to explicitly auth-allowlisted hosts.

Changes

• Validate the Bot Framework JWT serviceurl/serviceUrl claim against the inbound Activity body serviceUrl.
• Parse the bounded webhook JSON body before full JWT validation while keeping the cheap Bearer pre-gate and payload-size handling.
• Strip media Authorization on initial and redirect fetches unless the target host is auth-allowlisted.
• Apply the auth-allowlist header helper to Bot Framework attachment metadata and view downloads.
• Extend Microsoft Teams monitor, SDK, and attachment tests for the new service URL and authorization behavior.
• Rebase onto current upstream/main (e339586750) so the merged outbound serviceUrl allowlist from fix(msteams): block untrusted Teams service URLs #87334 and latest CI fixes remain in the final branch.

Validation

• node scripts/run-vitest.mjs extensions/msteams/src/attachments/bot-framework.test.ts extensions/msteams/src/attachments/shared.test.ts extensions/msteams/src/monitor.lifecycle.test.ts extensions/msteams/src/sdk.test.ts extensions/msteams/src/send-context.test.ts extensions/msteams/src/monitor-handler/message-handler.authz.test.ts - 6 files passed, 151 tests passed.
• node scripts/run-vitest.mjs extensions/msteams - 66 files passed, 940 tests passed.
• git diff --check upstream/main...HEAD - passed.
• git merge-base --is-ancestor 62550710bfec2b16e2b0049df6efd0e05efe0c1a HEAD - passed; fix(msteams): block untrusted Teams service URLs #87334 is included in the rebased branch ancestry.

Behavior addressed: Microsoft Teams Bot Framework requests are accepted only when the JWT service URL claim matches the Activity body, outbound/proactive Bot Framework service URLs remain restricted to the Microsoft Teams allowlist from #87334, and media bearer tokens are sent only to auth-allowlisted hosts.
Real environment tested: Local Codex worktree rebased onto upstream/main e339586750 with the repo Vitest wrapper. Live Microsoft Teams tenant proof was not available in this container.
Exact steps or command run after this patch: node scripts/run-vitest.mjs extensions/msteams/src/attachments/bot-framework.test.ts extensions/msteams/src/attachments/shared.test.ts extensions/msteams/src/monitor.lifecycle.test.ts extensions/msteams/src/sdk.test.ts extensions/msteams/src/send-context.test.ts extensions/msteams/src/monitor-handler/message-handler.authz.test.ts; node scripts/run-vitest.mjs extensions/msteams; git diff --check upstream/main...HEAD; git merge-base --is-ancestor 62550710bfec2b16e2b0049df6efd0e05efe0c1a HEAD.
Evidence after fix: Targeted Teams auth/media/outbound tests passed with 6 files / 151 tests; the full Microsoft Teams extension Vitest lane passed with 66 files / 940 tests; diff check passed; #87334's merge commit is present in HEAD ancestry.
Observed result after fix: Mocked valid serviceurl and Activity serviceUrl matches are accepted, mismatches/missing/malformed service URLs reject, untrusted media hosts do not receive Authorization, and the rebased SDK/send-context/monitor-handler tests keep the outbound serviceUrl allowlist behavior from #87334 intact.
What was not tested: Redacted live Microsoft Teams/Bot Framework webhook or media-download traffic. This environment has no MSTEAMS/Azure/Bot Framework credentials or Teams channel config, and the local Crabbox wrapper fails its basic binary sanity check, so tenant-level proof must be run from a credentialed maintainer environment.

Notes

• Maintainer approval for the intentional fail-closed compatibility change is recorded in fix(msteams): bind bot framework service urls #87160 (comment).
• No production credentials, tenant IDs, tokens, or live message contents are included.
• No CHANGELOG.md update.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed May 27, 2026, 3:46 PM ET / 19:46 UTC.

Summary
The PR binds inbound Bot Framework JWT serviceurl/serviceUrl claims to Activity serviceUrl and scopes Bot Framework attachment bearer tokens to auth-allowlisted hosts.

PR surface: Source +93, Tests +248. Total +341 across 8 files.

Reproducibility: no. live repro was established. Source inspection shows current main validates the bearer token before parsing Activity.serviceUrl, while PR head binds the verified serviceurl/serviceUrl claim to the parsed body value.

Review metrics: 1 noteworthy metric.

• Auth paths tightened: 2 tightened. Inbound JWT serviceUrl binding and Bot Framework attachment bearer-host scoping can reject traffic current main accepts, so maintainers should review compatibility and proof before merge.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🐚 platinum hermit
Result: blocked until real behavior proof from a real setup is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Add redacted live Teams/Bot Framework webhook or media-download proof showing a valid request succeeds and a mismatched serviceUrl fails.
• Get explicit maintainer confirmation for the fail-closed compatibility behavior before merge.

Proof guidance:
Needs real behavior proof before merge: Needs real behavior proof before merge: the PR body shows local Vitest/diff-check proof but no redacted live Teams/Bot Framework webhook or media-download logs, terminal output, recording, or linked artifact; contributors should redact IPs, API keys, phone numbers, tenant details, and non-public endpoints, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

• This intentionally tightens inbound Microsoft Teams Bot Framework auth, so existing tenant traffic with missing, malformed, query/fragment-bearing, or claim-mismatched serviceUrl will now fail with 401.
• Bot Framework attachment bearer tokens are withheld unless the initial and redirect hosts are auth-allowlisted; valid but undocumented Microsoft media hosts would stop downloading until maintainers update the allowlist with redacted evidence.
• The PR body contains local Vitest and diff-check proof only; the external PR still needs credentialed, redacted Teams webhook or media-download evidence before merge.

Maintainer options:

1. Require credentialed Teams proof (recommended)
   Before merge, require redacted live Teams/Bot Framework webhook or media-download logs, terminal output, or a recording that shows valid traffic still succeeds and mismatched serviceUrl traffic fails closed.
2. Confirm the fail-closed decision
   A maintainer should explicitly confirm that rejecting missing, malformed, or claim-mismatched serviceUrl values is the intended upgrade behavior for existing Teams users.
3. Accept allowlist fallout
   Maintainers may accept that undocumented serviceUrl or media hosts will require follow-up allowlist updates backed by redacted live evidence.

Next step before merge
Human review is needed for live Teams proof and the compatibility decision; there is no narrow automated code repair identified.

Security
Cleared: Dedicated security pass found no new dependency, workflow, secret, or supply-chain concern; the diff hardens Teams token binding and bearer forwarding, with upgrade proof risk tracked separately.

Review details

Best possible solution:

Land the scoped hardening only after maintainer confirmation of the fail-closed compatibility choice and redacted real Teams/Bot Framework proof that valid webhook and media flows still work.

Do we have a high-confidence way to reproduce the issue?

No live repro was established. Source inspection shows current main validates the bearer token before parsing Activity.serviceUrl, while PR head binds the verified serviceurl/serviceUrl claim to the parsed body value.

Is this the best way to solve the issue?

Yes, the patch is a narrow Microsoft Teams plugin hardening path and matches the upstream Bot Framework serviceUrl claim contract. It still needs real tenant proof and maintainer sign-off because the fail-closed behavior is upgrade-sensitive.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against b789e71e57d9.

Label changes

Label justifications:

• P1: This touches Microsoft Teams Bot Framework authentication and token forwarding for a real channel workflow with security and compatibility impact.
• merge-risk: 🚨 compatibility: The PR intentionally changes which inbound serviceUrl shapes and media hosts are accepted, which can break existing tenant traffic on upgrade.
• merge-risk: 🚨 auth-provider: The PR changes Bot Framework JWT validation and bearer-token forwarding rules, directly affecting Teams auth and credential use.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: Needs real behavior proof before merge: the PR body shows local Vitest/diff-check proof but no redacted live Teams/Bot Framework webhook or media-download logs, terminal output, recording, or linked artifact; contributors should redact IPs, API keys, phone numbers, tenant details, and non-public endpoints, then update the PR body to trigger re-review or ask a maintainer to comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +93, Tests +248. Total +341 across 8 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	4	114	21	+93
Tests	4	274	26	+248
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	8	388	47	+341

What I checked:

• Repository policy applied: Root AGENTS.md and extensions/AGENTS.md were read; the relevant guidance treats plugin auth, fail-closed behavior, and channel proof as compatibility-sensitive review surfaces. (AGENTS.md:14, b789e71e57d9)
• Current main accepts without serviceUrl binding: Current main creates the Bot Framework JWT validator before JSON parsing and calls validate(authHeader) without passing Activity serviceUrl, so the signed service URL is not bound to the body. (extensions/msteams/src/monitor.ts:302, b789e71e57d9)
• PR adds body-backed serviceUrl validation: PR head parses bounded JSON after the cheap Bearer gate and passes getActivityServiceUrl(req.body) into JWT validation. (extensions/msteams/src/monitor.ts:311, a67b7284b9d8)
• PR enforces JWT claim matching: PR head normalizes HTTPS service URLs and rejects tokens when the verified serviceurl/serviceUrl claim does not match the Activity serviceUrl. (extensions/msteams/src/sdk.ts:738, a67b7284b9d8)
• PR scopes media Authorization on first hop: PR head strips Authorization from the initial safeFetch request when the URL is outside authorizationAllowHosts, matching the existing redirect-hop rule. (extensions/msteams/src/attachments/shared.ts:574, a67b7284b9d8)
• Dependency contract checked: Microsoft BotBuilder's authenticateChannelTokenWithServiceUrl validates that the identity's serviceurl claim matches the supplied service URL, and AuthenticationConstants.ServiceUrlClaim is serviceurl.

Likely related people:

• eleqtrizit: Authored the merged current-main Teams serviceUrl allowlist in fix(msteams): block untrusted Teams service URLs #87334, which this PR builds on directly. (role: recent area contributor; confidence: high; commits: 62550710bfec; files: extensions/msteams/src/bot-framework-service-url.ts, extensions/msteams/src/sdk.ts, extensions/msteams/src/send-context.ts)
• Beandon13: Recent history for sdk.ts includes Teams Bot Framework JWT/network error handling in the same validator and monitor path. (role: adjacent feature contributor; confidence: medium; commits: eecda912ee75; files: extensions/msteams/src/sdk.ts, extensions/msteams/src/monitor.ts)
• vincentkoc: Recent history for attachments/shared.ts shows Microsoft Teams attachment helper work near the safeFetch and media handling surface this PR changes. (role: recent adjacent contributor; confidence: medium; commits: f3f6a866cae1; files: extensions/msteams/src/attachments/shared.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

• The egg game starts only after the PR passes the real-behavior proof check.
• Before that, no creature or rarity is rolled. The treat waits for real proof.
• This is still just collectible flavor: proof affects review readiness, not creature quality.

[eleqtrizit]

Maintainer approval for the intentional compatibility change:

I approve this PR's fail-closed Microsoft Teams behavior as an intentional auth hardening change. Specifically, inbound Bot Framework activities with missing, malformed, query/fragment-bearing, or JWT-claim-mismatched serviceUrl values should return 401, and Bot Framework attachment bearer tokens should only be sent to explicitly auth-allowlisted hosts.

Compatibility note: if a valid Microsoft Teams tenant exposes a previously undocumented Bot Framework service URL or media host, we should treat that as an allowlist update with redacted live evidence rather than reopening broad token forwarding.

This approval does not replace the separate live Teams/Bot Framework proof request; that still needs credentialed, redacted webhook or media-download evidence before merge.