fix(msteams): require admin for group actions

[eleqtrizit]

Summary

Tightens Microsoft Teams group-management message actions so add/remove/rename operations require an owner-authorized requester or an operator.admin gateway caller before Microsoft Graph mutations run.

Changes

• Marks addParticipant, removeParticipant, and renameGroup as Teams actions that require a trusted requester sender in Teams tool contexts.
• Adds a handler-level authorization gate for those group-management actions before runtime Graph calls are loaded.
• Adds regression coverage for trusted-requester declaration, non-owner/non-admin denial, owner success, and operator.admin success.

Validation

• corepack pnpm install --frozen-lockfile
• corepack pnpm format -- extensions/msteams/src/channel.ts extensions/msteams/src/channel.actions.test.ts
• node scripts/run-vitest.mjs extensions/msteams/src/channel.actions.test.ts extensions/msteams/src/channel.test.ts src/channels/plugins/message-actions.security.test.ts
• node scripts/run-oxlint.mjs --tsconfig config/tsconfig/oxlint.extensions.json extensions/msteams/src/channel.ts extensions/msteams/src/channel.actions.test.ts
• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local clean: no accepted/actionable findings

Notes

• No CHANGELOG.md update.
• No live Teams Graph call was run; validation uses plugin-level mocked Graph runtime coverage for the authorization boundary.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 3:17 PM ET / 19:17 UTC.

Summary
The PR adds a Microsoft Teams plugin authorization gate and trusted-requester declaration for addParticipant, removeParticipant, and renameGroup, with regression tests for denial and owner/operator.admin allow paths.

PR surface: Source +27, Tests +167. Total +194 across 2 files.

Reproducibility: yes. from source inspection: current main exposes the three Teams group-management actions and dispatches them to Graph runtime calls without this owner/admin guard. I did not run a live Teams tenant mutation in this read-only review.

Review metrics: 1 noteworthy metric.

• Teams group actions gated: 3 changed. addParticipant, removeParticipant, and renameGroup move from callable Graph mutations to owner/operator.admin-only behavior, which is the main compatibility decision before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Maintainer signoff on the fail-closed behavior for shipped Teams group-management actions.

Risk before merge

• [P1] Merging intentionally fails closed for three Teams group-management actions, so non-owner/non-admin automations that currently add/remove participants or rename Teams groups will now receive an authorization error before Graph mutation.

Maintainer options:

1. Accept the fail-closed Teams gate (recommended)
   A maintainer can approve landing after acknowledging that non-owner/non-admin add/remove/rename calls now fail before Microsoft Graph is reached.
2. Pause for a compatibility path
   If those group-management automations must remain callable, hold this PR and design an opt-in or migration path instead.

Next step before merge

• No automated repair is needed; a maintainer must handle the protected label and accept or reject the fail-closed Teams compatibility change.

Security
Cleared: The diff tightens authorization before Teams Graph mutations and does not add dependency, workflow, credential, or supply-chain risk.

Review details

Best possible solution:

Land the plugin-owned auth gate after a maintainer explicitly accepts the fail-closed behavior for non-owner/non-admin Teams group-management calls.

Do we have a high-confidence way to reproduce the issue?

Yes from source inspection: current main exposes the three Teams group-management actions and dispatches them to Graph runtime calls without this owner/admin guard. I did not run a live Teams tenant mutation in this read-only review.

Is this the best way to solve the issue?

Yes for code shape: the guard lives in the Teams plugin handler before Graph runtime loading and uses the existing trusted-sender and gateway scope contracts. The remaining issue is maintainer acceptance of the intentional fail-closed compatibility change.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8b84e951e5a6.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The contributor supplied redacted terminal output from PR head showing the denied non-owner path and owner/operator.admin allow paths at the real Teams action boundary, with only the external Graph mutation boundary stubbed.
• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The contributor supplied redacted terminal output from PR head showing the denied non-owner path and owner/operator.admin allow paths at the real Teams action boundary, with only the external Graph mutation boundary stubbed.
• remove rating: 🧂 unranked krab: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: 📣 needs proof: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P1: The PR changes a security-sensitive Microsoft Teams group-management workflow that can mutate membership and group names.
• merge-risk: 🚨 compatibility: Existing Teams group-management callers without owner or operator.admin authority will start receiving an authorization error instead of mutating Graph state.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The contributor supplied redacted terminal output from PR head showing the denied non-owner path and owner/operator.admin allow paths at the real Teams action boundary, with only the external Graph mutation boundary stubbed.
• proof: sufficient: Contributor real behavior proof is sufficient. The contributor supplied redacted terminal output from PR head showing the denied non-owner path and owner/operator.admin allow paths at the real Teams action boundary, with only the external Graph mutation boundary stubbed.

Evidence reviewed

PR surface:

Source +27, Tests +167. Total +194 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	27	0	+27
Tests	1	167	0	+167
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	194	0	+194

What I checked:

• PR auth gate: PR head adds MSTEAMS_GROUP_MANAGEMENT_ACTIONS, rejects those actions unless senderIsOwner or operator.admin is present, and runs the check before lazy-loading the Teams runtime. (extensions/msteams/src/channel.ts:92, 07905fde41d1)
• Current main behavior: Current main advertises addParticipant, removeParticipant, and renameGroup and dispatches them to Graph runtime calls without an owner/admin auth branch. (extensions/msteams/src/channel.ts:395, 8b84e951e5a6)
• Graph mutation surface: The three guarded actions mutate Microsoft Graph membership or chat/channel names, so the changed boundary is security-sensitive. (extensions/msteams/src/graph-group-management.ts:44, 8b84e951e5a6)
• Shared trusted-sender contract: The shared dispatcher supports plugin-declared trusted requester requirements and rejects tool-driven calls without requesterSenderId before invoking plugin handlers. (src/channels/plugins/message-action-dispatch.ts:23, 8b84e951e5a6)
• Gateway owner/admin contract: Gateway message.action passes requesterSenderId, clamps senderIsOwner for non-admin clients, and passes gatewayClientScopes into channel action dispatch. (src/gateway/server-methods/send.ts:531, 8b84e951e5a6)
• PR tests: PR tests cover trusted-requester discovery, non-owner/operator.write denial with no runtime call, owner success, and operator.admin success. (extensions/msteams/src/channel.actions.test.ts:380, 07905fde41d1)

Likely related people:

• sudie-codes: Auth-sensitive Teams group-management actions were introduced by the merged group-management PR, whose commits added addParticipant, removeParticipant, renameGroup, and their tests. (role: introduced behavior; confidence: high; commits: f71ee71787c7, e48d52dff900, 197c335f99cf; files: extensions/msteams/src/channel.ts, extensions/msteams/src/graph-group-management.ts, extensions/msteams/src/channel.actions.test.ts)
• BradGroux: The group-management PR discussion shows BradGroux reviewed the Teams Graph changes, and follow-up commits restored plugin contracts and guardrails around that surface. (role: reviewer and adjacent fixer; confidence: medium; commits: 256ac029dcc8, 278a2061ad6b, 776075e3c142; files: extensions/msteams/src/channel.ts, extensions/msteams/src/graph-group-management.ts)
• steipete: A later merged Teams security-hardening PR touched graph-group-management role validation, OData escaping, attachment fetch hardening, and setup OAuth launch behavior. (role: recent security hardening contributor; confidence: medium; commits: c56b56e514f8; files: extensions/msteams/src/graph-group-management.ts, extensions/msteams/src/setup-surface.ts, extensions/msteams/src/attachments/shared.ts)
• vincentkoc: Current-main blame on the Teams action exposure and Graph mutation paths points to a broad carry-forward commit by Vincent Koc, so this is a useful current-code routing signal even though older PR history is richer. (role: current-main carry-forward contributor; confidence: medium; commits: b08e1109c67e; files: extensions/msteams/src/channel.ts, extensions/msteams/src/graph-group-management.ts, src/channels/plugins/message-action-dispatch.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[eleqtrizit]

Real behavior proof

• Behavior addressed: Microsoft Teams addParticipant, removeParticipant, and renameGroup message actions now fail closed unless the request is owner-authorized or the Gateway caller has operator.admin; Teams tool contexts also declare that these group-management actions require a trusted requester sender.
• Real environment tested: local OpenClaw checkout on PR head 07905fde41d1ef6281de8e4a440f1378d1a352ad, Node 22.22.2, loading the real extensions/msteams/src/channel.ts source through node --import tsx. The proof intercepted only the dynamic ./channel.runtime.js Microsoft Graph boundary so no real tenant membership/name mutation was performed.
• Exact steps or command run after this patch: node --import tsx /tmp/msteams-proof.Y7Oq57.mjs
• Evidence after fix:

trusted-requester gate addParticipant/msteams: true
non-owner operator.write denied: {"isError":true,"content":[{"type":"text","text":"Microsoft Teams group management requires an owner or operator.admin requester."}],"details":{"error":"Microsoft Teams group management requires an owner or operator.admin requester."}}
Graph addParticipant calls after denial: 0
owner addParticipant allowed: {"content":[{"type":"text","text":"{\"ok\":true,\"channel\":\"msteams\",\"action\":\"addParticipant\",\"added\":{\"chatId\":\"conversation:19:redacted@thread.tacv2\",\"userId\":\"redacted-user\"}}"}],"details":{"ok":true,"channel":"msteams","action":"addParticipant","added":{"chatId":"conversation:19:redacted@thread.tacv2","userId":"redacted-user"}}}
Graph addParticipant calls after owner path: 1
operator.admin removeParticipant allowed: {"content":[{"type":"text","text":"{\"ok\":true,\"channel\":\"msteams\",\"action\":\"removeParticipant\",\"removed\":{\"chatId\":\"conversation:19:redacted@thread.tacv2\",\"userId\":\"redacted-user\"}}"}],"details":{"ok":true,"channel":"msteams","action":"removeParticipant","removed":{"chatId":"conversation:19:redacted@thread.tacv2","userId":"redacted-user"}}}
Graph removeParticipant calls after admin path: 1
operator.admin renameGroup allowed: {"content":[{"type":"text","text":"{\"ok\":true,\"channel\":\"msteams\",\"action\":\"renameGroup\",\"renamed\":{\"chatId\":\"conversation:19:redacted@thread.tacv2\",\"newName\":\"Redacted group\"}}"}],"details":{"ok":true,"channel":"msteams","action":"renameGroup","renamed":{"chatId":"conversation:19:redacted@thread.tacv2","newName":"Redacted group"}}}
Graph renameGroup calls after admin path: 1

• Observed result after fix: a non-owner operator.write request returns the new authorization error and does not call the Graph mutation boundary. Owner-authorized addParticipant succeeds and reaches the Graph boundary once. operator.admin removeParticipant and renameGroup succeed and each reach the Graph boundary once.
• What was not tested: no live Microsoft Teams tenant / Microsoft Graph mutation was executed because this environment has no Teams credentials and we should not mutate a real tenant for proof. The external Graph boundary was stubbed; the plugin authorization and action-return behavior used the real PR source.
• Proof limitations or environment constraints: this is redacted local runtime proof, not a live Graph proof. It covers the ClawSweeper-requested denied non-owner path plus owner and operator.admin success paths at the OpenClaw Teams action boundary.
• Before evidence: current main had the same three actions wired directly to Graph runtime calls without the owner/admin gate; this PR adds MSTEAMS_GROUP_MANAGEMENT_ACTIONS, requiresTrustedRequesterSender, and requireMSTeamsGroupManagementAuthorization before the calls at extensions/msteams/src/channel.ts.

Compatibility/security-boundary decision: I accept the intentional fail-closed behavior for these three shipped Teams group-management actions. Existing non-owner/non-admin automations that add, remove, or rename Teams groups should now receive the authorization error instead of mutating Teams state; owner-authorized and operator.admin workflows remain allowed.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27229358437
• Updated: 2026-06-09T19:18:09.977Z

[eleqtrizit]

Summary of Checks

Relevance

Multiple independent assessments confirmed the vulnerability is in scope: the Teams plugin's group-management actions (addParticipant, removeParticipant, renameGroup) execute Microsoft Graph mutations without authorization checks, while the Discord plugin already has an equivalent guard. The issue is unfixed on current main and the latest shipped release.

Compatibility

The fix follows the established Discord plugin pattern using the existing requiresTrustedRequesterSender hook and senderIsOwner/gatewayClientScopes context fields — no new core permission model, config keys, env vars, protocol messages, or dependency changes were introduced. Authorized owner/admin workflows continue to work. The only newly rejected behavior is the vulnerable lower-scope path, which is the intended security boundary.

ClawSweeper

ClawSweeper initially blocked the PR requiring real behavior proof and maintainer acceptance of the fail-closed compatibility change. Both requirements were satisfied: redacted real runtime proof was posted showing non-owner denial and authorized owner/admin success paths, and the fail-closed impact was explicitly accepted.

Code Reviews Completed

The implementation was reviewed against code quality standards: proper use of existing plugin SDK hooks, defense-in-depth with both dispatcher-level and handler-level checks, clean plugin boundary compliance, clear error messages, early-return patterns, and comprehensive regression tests covering trusted-requester declaration, non-owner/non-admin denial, owner success, and operator.admin success.

Proof

• Behavioral proof: A redacted local runtime proof demonstrated that non-owner operator.write callers are denied with the correct error and make zero Graph calls, while owner and operator.admin callers succeed and reach the Graph boundary.
• Test proof: All 48 tests across the Teams action tests, channel tests, and message-actions security tests pass.
• CI proof: CI is passing — the only failed shard was an unrelated gateway startup/restart test that never ran its test command (infrastructure setup failure, not related to the Teams changes).