fix(messaging): harden Teams onboarding plan

Author: sandl99

agents/hermes/policy-additions.yaml

@@ -300,9 +300,6 @@ network_policies:
         rules:
           - allow: { method: GET, path: "/**" }
           - allow: { method: POST, path: "/**" }
-          - allow: { method: PATCH, path: "/**" }
-          - allow: { method: PUT, path: "/**" }
-          - allow: { method: DELETE, path: "/**" }
       - host: teams.microsoft.com
         port: 443
         protocol: rest

nemoclaw-blueprint/policies/presets/teams.yaml

@@ -55,9 +55,6 @@ network_policies:
         rules:
           - allow: { method: GET, path: "/**" }
           - allow: { method: POST, path: "/**" }
-          - allow: { method: PATCH, path: "/**" }
-          - allow: { method: PUT, path: "/**" }
-          - allow: { method: DELETE, path: "/**" }
       # Read-only Teams/Office media surfaces referenced by Teams messages.
       - host: teams.microsoft.com
         port: 443

src/lib/messaging/applier/build/messaging-build-applier.mts

@@ -112,6 +112,12 @@ type HermesUvPackageInstall = {
   readonly spec: string;
 };
 
+function isPinnedHermesUvPackageSpec(spec: string): boolean {
+  return /^[A-Za-z0-9][A-Za-z0-9_.-]*(?:\[[A-Za-z0-9][A-Za-z0-9_.-]*(?:,[A-Za-z0-9][A-Za-z0-9_.-]*)*\])?==[A-Za-z0-9][A-Za-z0-9_.!+~-]*$/.test(
+    spec,
+  );
+}
+
 export class MessagingBuildApplierError extends Error {}
 
 export const DEFAULT_MESSAGING_RUNTIME_PLAN_PATH =
@@ -885,13 +891,13 @@ function readHermesUvPipPackageInstall(
   }
   if (typeof install.spec !== "string" || install.spec.trim().length === 0) {
     throw new MessagingBuildApplierError(
-      `Messaging package-install output ${outputId} must include a Hermes Python package name`,
+      `Messaging package-install output ${outputId} must include a Hermes Python package spec`,
     );
   }
   const spec = install.spec.trim();
-  if (!/^[A-Za-z0-9_.-]+$/.test(spec)) {
+  if (!isPinnedHermesUvPackageSpec(spec)) {
     throw new MessagingBuildApplierError(
-      `Messaging package-install output ${outputId} has an unsafe Hermes Python package name`,
+      `Messaging package-install output ${outputId} must use a safe exact-pinned Hermes Python package spec`,
     );
   }
   return { spec };
@@ -1389,6 +1395,7 @@ function installHermesMessagingUvPackages(plan: MessagingBuildPlan | null, env:
       "--python",
       "/opt/hermes/.venv/bin/python",
       "--no-cache",
+      "--",
       ...selectedPackages,
     ],
     env,

src/lib/messaging/channels/manifests.test.ts

@@ -680,6 +680,7 @@ describe("built-in channel manifests", () => {
     expect(tenantId.envAliases).toEqual(["TEAMS_TENANT_ID"]);
     expect(allowedUsers.envKey).toBe("TEAMS_ALLOWED_USERS");
     expect(allowedUsers.envAliases).toEqual(["MSTEAMS_ALLOWED_USERS"]);
+    expect(allowedUsers.required).toBe(true);
     expect(webhookPort.envKey).toBe("MSTEAMS_PORT");
     expect(webhookPort.envAliases).toEqual(["TEAMS_PORT"]);
     expect(webhookPort).toMatchObject({ kind: "config", defaultValue: "3978" });
@@ -746,6 +747,7 @@ describe("built-in channel manifests", () => {
         {
           id: "allowedUsers",
           kind: "config",
+          required: true,
         },
         {
           id: "webhookPort",
@@ -770,14 +772,14 @@ describe("built-in channel manifests", () => {
       id: "hermesTeamsAppsPackage",
       agent: "hermes",
       manager: "hermes-uv-pip",
-      spec: "microsoft-teams-apps",
+      spec: "microsoft-teams-apps==2.0.13.4",
       required: true,
     });
     expect(teamsManifest.agentPackages).toContainEqual({
       id: "hermesAiohttpPackage",
       agent: "hermes",
       manager: "hermes-uv-pip",
-      spec: "aiohttp",
+      spec: "aiohttp==3.14.1",
       required: true,
     });
     expect(teamsManifest.state).toEqual({

src/lib/messaging/channels/metadata.test.ts

@@ -159,14 +159,14 @@ describe("built-in messaging channel metadata", () => {
         packageId: "hermesTeamsAppsPackage",
         agents: ["hermes"],
         manager: "hermes-uv-pip",
-        spec: "microsoft-teams-apps",
+        spec: "microsoft-teams-apps==2.0.13.4",
       },
       {
         channelId: "teams",
         packageId: "hermesAiohttpPackage",
         agents: ["hermes"],
         manager: "hermes-uv-pip",
-        spec: "aiohttp",
+        spec: "aiohttp==3.14.1",
       },
     ]);
   });

src/lib/messaging/channels/teams/manifest.ts

@@ -55,14 +55,13 @@ export const teamsManifest = {
     {
       id: "allowedUsers",
       kind: "config",
-      required: false,
+      required: true,
       envKey: "TEAMS_ALLOWED_USERS",
       envAliases: ["MSTEAMS_ALLOWED_USERS"],
       statePath: "allowedIds.teams",
       prompt: {
         label: "Microsoft Teams AAD Object IDs (comma-separated allowlist)",
         help: "Recommended: run `teams status --verbose` and enter the Azure AD object IDs allowed to use the bot.",
-        emptyValueMessage: "bot will rely on agent-side pairing or upstream defaults",
       },
     },
     {
@@ -194,14 +193,14 @@ export const teamsManifest = {
       id: "hermesTeamsAppsPackage",
       agent: "hermes",
       manager: "hermes-uv-pip",
-      spec: "microsoft-teams-apps",
+      spec: "microsoft-teams-apps==2.0.13.4",
       required: true,
     },
     {
       id: "hermesAiohttpPackage",
       agent: "hermes",
       manager: "hermes-uv-pip",
-      spec: "aiohttp",
+      spec: "aiohttp==3.14.1",
       required: true,
     },
   ],
@@ -283,6 +282,7 @@ export const teamsManifest = {
         {
           id: "allowedUsers",
           kind: "config",
+          required: true,
         },
         {
           id: "webhookPort",

src/lib/messaging/compiler/manifest-compiler.test.ts

@@ -419,7 +419,7 @@ describe("ManifestCompiler", () => {
         required: true,
         value: {
           manager: "hermes-uv-pip",
-          spec: "microsoft-teams-apps",
+          spec: "microsoft-teams-apps==2.0.13.4",
         },
       },
       {
@@ -429,7 +429,7 @@ describe("ManifestCompiler", () => {
         required: true,
         value: {
           manager: "hermes-uv-pip",
-          spec: "aiohttp",
+          spec: "aiohttp==3.14.1",
         },
       },
     ]);
@@ -507,6 +507,7 @@ describe("ManifestCompiler", () => {
       {
         MSTEAMS_APP_ID: "test-teams-app-id",
         MSTEAMS_TENANT_ID: "test-teams-tenant-id",
+        TEAMS_ALLOWED_USERS: "00000000-0000-0000-0000-000000000001",
         MSTEAMS_PORT: undefined,
         TEAMS_PORT: undefined,
         TEAMS_REQUIRE_MENTION: undefined,
@@ -550,6 +551,34 @@ describe("ManifestCompiler", () => {
     expect(JSON.stringify(plan.agentRender)).toContain('"requireMention":true');
   });
 
+  it("keeps Microsoft Teams disabled when no explicit user allowlist is provided", async () => {
+    const plan = await withEnv(
+      {
+        MSTEAMS_APP_ID: "test-teams-app-id",
+        MSTEAMS_TENANT_ID: "test-teams-tenant-id",
+        TEAMS_ALLOWED_USERS: undefined,
+      },
+      () =>
+        compiler().compile({
+          sandboxName: "demo",
+          agent: "openclaw",
+          workflow: "rebuild",
+          isInteractive: false,
+          configuredChannels: ["teams"],
+          credentialAvailability: {
+            MSTEAMS_APP_PASSWORD: true,
+          },
+        }),
+    );
+
+    expect(plan.channels.find((channel) => channel.channelId === "teams")).toMatchObject({
+      active: false,
+      configured: true,
+      disabled: true,
+    });
+    expect(JSON.stringify(plan.agentRender)).not.toContain("channels.msteams");
+  });
+
   it("uses the configured Microsoft Teams webhook port for host forwarding", async () => {
     const plan = await withEnv(
       {
@@ -681,8 +710,9 @@ describe("ManifestCompiler", () => {
     });
     expect(plan.disabledChannels).toEqual(["wechat"]);
     expect(plan.networkPolicy.entries.map((entry) => entry.channelId)).toEqual(["wechat"]);
-    expect(plan.agentRender.map((render) => render.channelId)).toEqual(["wechat", "wechat"]);
-    expect(plan.healthChecks.map((entry) => entry.channelId)).toEqual(["wechat"]);
+    expect(plan.agentRender).toEqual([]);
+    expect(plan.buildSteps).toEqual([]);
+    expect(plan.healthChecks).toEqual([]);
   });
 
   it("runs enrollment hooks before returning the final channel input plan", async () => {
@@ -762,7 +792,7 @@ describe("ManifestCompiler", () => {
     expect(plan.runtimeSetup).toEqual({ nodePreloads: [], envAliases: [], secretScans: [] });
     expect(plan.credentialBindings.map((binding) => binding.channelId)).toEqual(["telegram"]);
     expect(plan.networkPolicy.entries.map((entry) => entry.channelId)).toEqual(["telegram"]);
-    expect(plan.agentRender.map((render) => render.channelId)).toEqual(["telegram", "telegram"]);
+    expect(plan.agentRender).toEqual([]);
     expect(plan.buildSteps).toEqual([]);
     expect(plan.stateUpdates.map((entry) => entry.channelId)).toEqual([
       "telegram",
@@ -771,7 +801,7 @@ describe("ManifestCompiler", () => {
       "telegram",
       "telegram",
     ]);
-    expect(plan.healthChecks.map((entry) => entry.channelId)).toEqual(["telegram"]);
+    expect(plan.healthChecks).toEqual([]);
   });
 
   it("runs non-interactive enrollment hooks to validate and feed reachability checks", async () => {
@@ -1179,7 +1209,7 @@ describe("ManifestCompiler", () => {
     ] satisfies Array<keyof SandboxMessagingPlan>);
   });
 
-  it("records disabled configured channels and leaves applier exclusion to disabledChannels", async () => {
+  it("records disabled configured channels without side-effect plans", async () => {
     const plan = await compiler().compile({
       sandboxName: "demo",
       agent: "openclaw",
@@ -1199,11 +1229,7 @@ describe("ManifestCompiler", () => {
     expect(plan.disabledChannels).toEqual(["telegram"]);
     expect(plan.credentialBindings.map((binding) => binding.channelId)).toEqual(["telegram"]);
     expect(plan.networkPolicy.entries.map((entry) => entry.channelId)).toEqual(["telegram"]);
-    expect(plan.agentRender.map((render) => render.channelId)).toEqual([
-      "telegram",
-      "telegram",
-      "telegram",
-    ]);
+    expect(plan.agentRender).toEqual([]);
     expect(plan.buildSteps).toEqual([]);
     expect(plan.stateUpdates.map((entry) => entry.channelId)).toEqual([
       "telegram",
@@ -1212,7 +1238,7 @@ describe("ManifestCompiler", () => {
       "telegram",
       "telegram",
     ]);
-    expect(plan.healthChecks.map((entry) => entry.channelId)).toEqual(["telegram"]);
+    expect(plan.healthChecks).toEqual([]);
     expect(plan.channels[0]?.hooks.map((hook) => hook.id)).toEqual([
       "telegram-token-paste",
       "telegram-allowlist-aliases",

src/lib/messaging/compiler/manifest-compiler.ts

@@ -64,9 +64,15 @@ export class ManifestCompiler {
       planCredentialBindings(manifest, context, inputRegistry.get(manifest.id) ?? []),
     );
     const networkPolicy = planNetworkPolicy(manifests, context);
+    const channelRegistry = new Map(
+      channels.map((channel) => [channel.channelId, channel] as const),
+    );
+    const activeManifests = manifests.filter(
+      (manifest) => channelRegistry.get(manifest.id)?.active === true,
+    );
     const agentRender = (
       await Promise.all(
-        manifests.map((manifest) =>
+        activeManifests.map((manifest) =>
           planAgentRender(
             manifest,
             context,
@@ -77,12 +83,9 @@ export class ManifestCompiler {
         ),
       )
     ).flat();
-    const channelRegistry = new Map(
-      channels.map((channel) => [channel.channelId, channel] as const),
-    );
     const buildSteps = (
       await Promise.all(
-        manifests.map((manifest) =>
+        activeManifests.map((manifest) =>
           planBuildSteps(
             manifest,
             context.agent,
@@ -95,7 +98,7 @@ export class ManifestCompiler {
     ).flat();
     const runtimeSetup = planRuntimeSetup(manifests, context.agent, channels);
     const stateUpdates = manifests.flatMap((manifest) => planStateUpdates(manifest));
-    const healthChecks = manifests.flatMap((manifest) => planHealthChecks(manifest));
+    const healthChecks = activeManifests.flatMap((manifest) => planHealthChecks(manifest));
 
     return {
       schemaVersion: 1,

src/lib/messaging/compiler/workflow-planner.test.ts

@@ -672,6 +672,7 @@ describe("MessagingWorkflowPlanner", () => {
       {
         MSTEAMS_APP_ID: "test-teams-app-id",
         MSTEAMS_TENANT_ID: "test-teams-tenant-id",
+        TEAMS_ALLOWED_USERS: "00000000-0000-0000-0000-000000000001",
         MSTEAMS_PORT: "3977",
       },
       async () => {

src/lib/onboard/messaging-host-forward.test.ts

@@ -93,6 +93,15 @@ describe("ensureMessagingHostForwardIfConfigured", () => {
     });
   });
 
+  it("fails closed when persisted messaging plans are malformed", () => {
+    expect(
+      resolveMessagingHostForward({
+        ...makePlan(),
+        channels: [null],
+      } as unknown as SandboxMessagingPlan),
+    ).toBeNull();
+  });
+
   it("starts the active messaging host forward", () => {
     const ensureForward = vi.fn(() => true);
     const note = vi.fn();