
#21208: feat: update tlon channel/plugin to be more fully featured

by arthyn, open, 2026-02-19 19:43
Labels: docs, channel: tlon, size: XL
## Summary

- Problem: Tlon plugin has gone through many changes since the original commit in this repo. Since then we've been working in a standalone repo https://github.com/tloncorp/openclaw-tlon
- Why it matters: Tlon plugin was just barely ready; this is a full-fledged version that supports most of what the other plugins support
- What changed: Rich text formatting support, image support, thread conversation support, permissioning changes
- What did NOT change: Auth/onboarding flows, SSRF protection code, core message sending logic

## Change Type (select all)

- [ ] Bug fix
- [x] Feature
- [x] Refactor
- [ ] Docs
- [x] Security hardening
- [ ] Chore/infra

## Scope (select all touched areas)

- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [x] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra

## Linked Issue/PR

N/A

## User-visible / Behavior Changes

- Rich text formatting support
- Image support
- Thread conversation support
- Slash command support
- Bundled skill: allows for doing nearly all operations that you can do through the Tlon app, like managing groups, creating channels, managing plugin permissions, modifying profile, etc.
- Permissioning changes
  - `autoAcceptDMInvites`: allows the bot to automatically accept DM requests for more permissive scenarios
  - `autoAcceptGroupInvites`: allows the bot to automatically accept group requests for more permissive scenarios
  - `ownerShip`: defines who "owns" the bot so that any other interactions can pass through the approval system

## Security Impact (required)

- New permissions/capabilities? Yes
- Secrets/tokens handling changed? No
- New/changed network calls? Yes - uploadFile makes calls to Tlon's storage API (Memex for hosted, S3 for self-hosted)
- Command/tool execution surface changed? Yes - added Tlon tool for bundled skill
- Data access scope changed? No
- If any Yes, explain risk + mitigation: Upload calls go through the existing authenticated Tlon session; no new credentials required. Falls back to original URL on failure.

## Repro + Verification

### Environment

- OS: macOS
- Runtime/container: Node.js
- Model/provider: N/A
- Integration/channel: Tlon
- Relevant config: Tlon plugin with ship URL/code configured

## Steps

1. Configure Tlon plugin with valid ship credentials
2. Send a message with an image URL via the message tool
3. Verify image appears in Tlon chat
4. Send a message requesting rich formatting
5. Receive a message fully formatted

## Expected

- Image uploads to Tlon storage and displays correctly
- Rich formatting comes through the message correctly

## Actual

- Image uploads and displays correctly ✅
- Rich formatting comes through the message correctly ✅

## Evidence

- [x] Trace/log snippets

Tests:

```
✓ extensions/tlon/src/urbit/send.test.ts (1 test)
✓ extensions/tlon/src/monitor/processed-messages.test.ts (1 test)
✓ extensions/tlon/src/urbit/base-url.test.ts (5 tests)
✓ extensions/tlon/src/config-schema.test.ts (2 tests)
✓ extensions/tlon/src/urbit/auth.ssrf.test.ts (2 tests)

Test Files  5 passed (5)
     Tests  11 passed (11)
```

## Human Verification (required)

- **Verified scenarios:** Rich text formatting (bold, italic, code blocks, headers, lists), image uploads via Wikipedia test image
- **Edge cases checked:** N/A
- **What you did NOT verify:** Other plugins and extensions (their files are untouched)

## Compatibility / Migration

- Backward compatible? `Yes`
- Config/env changes? `Yes`
- Migration needed? `No`

## Failure Recovery (if this breaks)

- How to disable/revert this change quickly: Revert to previous version of extensions/tlon
- Files/config to restore: extensions/tlon/*
- Known bad symptoms: None

## Risks and Mitigations

- **Risk:** Anyone using Tlon plugin could see issues if there are unfound issues
- **Mitigation:** Most Tlon users are in touch with us for support (or are getting an OpenClaw instance from us)

---

**Note:** This PR was AI-assisted (Claude/OpenClaw). Tested locally with a real Tlon ship.

### Greptile Summary

Updated Tlon plugin from minimal implementation to full-featured integration with rich text formatting, image support, thread conversations, and bundled Tlon CLI skill. Added comprehensive approval system for managing DM/channel/group access with owner-based permissioning via `ownerShip` config.

**Key changes:**

- Rich text formatting via new `story.ts` markdown parser supporting bold, italic, code blocks, links, and images
- Image upload/download with integration to Tlon storage API (`@tloncorp/api`)
- Thread conversation support with proper reply handling
- Approval system (`approval.ts`) for gating bot access - owner receives notifications for DM requests, channel mentions, and group invites
- New permissions: `autoAcceptDmInvites`, `autoAcceptGroupInvites`, `ownerShip`
- Settings store integration for hot-reloadable config
- Bundled Tlon CLI skill (`@tloncorp/tlon-skill`) for advanced operations

**Critical security issues found:**

- SSRF vulnerabilities in `upload.ts:15` and `media.ts:59` - both use raw `fetch()` without the SSRF protection applied elsewhere in the codebase
- Potential command injection in bundled skill (`index.ts:81-84`) - user input passed to `spawn()` without validation

### Confidence Score: 2/5

- PR contains critical security vulnerabilities (SSRF and potential command injection) that must be resolved before merge
- Score reflects two critical security issues: (1) SSRF vulnerabilities in upload.ts and media.ts that bypass existing protections and could allow internal network access, and (2) potential command injection in the bundled skill. These are high-impact vulnerabilities given the PR's security hardening claims. The functional implementation appears solid with good test coverage, but security gaps are blocking issues.
- Critical attention needed: `extensions/tlon/src/urbit/upload.ts` (SSRF), `extensions/tlon/src/monitor/media.ts` (SSRF), `extensions/tlon/index.ts` (command injection). Review the SSRF protection pattern from `auth.ssrf.test.ts` and apply consistently.

Last reviewed commit: 1524619
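The SSRF finding above is about a raw `fetch()` on a URL the bot did not choose (an image URL supplied in a message). The following is an added example, written for this page and not code from the PR, from the openclaw repo, or from the Tlon plugin, of the shape of guard such a call needs: restrict the scheme, reject embedded credentials, resolve the host and refuse any loopback, private, link-local or otherwise non-public answer, and re-validate every redirect hop instead of letting the transport follow redirects. The function names (`isBlockedAddress`, `resolveSafeTarget`, `safeFetch`), the injected resolver and fetch, and the exact address ranges are assumptions of this example; the project's own pattern behind `auth.ssrf.test.ts` is not shown on this page and may differ.

```typescript
import { isIP } from "node:net";

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const MAX_REDIRECTS = 3;

// True for addresses a server-side fetch must never reach: unspecified,
// loopback, RFC 1918, link-local (including the 169.254.169.254 cloud
// metadata endpoint), CGNAT, multicast and reserved. The IPv6 prefix
// tests are deliberately conservative (assumed ranges for this example).
export function isBlockedAddress(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) {
    const [a, b] = ip.split(".").map(Number);
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127) ||
      a >= 224
    );
  }
  if (family === 6) {
    const v6 = ip.toLowerCase();
    if (v6 === "::" || v6 === "::1") return true;
    if (v6.startsWith("::ffff:")) return isBlockedAddress(v6.slice(7)); // IPv4-mapped form
    if (/^fe[89ab]/.test(v6)) return true; // link-local fe80::/10
    if (/^f[cd]/.test(v6)) return true;    // unique local fc00::/7
    return false;
  }
  return true; // not an IP literal at all: refuse rather than guess
}

// The resolver is injected so the guard can be exercised offline; in
// production pass something like `(h) => dns.promises.resolve4(h)`.
export type Resolver = (hostname: string) => Promise<string[]>;

// Validates the scheme, rejects embedded credentials, and requires every
// address the host resolves to be public (a mixed answer is rejected).
export async function resolveSafeTarget(
  raw: string,
  resolve: Resolver,
): Promise<{ url: URL; addresses: string[] }> {
  const url = new URL(raw); // throws on malformed input; the WHATWG parser also
                            // normalises numeric hosts such as 2130706433 to 127.0.0.1
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new Error(`blocked protocol: ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error("credentials in URL are not allowed");
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // WHATWG keeps [] around IPv6 literals
  const addresses = isIP(host) ? [host] : await resolve(host);
  if (addresses.length === 0) throw new Error(`no addresses for ${host}`);
  for (const addr of addresses) {
    if (isBlockedAddress(addr)) throw new Error(`blocked address ${addr} for host ${host}`);
  }
  return { url, addresses };
}

// Minimal fetch-like shape so the redirect handling can be driven offline.
export interface MinimalResponse {
  status: number;
  headers: { get(name: string): string | null };
}
export type FetchLike = (url: string, init: { redirect: "manual" }) => Promise<MinimalResponse>;

// Follows redirects by hand and re-validates every hop, so a permitted public
// host cannot bounce the client to an internal address. Remaining gap: the
// resolver and the transport do separate DNS lookups, so closing DNS
// rebinding fully needs the resolved address pinned at connect time (a custom
// agent); that is outside this example.
export async function safeFetch(
  raw: string,
  resolve: Resolver,
  fetchImpl: FetchLike = (globalThis as any).fetch,
): Promise<MinimalResponse> {
  let current = raw;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const { url } = await resolveSafeTarget(current, resolve);
    const res = await fetchImpl(url.toString(), { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || !location) return res;
    current = new URL(location, url).toString(); // relative Location resolved against this hop
  }
  throw new Error(`too many redirects starting at ${raw}`);
}
```

The two places the review names (`upload.ts:15`, `media.ts:59`) would call `safeFetch` instead of `fetch`; note that a plain `fetch(url)` follows redirects itself, so checking only the initial URL still leaves the bounce-to-internal path open.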

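For the command-injection finding (`index.ts:81-84`, user input reaching `spawn()`), here is an added example, not code from the PR or from the bundled skill, of how to hand user-controlled values to a child process: an argv array with no shell, a subcommand allowlist, and rejection of values that are flag-shaped or carry anything but a narrow character set. The binary name, the subcommand list, the `--` end-of-options convention and the value character set are hypothetical choices for this illustration.

```typescript
import { spawn } from "node:child_process";
import type { ChildProcess } from "node:child_process";

// Subcommands the bot may invoke; anything else is refused outright.
// The set and the `--` convention are assumptions about a hypothetical CLI.
const ALLOWED_SUBCOMMANDS = new Set(["groups", "channels", "profile"]);

// Conservative shape for positional values (ship names like ~zod, slugs, ids).
// Whitespace, quotes and shell metacharacters are never accepted.
const SAFE_ARG = /^[A-Za-z0-9._~\/:-]{1,256}$/;

// Vulnerable pattern this replaces (do not use):
//   spawn("tlon", [`${sub} ${userArgs.join(" ")}`], { shell: true })
// With `shell: true` the joined string is handed to /bin/sh, so a value such
// as "x; curl attacker.test" runs as a command. Even without a shell, a value
// like "--config=/tmp/evil" is parsed by the CLI as an option; the `--`
// separator below ends option parsing so every user value stays positional.

export function buildArgs(subcommand: string, params: string[]): string[] {
  if (!ALLOWED_SUBCOMMANDS.has(subcommand)) {
    throw new Error(`subcommand not allowed: ${subcommand}`);
  }
  for (const p of params) {
    if (p.startsWith("-")) throw new Error(`positional value looks like a flag: ${p}`);
    if (!SAFE_ARG.test(p)) throw new Error(`value contains disallowed characters: ${p}`);
  }
  return [subcommand, "--", ...params];
}

// Spawns the CLI with an argv array and no shell: each element reaches the
// child as exactly one argument, so quoting and metacharacters are inert.
// The child also gets a minimal environment rather than the bot's full one.
export function runCli(binary: string, subcommand: string, params: string[]): ChildProcess {
  return spawn(binary, buildArgs(subcommand, params), {
    shell: false,
    stdio: ["ignore", "pipe", "pipe"],
    env: { PATH: process.env.PATH ?? "/usr/bin:/bin" },
  });
}
```

The allowlist is the part that actually bounds what the tool can do; the character filter and `--` only keep a permitted subcommand from being steered into an unintended mode by its arguments.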