de49a8b72c
Merged via squash. Prepared head SHA: f2433790941841ade0efe6292ff4909b2edd6f18 Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com> Co-authored-by: huntharo <5617868+huntharo@users.noreply.github.com> Reviewed-by: @huntharo
150 lines
4.5 KiB
TypeScript
150 lines
4.5 KiB
TypeScript
import { callGateway } from "../../gateway/call.js";
|
|
import { logVerbose } from "../../globals.js";
|
|
import {
|
|
isTelegramExecApprovalApprover,
|
|
isTelegramExecApprovalClientEnabled,
|
|
} from "../../telegram/exec-approvals.js";
|
|
import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../../utils/message-channel.js";
|
|
import { requireGatewayClientScopeForInternalChannel } from "./command-gates.js";
|
|
import type { CommandHandler } from "./commands-types.js";
|
|
|
|
const COMMAND_REGEX = /^\/approve(?:\s|$)/i;
|
|
const FOREIGN_COMMAND_MENTION_REGEX = /^\/approve@([^\s]+)(?:\s|$)/i;
|
|
|
|
const DECISION_ALIASES: Record<string, "allow-once" | "allow-always" | "deny"> = {
|
|
allow: "allow-once",
|
|
once: "allow-once",
|
|
"allow-once": "allow-once",
|
|
allowonce: "allow-once",
|
|
always: "allow-always",
|
|
"allow-always": "allow-always",
|
|
allowalways: "allow-always",
|
|
deny: "deny",
|
|
reject: "deny",
|
|
block: "deny",
|
|
};
|
|
|
|
type ParsedApproveCommand =
|
|
| { ok: true; id: string; decision: "allow-once" | "allow-always" | "deny" }
|
|
| { ok: false; error: string };
|
|
|
|
function parseApproveCommand(raw: string): ParsedApproveCommand | null {
|
|
const trimmed = raw.trim();
|
|
if (FOREIGN_COMMAND_MENTION_REGEX.test(trimmed)) {
|
|
return { ok: false, error: "❌ This /approve command targets a different Telegram bot." };
|
|
}
|
|
const commandMatch = trimmed.match(COMMAND_REGEX);
|
|
if (!commandMatch) {
|
|
return null;
|
|
}
|
|
const rest = trimmed.slice(commandMatch[0].length).trim();
|
|
if (!rest) {
|
|
return { ok: false, error: "Usage: /approve <id> allow-once|allow-always|deny" };
|
|
}
|
|
const tokens = rest.split(/\s+/).filter(Boolean);
|
|
if (tokens.length < 2) {
|
|
return { ok: false, error: "Usage: /approve <id> allow-once|allow-always|deny" };
|
|
}
|
|
|
|
const first = tokens[0].toLowerCase();
|
|
const second = tokens[1].toLowerCase();
|
|
|
|
if (DECISION_ALIASES[first]) {
|
|
return {
|
|
ok: true,
|
|
decision: DECISION_ALIASES[first],
|
|
id: tokens.slice(1).join(" ").trim(),
|
|
};
|
|
}
|
|
if (DECISION_ALIASES[second]) {
|
|
return {
|
|
ok: true,
|
|
decision: DECISION_ALIASES[second],
|
|
id: tokens[0],
|
|
};
|
|
}
|
|
return { ok: false, error: "Usage: /approve <id> allow-once|allow-always|deny" };
|
|
}
|
|
|
|
function buildResolvedByLabel(params: Parameters<CommandHandler>[0]): string {
|
|
const channel = params.command.channel;
|
|
const sender = params.command.senderId ?? "unknown";
|
|
return `${channel}:${sender}`;
|
|
}
|
|
|
|
export const handleApproveCommand: CommandHandler = async (params, allowTextCommands) => {
|
|
if (!allowTextCommands) {
|
|
return null;
|
|
}
|
|
const normalized = params.command.commandBodyNormalized;
|
|
const parsed = parseApproveCommand(normalized);
|
|
if (!parsed) {
|
|
return null;
|
|
}
|
|
if (!params.command.isAuthorizedSender) {
|
|
logVerbose(
|
|
`Ignoring /approve from unauthorized sender: ${params.command.senderId || "<unknown>"}`,
|
|
);
|
|
return { shouldContinue: false };
|
|
}
|
|
|
|
if (!parsed.ok) {
|
|
return { shouldContinue: false, reply: { text: parsed.error } };
|
|
}
|
|
|
|
if (params.command.channel === "telegram") {
|
|
if (
|
|
!isTelegramExecApprovalClientEnabled({ cfg: params.cfg, accountId: params.ctx.AccountId })
|
|
) {
|
|
return {
|
|
shouldContinue: false,
|
|
reply: { text: "❌ Telegram exec approvals are not enabled for this bot account." },
|
|
};
|
|
}
|
|
if (
|
|
!isTelegramExecApprovalApprover({
|
|
cfg: params.cfg,
|
|
accountId: params.ctx.AccountId,
|
|
senderId: params.command.senderId,
|
|
})
|
|
) {
|
|
return {
|
|
shouldContinue: false,
|
|
reply: { text: "❌ You are not authorized to approve exec requests on Telegram." },
|
|
};
|
|
}
|
|
}
|
|
|
|
const missingScope = requireGatewayClientScopeForInternalChannel(params, {
|
|
label: "/approve",
|
|
allowedScopes: ["operator.approvals", "operator.admin"],
|
|
missingText: "❌ /approve requires operator.approvals for gateway clients.",
|
|
});
|
|
if (missingScope) {
|
|
return missingScope;
|
|
}
|
|
|
|
const resolvedBy = buildResolvedByLabel(params);
|
|
try {
|
|
await callGateway({
|
|
method: "exec.approval.resolve",
|
|
params: { id: parsed.id, decision: parsed.decision },
|
|
clientName: GATEWAY_CLIENT_NAMES.GATEWAY_CLIENT,
|
|
clientDisplayName: `Chat approval (${resolvedBy})`,
|
|
mode: GATEWAY_CLIENT_MODES.BACKEND,
|
|
});
|
|
} catch (err) {
|
|
return {
|
|
shouldContinue: false,
|
|
reply: {
|
|
text: `❌ Failed to submit approval: ${String(err)}`,
|
|
},
|
|
};
|
|
}
|
|
|
|
return {
|
|
shouldContinue: false,
|
|
reply: { text: `✅ Exec approval ${parsed.decision} submitted for ${parsed.id}.` },
|
|
};
|
|
};
|