import { isTelegramExecApprovalApprover, isTelegramExecApprovalClientEnabled, } from "../../../extensions/telegram/api.js"; import { callGateway } from "../../gateway/call.js"; import { logVerbose } from "../../globals.js"; import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../../utils/message-channel.js"; import { requireGatewayClientScopeForInternalChannel } from "./command-gates.js"; import type { CommandHandler } from "./commands-types.js"; const COMMAND_REGEX = /^\/approve(?:\s|$)/i; const FOREIGN_COMMAND_MENTION_REGEX = /^\/approve@([^\s]+)(?:\s|$)/i; const DECISION_ALIASES: Record = { allow: "allow-once", once: "allow-once", "allow-once": "allow-once", allowonce: "allow-once", always: "allow-always", "allow-always": "allow-always", allowalways: "allow-always", deny: "deny", reject: "deny", block: "deny", }; type ParsedApproveCommand = | { ok: true; id: string; decision: "allow-once" | "allow-always" | "deny" } | { ok: false; error: string }; function parseApproveCommand(raw: string): ParsedApproveCommand | null { const trimmed = raw.trim(); if (FOREIGN_COMMAND_MENTION_REGEX.test(trimmed)) { return { ok: false, error: "❌ This /approve command targets a different Telegram bot." }; } const commandMatch = trimmed.match(COMMAND_REGEX); if (!commandMatch) { return null; } const rest = trimmed.slice(commandMatch[0].length).trim(); if (!rest) { return { ok: false, error: "Usage: /approve allow-once|allow-always|deny" }; } const tokens = rest.split(/\s+/).filter(Boolean); if (tokens.length < 2) { return { ok: false, error: "Usage: /approve allow-once|allow-always|deny" }; } const first = tokens[0].toLowerCase(); const second = tokens[1].toLowerCase(); if (DECISION_ALIASES[first]) { return { ok: true, decision: DECISION_ALIASES[first], id: tokens.slice(1).join(" ").trim(), }; } if (DECISION_ALIASES[second]) { return { ok: true, decision: DECISION_ALIASES[second], id: tokens[0], }; } return { ok: false, error: "Usage: /approve allow-once|allow-always|deny" }; } function buildResolvedByLabel(params: Parameters[0]): string { const channel = params.command.channel; const sender = params.command.senderId ?? "unknown"; return `${channel}:${sender}`; } export const handleApproveCommand: CommandHandler = async (params, allowTextCommands) => { if (!allowTextCommands) { return null; } const normalized = params.command.commandBodyNormalized; const parsed = parseApproveCommand(normalized); if (!parsed) { return null; } if (!params.command.isAuthorizedSender) { logVerbose( `Ignoring /approve from unauthorized sender: ${params.command.senderId || ""}`, ); return { shouldContinue: false }; } if (!parsed.ok) { return { shouldContinue: false, reply: { text: parsed.error } }; } if (params.command.channel === "telegram") { if ( !isTelegramExecApprovalClientEnabled({ cfg: params.cfg, accountId: params.ctx.AccountId }) ) { return { shouldContinue: false, reply: { text: "❌ Telegram exec approvals are not enabled for this bot account." }, }; } if ( !isTelegramExecApprovalApprover({ cfg: params.cfg, accountId: params.ctx.AccountId, senderId: params.command.senderId, }) ) { return { shouldContinue: false, reply: { text: "❌ You are not authorized to approve exec requests on Telegram." }, }; } } const missingScope = requireGatewayClientScopeForInternalChannel(params, { label: "/approve", allowedScopes: ["operator.approvals", "operator.admin"], missingText: "❌ /approve requires operator.approvals for gateway clients.", }); if (missingScope) { return missingScope; } const resolvedBy = buildResolvedByLabel(params); try { await callGateway({ method: "exec.approval.resolve", params: { id: parsed.id, decision: parsed.decision }, clientName: GATEWAY_CLIENT_NAMES.GATEWAY_CLIENT, clientDisplayName: `Chat approval (${resolvedBy})`, mode: GATEWAY_CLIENT_MODES.BACKEND, }); } catch (err) { return { shouldContinue: false, reply: { text: `❌ Failed to submit approval: ${String(err)}`, }, }; } return { shouldContinue: false, reply: { text: `✅ Exec approval ${parsed.decision} submitted for ${parsed.id}.` }, }; };