
fix(telegram): respect plugin requireAuth:false for callback_query in DMs#28663

Closed
kilhyeonjun wants to merge 2 commits into
openclaw:mainfrom
kilhyeonjun:fix/callback-query-plugin-requireauth

Conversation

@kilhyeonjun


Summary

Fixes #28659

When inlineButtonsScope is "allowlist" (default), the callback_query handler enforces DM authorization regardless of the target plugin command's requireAuth setting. This causes inline buttons to silently fail in DMs for plugins that set requireAuth: false, even though the same command works when typed manually.

Root Cause

In bot-handlers.ts, the callback_query handler resolves authorizationMode based solely on inlineButtonsScope:

const authorizationMode = inlineButtonsScope === "allowlist" ? "callback-allowlist" : "callback-scope";

For callback-allowlist mode, enforceDirectAuthorization: true requires DM senders to pass the pairing/allowlist check. But plugin commands registered with requireAuth: false intentionally opt out of auth — typed /command in DM works because resolveTelegramCommandAuth skips the check when requireAuth: false.

The disconnect: callback_query ignores the plugin's auth setting, blocking inline buttons that the plugin explicitly made public.

Fix

Before the auth check, look up whether the callback data matches a plugin command with requireAuth: false. If so, relax from callback-allowlist to callback-scope mode (which skips DM authorization but still enforces group policy via shouldSkipGroupMessage).

if (authorizationMode === "callback-allowlist" && data.startsWith("/")) {
  const pluginMatch = matchPluginCommand(data);
  if (pluginMatch?.command.requireAuth === false) {
    authorizationMode = "callback-scope";
  }
}

Scope

  • Only affects plugin commands that explicitly set requireAuth: false
  • Only relaxes from callback-allowlist to callback-scope (group policy still enforced)
  • No change to behavior for requireAuth: true (default) plugin commands
  • No change to non-plugin callback_query handling (pagination, model selection)
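The before/after resolution of the callback_query authorization mode that the description above walks through, as an added example that is not the project's code: `matchPluginCommand` is the name used on the page, while the `PLUGIN_COMMANDS` registry, `resolveCallbackAuthModeBefore`, `resolveCallbackAuthMode` and `enforceDirectAuthorization` are hypothetical names for this illustration.

```typescript
// Added example (not the project's code): resolution of the callback_query
// authorization mode before and after the fix described in the PR above.
// matchPluginCommand is named on the page; the other names here are hypothetical.

type AuthorizationMode = "callback-allowlist" | "callback-scope";

interface PluginCommand {
  name: string;          // e.g. "status" for "/status"
  requireAuth?: boolean; // undefined means default (true): auth required
}

// Constructed plugin registry for this example.
const PLUGIN_COMMANDS: PluginCommand[] = [
  { name: "status", requireAuth: false }, // plugin explicitly opted out of auth
  { name: "admin", requireAuth: true },
  { name: "notes" },                      // default: auth required
];

// Stand-in for the page's matchPluginCommand: "/status" or "/status 42" match "status".
function matchPluginCommand(data: string): { command: PluginCommand } | undefined {
  const token = data.slice(1).split(/\s+/)[0].toLowerCase();
  const command = PLUGIN_COMMANDS.find((c) => c.name === token);
  return command ? { command } : undefined;
}

// Pre-fix: the mode depends only on inlineButtonsScope, so a DM sender is
// checked against the allowlist even for a public plugin command.
function resolveCallbackAuthModeBefore(inlineButtonsScope: string): AuthorizationMode {
  return inlineButtonsScope === "allowlist" ? "callback-allowlist" : "callback-scope";
}

// Post-fix: relax to callback-scope only when the callback data is a plugin
// command that explicitly set requireAuth: false; anything else keeps the strict mode.
function resolveCallbackAuthMode(inlineButtonsScope: string, data: string): AuthorizationMode {
  let authorizationMode = resolveCallbackAuthModeBefore(inlineButtonsScope);
  if (authorizationMode === "callback-allowlist" && data.startsWith("/")) {
    const pluginMatch = matchPluginCommand(data);
    if (pluginMatch?.command.requireAuth === false) {
      authorizationMode = "callback-scope";
    }
  }
  return authorizationMode;
}

// Whether a DM sender must pass the pairing/allowlist check in the given mode
// (group policy is enforced separately in both modes).
function enforceDirectAuthorization(mode: AuthorizationMode): boolean {
  return mode === "callback-allowlist";
}
```

Non-command callbacks such as pagination data never reach the plugin lookup, and a command whose `requireAuth` is left at its default stays in the strict mode.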

… DMs

When inlineButtonsScope is 'allowlist' (default), callback_query handler
enforces DM authorization regardless of the target plugin command's
requireAuth setting. This causes inline buttons to silently fail in DMs
for plugins that set requireAuth: false, even though the same command
works when typed manually.

Check if callback data matches a plugin command with requireAuth: false
and relax to callback-scope mode, matching typed-command auth behavior.

Fixes openclaw#28659
@openclaw-barnacle openclaw-barnacle Bot added channel: telegram Channel integration: telegram size: XS labels Feb 27, 2026
@greptile-apps

greptile-apps Bot commented Feb 27, 2026


Greptile Summary

Fixes inline buttons failing in DMs for plugins with requireAuth: false. The fix correctly relaxes callback authorization from callback-allowlist to callback-scope when the callback data matches a plugin command that explicitly opts out of auth. This makes inline button behavior consistent with typed commands - both now respect the plugin's requireAuth setting.

Key Changes:

  • Added matchPluginCommand lookup before auth check to determine if callback is for a requireAuth: false plugin
  • Changed authorizationMode from const to let to allow conditional relaxation
  • Group policy enforcement remains intact via shouldSkipGroupMessage

Scope:

  • Only affects callbacks starting with "/" (plugin commands)
  • Only relaxes auth for plugins with explicit requireAuth: false
  • Non-plugin callbacks (pagination, model selection) unaffected

Confidence Score: 5/5

  • Safe to merge - fix is well-scoped and maintains security boundaries
  • The fix correctly addresses a DM authorization inconsistency for plugin commands. The logic is sound: it only relaxes auth for plugins that explicitly opt out via requireAuth: false, group policy remains enforced, and the behavior now matches typed commands. The implementation is clean, well-commented, and handles edge cases properly (non-command callbacks unaffected, requireAuth defaults handled correctly).
  • No files require special attention

Last reviewed commit: 65f864e

@openclaw-barnacle


This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

@openclaw-barnacle openclaw-barnacle Bot added the stale Marked as stale due to inactivity label Mar 5, 2026
@openclaw-barnacle openclaw-barnacle Bot removed the stale Marked as stale due to inactivity label Mar 27, 2026
@openclaw-barnacle


This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

@openclaw-barnacle openclaw-barnacle Bot added the stale Marked as stale due to inactivity label Apr 3, 2026
@openclaw-barnacle


Closing due to inactivity.
If you believe this PR should be revived, post in #pr-thunderdome-dangerzone on Discord to talk to a maintainer.
That channel is the escape hatch for high-quality PRs that get auto-closed.

@openclaw-barnacle openclaw-barnacle Bot closed this Apr 7, 2026
Development

Successfully merging this pull request may close these issues.

[Bug]: Plugin registerCommand handler not invoked for Telegram inline button callback_query in DMs