fix(exec): harden approval auth and account routing

[scoootscooob]

Summary

• require explicit channel approval authorization before /approve bypasses normal sender auth
• scope Telegram plugin approvals to the originating account and tighten native origin-target validation for Telegram and Discord
• harden the shared approval runtime with payload validation, bounded pending approvals, and safe async error handling
• stop leaking raw Telegram approval callback errors back into chat

Issues

Related: #57460

Testing

• pnpm test -- src/infra/channel-approval-auth.test.ts src/auto-reply/reply/commands.test.ts extensions/telegram/src/exec-approval-resolver.test.ts extensions/telegram/src/bot.test.ts extensions/telegram/src/exec-approvals-handler.test.ts src/infra/exec-approval-channel-runtime.test.ts extensions/discord/src/monitor/exec-approvals.test.ts
• pnpm check
• pnpm build

[aisle-research-bot]

🔒 Aisle Security Analysis

✅ We scanned this PR and did not find any security vulnerabilities.

_{Aisle supplements but does not replace security review.}

---

Analyzed PR: #57650 at commit 5fda7a3

_{Last updated on: 2026-03-30T15:55:42Z}

[greptile-apps]

Greptile Summary

This PR hardens the approval authentication and routing layer across several dimensions: it closes an authorization bypass in the /approve command by requiring explicit channel-level approval authorization (not just the default pass-through), gates the Telegram plugin.approval.resolve fallback behind a new allowPluginFallback flag, scopes Telegram plugin approval delivery to the originating account, tightens origin-target cross-validation for both Telegram and Discord native approvals, and makes the shared approval channel runtime more robust with payload validation, a bounded pending-approvals map, and safe async error handling.

Key changes:

• channel-approval-auth.ts: New explicit field distinguishes a real channel decision from the implicit { authorized: true } default; callers now have enough signal to require affirmative authorization.
• commands-approve.ts: Gate changed from !authorized to !(explicit && authorized) — the implicit default no longer serves as a bypass for non-isAuthorizedSender callers.
• exec-approval-resolver.ts: allowPluginFallback must be explicitly true for the plugin.approval.resolve retry to be attempted; a "not found" error no longer silently escalates.
• bot-handlers.runtime.ts: allowPluginFallback is wired to whether the sender is a known plugin approver; raw gateway error strings are replaced with a sanitized message.
• exec-approvals-handler.ts: resolveBoundTelegramAccountId prevents cross-account plugin approval delivery via a new filter in matchesFilters.
• exec-approval-channel-runtime.ts: Incoming gateway event payloads are validated before processing; pending approvals are capped at 1 000 entries / 30-minute TTL; void promise is replaced with a spawn helper that logs rejections.
• approval-native.ts (Telegram & Discord): Origin-target resolution now validates account-ID and channel-target consistency across both turn-source and session-key sources.

Confidence Score: 5/5

Safe to merge — changes are well-scoped security hardening with comprehensive test coverage and no identified P0/P1 issues.

All changed logic is covered by new unit tests, the security fixes are straightforward and correctly implemented, and no P0/P1 defects were found during review.

No files require special attention.

Important Files Changed

Filename	Overview
src/infra/channel-approval-auth.ts	Adds explicit field to ApprovalCommandAuthorization; returns explicit: false when no channel plugin resolves the authorization, explicit: true when one explicitly does.
src/auto-reply/reply/commands-approve.ts	Fixes the core bypass: the /approve gate now requires explicit && authorized instead of just authorized, so the implicit default no longer lets non-isAuthorizedSender callers through.
src/infra/exec-approval-channel-runtime.ts	Hardens the shared runtime: adds payload schema validation, caps pending approvals at 1000 with a 30-minute TTL, and replaces silent void promise patterns with a spawn helper that logs errors.
extensions/telegram/src/exec-approval-resolver.ts	Gates the plugin.approval.resolve fallback behind an explicit allowPluginFallback flag; a 'not found' error now propagates rather than silently retrying via the plugin endpoint.
extensions/telegram/src/bot-handlers.runtime.ts	Pre-evaluates both approver checks, passes allowPluginFallback: pluginApprovalAuthorizedSender to the resolver, and replaces raw error strings with a sanitized user-facing message.
extensions/telegram/src/approval-native.ts	Splits origin resolution into two functions, adds telegramTargetsMatch cross-validation, and propagates accountId to enable per-account scoping.
extensions/discord/src/approval-native.ts	Tightens Discord origin-target resolution: validates accountId consistency between turn source, session target, and the requesting account, and rejects channel-ID mismatches.
extensions/telegram/src/exec-approvals-handler.ts	Adds resolveBoundTelegramAccountId and uses it in matchesFilters to prevent cross-account plugin approval delivery.

_{Reviews (1): Last reviewed commit: "test(exec): drop unused commands import" | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7eb063e70e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e1b6fe62f7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9b048c63f7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

openclaw/extensions/telegram/src/exec-approvals-handler.ts

Line 241 in 5fda7a3

const approvalKind: ApprovalKind = request.id.startsWith("plugin:") ? "plugin" : "exec";

Infer plugin approvals from payload instead of ID prefix

deliverRequested classifies approval kind only via request.id.startsWith("plugin:"), so legacy plugin approvals that use unprefixed IDs are treated as exec approvals. In that case this path builds an exec payload from a plugin request object, which drops plugin title/description context and can render misleading blank command prompts. Since this change also introduces legacy unprefixed-plugin resolve fallback, request-kind detection should use request shape (or event kind) rather than ID prefix.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[scoootscooob]

Superseded by the reviewable split here:

• refactor(exec): unify channel approvals and restore routing/auth #57838
• fix(exec): harden shell-side approval guardrails #57839

Closing this stacked PR so the approval work only has two active review surfaces: one main approval/runtime/routing/auth PR and one shell /approve hardening PR.