perf: split telegram audit runtime seams

This commit is contained in:
Peter Steinberger
2026-03-22 00:51:26 +00:00
parent 465bd0cef1
commit 8b7f40580d
11 changed files with 77 additions and 31 deletions


@@ -0,0 +1 @@
export * from "./src/allow-from.js";


@@ -1,9 +1,11 @@
import {
isNumericTelegramUserId,
normalizeTelegramAllowFromEntry,
} from "../../../../extensions/telegram/allow-from.js";
import {
inspectTelegramAccount,
isNumericTelegramUserId,
listTelegramAccountIds,
lookupTelegramChatId,
normalizeTelegramAllowFromEntry,
} from "../../../../extensions/telegram/api.js";
import { resolveCommandSecretRefsViaGateway } from "../../../cli/command-secret-gateway.js";
import { getChannelsCommandSecretTargetIds } from "../../../cli/command-secret-targets.js";


@@ -7,6 +7,7 @@ const ROOT_DIR = resolve(dirname(fileURLToPath(import.meta.url)), "..");
const ALLOWED_EXTENSION_PUBLIC_SURFACES = new Set([
"action-runtime.runtime.js",
"action-runtime-api.js",
"allow-from.js",
"api.js",
"auth-presence.js",
"index.js",


@@ -81,7 +81,7 @@ export {
export {
isNumericTelegramUserId,
normalizeTelegramAllowFromEntry,
} from "../../../extensions/telegram/api.js";
} from "../../../extensions/telegram/allow-from.js";
export { fetchTelegramChatId, lookupTelegramChatId } from "../../../extensions/telegram/api.js";
export {
resolveTelegramInlineButtonsScope,


@@ -0,0 +1,5 @@
import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
export const auditChannelAllowFromRuntime = {
readChannelAllowFromStore,
};
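Review bot: auditChannelAllowFromRuntime is exported without a comment stating what the object is for; the audit-channel module consumes it through createLazyRuntimeSurface, so a short header such as `// Lazy-load seam consumed via createLazyRuntimeSurface: keep this module's imports minimal so deferring it actually defers the cost.` would record that contract for the next edit. The same applies to auditChannelDiscordRuntime, auditChannelTelegramRuntime and auditChannelZalouserRuntime in the sibling new files of this commit.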


@@ -0,0 +1,5 @@
import { isDiscordMutableAllowEntry } from "./mutable-allowlist-detectors.js";
export const auditChannelDiscordRuntime = {
isDiscordMutableAllowEntry,
};


@@ -1,17 +0,0 @@
import {
isNumericTelegramUserId,
normalizeTelegramAllowFromEntry,
} from "../../extensions/telegram/api.js";
import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
import {
isDiscordMutableAllowEntry,
isZalouserMutableGroupEntry,
} from "./mutable-allowlist-detectors.js";
export const auditChannelRuntime = {
readChannelAllowFromStore,
isDiscordMutableAllowEntry,
isZalouserMutableGroupEntry,
isNumericTelegramUserId,
normalizeTelegramAllowFromEntry,
};


@@ -0,0 +1,9 @@
import {
isNumericTelegramUserId,
normalizeTelegramAllowFromEntry,
} from "../../extensions/telegram/allow-from.js";
export const auditChannelTelegramRuntime = {
isNumericTelegramUserId,
normalizeTelegramAllowFromEntry,
};


@@ -16,9 +16,24 @@ import { normalizeStringEntries } from "../shared/string-normalization.js";
import type { SecurityAuditFinding, SecurityAuditSeverity } from "./audit.js";
import { resolveDmAllowState } from "./dm-policy-shared.js";
const loadAuditChannelRuntimeModule = createLazyRuntimeSurface(
() => import("./audit-channel.runtime.js"),
({ auditChannelRuntime }) => auditChannelRuntime,
const loadAuditChannelDiscordRuntimeModule = createLazyRuntimeSurface(
() => import("./audit-channel.discord.runtime.js"),
({ auditChannelDiscordRuntime }) => auditChannelDiscordRuntime,
);
const loadAuditChannelAllowFromRuntimeModule = createLazyRuntimeSurface(
() => import("./audit-channel.allow-from.runtime.js"),
({ auditChannelAllowFromRuntime }) => auditChannelAllowFromRuntime,
);
const loadAuditChannelTelegramRuntimeModule = createLazyRuntimeSurface(
() => import("./audit-channel.telegram.runtime.js"),
({ auditChannelTelegramRuntime }) => auditChannelTelegramRuntime,
);
const loadAuditChannelZalouserRuntimeModule = createLazyRuntimeSurface(
() => import("./audit-channel.zalouser.runtime.js"),
({ auditChannelZalouserRuntime }) => auditChannelZalouserRuntime,
);
function normalizeAllowFromList(list: Array<string | number> | undefined | null): string[] {
@@ -71,7 +86,7 @@ async function collectInvalidTelegramAllowFromEntries(params: {
return;
}
const { isNumericTelegramUserId, normalizeTelegramAllowFromEntry } =
await loadAuditChannelRuntimeModule();
await loadAuditChannelTelegramRuntimeModule();
for (const entry of params.entries) {
const normalized = normalizeTelegramAllowFromEntry(entry);
if (!normalized || normalized === "*") {
@@ -384,8 +399,8 @@ export async function collectChannelSecurityFindings(params: {
}
if (plugin.id === "discord") {
const { isDiscordMutableAllowEntry, readChannelAllowFromStore } =
await loadAuditChannelRuntimeModule();
const { isDiscordMutableAllowEntry } = await loadAuditChannelDiscordRuntimeModule();
const { readChannelAllowFromStore } = await loadAuditChannelAllowFromRuntimeModule();
const discordCfg =
(account as { config?: Record<string, unknown> } | null)?.config ??
({} as Record<string, unknown>);
@@ -555,7 +570,7 @@ export async function collectChannelSecurityFindings(params: {
}
if (plugin.id === "zalouser") {
const { isZalouserMutableGroupEntry } = await loadAuditChannelRuntimeModule();
const { isZalouserMutableGroupEntry } = await loadAuditChannelZalouserRuntimeModule();
const zalouserCfg =
(account as { config?: Record<string, unknown> } | null)?.config ??
({} as Record<string, unknown>);
@@ -596,7 +611,7 @@ export async function collectChannelSecurityFindings(params: {
}
if (plugin.id === "slack") {
const { readChannelAllowFromStore } = await loadAuditChannelRuntimeModule();
const { readChannelAllowFromStore } = await loadAuditChannelAllowFromRuntimeModule();
const slackCfg =
(account as { config?: Record<string, unknown>; dm?: Record<string, unknown> } | null)
?.config ?? ({} as Record<string, unknown>);
@@ -735,13 +750,13 @@ export async function collectChannelSecurityFindings(params: {
continue;
}
const { readChannelAllowFromStore } = await loadAuditChannelRuntimeModule();
const { readChannelAllowFromStore } = await loadAuditChannelAllowFromRuntimeModule();
const storeAllowFrom = await readChannelAllowFromStore(
"telegram",
process.env,
accountId,
).catch(() => []);
const storeHasWildcard = storeAllowFrom.some((v) => String(v).trim() === "*");
const storeHasWildcard = storeAllowFrom.some((value) => String(value).trim() === "*");
const invalidTelegramAllowFromEntries = new Set<string>();
await collectInvalidTelegramAllowFromEntries({
entries: storeAllowFrom,
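Review bot: The four new lazy seams at the top of the hunk (loadAuditChannelDiscordRuntimeModule through loadAuditChannelZalouserRuntimeModule) carry no comment saying why the single runtime was split, which the commit title gives as a load-time optimisation; a one-line header such as `// Per-channel lazy seams: each module is imported only when that channel is audited, so the telegram helpers are not loaded for unrelated channels.` would preserve that reasoning. In the discord branch the two loaders are awaited one after the other; `const [{ isDiscordMutableAllowEntry }, { readChannelAllowFromStore }] = await Promise.all([loadAuditChannelDiscordRuntimeModule(), loadAuditChannelAllowFromRuntimeModule()]);` keeps them independent, assuming createLazyRuntimeSurface does not already serialise them. In the telegram branch the pre-existing `.catch(() => [])` beside the relocated loader still maps a store-read failure to an empty allowlist, so an unreadable store is audited as if it had no entries; if that is intended, a comment saying so would stop a reader from mistaking it for a missed finding. collectChannelSecurityFindings and collectInvalidTelegramAllowFromEntries both start outside the hunk.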


@@ -0,0 +1,5 @@
import { isZalouserMutableGroupEntry } from "./mutable-allowlist-detectors.js";
export const auditChannelZalouserRuntime = {
isZalouserMutableGroupEntry,
};


@@ -57,7 +57,27 @@ function stubChannelPlugin(params: {
);
return enabled ? ["default"] : [];
}),
inspectAccount: params.inspectAccount,
inspectAccount:
params.inspectAccount ??
((cfg, accountId) => {
const resolvedAccountId =
typeof accountId === "string" && accountId ? accountId : "default";
let account: { config?: Record<string, unknown> } | undefined;
try {
account = params.resolveAccount(cfg, resolvedAccountId) as
| { config?: Record<string, unknown> }
| undefined;
} catch {
return null;
}
const config = account?.config ?? {};
return {
accountId: resolvedAccountId,
enabled: params.isEnabled?.(account, cfg) ?? true,
configured: params.isConfigured?.(account, cfg) ?? true,
config,
};
}),
resolveAccount: (cfg, accountId) => params.resolveAccount(cfg, accountId),
isEnabled: (account, cfg) => params.isEnabled?.(account, cfg) ?? true,
isConfigured: (account, cfg) => params.isConfigured?.(account, cfg) ?? true,
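Review bot: The default inspectAccount added at `inspectAccount:` wraps params.resolveAccount in a blanket `catch { return null; }`, so a fixture whose resolveAccount throws because of a test bug is reported as a missing account instead of failing the test; if the intent is only to mirror a plugin that yields null for unknown accounts, a comment such as `// Mirror plugin behaviour: a throwing resolveAccount is treated as "no such account".` would make that deliberate, otherwise let the error propagate. The `as { config?: … } | undefined` cast on the same call repeats the declared type of `account`; if params.resolveAccount already returns a compatible type the cast can be dropped, and if it returns unknown a runtime check is the safer narrowing. stubChannelPlugin starts before the hunk.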