refactor: share native approval delivery helpers

2026-04-24 07:01:49 +00:00 · 2026-03-30 07:15:23 +09:00
parent 5ef42fc856
commit f8dc4305a5
6 changed files with 259 additions and 71 deletions
--- a/docs/tools/exec-approvals.md
+++ b/docs/tools/exec-approvals.md
@@ -398,7 +398,7 @@ Microsoft Teams in addition to the existing Web UI and terminal UI flows.

 This shared text-command path uses the normal channel auth model for that conversation. If the
 originating chat can already send commands and receive replies, approval requests no longer need a
-separate channel-specific approval client just to stay pending.
+separate native delivery adapter just to stay pending.

 Discord and Telegram also support same-chat `/approve`, but those channels still use their
 resolved approver list for authorization even when native approval delivery is disabled.
--- a/extensions/discord/src/channel.ts
+++ b/extensions/discord/src/channel.ts
@@ -5,6 +5,7 @@ import {
  createNestedAllowlistOverrideResolver,
 } from "openclaw/plugin-sdk/allowlist-config-edit";
 import {
+  createApproverRestrictedNativeApprovalAdapter,
  buildPluginApprovalRequestMessage,
  buildPluginApprovalResolvedMessage,
  type PluginApprovalRequest,
@@ -299,20 +300,6 @@ function buildDiscordCrossContextComponents(params: {
  return [new DiscordUiContainer({ cfg: params.cfg, accountId: params.accountId, components })];
 }

-function hasDiscordExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
-  return listDiscordAccountIds(cfg).some((accountId) => {
-    const execApprovals = resolveDiscordAccount({ cfg, accountId }).config.execApprovals;
-    if (
-      !execApprovals?.enabled ||
-      getDiscordExecApprovalApprovers({ cfg, accountId }).length === 0
-    ) {
-      return false;
-    }
-    const target = execApprovals.target ?? "dm";
-    return target === "dm" || target === "both";
-  });
-}
-
 const resolveDiscordAllowlistGroupOverrides = createNestedAllowlistOverrideResolver({
  resolveRecord: (account: ResolvedDiscordAccount) => account.config.guilds,
  outerLabel: (guildKey) => `guild ${guildKey}`,
@@ -493,30 +480,25 @@ export const discordPlugin: ChannelPlugin<ResolvedDiscordAccount, DiscordProbe>
        },
      },
      execApprovals: {
-        authorizeCommand: ({ cfg, accountId, senderId, kind }) =>
-          isDiscordExecApprovalApprover({ cfg, accountId, senderId })
-            ? { authorized: true }
-            : {
-                authorized: false,
-                reason:
-                  kind === "plugin"
-                    ? "❌ You are not authorized to approve plugin requests on Discord."
-                    : "❌ You are not authorized to approve exec requests on Discord.",
-              },
-        getInitiatingSurfaceState: ({ cfg, accountId }) =>
-          getDiscordExecApprovalApprovers({ cfg, accountId }).length > 0
-            ? { kind: "enabled" }
-            : { kind: "disabled" },
+        ...createApproverRestrictedNativeApprovalAdapter({
+          channel: "discord",
+          channelLabel: "Discord",
+          listAccountIds: listDiscordAccountIds,
+          hasApprovers: ({ cfg, accountId }) =>
+            getDiscordExecApprovalApprovers({ cfg, accountId }).length > 0,
+          isExecAuthorizedSender: ({ cfg, accountId, senderId }) =>
+            isDiscordExecApprovalApprover({ cfg, accountId, senderId }),
+          isNativeDeliveryEnabled: ({ cfg, accountId }) =>
+            isDiscordExecApprovalClientEnabled({ cfg, accountId }),
+          resolveNativeDeliveryMode: ({ cfg, accountId }) =>
+            resolveDiscordAccount({ cfg, accountId }).config.execApprovals?.target ?? "dm",
+        }),
        shouldSuppressLocalPrompt: ({ cfg, accountId, payload }) =>
          shouldSuppressLocalDiscordExecApprovalPrompt({
            cfg,
            accountId,
            payload,
          }),
-        hasConfiguredDmRoute: ({ cfg }) => hasDiscordExecApprovalDmRoute(cfg),
-        shouldSuppressForwardingFallback: ({ cfg, target }) =>
-          (normalizeMessageChannel(target.channel) ?? target.channel) === "discord" &&
-          isDiscordExecApprovalClientEnabled({ cfg, accountId: target.accountId }),
        buildPluginPendingPayload: ({ cfg, request, target, nowMs }) => {
          const text = formatDiscordApprovalPreview(
            buildPluginApprovalRequestMessage(request, nowMs),
--- a/extensions/telegram/src/channel.ts
+++ b/extensions/telegram/src/channel.ts
@@ -2,7 +2,10 @@ import {
  buildDmGroupAccountAllowlistAdapter,
  createNestedAllowlistOverrideResolver,
 } from "openclaw/plugin-sdk/allowlist-config-edit";
-import { buildPluginApprovalRequestMessage } from "openclaw/plugin-sdk/approval-runtime";
+import {
+  buildPluginApprovalRequestMessage,
+  createApproverRestrictedNativeApprovalAdapter,
+} from "openclaw/plugin-sdk/approval-runtime";
 import { createPairingPrefixStripper } from "openclaw/plugin-sdk/channel-pairing";
 import { createAllowlistProviderRouteAllowlistWarningCollector } from "openclaw/plugin-sdk/channel-policy";
 import { attachChannelToResult } from "openclaw/plugin-sdk/channel-send-result";
@@ -47,10 +50,7 @@ import {
  listTelegramDirectoryGroupsFromConfig,
  listTelegramDirectoryPeersFromConfig,
 } from "./directory-config.js";
-import {
-  buildTelegramExecApprovalPendingPayload,
-  shouldSuppressTelegramExecApprovalForwardingFallback,
-} from "./exec-approval-forwarding.js";
+import { buildTelegramExecApprovalPendingPayload } from "./exec-approval-forwarding.js";
 import {
  getTelegramExecApprovalApprovers,
  isTelegramExecApprovalApprover,
@@ -325,16 +325,6 @@ function resolveTelegramOutboundSessionRoute(params: {
  };
 }

-function hasTelegramExecApprovalDmRoute(cfg: OpenClawConfig): boolean {
-  return listTelegramAccountIds(cfg).some((accountId) => {
-    if (!isTelegramExecApprovalClientEnabled({ cfg, accountId })) {
-      return false;
-    }
-    const target = resolveTelegramExecApprovalTarget({ cfg, accountId });
-    return target === "dm" || target === "both";
-  });
-}
-
 const telegramMessageActions: ChannelMessageActionAdapter = {
  describeMessageTool: (ctx) =>
    getTelegramRuntime().channel.telegram.messageActions?.describeMessageTool?.(ctx) ?? null,
@@ -460,29 +450,24 @@ export const telegramPlugin = createChatChannelPlugin({
      },
    },
    execApprovals: {
-      authorizeCommand: ({ cfg, accountId, senderId, kind }) => {
-        const params = { cfg, accountId, senderId };
-        const authorized =
-          kind === "plugin"
-            ? isTelegramExecApprovalApprover(params)
-            : isTelegramExecApprovalAuthorizedSender(params);
-        return authorized
-          ? { authorized: true }
-          : {
-              authorized: false,
-              reason:
-                kind === "plugin"
-                  ? "❌ You are not authorized to approve plugin requests on Telegram."
-                  : "❌ You are not authorized to approve exec requests on Telegram.",
-            };
-      },
-      getInitiatingSurfaceState: ({ cfg, accountId }) =>
-        getTelegramExecApprovalApprovers({ cfg, accountId }).length > 0
-          ? { kind: "enabled" }
-          : { kind: "disabled" },
-      hasConfiguredDmRoute: ({ cfg }) => hasTelegramExecApprovalDmRoute(cfg),
-      shouldSuppressForwardingFallback: (params) =>
-        shouldSuppressTelegramExecApprovalForwardingFallback(params),
+      ...createApproverRestrictedNativeApprovalAdapter({
+        channel: "telegram",
+        channelLabel: "Telegram",
+        listAccountIds: listTelegramAccountIds,
+        hasApprovers: ({ cfg, accountId }) =>
+          getTelegramExecApprovalApprovers({ cfg, accountId }).length > 0,
+        isExecAuthorizedSender: ({ cfg, accountId, senderId }) =>
+          isTelegramExecApprovalAuthorizedSender({ cfg, accountId, senderId }),
+        isPluginAuthorizedSender: ({ cfg, accountId, senderId }) =>
+          isTelegramExecApprovalApprover({ cfg, accountId, senderId }),
+        isNativeDeliveryEnabled: ({ cfg, accountId }) =>
+          isTelegramExecApprovalClientEnabled({ cfg, accountId }),
+        resolveNativeDeliveryMode: ({ cfg, accountId }) =>
+          resolveTelegramExecApprovalTarget({ cfg, accountId }),
+        requireMatchingTurnSourceChannel: true,
+        resolveSuppressionAccountId: ({ target, request }) =>
+          target.accountId?.trim() || request.request.turnSourceAccountId?.trim() || undefined,
+      }),
      buildPendingPayload: ({ request, nowMs }) =>
        buildTelegramExecApprovalPendingPayload({ request, nowMs }),
      beforeDeliverPending: async ({ cfg, target, payload }) => {
--- a/src/plugin-sdk/approval-delivery-helpers.test.ts
+++ b/src/plugin-sdk/approval-delivery-helpers.test.ts
@@ -0,0 +1,121 @@
+import { describe, expect, it, vi } from "vitest";
+import { createApproverRestrictedNativeApprovalAdapter } from "./approval-delivery-helpers.js";
+
+describe("createApproverRestrictedNativeApprovalAdapter", () => {
+  it("uses approver-restricted authorization for exec and plugin commands", () => {
+    const adapter = createApproverRestrictedNativeApprovalAdapter({
+      channel: "discord",
+      channelLabel: "Discord",
+      listAccountIds: () => ["work"],
+      hasApprovers: ({ accountId }) => accountId === "work",
+      isExecAuthorizedSender: ({ senderId }) => senderId === "exec-owner",
+      isPluginAuthorizedSender: ({ senderId }) => senderId === "plugin-owner",
+      isNativeDeliveryEnabled: () => true,
+      resolveNativeDeliveryMode: () => "dm",
+    });
+
+    expect(
+      adapter.authorizeCommand({
+        cfg: {} as never,
+        accountId: "work",
+        senderId: "exec-owner",
+        kind: "exec",
+      }),
+    ).toEqual({ authorized: true });
+
+    expect(
+      adapter.authorizeCommand({
+        cfg: {} as never,
+        accountId: "work",
+        senderId: "plugin-owner",
+        kind: "plugin",
+      }),
+    ).toEqual({ authorized: true });
+
+    expect(
+      adapter.authorizeCommand({
+        cfg: {} as never,
+        accountId: "work",
+        senderId: "someone-else",
+        kind: "plugin",
+      }),
+    ).toEqual({
+      authorized: false,
+      reason: "❌ You are not authorized to approve plugin requests on Discord.",
+    });
+  });
+
+  it("reports initiating-surface state and DM routing from configured approvers", () => {
+    const adapter = createApproverRestrictedNativeApprovalAdapter({
+      channel: "telegram",
+      channelLabel: "Telegram",
+      listAccountIds: () => ["dm-only", "channel-only", "disabled", "no-approvers"],
+      hasApprovers: ({ accountId }) => accountId !== "no-approvers",
+      isExecAuthorizedSender: () => true,
+      isNativeDeliveryEnabled: ({ accountId }) => accountId !== "disabled",
+      resolveNativeDeliveryMode: ({ accountId }) =>
+        accountId === "channel-only" ? "channel" : "dm",
+    });
+
+    expect(adapter.getInitiatingSurfaceState({ cfg: {} as never, accountId: "dm-only" })).toEqual({
+      kind: "enabled",
+    });
+    expect(
+      adapter.getInitiatingSurfaceState({ cfg: {} as never, accountId: "no-approvers" }),
+    ).toEqual({ kind: "disabled" });
+    expect(adapter.hasConfiguredDmRoute({ cfg: {} as never })).toBe(true);
+  });
+
+  it("suppresses forwarding fallback only for matching native-delivery surfaces", () => {
+    const isNativeDeliveryEnabled = vi.fn(
+      ({ accountId }: { accountId?: string | null }) => accountId === "topic-1",
+    );
+    const adapter = createApproverRestrictedNativeApprovalAdapter({
+      channel: "telegram",
+      channelLabel: "Telegram",
+      listAccountIds: () => [],
+      hasApprovers: () => true,
+      isExecAuthorizedSender: () => true,
+      isNativeDeliveryEnabled,
+      resolveNativeDeliveryMode: () => "both",
+      requireMatchingTurnSourceChannel: true,
+      resolveSuppressionAccountId: ({ request }) =>
+        request.request.turnSourceAccountId?.trim() || undefined,
+    });
+
+    expect(
+      adapter.shouldSuppressForwardingFallback({
+        cfg: {} as never,
+        target: { channel: "telegram" },
+        request: {
+          request: { turnSourceChannel: "telegram", turnSourceAccountId: " topic-1 " },
+        } as never,
+      }),
+    ).toBe(true);
+
+    expect(
+      adapter.shouldSuppressForwardingFallback({
+        cfg: {} as never,
+        target: { channel: "telegram" },
+        request: {
+          request: { turnSourceChannel: "slack", turnSourceAccountId: "topic-1" },
+        } as never,
+      }),
+    ).toBe(false);
+
+    expect(
+      adapter.shouldSuppressForwardingFallback({
+        cfg: {} as never,
+        target: { channel: "slack" },
+        request: {
+          request: { turnSourceChannel: "telegram", turnSourceAccountId: "topic-1" },
+        } as never,
+      }),
+    ).toBe(false);
+
+    expect(isNativeDeliveryEnabled).toHaveBeenCalledWith({
+      cfg: {} as never,
+      accountId: "topic-1",
+    });
+  });
+});
--- a/src/plugin-sdk/approval-delivery-helpers.ts
+++ b/src/plugin-sdk/approval-delivery-helpers.ts
@@ -0,0 +1,99 @@
+import type { OpenClawConfig } from "./config-runtime.js";
+import { normalizeMessageChannel } from "./routing.js";
+
+type ApprovalKind = "exec" | "plugin";
+type NativeApprovalDeliveryMode = "dm" | "channel" | "both";
+
+type ApprovalAdapterParams = {
+  cfg: OpenClawConfig;
+  accountId?: string | null;
+  senderId?: string | null;
+};
+
+type DeliverySuppressionParams = {
+  cfg: OpenClawConfig;
+  target: { channel: string; accountId?: string | null };
+  request: { request: { turnSourceChannel?: string | null; turnSourceAccountId?: string | null } };
+};
+
+export function createApproverRestrictedNativeApprovalAdapter(params: {
+  channel: string;
+  channelLabel: string;
+  listAccountIds: (cfg: OpenClawConfig) => string[];
+  hasApprovers: (params: ApprovalAdapterParams) => boolean;
+  isExecAuthorizedSender: (params: ApprovalAdapterParams) => boolean;
+  isPluginAuthorizedSender?: (params: ApprovalAdapterParams) => boolean;
+  isNativeDeliveryEnabled: (params: { cfg: OpenClawConfig; accountId?: string | null }) => boolean;
+  resolveNativeDeliveryMode: (params: {
+    cfg: OpenClawConfig;
+    accountId?: string | null;
+  }) => NativeApprovalDeliveryMode;
+  requireMatchingTurnSourceChannel?: boolean;
+  resolveSuppressionAccountId?: (params: DeliverySuppressionParams) => string | undefined;
+}) {
+  const pluginSenderAuth = params.isPluginAuthorizedSender ?? params.isExecAuthorizedSender;
+
+  return {
+    authorizeCommand: ({
+      cfg,
+      accountId,
+      senderId,
+      kind,
+    }: {
+      cfg: OpenClawConfig;
+      accountId?: string | null;
+      senderId?: string | null;
+      kind: ApprovalKind;
+    }) => {
+      const authorized =
+        kind === "plugin"
+          ? pluginSenderAuth({ cfg, accountId, senderId })
+          : params.isExecAuthorizedSender({ cfg, accountId, senderId });
+      return authorized
+        ? { authorized: true }
+        : {
+            authorized: false,
+            reason: `❌ You are not authorized to approve ${kind} requests on ${params.channelLabel}.`,
+          };
+    },
+    getInitiatingSurfaceState: ({
+      cfg,
+      accountId,
+    }: {
+      cfg: OpenClawConfig;
+      accountId?: string | null;
+    }) =>
+      params.hasApprovers({ cfg, accountId })
+        ? ({ kind: "enabled" } as const)
+        : ({ kind: "disabled" } as const),
+    hasConfiguredDmRoute: ({ cfg }: { cfg: OpenClawConfig }) =>
+      params.listAccountIds(cfg).some((accountId) => {
+        if (!params.hasApprovers({ cfg, accountId })) {
+          return false;
+        }
+        if (!params.isNativeDeliveryEnabled({ cfg, accountId })) {
+          return false;
+        }
+        const target = params.resolveNativeDeliveryMode({ cfg, accountId });
+        return target === "dm" || target === "both";
+      }),
+    shouldSuppressForwardingFallback: (input: DeliverySuppressionParams) => {
+      const channel = normalizeMessageChannel(input.target.channel) ?? input.target.channel;
+      if (channel !== params.channel) {
+        return false;
+      }
+      if (params.requireMatchingTurnSourceChannel) {
+        const turnSourceChannel = normalizeMessageChannel(input.request.request.turnSourceChannel);
+        if (turnSourceChannel !== params.channel) {
+          return false;
+        }
+      }
+      const resolvedAccountId = params.resolveSuppressionAccountId?.(input);
+      const accountId =
+        (resolvedAccountId === undefined
+          ? input.target.accountId?.trim()
+          : resolvedAccountId.trim()) || undefined;
+      return params.isNativeDeliveryEnabled({ cfg: input.cfg, accountId });
+    },
+  };
+}
--- a/src/plugin-sdk/approval-runtime.ts
+++ b/src/plugin-sdk/approval-runtime.ts
@@ -31,3 +31,4 @@ export {
  type PluginApprovalRequestPayload,
  type PluginApprovalResolved,
 } from "../infra/plugin-approvals.js";
+export { createApproverRestrictedNativeApprovalAdapter } from "./approval-delivery-helpers.js";