@nordbyte/nordrelay 0.5.1 → 0.6.0

package/dist/runtime-cache.js

@@ -0,0 +1,57 @@
+export class RuntimeSnapshotCache {
+    entries = new Map();
+    async get(key, ttlMs, producer) {
+        const now = Date.now();
+        const entry = this.entries.get(key);
+        const hasFreshValue = entry?.value !== undefined && ttlMs > 0 && now - entry.refreshedAt <= ttlMs;
+        if (hasFreshValue) {
+            return {
+                value: entry.value,
+                refreshedAt: new Date(entry.refreshedAt).toISOString(),
+                stale: false,
+            };
+        }
+        if (entry?.value !== undefined) {
+            if (!entry.refresh) {
+                entry.refresh = producer()
+                    .then((value) => {
+                    entry.value = value;
+                    entry.refreshedAt = Date.now();
+                    return value;
+                })
+                    .catch(() => entry.value)
+                    .finally(() => {
+                    entry.refresh = undefined;
+                });
+            }
+            return {
+                value: entry.value,
+                refreshedAt: new Date(entry.refreshedAt).toISOString(),
+                stale: true,
+            };
+        }
+        const pending = entry?.refresh ?? producer();
+        this.entries.set(key, { refresh: pending, refreshedAt: now });
+        try {
+            const value = await pending;
+            const refreshedAt = Date.now();
+            this.entries.set(key, { value, refreshedAt });
+            return {
+                value,
+                refreshedAt: new Date(refreshedAt).toISOString(),
+                stale: false,
+            };
+        }
+        catch (error) {
+            this.entries.delete(key);
+            throw error;
+        }
+    }
+    invalidate(key) {
+        if (key) {
+            this.entries.delete(key);
+            return;
+        }
+        this.entries.clear();
+    }
+}

package/dist/session-locks.js

@@ -22,14 +22,17 @@ export class SessionLockStore {
         }
         return lock;
     }
-    set(contextKey, ownerId, ownerName, ttlMs) {
+    set(contextKey, owner, ttlMs) {
         const payload = this.readPayload();
+        const now = Date.now();
         const lock = {
             contextKey,
-            ownerId,
-            ownerName,
-            createdAt: Date.now(),
-            expiresAt: ttlMs > 0 ? Date.now() + ttlMs : undefined,
+            ownerUserId: owner.userId,
+            ownerLabel: owner.label,
+            ownerChannel: owner.channel,
+            ownerChannelUserId: owner.channelUserId,
+            createdAt: now,
+            expiresAt: ttlMs > 0 ? now + ttlMs : undefined,
         };
         payload.locks[contextKey] = lock;
         this.store.write(payload);
@@ -67,7 +70,7 @@ export function canWriteWithLock(lock, userId, isAdmin) {
     if (!lock) {
         return true;
     }
-    return isAdmin || userId === lock.ownerId;
+    return isAdmin || Boolean(userId && userId === lock.ownerUserId);
 }
 function isSessionLock(value) {
     if (!value || typeof value !== "object" || Array.isArray(value)) {
@@ -75,7 +78,7 @@ function isSessionLock(value) {
     }
     const candidate = value;
     return typeof candidate.contextKey === "string" &&
-        Number.isInteger(candidate.ownerId) &&
+        typeof candidate.ownerUserId === "string" &&
         typeof candidate.createdAt === "number" &&
         (candidate.expiresAt === undefined || typeof candidate.expiresAt === "number");
 }

package/dist/state-backend.js

@@ -79,5 +79,8 @@ function tryCreateSqliteDocumentStore(options) {
                 "ON CONFLICT(key) DO UPDATE SET json = excluded.json, updated_at = excluded.updated_at",
             ].join(" ")).run(options.sqliteKey, JSON.stringify(value), new Date().toISOString());
         },
+        close() {
+            db.close();
+        },
     };
 }

package/dist/support-bundle.js

@@ -118,6 +118,7 @@ function relevantEnvironment() {
     const prefixes = [
         "NORDRELAY_",
         "TELEGRAM_",
+        "DISCORD_",
         "CODEX_",
         "PI_",
         "HERMES_",
@@ -178,7 +179,8 @@ function systemInfo() {
     };
 }
 function detectNpmVersion(npm) {
-    const result = spawnSync(npm.command, [...npm.argsPrefix, "--version"], {
+    const args = [...npm.argsPrefix, "--version"];
+    const result = spawnSync(npm.shell ? formatShellCommand(npm.command, args) : npm.command, npm.shell ? [] : args, {
         encoding: "utf8",
         shell: npm.shell,
         timeout: 3000,
@@ -189,6 +191,21 @@ function detectNpmVersion(npm) {
     }
     return String(result.stdout || "").trim() || null;
 }
+function formatShellCommand(command, args) {
+    return [command, ...args].map(quoteWindowsCmdArg).join(" ");
+}
+function quoteWindowsCmdArg(value) {
+    if (value.length === 0) {
+        return "\"\"";
+    }
+    if (!/[\s"&|<>()^%]/.test(value)) {
+        return value;
+    }
+    return `"${value
+        .replace(/%/g, "%%")
+        .replace(/(\\*)"/g, '$1$1\\"')
+        .replace(/(\\+)$/g, "$1$1")}"`;
+}
 function formatTimestamp(date) {
     return [
         date.getFullYear(),

package/dist/telegram-access-commands.js

@@ -29,6 +29,7 @@ export function registerTelegramAccessCommands(deps) {
                 action: "auth_login_failed",
                 status: "denied",
                 contextKey: String(ctx.chat.id),
+                actor: telegramAuditActor(ctx),
                 actorId: ctx.from.id,
                 description: "Telegram link rate limited",
                 detail: `${seconds}s retry-after`,
@@ -51,7 +52,8 @@ export function registerTelegramAccessCommands(deps) {
                 action: "telegram_linked",
                 status: "ok",
                 contextKey: String(ctx.chat.id),
-                actorId: ctx.from.id,
+                actor: telegramAuditActor(ctx, linked),
+                actorId: linked.user.id,
                 actorRole: linked.groups.map((group) => group.name).join(", "),
                 description: `Linked ${linked.user.email}`,
             });
@@ -65,6 +67,7 @@ export function registerTelegramAccessCommands(deps) {
                 action: "auth_login_failed",
                 status: "failed",
                 contextKey: String(ctx.chat.id),
+                actor: telegramAuditActor(ctx),
                 actorId: ctx.from.id,
                 description: "Telegram link failed",
                 detail: message,
@@ -112,7 +115,8 @@ export function registerTelegramAccessCommands(deps) {
             action: "telegram_chat_updated",
             status: "ok",
             contextKey: String(ctx.chat.id),
-            actorId: ctx.from?.id,
+            actor: telegramAuditActor(ctx, authUser),
+            actorId: authUser.user.id,
             actorRole: getUserRole(ctx),
             description: `Registered Telegram chat ${chat.chatId}`,
         });
@@ -121,3 +125,12 @@ export function registerTelegramAccessCommands(deps) {
         });
     });
 }
+function telegramAuditActor(ctx, authUser) {
+    return {
+        channel: "telegram",
+        id: authUser?.user.id ?? (ctx.from?.id !== undefined ? `telegram:${ctx.from.id}` : undefined),
+        label: authUser?.user.displayName || authUser?.user.email || ctx.from?.username || (ctx.from?.id !== undefined ? String(ctx.from.id) : undefined),
+        username: authUser?.user.email ?? ctx.from?.username,
+        channelUserId: ctx.from?.id !== undefined ? String(ctx.from.id) : undefined,
+    };
+}

package/dist/telegram-access-middleware.js

@@ -31,6 +31,7 @@ export function createTelegramAccessMiddleware(options) {
                 action: "permission_denied",
                 status: "denied",
                 contextKey: typeof chatId === "number" ? String(chatId) : "telegram",
+                actor: telegramAuditActor(ctx),
                 actorId: fromId,
                 description: "Telegram account is not linked",
             });
@@ -50,7 +51,8 @@ export function createTelegramAccessMiddleware(options) {
                 action: "permission_denied",
                 status: "denied",
                 contextKey: typeof chatId === "number" ? String(chatId) : "telegram",
-                actorId: fromId,
+                actor: telegramAuditActor(ctx, authUser),
+                actorId: authUser.user.id,
                 actorRole: getUserRole(contextUsers, ctx),
                 description: "Telegram chat is not enabled or outside user scope",
             });
@@ -69,7 +71,8 @@ export function createTelegramAccessMiddleware(options) {
                 action: "permission_denied",
                 status: "denied",
                 contextKey: typeof chatId === "number" ? String(chatId) : "telegram",
-                actorId: fromId,
+                actor: telegramAuditActor(ctx, authUser),
+                actorId: authUser.user.id,
                 actorRole: getUserRole(contextUsers, ctx),
                 description: commandName ? `Unsupported command /${commandName}` : "Unsupported callback",
             });
@@ -87,7 +90,8 @@ export function createTelegramAccessMiddleware(options) {
                 action: "permission_denied",
                 status: "denied",
                 contextKey: typeof chatId === "number" ? String(chatId) : "telegram",
-                actorId: fromId,
+                actor: telegramAuditActor(ctx, authUser),
+                actorId: authUser.user.id,
                 actorRole: getUserRole(contextUsers, ctx),
                 description: `${permission} required`,
             });
@@ -102,6 +106,15 @@ export function createTelegramAccessMiddleware(options) {
         await next();
     };
 }
+function telegramAuditActor(ctx, authUser) {
+    return {
+        channel: "telegram",
+        id: authUser?.user.id ?? (ctx.from?.id !== undefined ? `telegram:${ctx.from.id}` : undefined),
+        label: authUser?.user.displayName || authUser?.user.email || ctx.from?.username || (ctx.from?.id !== undefined ? String(ctx.from.id) : undefined),
+        username: authUser?.user.email ?? ctx.from?.username,
+        channelUserId: ctx.from?.id !== undefined ? String(ctx.from.id) : undefined,
+    };
+}
 function getUserRole(contextUsers, ctx) {
     const authUser = contextUsers.get(ctx);
     return authUser?.groups.map((group) => group.name).join(", ") || "unauthenticated";

package/dist/telegram-agent-commands.js

@@ -99,6 +99,14 @@ export function registerTelegramAgentCommands(options) {
             return;
         }
         const result = await options.startAgentLogin(info);
+        options.appendActivity?.(ctx, {
+            status: result.success ? "info" : "failed",
+            type: result.success ? "login_started" : "login_failed",
+            threadId: info?.threadId ?? null,
+            workspace: info?.workspace,
+            agentId: options.agentIdForAuth(info),
+            detail: redactText(result.message),
+        });
         if (result.success) {
             await safeReply(ctx, `<b>🔑 Login initiated.</b>\n\n<code>${escapeHTML(redactText(result.message))}</code>`, {
                 fallbackText: `🔑 Login initiated.\n\n${redactText(result.message)}`,
@@ -156,6 +164,14 @@ export function registerTelegramAgentCommands(options) {
             return;
         }
         const result = await options.startAgentLogout(info);
+        options.appendActivity?.(ctx, {
+            status: result.success ? "info" : "failed",
+            type: result.success ? "logout_completed" : "logout_failed",
+            threadId: info?.threadId ?? null,
+            workspace: info?.workspace,
+            agentId: options.agentIdForAuth(info),
+            detail: redactText(result.message),
+        });
         if (result.success) {
             await safeReply(ctx, `<b>🔓 Logged out.</b>\n\n${escapeHTML(redactText(result.message))}`, {
                 fallbackText: `🔓 Logged out.\n\n${redactText(result.message)}`,
@@ -189,6 +205,15 @@ export function registerTelegramAgentCommands(options) {
         try {
             const session = await options.registry.switchAgent(contextKey, selectedAgent);
             const info = session.getInfo();
+            options.appendActivity?.(ctx, {
+                status: "info",
+                type: "agent_switch",
+                contextKey,
+                threadId: info.threadId,
+                workspace: info.workspace,
+                agentId: info.agentId,
+                detail: labelOf(info),
+            });
             const html = [`<b>Agent switched to ${escapeHTML(labelOf(info))}.</b>`, "", renderSessionInfoHTML(info)].join("\n");
             const plain = [`Agent switched to ${labelOf(info)}.`, "", renderSessionInfoPlain(info)].join("\n");
             if (messageId) {

package/dist/telegram-artifact-commands.js

@@ -35,6 +35,16 @@ export function registerTelegramArtifactCommands(options) {
                 const removed = await removeArtifactTurn(workspace, selected.turnId);
                 const text = removed ? `Deleted artifact turn: ${selected.turnId}` : `Artifact turn not found: ${selected.turnId}`;
                 await safeReply(ctx, escapeHTML(text), { fallbackText: text });
+                if (removed) {
+                    options.appendActivity?.(ctx, {
+                        status: "info",
+                        type: "artifact_deleted",
+                        threadId: contextSession.session.getInfo().threadId,
+                        workspace,
+                        agentId: contextSession.session.getInfo().agentId,
+                        detail: selected.turnId,
+                    });
+                }
                 return;
             }
             const filtered = filterArtifactReports(reports, argument);
@@ -64,9 +74,25 @@ export function registerTelegramArtifactCommands(options) {
                 return;
             }
             if (shouldZip) {
+                options.appendActivity?.(ctx, {
+                    status: "info",
+                    type: "artifact_zip_sent",
+                    threadId: contextSession.session.getInfo().threadId,
+                    workspace,
+                    agentId: contextSession.session.getInfo().agentId,
+                    detail: selected.turnId,
+                });
                 await options.deliverArtifactReportZip(ctx, ctx.chat.id, selected, ctx.message?.message_thread_id);
             }
             else {
+                options.appendActivity?.(ctx, {
+                    status: "info",
+                    type: "artifacts_sent",
+                    threadId: contextSession.session.getInfo().threadId,
+                    workspace,
+                    agentId: contextSession.session.getInfo().agentId,
+                    detail: selected.turnId,
+                });
                 await options.deliverArtifactReport(ctx, ctx.chat.id, selected, ctx.message?.message_thread_id);
             }
             return;
@@ -111,6 +137,17 @@ export function registerTelegramArtifactCommands(options) {
         if (action === "delete_confirm") {
             const removed = await removeArtifactTurn(workspace, turnId);
             await ctx.answerCallbackQuery({ text: removed ? "Deleted" : "Already gone" });
+            if (removed) {
+                const info = contextSession.session.getInfo();
+                options.appendActivity?.(ctx, {
+                    status: "info",
+                    type: "artifact_deleted",
+                    threadId: info.threadId,
+                    workspace,
+                    agentId: info.agentId,
+                    detail: turnId,
+                });
+            }
             const html = removed
                 ? `<b>Deleted artifact turn:</b> <code>${escapeHTML(turnId)}</code>`
                 : `<b>Artifact turn not found:</b> <code>${escapeHTML(turnId)}</code>`;
@@ -129,6 +166,15 @@ export function registerTelegramArtifactCommands(options) {
             return;
         }
         await ctx.answerCallbackQuery({ text: action === "zip" ? "Sending ZIP..." : "Sending artifacts..." });
+        const info = contextSession.session.getInfo();
+        options.appendActivity?.(ctx, {
+            status: "info",
+            type: action === "zip" ? "artifact_zip_sent" : "artifacts_sent",
+            threadId: info.threadId,
+            workspace,
+            agentId: info.agentId,
+            detail: turnId,
+        });
         if (action === "zip") {
             await options.deliverArtifactReportZip(ctx, chatId, report, ctx.callbackQuery.message?.message_thread_id);
         }

package/dist/telegram-diagnostics-command.js

@@ -1,11 +1,10 @@
 import { getAgentDiagnostics } from "./agent-activity.js";
 import { formatQuietHours } from "./bot-preferences.js";
-import { logTailRequests, parseLogsCommand, renderLogTailsAction, } from "./channel-actions.js";
+import { cliPathOptions } from "./channel-command-service.js";
 import { checkAuthStatus } from "./codex-auth.js";
 import { contextKeyFromCtx } from "./context-key.js";
-import { escapeHTML } from "./format.js";
-import { getConnectorHealth, getVersionChecks, readConnectorState, readFormattedLogTail, } from "./operations.js";
-import { formatCliPathHTML, formatCliPathPlain, renderAgentDiagnostics, renderDiagnosticsHTML, renderDiagnosticsPlain, renderHealthHTML, renderHealthPlain, renderVersionCheckHTML, renderVersionCheckPlain, } from "./bot-rendering.js";
+import { getConnectorHealth, } from "./operations.js";
+import { renderAgentDiagnostics, renderDiagnosticsHTML, renderDiagnosticsPlain, renderHealthHTML, renderHealthPlain, } from "./bot-rendering.js";
 import { getTelegramRateLimitMetrics } from "./telegram-rate-limit.js";
 import { safeReply } from "./telegram-output.js";
 export function registerTelegramDiagnosticsCommands(options) {
@@ -20,38 +19,7 @@ export function registerTelegramDiagnosticsCommands(options) {
         await safeReply(ctx, html, { fallbackText: plain });
     });
     options.bot.command("version", async (ctx) => {
-        const health = await getConnectorHealth(cliPathOptions(options.config));
-        const state = await readConnectorState();
-        const versions = await getVersionChecks(cliPathOptions(options.config));
-        const plain = [
-            renderVersionCheckPlain(versions.nordrelay),
-            `Runtime status: ${state.status ?? "unknown"}`,
-            formatCliPathPlain("Codex CLI", health.codexCliPath, health.codexCli),
-            renderVersionCheckPlain(versions.codex),
-            formatCliPathPlain("Pi CLI", health.piCliPath, health.piCli),
-            renderVersionCheckPlain(versions.pi),
-            formatCliPathPlain("Hermes CLI", health.hermesCliPath, health.hermesCli),
-            renderVersionCheckPlain(versions.hermes),
-            formatCliPathPlain("OpenClaw CLI", health.openClawCliPath, health.openClawCli),
-            renderVersionCheckPlain(versions.openclaw),
-            formatCliPathPlain("Claude Code CLI", health.claudeCodeCliPath, health.claudeCodeCli),
-            renderVersionCheckPlain(versions.claudeCode),
-        ].join("\n");
-        const html = [
-            renderVersionCheckHTML(versions.nordrelay),
-            `<b>Runtime status:</b> <code>${escapeHTML(state.status ?? "unknown")}</code>`,
-            formatCliPathHTML("Codex CLI", health.codexCliPath, health.codexCli),
-            renderVersionCheckHTML(versions.codex),
-            formatCliPathHTML("Pi CLI", health.piCliPath, health.piCli),
-            renderVersionCheckHTML(versions.pi),
-            formatCliPathHTML("Hermes CLI", health.hermesCliPath, health.hermesCli),
-            renderVersionCheckHTML(versions.hermes),
-            formatCliPathHTML("OpenClaw CLI", health.openClawCliPath, health.openClawCli),
-            renderVersionCheckHTML(versions.openclaw),
-            formatCliPathHTML("Claude Code CLI", health.claudeCodeCliPath, health.claudeCodeCli),
-            renderVersionCheckHTML(versions.claudeCode),
-        ].join("\n");
-        await safeReply(ctx, html, { fallbackText: plain });
+        await options.replyChannelAction(ctx, await options.commandService.renderVersion());
     });
     options.bot.command("diagnostics", async (ctx) => {
         const health = await getConnectorHealth(cliPathOptions(options.config));
@@ -84,19 +52,6 @@ export function registerTelegramDiagnosticsCommands(options) {
     options.bot.command("logs", async (ctx) => {
         const rawText = ctx.message?.text ?? "";
         const argument = rawText.replace(/^\/logs(?:@\w+)?\s*/i, "").trim();
-        const logRequest = parseLogsCommand(argument);
-        const logs = await Promise.all(logTailRequests(logRequest.target).map(async (request) => ({
-            title: request.title,
-            tail: await readFormattedLogTail(logRequest.lines, request.path),
-        })));
-        await options.replyChannelAction(ctx, renderLogTailsAction(logs));
+        await options.replyChannelAction(ctx, await options.commandService.renderLogs(argument));
     });
 }
-function cliPathOptions(config) {
-    return {
-        piCliPath: config.piCliPath,
-        hermesCliPath: config.hermesCliPath,
-        openClawCliPath: config.openClawCliPath,
-        claudeCodeCliPath: config.claudeCodeCliPath,
-    };
-}

package/dist/telegram-general-commands.js

@@ -1,9 +1,5 @@
-import { listAgentAdapterDescriptors } from "./agent-adapter.js";
-import { enabledAgents } from "./agent-factory.js";
 import { renderWelcomeFirstTime, renderWelcomeReturning, renderHelpMessage, } from "./bot-ui.js";
 import { authHelpText, capabilitiesOf, labelOf, } from "./bot-rendering.js";
-import { renderAgentsAction, renderChannelsAction, } from "./channel-actions.js";
-import { listChannelDescriptors } from "./channel-adapter.js";
 import { escapeHTML } from "./format.js";
 import { spawnConnectorRestart } from "./operations.js";
 import { renderLaunchSummaryHTML, renderLaunchSummaryPlain, renderSessionInfoHTML, renderSessionInfoPlain, } from "./session-format.js";
@@ -36,10 +32,10 @@ export function registerTelegramGeneralCommands(options) {
         await safeReply(ctx, help.html, { fallbackText: help.plain });
     });
     options.bot.command("channels", async (ctx) => {
-        await options.replyChannelAction(ctx, renderChannelsAction(listChannelDescriptors()));
+        await options.replyChannelAction(ctx, options.commandService.renderChannels());
     });
     options.bot.command("agents", async (ctx) => {
-        await options.replyChannelAction(ctx, renderAgentsAction(listAgentAdapterDescriptors(), enabledAgents(options.config)));
+        await options.replyChannelAction(ctx, options.commandService.renderAgents());
     });
     options.bot.command("restart", async (ctx) => {
         await safeReply(ctx, escapeHTML("Restarting connector..."), {

package/dist/telegram-operational-commands.js

@@ -4,9 +4,10 @@ import { tmpdir } from "node:os";
 import path from "node:path";
 import { InputFile } from "grammy";
 import { getAgentActivityLog } from "./agent-activity.js";
-import { capabilitiesOf, filterActivityEvents, formatLocalDateTime, formatLockOwner, formatTelegramName, labelOf, parseActivityOptions, renderActivityTimeline, renderAuditEvents, renderProgressHTML, renderProgressPlain, renderSessionLocks, } from "./bot-rendering.js";
+import { capabilitiesOf, filterActivityEvents, formatLocalDateTime, formatLockOwner, labelOf, parseActivityOptions, renderActivityTimeline, renderAuditEvents, renderProgressHTML, renderProgressPlain, renderSessionLocks, } from "./bot-rendering.js";
 import { escapeHTML } from "./format.js";
 import { renderSessionInfoHTML, renderSessionInfoPlain } from "./session-format.js";
+import { canWriteWithLock } from "./session-locks.js";
 import { chatBucket, safeReply } from "./telegram-output.js";
 import { telegramRateLimiter } from "./telegram-rate-limit.js";
 export function registerTelegramOperationalCommands(options) {
@@ -72,21 +73,27 @@ export function registerTelegramOperationalCommands(options) {
     });
     bot.command("lock", async (ctx) => {
         const contextSession = await options.getContextSession(ctx, { deferThreadStart: true });
-        if (!contextSession || !ctx.from) {
+        if (!contextSession) {
             return;
         }
         const { contextKey, session } = contextSession;
+        const owner = options.getLockOwner(ctx);
+        if (!owner) {
+            const text = "You must be authenticated before locking a session.";
+            await safeReply(ctx, escapeHTML(text), { fallbackText: text });
+            return;
+        }
         const existing = lockStore.get(contextKey);
-        if (existing && existing.ownerId !== ctx.from.id && !options.isAdminUser(ctx)) {
+        if (existing && !canWriteWithLock(existing, owner.userId, options.isAdminUser(ctx))) {
             const text = `Session is already locked by ${formatLockOwner(existing)}.`;
             await safeReply(ctx, escapeHTML(text), { fallbackText: text });
             return;
         }
-        const lock = lockStore.set(contextKey, ctx.from.id, formatTelegramName(ctx), config.sessionLockTtlMs);
+        const lock = lockStore.set(contextKey, owner, config.sessionLockTtlMs);
         options.auditContext(ctx, contextKey, session, {
             action: "lock_updated",
             status: "ok",
-            detail: `locked by ${lock.ownerId}`,
+            detail: `locked by ${lock.ownerUserId}`,
         });
         const text = `Session locked by ${formatLockOwner(lock)}${lock.expiresAt ? ` until ${formatLocalDateTime(new Date(lock.expiresAt))}` : ""}.`;
         await safeReply(ctx, escapeHTML(text), { fallbackText: text });
@@ -98,7 +105,8 @@ export function registerTelegramOperationalCommands(options) {
         }
         const { contextKey, session } = contextSession;
         const lock = lockStore.get(contextKey);
-        if (lock && lock.ownerId !== ctx.from?.id && !options.isAdminUser(ctx)) {
+        const owner = options.getLockOwner(ctx);
+        if (lock && !canWriteWithLock(lock, owner?.userId, options.isAdminUser(ctx))) {
             const text = `Only ${formatLockOwner(lock)} or an admin can unlock this session.`;
             await safeReply(ctx, escapeHTML(text), { fallbackText: text });
             return;