claude-remote-guard 1.0.0

package/dist/lib/supabase.js

@@ -0,0 +1,169 @@
+import { createClient } from '@supabase/supabase-js';
+// Patterns that may contain sensitive information
+const SENSITIVE_PATTERNS = [
+    { pattern: /([?&])(api[_-]?key|token|secret|password|auth|key|access[_-]?token)=([^&\s'"]+)/gi, replacement: '$1$2=[REDACTED]' },
+    { pattern: /(Authorization:\s*)(Bearer\s+)?[^\s'"]+/gi, replacement: '$1$2[REDACTED]' },
+    { pattern: /(export\s+)?(AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|API_KEY|SECRET_KEY|PRIVATE_KEY|DATABASE_URL|DB_PASSWORD|SLACK_TOKEN|GITHUB_TOKEN|NPM_TOKEN)=([^\s'"]+)/gi, replacement: '$1$2=[REDACTED]' },
+    { pattern: /:\/\/([^:]+):([^@]+)@/g, replacement: '://$1:[REDACTED]@' },
+    { pattern: /(Basic\s+)[A-Za-z0-9+/=]{20,}/gi, replacement: '$1[REDACTED]' },
+];
+function maskSensitiveInfo(text) {
+    let masked = text;
+    for (const { pattern, replacement } of SENSITIVE_PATTERNS) {
+        masked = masked.replace(pattern, replacement);
+    }
+    return masked;
+}
+let supabaseClient = null;
+export function initializeSupabase(config) {
+    if (supabaseClient) {
+        return supabaseClient;
+    }
+    supabaseClient = createClient(config.supabase.url, config.supabase.anonKey);
+    return supabaseClient;
+}
+export function getSupabaseClient() {
+    if (!supabaseClient) {
+        throw new Error('Supabase not initialized. Call initializeSupabase first.');
+    }
+    return supabaseClient;
+}
+export async function createRequest(requestId, request) {
+    const client = getSupabaseClient();
+    // Mask sensitive information before storing in database
+    const maskedCommand = maskSensitiveInfo(request.command);
+    const { error } = await client.from('approval_requests').insert({
+        id: requestId,
+        command: maskedCommand,
+        danger_reason: request.dangerReason,
+        severity: request.severity,
+        cwd: request.cwd,
+        status: 'pending',
+    });
+    if (error) {
+        throw new Error(`Failed to create request: ${error.message}`);
+    }
+}
+export async function updateRequestStatus(requestId, status, resolvedBy) {
+    const client = getSupabaseClient();
+    const updates = {
+        status,
+        resolved_at: new Date().toISOString(),
+    };
+    if (resolvedBy) {
+        updates.resolved_by = resolvedBy;
+    }
+    const { error } = await client.from('approval_requests').update(updates).eq('id', requestId);
+    if (error) {
+        throw new Error(`Failed to update request status: ${error.message}`);
+    }
+}
+export async function getRequest(requestId) {
+    const client = getSupabaseClient();
+    const { data, error } = await client
+        .from('approval_requests')
+        .select('*')
+        .eq('id', requestId)
+        .single();
+    if (error) {
+        if (error.code === 'PGRST116') {
+            return null; // Not found
+        }
+        throw new Error(`Failed to get request: ${error.message}`);
+    }
+    return data;
+}
+export function listenForApproval(requestId, timeoutMs, onResolved) {
+    const client = getSupabaseClient();
+    let resolved = false;
+    let timeoutId = null;
+    let channel = null;
+    // Subscribe to realtime changes
+    channel = client
+        .channel(`approval-${requestId}`)
+        .on('postgres_changes', {
+        event: 'UPDATE',
+        schema: 'public',
+        table: 'approval_requests',
+        filter: `id=eq.${requestId}`,
+    }, (payload) => {
+        const newStatus = payload.new.status;
+        if (newStatus && newStatus !== 'pending' && !resolved) {
+            resolved = true;
+            if (timeoutId) {
+                clearTimeout(timeoutId);
+            }
+            cleanup();
+            onResolved(newStatus);
+        }
+    })
+        .subscribe();
+    // Set timeout
+    timeoutId = setTimeout(async () => {
+        if (!resolved) {
+            resolved = true;
+            cleanup();
+            // Update status to timeout in Supabase
+            try {
+                await updateRequestStatus(requestId, 'timeout');
+            }
+            catch (err) {
+                // Log error but don't block the timeout flow
+                console.error(`[Claude Guard] Failed to update timeout status for ${requestId}:`, err);
+            }
+            onResolved('timeout');
+        }
+    }, timeoutMs);
+    // Cleanup function
+    function cleanup() {
+        if (channel) {
+            client.removeChannel(channel);
+            channel = null;
+        }
+    }
+    // Return cleanup function
+    return () => {
+        if (!resolved) {
+            resolved = true;
+            if (timeoutId) {
+                clearTimeout(timeoutId);
+            }
+            cleanup();
+        }
+    };
+}
+export async function cleanupOldRequests(maxAgeMs = 24 * 60 * 60 * 1000) {
+    const client = getSupabaseClient();
+    const cutoff = new Date(Date.now() - maxAgeMs).toISOString();
+    const { data, error } = await client
+        .from('approval_requests')
+        .delete()
+        .lt('created_at', cutoff)
+        .select('id');
+    if (error) {
+        throw new Error(`Failed to cleanup old requests: ${error.message}`);
+    }
+    return data?.length ?? 0;
+}
+export async function testConnection(config) {
+    try {
+        const client = initializeSupabase(config);
+        // Try to query the table (will fail if table doesn't exist or no access)
+        const { error } = await client.from('approval_requests').select('id').limit(1);
+        if (error) {
+            return { ok: false, error: error.message };
+        }
+        return { ok: true };
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+        return { ok: false, error: errorMessage };
+    }
+}
+export async function shutdownSupabase() {
+    if (supabaseClient) {
+        await supabaseClient.removeAllChannels();
+        supabaseClient = null;
+    }
+}
+//# sourceMappingURL=supabase.js.map

package/dist/lib/supabase.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"supabase.js","sourceRoot":"","sources":["../../src/lib/supabase.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAmC,MAAM,uBAAuB,CAAC;AAItF,kDAAkD;AAClD,MAAM,kBAAkB,GAAoD;IAC1E,EAAE,OAAO,EAAE,mFAAmF,EAAE,WAAW,EAAE,iBAAiB,EAAE;IAChI,EAAE,OAAO,EAAE,2CAA2C,EAAE,WAAW,EAAE,gBAAgB,EAAE;IACvF,EAAE,OAAO,EAAE,+JAA+J,EAAE,WAAW,EAAE,iBAAiB,EAAE;IAC5M,EAAE,OAAO,EAAE,wBAAwB,EAAE,WAAW,EAAE,mBAAmB,EAAE;IACvE,EAAE,OAAO,EAAE,iCAAiC,EAAE,WAAW,EAAE,cAAc,EAAE;CAC5E,CAAC;AAEF,SAAS,iBAAiB,CAAC,IAAY;IACrC,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,kBAAkB,EAAE,CAAC;QAC1D,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAgBD,IAAI,cAAc,GAA0B,IAAI,CAAC;AAEjD,MAAM,UAAU,kBAAkB,CAAC,MAAc;IAC/C,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC5E,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,SAAiB,EACjB,OAAmF;IAEnF,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IAEnC,wDAAwD;IACxD,MAAM,aAAa,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEzD,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,CAAC;QAC9D,EAAE,EAAE,SAAS;QACb,OAAO,EAAE,aAAa;QACtB,aAAa,EAAE,OAAO,CAAC,YAAY;QACnC,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,MAAM,EAAE,SAAS;KAClB,CAAC,CAAC;IAEH,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,6BAA6B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,SAAiB,EACjB,MAAsB,EACtB,UAAmB;IAEnB,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IAEnC,MAAM,OAAO,GAA6B;QACxC,MAAM;QACN,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACtC,CAAC;IAEF,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,CAAC,WAAW,GAAG,UAAU,CAAC;IACnC,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IAE7F,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,oCAAoC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,SAAiB;IAChD,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IAEnC,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM;SACjC,IAAI,CAAC,mBAAmB,CAAC;SACzB,MAAM,CAAC,GAAG,CAAC;SACX,EAAE,CAAC,IAAI,EAAE,SAAS,CAAC;SACnB,MAAM,EAAE,CAAC;IAEZ,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,CAAC,YAAY;QAC3B,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,0BAA0B,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,IAAuB,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,SAAiB,EACjB,SAAiB,EACjB,UAA4C;IAE5C,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IAEnC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,SAAS,GAA0B,IAAI,CAAC;IAC5C,IAAI,OAAO,GAA2B,IAAI,CAAC;IAE3C,gCAAgC;IAChC,OAAO,GAAG,MAAM;SACb,OAAO,CAAC,YAAY,SAAS,EAAE,CAAC;SAChC,EAAE,CACD,kBAAkB,EAClB;QACE,KAAK,EAAE,QAAQ;QACf,MAAM,EAAE,QAAQ;QAChB,KAAK,EAAE,mBAAmB;QAC1B,MAAM,EAAE,SAAS,SAAS,EAAE;KAC7B,EACD,CAAC,OAAO,EAAE,EAAE;QACV,MAAM,SAAS,GAAI,OAAO,CAAC,GAAuB,CAAC,MAAM,CAAC;QAE1D,IAAI,SAAS,IAAI,SAAS,KAAK,SAAS,IAAI,CAAC,QAAQ,EAAE,CAAC;YACtD,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,SAAS,EAAE,CAAC;gBACd,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;YACD,OAAO,EAAE,CAAC;YACV,UAAU,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC;IACH,CAAC,CACF;SACA,SAAS,EAAE,CAAC;IAEf,cAAc;IACd,SAAS,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;QAChC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,QAAQ,GAAG,IAAI,CAAC;YAChB,OAAO,EAAE,CAAC;YAEV,uCAAuC;YACvC,IAAI,CAAC;gBACH,MAAM,mBAAmB,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAClD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,6CAA6C;gBAC7C,OAAO,CAAC,KAAK,CAAC,sDAAsD,SAAS,GAAG,EAAE,GAAG,CAAC,CAAC;YACzF,CAAC;YAED,UAAU,CAAC,SAAS,CAAC,CAAC;QACxB,CAAC;IACH,CAAC,EAAE,SAAS,CAAC,CAAC;IAEd,mBAAmB;IACnB,SAAS,OAAO;QACd,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YAC9B,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,OAAO,GAAG,EAAE;QACV,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,SAAS,EAAE,CAAC;gBACd,YAAY,CAAC,SAAS,CAAC,CAAC;YAC1B,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,WAAmB,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;IAC7E,MAAM,MAAM,GAAG,iBAAiB,EAAE,CAAC;IACnC,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAE7D,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM;SACjC,IAAI,CAAC,mBAAmB,CAAC;SACzB,MAAM,EAAE;SACR,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;SACxB,MAAM,CAAC,IAAI,CAAC,CAAC;IAEhB,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,mCAAmC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,OAAO,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAc;IACjD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAE1C,yEAAyE;QACzE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAE/E,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC;QAC7C,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QAC9E,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,cAAc,CAAC,iBAAiB,EAAE,CAAC;QACzC,cAAc,GAAG,IAAI,CAAC;IACxB,CAAC;AACH,CAAC"}

package/package.json

@@ -0,0 +1,67 @@
+{
+  "name": "claude-remote-guard",
+  "version": "1.0.0",
+  "description": "Remote approval system for Claude Code CLI using Slack and Supabase",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "guard": "dist/bin/cli.js",
+    "claude-guard-hook": "dist/bin/hook.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "lint": "eslint src --ext .ts",
+    "lint:fix": "eslint src --ext .ts --fix",
+    "format": "prettier --write \"src/**/*.ts\"",
+    "test": "vitest",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "claude",
+    "claude-code",
+    "cli",
+    "hook",
+    "slack",
+    "supabase",
+    "approval",
+    "security"
+  ],
+  "author": "paduck86",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/paduck86/claude-remote-guard.git"
+  },
+  "homepage": "https://github.com/paduck86/claude-remote-guard#readme",
+  "bugs": {
+    "url": "https://github.com/paduck86/claude-remote-guard/issues"
+  },
+  "dependencies": {
+    "@supabase/supabase-js": "^2.39.0",
+    "chalk": "^5.3.0",
+    "commander": "^12.0.0",
+    "inquirer": "^9.2.0",
+    "uuid": "^9.0.0"
+  },
+  "devDependencies": {
+    "@types/inquirer": "^9.0.7",
+    "@types/node": "^20.11.0",
+    "@types/uuid": "^9.0.8",
+    "@typescript-eslint/eslint-plugin": "^7.0.0",
+    "@typescript-eslint/parser": "^7.0.0",
+    "eslint": "^8.57.0",
+    "eslint-config-prettier": "^9.1.0",
+    "prettier": "^3.2.0",
+    "typescript": "^5.3.0",
+    "vitest": "^1.2.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "files": [
+    "dist",
+    "supabase"
+  ]
+}

package/supabase/functions/slack-callback/index.ts

@@ -0,0 +1,198 @@
+// Supabase Edge Function for Slack Interactive Callbacks
+// Deploy: supabase functions deploy slack-callback
+//
+// Required environment variables:
+// - SLACK_SIGNING_SECRET: Your Slack app's signing secret
+// - SUPABASE_URL: Auto-provided by Supabase
+// - SUPABASE_SERVICE_ROLE_KEY: Auto-provided by Supabase
+
+import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+
+interface SlackAction {
+  action_id: string;
+  value: string;
+}
+
+interface SlackUser {
+  id: string;
+  username: string;
+  name: string;
+}
+
+interface SlackPayload {
+  type: string;
+  user: SlackUser;
+  actions: SlackAction[];
+  response_url: string;
+}
+
+// HMAC-SHA256 signature verification for Slack requests
+async function verifySlackSignature(
+  body: string,
+  timestamp: string,
+  signature: string,
+  signingSecret: string
+): Promise<boolean> {
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(signingSecret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+
+  const baseString = `v0:${timestamp}:${body}`;
+  const signatureBuffer = await crypto.subtle.sign('HMAC', key, encoder.encode(baseString));
+  const computedSignature = 'v0=' + Array.from(new Uint8Array(signatureBuffer))
+    .map(b => b.toString(16).padStart(2, '0'))
+    .join('');
+
+  // Timing-safe comparison
+  if (computedSignature.length !== signature.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < computedSignature.length; i++) {
+    result |= computedSignature.charCodeAt(i) ^ signature.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+serve(async (req: Request) => {
+  // Only allow POST from Slack
+  if (req.method !== 'POST') {
+    return new Response('Method not allowed', { status: 405 });
+  }
+
+  try {
+    // Get Slack signing secret
+    const signingSecret = Deno.env.get('SLACK_SIGNING_SECRET');
+    if (!signingSecret) {
+      console.error('Missing SLACK_SIGNING_SECRET environment variable');
+      return new Response('Server configuration error', { status: 500 });
+    }
+
+    // Get signature headers
+    const slackSignature = req.headers.get('x-slack-signature');
+    const slackTimestamp = req.headers.get('x-slack-request-timestamp');
+
+    if (!slackSignature || !slackTimestamp) {
+      console.error('Missing Slack signature headers');
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    // Check timestamp to prevent replay attacks (5 minute window)
+    const currentTime = Math.floor(Date.now() / 1000);
+    const requestTime = parseInt(slackTimestamp, 10);
+    if (Math.abs(currentTime - requestTime) > 300) {
+      console.error('Request timestamp too old');
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    // Read body as text for signature verification
+    const bodyText = await req.text();
+
+    // Verify signature
+    const isValid = await verifySlackSignature(bodyText, slackTimestamp, slackSignature, signingSecret);
+    if (!isValid) {
+      console.error('Invalid Slack signature');
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    // Parse form data from body text
+    const params = new URLSearchParams(bodyText);
+    const payloadStr = params.get('payload');
+
+    if (!payloadStr) {
+      return new Response('Invalid payload', { status: 400 });
+    }
+
+    const payload: SlackPayload = JSON.parse(payloadStr);
+
+    // Validate payload type
+    if (payload.type !== 'block_actions') {
+      return new Response('Unsupported interaction type', { status: 400 });
+    }
+
+    // Get action details
+    const action = payload.actions[0];
+    if (!action) {
+      return new Response('No action found', { status: 400 });
+    }
+
+    const { action_id, value: requestId } = action;
+    const resolvedBy = payload.user.username || payload.user.name || payload.user.id;
+
+    // Determine status based on action
+    let status: 'approved' | 'rejected';
+    if (action_id === 'approve_command') {
+      status = 'approved';
+    } else if (action_id === 'reject_command') {
+      status = 'rejected';
+    } else {
+      return new Response('Unknown action', { status: 400 });
+    }
+
+    // Initialize Supabase client with service role key
+    const supabaseUrl = Deno.env.get('SUPABASE_URL');
+    const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+
+    if (!supabaseUrl || !supabaseServiceKey) {
+      console.error('Missing Supabase environment variables');
+      return new Response('Server configuration error', { status: 500 });
+    }
+
+    const supabase = createClient(supabaseUrl, supabaseServiceKey);
+
+    // Update the approval request
+    const { data, error } = await supabase
+      .from('approval_requests')
+      .update({
+        status,
+        resolved_at: new Date().toISOString(),
+        resolved_by: resolvedBy,
+      })
+      .eq('id', requestId)
+      .eq('status', 'pending') // Only update if still pending
+      .select('id');
+
+    if (error) {
+      console.error('Failed to update request:', error);
+      return new Response('Failed to update request', { status: 500 });
+    }
+
+    // Verify that a row was actually updated
+    if (!data || data.length === 0) {
+      console.error('Request not found or already resolved:', requestId);
+      return new Response('Request not found or already resolved', { status: 404 });
+    }
+
+    // Send response back to Slack to update the message
+    const responseMessage =
+      status === 'approved'
+        ? `:white_check_mark: *Approved* by @${resolvedBy}`
+        : `:x: *Rejected* by @${resolvedBy}`;
+
+    // Respond to Slack's response_url to update the original message
+    if (payload.response_url) {
+      await fetch(payload.response_url, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          replace_original: false,
+          text: responseMessage,
+        }),
+      });
+    }
+
+    return new Response('OK', {
+      status: 200,
+      headers: { 'Content-Type': 'text/plain' },
+    });
+  } catch (error) {
+    console.error('Error processing request:', error);
+    return new Response('Internal server error', { status: 500 });
+  }
+});

package/supabase/functions/telegram-callback/index.ts

@@ -0,0 +1,209 @@
+// Supabase Edge Function for Telegram Bot Callbacks
+// Deploy: supabase functions deploy telegram-callback
+//
+// Required environment variables:
+// - TELEGRAM_BOT_TOKEN: Your Telegram bot token
+// - TELEGRAM_WEBHOOK_SECRET: Secret token for webhook verification (set via setWebhook API)
+// - SUPABASE_URL: Auto-provided by Supabase
+// - SUPABASE_SERVICE_ROLE_KEY: Auto-provided by Supabase
+
+import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+
+// Timing-safe string comparison to prevent timing attacks
+function timingSafeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return result === 0;
+}
+
+interface TelegramUser {
+  id: number;
+  first_name: string;
+  last_name?: string;
+  username?: string;
+}
+
+interface TelegramMessage {
+  message_id: number;
+  chat: {
+    id: number;
+  };
+}
+
+interface CallbackQuery {
+  id: string;
+  from: TelegramUser;
+  message?: TelegramMessage;
+  data?: string;
+}
+
+interface TelegramUpdate {
+  update_id: number;
+  callback_query?: CallbackQuery;
+}
+
+serve(async (req: Request) => {
+  // Only allow POST
+  if (req.method !== 'POST') {
+    return new Response('Method not allowed', { status: 405 });
+  }
+
+  try {
+    const botToken = Deno.env.get('TELEGRAM_BOT_TOKEN');
+    if (!botToken) {
+      console.error('Missing TELEGRAM_BOT_TOKEN environment variable');
+      return new Response('Server configuration error', { status: 500 });
+    }
+
+    // Verify webhook secret token (set via setWebhook API with secret_token parameter)
+    const webhookSecret = Deno.env.get('TELEGRAM_WEBHOOK_SECRET');
+    if (!webhookSecret) {
+      console.error('Missing TELEGRAM_WEBHOOK_SECRET environment variable');
+      return new Response('Server configuration error', { status: 500 });
+    }
+
+    const headerToken = req.headers.get('X-Telegram-Bot-Api-Secret-Token');
+    if (!headerToken || !timingSafeEqual(headerToken, webhookSecret)) {
+      console.error('Invalid or missing Telegram webhook secret token');
+      return new Response('Unauthorized', { status: 401 });
+    }
+
+    const update: TelegramUpdate = await req.json();
+
+    // Only handle callback queries (button presses)
+    if (!update.callback_query) {
+      return new Response('OK', { status: 200 });
+    }
+
+    const callbackQuery = update.callback_query;
+    const callbackData = callbackQuery.data;
+
+    if (!callbackData) {
+      return new Response('No callback data', { status: 400 });
+    }
+
+    // Parse callback data: "approve:requestId" or "reject:requestId"
+    const [action, requestId] = callbackData.split(':');
+
+    if (!action || !requestId) {
+      return new Response('Invalid callback data format', { status: 400 });
+    }
+
+    if (action !== 'approve' && action !== 'reject') {
+      return new Response('Unknown action', { status: 400 });
+    }
+
+    const status = action === 'approve' ? 'approved' : 'rejected';
+    const resolvedBy = callbackQuery.from.username ||
+                       `${callbackQuery.from.first_name}${callbackQuery.from.last_name ? ' ' + callbackQuery.from.last_name : ''}` ||
+                       String(callbackQuery.from.id);
+
+    // Initialize Supabase client
+    const supabaseUrl = Deno.env.get('SUPABASE_URL');
+    const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
+
+    if (!supabaseUrl || !supabaseServiceKey) {
+      console.error('Missing Supabase environment variables');
+      return new Response('Server configuration error', { status: 500 });
+    }
+
+    const supabase = createClient(supabaseUrl, supabaseServiceKey);
+
+    // Update the approval request
+    const { data, error } = await supabase
+      .from('approval_requests')
+      .update({
+        status,
+        resolved_at: new Date().toISOString(),
+        resolved_by: resolvedBy,
+      })
+      .eq('id', requestId)
+      .eq('status', 'pending')
+      .select('id');
+
+    if (error) {
+      console.error('Failed to update request:', error);
+      // Answer callback query with error
+      await answerCallbackQuery(botToken, callbackQuery.id, '❌ Failed to update request');
+      return new Response('Failed to update request', { status: 500 });
+    }
+
+    // Check if request was found and updated
+    if (!data || data.length === 0) {
+      await answerCallbackQuery(botToken, callbackQuery.id, '⚠️ Request not found or already resolved');
+      return new Response('OK', { status: 200 });
+    }
+
+    // Answer callback query with success
+    const emoji = status === 'approved' ? '✅' : '❌';
+    const actionText = status === 'approved' ? 'Approved' : 'Rejected';
+    await answerCallbackQuery(botToken, callbackQuery.id, `${emoji} ${actionText}`);
+
+    // Edit original message to remove buttons and show result
+    if (callbackQuery.message) {
+      await editMessageReplyMarkup(
+        botToken,
+        callbackQuery.message.chat.id,
+        callbackQuery.message.message_id,
+        `\n\n${emoji} *${actionText}* by @${resolvedBy}`,
+      );
+    }
+
+    return new Response('OK', { status: 200 });
+  } catch (error) {
+    console.error('Error processing request:', error);
+    return new Response('Internal server error', { status: 500 });
+  }
+});
+
+async function answerCallbackQuery(
+  botToken: string,
+  callbackQueryId: string,
+  text: string
+): Promise<void> {
+  await fetch(`https://api.telegram.org/bot${botToken}/answerCallbackQuery`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      callback_query_id: callbackQueryId,
+      text,
+      show_alert: false,
+    }),
+  });
+}
+
+async function editMessageReplyMarkup(
+  botToken: string,
+  chatId: number,
+  messageId: number,
+  appendText: string
+): Promise<void> {
+  // Remove inline keyboard
+  await fetch(`https://api.telegram.org/bot${botToken}/editMessageReplyMarkup`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      chat_id: chatId,
+      message_id: messageId,
+      reply_markup: { inline_keyboard: [] },
+    }),
+  });
+
+  // Send follow-up message with result
+  await fetch(`https://api.telegram.org/bot${botToken}/sendMessage`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      chat_id: chatId,
+      reply_to_message_id: messageId,
+      text: appendText.replace(/[_*\[\]()~`>#+\-=|{}.!\\]/g, '\\$&'),
+      parse_mode: 'MarkdownV2',
+    }),
+  });
+}