telegram-approval-buttons 4.0.3 → 4.1.0

package/CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.1.0] - 2026-02-20
+
+### Changed
+- **Performance: O(1) approval resolution lookup** — `detectApprovalResult()` now extracts UUIDs via regex and performs a direct `Map.has()` lookup instead of iterating all pending entries. The old O(n) linear scan is replaced with O(1) hash lookup for full UUIDs, with a fallback prefix scan only for truncated IDs.
+
+### Added
+- **Gateway denial detection** — New `resolveAction()` function and `RE_GATEWAY_DENIAL` regex detect when the gateway auto-denies an approval due to timeout (`Exec denied.*approval-timeout`). The plugin now immediately cleans up stale Telegram buttons when the gateway reports a timeout, instead of waiting for the stale cleanup timer.
+- **Robust short hex matching** — Short approval IDs are now matched via `\b([a-f0-9]{8,})\b` regex with `startsWith()` prefix matching, supporting variable-length truncated IDs instead of the previous hardcoded 8-char `slice()`.
+
+### Fixed
+- Synced `openclaw.plugin.json` manifest version with `package.json` (was stuck at 4.0.2)
+- Updated header comment in `index.ts` to reflect current version
+
+## [4.0.3] - 2026-02-16
+
+### Fixed
+- Auto-detect `botToken` key from `channels.telegram.botToken` in addition to `channels.telegram.token`
+- Improved README setup documentation with clearer quick start instructions
+
 ## [4.0.2] - 2026-02-15
 
 ### Added

package/README.md

@@ -114,7 +114,7 @@ Uptime: 1m
 ## Prerequisites
 
 - **OpenClaw ≥ 2026.2.9** installed and running
-- **Node.js ≥ 22** (uses built-in `fetch`)
+- **Node.js ≥ 20** (uses built-in `fetch`)
 - **Telegram configured** in your `openclaw.json` (bot token + `allowFrom`)
 - **Exec approvals targeting Telegram** — see Step 2 above
 

package/SECURITY.md

@@ -0,0 +1,39 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 4.x     | ✅ Active  |
+| < 4.0   | ❌ EOL     |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this plugin, please report it responsibly:
+
+1. **Do NOT open a public issue** — this could expose the vulnerability to others
+2. **Email**: [francojair81@gmail.com](mailto:francojair81@gmail.com)
+3. **Include**:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact
+   - Suggested fix (if you have one)
+
+I will acknowledge your report within **48 hours** and aim to release a fix within **7 days** for critical issues.
+
+## Security Model
+
+This plugin runs **in-process** with the OpenClaw Gateway as trusted code:
+
+- **No external network calls** except to the Telegram Bot API (`api.telegram.org`)
+- **No data persistence** — all approval state is in-memory and lost on restart
+- **No credential storage** — bot token and chat ID are read from OpenClaw's config at runtime
+- **Input validation** — callback query data is validated against the pending approvals map; unknown IDs are silently ignored
+- **HTML escaping** — all user-supplied text is escaped before Telegram HTML rendering to prevent injection
+
+## Best Practices for Users
+
+- Keep your OpenClaw instance and this plugin updated
+- Use `plugins.allow` allowlists to restrict which plugins can load
+- Review the source code before installing any community plugin
+- Never share your bot token or chat ID publicly

package/index.ts

@@ -1,5 +1,5 @@
 // ─────────────────────────────────────────────────────────────────────────────
-// telegram-approval-buttons · index.ts (v4.0.2)
+// telegram-approval-buttons · index.ts (v4.1.0)
 // Plugin entry point — orchestration only, all logic lives in lib/
 //
 // Adds inline keyboard buttons to exec approval messages in Telegram.
@@ -30,7 +30,7 @@ import {
 
 // ── Constants ───────────────────────────────────────────────────────────────
 
-const PLUGIN_VERSION = "4.0.3";
+const PLUGIN_VERSION = "4.1.0";
 const TAG = "telegram-approval-buttons";
 
 // ── Plugin registration ─────────────────────────────────────────────────────

package/lib/approval-parser.ts

@@ -9,6 +9,9 @@ import type { ApprovalAction, ApprovalInfo, ApprovalResolution, SentApproval } f
 
 const RE_APPROVAL_MARKER = /Exec approval required/i;
 const RE_ID = /ID:\s*([a-f0-9-]+)/i;
+const RE_UUID = /([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})/i;
+const RE_SHORT_HEX = /\b([a-f0-9]{8,})\b/i;
+const RE_GATEWAY_DENIAL = /Exec denied.*approval-timeout/i;
 const RE_COMMAND_BLOCK = /Command:\s*`{0,3}\n?(.+?)\n?`{0,3}(?:\n|$)/is;
 const RE_COMMAND_INLINE = /Command:\s*(.+)/i;
 const RE_CWD = /CWD:\s*(.+)/i;
@@ -50,25 +53,56 @@ export function parseApprovalText(text: string): ApprovalInfo | null {
 /**
  * Detect if an outgoing message indicates an approval was resolved.
  *
- * Checks whether the message text references any pending approval ID
- * (full UUID or first 8 chars) and attempts to determine the action.
+ * Uses O(1) Map lookup instead of iterating all pending entries:
+ * 1. Extract full UUID from text via regex → direct Map.has() (O(1))
+ * 2. Fallback: extract short hex ID (8+ chars) → scan pending by prefix
+ *
+ * Also detects gateway-initiated denials (approval-timeout) so the
+ * plugin can immediately clean up stale buttons in Telegram.
  */
 export function detectApprovalResult(
   text: string,
   pending: ReadonlyMap<string, SentApproval>,
 ): ApprovalResolution | null {
-  for (const [id] of pending) {
-    const shortId = id.slice(0, 8);
-    if (!text.includes(id) && !text.includes(shortId)) continue;
+  if (pending.size === 0) return null;
+
+  // Fast path: full UUID → O(1) Map lookup
+  const fullMatch = text.match(RE_UUID);
+  if (fullMatch) {
+    const id = fullMatch[1];
+    if (pending.has(id)) {
+      return { id, action: resolveAction(text) };
+    }
+  }
 
-    const action = inferAction(text);
-    return { id, action };
+  // Slow path: short hex ID (8+ chars) → prefix scan on pending keys
+  // This handles messages that only reference a truncated approval ID
+  const shortMatch = text.match(RE_SHORT_HEX);
+  if (shortMatch) {
+    const shortId = shortMatch[1];
+    for (const [pendingId] of pending) {
+      if (pendingId.startsWith(shortId)) {
+        return { id: pendingId, action: resolveAction(text) };
+      }
+    }
   }
+
   return null;
 }
 
 // ─── Internal ───────────────────────────────────────────────────────────────
 
+/**
+ * Determine the approval action from message text.
+ * Checks gateway denial first, then infers from keywords.
+ * Order matters: check most specific patterns first.
+ */
+function resolveAction(text: string): ApprovalAction {
+  // Gateway-initiated denial takes priority (unambiguous signal)
+  if (RE_GATEWAY_DENIAL.test(text)) return "deny";
+  return inferAction(text);
+}
+
 /**
  * Infer the approval action from message text.
  * Order matters: check most specific patterns first.

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "telegram-approval-buttons",
   "name": "Telegram Approval Buttons",
   "description": "Adds inline keyboard buttons to exec approval messages in Telegram. Tap to approve/deny without typing commands.",
-  "version": "4.0.2",
+  "version": "4.1.0",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json

@@ -1,10 +1,13 @@
 {
   "name": "telegram-approval-buttons",
-  "version": "4.0.3",
+  "version": "4.1.0",
   "description": "Inline keyboard buttons for exec approval messages in Telegram — tap to approve/deny without typing commands",
   "type": "module",
   "main": "index.ts",
   "license": "MIT",
+  "engines": {
+    "node": ">=20.0.0"
+  },
   "scripts": {
     "test": "vitest run",
     "test:watch": "vitest"
@@ -34,7 +37,8 @@
     "lib/",
     "openclaw.plugin.json",
     "README.md",
-    "CHANGELOG.md"
+    "CHANGELOG.md",
+    "SECURITY.md"
   ],
   "devDependencies": {
     "@types/node": "^25.2.3",