fix(skills): scope skill-command APIs to respect agent allowlists (#32155)

* refactor(skills): use explicit skill-command scope APIs * test(skills): cover scoped listing and telegram allowlist * fix(skills): add mergeSkillFilters edge-case tests and simplify dead code Cover unrestricted-co-tenant and empty-allowlist merge paths in skill-commands tests. Remove dead ternary in bot-handlers pagination. Add clarifying comments on undefined vs [] filter semantics. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor(skills): collapse scope functions into single listSkillCommandsForAgents Replace listSkillCommandsForAgentIds, listSkillCommandsForAllAgents, and the deprecated listSkillCommandsForAgents with a single function that accepts optional agentIds and falls back to all agents when omitted. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(skills): harden realpathSync race and add missing test coverage - Wrap fs.realpathSync in try-catch to gracefully skip workspaces that disappear between existsSync and realpathSync (TOCTOU race). - Log verbose diagnostics for missing/unresolvable workspace paths. - Add test for overlapping allowlists deduplication on shared workspaces. - Add test for graceful skip of missing workspaces. - Add test for pagination callback without agent suffix (default agent). - Clean up temp directories in skill-commands tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(telegram): warn when nativeSkillsEnabled but no agent route is bound Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: use runtime.log instead of nonexistent runtime.warn Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-10 22:14:34 +00:00 · 2026-03-03 02:00:05 +03:00
parent 02eeb08e04
commit a81704e622
6 changed files with 365 additions and 19 deletions
--- a/src/telegram/bot.test.ts
+++ b/src/telegram/bot.test.ts
@@ -294,6 +294,38 @@ describe("createTelegramBot", () => {
    );
  });

+  it("falls back to default agent for pagination callbacks without agent suffix", async () => {
+    onSpy.mockClear();
+    listSkillCommandsForAgents.mockClear();
+
+    createTelegramBot({ token: "tok" });
+    const callbackHandler = onSpy.mock.calls.find((call) => call[0] === "callback_query")?.[1] as (
+      ctx: Record<string, unknown>,
+    ) => Promise<void>;
+    expect(callbackHandler).toBeDefined();
+
+    await callbackHandler({
+      callbackQuery: {
+        id: "cbq-no-suffix",
+        data: "commands_page_2",
+        from: { id: 9, first_name: "Ada", username: "ada_bot" },
+        message: {
+          chat: { id: 1234, type: "private" },
+          date: 1736380800,
+          message_id: 14,
+        },
+      },
+      me: { username: "openclaw_bot" },
+      getFile: async () => ({ download: async () => new Uint8Array() }),
+    });
+
+    expect(listSkillCommandsForAgents).toHaveBeenCalledWith({
+      cfg: expect.any(Object),
+      agentIds: ["main"],
+    });
+    expect(editMessageTextSpy).toHaveBeenCalledTimes(1);
+  });
+
  it("blocks pagination callbacks when allowlist rejects sender", async () => {
    onSpy.mockClear();
    editMessageTextSpy.mockClear();