fix(heartbeat): block owner-only auth inheritance for exec events (#57652)

2026-05-05 15:50:25 +00:00 · 2026-03-31 09:06:51 +09:00
parent 91f7a6b0fd
commit a30214a624
7 changed files with 37 additions and 4 deletions
--- a/src/auto-reply/command-control.test.ts
+++ b/src/auto-reply/command-control.test.ts
@@ -194,6 +194,27 @@ describe("resolveCommandAuthorization", () => {
    expect(auth.ownerList).toEqual(["123"]);
  });

+  it("suppresses inherited owner status when the context forbids it", () => {
+    const cfg = {
+      channels: { telegram: { allowFrom: ["owner-123"] } },
+    } as OpenClawConfig;
+
+    const auth = resolveCommandAuthorization({
+      ctx: {
+        Provider: "exec-event",
+        Surface: "telegram",
+        OriginatingChannel: "telegram",
+        From: "owner-123",
+        To: "owner-123",
+        ForceSenderIsOwnerFalse: true,
+      } as MsgContext,
+      cfg,
+      commandAuthorized: true,
+    });
+
+    expect(auth.senderIsOwner).toBe(false);
+  });
+
  it("does not infer a provider from channel allowlists for webchat command contexts", () => {
    const cfg = {
      channels: { whatsapp: { allowFrom: ["+15551234567"] } },