From bac3d26fe76b5f8ee25ef952d314a94628eabc0c Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Fri, 17 Apr 2026 16:17:01 +0100
Subject: [PATCH] perf: narrow Matrix reaction approval imports

---
 .../matrix/src/approval-reaction-auth.ts      | 45 +++++++++++++++++++
 .../src/matrix/monitor/reaction-events.ts     | 13 ++----
 2 files changed, 48 insertions(+), 10 deletions(-)
 create mode 100644 extensions/matrix/src/approval-reaction-auth.ts

diff --git a/extensions/matrix/src/approval-reaction-auth.ts b/extensions/matrix/src/approval-reaction-auth.ts
new file mode 100644
index 00000000000..88850994649
--- /dev/null
+++ b/extensions/matrix/src/approval-reaction-auth.ts
@@ -0,0 +1,45 @@
+import { resolveApprovalApprovers } from "openclaw/plugin-sdk/approval-auth-runtime";
+import { normalizeMatrixApproverId } from "./approval-ids.js";
+import { resolveMatrixAccount } from "./matrix/accounts.js";
+import type { CoreConfig } from "./types.js";
+
+type MatrixApprovalReactionKind = "exec" | "plugin";
+
+function normalizeMatrixExecApproverId(value: string | number): string | undefined {
+  const normalized = normalizeMatrixApproverId(value);
+  return normalized === "*" ? undefined : normalized;
+}
+
+function getMatrixApprovalReactionApprovers(params: {
+  cfg: CoreConfig;
+  accountId?: string | null;
+  approvalKind: MatrixApprovalReactionKind;
+}): string[] {
+  const account = resolveMatrixAccount(params).config;
+  if (params.approvalKind === "plugin") {
+    return resolveApprovalApprovers({
+      allowFrom: account.dm?.allowFrom,
+      normalizeApprover: normalizeMatrixApproverId,
+    });
+  }
+  return resolveApprovalApprovers({
+    explicit: account.execApprovals?.approvers,
+    allowFrom: account.dm?.allowFrom,
+    normalizeApprover: normalizeMatrixExecApproverId,
+  });
+}
+
+export function isMatrixApprovalReactionAuthorizedSender(params: {
+  cfg: CoreConfig;
+  accountId?: string | null;
+  senderId?: string | null;
+  approvalKind: MatrixApprovalReactionKind;
+}): boolean {
+  const normalizedSenderId = params.senderId
+    ? normalizeMatrixApproverId(params.senderId)
+    : undefined;
+  if (!normalizedSenderId) {
+    return false;
+  }
+  return getMatrixApprovalReactionApprovers(params).includes(normalizedSenderId);
+}
diff --git a/extensions/matrix/src/matrix/monitor/reaction-events.ts b/extensions/matrix/src/matrix/monitor/reaction-events.ts
index f6dc4822a02..05cf24801aa 100644
--- a/extensions/matrix/src/matrix/monitor/reaction-events.ts
+++ b/extensions/matrix/src/matrix/monitor/reaction-events.ts
@@ -1,5 +1,5 @@
 import { getSessionBindingService } from "openclaw/plugin-sdk/session-binding-runtime";
-import { matrixApprovalCapability } from "../../approval-native.js";
+import { isMatrixApprovalReactionAuthorizedSender } from "../../approval-reaction-auth.js";
 import {
   resolveMatrixApprovalReactionTarget,
   unregisterMatrixApprovalReactionTarget,
@@ -40,15 +40,8 @@ async function maybeResolveMatrixApprovalReaction(params: {
   if (!params.target) {
     return false;
   }
-  if (
-    !matrixApprovalCapability.authorizeActorAction?.({
-      cfg: params.cfg,
-      accountId: params.accountId,
-      senderId: params.senderId,
-      action: "approve",
-      approvalKind: params.target.approvalId.startsWith("plugin:") ? "plugin" : "exec",
-    })?.authorized
-  ) {
+  const approvalKind = params.target.approvalId.startsWith("plugin:") ? "plugin" : "exec";
+  if (!isMatrixApprovalReactionAuthorizedSender({ ...params, approvalKind })) {
     return false;
   }
   try {