* "fix(telegram): surface media placeholder and file_id when download fails"
* fix: unify telegram media placeholder selection
* fix: preserve telegram media context on captioned download failures (#59948) (thanks @v1p0r)
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
Fix three bugs preventing inline image downloads in Teams 1:1 DM chats: wrong conversation ID format for Graph API, missing media URL extraction, and incorrect content type detection.
Fixes#24797
Thanks @Ted-developer
* test(telegram): add URL construction tests for custom apiRoot
Add comprehensive test cases to verify that file download URLs are correctly
constructed when using a custom apiRoot configuration for local Bot API servers.
Tests validate:
- Document downloads use the custom apiRoot in the constructed URL
- Sticker downloads use the custom apiRoot in the constructed URL
- SSRF policy correctly includes the custom hostname
This ensures issue #59512 (Telegram file downloads with local Bot API) is
properly covered by regression tests.
* refactor(telegram): improve media resolution code quality
Apply KISS and YAGNI principles to reduce code duplication and improve maintainability:
1. Extract media metadata resolution
- Consolidate resolveMediaFileRef(), resolveTelegramFileName(), and
resolveTelegramMimeType() into single resolveMediaMetadata() function
- Returns typed MediaMetadata object with fileRef, fileName, mimeType
- Reduces duplication and improves readability
2. Add logging for apiRoot parsing failures
- Log when custom apiRoot URL parsing fails in buildTelegramMediaSsrfPolicy()
- Helps debug configuration issues with local Bot API servers
3. Fix missing apiRoot in buffered messages
- Add telegramCfg.apiRoot parameter to resolveMedia() calls in
bot-handlers.buffers.ts (lines 150-159, 189)
- Ensures reply media in buffered contexts respects custom apiRoot config
- Fixes inconsistency where runtime handler passed apiRoot but buffers didn't
These changes improve code quality while maintaining backward compatibility and
ensuring issue #59512 (Telegram file downloads with local Bot API) works correctly
in all contexts.
* fix(telegram): resolve bot review issues
Address critical issues identified by Greptile code review:
1. Define telegramCfg in bot-handlers.buffers.ts
- Extract telegramCfg from cfg.channels?.telegram
- Fixes ReferenceError when accessing telegramCfg.apiRoot
- Ensures buffered message handlers can access apiRoot configuration
2. Restore type safety for MediaMetadata.fileRef
- Change from 'unknown' to proper union type
- Preserves type information for downstream file_id access
- Prevents TypeScript strict mode compilation errors
These fixes ensure the PR compiles correctly and handles buffered
media downloads with custom apiRoot configuration.
* fix(telegram): use optional chaining for telegramCfg.apiRoot
TypeScript strict mode requires optional chaining when accessing
properties on potentially undefined objects. Changed telegramCfg.apiRoot
to telegramCfg?.apiRoot to handle cases where telegramCfg is undefined.
Fixes TypeScript errors:
- TS18048: 'telegramCfg' is possibly 'undefined' (line 160)
- TS18048: 'telegramCfg' is possibly 'undefined' (line 191)
* fix(telegram): add missing optional chaining on line 191
Complete the fix for telegramCfg optional chaining.
Previous commit only fixed line 160, but line 191 also needs
the same fix to prevent TS18048 error.
* fix: cover buffered Telegram apiRoot downloads (#59544) (thanks @SARAMALI15792)
---------
Co-authored-by: Ayaan Zaidi <hi@obviy.us>
When a thread reply's turn context is revoked and falls back to proactive messaging, the normalized conversation ID lost the thread suffix, causing replies to land in the channel root instead of the original thread.
Reconstructs the threaded conversation ID (`;messageid=<activityId>`) for channel conversations in the proactive fallback path, while correctly leaving group chat conversations flat.
Fixes#27189
Thanks @hyojin
* fix(google): separate oauth state from pkce verifier
* fix(google): drop unused oauth callback state arg
* docs(changelog): add #59116 google oauth state fix
---------
Co-authored-by: Jacob Tomlinson <jtomlinson@nvidia.com>
Install a Playwright route handler before `page.goto()` so navigations
to private/internal IPs are intercepted and aborted mid-redirect instead
of being checked post-hoc after the request already reached the internal
host. Blocked targets are permanently marked and rejected for subsequent
tool calls.
Thanks @pgondhi987
Reject invalid diffs viewerBaseUrl values during manifest config validation,
not later during plugin registration.
Keep runtime normalization intact and add manifest-level coverage so bad
protocols and query/hash values fail fast.
