HCL 4e45a663e7 fix(telegram): prevent silent wrong-bot routing when accountId not in config ...

When a non-default accountId is specified but not found in the accounts
config, resolveTelegramToken() falls through to channel-level defaults
(botToken, tokenFile, env) — silently routing messages via the wrong
bot's token. This is a cross-bot message leak with no error or warning.

Root cause: extensions/telegram/src/token.ts:44-46, resolveAccountCfg()
returns undefined for unknown accountIds but code continues to fallbacks.
Introduced in e5bca0832f when Telegram moved to extensions/.

Fix: return { token: "", source: "none" } with a diagnostic log when
a non-default accountId is not found. Existing behavior for known
accounts (with or without per-account tokens) preserved.

Test: added "does not fall through when non-default accountId not in
config" — 1/1 new, 10/10 existing unaffected.

Closes #49383

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: HCL <chenglunhu@gmail.com>

2026-03-20 23:24:40 +05:30

..

src

fix(telegram): prevent silent wrong-bot routing when accountId not in config

2026-03-20 23:24:40 +05:30

api.ts

refactor: route extension seams through public apis

2026-03-19 03:20:10 +00:00

index.ts

refactor: clean extension api boundaries

2026-03-17 09:38:21 -07:00

openclaw.plugin.json

chore: Run pnpm format:fix.

2026-01-31 21:13:13 +09:00

package.json

refactor: move bundled channel deps to plugin packages

2026-03-19 00:24:44 +00:00

runtime-api.ts

Main recovery: restore formatter and contract checks (#49570)

2026-03-18 00:30:01 -07:00

setup-entry.ts

refactor: clean extension api boundaries

2026-03-17 09:38:21 -07:00