fix(channels/telegram): return 'off' on unresolved SecretRef instead of default scope

lonexreb · lonexreb · commit 20709114df00 · 2026-05-05T13:11:21.000-05:00
Codex follow-up on PR #75445 noted: returning DEFAULT_INLINE_BUTTONS_SCOPE ('allowlist') when resolveTelegramAccount throws on an unresolved SecretRef silently advertises inline-button capability even when the account is configured with capabilities.inlineButtons: 'off'. Prompt-prep paths like agentPrompt.messageToolCapabilities then prompt the model to generate inline-button payloads the runtime cannot honor. Return 'off' instead — strictly conservative for the prompt-discovery use case. The runtime send path still uses the resolved snapshot, so a real configured account gets the right capability there. Update the regression tests to assert the exact value rather than just non-throwing.
diff --git a/extensions/telegram/src/inline-buttons.test.ts b/extensions/telegram/src/inline-buttons.test.ts
@@ -96,7 +96,7 @@ describe("resolveTelegramInlineButtonsScope (#75433 SecretRef tolerance)", () =>
   // snapshot has resolved channel credentials. Returning a benign default
   // instead of throwing keeps the embedded reply run alive.
 
-  it("returns the safe default scope when botToken is an unresolved SecretRef", () => {
+  it('returns "off" when botToken is an unresolved SecretRef so prompt prep does not advertise an unverified inline-buttons capability', () => {
     const cfg = {
       channels: {
         telegram: {
@@ -105,14 +105,17 @@ describe("resolveTelegramInlineButtonsScope (#75433 SecretRef tolerance)", () =>
       },
     } as unknown as OpenClawConfig;
 
-    expect(() => resolveTelegramInlineButtonsScope({ cfg })).not.toThrow();
-    // The DEFAULT_INLINE_BUTTONS_SCOPE is "all" — the contract is just that
-    // we do not crash. Verify isTelegramInlineButtonsEnabled also tolerates
-    // the same condition (used by describeMessageTool's buttonsEnabled flag).
-    expect(() => isTelegramInlineButtonsEnabled({ cfg })).not.toThrow();
+    // Codex follow-up on PR #75445: the previous fallback returned the
+    // default scope ("allowlist") which prompted the model to generate inline
+    // button payloads even when the account had `capabilities.inlineButtons:
+    // "off"`. The conservative fallback returns "off" so prompt-prep paths
+    // (e.g. agentPrompt.messageToolCapabilities) cannot misreport capability;
+    // the runtime send path uses the resolved snapshot and re-asks.
+    expect(resolveTelegramInlineButtonsScope({ cfg })).toBe("off");
+    expect(isTelegramInlineButtonsEnabled({ cfg })).toBe(false);
   });
 
-  it("returns the safe default scope when scoped account token is an unresolved SecretRef", () => {
+  it('returns "off" when scoped account token is an unresolved SecretRef', () => {
     const cfg = {
       channels: {
         telegram: {
@@ -125,7 +128,7 @@ describe("resolveTelegramInlineButtonsScope (#75433 SecretRef tolerance)", () =>
       },
     } as unknown as OpenClawConfig;
 
-    expect(() => resolveTelegramInlineButtonsScope({ cfg, accountId: "ops" })).not.toThrow();
-    expect(() => isTelegramInlineButtonsEnabled({ cfg, accountId: "ops" })).not.toThrow();
+    expect(resolveTelegramInlineButtonsScope({ cfg, accountId: "ops" })).toBe("off");
+    expect(isTelegramInlineButtonsEnabled({ cfg, accountId: "ops" })).toBe(false);
   });
 });
diff --git a/extensions/telegram/src/inline-buttons.ts b/extensions/telegram/src/inline-buttons.ts
@@ -63,15 +63,19 @@ export function resolveTelegramInlineButtonsScope(params: {
   // Embedded prompt prep calls this from raw config before the active runtime
   // snapshot has resolved channel credentials. If channels.telegram.botToken is
   // a non-env SecretRef, `resolveTelegramAccount` throws an unresolved-SecretRef
-  // error (#75433). Treat that as "no inline-button capability for prompt
-  // discovery" instead of crashing the embedded reply run; the runtime send
-  // path uses the resolved snapshot.
+  // error (#75433). Treat that as "inline buttons disabled for prompt
+  // discovery" — return "off" rather than the default "allowlist" so the
+  // model never advertises inline-button support when the account hasn't been
+  // resolved yet (the runtime send path uses the resolved snapshot, so a real
+  // configured account still gets the right capability there). Returning
+  // "allowlist" here would prompt the model to generate inline-button payloads
+  // even when capabilities.inlineButtons is configured "off".
   let account: ReturnType<typeof resolveTelegramAccount>;
   try {
     account = resolveTelegramAccount({ cfg: params.cfg, accountId: params.accountId });
   } catch (err) {
     if (err instanceof Error && /unresolved SecretRef/i.test(err.message)) {
-      return DEFAULT_INLINE_BUTTONS_SCOPE;
+      return "off";
     }
     throw err;
   }
