fix: preserve command auth resolution errors on empty inferred allowlists

obviyus · obviyus · commit 17c1ee7716e3 · 2026-03-24T08:38:27.000+05:30
diff --git a/src/auto-reply/command-auth.ts b/src/auto-reply/command-auth.ts
@@ -69,11 +69,9 @@ function resolveProviderFromContext(
         accountId: ctx.AccountId,
         allowFrom: resolvedAllowFrom.allowFrom,
       });
-      if (allowFrom.length === 0) {
-        return null;
-      }
       return {
         providerId: plugin.id,
+        allowFrom,
         hadResolutionError: resolvedAllowFrom.hadResolutionError,
       };
     })
@@ -82,11 +80,16 @@ function resolveProviderFromContext(
         value,
       ): value is {
         providerId: ChannelId;
+        allowFrom: string[];
         hadResolutionError: boolean;
       } => Boolean(value),
     );
-  if (configured.length === 1) {
-    return configured[0];
+  const inferred = configured.filter((entry) => entry.allowFrom.length > 0);
+  if (inferred.length === 1) {
+    return {
+      providerId: inferred[0].providerId,
+      hadResolutionError: inferred[0].hadResolutionError,
+    };
   }
   return {
     providerId: undefined,
@@ -450,6 +453,9 @@ export function resolveCommandAuthorization(params: {
   const plugin = providerId ? getChannelPlugin(providerId) : undefined;
   const from = (ctx.From ?? "").trim();
   const to = (ctx.To ?? "").trim();
+  const commandsAllowFromConfigured = Boolean(
+    cfg.commands?.allowFrom && typeof cfg.commands.allowFrom === "object",
+  );
 
   // Check if commands.allowFrom is configured (separate command authorization)
   const commandsAllowFromList = resolveCommandsAllowFromList({
@@ -565,10 +571,12 @@ export function resolveCommandAuthorization(params: {
   // If commands.allowFrom is configured, use it for command authorization
   // Otherwise, fall back to existing behavior (channel allowFrom + owner checks)
   let isAuthorizedSender: boolean;
-  if (commandsAllowFromList !== null) {
+  if (commandsAllowFromList !== null || (providerResolutionError && commandsAllowFromConfigured)) {
     // commands.allowFrom is configured - use it for authorization
-    const commandsAllowAll = commandsAllowFromList.some((entry) => entry.trim() === "*");
-    const matchedCommandsAllowFrom = commandsAllowFromList.length
+    const commandsAllowAll =
+      !providerResolutionError &&
+      Boolean(commandsAllowFromList?.some((entry) => entry.trim() === "*"));
+    const matchedCommandsAllowFrom = commandsAllowFromList?.length
       ? senderCandidates.find((candidate) => commandsAllowFromList.includes(candidate))
       : undefined;
     isAuthorizedSender =
diff --git a/src/auto-reply/command-control.test.ts b/src/auto-reply/command-control.test.ts
@@ -487,7 +487,6 @@ describe("resolveCommandAuthorization", () => {
 
       expect(deniedAuth.isAuthorizedSender).toBe(false);
     });
-
     it("fails closed when provider inference hits unresolved SecretRef allowlists", () => {
       setActivePluginRegistry(
         createTestRegistry([
@@ -538,6 +537,51 @@ describe("resolveCommandAuthorization", () => {
       expect(auth.isAuthorizedSender).toBe(false);
     });
 
+    it("preserves provider resolution errors when inferred fallback allowFrom is empty", () => {
+      setActivePluginRegistry(
+        createTestRegistry([
+          {
+            pluginId: "telegram",
+            plugin: {
+              ...createOutboundTestPlugin({
+                id: "telegram",
+                outbound: { deliveryMode: "direct" },
+              }),
+              config: {
+                listAccountIds: () => ["default"],
+                resolveAccount: () => ({}),
+                resolveAllowFrom: () => {
+                  throw new Error("channels.telegram.botToken: unresolved SecretRef");
+                },
+                formatAllowFrom: ({ allowFrom }: { allowFrom: Array<string | number> }) =>
+                  allowFrom.map((entry) => String(entry).trim()).filter(Boolean),
+              },
+            },
+            source: "test",
+          },
+        ]),
+      );
+
+      const auth = resolveCommandAuthorization({
+        ctx: {
+          SenderId: "123",
+        } as MsgContext,
+        cfg: {
+          commands: {
+            allowFrom: {
+              telegram: ["123"],
+            },
+          },
+          channels: {
+            telegram: {},
+          },
+        } as OpenClawConfig,
+        commandAuthorized: true,
+      });
+
+      expect(auth.providerId).toBeUndefined();
+      expect(auth.isAuthorizedSender).toBe(false);
+    });
     it("does not let an unrelated provider resolution error poison inferred commands.allowFrom", () => {
       setActivePluginRegistry(
         createTestRegistry([
