
#17357: feat(telegram): implement telegram poll action, persistent answer routing, fixed some vulnerabilities

by akyourowngames open 2026-02-15 17:43
channel: telegram scripts agents size: L
# Openclaw Contribution

This file summarizes the changes made to the Openclaw project.

## Vulnerability Fix

A medium-severity vulnerability was identified in the `request` package. This package was a transitive dependency of the `matrix` extension. The `request` package is deprecated and has a known Server-Side Request Forgery (SSRF) vulnerability (GHSA-p8p7-x288-28g6).

To mitigate this vulnerability, the `request` package was replaced with the `got` package using a `pnpm` override in the root `package.json` file.

### Verification

The following steps were taken to verify the fix:

1. **Tests:** The extension test suite was run to ensure that the change did not break any existing functionality. All tests passed.
2. **Audit:** `pnpm audit` was run after the change to confirm that the vulnerability was no longer present. The audit reported no vulnerabilities.

## Telegram Poll Plugin Verification

Use these steps to verify the Telegram poll plugin flow end-to-end.

### 1. Configure Telegram and start gateway

```powershell
cd openclaw
openclaw config set channels.telegram.botToken "<YOUR_BOT_TOKEN>"
openclaw config set channels.telegram.enabled true
pnpm dev
```

### 2. Check channel health

In a second terminal:

```powershell
cd openclaw
openclaw channels status --probe
```

Expected: Telegram account is configured/enabled/connected.

### 3. Send a basic poll from CLI

```powershell
cd openclaw
openclaw message poll --channel telegram --target "<chat_id_or_telegram:chat_id>" --poll-question "Lunch?" --poll-option "Pizza" --poll-option "Sushi"
```

Expected: poll appears in Telegram chat.

### 4. Verify Telegram poll options

Silent delivery:

```powershell
cd openclaw
openclaw message poll --channel telegram --target "<chat>" --poll-question "Silent test?" --poll-option "A" --poll-option "B" --silent
```

Duration in seconds (valid range 5-600):

```powershell
cd openclaw
openclaw message poll --channel telegram --target "<chat>" --poll-question "Duration?" --poll-option "A" --poll-option "B" --poll-duration-seconds 60
```

Anonymous poll:

```powershell
cd openclaw
openclaw message poll --channel telegram --target "<chat>" --poll-question "Anon?" --poll-option "Yes" --poll-option "No" --poll-anonymous
```

Public poll (if exposed in your CLI surface):

```powershell
cd openclaw
openclaw message poll --channel telegram --target "<chat>" --poll-question "Public?" --poll-option "Yes" --poll-option "No" --poll-public
```

### 5. Vote in Telegram and confirm inbound handling

1. Vote on the poll in Telegram.
2. Confirm bot sends an acknowledgement message ("Got it. You selected: ...").
3. Confirm poll-answer event is routed into OpenClaw session/system events.

### 6. Check logs for handler errors

Look at gateway logs and ensure there are no poll handler errors such as:

`telegram poll answer handler failed`

### 7. Negative validation checks

One option only (should fail):

```powershell
cd openclaw
openclaw message poll --channel telegram --target "<chat>" --poll-question "Bad" --poll-option "OnlyOne"
```

Expected: validation error requiring at least two options.

Out-of-range duration (should fail):

```powershell
cd openclaw
openclaw message poll --channel telegram --target "<chat>" --poll-question "Bad duration" --poll-option "A" --poll-option "B" --poll-duration-seconds 601
```

Expected: validation error for duration range.

### 8. Optional local test suite verification

```powershell
cd openclaw
pnpm -s vitest run src/telegram/send.poll.test.ts src/telegram/allowed-updates.test.ts src/telegram/poll-answer-cache.test.ts src/channels/plugins/actions/telegram.test.ts src/channels/plugins/outbound/telegram.test.ts
pnpm -s tsc -p tsconfig.json --noEmit
```

Successfully created one and one poll cast feature for the agent, where the agent has access to what the user cast!!

### Greptile Summary

Adds Telegram poll functionality with persistent answer routing to agent sessions, including CLI support and agent tools. Changes default poll behavior to non-anonymous (public votes) and converts `durationHours` to seconds, which always exceeds Telegram's 600s limit. The `request` → `got` override addresses an SSRF vulnerability but breaks API compatibility with the matrix extension's callback-based interface.

- Implements complete poll lifecycle: sending via `sendPollTelegram`, receiving answers via `poll_answer` handler, caching context in `poll-answer-cache.ts`, and routing events to agent sessions
- Adds `poll` action to telegram plugin with validation for options (min 2), mutual exclusivity of `pollAnonymous`/`pollPublic`, and duration handling
- New `poll-confirmation` skill enables agents to use polls for user decision-making
- Test coverage added for poll sending, answer caching, and outbound adapter
- The vulnerability fix may cause runtime failures in matrix extension due to incompatible API replacement

### Confidence Score: 2/5

- This PR has a critical logical error that breaks `durationHours` functionality and a potentially breaking API compatibility issue
- The `durationHours` conversion logic has a bug that always causes validation failures (confirmed by test on line 65-77 of send.poll.test.ts). Additionally, the `request` → `got` override resolves an audit finding but breaks API compatibility with `request-promise` used by the matrix bot SDK, which may cause runtime errors. The poll implementation itself is well-structured with good test coverage, but these two issues need resolution before merge.
- src/telegram/send.ts (critical durationHours logic bug), package.json (API compatibility concern with matrix extension)

<sub>Last reviewed commit: aa0c915</sub>
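The validation rules from steps 4 and 7 and the `durationHours` issue raised in the Greptile summary, written out as an added example; this is not code from the PR or from OpenClaw. `validatePoll`, `PollInput`, `TelegramPoll` and `durationSeconds` are hypothetical names, while `is_anonymous` and `open_period` are fields of the Telegram Bot API `sendPoll` method.

```typescript
// Added example. validatePoll, PollInput and TelegramPoll are hypothetical names,
// not OpenClaw code; open_period and is_anonymous are Telegram Bot API sendPoll fields.
const MIN_OPEN_PERIOD_S = 5; // range given in the verification steps
const MAX_OPEN_PERIOD_S = 600;

interface PollInput {
  question: string;
  options: string[];
  pollAnonymous?: boolean;
  pollPublic?: boolean;
  durationSeconds?: number;
  durationHours?: number;
}

interface TelegramPoll {
  question: string;
  options: string[];
  is_anonymous: boolean;
  open_period?: number;
}

type PollResult = { ok: true; poll: TelegramPoll } | { ok: false; error: string };

function validatePoll(input: PollInput): PollResult {
  // Count only non-empty options so "A", "" cannot pass as two choices.
  const options = input.options.map((o) => o.trim()).filter((o) => o.length > 0);
  if (options.length < 2) {
    return { ok: false, error: "poll requires at least two options" };
  }
  if (input.pollAnonymous && input.pollPublic) {
    return { ok: false, error: "pollAnonymous and pollPublic are mutually exclusive" };
  }
  // Seconds win when both are given; hours are converted the way the review describes.
  const openPeriod = input.durationSeconds ??
    (input.durationHours !== undefined ? input.durationHours * 3600 : undefined);
  if (openPeriod !== undefined) {
    const inRange = openPeriod >= MIN_OPEN_PERIOD_S && openPeriod <= MAX_OPEN_PERIOD_S;
    if (!Number.isInteger(openPeriod) || !inRange) {
      return { ok: false, error: `duration ${openPeriod}s is outside 5-600 seconds` };
    }
  }
  const poll: TelegramPoll = {
    question: input.question,
    options,
    is_anonymous: input.pollAnonymous === true, // default is a public (non-anonymous) poll
  };
  if (openPeriod !== undefined) poll.open_period = openPeriod;
  return { ok: true, poll };
}
```

With this conversion, one hour becomes 3600 seconds, so every whole-hour `durationHours` value is rejected by the 600-second ceiling.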
