feat: Telegram Bridge MCP Server for remote control#11147
feat: Telegram Bridge MCP Server for remote control#11147roomote[bot] wants to merge 1 commit intomainfrom
Conversation
This PR implements the foundation for Issue #11146 - Native Telegram Bot Integration for Remote Control. Changes: - Add ApproveAsk and DenyAsk commands to IPC types - Add IPC command handlers in extension for approve/deny - Create @roo-code/telegram-bridge MCP server package - Add Telegram bot integration with approve/deny buttons - Add tests for new IPC commands The Telegram Bridge MCP Server allows users to: - Receive Roo Code messages on Telegram in real-time - Approve/reject tool operations via inline buttons - Send new instructions from Telegram - Monitor task status remotely
Review completed with 2 issues found.
Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues. |
![roomote[bot]](https://avatars.githubusercontent.com/in/1546624?s=60&v=4){kind=small}
| // Handle callback queries (button clicks) | ||
| this.bot.on("callback_query", async (query) => { | ||
| if (!query.data || !query.message) return | ||
|
|
||
| const [action, approvalId] = query.data.split(":") |
There was a problem hiding this comment.
Security issue: The callback_query handler does not validate that the callback originates from the authorized chat ID. While the message handler at line 162 properly checks msg.chat.id.toString() !== this.options.chatId, this handler processes callbacks from any user who interacts with the bot. If an unauthorized user has access to the bot and can guess or brute-force an approvalId (which uses Date.now() plus a short random string), they could approve or deny operations remotely.
| // Handle callback queries (button clicks) | |
| this.bot.on("callback_query", async (query) => { | |
| if (!query.data || !query.message) return | |
| const [action, approvalId] = query.data.split(":") | |
| this.bot.on("callback_query", async (query) => { | |
| if (!query.data || !query.message) return | |
| // Validate callback comes from authorized chat | |
| if (query.message.chat.id.toString() !== this.options.chatId) { | |
| return | |
| } | |
| const [action, approvalId] = query.data.split(":") |
Fix it with Roo Code or mention @roomote and request a fix.
| } | ||
|
|
||
| private async handleCommand(text: string): Promise<void> { | ||
| const [command, ...args] = text.split(" ") |
There was a problem hiding this comment.
Minor code quality issue: The args variable is destructured but never used. Consider removing it or prefixing with underscore to indicate intentional non-use.
| const [command, ...args] = text.split(" ") | |
| const [command] = text.split(" ") |
Fix it with Roo Code or mention @roomote and request a fix.
1 participant
Summary
This PR attempts to address Issue #11146 - Native Telegram Bot Integration for Remote Control.
Changes
IPC Types (
packages/types/src/ipc.ts)ApproveAskandDenyAskcommands toTaskCommandNameenumIPC Client (
packages/ipc/src/ipc-client.ts)approveAsk()anddenyAsk()helper methodsExtension API (
src/extension/api.ts)ApproveAskandDenyAskIPC commandsapproveCurrentAsk()anddenyCurrentAsk()methodsTelegram Bridge MCP Server (
packages/telegram-bridge/)@roo-code/telegram-bridge/help,/status,/cancel)Features
Testing
ApproveAskandDenyAsk)Next Steps (for future PRs)
Related
Closes #11146
Feedback and guidance are welcome!
Important
Introduces a Telegram Bridge MCP Server for Roo Code, enabling remote control via Telegram with new IPC commands for task approval and denial.
@roo-code/telegram-bridgefor remote control via Telegram./help,/status,/cancel.ipc.ts):ApproveAskandDenyAsktoTaskCommandName.taskCommandSchemato include new commands.ipc-client.ts):approveAsk()anddenyAsk()methods.api.ts):ApproveAskandDenyAskcommands.approveCurrentAsk()anddenyCurrentAsk()methods.ApproveAskandDenyAskinipc.test.ts.This description was created by
for c7d31ae. You can customize this summary. It will automatically update as commits are pushed.