mirror of
https://github.com/chenhg5/cc-connect.git
synced 2026-07-08 07:51:12 +08:00
Permission responses synthesized by inline-button / card-action paths (Telegram callback_query, Feishu card_action, QQBot interaction button, bridge web admin card_action) used to fall through to the agent's prompt stream as the literal string "allow" / "deny" when the interactive state or pending permission was missing — typically because the user tapped an old card after a session reset, bot restart, or card-message redelivery. Add an IsPermissionResponse flag on core.Message, set it on every synthesized permission callback path, and have handlePendingPermission drop such messages silently (returning true) when no matching interactive state / pending request exists. Plain text "allow" / "deny" typed by a real user continues to flow through the normal message handler. This rebuilds owner PR #826 against current main; the original commit only covered Telegram + Feishu and missed the QQBot + bridge paths flagged in review. Request-ID validation is deferred as a follow-up: it requires changing button data formats across every platform and the engine signature, which is larger than a focused bug fix. Co-authored-by: Claude <noreply@anthropic.com>