feat: add dm allowlist match metadata logs

Co-authored-by: thewilloftheshadow <thewilloftheshadow@users.noreply.github.com>

src/telegram/bot-access.ts

@@ -5,6 +5,12 @@ export type NormalizedAllowFrom = {
   hasEntries: boolean;
 };
 
+export type AllowFromMatch = {
+  allowed: boolean;
+  matchKey?: string;
+  matchSource?: "wildcard" | "id" | "username";
+};
+
 export const normalizeAllowFrom = (list?: Array<string | number>): NormalizedAllowFrom => {
   const entries = (list ?? []).map((value) => String(value).trim()).filter(Boolean);
   const hasWildcard = entries.includes("*");
@@ -40,3 +46,27 @@ export const isSenderAllowed = (params: {
   if (!username) return false;
   return allow.entriesLower.some((entry) => entry === username || entry === `@${username}`);
 };
+
+export const resolveSenderAllowMatch = (params: {
+  allow: NormalizedAllowFrom;
+  senderId?: string;
+  senderUsername?: string;
+}): AllowFromMatch => {
+  const { allow, senderId, senderUsername } = params;
+  if (allow.hasWildcard) {
+    return { allowed: true, matchKey: "*", matchSource: "wildcard" };
+  }
+  if (!allow.hasEntries) return { allowed: false };
+  if (senderId && allow.entries.includes(senderId)) {
+    return { allowed: true, matchKey: senderId, matchSource: "id" };
+  }
+  const username = senderUsername?.toLowerCase();
+  if (!username) return { allowed: false };
+  const entry = allow.entriesLower.find(
+    (candidate) => candidate === username || candidate === `@${username}`,
+  );
+  if (entry) {
+    return { allowed: true, matchKey: entry, matchSource: "username" };
+  }
+  return { allowed: false };
+};

src/telegram/bot-message-context.ts

@@ -34,7 +34,12 @@ import {
   hasBotMention,
   resolveTelegramForumThreadId,
 } from "./bot/helpers.js";
-import { firstDefined, isSenderAllowed, normalizeAllowFrom } from "./bot-access.js";
+import {
+  firstDefined,
+  isSenderAllowed,
+  normalizeAllowFrom,
+  resolveSenderAllowMatch,
+} from "./bot-access.js";
 import { upsertTelegramPairingRequest } from "./pairing-store.js";
 import type { TelegramContext } from "./bot/types.js";
 
@@ -174,14 +179,16 @@ export const buildTelegramMessageContext = async ({
     if (dmPolicy !== "open") {
       const candidate = String(chatId);
       const senderUsername = msg.from?.username ?? "";
+      const allowMatch = resolveSenderAllowMatch({
+        allow: effectiveDmAllow,
+        senderId: candidate,
+        senderUsername,
+      });
+      const allowMatchMeta = `matchKey=${allowMatch.matchKey ?? "none"} matchSource=${
+        allowMatch.matchSource ?? "none"
+      }`;
       const allowed =
-        effectiveDmAllow.hasWildcard ||
-        (effectiveDmAllow.hasEntries &&
-          isSenderAllowed({
-            allow: effectiveDmAllow,
-            senderId: candidate,
-            senderUsername,
-          }));
+        effectiveDmAllow.hasWildcard || (effectiveDmAllow.hasEntries && allowMatch.allowed);
       if (!allowed) {
         if (dmPolicy === "pairing") {
           try {
@@ -207,6 +214,8 @@ export const buildTelegramMessageContext = async ({
                   username: from?.username,
                   firstName: from?.first_name,
                   lastName: from?.last_name,
+                  matchKey: allowMatch.matchKey ?? "none",
+                  matchSource: allowMatch.matchSource ?? "none",
                 },
                 "telegram pairing request",
               );
@@ -228,7 +237,9 @@ export const buildTelegramMessageContext = async ({
             logVerbose(`telegram pairing reply failed for chat ${chatId}: ${String(err)}`);
           }
         } else {
-          logVerbose(`Blocked unauthorized telegram sender ${candidate} (dmPolicy=${dmPolicy})`);
+          logVerbose(
+            `Blocked unauthorized telegram sender ${candidate} (dmPolicy=${dmPolicy}, ${allowMatchMeta})`,
+          );
         }
         return null;
       }