telegram: require strict integer ids for destructive paths

extensions/telegram/src/channel-actions.ts

@@ -70,6 +70,7 @@ function readTelegramMessageIdParam(
   const messageId = readNumberParam(params, "messageId", {
     required,
     integer: true,
+    strict: true,
   });
   if (required && typeof messageId !== "number") {
     throw new Error("messageId is required.");
@@ -79,8 +80,8 @@ function readTelegramMessageIdParam(
 
 function readTelegramTopicIdParam(params: Record<string, unknown>): number | undefined {
   return (
-    readNumberParam(params, "topicId", { integer: true }) ??
-    readNumberParam(params, "threadId", { integer: true })
+    readNumberParam(params, "topicId", { integer: true, strict: true }) ??
+    readNumberParam(params, "threadId", { integer: true, strict: true })
   );
 }
 

src/channels/plugins/actions/actions.test.ts

@@ -913,6 +913,28 @@ describe("telegramMessageActions", () => {
     expect(handleTelegramAction).not.toHaveBeenCalled();
   });
 
+  it("rejects non-integer topic-delete ids before telegram-actions", async () => {
+    const cfg = telegramCfg();
+    const handleAction = telegramMessageActions.handleAction;
+    if (!handleAction) {
+      throw new Error("telegram handleAction unavailable");
+    }
+
+    await expect(
+      handleAction({
+        channel: "telegram",
+        action: "topic-delete",
+        params: {
+          to: "-1001234567890",
+          topicId: "271abc",
+        },
+        cfg,
+      }),
+    ).rejects.toThrow(/threadId\/topicId is required for action=topic-delete/i);
+
+    expect(handleTelegramAction).not.toHaveBeenCalled();
+  });
+
   it("forwards trusted mediaLocalRoots for send", async () => {
     const cfg = telegramCfg();
     await telegramMessageActions.handleAction?.({