feat: scaffold plug-n-play telegram bot on cloudflare workers

grammY-based bot with a module plugin system loaded from the MODULES env var. Three command visibility levels (public/protected/private) share a unified command namespace with conflict detection at registry build. - 4 initial modules (util, wordle, loldle, misc); util fully implemented, others are stubs proving the plugin system end-to-end - util: /info (chat/thread/sender ids) + /help (pure renderer over the registry, HTML parse mode, escapes user-influenced strings) - KVStore interface with CFKVStore and a per-module prefixing factory; getJSON/putJSON convenience helpers; other backends drop in via one file - Webhook at POST /webhook with secret-token validation via grammY's webhookCallback; no admin HTTP surface - Post-deploy register script (npm run deploy = wrangler deploy && node --env-file=.env.deploy scripts/register.js) for setWebhook and setMyCommands; --dry-run flag for preview - 56 vitest unit tests across 7 suites covering registry, db wrapper, dispatcher, help renderer, validators, and HTML escaper - biome for lint + format; phased implementation plan under plans/
2026-04-17 19:22:09 +00:00 · 2026-04-11 09:49:06 +07:00
parent e76ad8c0ee
commit c4314f21df
51 changed files with 6928 additions and 1 deletions
--- a/src/util/escape-html.js
+++ b/src/util/escape-html.js
@@ -0,0 +1,21 @@
+/**
+ * @file escape-html — minimal HTML entity escaper for Telegram HTML parse mode.
+ *
+ * Telegram's HTML parse mode needs only four characters escaped: &, <, >, ".
+ * Keep this as a tiny hand-rolled function — pulling in a library for four
+ * replacements is YAGNI.
+ *
+ * @see https://core.telegram.org/bots/api#html-style
+ */
+
+/**
+ * @param {unknown} s — coerced to string.
+ * @returns {string}
+ */
+export function escapeHtml(s) {
+  return String(s)
+    .replaceAll("&", "&amp;")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;");
+}