fix: adapt landed fixups to current type and approval constraints

src/config/io.eacces.test.ts

@@ -19,7 +19,7 @@ function makeEaccesFs(configPath: string) {
       writeFile: () => Promise.resolve(),
       appendFile: () => Promise.resolve(),
     },
-  } as unknown as typeof import("node:fs").default;
+  } as unknown as typeof import("node:fs");
 }
 
 describe("config io EACCES handling", () => {

src/gateway/node-invoke-system-run-approval.test.ts

@@ -145,6 +145,7 @@ describe("sanitizeSystemRunParamsForForwarding", () => {
     const record = approvalManager.create(
       {
         host: "node",
+        nodeId: "node-1",
         command: "echo SAFE",
         cwd: null,
         agentId: null,
@@ -170,6 +171,7 @@ describe("sanitizeSystemRunParamsForForwarding", () => {
     };
 
     const first = sanitizeSystemRunParamsForForwarding({
+      nodeId: "node-1",
       rawParams: params,
       client,
       execApprovalManager: approvalManager,
@@ -178,6 +180,7 @@ describe("sanitizeSystemRunParamsForForwarding", () => {
     expectAllowOnceForwardingResult(first);
 
     const second = sanitizeSystemRunParamsForForwarding({
+      nodeId: "node-1",
       rawParams: params,
       client,
       execApprovalManager: approvalManager,

src/telegram/bot/delivery.ts

@@ -40,7 +40,7 @@ const TELEGRAM_MEDIA_SSRF_POLICY = {
   // resolution maps to private/internal ranges in restricted networks.
   allowedHostnames: ["api.telegram.org"],
   allowRfc2544BenchmarkRange: true,
-} as const;
+};
 
 export async function deliverReplies(params: {
   replies: ReplyPayload[];