Skip to content

fix(telegram): stage managed bot until owner capture#1119

Merged
artemgetmann merged 5 commits into
mainfrom
fix/telegram-onboarding-staged-owner
Jul 8, 2026
Merged

fix(telegram): stage managed bot until owner capture#1119
artemgetmann merged 5 commits into
mainfrom
fix/telegram-onboarding-staged-owner

Conversation

@artemgetmann

@artemgetmann artemgetmann commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Review Fast Path

  • User path fixed: Jarvis managed Telegram setup -> user creates bot -> first DM becomes owner allowlist, not a pairing/access-not-configured prompt.
  • Proof: swift test --package-path apps/macos --no-parallel --filter 'TelegramSetupBootstrapTests|ConsumerSetupResumeTests' passed 32 tests; pnpm exec vitest run src/config/config.allowlist-requires-allowfrom.test.ts passed 15 tests; /tmp/jarvis-backend-telegram-venv/bin/python -m pytest services/jarvis-backend/tests/test_app.py passed 48 tests; git diff --check passed.
  • Shared-state footgun removed: managed child bot token is staged with Telegram polling disabled until the owner sender id is captured; disabled staged config is schema-valid; expired backend setup rows retain diagnostics but scrub child bot tokens.
  • Still hurts: live E2E could not complete in this run because the current backend setup expired before a child bot token was issued; @jarvis_f866035f_bot was created/messaged under an already-expired setup, and @jarvis_9773392b_bot did not exist.

Why This Matters

A user can do the right thing in Telegram and still end up with a silent or developer-looking bot if Jarvis enables polling before it knows who the owner is, or if the backend setup expires/deletes before the app retrieves the child token.

This PR fixes both product failure shapes:

  • The macOS app no longer enables the managed Telegram bot until it has a trusted owner sender id.
  • The config schema now accepts the intentional disabled/staged Telegram state.
  • The backend gives users a 24-hour approval window and preserves expired setup evidence for clear recovery without retaining expired child bot tokens.

Scope Boundary

Changed:

  • Managed Telegram token staging in the macOS setup store.
  • Setup pause/timeout recovery so it stays in allowlist mode instead of pairing mode.
  • Config validation for disabled staged Telegram allowlist configs.
  • Backend managed Telegram setup TTL, expired-row retention, and expired token scrubbing.
  • Regression tests for staged config, owner-id enablement, schema validity, expiry, retention, and token scrub.

Did not change:

  • BotFather/newbot provider protocol.
  • Public Telegram Bot API calls outside managed setup.
  • Backend deployment or Render config.
  • Live shared Jarvis runtime.

Verification

Local:

swift test --package-path apps/macos --no-parallel --filter 'TelegramSetupBootstrapTests|ConsumerSetupResumeTests'
# 32 tests passed

pnpm exec vitest run src/config/config.allowlist-requires-allowfrom.test.ts
# 1 file passed, 15 tests passed

node --import tsx -e 'import { validateConfigObject } from "./src/config/config.js"; const res = validateConfigObject({channels:{telegram:{enabled:false,botToken:"fake",dmPolicy:"allowlist",accounts:{default:{botToken:"fake"}}}}}); console.log(JSON.stringify(res)); if (!res.ok) process.exit(1);'
# ok:true

/tmp/jarvis-backend-telegram-venv/bin/python -m pytest services/jarvis-backend/tests/test_app.py
# 48 passed

git diff --check
# passed

Live investigation evidence from this run:

  • Backend setup tgms_bZwEFrpVl2ByKllgOP3HTA for jarvis_9773392b_bot returned pending until expiry, then 410 Telegram setup expired.
  • Telegram userbot confirmed @jarvis_f866035f_bot had outgoing /start and hi from user id 1336356696.
  • Telegram userbot confirmed @jarvis_9773392b_bot did not exist, so no child token could be issued for the current setup.

Security Impact

  • New permissions/capabilities? No.
  • Secrets/tokens handling changed? Yes: managed child bot tokens are persisted disabled until sender trust is known, and expired retained setup rows scrub child tokens.
  • New/changed network calls? No.
  • Command/tool execution surface changed? No.
  • Data access scope changed? No.

Human Verification

  • Verified scenarios: managed status stages child token disabled; restore keeps unknown owner staged; restore enables only after owner id; final owner allowlist config; disabled staged config is schema-valid; backend TTL/expiry/retention; expired connected setup scrubs child token.
  • Edge cases checked: expired setup returns 410 without deleting row; recently expired setup survives next prune/start with token scrubbed; missing setup still clears stale app state.
  • Not verified: post-merge deployed backend plus fresh live Telegram roundtrip, because the available live setup expired before token issuance.

AI Assistance

  • AI-assisted
  • Testing degree: targeted + live investigation, not full live E2E

@artemgetmann artemgetmann marked this pull request as ready for review July 8, 2026 11:01
@artemgetmann artemgetmann merged commit 37c9025 into main Jul 8, 2026
29 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant