Summary
In Telegram group chats, write_file is being authorized with:
userId = group:telegram:<group_id>
instead of the actual sender's Telegram user ID.
This breaks file-writer authorization in groups and causes write_file to fail before file creation.
Affected versions
Reproduced on:
Expected
For Telegram group messages:
- group should remain the session/scope
- sender should remain the acting user
So file-writer checks should use:
- scope =
group:telegram:<group_id>
- user =
<sender_user_id>
Actual
write_file fails with:
permission denied: only file writers can modify files in this group. Use /addwriter to get write access
Runtime/tool context shows the wrong principal:
{
"userId": "group:telegram:<groupid>",
"channel": "telegram",
"sessionKey": "agent:<agent>:telegram:group:<groupid>"
}
This suggests group runs are assigning user_id to the group principal instead of the sender user.
Minimal evidence
[INFO] inbound: scheduling message (main lane) ... peerkind=group ... userid=group:telegram:<groupid>
[INFO] tool call ... tool=writefile
[WARN] tool error ... permission denied: only file writers can modify files in this group ...
Tool result:json
{
"type": "tool.result",
"payload": {
"name": "writefile",
"iserror": true,
"result": "permission denied: only file writers can modify files in this group. Use /addwriter to get write access"
},
"userId": "group:telegram:<group_id>",
"channel": "telegram"
}
Likely root cause
Telegram group inbound/runtime context appears to collapse:
- group scope/session
- acting user
into the same principal.
commands_writers.go seems to treat:
- group = scope
- sender = actor
But the tool runtime appears to treat:
- group = scope
- group = actor
Suggested fix
For Telegram group runs, keep these separate:
- session/scope →
group:telegram:<group_id>
- acting user → actual Telegram sender user ID
Then run write_file auth against the sender user within the group scope.
Summary
In Telegram group chats,
write_fileis being authorized with:userId = group:telegram:<group_id>instead of the actual sender's Telegram user ID.
This breaks file-writer authorization in groups and causes
write_fileto fail before file creation.Affected versions
Reproduced on:
v3.6.0v3.7.1Expected
For Telegram group messages:
So file-writer checks should use:
group:telegram:<group_id><sender_user_id>Actual
write_filefails with:permission denied: only file writers can modify files in this group. Use /addwriter to get write accessRuntime/tool context shows the wrong principal:
This suggests group runs are assigning
user_idto the group principal instead of the sender user.Minimal evidence
Likely root cause
Telegram group inbound/runtime context appears to collapse:
into the same principal.
commands_writers.goseems to treat:But the tool runtime appears to treat:
Suggested fix
For Telegram group runs, keep these separate:
group:telegram:<group_id>Then run
write_fileauth against the sender user within the group scope.