fix(telegram): extend chat-scoped allowlist to channel posts

[teknium1]

From post-merge audit of PR #28523 (#25327 salvage, handle channel post updates).

Context

PR #28523 added channel-post routing through effective_message. Channel posts work in two auth scenarios today:

1. Operator adds the channel id to TELEGRAM_ALLOWED_USERS (works because _build_message_event sets user_id = str(chat.id) when there's no from_user for channel posts).
2. GATEWAY_ALLOW_ALL_USERS=true.

But the chat-scoped TELEGRAM_GROUP_ALLOWED_CHATS allowlist (intended to authorize entire chats by id) only matches source.chat_type in {'group', 'forum'} at gateway/run.py:6089. So operators who'd intuitively put their channel id in TELEGRAM_GROUP_ALLOWED_CHATS get a silent rejection.

Proposed fix

Extend the chat-scoped check to include "channel":

# gateway/run.py around line 6089
if source.chat_type in {"group", "forum", "channel"} and source.chat_id:
    chat_allowlist_env = {
        Platform.TELEGRAM: "TELEGRAM_GROUP_ALLOWED_CHATS",
        ...

OR introduce a separate TELEGRAM_CHANNEL_ALLOWED_CHATS env var if we want to keep group-vs-channel auth distinct.

Severity

Low-medium. Operators already have two working paths; this is a UX polish + docs update so the obvious-looking env var actually does what its name implies.

Related docs to update

• website/docs/reference/environment-variables.md
• website/docs/user-guide/messaging/telegram.md (channel section if any)