fix(telegram): enforce gateway auth for inline approval callbacks (#17862)

[teknium1]

Salvage of #17862 by @johnncenae onto current main.

Summary

Telegram inline button callbacks (approval, slash-confirm, update-prompt) now delegate authorization to GatewayRunner._is_user_authorized() when a runner is attached, with the existing TELEGRAM_ALLOWED_USERS env check as a fallback.

Previously the callback path returned True when TELEGRAM_ALLOWED_USERS was unset, completely bypassing global gateway policy (GATEWAY_ALLOW_ALL_USERS=false, per-chat whitelists via TELEGRAM_GROUP_ALLOWED_CHATS, DM pairing, etc.). A user blocked by global policy could still press approval/confirm/update-prompt buttons.

Changes

• TelegramAdapter._is_callback_user_authorized(...) — now an instance method that builds a SessionSource (chat_id, chat_type, thread_id, user_id, user_name), hands it to the runner's auth, and falls back to the env-only check if no runner is attached
• Three callback handlers (exec approval, slash-confirm, update-prompt) now pass callback chat/thread/user context into the helper
• Two regression tests: approval callback + update-prompt callback both reject runner-denied users and preserve state

Validation

scripts/run_tests.sh tests/gateway/test_telegram_approval_buttons.py tests/gateway/test_telegram_group_gating.py tests/gateway/test_telegram_format.py tests/gateway/test_telegram_webhook_secret.py → 120/120 passed.

Follow-up (separate concern, NOT in this PR)

Model picker callbacks (mp:/mm:/mb:/mx:/mg:) at telegram.py:1809 have no auth check at all — they only check that a picker state exists for the chat. That's a different design question (who's authorized to change the chat's model after someone else ran /model?) and is out of scope here.

Closes #17862.

[alt-glitch]

Supersedes #17862 (salvaged). Likely supersedes #18016 as well (same auth delegation fix).