fix(telegram): add user-level access control for groups and DMs

[xandersbell]

Summary

Add TELEGRAM_ALLOWED_USERS and TELEGRAM_GROUP_ALLOWED_USERS support to the Telegram adapter, mirroring the existing WeChat implementation (fixes #7651).

Problem

Hermes's Telegram integration has no user-level access control. Any Telegram user can add the bot to their own group and trigger it via @mention — there is no way to restrict access to specific users.

Solution

Read TELEGRAM_ALLOWED_USERS and TELEGRAM_GROUP_ALLOWED_USERS environment variables (or config.yaml allow_from / group_allow_from fields) and check sender user ID before processing any message:

• TELEGRAM_ALLOWED_USERS: whitelist of Telegram user IDs who can DM the bot
• TELEGRAM_GROUP_ALLOWED_USERS: whitelist of Telegram user IDs who can @mention the bot in groups
• "*" wildcard disables the check (backwards-compatible default)

Changes

File	Change
gateway/platforms/telegram.py	__init__: add _allow_from, _group_allow_from; add _coerce_list static method; _should_process_message: add user allowlist checks before existing trigger logic
tests/gateway/test_telegram_group_gating.py	5 new tests: whitelist accept/reject for groups and DMs, wildcard behavior

Usage

# DM: only user 6043083374 can interact
TELEGRAM_ALLOWED_USERS=123456

# Groups: only user 6043083374 can @mention in groups
TELEGRAM_GROUP_ALLOWED_USERS=123456

# Allow all users
TELEGRAM_ALLOWED_USERS=*

Or in config.yaml:

telegram:
  allow_from: "123456"
  group_allow_from: "123456"

Testing

All 11 tests pass (including 5 new ones):

tests/gateway/test_telegram_group_gating.py ........... 11 passed

Refs

• Fixes Telegram: Missing user-level access control — any user can trigger bot via @mention in any group #7651

[AllardQuek]

Why was this PR closed?

[xandersbell]

Why was this PR closed?

acctually, I forgot, maybe my AI agent closed it by some reasons that I dont know ^_^

[xandersbell]

seems synced then lost the codes in the main branch, I see File Changed 0 for now.

[xandersbell]

Follow-up: I reopened this fix as a fresh PR here:

• fix(telegram): support group user allowlist #17686

Root cause for this old PR showing Files changed 0: its head branch was xandersbell:main; that fork main was later synced/force-pushed to upstream main, so the original fix commit disappeared from the PR diff.

The new PR uses a dedicated branch (fix/telegram-user-allowlist) and implements the fix against current main.