dmPolicy allowFrom / groupAllowFrom not filtering incoming messages — foreign users reach agents

[producedbysavant]

Summary

channels.telegram.allowFrom and groupAllowFrom do not prevent messages from non-allowlisted users from reaching bound agents. The agent receives, processes, and attempts to reply to foreign users, wasting tokens and creating delivery failures.

Configuration

"channels": {
  "telegram": {
    "dmPolicy": "allowlist",
    "allowFrom": ["1144466778"],
    "groupPolicy": "allowlist",
    "groupAllowFrom": ["1144466778"],
    "groups": {
      "-1003956954389": {
        "requireMention": true,
        "groupPolicy": "allowlist"
      }
    }
  }
}

Observed Behavior

1. User 1725321322 ("dj chuk+") sent a message — the orchestrator agent received it, processed it (spent ~$0.006 in DeepSeek tokens), and generated a full reply about Tarantino movies. Delivery failed with "chat not found" because the bot hasn't started a DM with this user.

2. User 999598842 — same issue earlier, multiple delivery attempts (183+ failed entries in the queue), all failing with "chat not found".

Expected Behavior

Messages from users NOT in allowFrom / groupAllowFrom should be silently dropped before reaching any agent. No tokens should be spent, no responses generated, no delivery attempts made.

Log Evidence

session dfccdd63: deliveryContext.to = "1725321322"
agent processed foreign message, generated NO_REPLY response
multiple 400 Bad Request: chat not found for 1725321322
183+ failed delivery entries for 999598842

Impact

• Token waste: every foreign message costs DeepSeek API tokens
• Delivery queue pollution: failed deliveries accumulate and block reconnect drains
• Session corruption: concurrent access to session files from foreign messages triggers EmbeddedAttemptSessionTakeoverError
• Agent instructions to "never reply to non-owner" are model-dependent and unreliable

Related

Also observed: sub-agents (analyst) spawned via sessions_spawn lack read/write tools when using an explicit tools.allow list. The orchestrator's sub-agents inherit a restricted tool set that breaks file-based workflows. Workaround: manually add read, write, exec to the agent's tools.allow list.

[clawsweeper]

Thanks for the context here. I did a careful shell check against current main, and this is already implemented.

Close: current main and v2026.6.1 already gate Telegram DM and group senders by allowFrom/groupAllowFrom before agent dispatch, with shipped regression coverage for unauthorized group senders.

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review details

Best possible solution:

Keep the shipped Telegram ingress gates; if unauthorized senders still reach dispatch on v2026.6.1 or newer, handle it as a new narrowly reproduced report with account scope, binding, and gateway logs.

Do we have a high-confidence way to reproduce the issue?

No; current source and shipped tests show unauthorized Telegram DM and group senders are dropped before agent dispatch, so I did not establish a failing current-main reproduction path.

Is this the best way to solve the issue?

Yes; enforcing allowlists at Telegram ingress before message dispatch is the right boundary and avoids relying on model instructions to reject foreign users.

Security review:

Security review cleared: Current shipped Telegram access gates block the reported unauthorized sender path before agent dispatch, so no unresolved security issue remains in main.

AGENTS.md: found and applied where relevant.

What I checked:

• Current DM ingress gate: Current main calls enforceTelegramDmAccess while building the Telegram message context and returns null before dispatch when access is denied. (extensions/telegram/src/bot-message-context.ts:360, 1c0d7c8a5785)
• Current DM policy denial: enforceTelegramDmAccess only returns true for an allow decision; unauthorized allowlist/open/pairing cases return false or pairing-only handling instead of agent dispatch. (extensions/telegram/src/dm-access.ts:90, 1c0d7c8a5785)
• Current group pre-dispatch gate: Current main runs shouldSkipGroupMessage before recording and processing the inbound Telegram message, so denied group senders return before agent dispatch. (extensions/telegram/src/bot-handlers.runtime.ts:2830, 1c0d7c8a5785)
• Current group allowlist logic: groupPolicy=allowlist requires configured sender entries or an explicit chat allowance, and returns group-policy-allowlist-unauthorized when the sender does not match the effective group allowlist. (extensions/telegram/src/group-access.ts:176, 1c0d7c8a5785)
• Shipped regression coverage: The Telegram bot tests cover an unauthorized sender under groupPolicy=allowlist and a mismatched groupAllowFrom access group, both expecting zero replies. (extensions/telegram/src/bot.create-telegram-bot.test.ts:2299, 1c0d7c8a5785)
• Docs contract: Telegram docs state that allowFrom/groupAllowFrom use numeric Telegram user IDs, groups use negative chat IDs under channels.telegram.groups, and dmPolicy allowlist requires allowFrom entries. Public docs: docs/channels/telegram.md. (docs/channels/telegram.md:116, 1c0d7c8a5785)

Likely related people:

• Vincent Koc: Current-main blame and v2026.6.1 release provenance for the Telegram access tests and gate code point to Vincent Koc-authored proof commits in this checkout. (role: recent area contributor; confidence: high; commits: 2e08f0f4221f, 4d142b185ea9; files: extensions/telegram/src/bot-handlers.runtime.ts, extensions/telegram/src/bot-message-context.ts, extensions/telegram/src/bot.create-telegram-bot.test.ts)
• scoootscooob: The Telegram implementation and its access modules/tests were moved into extensions/telegram in commit e5bca08. (role: feature mover; confidence: medium; commits: e5bca0832fbd; files: extensions/telegram/src/bot-access.ts, extensions/telegram/src/group-access.ts, extensions/telegram/src/dm-access.ts)
• Jacob Tomlinson: Commit 269282a hardened Telegram DM authorization for callbacks in the same handler area. (role: adjacent auth hardening contributor; confidence: medium; commits: 269282ac69ab; files: extensions/telegram/src/bot-handlers.runtime.ts, extensions/telegram/src/bot.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1c0d7c8a5785; fix evidence: release v2026.6.1, commit 2e08f0f4221f.

[producedbysavant]

Still reproducible on v2026.6.1

The issue was closed as "already implemented" but I can confirm it's still happening on a production v2026.6.1 installation with dmPolicy: "allowlist" and allowFrom: ["1144466778"].

What I found in the installed code

There are two call sites for enforceTelegramDmAccess:

1. bot-handlers.runtime.ts:2847 (built: bot-r6hl6ztC.js:3347) — the early gate in the message handler:

if (!event.isGroup && (hasInboundMedia(event.msg) || hasReplyTargetMedia(event.msg))) {
    if (!await enforceTelegramDmAccess({...})) return;
}

This gate only fires for media messages. Plain text messages skip it entirely.

2. bot-message-context.ts:361 (built: bot-r6hl6ztC.js:4452) — the context builder gate in buildTelegramMessageContext:

if (!await enforceTelegramDmAccess({...})) return null;

This is unconditional and should block unauthorized senders before dispatchTelegramMessage.

But it's still happening

Despite the second gate being unconditional, messages from unauthorized users (1725321322, 999598842, 8140725665) still reach agents, consume DeepSeek tokens, and generate "chat not found" delivery failures. 11+ messages accumulated in delivery-queue/failed/ as a result.

Possible causes

• resolveTelegramDmAllow might be resolving store-backed allow entries that include previously-allowed senders
• The effectiveDmPolicy resolution in buildTelegramMessageContext might not match the configured dmPolicy
• There might be a race between store-backed allow entries and the configured allowFrom

Request

Please re-verify with a clean install (no prior store-backed allow entries) and plain text messages from unauthorized senders. The clawsweeper analysis confirmed the code exists but the runtime behavior does not match the expectation.