dmPolicy allowFrom not enforced for Telegram text messages — unauthorized users reach agents

[producedbysavant]

Summary

dmPolicy: "allowlist" + allowFrom does not prevent text messages from unauthorized Telegram users from reaching bound agents. The DM access check in bot-handlers.runtime.ts is gated behind hasInboundMedia, allowing plain text messages to bypass ingress filtering entirely.

Version

v2026.6.1 (latest stable) — installed via npm, running on Node.js v24.15.0, Bun binary runtime.

Configuration

"channels": {
  "telegram": {
    "dmPolicy": "allowlist",
    "allowFrom": ["1144466778"],
    "groupPolicy": "allowlist",
    "groupAllowFrom": ["1144466778"]
  }
}

Reproduction

1. Configure dmPolicy: "allowlist" with allowFrom: ["<owner_id>"]
2. Have a non-allowlisted user send a plain text DM (no media, no reply-to-media) to the bot
3. The message reaches the bound agent, which processes it and generates a reply
4. Delivery fails with 400: chat not found because bot hasn't started DM with the unauthorized user
5. Failed delivery enters send_attempt_started state and blocks reconnect drain with refusing blind replay without adapter reconciliation

Root Cause

Two call sites for enforceTelegramDmAccess:

1. extensions/telegram/src/bot-handlers.runtime.ts:2847 — BUGGY GATE

if (!event.isGroup && (hasInboundMedia(event.msg) || hasReplyTargetMedia(event.msg))) {
    if (!await enforceTelegramDmAccess({...})) return;
}

DM access is ONLY checked for messages with media or reply-to-media. Plain text messages skip this check entirely and proceed directly to processInboundMessage → agent dispatch.

2. extensions/telegram/src/bot-message-context.ts:361 — CONTEXT BUILDER GATE

if (!await enforceTelegramDmAccess({...})) return null;

This is unconditional and SHOULD block unauthorized senders before dispatchTelegramMessage. However, it does not prevent the agent from processing the message and spending tokens — it only prevents the dispatch. In practice, unauthorized users still reach agent processing.

Impact (measured over 13 days on a production instance)

Metric	Value
Failed deliveries in DB	1,884
Unique unauthorized targets	72
Entries NOT in allowFrom	1,876 / 1,884 (99.6%)
Top spurious target	Bot's own ID (8243344628): 845 entries
Time span	2026-05-24 to 2026-06-05
Peak day	June 4: 406 entries

Secondary effects

• Token waste: every foreign message consumes DeepSeek API tokens for processing + reply generation
• Delivery queue pollution: 1,884 stuck entries block the Telegram reconnect drain with refusing blind replay without adapter reconciliation
• Session corruption: concurrent session access from foreign messages triggers EmbeddedAttemptSessionTakeoverError
• Legitimate message delay: reconnect drain retries block delivery of legitimate owner messages

Related

• dmPolicy allowFrom / groupAllowFrom not filtering incoming messages — foreign users reach agents #91006 — closed by clawsweeper as "already implemented in main and v2026.6.1" but the fix is incomplete (the hasInboundMedia gate in bot-handlers.runtime.ts was not removed)

Expected Behavior

Messages from users NOT in allowFrom should be silently dropped at the channel ingress level — before any agent dispatch, token consumption, or reply generation. The enforceTelegramDmAccess call in bot-handlers.runtime.ts:2847 should NOT be gated behind hasInboundMedia.

Suggested Fix

Remove the hasInboundMedia gate in bot-handlers.runtime.ts:

- if (!event.isGroup && (hasInboundMedia(event.msg) || hasReplyTargetMedia(event.msg))) {
-     if (!await enforceTelegramDmAccess({...})) return;
- }
+ if (!event.isGroup) {
+     if (!await enforceTelegramDmAccess({...})) return;
+ }

The context builder gate in bot-message-context.ts serves as a second line of defense for any paths that might bypass the handler-level check.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 7, 2026, 12:22 PM ET / 16:22 UTC.

Summary
Keep open: current main and v2026.6.1 still have the reported handler-level Telegram DM access check gated behind media predicates, so the requested ingress-boundary fix is not implemented. A later context-builder guard appears to prevent some final dispatch for unauthorized plain text, so the exact downstream token/delivery symptoms still need live proof, but the missing pre-processing allowlist enforcement is real enough to track.

Reproducibility: yes. for the handler-level gap: current source still skips the early DM access check for plain-text Telegram DMs. No live proof was established for all reported downstream database/token symptoms, and the later context-builder gate appears to reduce final dispatch impact.

Next step
The likely fix is small and clear, but the item is security-boundary-sensitive and the downstream production symptoms need maintainer-prioritized proof before promotion.

Security
Needs attention: The issue concerns a concrete Telegram DM allowlist enforcement boundary and should receive security-aware maintainer review before repair/ship.

Review details

Best possible solution:

Land a narrow Telegram authorization fix that enforces enforceTelegramDmAccess for every non-group inbound message before dedupe, buffering, media handling, or message processing, while keeping the context-builder guard as defense in depth.

Do we have a high-confidence way to reproduce the issue?

Yes for the handler-level gap: current source still skips the early DM access check for plain-text Telegram DMs. No live proof was established for all reported downstream database/token symptoms, and the later context-builder gate appears to reduce final dispatch impact.

Is this the best way to solve the issue?

Yes, the suggested shape is likely the best narrow fix: remove the media-only condition around the existing handler-level DM access enforcement and add focused regression coverage. The fix should not add config or change group/pairing semantics.

AGENTS.md: found and applied where relevant.

Remaining risk / open question:

• The review did not run a live Telegram reproduction, and source inspection shows a later context-builder guard that likely prevents dispatchTelegramMessage for unauthorized plain-text DMs; the exact token-spend and stuck-delivery symptoms still need runtime proof.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 66b91d78feb3.

Label changes

Label changes:

• add P1: The issue reports a shipped Telegram allowlist enforcement gap with unauthorized users reaching agent-facing ingress paths.
• add impact:security: The affected behavior is an inbound Telegram DM allowlist boundary.
• add impact:message-loss: The report includes failed Telegram deliveries and queue pollution delaying legitimate messages.
• add impact:session-state: The report links unauthorized Telegram traffic to session takeover/state contention symptoms.
• add issue-rating: 🐚 platinum hermit: Current issue advisory state selects this label.
• add clawsweeper:needs-live-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-maintainer-review: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: The issue reports a shipped Telegram allowlist enforcement gap with unauthorized users reaching agent-facing ingress paths.
• impact:security: The affected behavior is an inbound Telegram DM allowlist boundary.
• impact:message-loss: The report includes failed Telegram deliveries and queue pollution delaying legitimate messages.
• impact:session-state: The report links unauthorized Telegram traffic to session takeover/state contention symptoms.

Evidence reviewed

Security concerns:

• [medium] Plain-text DMs skip the early Telegram allowlist gate — extensions/telegram/src/bot-handlers.runtime.ts:2847
  The handler-level enforceTelegramDmAccess call is guarded by media checks, so unauthorized plain-text DMs are not rejected at the documented pre-processing ingress boundary.
  Confidence: 0.78

What I checked:

• Current handler gate: handleInboundMessageLike only calls enforceTelegramDmAccess for non-group messages when hasInboundMedia(event.msg) or hasReplyTargetMedia(event.msg) is true, so a plain-text DM skips this handler-level check. (extensions/telegram/src/bot-handlers.runtime.ts:2847, 66b91d78feb3)
• Second-line context guard: buildTelegramMessageContext calls enforceTelegramDmAccess unconditionally and returns null before dispatch when it blocks, which narrows the proven impact but does not provide the requested pre-processing ingress gate. (extensions/telegram/src/bot-message-context.ts:360, 66b91d78feb3)
• Dispatch occurs only after context: createTelegramMessageProcessor returns false when context building returns null; dispatchTelegramMessage is only called after a non-null context and onDispatchStart. (extensions/telegram/src/bot-message.ts:121, 66b91d78feb3)
• Documented contract: Security docs say current DM-capable channels support a DM policy that gates inbound DMs before the message is processed, and allowlist blocks unknown senders. Public docs: docs/gateway/security/index.md. (docs/gateway/security/index.md:552, 66b91d78feb3)
• Latest release still affected: The v2026.6.1 release tag contains the same media-gated handler-level DM access check. (extensions/telegram/src/bot-handlers.runtime.ts:2846, 2e08f0f4221f)
• Existing test coverage is media-focused: Current Telegram bot tests cover blocking unauthorized DM media before download, but the inspected nearby coverage does not prove the same handler-level block for unauthorized plain-text DMs. (extensions/telegram/src/bot.create-telegram-bot.test.ts:1553, 66b91d78feb3)

Likely related people:

• Peter Steinberger: Commit cd5c2f4 introduced bot-handlers.runtime.ts with the same media-gated DM access branch. (role: introduced behavior; confidence: medium; commits: cd5c2f4cb2c2; files: extensions/telegram/src/bot-handlers.runtime.ts)
• Vincent Koc: Recent current-main and release history/blame on the Telegram handler and context files points to commits carrying this area forward, including 9fb8d87 and 2e08f0f. (role: recent area contributor; confidence: medium; commits: 9fb8d87f91f8, 2e08f0f4221f; files: extensions/telegram/src/bot-handlers.runtime.ts, extensions/telegram/src/bot-message-context.ts)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[producedbysavant]

Root Cause Identified

After extensive live debugging on a production v2026.6.1 instance, the root cause is definitively identified:

The Bug (handler level)

extensions/telegram/src/bot-handlers.runtime.ts:2847 — enforceTelegramDmAccess is gated behind hasInboundMedia, allowing plain-text DMs from unauthorized users to bypass the ingress check. This was correctly identified earlier.

Additional Vector: Telethon Bridge Reply Routing

A second, more impactful vector was discovered: the OpenClaw telethon-bridge gateway (gateway.mjs). When forwarding messages from a user's Telegram account to the agent:

1. The bridge calls openclaw agent --message <text> --channel telegram --to <original_sender_chat_id> --deliver
2. --to is set to the original sender's chat_id, not the owner's
3. The agent processes the message and the reply is delivered to the unauthorized user
4. This bypasses dmPolicy entirely — the message comes through the CLI agent path, not the channel ingress path

This explains why 999598842, 5233163354, 1668567974 and others were able to have full bidirectional conversations with the orchestrator agent despite dmPolicy: "allowlist" with allowFrom: ["1144466778"].

Fix Applied (workaround)

1. gateway.mjs: Changed --to from original sender's chat_id to owner's chat_id. Non-owner messages get a [from Name in chat_type] prefix for context.
2. gateway.mjs: Added filter to only forward messages from the owner's chat_id to the agent.
3. bot-r6hl6ztC.js: Removed hasInboundMedia gate around enforceTelegramDmAccess.
4. bot-r6hl6ztC.js: Added hardcoded sender ID check in enforceTelegramDmAccess for dmPolicy: "allowlist".

Result

• 0 failed deliveries since fix applied
• All outbound messages now go exclusively to chatId=1144466778
• No token waste, no queue pollution

Recommended Upstream Fix

1. Fix the hasInboundMedia gate in bot-handlers.runtime.ts
2. Document that openclaw agent --to bypasses DM policy — consider adding a --dm-policy flag or respecting the channel config in CLI agent invocations