fix: retry Telegram inbound media downloads over IPv4 fallback

[frankekn]

Summary

• Problem: fresh installs on IPv6-broken hosts can reach Telegram generally but still fail when downloading inbound media from api.telegram.org/file/....
• Why it matters: the first user-visible symptom is "can't send images to the bot", which looks like Telegram media is broken right after setup.
• What changed: reuse Telegram's existing IPv4 fallback classification for SSRF-guarded inbound file downloads, and retry those downloads once with an IPv4-only dispatcher policy.
• What did NOT change (scope boundary): this PR does not change the separate media-group partial-failure behavior that already has its own red baseline test.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• None

User-visible / Behavior Changes

• Telegram inbound media downloads now retry once with IPv4-only transport when the initial guarded file fetch fails with the same dual-stack/network errors already handled by the main Telegram transport path.
• No config changes are required; existing channels.telegram.network.* settings continue to apply.

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) No
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: local git worktree on origin/main snapshot 6a812b621, Node v25.8.1, pnpm 10.23.0
• Model/provider: N/A
• Integration/channel (if any): Telegram inbound media download path
• Relevant config (redacted): default Telegram transport plus channels.telegram.network.* fallback behavior

Steps

1. Create a Telegram transport with Node 22+ style fallback settings.
2. Attempt an inbound media download through the SSRF-guarded file fetch path.
3. Make the first fetch fail with a dual-stack network error like EHOSTUNREACH.

Expected

• The guarded file download retries once with IPv4-only transport and succeeds.

Actual

• Before this change, only Bot API calls had sticky IPv4 fallback; inbound file downloads reused the base dispatcher policy and failed fast.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • Added and ran a targeted regression test proving SSRF-guarded Telegram file downloads retry with family: 4 after an initial fetch failed/EHOSTUNREACH path.
  • Re-ran existing Telegram transport and media retry suites.
  • Ran repo pnpm check and pnpm build in a clean detached worktree branch.
• Edge cases checked:
  • Existing explicit-proxy/direct transport policy preservation tests still pass.
  • Existing direct-message fallback warning test still passes.
• What you did not verify:
  • Live Telegram manual repro against a real bot/account in this worktree.
  • The separate media-group partial-failure regression; it remains red before and after this change.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert commit cd441b72a73f3d551190327e02c4055e353f8c95
• Files/config to restore: src/media/fetch.ts, src/telegram/fetch.ts, src/telegram/bot/delivery.resolve-media.ts, src/media/fetch.telegram-network.test.ts, CHANGELOG.md
• Known bad symptoms reviewers should watch for: unexpected retries on non-Telegram guarded fetches, or Telegram inbound media still failing without the retry test proving family: 4 dispatch

Risks and Mitigations

• Risk: retry classification could become broader than intended if reused outside Telegram media.
  • Mitigation: the retry hook is only wired from Telegram media download call sites and reuses the existing Telegram-specific fallback classifier.

[greptile-apps]

Greptile Summary

This PR adds an IPv4 fallback retry for SSRF-guarded Telegram inbound file downloads, mirroring the existing fallback logic that was already present for Bot API calls. It does this by extracting and exposing the private shouldRetryWithIpv4Fallback classifier, computing the fallback dispatcher policy eagerly in resolveTelegramTransport, and wiring both into the fetchRemoteMedia call in downloadAndSaveTelegramFile.

Key changes:

• src/telegram/fetch.ts: Exports shouldRetryTelegramIpv4Fallback, adds fallbackPinnedDispatcherPolicy to TelegramTransport, and refactors resolveStickyIpv4Dispatcher to reuse the now-upfront-computed fallback policy (eliminating a duplicate resolveTelegramDispatcherPolicy call).
• src/media/fetch.ts: Extends FetchMediaOptions with optional fallbackDispatcherPolicy / shouldRetryFetchError and implements a nested try/catch retry inside the SSRF-guarded fetch path. MediaFetchError now also accepts and forwards a cause option in two wrapping sites.
• src/telegram/bot/delivery.resolve-media.ts: Passes fallbackPinnedDispatcherPolicy and shouldRetryTelegramIpv4Fallback into fetchRemoteMedia, scoped to the Telegram file-download call site only. Because sourceFetch (not the resolvedFetch wrapper) is used, there is no risk of double-retry with the existing Bot API fallback.
• One thing to watch: when both the primary and fallback fetches fail, only the fallback error is preserved as MediaFetchError.cause — the original trigger error is silently discarded, which can make production diagnosis harder.

Confidence Score: 4/5

• This PR is safe to merge; the retry logic is narrowly scoped to Telegram inbound media and reuses a well-tested classifier.
• The change is small and tightly scoped: new options in fetchRemoteMedia are opt-in and only wired from the one Telegram download call site. The shouldRetryTelegramIpv4Fallback classifier was already battle-tested for Bot API calls and its error-matching logic (requiring both "fetch failed" message and a known network code) is not trivially broadened. The test correctly validates the dispatcher options on both attempts. The only minor concern is that the original primary-fetch error is lost when the fallback also fails, which could complicate production diagnosis but does not affect runtime correctness.
• src/media/fetch.ts — the double-failure error-chaining gap is worth revisiting if a future maintainer adds more retry callers.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/media/fetch.ts
Line: 122-131

Comment:
**Original error silently discarded on double failure**

When the primary fetch fails and triggers the IPv4 fallback, and the fallback fetch also fails, the original error (the one that caused the retry) is lost. The outer `catch` at line 136 only sees the fallback error. In a production debugging scenario this makes it impossible to distinguish "failed before retrying" from "failed on both primary and fallback" without adding separate log instrumentation.

Consider preserving the primary error as a suppressed cause:

```suggestion
    } catch (err) {
      if (
        fallbackDispatcherPolicy &&
        typeof shouldRetryFetchError === "function" &&
        shouldRetryFetchError(err)
      ) {
        try {
          result = await runGuardedFetch(fallbackDispatcherPolicy);
        } catch (fallbackErr) {
          const combined = new Error(
            `Fallback fetch also failed: ${String(fallbackErr)}`,
            { cause: fallbackErr },
          );
          (combined as { primaryError?: unknown }).primaryError = err;
          throw combined;
        }
      } else {
        throw err;
      }
```

At a minimum, documenting the known data-loss here would help future maintainers understand why only the fallback error shows up in production error traces.

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: cd441b7}

[frankekn]

Landed.

• Merged commit: 7a53eb7
• Source head: 724ca4c