
fix(telegram): validate replyToMessageId before sending to Telegram API #56587

Merged
hydro13 merged 1 commit into openclaw:main from hydro13:fix/telegram-reply-id-validation
Mar 28, 2026

hydro13 (Member) commented Mar 28, 2026

Summary

  • Add shared normalizeTelegramReplyToMessageId() normalizer in outbound-params.ts
  • Apply at all four Telegram API sinks: direct send, bot delivery, draft stream, bot helpers
  • Rejects non-numeric strings, NaN, mixed-content strings ("123abc"), whitespace
  • Prevents GrammyError 400 when non-numeric values from session metadata slip through

Root Cause

Telegram's Bot API expects reply_to_message_id to be a numeric integer. Multiple call sites passed the value through without validation, trusting typed boundaries. When runtime values like session metadata IDs ("session-meta-id") reached the API, Grammy rejected the send.

Change Type

  • Bug fix

Testing

139 tests pass across 3 test files. New regression test covers:

  • Non-numeric string ("session-meta-id") → omitted
  • Mixed-content string ("123abc") → omitted
  • NaN → omitted
  • Verified for both sendMessage and sendSticker paths

Fixes #37222

Add shared normalizeTelegramReplyToMessageId() that rejects non-numeric,
NaN, and mixed-content strings before they reach the Telegram Bot API.
Apply at all four API sinks: direct send, bot delivery, draft stream,
and bot helpers.

Prevents GrammyError 400 when non-numeric values from session metadata
slip through typed boundaries.

Fixes openclaw#37222
openclaw-barnacle Bot added the labels channel: telegram, size: S, maintainer on Mar 28, 2026

greptile-apps Bot (Contributor) commented Mar 28, 2026

Greptile Summary

This PR centralises reply_to_message_id validation into a single normalizeTelegramReplyToMessageId() helper and applies it at all four Telegram API call sites (send.ts, delivery.send.ts, draft-stream.ts, bot/helpers.ts). The fix prevents the GrammyError 400 that occurred when non-numeric session-metadata strings reached the Bot API.

  • outbound-params.ts — new normalizeTelegramReplyToMessageId(unknown) replaces ad-hoc guards at each call site; the legacy parseTelegramReplyToMessageId is now a thin delegating wrapper, preserving the public API.
  • bot/helpers.ts — resolveTelegramReplyId becomes a one-liner; the old Number(raw) path that could return floats (e.g. "123.5" → 123.5) is removed in favour of the strict integer regex.
  • send.ts — Math.trunc(params.replyToMessageId) guard replaced; previously a string like "session-meta-id" would silently produce NaN and be forwarded as message_id.
  • send.test.ts — new parameterised regression test covers "session-meta-id", "123abc", and NaN for both sendMessageTelegram and sendStickerTelegram.

The implementation looks correct and complete. No critical issues found.

Confidence Score: 5/5

Safe to merge — the fix is narrowly scoped, all four send paths are covered, and 139 tests pass.

All findings are P2 or lower. The core validation logic is correct, the regex /^-?\d+$/ rejects every described invalid input, the normalizer is applied consistently across all sinks, and the regression test directly reproduces the bug. No breaking contract changes for callers of the exported functions.

No files require special attention.

Important Files Changed

Filename | Overview
extensions/telegram/src/outbound-params.ts | Introduces normalizeTelegramReplyToMessageId(unknown) as the single source of truth for reply-ID validation; delegates the legacy parseTelegramReplyToMessageId to it.
extensions/telegram/src/bot/helpers.ts | resolveTelegramReplyId is now a one-liner delegating to normalizeTelegramReplyToMessageId; removes the old Number(raw) path that could return floats.
extensions/telegram/src/bot/delivery.send.ts | buildTelegramSendParams validates replyToMessageId through the normalizer before placing it into API params.
extensions/telegram/src/draft-stream.ts | createTelegramDraftStream now validates replyToMessageId through the normalizer; rest of streaming logic unchanged.
extensions/telegram/src/send.ts | buildTelegramThreadReplyParams now calls normalizeTelegramReplyToMessageId instead of the bare Math.trunc guard, covering the NaN/non-numeric bypass.
extensions/telegram/src/send.test.ts | New regression test covers session-meta-id, 123abc, and NaN for both sendMessageTelegram and sendStickerTelegram paths.

Reviews (1): Last reviewed commit: "fix(telegram): validate replyToMessageId..." | Re-trigger Greptile
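
A sketch of the strict-integer check discussed in this review, set beside the two lenient conversions it mentions. This is an added example, not the project's code: the function names are hypothetical, and the safe-integer bound and the refusal to trim whitespace are assumptions; only the regex and the first three sample inputs come from the thread.

```typescript
// Added sketch, not the project's source. Only the regex /^-?\d+$/ and the
// regression inputs come from the PR discussion; all names are hypothetical.
const STRICT_INT = /^-?\d+$/;

// Strict normalizer: returns an integer, or undefined meaning "omit the field".
function normalizeReplyId(raw: unknown): number | undefined {
  if (typeof raw === "number") {
    // Drops NaN, Infinity and floats (assumption: bound to safe integers).
    return Number.isSafeInteger(raw) ? raw : undefined;
  }
  if (typeof raw === "string" && STRICT_INT.test(raw)) {
    const n = Number(raw);
    return Number.isSafeInteger(n) ? n : undefined;
  }
  // Objects, booleans, null, "", "123abc", " 42 " (assumption: no trimming).
  return undefined;
}

// The two lenient conversions the review describes, kept for comparison.
function lenientTrunc(raw: unknown): number {
  return Math.trunc(raw as number); // "session-meta-id" -> NaN
}
function lenientNumber(raw: unknown): number {
  return Number(raw); // "123.5" -> 123.5
}

// Sink-side use: attach the field only when the normalizer produced a value.
function buildSendParams(text: string, replyTo: unknown): Record<string, unknown> {
  const id = normalizeReplyId(replyTo);
  return id === undefined ? { text } : { text, reply_to_message_id: id };
}

// Constructed inputs; the first three mirror the PR's regression cases.
const samples: unknown[] = ["session-meta-id", "123abc", NaN, "123.5", " 42 ", "42", 42];

// Rows of [input, lenient result, strict result] for side-by-side inspection.
function compare(): Array<[unknown, number, number | undefined]> {
  return samples.map((s) => [s, lenientTrunc(s), normalizeReplyId(s)]);
}
```

The comparison rows show why a type annotation alone is not a guard: the lenient paths turn untyped runtime values into NaN or a float, while the strict path yields either a safe integer or nothing to send.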

@hydro13 hydro13 merged commit 865160e into openclaw:main Mar 28, 2026
36 of 38 checks passed
hydro13 added a commit that referenced this pull request Mar 28, 2026
alexcode-cc pushed a commit to alexcode-cc/clawdbot that referenced this pull request Mar 30, 2026
alexjiang1 pushed a commit to alexjiang1/openclaw that referenced this pull request Mar 31, 2026
pgondhi987 pushed a commit to pgondhi987/openclaw that referenced this pull request Mar 31, 2026
lovewanwan pushed a commit to lovewanwan/openclaw that referenced this pull request Apr 28, 2026
Tardisyuan pushed a commit to Tardisyuan/openclaw that referenced this pull request Apr 30, 2026
ogt-redknie pushed a commit to ogt-redknie/OPENX that referenced this pull request May 2, 2026
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 9, 2026

Development

Successfully merging this pull request may close these issues.

Telegram send should ignore non-numeric reply_to_message_id inputs
