fix(telegram): persist native command metadata to target sessions

[GaosCode]

Summary

• Problem: Telegram native commands were persisting inbound session metadata to the slash envelope key (agent:<agent>:telegram:slash:<user>) even when the command was targeting a bound topic/helper session.
• Why it matters: this let slash-shaped keys get backfilled with group/topic metadata, matching the fake alias pattern reported in [Bug]: Telegram helper-agent slash:<user> session keys are incorrectly mapped to group:<group_id>:topic:1 sessions #57509.
• What changed: Telegram native command metadata persistence now prefers CommandTargetSessionKey, and regression coverage now asserts the persisted key matches the actual target session in private, helper-topic, configured ACP topic binding, and bound-topic-session flows.
• What did NOT change (scope boundary): this PR does not change model fallback behavior, session restore/indexing outside the Telegram native-command path, or Slack/Discord native command handling.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Telegram helper-agent slash:<user> session keys are incorrectly mapped to group:<group_id>:topic:1 sessions #57509
• Related #
• This PR fixes a bug or regression

Root Cause / Regression History (if applicable)

• Root cause: extensions/telegram/src/bot-native-commands.ts always persisted inbound session metadata using ctxPayload.SessionKey, which is the slash envelope key, instead of the actual chat target session.
• Missing detection / guardrail: the existing Telegram session-metadata tests asserted the old slash-key behavior and did not verify that metadata followed CommandTargetSessionKey.
• Prior context (git blame, prior PR, issue, or refactor if known): issue [Bug]: Telegram helper-agent slash:<user> session keys are incorrectly mapped to group:<group_id>:topic:1 sessions #57509 reported helper-agent Telegram slash keys being projected to topic/group session shells.
• Why this regressed now: native command delivery already separated slash envelope routing from target-session mutation, but metadata persistence did not follow the same target-session rule.
• If unknown, what was ruled out: ruled out a general Telegram slash-session issue by reproducing the problem specifically in helper-topic / configured-binding paths and fixing the implicated persistence callsite.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: extensions/telegram/src/bot-native-commands.session-meta.test.ts
• Scenario the test should lock in: Telegram native commands must persist session metadata to the same target session named by CommandTargetSessionKey, including helper-topic and ACP-bound topic flows.
• Why this is the smallest reliable guardrail: it exercises the real Telegram native-command routing and session-metadata persistence seam without needing a live Telegram bot.
• Existing test that already covers this (if any): none before this change; the file had related coverage but it locked in the wrong key.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

Telegram helper/topic native commands no longer create or refresh fake telegram:slash:<user> session entries with topic/group metadata through this code path.

[greptile-apps]

Greptile Summary

This PR fixes a bug where Telegram native command metadata was persisted to the slash envelope key (agent:<agent>:telegram:slash:<user>) instead of the resolved target session key, causing group/topic metadata to backfill slash-shaped session keys in helper-topic and configured ACP binding flows.

Changes:

• extensions/telegram/src/bot-native-commands.ts: A single-line fix introduces sessionMetaKey that prefers CommandTargetSessionKey (the actual routing target) over SessionKey (the slash envelope) when recording inbound session metadata.
• extensions/telegram/src/bot-native-commands.session-meta.test.ts: Test assertions updated from the old slash-key behavior to the corrected target-session-key behavior; new assertions added for helper-topic and ACP-bound topic paths.

The fix is minimal and scoped correctly. The production change (CommandTargetSessionKey?.trim() || SessionKey || route.sessionKey) is a well-ordered fallback that ensures the slash envelope key is only used as a fallback when no explicit target session is set. The updated tests now directly lock in the invariant: session metadata must be persisted to the same key that the dispatch context routes to.

Confidence Score: 5/5

Safe to merge — the production change is a single targeted fix with no side effects on unrelated paths, and the new tests correctly lock in the corrected behavior across all affected routing scenarios.

The production fix is minimal (one new variable, one call-site change). The fallback chain is correct and well-ordered. All four routing paths (private DM, helper-topic, configured ACP binding, bound-topic-session) are covered by tests that assert the new behavior. No P0 or P1 issues found.

No files require special attention.

Important Files Changed

Filename	Overview
extensions/telegram/src/bot-native-commands.ts	Single targeted fix: session metadata now persisted to CommandTargetSessionKey instead of the slash envelope SessionKey.
extensions/telegram/src/bot-native-commands.session-meta.test.ts	Test assertions updated to lock in the corrected target-session-key behavior across all four routing paths.

_{Reviews (1): Last reviewed commit: "fix(telegram): persist native command me..." | Re-trigger Greptile}

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this PR open. Current main still persists Telegram native-command inbound session metadata to the slash envelope session key, while the same context already carries CommandTargetSessionKey for the routed or bound target session. The PR remains a focused implementation candidate for the bug described by #57509, not work already implemented on main.

Best possible solution:

Keep the PR open and have a maintainer review, land, or replace it with an equivalent narrow fix that persists Telegram native command metadata to the target session key, with session-meta regression coverage for private, helper-topic, configured ACP topic binding, and runtime bound-topic-session flows.

What I checked:

• Current main still writes metadata to SessionKey: Telegram native command handling computes commandSessionKey and commandTargetSessionKey, stores both on ctxPayload, but recordInboundSessionMetaSafe still receives ctxPayload.SessionKey ?? route.sessionKey. That is the slash envelope path this PR changes. (extensions/telegram/src/bot-native-commands.ts:999, 891c7d9f1c1f)
• Target contract makes the keys distinct: resolveNativeCommandSessionTargets returns sessionKey as the native slash envelope and commandTargetSessionKey as the routed target session when there is no bound session, so using SessionKey is not equivalent to using the target key. (src/channels/native-command-session-targets.ts:15, 891c7d9f1c1f)
• Current regression test still locks in old behavior: The configured ACP topic-binding test verifies dispatch targets the bound session, but still expects session metadata to be recorded under agent:codex:telegram:slash:200. The PR's intended test update is not present on main. (extensions/telegram/src/bot-native-commands.session-meta.test.ts:752, 891c7d9f1c1f)
• Docs align with target-session routing: The slash command docs describe Telegram native commands as using telegram:slash: while targeting the chat session through CommandTargetSessionKey, matching the invariant this PR is trying to enforce for metadata persistence. Public docs: docs/tools/slash-commands.md. (docs/tools/slash-commands.md:441, 891c7d9f1c1f)
• Related report context matches the PR: The provided GitHub context shows [Bug]: Telegram helper-agent slash:<user> session keys are incorrectly mapped to group:<group_id>:topic:1 sessions #57509 reported helper-agent telegram:slash: keys being backfilled with group/topic metadata, and this PR explicitly targets that metadata persistence path. The related issue is closed, but current main still has the implicated callsite behavior. (891c7d9f1c1f)
• Security review pass: The provided PR metadata shows changes only in extensions/telegram/src/bot-native-commands.ts and extensions/telegram/src/bot-native-commands.session-meta.test.ts. No CI workflows, dependency sources, lockfiles, package metadata, install/build/release scripts, downloaded artifacts, or secret-handling paths are changed. (ab07c819f3c3)

Remaining risk / open question:

• Closing this PR without an equivalent fix would leave current main writing Telegram native-command metadata to slash envelope sessions for routed helper/topic/bound-session flows.
• This was a read-only review, so no tests were executed; the PR should still receive normal maintainer validation before merge.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 891c7d9f1c1f.

[obviyus]

Verified the Telegram native-command metadata bug: slash-command envelope sessions were getting the metadata instead of the routed target session.

Maintainer follow-up: distilled the metadata write to use commandTargetSessionKey directly and added the Unreleased changelog entry.

Local gate: pnpm test extensions/telegram/src/bot-native-commands.session-meta.test.ts plus targeted oxfmt --check.

[obviyus]

Landed on main.

• Landed source commit: 4a32117
• Merge commit: b79e617

Thanks @GaosCode.