
#13521: telegram: require webhook secret in runtime webhook mode

by davidahmann, open, 2026-02-10 16:49

Labels: channel: telegram, docker, stale
## Summary

- require a non-empty `webhookSecret` at runtime when Telegram webhook mode is enabled
- enforce the guard in both `monitorTelegramProvider` and `startTelegramWebhook`
- add regression tests for webhook secret required/allowed paths

## Why

Issue #13116 reports that webhook mode could be started without a secret through runtime options, which leaves a spoofable ingress path. This change fail-closes webhook startup unless a secret is provided.

## Validation

- `pnpm vitest run src/telegram/webhook.test.ts src/telegram/monitor.test.ts`

Closes #13116.

## Greptile Overview

### Greptile Summary

This PR tightens Telegram webhook-mode startup by requiring a non-empty `webhookSecret` at runtime and adds regression coverage for both the monitor entrypoint and the webhook server entrypoint.

Key behavior changes:

- `monitorTelegramProvider` now trims and rejects webhook mode when `webhookSecret` is empty/missing, and passes the trimmed secret through to `startTelegramWebhook`.
- `startTelegramWebhook` now fail-fast throws when `secret` is missing/blank and uses the trimmed secret for both the grammY webhook handler and `setWebhook` registration.
- Tests were updated/added to cover the required/allowed paths.

### Confidence Score: 3/5

- Not safe to merge until tests and call-site typing issues are addressed
- The core security guard is sensible, but the webhook test currently asserts the wrong error string and will fail, and the monitor webhook call uses an unsafe `as RuntimeEnv` cast that weakens type guarantees at the integration boundary.
- src/telegram/webhook.test.ts, src/telegram/monitor.ts

Context used:

- Context from `dashboard` - CLAUDE.md
- Context from `dashboard` - AGENTS.md
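The fail-closed guard the PR describes, as an added TypeScript example that is not the project's code and not the PR's diff: it trims the runtime `webhookSecret`, refuses to start webhook mode on a blank value, passes the same trimmed value to the `setWebhook` registration, and checks each inbound update against the `X-Telegram-Bot-Api-Secret-Token` header that Telegram sends once a `secret_token` has been registered. The option shape, the function names (`requireWebhookSecret`, `verifyWebhookRequest`, `startWebhookMode`) and the error class are assumptions made for illustration; only the header name and the general shape of the guard come from how the Telegram Bot API behaves.

```typescript
import { timingSafeEqual } from "node:crypto";

// Hypothetical runtime options shape, modelled loosely on the PR description.
interface WebhookRuntimeOptions {
  webhookSecret?: string | null;
  webhookPath?: string;
}

// Hypothetical error type so callers can distinguish a misconfiguration from other failures.
class WebhookSecretRequiredError extends Error {
  constructor() {
    super("Telegram webhook mode requires a non-empty webhookSecret");
    this.name = "WebhookSecretRequiredError";
  }
}

// Fail-closed guard: whitespace-only or missing secrets are treated as absent.
// Returns the trimmed secret that every later step must use consistently.
function requireWebhookSecret(opts: WebhookRuntimeOptions): string {
  const secret = (opts.webhookSecret ?? "").trim();
  if (secret.length === 0) {
    throw new WebhookSecretRequiredError();
  }
  return secret;
}

// Telegram echoes the secret_token given to setWebhook in this header on every update.
// Node's http module lowercases header names, so the lookup key is lowercase.
const TELEGRAM_SECRET_HEADER = "x-telegram-bot-api-secret-token";

// Inbound check: reject updates that lack the header or present a different value.
// Lengths are compared first because timingSafeEqual requires equal-length buffers.
function verifyWebhookRequest(
  headers: Record<string, string | undefined>,
  expectedSecret: string,
): boolean {
  const presented = headers[TELEGRAM_SECRET_HEADER];
  if (typeof presented !== "string") {
    return false;
  }
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expectedSecret, "utf8");
  if (a.length !== b.length) {
    return false;
  }
  return timingSafeEqual(a, b);
}

// Simulated startup path: the guard runs before anything listens, and the same trimmed
// value feeds both the registration call and the handler's verification.
function startWebhookMode(opts: WebhookRuntimeOptions): {
  secret: string;
  setWebhookParams: { secret_token: string };
  handler: (headers: Record<string, string | undefined>) => boolean;
} {
  const secret = requireWebhookSecret(opts);
  return {
    secret,
    setWebhookParams: { secret_token: secret },
    handler: (headers) => verifyWebhookRequest(headers, secret),
  };
}
```

Trimming before the emptiness check matters because a value such as `"   "` would otherwise pass a naive truthiness test and be registered with Telegram, which then sends updates with a header nobody can compare against sensibly; rejecting it at startup keeps the failure loud and local instead of silently leaving the ingress spoofable.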
