feat(telegram): promo bot + channel-chat moderation gate #99
Reference in New Issue
Block a user
Delete Branch "feature/telegram-promo-bot-chat-moderation"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
What
A second standalone promo bot in the bot container (answers
/startwith a localized message + a URL button into the main bot's Mini App) and a moderated discussion chat gate: the main bot grants write access on join when the Telegram user is registered and neither admin-suspended nor holding a newchat_mutedrole, and revokes/grants on the matching moderation change for a member currently in the chat.Eligibility =
registered AND NOT suspended AND NOT chat_muted(the game suspension dominates), resolved once in the backend and reached two ways: the bot's join-time unaryResolveChatEligibilityover the existing mTLS bot-link, and a backendchat_access_changedevent -> gateway ->ChatGatecommand (idempotent; a temporary-block-expiry sweeper may over-emit). The block/unblock path is guarded bygetChatMember, since bots cannot list members.Operational setup (lands with the Stage 18 prod cutover)
can_restrict_members) and set the group default to no-send.TEST_/PROD_deploy vars:TELEGRAM_PROMO_BOT_TOKEN(secret),TELEGRAM_BOT_USERNAME,TELEGRAM_CHAT_ID; the promo link reuses the existing*_VITE_TELEGRAM_LINKasTELEGRAM_BOT_LINK. The operator toggleschat_mutedfrom the user card's role dropdown.Why a URL button (not web_app)
A
web_appbutton signsinitDatawith the sending (promo) bot's token, which the main bot's validator rejects -- so the cross-bot launch is at.me/<bot>?startappURL.No schema change
chat_mutedreuses the data-drivenaccount_rolestable -> no migration, no jetgen, no contour DB wipe.Verified locally
gofmt clean; build/vet/unit for all four modules; the full backend integration suite (
-tags integration); proto codegen idempotent;docker compose configvalid.Two follow-ups from a contour test where a user joined the chat, then registered, and got no write access — with silent logs. Observability: log every chat_member update (chat id, configured id, user, old->new status), the eligibility result and the grant outcome; plus a startup self-check that warns loudly when the bot is not an administrator in the chat with the restrict-members ("Ban users") right — the common misconfiguration, previously invisible in the logs. Grant on first registration: a user who joins the moderated chat BEFORE registering is covered by no chat_member event, so the join-time grant never fires for them. ProvisionTelegram now reports first contact, and the Telegram auth handler emits chat_access_changed on it, so the gateway re-evaluates and grants write access if the user is already in the chat.New commits pushed, approval review dismissed automatically according to repository settings