Summary

• Problem: isolated Telegram DM sessions under session.dmScope: "per-channel-peer" need regression coverage to ensure lastRoute writes stay scoped to the isolated direct session instead of agent:main:main.
• Why it matters: without coverage, future routing changes can regress into duplicate replies from the main session and the isolated session.
• What changed: added Telegram regression tests for default main-session DM routing, isolated per-channel-peer DM routing, DM topic thread IDs, and group-message no-op behavior; also cleaned up existing detect-secrets false positives and a provider-config test typing issue that otherwise kept this PR red in CI.
• What did NOT change (scope boundary): no Telegram runtime behavior changes.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Fixes [Bug]: agent:main:main session responds to Telegram DMs alongside telegram session #40005

User-visible / Behavior Changes

• None. This PR adds regression coverage and CI-unblocking cleanup only.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS: macOS
• Runtime/container: Node.js / pnpm test runner
• Model/provider: N/A
• Integration/channel (if any): Telegram DM routing
• Relevant config (redacted): session.dmScope: "per-channel-peer"

Steps

1. Build Telegram inbound context for a private chat under default dmScope.
2. Build Telegram inbound context for a private chat under session.dmScope: "per-channel-peer".
3. Inspect recordInboundSession(...).updateLastRoute.sessionKey.
4. Run targeted tests for web-search, git-commit, and models-config helpers to verify the CI-unblocking cleanup.

Expected

• Default dmScope: updateLastRoute.sessionKey === agent:main:main
• Isolated dmScope: updateLastRoute.sessionKey === agent:main:telegram:direct:<senderId>
• pnpm check no longer fails on src/agents/models-config.merge.test.ts
• detect-secrets false positives are removed from the files touched in this PR

Actual

• Covered by regression tests and local targeted test runs.

Evidence

Attach at least one:

• Passing test coverage
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: Telegram DM updateLastRoute behavior for default main-session scope, isolated per-channel-peer scope, DM topic thread IDs, and group-message no-op path.
• Verified local targeted tests: src/telegram/bot-message-context.dm-topic-threadid.test.ts, src/routing/resolve-route.test.ts, src/agents/tools/web-search.test.ts, src/infra/git-commit.test.ts, src/agents/models-config.merge.test.ts.
• Edge cases checked: isolated direct session uses Telegram sender-derived peer id (42) rather than chat id (1234) in the session key.
• What you did not verify: live Telegram bot traffic against a real bot token.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert commit 23aa31a74.
• Files/config to restore: src/telegram/bot-message-context.dm-topic-threadid.test.ts, src/agents/models-config.merge.test.ts, src/agents/tools/web-search.ts, src/agents/tools/web-search.test.ts, src/infra/git-commit.test.ts, docs/perplexity.md, docs/tools/web.md, test-fixtures/talk-config-contract.json
• Known bad symptoms reviewers should watch for: Telegram isolated-DM route policy no longer writing lastRoute to the isolated direct session, or PR check/secrets failing on the known false-positive set.

Risks and Mitigations

• Risk: the PR scope is broader than Telegram-only because CI is currently blocked by existing false positives and a test typing issue on top of this base commit.
  • Mitigation: all non-Telegram changes are limited to tests/docs/fixtures and false-positive cleanup; there are no production behavior changes beyond renaming a local helper parameter from apiKeySource to authSource.