feat(telegram): support custom apiRoot for alternative API endpoints#48842
Merged
obviyus merged 6 commits intoopenclaw:mainfrom Mar 21, 2026
Merged
feat(telegram): support custom apiRoot for alternative API endpoints#48842obviyus merged 6 commits intoopenclaw:mainfrom
obviyus merged 6 commits intoopenclaw:mainfrom
Conversation
openclaw-barnacle
bot
added
channel: telegram
Cypherm
force-pushed
the
feat/telegram-api-root-v2
branch
from
f9bcd0b to
48a5bd9
Compare
Contributor
Greptile SummaryThis PR exposes grammy's
Confidence Score: 4/5
Prompt To Fix All With AIThis is a comment left during a code review.
Path: extensions/telegram/src/probe.ts
Line: 7
Comment:
**Unused constant left behind**
`TELEGRAM_API_BASE` is defined but never referenced after the refactoring — its only use was `const base = `${TELEGRAM_API_BASE}/bot${token}`;`, which was replaced on line 109 with `resolveTelegramApiBase(options?.apiRoot)`. This is now dead code.
```suggestion
```
How can I resolve this? If you propose a fix, please make it concise.
---
This is a comment left during a code review.
Path: extensions/telegram/src/fetch.ts
Line: 450-453
Comment:
**`apiRoot` accepted but never consumed in the transport function**
`options.apiRoot` is part of the `resolveTelegramTransport` (and `resolveTelegramFetch`) signature, but the value is never read anywhere inside the function body. The transport layer only configures dispatchers; base-URL construction happens at call sites via `resolveTelegramApiBase`. Carrying the unused parameter in the signature can mislead callers into thinking passing `apiRoot` here changes connection behavior.
If the parameter is only there to maintain a uniform options shape, a comment explaining that would clarify intent. Otherwise the parameter should be removed from both `resolveTelegramTransport` and `resolveTelegramFetch`.
How can I resolve this? If you propose a fix, please make it concise.Last reviewed commit: 48a5bd9 |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Cypherm
force-pushed
the
feat/telegram-api-root-v2
branch
2 times, most recently
from
2243832 to
1b80f66
Compare
Cypherm
force-pushed
the
feat/telegram-api-root-v2
branch
3 times, most recently
from
8d379a7 to
712a7bb
Compare
This was referenced Mar 20, 2026
Cypherm
force-pushed
the
feat/telegram-api-root-v2
branch
6 times, most recently
from
7760660 to
6a06d71
Compare
Contributor
Author
|
@obviyus — All Telegram call sites covered: bot, send, probe, audit, media download (with dynamic SSRF policy), api-fetch. Default behavior unchanged when |
openclaw-barnacle
bot
added
commands
Contributor
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9eedbd8a6d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
obviyus
force-pushed
the
feat/telegram-api-root-v2
branch
from
c25f07c to
c1ba65d
Compare
Contributor
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d8bd3d4f4f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
123
to
+126
| resolveTelegramAllowFromEntries({ | ||
| credentialValue: credentialValues.token, | ||
| entries, | ||
| apiRoot: resolveTelegramAccount({ cfg, accountId }).config.apiRoot, |
There was a problem hiding this comment.
Fresh evidence relative to the earlier chat-id fix: this setup wizard path still calls resolveTelegramAllowFromEntries with only apiRoot. If an account relies on channels.telegram.proxy or channels.telegram.network to reach Telegram, @username resolution from the setup surface ignores those transport overrides, so the allowlist step still fails even though send/probe/audit now use the configured transport.
Useful? React with 👍 / 👎.
JohnJAS
pushed a commit
to JohnJAS/openclaw
that referenced
this pull request
Mar 22, 2026
…penclaw#48842) * feat(telegram): support custom apiRoot for alternative API endpoints Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(telegram): thread apiRoot through allowFrom lookups * fix(telegram): honor lookup transport and local file paths * refactor(telegram): unify username lookup plumbing * fix(telegram): restore doctor lookup imports * fix: document Telegram apiRoot support (openclaw#48842) (thanks @Cypherm) --------- Co-authored-by: Cypherm <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
pholpaphankorn
pushed a commit
to pholpaphankorn/openclaw
that referenced
this pull request
Mar 22, 2026
…penclaw#48842) * feat(telegram): support custom apiRoot for alternative API endpoints Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(telegram): thread apiRoot through allowFrom lookups * fix(telegram): honor lookup transport and local file paths * refactor(telegram): unify username lookup plumbing * fix(telegram): restore doctor lookup imports * fix: document Telegram apiRoot support (openclaw#48842) (thanks @Cypherm) --------- Co-authored-by: Cypherm <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
frankekn
pushed a commit
to artwalker/openclaw
that referenced
this pull request
Mar 23, 2026
…penclaw#48842) * feat(telegram): support custom apiRoot for alternative API endpoints Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(telegram): thread apiRoot through allowFrom lookups * fix(telegram): honor lookup transport and local file paths * refactor(telegram): unify username lookup plumbing * fix(telegram): restore doctor lookup imports * fix: document Telegram apiRoot support (openclaw#48842) (thanks @Cypherm) --------- Co-authored-by: Cypherm <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 23, 2026
…penclaw#48842) * feat(telegram): support custom apiRoot for alternative API endpoints Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(telegram): thread apiRoot through allowFrom lookups * fix(telegram): honor lookup transport and local file paths * refactor(telegram): unify username lookup plumbing * fix(telegram): restore doctor lookup imports * fix: document Telegram apiRoot support (openclaw#48842) (thanks @Cypherm) --------- Co-authored-by: Cypherm <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]> (cherry picked from commit 6b4c24c)
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 23, 2026
…penclaw#48842) * feat(telegram): support custom apiRoot for alternative API endpoints Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(telegram): thread apiRoot through allowFrom lookups * fix(telegram): honor lookup transport and local file paths * refactor(telegram): unify username lookup plumbing * fix(telegram): restore doctor lookup imports * fix: document Telegram apiRoot support (openclaw#48842) (thanks @Cypherm) --------- Co-authored-by: Cypherm <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]> (cherry picked from commit 6b4c24c)
Copilot AI
added a commit
to nathan77886/openclaw
that referenced
this pull request
Mar 24, 2026
…API_HOST Merge upstream/main into the fork, resolving conflicts in Telegram extension files. The upstream added support for config-based apiRoot (openclaw#48842); this merge preserves the fork's TELEGRAM_BOT_API_HOST environment variable approach by making both work together with the following priority: 1. Explicit apiRoot config (channels.telegram.accounts.default.apiRoot) 2. TELEGRAM_BOT_API_HOST environment variable 3. Default https://api.telegram.org Key changes: - fetch.ts: resolveTelegramApiBase(apiRoot?) falls back to env var via api-base.ts - api-fetch.ts: use upstream's richer implementation (threads apiRoot + fetchImpl) - audit-membership-runtime.ts, probe.ts: import from fetch.ts, pass apiRoot - bot.ts, send.ts: resolve via resolveTelegramApiBase(config apiRoot) with env fallback - bot/delivery.resolve-media.ts: buildTelegramMediaSsrfPolicy uses effective API hostname (config or env var)
19 tasks
furaul
pushed a commit
to furaul/openclaw
that referenced
this pull request
Mar 24, 2026
…penclaw#48842) * feat(telegram): support custom apiRoot for alternative API endpoints Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(telegram): thread apiRoot through allowFrom lookups * fix(telegram): honor lookup transport and local file paths * refactor(telegram): unify username lookup plumbing * fix(telegram): restore doctor lookup imports * fix: document Telegram apiRoot support (openclaw#48842) (thanks @Cypherm) --------- Co-authored-by: Cypherm <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]>
Interstellar-code
pushed a commit
to Interstellar-code/operator1
that referenced
this pull request
Mar 24, 2026
…penclaw#48842) * feat(telegram): support custom apiRoot for alternative API endpoints Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(telegram): thread apiRoot through allowFrom lookups * fix(telegram): honor lookup transport and local file paths * refactor(telegram): unify username lookup plumbing * fix(telegram): restore doctor lookup imports * fix: document Telegram apiRoot support (openclaw#48842) (thanks @Cypherm) --------- Co-authored-by: Cypherm <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]> (cherry picked from commit 6b4c24c)
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 28, 2026
…penclaw#48842) * feat(telegram): support custom apiRoot for alternative API endpoints Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(telegram): thread apiRoot through allowFrom lookups * fix(telegram): honor lookup transport and local file paths * refactor(telegram): unify username lookup plumbing * fix(telegram): restore doctor lookup imports * fix: document Telegram apiRoot support (openclaw#48842) (thanks @Cypherm) --------- Co-authored-by: Cypherm <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]> (cherry picked from commit 6b4c24c) # Conflicts: # CHANGELOG.md # extensions/telegram/src/api-fetch.ts # extensions/telegram/src/bot/delivery.resolve-media.ts # extensions/telegram/src/probe.ts # extensions/telegram/src/setup-core.ts # extensions/telegram/src/setup-surface.ts # src/commands/doctor-config-flow.test.ts # src/commands/doctor-config-flow.ts # src/config/schema.help.ts # src/config/schema.labels.ts # src/config/types.telegram.ts # src/config/zod-schema.providers-core.ts
alexey-pelykh
pushed a commit
to remoteclaw/remoteclaw
that referenced
this pull request
Mar 28, 2026
…penclaw#48842) * feat(telegram): support custom apiRoot for alternative API endpoints Add `apiRoot` config option to allow users to specify custom Telegram Bot API endpoints (e.g., self-hosted Bot API servers). Threads the configured base URL through all Telegram API call sites: bot creation, send, probe, audit, media download, and api-fetch. Extends SSRF policy to dynamically trust custom apiRoot hostname for media downloads. Closes openclaw#28535 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> * fix(telegram): thread apiRoot through allowFrom lookups * fix(telegram): honor lookup transport and local file paths * refactor(telegram): unify username lookup plumbing * fix(telegram): restore doctor lookup imports * fix: document Telegram apiRoot support (openclaw#48842) (thanks @Cypherm) --------- Co-authored-by: Cypherm <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Ayaan Zaidi <[email protected]> (cherry picked from commit 6b4c24c)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Problem: Users behind ISP-level DNS blocks, corporate proxies, or self-hosted Telegram Bot API servers cannot override the hardcoded
api.telegram.orgendpoint.Why it matters: Self-hosted Bot API servers remove the 20MB file download limit and reduce latency. Some networks block
api.telegram.orgentirely. Users need a config-level escape hatch.What changed:
apiRoottoTelegramAccountConfigtype with Zod.url()validationresolveTelegramApiBase()helper infetch.ts(trim, strip trailing slash, default fallback)apiRootthrough all Telegram API call sites: bot creation, send, probe, audit, media download, api-fetchapiRoothostname for media downloadsresolveTelegramApiBaseexportWhat did NOT change:
resolveTelegramTransportsignatures unchangednetwork-errors.tsis untouchedapiRootis not set is identical to beforeChange Type
Scope
Integrations (Telegram extension + config schema)
Linked Issue
Closes #28535
Security Impact
buildTelegramMediaSsrfPolicy()dynamically adds customapiRoothostname to SSRF allowlist — this is intentional and required for media downloads from self-hosted Bot API servers. Invalid URLs are caught by try/catch fallthrough.Human Verification
I personally verified:
pnpm buildpassespnpm check(format + lint) passes — only pre-existing matrix/tlon type errors remainpnpm test -- extensions/telegram— 987/987 tests pass, 2 e2e passTELEGRAM_API_BASEconstant fromprobe.ts(was flagged by Greptile)apiRootfromresolveTelegramTransport/resolveTelegramFetchsignatures — transport handles HOW to connect (dispatcher/proxy), not WHERE (URL)apiRootproduces identical behavior to upstream mainEvidence
git diff --stat upstream/main...HEAD: 16 files changed, 101 insertions(+), 27 deletions(-)What I Did NOT Verify
telegram-bot-api --localinstance) — tested config plumbing and URL construction only--localmode filesystem path responses (local Bot API returns absolute paths instead of HTTP URLs for file downloads — this is a separate transport concern for a follow-up PR)https://proxy.example.com:8443/bot-api/)Failure Recovery
If this breaks in production:
apiRootis set to an invalid/unreachable endpointapiRootfrom config — all paths fall back to defaultapi.telegram.orgapiRootconfig. Accounts without it are completely unaffected.Example usage
🤖 Generated with Claude Code
Co-Authored-By: Claude Opus 4.6 [email protected]