fix: preserve shared telegram token state

Author: TheAngryPit

src/bun/loopndroll-actions-secret-migration.test.ts

@@ -0,0 +1,112 @@
+import { describe, expect, test } from "bun:test";
+import { Database } from "bun:sqlite";
+
+import { redactPersistedTelegramBotToken } from "./loopndroll-actions";
+
+function createTokenStateSchema(db: Database) {
+  db.exec(`
+    create table telegram_update_cursors (
+      bot_token text primary key,
+      last_update_id integer not null,
+      updated_at text not null
+    );
+
+    create table telegram_known_chats (
+      bot_token text not null,
+      chat_id text not null,
+      kind text not null,
+      username text,
+      display_name text not null,
+      updated_at text not null,
+      primary key (bot_token, chat_id)
+    );
+
+    create table session_awaiting_replies (
+      thread_id text not null,
+      bot_token text not null,
+      chat_id text not null,
+      turn_id text,
+      started_at text not null,
+      primary key (thread_id, bot_token, chat_id)
+    );
+
+    create table telegram_delivery_receipts (
+      id text primary key,
+      notification_id text,
+      thread_id text not null,
+      bot_token text not null,
+      chat_id text not null,
+      telegram_message_id integer not null,
+      created_at text not null
+    );
+  `);
+}
+
+describe("telegram bot token state redaction", () => {
+  test("moves token-scoped bridge state to the migration ref without dropping it", () => {
+    const db = new Database(":memory:");
+    createTokenStateSchema(db);
+    db.query(
+      `insert into telegram_update_cursors (bot_token, last_update_id, updated_at)
+       values ('plain-token', 41, '2026-04-30T00:00:00.000Z')`,
+    ).run();
+    db.query(
+      `insert into telegram_known_chats (
+        bot_token,
+        chat_id,
+        kind,
+        username,
+        display_name,
+        updated_at
+      ) values ('plain-token', '123', 'private', 'user', 'User', '2026-04-30T00:00:00.000Z')`,
+    ).run();
+    db.query(
+      `insert into session_awaiting_replies (
+        thread_id,
+        bot_token,
+        chat_id,
+        turn_id,
+        started_at
+      ) values ('thread-1', 'plain-token', '123', 'turn-1', '2026-04-30T00:00:00.000Z')`,
+    ).run();
+    db.query(
+      `insert into telegram_delivery_receipts (
+        id,
+        notification_id,
+        thread_id,
+        bot_token,
+        chat_id,
+        telegram_message_id,
+        created_at
+      ) values ('receipt-1', 'notification-1', 'thread-1', 'plain-token', '123', 10, '2026-04-30T00:00:00.000Z')`,
+    ).run();
+
+    redactPersistedTelegramBotToken(
+      db,
+      "plain-token",
+      "keychain://loopndroll/telegram-bot-token/notification-1",
+    );
+
+    expect(db.query("select count(*) as count from telegram_update_cursors").get()).toEqual({
+      count: 1,
+    });
+    expect(db.query("select bot_token, last_update_id from telegram_update_cursors").get()).toEqual(
+      {
+        bot_token: "keychain://loopndroll/telegram-bot-token/notification-1",
+        last_update_id: 41,
+      },
+    );
+    expect(db.query("select bot_token, chat_id from telegram_known_chats").get()).toEqual({
+      bot_token: "keychain://loopndroll/telegram-bot-token/notification-1",
+      chat_id: "123",
+    });
+    expect(db.query("select bot_token, chat_id from session_awaiting_replies").get()).toEqual({
+      bot_token: "keychain://loopndroll/telegram-bot-token/notification-1",
+      chat_id: "123",
+    });
+    expect(db.query("select bot_token, chat_id from telegram_delivery_receipts").get()).toEqual({
+      bot_token: "keychain://loopndroll/telegram-bot-token/notification-1",
+      chat_id: "123",
+    });
+  });
+});

src/bun/loopndroll-actions.ts

@@ -46,6 +46,7 @@ import {
 import {
   deleteSlackWebhookUrlFromKeychain,
   deleteTelegramBotTokenFromKeychain,
+  getTelegramBotTokenMigrationRef,
   isSlackWebhookUrlKeychainRef,
   isTelegramBotTokenKeychainRef,
   resolveSlackWebhookUrl,
@@ -83,7 +84,7 @@ async function redactSecretsFromManagedLogs(secrets: string[]) {
   }
 }
 
-function redactPersistedTelegramBotToken(
+export function redactPersistedTelegramBotToken(
   client: ReturnType<typeof getLoopndrollDatabase>["client"],
   plaintextBotToken: string,
   botTokenRef: string,
@@ -156,6 +157,28 @@ function redactPersistedTelegramBotToken(
   })();
 }
 
+function deleteTelegramBotTokenFromKeychainIfUnused(
+  db: ReturnType<typeof getLoopndrollDatabase>["db"],
+  botTokenOrRef: string | null | undefined,
+) {
+  if (typeof botTokenOrRef !== "string" || !isTelegramBotTokenKeychainRef(botTokenOrRef)) {
+    return;
+  }
+  const botTokenRef = botTokenOrRef.trim();
+
+  const remainingRef = db
+    .select({ id: notifications.id })
+    .from(notifications)
+    .where(and(eq(notifications.channel, "telegram"), eq(notifications.botToken, botTokenRef)))
+    .limit(1)
+    .get();
+  if (remainingRef) {
+    return;
+  }
+
+  deleteTelegramBotTokenFromKeychain(botTokenRef);
+}
+
 export async function saveDefaultPrompt(defaultPrompt: string) {
   const paths = getLoopndrollPaths();
   const { db } = getLoopndrollDatabase(paths.databasePath);
@@ -262,9 +285,8 @@ export async function updateLoopNotification(notification: UpdateLoopNotificatio
   if (notification.channel === "slack") {
     const previousWebhookUrl =
       currentNotification.channel === "slack" ? currentNotification.webhookUrl : "";
-    if (currentNotification.channel === "telegram") {
-      deleteTelegramBotTokenFromKeychain(currentNotification.botToken);
-    }
+    const previousBotToken =
+      currentNotification.channel === "telegram" ? currentNotification.botToken : "";
     const webhookUrlRef = isSlackWebhookUrlKeychainRef(notification.webhookUrl)
       ? notification.webhookUrl.trim()
       : storeSlackWebhookUrlInKeychain(notification.id, notification.webhookUrl);
@@ -282,6 +304,7 @@ export async function updateLoopNotification(notification: UpdateLoopNotificatio
       })
       .where(eq(notifications.id, notification.id))
       .run();
+    deleteTelegramBotTokenFromKeychainIfUnused(db, previousBotToken);
   } else {
     const previousBotToken =
       currentNotification.channel === "telegram" ? currentNotification.botToken : "";
@@ -308,6 +331,7 @@ export async function updateLoopNotification(notification: UpdateLoopNotificatio
       })
       .where(eq(notifications.id, notification.id))
       .run();
+    deleteTelegramBotTokenFromKeychainIfUnused(db, previousBotToken);
   }
 
   return loadSnapshot(paths);
@@ -364,7 +388,7 @@ export async function deleteLoopNotification(notificationId: string) {
       .where(eq(settings.globalNotificationId, notificationId))
       .run();
   });
-  deleteTelegramBotTokenFromKeychain(existingNotification?.botToken);
+  deleteTelegramBotTokenFromKeychainIfUnused(db, existingNotification?.botToken);
   deleteSlackWebhookUrlFromKeychain(existingNotification?.webhookUrl);
 
   return loadSnapshot(paths);
@@ -378,6 +402,7 @@ export async function migrateNotificationSecretsToKeychain() {
     .from(notifications)
     .orderBy(asc(notifications.createdAt), asc(notifications.id))
     .all();
+  const migratedTelegramBotTokenRefs = new Map<string, string>();
 
   for (const row of existingNotificationRows) {
     const currentNotification = mapNotificationRow(row);
@@ -414,7 +439,16 @@ export async function migrateNotificationSecretsToKeychain() {
       continue;
     }
 
-    const botTokenRef = storeTelegramBotTokenInKeychain(currentNotification.id, botToken);
+    const botTokenMigration = getTelegramBotTokenMigrationRef(
+      currentNotification.id,
+      botToken,
+      migratedTelegramBotTokenRefs,
+    );
+    let botTokenRef = botTokenMigration.ref;
+    if (botTokenMigration.shouldStore) {
+      botTokenRef = storeTelegramBotTokenInKeychain(currentNotification.id, botToken);
+      migratedTelegramBotTokenRefs.set(botToken, botTokenRef);
+    }
     redactPersistedTelegramBotToken(client, botToken, botTokenRef);
     await redactSecretsFromManagedLogs([botToken]);
     db.update(notifications)

src/bun/secret-store.test.ts

@@ -3,6 +3,7 @@ import { describe, expect, test } from "bun:test";
 import {
   createSlackWebhookUrlKeychainRef,
   createTelegramBotTokenKeychainRef,
+  getTelegramBotTokenMigrationRef,
   isSlackWebhookUrlKeychainRef,
   isTelegramBotTokenKeychainRef,
 } from "./secret-store";
@@ -19,6 +20,30 @@ describe("telegram bot token keychain refs", () => {
   test("does not classify plain Telegram tokens as keychain references", () => {
     expect(isTelegramBotTokenKeychainRef("bot-id:opaque-token-value")).toBe(false);
   });
+
+  test("reuses one migration ref for notifications sharing a plaintext bot token", () => {
+    const refsByPlaintextToken = new Map<string, string>();
+
+    const first = getTelegramBotTokenMigrationRef(
+      "notification-1",
+      "bot-id:opaque-token-value",
+      refsByPlaintextToken,
+    );
+    const second = getTelegramBotTokenMigrationRef(
+      "notification-2",
+      "bot-id:opaque-token-value",
+      refsByPlaintextToken,
+    );
+
+    expect(first).toEqual({
+      ref: "keychain://loopndroll/telegram-bot-token/notification-1",
+      shouldStore: true,
+    });
+    expect(second).toEqual({
+      ref: first.ref,
+      shouldStore: false,
+    });
+  });
 });
 
 describe("slack webhook URL keychain refs", () => {

src/bun/secret-store.ts

@@ -45,6 +45,28 @@ export function createSlackWebhookUrlKeychainRef(notificationId: string) {
   return `${SLACK_WEBHOOK_URL_REF_PREFIX}${encodeURIComponent(encodeKeychainAccount(notificationId))}`;
 }
 
+export function getTelegramBotTokenMigrationRef(
+  notificationId: string,
+  botToken: string,
+  refsByPlaintextToken: Map<string, string>,
+) {
+  const normalizedBotToken = botToken.trim();
+  const existingRef = refsByPlaintextToken.get(normalizedBotToken);
+  if (existingRef) {
+    return {
+      ref: existingRef,
+      shouldStore: false,
+    };
+  }
+
+  const ref = createTelegramBotTokenKeychainRef(notificationId);
+  refsByPlaintextToken.set(normalizedBotToken, ref);
+  return {
+    ref,
+    shouldStore: true,
+  };
+}
+
 function runSecurityCommand(args: string[]) {
   const result = spawnSync("/usr/bin/security", args, {
     encoding: "utf8",