bloby-bot 0.61.0 → 0.62.0

package/supervisor/index.ts

@@ -551,8 +551,8 @@ export async function startSupervisor() {
     'POST /api/channels/whatsapp/react',
     'POST /api/channels/send',
     'POST /api/channels/alexa/handle',
-    'POST /api/channels/telegram/connect',
-    'GET /api/channels/telegram/poll',
+    // NOTE: 'POST /api/channels/telegram/connect' is NOT public — it sets the bot token, so it is
+    // gated in-handler (first run open, portal token required once a password is set), like /api/onboard.
     'GET /api/channels/telegram/pair-page',
     'GET /api/channels/telegram/status',
     'POST /api/channels/telegram/configure',
@@ -1361,99 +1361,101 @@ mint();
         return;
       }
 
-      // ── Telegram (relay provisions a per-user bot via "Managed Bots"; the Bloby then
-      //    long-polls Telegram DIRECTLY — the relay is only in the pairing path) ──
+      // ── Telegram (BYO bot — the user pastes a @BotFather token; we validate it and
+      //    long-poll Telegram DIRECTLY. NO relay anywhere in the pairing or message path) ──
 
-      // POST /api/channels/telegram/connect — ask the relay to start provisioning a child bot.
-      // Returns a t.me/newbot deep link the user taps + a sessionId to poll. No token yet.
+      // POST /api/channels/telegram/connect — { botToken }. Sets the agent's bot token, so it is
+      // GATED like /api/onboard: open only on genuine first run (no portal_pass yet); once a portal
+      // password is set it requires a valid Bearer token (the pair-page sends the dashboard's
+      // bloby_token). Without this gate, any unauthenticated caller over the tunnel could inject
+      // their own bot token and hijack the channel (and, via trust-on-first-use, the agent).
       if (req.method === 'POST' && channelPath === '/api/channels/telegram/connect') {
-        (async () => {
-          try {
-            const cfg = loadConfig();
-            if (!cfg.relay?.token) {
-              res.writeHead(400);
-              res.end(JSON.stringify({ ok: false, error: 'no-relay-token' }));
-              return;
-            }
-            const resp = await fetch('https://api.bloby.bot/api/telegram/provision', {
-              method: 'POST',
-              headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${cfg.relay.token}` },
-              body: JSON.stringify({ name: cfg.username || 'Bloby' }),
-            });
-            const data = await resp.json() as { sessionId?: string; deepLink?: string; botUsername?: string; expiresAt?: string; error?: string };
-            if (!resp.ok || !data.sessionId || !data.deepLink) {
-              res.writeHead(resp.status || 500);
-              res.end(JSON.stringify({ ok: false, error: data.error || 'provision-failed' }));
-              return;
-            }
-            res.writeHead(200);
-            res.end(JSON.stringify({ ok: true, sessionId: data.sessionId, deepLink: data.deepLink, botUsername: data.botUsername, expiresAt: data.expiresAt }));
-          } catch (err: any) {
-            log.warn(`[telegram/connect] ${err.message}`);
-            res.writeHead(500);
-            res.end(JSON.stringify({ ok: false, error: err.message }));
-          }
-        })();
-        return;
-      }
+        let body = '';
+        let tooLarge = false;
+        req.on('data', (chunk: Buffer) => {
+          body += chunk.toString();
+          if (body.length > 8_000) { tooLarge = true; req.destroy(); }
+        });
+        req.on('error', () => {
+          if (res.headersSent) return;
+          res.writeHead(400);
+          res.end(JSON.stringify({ ok: false, error: 'read-error' }));
+        });
+        req.on('end', () => {
+          (async () => {
+            try {
+              if (tooLarge) {
+                res.writeHead(413);
+                res.end(JSON.stringify({ ok: false, error: 'body-too-large' }));
+                return;
+              }
+              // Auth gate (matches /api/onboard): internal calls bypass; otherwise require a valid
+              // portal token whenever a password is set. First run (no password) stays open.
+              if (req.headers['x-internal'] !== internalSecret && await isAuthRequired()) {
+                const auth = req.headers.authorization;
+                const tok = auth?.startsWith('Bearer ') ? auth.slice(7) : null;
+                if (!tok || !(await validateToken(tok))) {
+                  res.writeHead(401);
+                  res.end(JSON.stringify({ ok: false, error: 'auth-required' }));
+                  return;
+                }
+              }
 
-      // GET /api/channels/telegram/poll?sessionId=… — poll the relay for the provisioned token.
-      // When ready, persist the child token locally and start the long-poll provider.
-      if (req.method === 'GET' && channelPath === '/api/channels/telegram/poll') {
-        (async () => {
-          try {
-            const sessionId = new URL(req.url || '', 'http://localhost').searchParams.get('sessionId') || '';
-            if (!sessionId) {
-              res.writeHead(400);
-              res.end(JSON.stringify({ ok: false, error: 'missing-sessionId' }));
-              return;
-            }
-            const cfg = loadConfig();
-            if (!cfg.relay?.token) {
-              res.writeHead(400);
-              res.end(JSON.stringify({ ok: false, error: 'no-relay-token' }));
-              return;
-            }
-            const resp = await fetch(`https://api.bloby.bot/api/telegram/provision/${encodeURIComponent(sessionId)}`, {
-              headers: { Authorization: `Bearer ${cfg.relay.token}` },
-            });
-            const data = await resp.json() as { ready?: boolean; token?: string; botUsername?: string; ownerUserId?: string | number; error?: string };
-            if (!resp.ok) {
-              res.writeHead(resp.status);
-              res.end(JSON.stringify({ ok: false, error: data.error || 'poll-failed' }));
-              return;
-            }
-            if (!data.ready || !data.token) {
+              const data = JSON.parse(body || '{}');
+              const botToken = typeof data.botToken === 'string' ? data.botToken.trim() : '';
+              if (!botToken || !/^\d{6,}:[A-Za-z0-9_-]{30,}$/.test(botToken)) {
+                res.writeHead(400);
+                res.end(JSON.stringify({ ok: false, error: 'invalid-token-format' }));
+                return;
+              }
+              // Authoritative validation: ask Telegram who this token belongs to (with a timeout
+              // so a hung TLS connection can't wedge the request / the pair modal).
+              let me: any;
+              try {
+                const r = await fetch(`https://api.telegram.org/bot${encodeURIComponent(botToken)}/getMe`, { signal: AbortSignal.timeout(8000) });
+                me = await r.json().catch(() => ({}));
+              } catch {
+                res.writeHead(502);
+                res.end(JSON.stringify({ ok: false, error: 'telegram-unreachable' }));
+                return;
+              }
+              if (!me || me.ok !== true || !me.result || me.result.is_bot !== true) {
+                res.writeHead(400);
+                res.end(JSON.stringify({ ok: false, error: 'invalid-bot-token' }));
+                return;
+              }
+              const botUsername = me.result.username || undefined;
+              const cfg = loadConfig();
+              if (!cfg.channels) cfg.channels = {};
+              // On a token CHANGE (not a same-token reconnect), drop identity-bound fields so
+              // trust-on-first-use re-adopts the owner against the NEW bot — otherwise a stale
+              // ownerUserId/admins would silently lock out the new operator.
+              const prev = cfg.channels.telegram;
+              const tokenChanged = !!prev?.botToken && prev.botToken !== botToken;
+              cfg.channels.telegram = {
+                ...(prev || {}),
+                enabled: true,
+                mode: prev?.mode || 'channel',
+                botToken,
+                botUsername,
+                ...(tokenChanged ? { ownerUserId: undefined, admins: undefined } : {}),
+              };
+              saveConfig(cfg);
+              // Re-connecting with a new token: tear down any existing provider so init()
+              // reconnects with the new token (init() is a no-op when a provider already exists).
+              await channelManager.disconnectChannel('telegram').catch(() => {});
+              await channelManager.init().catch(() => {});
               res.writeHead(200);
-              res.end(JSON.stringify({ ok: true, ready: false }));
-              return;
+              res.end(JSON.stringify({ ok: true, botUsername }));
+            } catch (err: any) {
+              log.warn(`[telegram/connect] ${err.message}`);
+              if (!res.headersSent) {
+                res.writeHead(500);
+                res.end(JSON.stringify({ ok: false, error: err.message }));
+              }
             }
-
-            // Provisioned — persist the child bot token and bring the channel up.
-            const fresh = loadConfig();
-            if (!fresh.channels) fresh.channels = {};
-            fresh.channels.telegram = {
-              ...(fresh.channels.telegram || {}),
-              enabled: true,
-              mode: fresh.channels.telegram?.mode || 'channel',
-              botToken: data.token,
-              botUsername: data.botUsername || fresh.channels.telegram?.botUsername,
-              ownerUserId: data.ownerUserId != null ? String(data.ownerUserId) : fresh.channels.telegram?.ownerUserId,
-            };
-            saveConfig(fresh);
-            // Re-pairing replaces the token — tear down any existing provider so init() reconnects
-            // with the NEW token (init() is a no-op when a provider is already in the map).
-            await channelManager.disconnectChannel('telegram').catch(() => {});
-            await channelManager.init().catch(() => {});
-
-            res.writeHead(200);
-            res.end(JSON.stringify({ ok: true, ready: true, botUsername: data.botUsername }));
-          } catch (err: any) {
-            log.warn(`[telegram/poll] ${err.message}`);
-            res.writeHead(500);
-            res.end(JSON.stringify({ ok: false, error: err.message }));
-          }
-        })();
+          })();
+        });
         return;
       }
 
@@ -1505,7 +1507,11 @@ mint();
             await channelManager.disconnectChannel('telegram');
             const cfg = loadConfig();
             if (cfg.channels?.telegram) {
+              // "Forget the token" also forgets the identity bound to it, so a future bot re-adopts
+              // its owner cleanly via trust-on-first-use.
               delete cfg.channels.telegram.botToken;
+              delete cfg.channels.telegram.ownerUserId;
+              delete cfg.channels.telegram.admins;
               cfg.channels.telegram.enabled = false;
               saveConfig(cfg);
             }
@@ -1519,7 +1525,7 @@ mint();
         return;
       }
 
-      // POST /api/channels/telegram/reconnect — resume polling an already-provisioned bot
+      // POST /api/channels/telegram/reconnect — resume polling an already-connected bot
       // after a disconnect, without re-pairing (loopback-only).
       if (req.method === 'POST' && channelPath === '/api/channels/telegram/reconnect') {
         (async () => {
@@ -1553,7 +1559,8 @@ mint();
         return;
       }
 
-      // GET /api/channels/telegram/pair-page — inline page: tap to create the bot, then auto-detects link.
+      // GET /api/channels/telegram/pair-page — BYO BotFather token flow: button opens a modal explaining
+      // how to mint a token in @BotFather, takes the pasted token, POSTs {botToken} to /connect.
       if (req.method === 'GET' && channelPath === '/api/channels/telegram/pair-page') {
         res.setHeader('Content-Type', 'text/html');
         const tgStatus = channelManager.getStatus('telegram');
@@ -1580,26 +1587,49 @@ mint();
   .card{background:#2a2a2a;border:1px solid rgba(255,255,255,0.08);border-radius:20px;padding:28px 24px;width:100%;box-shadow:0 0 0 1px rgba(0,105,254,0.1),0 0 20px -5px rgba(0,105,254,0.15);animation:fade-up .5s ease-out both;text-align:center}
   .header{display:flex;flex-direction:column;align-items:center;gap:6px;margin-bottom:18px}
   .badge{display:inline-flex;align-items:center;gap:6px;background:#1a1a1a;border:1px solid rgba(255,255,255,0.08);border-radius:9999px;padding:4px 10px;font-size:11px;color:#888;text-transform:uppercase;letter-spacing:0.6px}
-  .badge::before{content:'';width:8px;height:8px;border-radius:50%;background:linear-gradient(135deg,#0166FF,#009AFE);box-shadow:0 0 8px rgba(74,238,255,0.5)}
+  .badge::before{content:'';width:8px;height:8px;border-radius:50%;background:#229ED9;box-shadow:0 0 8px rgba(34,158,217,0.6)}
   .title{font-family:'Space Grotesk',sans-serif;font-size:22px;font-weight:700;background:linear-gradient(135deg,#0166FF,#009AFE,#4AEEFF);-webkit-background-clip:text;-webkit-text-fill-color:transparent;background-clip:text;margin-top:6px}
   .sub{font-size:13px;color:#999;line-height:1.6;margin-top:6px}
-  .steps{text-align:left;margin:18px 0 6px;animation:fade-up .5s ease-out .2s both}
+  .btn{display:inline-flex;align-items:center;justify-content:center;width:100%;border:none;border-radius:10px;padding:13px 16px;font-size:14px;font-weight:600;cursor:pointer;font-family:inherit;transition:all .2s;text-decoration:none}
+  .btn-tg{background:linear-gradient(135deg,#229ED9,#2AABEE);color:#fff;box-shadow:0 4px 14px -4px rgba(34,158,217,0.5)}
+  .btn-tg:hover{opacity:.92}
+  .btn-tg:disabled{opacity:.5;cursor:not-allowed}
+  .btn-ghost{background:#1a1a1a;border:1px solid rgba(255,255,255,0.1);color:#999}
+  .btn-ghost:hover{border-color:rgba(34,158,217,0.4);color:#f5f5f5}
+  .cta-row{margin-top:8px;animation:fade-up .5s ease-out .15s both}
+  .hint{font-size:12px;color:#666;margin-top:14px;line-height:1.6}
+
+  /* modal */
+  .overlay{position:fixed;inset:0;background:rgba(10,10,10,0.72);backdrop-filter:blur(4px);display:none;align-items:center;justify-content:center;padding:20px;z-index:50}
+  .overlay.open{display:flex;animation:fade-in .2s ease-out both}
+  .modal{background:#2a2a2a;border:1px solid rgba(255,255,255,0.1);border-radius:20px;padding:24px 22px;width:100%;max-width:380px;max-height:90dvh;overflow-y:auto;box-shadow:0 24px 60px -12px rgba(0,0,0,0.6);animation:pop-up .28s cubic-bezier(.34,1.56,.64,1) both}
+  .modal-head{display:flex;align-items:flex-start;justify-content:space-between;gap:12px;margin-bottom:6px}
+  .modal-title{font-family:'Space Grotesk',sans-serif;font-size:18px;font-weight:700;color:#f5f5f5}
+  .modal-x{flex-shrink:0;width:28px;height:28px;border-radius:8px;background:#1a1a1a;border:1px solid rgba(255,255,255,0.08);color:#999;font-size:16px;line-height:1;cursor:pointer;display:flex;align-items:center;justify-content:center;transition:all .2s}
+  .modal-x:hover{color:#f5f5f5;border-color:rgba(34,158,217,0.4)}
+  .modal-sub{font-size:12px;color:#999;line-height:1.6;margin-bottom:16px}
+  .steps{text-align:left;margin:0 0 16px}
   .step{display:flex;gap:12px;font-size:13px;color:#bbb;line-height:1.5;padding:6px 0}
   .step-num{flex-shrink:0;width:22px;height:22px;border-radius:50%;background:#1a1a1a;border:1px solid rgba(255,255,255,0.08);display:flex;align-items:center;justify-content:center;font-size:11px;font-weight:600;color:#888}
   .step b{color:#f5f5f5;font-weight:600}
-  .btn{display:inline-flex;align-items:center;justify-content:center;width:100%;border:none;border-radius:10px;padding:13px 16px;font-size:14px;font-weight:600;cursor:pointer;font-family:inherit;transition:all .2s;text-decoration:none;margin-top:8px}
-  .btn-primary{background:linear-gradient(135deg,#0166FF,#009AFE);color:#fff}
-  .btn-primary:hover{opacity:.92}
-  .btn-disabled{opacity:.5;pointer-events:none}
-  .status{font-size:12px;color:#666;margin-top:14px;display:inline-flex;align-items:center;gap:6px;min-height:1.2em}
-  .status .dot{width:6px;height:6px;border-radius:50%;background:currentColor;animation:pulse 1.6s ease-in-out infinite;opacity:.6}
-  .err{color:#FB4072;font-size:13px;margin-top:12px;min-height:1.2em}
+  .step code{font-family:'Space Grotesk',monospace;color:#2AABEE;background:#1a1a1a;border:1px solid rgba(255,255,255,0.06);border-radius:5px;padding:1px 6px;font-size:12px}
+  .bf-link{display:inline-flex;align-items:center;justify-content:center;gap:7px;width:100%;border:1px solid rgba(34,158,217,0.35);background:#1a1a1a;color:#2AABEE;border-radius:10px;padding:10px 14px;font-size:13px;font-weight:600;text-decoration:none;transition:all .2s;margin-bottom:16px}
+  .bf-link:hover{background:rgba(34,158,217,0.08)}
+  .field-label{font-size:11px;color:#666;text-transform:uppercase;letter-spacing:0.6px;margin-bottom:8px;display:block}
+  .token-input{width:100%;background:#1a1a1a;border:1px solid rgba(255,255,255,0.1);border-radius:10px;padding:12px 14px;color:#f5f5f5;font-family:'Space Grotesk',monospace;font-size:14px;outline:none;transition:border-color .2s}
+  .token-input:focus{border-color:#229ED9}
+  .token-input::placeholder{color:#555;font-family:'Inter',sans-serif}
+  .modal-actions{margin-top:18px}
+  .err{color:#FB4072;font-size:13px;margin-top:12px;min-height:1.2em;text-align:left}
+
   .confetti-wrap{position:fixed;top:0;left:0;width:100%;height:100%;pointer-events:none;overflow:hidden;z-index:0}
   .confetti-dot{position:absolute;width:8px;height:8px;border-radius:50%;top:-10px;animation:confetti-fall 2s ease-out forwards}
   @keyframes confetti-fall{0%{opacity:1;transform:translateY(0) translateX(0) rotate(0) scale(1)}100%{opacity:0;transform:translateY(100vh) translateX(var(--drift)) rotate(360deg) scale(.5)}}
   .video-wrap{margin-bottom:8px;animation:pop-in .5s cubic-bezier(.34,1.56,.64,1) forwards}
   .video-wrap video{width:200px;object-fit:contain;pointer-events:none}
   @keyframes pop-in{0%{transform:scale(0);opacity:0}100%{transform:scale(1);opacity:1}}
+  @keyframes pop-up{0%{transform:translateY(12px) scale(.96);opacity:0}100%{transform:translateY(0) scale(1);opacity:1}}
+  @keyframes fade-in{0%{opacity:0}100%{opacity:1}}
   .text-wrap{text-align:center;animation:fade-up .5s ease-out .3s both}
   .success-sub{font-size:14px;color:#999;line-height:1.5;margin-top:6px}
   @keyframes pulse{0%,100%{opacity:1;transform:scale(1)}50%{opacity:.4;transform:scale(.8)}}
@@ -1614,47 +1644,99 @@ ${alreadyLinked
   <p class="success-sub">Telegram is linked${linkedUsername ? ` to <b style="color:#f5f5f5">@${linkedUsername}</b>` : ''}. Open Telegram and message your bot to start chatting.</p>
   <p class="success-sub" style="margin-top:14px;font-size:12px;color:#666">You can close this page.</p>
 </div>`
-  : `<div class="card" id="pendingCard">
+  : `<div class="card">
   <div class="header">
     <span class="badge">Telegram</span>
     <div class="title">Connect Telegram</div>
-    <p class="sub">Create your own private Telegram bot in two taps — no token, no copy-paste.</p>
+    <p class="sub">Bring your own bot. Create one for free in @BotFather, paste its token, and you're live.</p>
   </div>
-  <div class="steps">
-    <div class="step"><div class="step-num">1</div><div>Tap <b>Create my bot</b> below — Telegram opens with a confirm screen</div></div>
-    <div class="step"><div class="step-num">2</div><div>Tap <b>Create Bot</b> inside Telegram to confirm</div></div>
-    <div class="step"><div class="step-num">3</div><div>Come back here — it links automatically</div></div>
+  <div class="cta-row">
+    <button class="btn btn-tg" id="openModal">Connect Telegram</button>
   </div>
-  <a class="btn btn-primary btn-disabled" id="cta" href="#" target="_blank" rel="noopener">Preparing…</a>
-  <div class="status" id="st"><span class="dot"></span><span id="stText">Getting your link ready…</span></div>
-  <p class="err" id="err"></p>
+  <p class="hint">It takes about a minute and keeps your bot fully private to you.</p>
 </div>`}
 </div>
+
+${alreadyLinked ? '' : `<div class="overlay" id="overlay">
+  <div class="modal" role="dialog" aria-modal="true" aria-labelledby="mTitle">
+    <div class="modal-head">
+      <div class="modal-title" id="mTitle">Get your bot token</div>
+      <button class="modal-x" id="closeModal" aria-label="Close">&times;</button>
+    </div>
+    <p class="modal-sub">Telegram bots are created by a bot called <b style="color:#f5f5f5">@BotFather</b>. Follow these steps, then paste the token below.</p>
+    <div class="steps">
+      <div class="step"><div class="step-num">1</div><div>Open <b>@BotFather</b> in Telegram (button below)</div></div>
+      <div class="step"><div class="step-num">2</div><div>Send <code>/newbot</code></div></div>
+      <div class="step"><div class="step-num">3</div><div>Choose a <b>name</b> and a <b>username</b> ending in <code>bot</code></div></div>
+      <div class="step"><div class="step-num">4</div><div>BotFather replies with a <b>token</b> like <code>1234:AbCdEf…</code> — copy it</div></div>
+    </div>
+    <a class="bf-link" href="https://t.me/BotFather" target="_blank" rel="noopener">Open @BotFather in Telegram &rarr;</a>
+    <label class="field-label" for="token">Paste your bot token</label>
+    <input class="token-input" id="token" type="text" autocomplete="off" autocapitalize="off" autocorrect="off" spellcheck="false" placeholder="1234567890:ABCdefGhIJKlmNoPQRstuVwxyz">
+    <div class="modal-actions">
+      <button class="btn btn-tg" id="connectBtn">Connect</button>
+    </div>
+    <p class="err" id="err"></p>
+  </div>
+</div>`}
+
 <script>
-${alreadyLinked ? `` : `
-let sessionId=null,poller=null;
-async function start(){
-  try{
-    const r=await fetch('/api/channels/telegram/connect',{method:'POST',headers:{'Content-Type':'application/json'},body:'{}'});
-    const d=await r.json();
-    if(!d.ok){document.getElementById('err').textContent=d.error||'Could not start. Try again.';return}
-    sessionId=d.sessionId;
-    const cta=document.getElementById('cta');
-    cta.href=d.deepLink;cta.classList.remove('btn-disabled');cta.textContent='Create my bot';
-    document.getElementById('stText').textContent='Waiting for you to confirm in Telegram…';
-    if(poller)clearInterval(poller);
-    poller=setInterval(poll,2500);
-  }catch(e){document.getElementById('err').textContent=e.message}
-}
-async function poll(){
-  if(!sessionId)return;
-  try{
-    const r=await fetch('/api/channels/telegram/poll?sessionId='+encodeURIComponent(sessionId));
-    const d=await r.json();
-    if(d.ok&&d.ready){clearInterval(poller);location.reload()}
-  }catch(e){/* keep polling */}
-}
-start();
+${alreadyLinked ? '' : `
+(function(){
+  var overlay=document.getElementById('overlay');
+  var input=document.getElementById('token');
+  var btn=document.getElementById('connectBtn');
+  var err=document.getElementById('err');
+  function open(){overlay.classList.add('open');setTimeout(function(){input.focus()},150)}
+  function close(){overlay.classList.remove('open')}
+  document.getElementById('openModal').addEventListener('click',open);
+  document.getElementById('closeModal').addEventListener('click',close);
+  overlay.addEventListener('click',function(e){if(e.target===overlay)close()});
+  document.addEventListener('keydown',function(e){if(e.key==='Escape')close()});
+  input.addEventListener('input',function(){err.textContent='';input.style.borderColor=''});
+  input.addEventListener('keydown',function(e){if(e.key==='Enter')connect()});
+  btn.addEventListener('click',connect);
+
+  function setLoading(on){
+    btn.disabled=on;
+    btn.textContent=on?'Connecting…':'Connect';
+  }
+
+  async function connect(){
+    var token=(input.value||'').trim();
+    err.textContent='';
+    if(!/^\\d{6,}:[A-Za-z0-9_-]{30,}$/.test(token)){
+      err.textContent="That doesn't look like a bot token. Copy the full line BotFather sent you.";
+      input.style.borderColor='#FB4072';
+      return;
+    }
+    setLoading(true);
+    try{
+      var headers={'Content-Type':'application/json'};
+      // Send the dashboard's portal token so the (password-gated) connect endpoint authorizes us.
+      try{var t=localStorage.getItem('bloby_token');if(t)headers['Authorization']='Bearer '+t;}catch(e){}
+      var r=await fetch('/api/channels/telegram/connect',{method:'POST',headers:headers,body:JSON.stringify({botToken:token})});
+      var d=await r.json().catch(function(){return {}});
+      if(!r.ok||!d.ok){
+        err.textContent=friendly(d.error,r.status)||'Could not connect. Check the token and try again.';
+        setLoading(false);
+        return;
+      }
+      btn.textContent='Connected ✓';
+      location.reload();
+    }catch(e){
+      err.textContent='Network error. Try again.';
+      setLoading(false);
+    }
+  }
+
+  function friendly(code,status){
+    if(status===401||/auth-required/i.test(code||''))return 'Please sign in to your Bloby dashboard first, then try again.';
+    if(/invalid.*token|getMe|invalid-bot-token/i.test(code||''))return 'Telegram rejected that token. Make sure you copied the whole line from BotFather.';
+    if(/unreachable|network|502|timeout/i.test(code||''))return 'Could not reach Telegram. Check your connection and try again.';
+    return code||'';
+  }
+})();
 `}
 </script>
 </body></html>`);

package/workspace/skills/telegram/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "telegram",
   "version": "1.0.0",
-  "description": "Telegram channel via a relay-provisioned private bot. Two-tap pairing, direct long-poll, voice/photo, channel/business/assistant modes.",
+  "description": "Telegram channel via your own @BotFather bot token. Paste-token connect, direct long-poll, voice/photo, channel/business/assistant modes.",
   "skills": "./"
 }

package/workspace/skills/telegram/SKILL.md

@@ -1,15 +1,15 @@
 ---
 name: telegram
-description: "Telegram channel for your agent. Two-tap pairing creates a private bot, then your Bloby talks to Telegram directly. Messaging, voice notes, photos, channel/business/assistant modes."
+description: "Telegram channel for your agent. Create a free bot in @BotFather, paste its token, and your Bloby talks to Telegram directly. Messaging, voice notes, photos, channel/business/assistant modes."
 ---
 
 # Telegram
 
 ## What This Is
 
-Gives your agent its own Telegram bot. Connect in two taps (no token, no copy-paste), then send and receive messages, handle voice notes and photos, and switch between personal (channel), business, and assistant modes.
+Gives your agent its own Telegram bot. Your human creates a free bot via Telegram's **@BotFather** and pastes the token into a connect page — then your Bloby sends and receives messages, handles voice notes and photos, and switches between personal (channel), business, and assistant modes.
 
-Under the hood: Bloby's relay provisions a private bot for you via Telegram's "Managed Bots" feature, hands the token to your Bloby, and steps out. From then on **your Bloby talks to Telegram directly** — the relay is never in the message path. It keeps working behind any network with no public URL.
+Under the hood: your Bloby holds the bot token locally and long-polls Telegram **directly** — there's no relay or middle server in the message path. It keeps working behind any network with no public URL, and the bot stays fully private to your human.
 
 ## Dependencies
 
@@ -51,7 +51,7 @@ The format is: `[Telegram | chatId | role | name (optional)]`
 
 ## Channel Config
 
-Your channel configuration lives in `~/.bloby/config.json` under `channels.telegram` — a file the supervisor manages, outside your workspace. It holds the bot token (provisioned at pairing), the bot @username, the owner's Telegram user id, and the mode.
+Your channel configuration lives in `~/.bloby/config.json` under `channels.telegram` — a file the supervisor manages, outside your workspace. It holds the bot token (from @BotFather, saved when your human connects), the bot @username, the owner's Telegram user id, and the mode.
 
 ---
 
@@ -82,17 +82,17 @@ curl -s -X POST http://localhost:7400/api/channels/telegram/configure \
 
 ### 1. Connect Telegram
 
-When your human asks to connect Telegram, give them the pairing page (send it as a relative URL — their browser is already on the right domain). The dashboard renders any `/pair-page` URL as a button:
+When your human asks to connect Telegram, give them the pairing page (send it as a relative URL — their browser is already on the right domain). The dashboard renders this URL as a pretty Telegram button:
 
 ```
 /api/channels/telegram/pair-page
 ```
 
-That page does everything: it asks the relay to provision a private bot, shows a **"Create my bot"** button that opens Telegram, and links automatically once the human taps **Create Bot** inside Telegram. No token, no copy-paste.
+That page walks them through everything: they click **Connect Telegram**, a modal explains how to create a free bot in **@BotFather** (`/newbot` → pick a name + username → copy the token), they paste the token, and click **Connect**. The page posts the token to the supervisor, which validates it and brings the channel up automatically.
 
-The default mode after pairing is **channel** (owner-only).
+The default mode after connecting is **channel** (owner-only). The owner is set automatically the first time your human messages the bot.
 
-You do not need to call `connect` yourself — the pair-page handles provisioning. (`POST /api/channels/telegram/connect` exists if you want to fetch the deep link directly.)
+Don't mention the URL until your human actually asks to connect — then hand them `/api/channels/telegram/pair-page` and let the page do the rest.
 
 ### 2. Choose a Mode
 
@@ -197,8 +197,8 @@ curl -s -X POST http://localhost:7400/api/channels/telegram/logout
 
 ## Human Interaction
 
-- Pairing is two taps: **Create my bot** → **Create Bot** in Telegram. No token or copy-paste.
-- Your human's bot is a normal Telegram contact — they (and anyone they share it with) message it directly.
+- Connecting is one page: **Connect Telegram** → paste the **@BotFather** token → **Connect**. The page handles it.
+- Your human's bot is a normal Telegram contact — they (and anyone they share it with) message it directly. The first person to message it becomes the owner.
 - In business mode, explain that admin user ids get full agent access while everyone else gets the customer-facing skill.
 - Privacy: the bot token is stored locally at `~/.bloby/config.json`. Messages flow directly between this machine and Telegram — they do not pass through Bloby's servers.
 
@@ -210,9 +210,8 @@ curl -s -X POST http://localhost:7400/api/channels/telegram/logout
 |----------|--------|---------|
 | `/api/channels/status` | GET | List all channel statuses |
 | `/api/channels/telegram/status` | GET | Telegram channel status |
-| `/api/channels/telegram/pair-page` | GET | Pairing page (hand this to the human) |
-| `/api/channels/telegram/connect` | POST | Start provisioning, returns the t.me deep link |
-| `/api/channels/telegram/poll?sessionId=…` | GET | Poll provisioning; links when the bot is created |
+| `/api/channels/telegram/pair-page` | GET | Connect page — hand this to the human (renders as a button) |
+| `/api/channels/telegram/connect` | POST | `{"botToken":"123456789:AAH..."}` — validate token + bring the channel up (the page calls this) |
 | `/api/channels/telegram/configure` | POST | Set mode + admins + skill |
 | `/api/channels/telegram/disconnect` | POST | Stop polling (keep token) |
 | `/api/channels/telegram/reconnect` | POST | Resume the same bot after a disconnect |

package/workspace/skills/telegram/skill.json

@@ -5,7 +5,7 @@
   "bloby_human": "Bruno Bertapeli",
   "bloby": "bloby-bruno",
   "author": "newbot-official",
-  "description": "Telegram channel for your agent. Two-tap pairing provisions a private bot (no token copy-paste), then your Bloby talks to Telegram directly. Messaging, voice notes, photos, channel/business/assistant modes.",
+  "description": "Telegram channel for your agent. Create a free bot in @BotFather, paste its token, and your Bloby talks to Telegram directly. Messaging, voice notes, photos, channel/business/assistant modes.",
   "depends": [],
   "env_keys": [],
   "has_telemetry": false,