fix: validate Telegram bot token format during gateway setup (#9843)

The setup wizard accepted any string as a Telegram bot token without validation. Invalid tokens were only caught at runtime when the gateway failed to connect, with no clear error message. Add regex validation for the expected format (<numeric_id>:<hash>) and loop until a valid token is entered or the user cancels.
2026-04-25 00:51:20 +00:00 · 2026-04-15 08:57:15 +08:00 · 2026-04-15 08:57:15 +08:00 · 63548e4fe1
commit 63548e4fe1
parent 92a23479c0
1 changed files with 13 additions and 3 deletions
--- a/hermes_cli/setup.py
+++ b/hermes_cli/setup.py
@ -1611,9 +1611,19 @@ def _setup_telegram():
            return

    print_info("Create a bot via @BotFather on Telegram")
-    token = prompt("Telegram bot token", password=True)
-    if not token:
-        return
+    import re
+
+    while True:
+        token = prompt("Telegram bot token", password=True)
+        if not token:
+            return
+        if not re.match(r"^\d+:[A-Za-z0-9_-]{30,}$", token):
+            print_error(
+                "Invalid token format. Expected: <numeric_id>:<alphanumeric_hash> "
+                "(e.g., 123456789:ABCdefGHI-jklMNOpqrSTUvwxYZ)"
+            )
+            continue
+        break
    save_env_value("TELEGRAM_BOT_TOKEN", token)
    print_success("Telegram token saved")