TeleWatchdog/README.md
2026-04-19 00:28:19 +08:00

# TeleWatchdog
TeleWatchdog is a `Cloudflare Workers` Telegram join-request watchdog for private groups.
It reviews join requests with a simple pipeline:
1. Check whether the applicant has an avatar.
2. Check whether the applicant has a bio.
3. If either is missing, require verification.
4. If both exist, ask an AI model for a binary decision.
5. If the AI returns `approve`, accept the join request immediately.
6. Otherwise, send a verification message with a Telegram Web App button.
Users who need verification can choose either:
- `Cloudflare Turnstile`
- `Telegram WebApp BiometricManager`
If verification is not completed within 10 minutes, a scheduled task declines the request and cleans up the stored state.
## Features
- Telegram `chat_join_request` webhook support
- Cloudflare Worker deployment model
- Telegram Web App verification page
- Turnstile verification
- Telegram biometric verification via `BiometricManager`
- AI-based binary profile review
- Automatic cleanup of expired verification records
- Automatic deletion of verification messages after success or timeout
## Stack
- `Cloudflare Workers`
- `Cloudflare KV`
- `Telegram Bot API`
- `Cloudflare Turnstile`
- OpenAI-compatible chat completion API
## Project Structure
```text
src/index.ts Main Worker implementation
package.json Project metadata and scripts
tsconfig.json TypeScript config
wrangler.toml.example Example Wrangler config
```
## Required Secrets
Set these with `wrangler secret put`:
- `BOT_TOKEN`
- `TG_WEBHOOK_SECRET`
- `AI_BASE_URL`
- `AI_API_KEY`
- `TURNSTILE_SECRET`
## Required Variables
Set these in `wrangler.toml`:
- `AI_MODEL`
- `TURNSTILE_SITE_KEY`
- `VERIFICATION_ORIGIN`
## KV Setup
Create a KV namespace:
```bash
npx wrangler kv namespace create PENDING_JOINS
```
Copy the returned namespace id into your `wrangler.toml`.
## Local Setup
```bash
npm install
# Create your local config from the example
cp wrangler.toml.example wrangler.toml
```
Then edit `wrangler.toml` and add your real values.
## Deploy
```bash
npx wrangler deploy
```
## Telegram Webhook
After deployment, configure the webhook to point to:
```text
https://your-worker-domain/telegram/webhook
```
Example PowerShell:
```powershell
$botToken = "YOUR_BOT_TOKEN"
$secret = "YOUR_TG_WEBHOOK_SECRET"
$body = @{
    url             = "https://your-worker-domain/telegram/webhook"
    secret_token    = $secret
    allowed_updates = @("chat_join_request")
} | ConvertTo-Json -Compress
Invoke-RestMethod -Method Post -Uri "https://api.telegram.org/bot$botToken/setWebhook" -ContentType "application/json" -Body $body
```
## Telegram Permissions
The bot must:
- be added to the target group
- be an administrator
- have permission to approve join requests
The group must be configured to require approval for join requests.
## Verification Flow
### Auto-approve path
- user has avatar
- user has bio
- AI returns `approve`
- request is approved immediately
- no message is sent to the user
### Verification path
- avatar missing, or
- bio missing, or
- AI returns `challenge`, or
- AI request fails
Then:
- a single verification message is sent
- user opens the Telegram Web App
- user completes Turnstile or biometric verification
- the bot approves the request
- the verification message is deleted
- KV records are deleted
### Timeout path
- request stays pending for 10 minutes
- scheduled Worker declines the join request
- verification message is deleted
- KV records are deleted
## Notes
- Telegram biometric verification here uses `Telegram.WebApp.BiometricManager`, not WebAuthn.
- Telegram Web App `initData` is verified server-side before accepting either verification method.
- Public repository users should create their own Worker domain, Turnstile site, KV namespace, and AI credentials.
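
The server-side `initData` check mentioned in the notes above can look like the following. This is an added example, not code from `src/index.ts`: it follows Telegram's documented Web App validation scheme, and the function names, the use of Node's `crypto` module, and the reuse of the 10-minute window as the maximum `auth_date` age are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

export type InitDataResult =
  | { ok: true; userId: number }
  | { ok: false; reason: string };

// Hash Telegram documents for Web App initData: sort every field except
// `hash`, join as key=value lines, and HMAC-SHA256 them with a key derived
// as HMAC-SHA256(key = "WebAppData", message = bot token).
export function initDataHash(fields: Map<string, string>, botToken: string): string {
  const dataCheckString = Array.from(fields.entries())
    .filter(([key]) => key !== "hash")
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([key, value]) => `${key}=${value}`)
    .join("\n");
  const secret = createHmac("sha256", "WebAppData").update(botToken).digest();
  return createHmac("sha256", secret).update(dataCheckString).digest("hex");
}

// maxAgeSec defaults to the README's 10-minute verification window (assumption).
export function verifyInitData(raw: string, botToken: string, nowSec: number, maxAgeSec = 600): InitDataResult {
  const fields = new Map<string, string>();
  new URLSearchParams(raw).forEach((value, key) => fields.set(key, value));

  // Authenticate first; nothing in the payload is trusted before this passes.
  const claimed = Buffer.from(fields.get("hash") ?? "", "hex");
  const expected = Buffer.from(initDataHash(fields, botToken), "hex");
  if (claimed.length !== expected.length || !timingSafeEqual(claimed, expected)) {
    return { ok: false, reason: "bad_hash" };
  }

  // Reject stale launches so a captured initData string cannot be reused later.
  const authDate = Number(fields.get("auth_date"));
  if (!Number.isInteger(authDate) || authDate > nowSec || nowSec - authDate > maxAgeSec) {
    return { ok: false, reason: "stale" };
  }

  // The caller compares userId with the user stored for the pending join request.
  try {
    const userId = JSON.parse(fields.get("user") ?? "").id;
    if (Number.isSafeInteger(userId)) return { ok: true, userId };
  } catch { /* malformed JSON falls through to the failure below */ }
  return { ok: false, reason: "no_user" };
}
```

Approve the join request only when the returned `userId` matches the applicant recorded for that pending request; a valid signature alone proves who opened the Web App, not that they are the applicant.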
## License
Add your preferred license before publishing if needed.