docs(adr): first-class per-platform configuration #1263
Propose promoting all gateway-connected platforms (Telegram, LINE, Feishu, WeCom, Google Chat, MS Teams) to top-level config sections, matching the existing [discord] and [slack] structure.

Key decisions:
- Per-platform [telegram], [line], [feishu], etc. sections
- Trust-none default (empty allowed_users = deny all)
- Single trust gate at AdapterRouter::handle_message()
- Echo sender ID on deny
- Deprecate [gateway] catch-all section

Tracking: #1262
Layer 1 (gateway): Platform authentication mechanisms per adapter
- Telegram: secret token + IP range
- LINE: HMAC-SHA256
- Feishu: SHA256 signature + encrypt key
- WeCom: token signature + AES decrypt
- Google Chat: JWT (RS256 via JWKS)
- MS Teams: JWT (OpenID Connect)
- Slack/Discord: WebSocket token auth

Layer 2 (core): Channel/group trust (existing)

Layer 3 (core): User trust (this ADR - flip to deny-all)
…ity (deny default)

Clarify the three layers per review discussion:
- L1 platform auth (security, edge)
- L2 channel/group/DM scope control — NOT security, default OPEN; the platform already enforces channel membership, so L2 is operator scoping
- L3 identity trust — THE security gate, default DENY-ALL, covers all paths
- allow_dm is an L2 surface toggle; DMs have no platform membership gate so L3 is their sole protection
- L2 must stay open by default for the echo-UID request-access flow to work
- Extend TrustConfig with L2 scope fields (allow_all_channels, allow_dm) + surface_allowed(); defaults L2-open / L3-deny
- Add 'Trait & Type Changes' section: pass SenderContext in MessageContext, add is_dm to ChannelRef, no new ChatAdapter method/trait (uniform logic)
- Note the real refactor = remove scattered trust checks from discord.rs/slack.rs/gateway.rs so the router gate is un-bypassable
- Fix architecture diagram gate labels (L2 optional/open, L3 deny default)
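The L2/L3 split described in these commits, as an added example in Rust (not the project's code): a TrustConfig with the proposed allow_all_channels/allow_dm fields and surface_allowed(), and a single check() gate of the kind AdapterRouter::handle_message() would call on every path. The allowed_channels field, the SenderContext shape, the Verdict enum and the echo wording are assumptions made for the example.

```rust
use std::collections::HashSet;

/// L2 operator scoping (default OPEN) and L3 identity trust (default DENY-ALL).
/// Field and method names follow the ADR discussion; their exact shape in openab-core is assumed.
#[derive(Debug, Clone)]
pub struct TrustConfig {
    pub allow_all_channels: bool,          // L2: act in any channel/group the bot is a member of
    pub allowed_channels: HashSet<String>, // L2: explicit scope when allow_all_channels is false (assumed field)
    pub allow_dm: bool,                    // L2: DMs have no platform membership gate, so L3 is their only protection
    pub allowed_users: HashSet<String>,    // L3: empty = trust none, every sender is denied
}

impl Default for TrustConfig {
    /// L2 open so the echo-UID request-access flow works; L3 empty so nobody is trusted yet.
    fn default() -> Self {
        Self { allow_all_channels: true, allowed_channels: HashSet::new(), allow_dm: true, allowed_users: HashSet::new() }
    }
}

/// Sender identity plus where the message arrived; is_dm mirrors the proposed ChannelRef field.
pub struct SenderContext<'a> {
    pub platform: &'a str,
    pub user_id: &'a str,
    pub channel_id: &'a str,
    pub is_dm: bool,
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    OutOfScope,            // L2 miss: outside the operator's chosen scope, no reply at all
    Deny { echo: String }, // L3 miss: reply text echoes the sender ID for allow-listing
}

impl TrustConfig {
    /// L2: is this surface (channel, group or DM) one the operator wants the bot active in?
    pub fn surface_allowed(&self, ctx: &SenderContext<'_>) -> bool {
        if ctx.is_dm { return self.allow_dm; }
        self.allow_all_channels || self.allowed_channels.contains(ctx.channel_id)
    }
    /// The single gate AdapterRouter::handle_message() would call for every platform path.
    /// L2 runs first so allow_dm can hide the surface entirely; L3 then denies unless allow-listed.
    pub fn check(&self, ctx: &SenderContext<'_>) -> Verdict {
        if !self.surface_allowed(ctx) { return Verdict::OutOfScope; }
        if self.allowed_users.contains(ctx.user_id) { return Verdict::Allow; }
        let echo = format!("Not authorized. Your {} user ID is {}; ask the operator to add it to allowed_users.", ctx.platform, ctx.user_id);
        Verdict::Deny { echo }
    }
}
```

With the defaults, a group message from an unknown sender reaches L3 and gets the echo, while a DM with allow_dm = false never gets that far and is dropped at L2.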
Split the trust/security decision out into a separate ADR (docs/adr/identity-trust-none.md, PR #1264). This ADR now covers only the config schema change: first-class [platform] sections + [gateway] deprecation + migration.
LGTM ✅ — Clean, well-scoped ADR that formalizes per-platform config promotion and deprecates the broken

What This PR Does
Introduces an Architecture Decision Record proposing that all gateway-connected platforms (Telegram, LINE, Feishu, WeCom, Google Chat, MS Teams) be promoted to first-class top-level

How It Works
Single new file
Implements #1263 for Telegram: every TELEGRAM_* env var now has a [telegram] config field. Config-authoritative with ${} expansion and TELEGRAM_* env fallback when a field is unset (matches [discord]/[slack]).
- TelegramConfig + resolve() in openab-core (config > env > default)
- AppState gains telegram_streaming + apply_telegram_config() (plain params, no core dependency)
- unified_adapter reads resolved streaming instead of env directly
- main.rs applies resolved config + webhook_path to the embedded gateway
- backward compatible: env-only deployments (no [telegram]) unchanged

Refs #1263
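Added example in Rust (not openab-core's TelegramConfig) of the precedence this PR describes: a set [telegram] field wins after ${} expansion, then the matching TELEGRAM_* variable, then the default. The bot_token field, the exact TELEGRAM_* variable names, the HashMap standing in for the parsed TOML table, and the injectable env lookup closure (used instead of std::env so the rule is testable) are assumptions.

```rust
use std::collections::HashMap;

/// Raw [telegram] table from config.toml; a HashMap stands in for the serde struct here.
/// A missing key means the field was not set, which triggers the TELEGRAM_* env fallback.
pub type RawSection = HashMap<String, String>;

/// Expand `${NAME}` references in a config value via `env`. An unset variable expands to
/// empty; an unterminated `${` is kept literally so a typo stays visible instead of vanishing.
pub fn expand_env(value: &str, env: &impl Fn(&str) -> Option<String>) -> String {
    let (mut out, mut rest) = (String::new(), value);
    while let Some(start) = rest.find("${") {
        out.push_str(&rest[..start]);
        match rest[start + 2..].find('}') {
            Some(end) => {
                out.push_str(&env(&rest[start + 2..start + 2 + end]).unwrap_or_default());
                rest = &rest[start + 3 + end..]; // skip past the closing brace
            }
            None => { out.push_str(&rest[start..]); rest = ""; }
        }
    }
    out.push_str(rest);
    out
}

/// One field: config value (with ${} expanded) > TELEGRAM_* env var > default.
fn resolve_field(raw: &RawSection, key: &str, env_var: &str, default: &str, env: &impl Fn(&str) -> Option<String>) -> String {
    match raw.get(key) {
        Some(v) => expand_env(v, env),
        None => env(env_var).unwrap_or_else(|| default.to_string()),
    }
}

#[derive(Debug, PartialEq)]
pub struct TelegramConfig {
    pub bot_token: String,    // assumed field name
    pub webhook_path: String, // named in the PR description
    pub streaming: bool,      // backs AppState.telegram_streaming
}

impl TelegramConfig {
    /// Resolve the whole section; the exact TELEGRAM_* variable names are assumed for this example.
    pub fn resolve(raw: &RawSection, env: &impl Fn(&str) -> Option<String>) -> Self {
        let streaming = resolve_field(raw, "streaming", "TELEGRAM_STREAMING", "false", env);
        Self {
            bot_token: resolve_field(raw, "bot_token", "TELEGRAM_BOT_TOKEN", "", env),
            webhook_path: resolve_field(raw, "webhook_path", "TELEGRAM_WEBHOOK_PATH", "/telegram/webhook", env),
            streaming: matches!(streaming.trim(), "true" | "1"),
        }
    }
}
```

An env-only deployment passes an empty RawSection and resolves exactly as before, which is the backward-compatibility property the PR claims.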
Mob review of the ADR (3 independent LLM reviewers: Claude / Codex / agy)

These are suggestions — the call on what to apply is yours. Since this PR is an ADR (design,

Overall this is a well-structured ADR — clear Trust Pyramid, good "Rejected Alternatives", correct

Blocking concerns (strongly recommend addressing before merge)
1.
   Consequence: if Implementation Plan step 3 ("wire trust gate into
2. Unified mode breaks the per-platform trust lookup and the echo text.
3. Removing

Important suggestions
4. The "scattered checks to remove" list is incomplete. §8 step 4 names Discord
5. The ADR doesn't actually require
6. Default-flip should be a transition, not a hard cutover (ruling #5). §6 flips the default
7. Echo-on-deny needs rate-limiting / dedupe / loop-prevention. §4.2/§5 reply to every
8.
9.
10. "All messages logged with sender ID + platform" (issue AC) isn't covered. The ADR only logs
11. Teams sender-ID format looks inconsistent — please verify. §7 labels Teams IDs "AAD Object
12. Echo reliability varies by gateway platform — call out LINE. Sending to an untrusted sender

Minor suggestions (nits)

Verification: the [Critical] convergence-point finding (#1) was independently reproduced by all
ADR proposing first-class per-platform config: promote all gateway-connected platforms (Telegram, LINE, Feishu, WeCom, Google Chat, MS Teams) to top-level config.toml sections, matching [discord] and [slack], and deprecate the [gateway] catch-all.

Scope (config only)
- [telegram], [line], [feishu], [wecom], [googlechat], [teams]
- [gateway] list
- [gateway] deprecation + migration path + sender-ID formats

Split note
The trust/security decision (identity trust-none default + L1/L2/L3 trust pyramid + router gate + type changes) was split into its own ADR — #1264 (docs/adr/identity-trust-none.md) — which depends on this one. Together they close #1262.

Doc: docs/adr/first-class-platform-config.md