fix: preserve unmatched telegram access groups

extensions/telegram/src/access-groups.ts

@@ -28,5 +28,9 @@ export async function expandTelegramAllowFromWithAccessGroups(params: {
             }),
         })
       : allowFrom;
-  return expanded.filter((entry) => parseAccessGroupAllowFromEntry(entry) == null);
+  const originalEntries = new Set(allowFrom);
+  const matched = expanded.some((entry) => !originalEntries.has(entry));
+  return matched
+    ? expanded.filter((entry) => parseAccessGroupAllowFromEntry(entry) == null)
+    : expanded;
 }

extensions/telegram/src/bot.create-telegram-bot.test.ts

@@ -1609,6 +1609,31 @@ describe("createTelegramBot", () => {
       },
       expectedReplyCount: 1,
     },
+    {
+      name: "blocks explicitly configured group when groupAllowFrom access group does not match sender",
+      config: {
+        accessGroups: {
+          operators: {
+            type: "message.senders",
+            members: { telegram: ["111111111"] },
+          },
+        },
+        channels: {
+          telegram: {
+            groupPolicy: "allowlist",
+            groupAllowFrom: ["accessGroup:operators"],
+            groups: { "-100123456789": { requireMention: false } },
+          },
+        },
+      },
+      message: {
+        chat: { id: -100123456789, type: "group", title: "Test Group" },
+        from: { id: 123456789, username: "testuser" },
+        text: "hello",
+        date: 1736380800,
+      },
+      expectedReplyCount: 0,
+    },
     {
       name: "allows group messages from sender access groups in per-group allowFrom",
       config: {