diff --git a/extensions/telegram/src/security.ts b/extensions/telegram/src/security.ts
index 818cbd1f667..15aac107e59 100644
--- a/extensions/telegram/src/security.ts
+++ b/extensions/telegram/src/security.ts
@@ -1,7 +1,17 @@
+import { createScopedDmSecurityResolver } from "openclaw/plugin-sdk/channel-config-helpers";
+import type { ChannelPlugin } from "openclaw/plugin-sdk/channel-core";
 import { createAllowlistProviderRouteAllowlistWarningCollector } from "openclaw/plugin-sdk/channel-policy";
 import type { ResolvedTelegramAccount } from "./accounts.js";
 import { collectTelegramSecurityAuditFindings } from "./security-audit.js";
 
+const resolveTelegramDmPolicy = createScopedDmSecurityResolver<ResolvedTelegramAccount>({
+  channelKey: "telegram",
+  resolvePolicy: (account) => account.config.dmPolicy,
+  resolveAllowFrom: (account) => account.config.allowFrom,
+  policyPathSuffix: "dmPolicy",
+  normalizeEntry: (raw) => raw.replace(/^(telegram|tg):/i, ""),
+});
+
 const collectTelegramSecurityWarnings =
   createAllowlistProviderRouteAllowlistWarningCollector<ResolvedTelegramAccount>({
     providerConfigPresent: (cfg) => cfg.channels?.telegram !== undefined,
@@ -24,13 +34,7 @@ const collectTelegramSecurityWarnings =
   });
 
 export const telegramSecurityAdapter = {
-  dm: {
-    channelKey: "telegram",
-    resolvePolicy: (account: ResolvedTelegramAccount) => account.config.dmPolicy,
-    resolveAllowFrom: (account: ResolvedTelegramAccount) => account.config.allowFrom,
-    policyPathSuffix: "dmPolicy",
-    normalizeEntry: (raw: string) => raw.replace(/^(telegram|tg):/i, ""),
-  },
+  resolveDmPolicy: resolveTelegramDmPolicy,
   collectWarnings: collectTelegramSecurityWarnings,
   collectAuditFindings: collectTelegramSecurityAuditFindings,
-};
+} satisfies NonNullable<ChannelPlugin<ResolvedTelegramAccount>["security"]>;
diff --git a/src/channels/plugins/read-only.ts b/src/channels/plugins/read-only.ts
index 1b1f01c39df..c92ab403f66 100644
--- a/src/channels/plugins/read-only.ts
+++ b/src/channels/plugins/read-only.ts
@@ -135,7 +135,7 @@ export function listReadOnlyChannelPluginsForConfig(
         workspaceDir,
         env,
         cache: options.cache,
-        includePersistedAuthState: options.includePersistedAuthState,
+        includePersistedAuthState: options.includePersistedAuthState ?? false,
         manifestRecords: externalManifestRecords,
       }),
     ),