Fix/telegram writeback admin scope gate (#54561)

* fix(telegram): require operator.admin for legacy target writeback persistence

* Address claude feedback

* Update extensions/telegram/src/target-writeback.ts

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Remove stray brace

* Add updated docs

* Add missing test file, address codex concerns

* Fix test formatting error

* Address comments, fix tests

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Devin Robison
2026-03-25 11:12:09 -07:00
committed by GitHub
parent 89c4c674d1
commit b7d70ade3b
18 changed files with 808 additions and 73 deletions


@@ -16,6 +16,7 @@ import {
} from "./targets.js";
const writebackLogger = createSubsystemLogger("telegram/target-writeback");
const TELEGRAM_ADMIN_SCOPE = "operator.admin";
function asObjectRecord(value: unknown): Record<string, unknown> | null {
if (!value || typeof value !== "object" || Array.isArray(value)) {
@@ -141,6 +142,7 @@ export async function maybePersistResolvedTelegramTarget(params: {
rawTarget: string;
resolvedChatId: string;
verbose?: boolean;
gatewayClientScopes?: readonly string[];
}): Promise<void> {
const raw = params.rawTarget.trim();
if (!raw) {
@@ -154,6 +156,15 @@ export async function maybePersistResolvedTelegramTarget(params: {
return;
}
const { matchKey, resolvedTarget } = rewrite;
if (
Array.isArray(params.gatewayClientScopes) &&
!params.gatewayClientScopes.includes(TELEGRAM_ADMIN_SCOPE)
) {
writebackLogger.warn(
`skipping Telegram target writeback for ${raw} because gateway caller is missing ${TELEGRAM_ADMIN_SCOPE}`,
);
return;
}
try {
const { snapshot, writeOptions } = await readConfigFileSnapshotForWrite();
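Review bot: The scope gate `if (Array.isArray(params.gatewayClientScopes) && !params.gatewayClientScopes.includes(TELEGRAM_ADMIN_SCOPE))` fails open: `gatewayClientScopes` is optional, so a caller that omits it reaches `readConfigFileSnapshotForWrite()` with no `operator.admin` check at all. That may be intended for local, non-gateway callers, but nothing in the visible lines says so, and a gateway path that forgets to pass its scopes would skip the gate silently. I would declare the field as `gatewayClientScopes: readonly string[] | undefined;` so every call site has to state the choice, and, if that is the intent, add a comment above the check such as `// undefined scopes = non-gateway caller; gateway callers need operator.admin to persist`. Separately, the warn message interpolates the caller-supplied `raw` after only a trim, so it is worth quoting or stripping control characters before it is logged. The body of maybePersistResolvedTelegramTarget starts and continues outside these hunks.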