← Back to Projects

Telegram Personal MCP: Bounded Agent Messenger

A Rust MCP server that lets coding agents use a personal Telegram account through a narrow, auditable surface: readiness checks, bounded reads, dialog search, and approval-gated private sends.

This case proves agent-tool design under real safety pressure: Telegram access is useful only when reading, sending, session ownership, and approval evidence are separated by construction.

bounded MCP
Tool Surface
approval argument
Send Safety
bounded slices
Read Scope
> Private repository. Available for code review on request.

▍ Problem Space

AI agents often need to look up a private working chat, read recent context, or deliver an approved operational update. A generic messenger bridge is too dangerous for that job.

  • Overbroad Access: Many chat tools expose unbounded history, noisy dialog dumps, or destructive actions the agent does not need.
  • Ambiguous Sending: A private message is still a human-contact action. The tool must require explicit current-session approval for the exact recipient and text.
  • Session Ownership: Telegram session files are credentials. One live owner and a lock file prevent split-brain access to the same account state.
  • Numeric Peer Resolution: Private chats cannot be treated like public usernames; dialog identity and access hashes must be resolved through the account's own dialogs.

▍ Architecture

CODEX / AGENT
  typed MCP call + approval evidence
          ↓
MCP SERVER (Rust)
  schema validation | bounded tools | session lock
          ↓
TELEGRAM ADAPTER
  ferogram session | proxy support | dialog identity
          ↓
TELEGRAM ACCOUNT
  read bounded slices | send only approved private messages

▍ Operating Proof

bounded MCP
Tool Surface
approval argument
Send Safety
bounded slices
Read Scope
none exposed
Destructive Tools
lock protected
Session Owner
Rust 2024
Implementation

▍ Key Engineering Decisions

Problem
Agents need Telegram context, but broad history export turns a simple lookup into private-data exposure.
Solution
Expose small tools only: health, bounded dialog listing, targeted search, bounded chat reads, and one approval-gated send path.
Alternative Rejected
Generic Telegram automation — faster to expose, but impossible to audit safely when agents share the same runtime.
Problem
A visible chat ID is not enough to address a Telegram peer reliably through MTProto.
Solution
Resolve numeric IDs through the account's dialog inventory and access-hash metadata instead of treating every ID as a username.

▍ Tech Stack

Core
Rust 2024, Tokio, clap
Protocol
MCP stdio, serde, schemars
Telegram
ferogram, MTProto session files
Safety
bounded reads, no delete tool, explicit approval field

▍ What This Proves

Agent Tool Design
Turning a risky human-contact channel into a narrow typed surface that agents can use without broad privileges.
Security Boundaries
Keeping session files, approvals, read scope, and send authority separate.
Protocol Integration
Using MTProto session identity and dialog metadata instead of brittle public-username assumptions.
Operational Fit
Making the tool useful for real work while still failing closed on unauthorized or ambiguous actions.

Ready to build something like this?

Start a Project