From 63548e4fe1c15f69a14fa0432e8355b7d7385f27 Mon Sep 17 00:00:00 2001
From: "Mil Wang (from Dev Box)" <mingjwan@microsoft.com>
Date: Wed, 15 Apr 2026 08:57:15 +0800
Subject: [PATCH] fix: validate Telegram bot token format during gateway setup
 (#9843)

The setup wizard accepted any string as a Telegram bot token without
validation. Invalid tokens were only caught at runtime when the gateway
failed to connect, with no clear error message.

Add regex validation for the expected format (<numeric_id>:<hash>) and
loop until a valid token is entered or the user cancels.
---
 hermes_cli/setup.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/hermes_cli/setup.py b/hermes_cli/setup.py
index 9044871d..52f6e36d 100644
--- a/hermes_cli/setup.py
+++ b/hermes_cli/setup.py
@@ -1611,9 +1611,19 @@ def _setup_telegram():
             return
 
     print_info("Create a bot via @BotFather on Telegram")
-    token = prompt("Telegram bot token", password=True)
-    if not token:
-        return
+    import re
+
+    while True:
+        token = prompt("Telegram bot token", password=True)
+        if not token:
+            return
+        if not re.match(r"^\d+:[A-Za-z0-9_-]{30,}$", token):
+            print_error(
+                "Invalid token format. Expected: <numeric_id>:<alphanumeric_hash> "
+                "(e.g., 123456789:ABCdefGHI-jklMNOpqrSTUvwxYZ)"
+            )
+            continue
+        break
     save_env_value("TELEGRAM_BOT_TOKEN", token)
     print_success("Telegram token saved")