---
taskmaster_id: "5.8"
status: "pending"
priority: "high"
depends_on: ["2", "3", "5", "6"]
parent_id: "5"
source: "taskmaster"
generated_at: "2026-05-24T07:15:25.199Z"
---

# 5.8 - Add security, compliance, and abuse controls for Telegram

- [ ] 5.8 - Add security, compliance, and abuse controls for Telegram #taskmaster #priority/high #status/pending ⏫ 🆔 tm-5-8 ⛔ tm-2 ⛔ tm-3 ⛔ tm-5 ⛔ tm-6

## Metadata

| Field | Value |
| --- | --- |
| Taskmaster ID | 5.8 |
| Status | pending |
| Priority | high |
| Dependencies | 2, 3, 5, 6 |
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |

## Description

Threat-model the Telegram surface and add controls before launch.

## Details

Cover forged init data, callback replay, deep-link parameter tampering, phishing links, bot token leakage, spam, account takeover, wallet spoofing, fake payment proof, and support impersonation. Document secrets, bot webhook endpoints, Wallet Pay keys, TON Connect manifest, CORS, CSP, allowed origins, rate limits, and monitoring for update failures, abnormal callbacks, payment mismatches, blocked notifications, and suspicious wallet activity.

## Verification

See Telegram-native PRD acceptance criteria.
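
For the forged init data item under Details, an added example (not code from this project) of the server-side check, using Telegram's documented Mini App validation: HMAC-SHA256 over the sorted fields, keyed from the bot token. The function names, the 300-second freshness window, and the sample token and fields are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

MAX_AGE_SECONDS = 300  # assumption: freshness window picked for this example


def _signature(fields, bot_token):
    # Data-check-string: all fields except "hash", sorted by key, one "key=value" per line.
    check_string = "\n".join(f"{k}={v}" for k, v in sorted(fields.items()))
    # The HMAC key is itself an HMAC of the bot token under the constant "WebAppData".
    secret = hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()
    return hmac.new(secret, check_string.encode(), hashlib.sha256).hexdigest()


def verify_init_data(init_data, bot_token, now=None):
    """Return the verified fields; raise ValueError for forged or stale init data."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    received = fields.pop("hash", "")
    expected = _signature(fields, bot_token)
    # Compare as bytes in constant time; attacker-supplied text may be non-ASCII.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("init data signature mismatch")
    # A valid signature never expires by itself, so bound reuse with auth_date.
    age = (time.time() if now is None else now) - int(fields.get("auth_date", "0"))
    if not 0 <= age <= MAX_AGE_SECONDS:
        raise ValueError("init data is stale or dated in the future")
    return fields


def sign_init_data(fields, bot_token):
    """Helper for tests only: sign constructed fields the way the check expects."""
    return urlencode({**fields, "hash": _signature(fields, bot_token)})


if __name__ == "__main__":
    token = "123456:CONSTRUCTED-TEST-TOKEN"  # constructed, not a real bot token
    sample = {"auth_date": str(int(time.time())), "user": '{"id":42}'}
    print(verify_init_data(sign_init_data(sample, token), token))
```

Run the check on the backend for every request that carries init data, and take the user identity only from the fields it returns.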