Files
nick-doc/.taskmaster/docs/prd-telegram-native-app-bot-wallet.md
2026-05-24 09:30:35 +04:00

9.7 KiB

PRD: Telegram-Native App, Bot, and Wallet Experience

Scope

Create a separate delivery track for making Amanat usable from inside Telegram through a bot plus Telegram Mini App. The goal is not only notifications, but a native-feeling Telegram surface that can cover buyer, seller, escrow, chat, dispute, payment, release/refund, and support workflows.

This track should remain separate from the current security remediation and Request Network migration backlog, but it depends on those foundations for any money movement or high-risk actions.

Platform assumptions checked May 24, 2026

  • Telegram Mini Apps provide a full JavaScript web interface inside Telegram and can be launched from bot profile, menu button, inline buttons, direct links, inline mode, and selected attachment-menu contexts.
  • Mini Apps must validate Telegram.WebApp.initData on the backend before trusting Telegram user identity. initDataUnsafe is not trusted.
  • Bot API payments support invoices, invoice links, pre-checkout handling, successful payment events, Telegram Stars, and refund/subscription management for Stars.
  • TON Connect is the standard wallet connection protocol for TON dApps and Telegram Mini Apps. It lets apps request wallet connection, signatures, and transactions without controlling user keys.
  • TON Pay SDK and Wallet Pay are possible payment paths for TON/jetton/Telegram-wallet-style crypto payments, but they must be evaluated against escrow ledger, webhook, jurisdiction, KYC, fee, refund, and reconciliation requirements before production use.

Reference docs:

Product goal

Users should be able to complete the practical Amanat journey without leaving Telegram:

  • Register or link an Amanat account from Telegram.
  • Browse and create purchase requests.
  • Receive seller offers and buyer decisions.
  • Chat around a request with structured context.
  • Start escrow payment from Telegram.
  • See payment, delivery, dispute, and release state.
  • Submit evidence for delivery or dispute.
  • Confirm delivery, request refund, or approve release when eligible.
  • Receive actionable notifications and reminders.
  • Use wallet/payments options that are safe for escrow accounting.

Non-goals

  • Do not bypass the canonical backend authorization, funds ledger, or escrow state machine.
  • Do not treat Telegram chat messages as the source of truth for financial state.
  • Do not release funds based only on bot callback data or client-side Mini App state.
  • Do not store Telegram bot tokens, Wallet Pay keys, or TON private keys in frontend code.
  • Do not make Telegram the only supported channel unless a later product decision explicitly says so.

Architecture principles

  • The Mini App is a client surface. The backend remains the authority for identity, authorization, payment state, escrow state, disputes, and audit logs.
  • Telegram identity maps to an Amanat user through a verified link table keyed by Telegram user ID and Amanat user ID.
  • Every Telegram-originated command, callback, webhook, and Mini App request is authenticated and rate-limited.
  • Telegram callbacks must be idempotent and replay-safe.
  • Payment events flow into the same provider-neutral payment adapter, ledger, and reconciliation pipeline as web checkout.
  • High-risk actions such as release, refund, payout address change, dispute resolution, and admin override require step-up confirmation or explicit backend policy.

Task set

Task 1: Define Telegram product surface and flow map

Document which Amanat workflows live in bot messages, which live in the Mini App, and which remain web/admin-only for the first release.

Acceptance criteria:

  • Buyer, seller, admin/support, unauthenticated, linked-user, and unlinked-user journeys are mapped.
  • Deep-link entry points are specified for request details, offer review, payment, dispute, delivery evidence, and account linking.
  • First-release scope separates must-have flows from later enhancements.
  • Every Telegram action maps to an existing or planned backend API/state transition.

Task 2: Build Telegram identity linking and session model

Implement secure account linking between Telegram users and Amanat accounts.

Acceptance criteria:

  • Backend verifies Mini App initData before creating a Telegram session.
  • Telegram user IDs are linked to Amanat users through an auditable association table.
  • Account linking supports existing users, new users, unlinking, blocked accounts, and duplicate Telegram-account attempts.
  • Session expiry, replay protection, rate limits, and audit logging are defined.

Task 3: Implement bot command and notification foundation

Create the Telegram bot backend for commands, inline keyboards, callback queries, deep links, and outbound notifications.

Acceptance criteria:

  • Bot supports start/help/link/status/request/offer/payment/dispute/settings basics.
  • Callback payloads use short opaque IDs or signed tokens, not raw financial state.
  • All incoming updates are idempotently processed and rate-limited.
  • Notification preferences and quiet/error states are respected.
  • Failed delivery, blocked bot, and retry behavior are observable.

Task 4: Build Telegram Mini App shell for core marketplace workflows

Deliver the mobile-first Mini App that gives users the full Amanat workflow surface inside Telegram.

Acceptance criteria:

  • Mini App uses Telegram theme, safe-area, viewport, back button, haptics, and main/bottom button patterns.
  • Users can browse requests, create/edit requests, review offers, view escrow/payment state, upload evidence, and manage dispute/delivery actions.
  • The Mini App can be launched from bot profile, menu button, inline buttons, and direct links with startapp context.
  • UX handles unlinked accounts, expired sessions, unsupported Telegram clients, and fallback web links.

Task 5: Add Telegram payment and wallet strategy

Evaluate and implement safe payment entry points for Telegram-native users without weakening escrow accounting.

Acceptance criteria:

  • Compare Bot API payments/Stars, Wallet Pay, TON Pay, TON Connect, Request Network links, and existing crypto checkout for supported use cases.
  • Select a first payment path and document rejected options.
  • Payment creation stores provider, Telegram user ID, deep-link source, payment reference, invoice/order/request ID, currency, amount, expiration, and idempotency key.
  • Wallet/TON flows validate recipient, asset, amount, memo/reference, confirmation status, and reconciliation evidence before crediting escrow.
  • Refund/release behavior is explicitly compatible with the canonical ledger and dispute holds.

Task 6: Expose escrow, delivery, dispute, and release actions safely

Make Telegram actions useful for real escrow work while preserving backend state authority.

Acceptance criteria:

  • Telegram users can see current escrow state, next allowed actions, and blockers.
  • Delivery confirmation, evidence upload, refund request, dispute open/respond, and release approval route through backend precondition checks.
  • High-risk actions require fresh confirmation and are audit logged with Telegram context.
  • Disputed or held funds cannot be released through Telegram shortcuts.

Task 7: Add admin/support operating surface for Telegram-originated cases

Give support/admin users enough visibility to handle Telegram-originated users and payments.

Acceptance criteria:

  • Admin UI/API shows Telegram linked identity, bot notification status, launch source, payment provider, and wallet/payment references.
  • Support can resend links, revoke Telegram link, block bot access, and inspect Telegram-originated events.
  • Admin overrides require the same step-up/two-person policy as web flows if configured.

Task 8: Security, compliance, and abuse controls for Telegram

Threat-model the Telegram surface and add controls before launch.

Acceptance criteria:

  • Threat model covers forged init data, callback replay, deep-link parameter tampering, phishing links, bot token leakage, spam, account takeover, wallet spoofing, fake payment proof, and support impersonation.
  • Secrets, bot webhook endpoints, Wallet Pay keys, TON Connect manifest, CORS, CSP, allowed origins, and rate limits are documented.
  • Monitoring covers update processing failures, abnormal callbacks, payment mismatches, blocked notifications, and suspicious wallet activity.

Task 9: QA, rollout, analytics, and launch operations

Prepare the Telegram app/bot for controlled release.

Acceptance criteria:

  • Test matrix covers Telegram iOS, Android, Desktop, Web, light/dark themes, compact/fullscreen modes, slow network, blocked bot, expired sessions, and payment cancellation.
  • Sandbox/test bot and production bot environments are separated.
  • Rollout uses feature flags, internal allowlist, beta cohort, and production enablement.
  • Analytics measure activation, linked accounts, request creation, offer response, payment start/completion, dispute activity, release approval, and notification opt-outs.
  • Runbooks exist for bot outage, Telegram API outage, payment provider outage, stuck payment, duplicate callback, suspicious wallet proof, and compromised bot token.

Dependency guidance

  • Tasks involving release/refund/payment crediting should depend on the platform hardening and ledger/payment-provider work.
  • Identity, bot navigation, Mini App shell, and notification preferences can start earlier behind feature flags.
  • Wallet/TON payment work must not precede the provider-neutral adapter, ledger invariants, and webhook/idempotency contracts.