Security story
User story: locking the app and the Telegram secret
As a user who treats the Telegram bot token like a password,
I want Pengine to require YubiKey or Face ID (platform biometrics) or a system password protection to unlock the running app,
And after initial setup I want the token stored in the OS secure store (Keychain / Credential Manager)
without ever offering an “export secret” path in normal use,
So that a copy of my database or logs is much less likely to contain a usable token, and casual access
to my laptop session is not enough to read the secret.
Implementation direction (conceptual):
- First setup: user pastes token; app validates with Telegram; then only the protected store holds
it (not plist/json in plain text long-term).
- Later launches: UI locked until a Face ID / Touch ID / Windows Hello / YubiKey PIV or FIDO2 or password
challenge (whatever you standardize on) unlocks the key unwrap or gates access to the keyring
item.
- Runtime: token loaded into memory only for the minimum time needed to run the bot; no “copy
token” in production UI; no logging of secrets.
- Recovery: rotation in BotFather + re-pair in app; optional backup is user’s problem and should be
explicit (export is a dangerous, rare flow).
A YubiKey is most natural as “second factor to decrypt / release the keyring secret” or OS-backed
smart card, not as “the token lives on the YubiKey like a PGP key” unless you build a full custom
flow.
Currently the bot token is exposed in "connection.json", which it should not be.
Acceptance criteria (for your backlog)
- Telegram token at rest: platform secure store, not world-readable app data.
- App unlock: biometric, system-password or YubiKey-gated access to secrets or to “sensitive mode” before the bot
starts.
- No export path in normal settings; rotation documented.
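Added sketch of the setup and runtime flow described above, in Python; this is not Pengine's own code. It assumes the token sits under a `bot_token` key in connection.json, uses a keyring-style `set_password`/`get_password` interface (an in-memory stand-in replaces Keychain / Credential Manager here), and treats the Telegram token shape as a sanity check only.

```python
"""Constructed sketch: move the Telegram bot token out of connection.json into
the OS secure store, keep it out of logs, and hold it in memory only while the
bot is started. MemoryStore stands in for Keychain / Credential Manager and
exposes the same two calls as the `keyring` package."""
import json
import re
from pathlib import Path

SERVICE = "pengine"          # assumed keyring service name
ITEM = "telegram-bot-token"  # assumed keyring item name
# Telegram tokens commonly look like "<bot id>:<35 chars>"; assumption, sanity check only
TOKEN_SHAPE = r"\d{8,10}:[A-Za-z0-9_-]{35}"
TOKEN_RE = re.compile(rf"^{TOKEN_SHAPE}$")


class MemoryStore:
    """Stand-in for the OS secure store (keyring-compatible calls)."""
    def __init__(self):
        self._items = {}

    def set_password(self, service, item, secret):
        self._items[(service, item)] = secret

    def get_password(self, service, item):
        return self._items.get((service, item))


def migrate_token(config_path: Path, store, unlocked: bool) -> dict:
    """First setup / one-off migration: require an unlocked session, move the
    token into the secure store and leave only a reference in the JSON file."""
    if not unlocked:
        raise PermissionError("app is locked; biometric/YubiKey/system password required")
    cfg = json.loads(config_path.read_text())
    token = cfg.pop("bot_token", None)  # assumed key name in connection.json
    if token is None:
        return cfg  # already migrated, nothing to do
    if not TOKEN_RE.match(token):
        raise ValueError("bot_token does not look like a Telegram token")
    store.set_password(SERVICE, ITEM, token)
    cfg["bot_token_ref"] = f"keyring:{SERVICE}/{ITEM}"  # reference only, no secret
    config_path.write_text(json.dumps(cfg, indent=2))
    return cfg


def redact(text: str) -> str:
    """Scrub anything token-shaped before it reaches a log line."""
    return re.sub(TOKEN_SHAPE, "<redacted-bot-token>", text)


def run_bot_once(store, unlocked: bool, start_bot):
    """Runtime: fetch the token only after unlock, hand it to start_bot, then
    drop the reference (Python cannot zero immutable strings, so keep it short-lived)."""
    if not unlocked:
        raise PermissionError("app is locked")
    token = store.get_password(SERVICE, ITEM)
    if token is None:
        raise LookupError("no token paired; rotate in BotFather and re-run setup")
    try:
        return start_bot(token)
    finally:
        del token
```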