fix(telegram): allowlist api.telegram.org in media SSRF policy

src/telegram/bot/delivery.resolve-media-retry.test.ts

@@ -95,7 +95,10 @@ async function expectTransientGetFileRetrySuccess() {
   expect(fetchRemoteMedia).toHaveBeenCalledWith(
     expect.objectContaining({
       url: `https://api.telegram.org/file/bot${BOT_TOKEN}/voice/file_0.oga`,
-      ssrfPolicy: { allowRfc2544BenchmarkRange: true },
+      ssrfPolicy: {
+        allowRfc2544BenchmarkRange: true,
+        allowedHostnames: ["api.telegram.org"],
+      },
     }),
   );
   return result;

src/telegram/bot/delivery.ts

@@ -36,6 +36,9 @@ const PARSE_ERR_RE = /can't parse entities|parse entities|find end of the entity
 const VOICE_FORBIDDEN_RE = /VOICE_MESSAGES_FORBIDDEN/;
 const FILE_TOO_BIG_RE = /file is too big/i;
 const TELEGRAM_MEDIA_SSRF_POLICY = {
+  // Telegram file downloads should trust api.telegram.org even when DNS/proxy
+  // resolution maps to private/internal ranges in restricted networks.
+  allowedHostnames: ["api.telegram.org"],
   allowRfc2544BenchmarkRange: true,
 } as const;