# Reference: Gateway Security Verification — ZimaOS / CasaOS

Session: 2026-05-08, user Ahmed Zeyd Aytac.

## User Requirement

> "I want you to accept commands ONLY in this chat and NEVER from anywhere else, neither Telegram nor mail"

Interpretation: exclusive single-channel, single-user access. No other Telegram chats, no email, no other platforms.

## Verified Configuration

### .env (Hermes home)
File: `/DATA/AppData/hermes/.env`

```dotenv
TELEGRAM_BOT_TOKEN=8675826370:AAExes-0hRt4xHuGtzC6U062A2HTeztfG4s
TELEGRAM_ALLOWED_USERS=8744435286
TELEGRAM_HOME_CHANNEL=8744435286
TELEGRAM_HOME_CHANNEL_THREAD_ID=
```

- `ALLOWED_USERS` is set to **exactly one** user ID → all other Telegram users are silently ignored.
- `HOME_CHANNEL` points to the same user ID → this DM is the "home" channel.

### config.yaml gateway platforms section

```yaml
gateway:
  platforms:
    telegram:
      enabled: true
```

- Only Telegram is enabled. No Discord, Slack, Email, WhatsApp, Signal, Matrix, Mattermost, Feishu, or API Server.

### Pairing queue

At the time of verification:
```bash
hermes pairing list
```
Result: empty queue, no pending requests.

## Other Platform Artifacts Found (benign)

- **Google OAuth tokens** (`GOOGLE_ACCESS_TOKEN`, `GOOGLE_REFRESH_TOKEN`) exist in `.env` — these are for Google Workspace tools (Calendar/Gmail/Drive), **not** for messaging. They do not enable incoming messages.
- **No SMTP/IMAP/Email keys** in `.env`.
- **No Discord/Slack/WhatsApp tokens** in `.env`.

## Verdict

Security posture = **MAXIMUM** for this user's threat model.
- Single user whitelist ✓
- Single platform (Telegram) ✓
- No other gateway listeners ✓
- Pairing default-deny ✓

## Re-check Recipe (for future sessions)

If the user asks again "can anyone else message you?", run:

```bash
# 1. Verify allowed users
grep TELEGRAM_ALLOWED_USERS /DATA/AppData/hermes/.env

# 2. Verify no extra platforms in config (prints the gateway section through the next top-level key)
sed -n '/^gateway:/,/^[^ ]/p' /DATA/AppData/hermes/config.yaml

# 3. Check pairing queue
/DATA/AppData/hermes/venv/bin/hermes pairing list
```

Expected result: exactly one ALLOWED_USERS entry, only `telegram: enabled: true`, empty pairing list.
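The same recipe as a scripted pass/fail check, added here as an example (not Hermes project code). It reads the two files above; the env-key prefixes treated as "other inbound channel" credentials are an assumption, since the actual Hermes variable names for those platforms are not listed on this page.

```sh
#!/bin/sh
# Added example: turns the manual re-check into functions that return pass/fail.
# Usage: sh verify_gateway.sh /DATA/AppData/hermes/.env /DATA/AppData/hermes/config.yaml

# Number of user IDs in TELEGRAM_ALLOWED_USERS (comma-separated); expected: 1
allowed_user_count() {
    grep '^TELEGRAM_ALLOWED_USERS=' "$1" | cut -d= -f2- | tr ',' '\n' | grep -c '[0-9]'
}

# Platforms with `enabled: true` under gateway.platforms, one name per line;
# assumes the 2-space YAML indentation shown in this note
enabled_platforms() {
    awk '
        /^gateway:/                      { in_gw = 1; next }
        in_gw && /^[^ #]/                { in_gw = 0 }            # next top-level key
        in_gw && /^    [A-Za-z_]+:$/     { sub(/^ +/, ""); sub(/:$/, ""); plat = $0 }
        in_gw && /^      enabled: *true/ { print plat }
    ' "$1"
}

# Env keys that could open another inbound channel; expected: nothing printed.
# Prefix list is assumed from the platforms named in this note, not from Hermes docs.
other_channel_keys() {
    grep -E '^(DISCORD|SLACK|WHATSAPP|SIGNAL|MATRIX|MATTERMOST|FEISHU|SMTP|IMAP)[A-Z_]*=' "$1" || true
}

# $1 = .env path, $2 = config.yaml path; returns 0 only if all three invariants hold
verify_gateway() {
    [ "$(allowed_user_count "$1")" = 1 ] \
        || { echo "FAIL: TELEGRAM_ALLOWED_USERS must contain exactly one ID"; return 1; }
    [ "$(enabled_platforms "$2")" = "telegram" ] \
        || { echo "FAIL: a platform other than telegram is enabled (or telegram is not)"; return 1; }
    [ -z "$(other_channel_keys "$1")" ] \
        || { echo "FAIL: credentials for another messaging channel are present"; return 1; }
    echo "OK: single user, single platform (telegram), no other channel credentials"
}

if [ $# -ge 2 ]; then verify_gateway "$1" "$2"; fi
```

The pairing queue (`hermes pairing list`) is still checked by hand, since its output format is not shown in this note.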
