- Changed `check_authorized` in `scripts/telegram_deploy_bot.py` to fail closed (deny all) if `TELEGRAM_ALLOWED_USER_IDS` is unset or empty.
- Updated `scripts/TELEGRAM_BOT_SETUP.md` and `QUICK_DEPLOY.md` to document that `TELEGRAM_ALLOWED_USER_IDS` is now mandatory for bot access.
- Added Sentinel Journal entry in `.jules/sentinel.md` documenting the vulnerability and learning.
- Verified fix with reproduction script.
Replaced blocking `subprocess.run` calls with `asyncio.create_subprocess_exec` to ensure the Telegram bot event loop remains responsive during long-running deployment tasks.
Key changes:
- Switched to `asyncio.create_subprocess_exec` for command execution.
- Implemented `asyncio.wait_for` to handle the 300s timeout.
- Added explicit process cleanup (kill/wait) on timeout.
- Manually decoded stdout/stderr since async subprocesses return bytes.
Verified with a reproduction script showing the event loop gap dropped from ~2.0s (blocking) to ~0.1s (non-blocking).
Co-authored-by: Mouy-leng <199350297+Mouy-leng@users.noreply.github.com>
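
The two behaviours described in the commit message above, as an added sketch that is not the code from `scripts/telegram_deploy_bot.py`: a fail-closed allowlist check and a non-blocking command runner with timeout cleanup. The names `is_authorized`, `load_allowed_ids` and `run_command`, and the comma-separated format of `TELEGRAM_ALLOWED_USER_IDS`, are assumptions.

```python
import asyncio
import os

ENV_VAR = "TELEGRAM_ALLOWED_USER_IDS"  # variable name taken from the commit message


def load_allowed_ids(environ=os.environ):
    """Parse the allowlist; comma-separated numeric IDs is an assumed format."""
    ids = set()
    for part in environ.get(ENV_VAR, "").split(","):
        part = part.strip()
        if part.isdigit():  # silently skip malformed entries rather than widen access
            ids.add(int(part))
    return frozenset(ids)


def is_authorized(user_id, environ=os.environ):
    """Fail closed: an unset, empty or unparsable allowlist denies everyone."""
    allowed = load_allowed_ids(environ)
    return bool(allowed) and user_id in allowed


async def run_command(argv, timeout=300.0):
    """Run argv without blocking the event loop.

    Returns (returncode, stdout, stderr); returncode is None on timeout.
    """
    proc = await asyncio.create_subprocess_exec(
        *argv,
        stdout=asyncio.subprocess.PIPE,
        stderr=asyncio.subprocess.PIPE,
    )
    try:
        out, err = await asyncio.wait_for(proc.communicate(), timeout=timeout)
    except asyncio.TimeoutError:
        proc.kill()        # explicit cleanup so the child does not outlive the request
        await proc.wait()  # reap the killed process
        return None, "", f"timed out after {timeout}s"
    # Async subprocess pipes yield bytes, so decode before returning text.
    return proc.returncode, out.decode(errors="replace"), err.decode(errors="replace")
```
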