PART 1 — What We Built Tonight
At 3:09 AM on March 2, 2026, we installed a system that lets AZ talk to Claude Code (the Brain) from his phone while driving Uber — while the M3 Mac sits at home doing the work.
The one-sentence version: A Telegram bot called @AZ_CEO_bot sits on the M3 Mac, listens for messages from AZ's phone, wakes up Claude Code to handle them, and sends the answer back to Telegram.
1 Installed Python 3.12 + uv package manager
The bot needs Python 3.12 (AZ had 3.14 which is too new). uv manages the virtual environment cleanly.
2 Cloned claude-code-telegram from GitHub
Open-source project (1,100+ stars) at ~/claude-code-telegram/. All code is reviewable — nothing hidden.
3 Created @AZ_CEO_bot via Telegram's @BotFather
AZ created the bot on his phone. BotFather gave a secret token (like a password). Only AZ has this token.
4 Configured .env with security settings
Bot token, AZ's Telegram user ID (whitelist), approved directory, Claude CLI path. All secrets stay in .env only — never saved to memory files, never committed to git.
5 First security incident — found and fixed
The bot itself (running on Telegram) scanned the system and found the token had leaked into Claude Code debug logs from the curl verification commands. We revoked the old token, got a new one, and cleaned all logs. The system caught its own vulnerability.
6 Bot is LIVE
AZ can now send messages from Telegram on his phone → Claude Code processes them on the M3 Mac → responds back. $0 extra cost (rides on the existing $100/mo Claude Max subscription).
PART 2 — How It Actually Works (Simple Version)
AZ's PHONE (Telegram)
│
│ sends message
▼
┌─────────────────────────────────┐
│ @AZ_CEO_bot │
│ (Python process on M3 Mac) │
│ Always listening. Uses no AI. │
│ Just a messenger. │
└───────────────┬─────────────────┘
│ wakes up
▼
┌─────────────────────────────────┐
│ CLAUDE CODE (temporary) │
│ Reads CLAUDE.md + memory files │
│ Does the work (Bash, Read, │
│ Write, Edit, Search, etc.) │
│ Sends answer back to bot │
│ Then DIES. │
└───────────────┬─────────────────┘
│ response
▼
AZ's PHONE (sees the answer)
The bot itself is NOT an AI. It's a tiny Python program that sits idle, waiting for a Telegram message. When one arrives, it spawns a real Claude Code process, lets it work, captures the response, and sends it back through Telegram. Then the Claude Code process ends.
Think of it like this: The bot is a secretary sitting by the phone. When you call, the secretary wakes up the engineer (Claude Code), hands them your question, waits for the answer, and reads it back to you over the phone. The engineer goes back to sleep. The secretary stays by the phone.
PART 3 — Two Doors, Same Room
After installing the bot, AZ has two ways to talk to Claude Code on his M3 Mac:
DOOR 1: Terminal (Desk)
When: AZ is at the Mac
How: Opens Terminal, types claude
Experience: Full interactive session. Asks permission before risky actions (1/2/3 prompts). AZ sees everything in real time.
Conversation: Persistent — remembers everything said in this session.
Best for: Building, coding, creating content, deep work sessions.
DOOR 2: Telegram (Phone)
When: AZ is away from Mac
How: Opens Telegram, texts @AZ_CEO_bot
Experience: Autonomous — runs tools without asking permission. Shows tool names as it works. Responds when done.
Conversation: Each message = fresh start. No memory of previous messages (except what's in files).
Best for: Quick notes, questions, giving orders, checking status.
CRITICAL DIFFERENCE: These two doors lead to separate conversations. Terminal-Claude doesn't know what Telegram-Claude said, and vice versa. They share the same files (CLAUDE.md, memory files, your Desktop files) but NOT the same conversation.
PART 4 — The Memory Problem (And How We Fix It)
This is the biggest thing to understand. Here's what each Claude instance knows when it wakes up:
| Knowledge Source | Terminal | Telegram Bot |
|---|
| CLAUDE.md (main brain file) | Reads it | Reads it |
| Memory files (~/.claude/...) | Reads them | Reads them |
| Files on Desktop | Can access | Can access |
| Current conversation | Full session history | Only current message |
| What the OTHER door did | Only if saved to files | Only if saved to files |
The Fix: Shared Memory Files
TERMINAL SESSION TELEGRAM BOT SESSION
━━━━━━━━━━━━━━━━ ━━━━━━━━━━━━━━━━━━━━
│ │
│ writes to │ writes to
▼ ▼
┌──────────────────────────────────────────┐
│ SHARED MEMORY FILES │
│ │
│ 📄 MEMORY.md (index of everything) │
│ 📄 goals.md (milestone tracking) │
│ 📄 agent-team-research.md │
│ 📄 content-outlines.md │
│ 📄 launch-monitor.md │
│ 📄 security.md │
│ 📄 ... more as needed │
│ │
│ 🔑 RULE: Important stuff gets saved │
│ here so ALL instances know it. │
└──────────────────────────────────────────┘
▲ ▲
│ reads from │ reads from
│ │
NEXT TERMINAL SESSION NEXT TELEGRAM SESSION
The rule is simple: If something important happens in any session (terminal OR Telegram), it gets written to a memory file. Next time ANY Claude instance wakes up, it reads those files and knows what happened.
PART 5 — Security: Who Gave That Order?
AZ asked a smart question: "How do I know if a command came from Terminal or Telegram? What if something runs that I didn't authorize?"
This matters. When multiple doors lead into the same system, you need to know which door someone came through. Here's the plan:
Layer 1: Source Tags in Memory Files
Every memory file entry should include WHERE it came from:
## Token Revoked — March 2, 3:55 AM PT
- Source: TERMINAL (direct session with AZ)
- Old token leaked in debug logs, revoked via BotFather
- New token applied, bot restarted
## Note from AZ — March 2, 10:30 AM PT
- Source: TELEGRAM (@AZ_CEO_bot)
- "Had an idea about the test channel — try cooking niche"
- Saved by bot-Claude, pending terminal review
Layer 2: Telegram Bot Audit Log
The bot automatically logs every action to a SQLite database at ~/claude-code-telegram/data/bot.db:
- Every message received (who, when, what)
- Every Claude command executed (what tools, how long, cost)
- Every response sent back
- Risk level assessment for each action
Layer 3: Terminal vs Telegram — Visual Indicator
Terminal Entries
Tagged: [TERMINAL]
You were at the Mac. You saw it happen. You approved it with 1/2/3.
Trust level: HIGHEST — you watched it happen
Telegram Entries
Tagged: [TELEGRAM]
You sent a message from phone. Bot-Claude acted autonomously.
Trust level: HIGH — only YOUR Telegram ID can trigger it, but you didn't watch every tool call
Layer 4: The "Did I Say That?" Safety Net (Planned)
Future upgrade: When the bot-Claude wants to do something big (install software, delete files, change configs), instead of just doing it, it could write a "pending approval" to a memory file. Next time terminal-Claude opens, it shows: "The Telegram bot wants to do X. Approve?" This adds human-in-the-loop for high-risk actions from the phone.
PART 6 — The Full System (Where This Is Going)
The Telegram bot is Step 1. Here's how the complete system looks when OpenClaw is added:
AZ (CEO)
│
┌───────────┴───────────┐
│ │
AT THE MAC ON THE ROAD
│ │
▼ ▼
┌──────────────┐ ┌──────────────────┐
│ TERMINAL │ │ TELEGRAM BOT │
│ Claude Code │ │ @AZ_CEO_bot │
│ (interactive)│ │ (autonomous) │
└──────┬───────┘ └────────┬─────────┘
│ │
│ both can control │
▼ ▼
┌────────────────────────────────────────┐
│ SHARED MEMORY FILES │
│ (the connective tissue — everyone │
│ reads and writes to these) │
└───────────────────┬────────────────────┘
│
│ Claude Code (either door)
│ sends commands to:
▼
┌────────────────────────────────────────┐
│ OPENCLAW (Docker sandbox) │
│ Always-on. Runs 24/7. │
│ ┌─────────┐ ┌─────────┐ │
│ │ NAVI │ │ SCOUT │ │
│ │ (Chief │ │(Research│ │
│ │ of Staff)│ │ Agent) │ │
│ └─────────┘ └─────────┘ │
│ ┌─────────┐ ┌─────────┐ │
│ │ ECHO │ │ BOOST │ │
│ │(Writer) │ │ (Social │ │
│ │ │ │ Media) │ │
│ └─────────┘ └─────────┘ │
│ ┌─────────┐ ┌─────────┐ │
│ │ DOLLAR │ │ BUILDER │ │
│ │(Finance)│ │ (Dev) │ │
│ └─────────┘ └─────────┘ │
│ │
│ Communicates via: Telegram group │
│ Reports to: Claude Code (the Brain) │
│ Uses: ChatGPT Plus (allowed by TOS) │
└────────────────────────────────────────┘
│
│ agents connect to:
▼
┌────────────────────────────────────────┐
│ EXTERNAL SERVICES │
│ n8n (workflow automation) │
│ Ollama (local LLMs, $0) │
│ Postiz (social media posting, $0) │
│ ElevenLabs (voice clone, future) │
│ HeyGen/Argil (avatar, future) │
└────────────────────────────────────────┘
The chain of command:
AZ gives orders → Claude Code (the Brain) designs the plan → OpenClaw agents execute the plan → External services do the physical work (posting, rendering, etc.)
AZ can give orders from Terminal (at desk) OR from Telegram (on the road). Both go through Claude Code. OpenClaw never receives direct orders from AZ — always through the Brain.
PART 7 — Memory Sync System (How Bot and Terminal Stay Connected)
This is the upgrade plan. Right now, the bot writes to memory files but doesn't tag the source. Here's the system we're building:
The Source-Tagged Memory Protocol
1 Every Entry Gets a Source Tag
When Terminal-Claude writes to memory: [TERMINAL | Mar 2, 3:55 AM]
When Bot-Claude writes to memory: [TELEGRAM | Mar 2, 10:30 AM]
When OpenClaw writes to memory: [OPENCLAW:NAVI | Mar 2, 2:15 PM]
This creates an audit trail. You always know who wrote what and when.
2 Dedicated Notes File for Phone Messages
When AZ texts a note from Telegram, it goes to a special file: phone-notes.md
Next terminal session, Claude reads this file and says: "You sent 3 notes from your phone today. Here they are."
This prevents notes from getting buried in general memory.
3 Action Log with Source Tracking
A running log of ALL significant actions across all sessions:
# action-log.md
## March 2, 2026
- [TERMINAL 03:09] Installed claude-code-telegram bot
- [TERMINAL 03:31] Bot launched, first connection
- [TELEGRAM 03:34] AZ asked about token security
- [TELEGRAM 03:40] Bot scanned system, found token in logs
- [TERMINAL 03:55] Token revoked, new token applied
- [TERMINAL 04:02] Memory files updated
- [TELEGRAM 10:30] AZ note: "cooking niche idea"
- [OPENCLAW:SCOUT 14:00] Trend research completed
- [OPENCLAW:ECHO 14:30] Draft script written
4 Suspicious Activity Alerts
If anything unusual happens, it gets flagged:
- A command from an unrecognized source → ALERT
- A Telegram message from a non-whitelisted user (blocked automatically, but logged)
- An OpenClaw agent trying to access files outside its sandbox
- Any attempt to modify .env, CLAUDE.md, or security files
Next session, terminal-Claude reports: "1 security event since last session."
PART 8 — Status: What's Done, What's Next
March 2, 3:09 AM — DONE
Python 3.12 + uv installed
March 2, 3:19 AM — DONE
@AZ_CEO_bot created via BotFather
March 2, 3:25 AM — DONE
Bot repo cloned, dependencies installed, .env configured
March 2, 3:31 AM — DONE
Bot launched — first successful connection
March 2, 3:40 AM — DONE
Security: Bot caught token in debug logs
March 2, 3:55 AM — DONE
Token revoked, new token applied, logs cleaned
March 2, 3:58 AM — DONE
Bot restarted with new token — working
Next Session — TODO
Auto-launch bot on Mac startup (so you don't type a command every time)
Next Session — TODO
Source-tagged memory protocol (every entry tagged [TERMINAL], [TELEGRAM], or [OPENCLAW])
Next Session — TODO
Phone notes file (phone-notes.md) + "you sent X notes from phone" briefing
This Week — PLANNED
Install Docker — foundation for OpenClaw sandbox
This Week — PLANNED
Install OpenClaw in Docker — isolated, can't touch main system
Week 1-2 — PLANNED
Install n8n + Postiz — workflow automation + social media posting ($0)
Week 2-3 — PLANNED
Test channel launch — separate accounts, OpenClaw team runs it
PART 9 — Security Rules for the System
| # | Rule | Why |
|---|
| 1 | Bot token stays in .env ONLY — never in memory files, never in chat | Anyone with the token controls the bot |
| 2 | ALLOWED_USERS whitelist — only AZ's Telegram ID | Nobody else can trigger the bot |
| 3 | No curl commands with tokens — use API libraries instead | curl logs tokens in debug files (learned the hard way) |
| 4 | Every memory entry tagged with source [TERMINAL/TELEGRAM/OPENCLAW] | Know who gave every order |
| 5 | High-risk bot actions → write to pending-approval file, don't execute | Human-in-the-loop for dangerous stuff |
| 6 | OpenClaw runs in Docker — can't touch host system files | Sandboxed. If it breaks, nuke the container. |
| 7 | Revoke and rotate tokens monthly | Limits damage if any token leaks |
| 8 | Review action-log.md at start of every terminal session | Catch anything suspicious that happened while AZ was away |
PART 10 — The Simple Summary
What we built: A Telegram bot (@AZ_CEO_bot) that lets AZ talk to Claude Code from his phone while the M3 Mac sits at home doing the work. Cost: $0 extra.
How it works: Phone → Telegram → Bot on Mac → Claude Code does the work → Response back to phone. Takes 30-120 seconds per request.
The memory solution: Shared memory files are the connective tissue. Every Claude instance (terminal, bot, future OpenClaw) reads and writes to the same files. Entries are tagged with their source [TERMINAL/TELEGRAM/OPENCLAW] so you always know who did what.
The security model: Whitelist (only AZ), sandbox (approved directory only), audit log (every action recorded), source tags (every entry traceable), human-in-the-loop (high-risk actions need terminal approval).
For the audience: "I can now talk to my AI Brain from my phone while driving Uber. It reads, writes, and runs code on my laptop at home. My M3 Mac is now a 24/7 AI office that I carry in my pocket through Telegram. And it cost me $0 extra."