@integrity-labs/agt-cli 0.19.19 → 0.19.21

package/mcp/slack-channel.js

@@ -14734,6 +14734,202 @@ function buildChannelInfoResult(args) {
   return { ok: true, channel, bot_user_handle: botUserHandle };
 }
 
+// src/slack-peer-classifier.ts
+var CODE_NAME_RE = /^[a-z0-9]+(-[a-z0-9]+)*$/;
+function classifyPeerMessage(msg, cfg, self) {
+  if (!msg.bot_id) return { kind: "human" };
+  if (self.bot_user_id !== null && msg.user === self.bot_user_id) {
+    return { kind: "self" };
+  }
+  if (cfg.peer_disabled_mode === "all") {
+    return { kind: "drop", reason: "peer_disabled_all" };
+  }
+  if (cfg.peer_agent_mode === "off") {
+    return { kind: "drop", reason: "mode_off" };
+  }
+  if (cfg.peer_group_ids.length === 0) {
+    if (msg.channel_type !== "im") {
+      return { kind: "drop", reason: "chat_not_allowed" };
+    }
+  } else if (!cfg.peer_group_ids.includes(msg.channel)) {
+    return { kind: "drop", reason: "chat_not_allowed" };
+  }
+  const peer = cfg.peers.find((p) => p.bot_user_id === msg.user);
+  if (!peer) {
+    return { kind: "drop", reason: "unknown_peer" };
+  }
+  if (peer.gate_path === null) {
+    return { kind: "drop", reason: "cross_team_grant_missing" };
+  }
+  if (cfg.peer_disabled_mode === "cross_team_only" && peer.gate_path !== void 0 && peer.gate_path !== "same_team") {
+    return { kind: "drop", reason: "peer_disabled_cross_team" };
+  }
+  if (self.bot_user_id === null) {
+    return { kind: "drop", reason: "self_resolution_pending" };
+  }
+  const addressing = classifyAddressing(msg, self.bot_user_id);
+  if (!addressing.addressed) {
+    return { kind: "drop", reason: "not_addressed" };
+  }
+  if (addressing.viaReplyOnly) {
+    const inAllowedGroup = cfg.peer_group_ids.length > 0 && cfg.peer_group_ids.includes(msg.channel);
+    const respondMode = cfg.peer_agent_mode === "respond";
+    if (!(inAllowedGroup && respondMode)) {
+      return { kind: "drop", reason: "not_addressed" };
+    }
+  }
+  return { kind: "peer-ingress", peer };
+}
+function classifyAddressing(msg, ourBotUserId) {
+  const text = msg.text ?? "";
+  const mentionToken = `<@${ourBotUserId}>`;
+  const viaMention = text.includes(mentionToken);
+  const viaReply = !!msg.thread_ts && msg.thread_ts !== void 0 && msg.parent_user_id === ourBotUserId;
+  if (viaMention) {
+    return { addressed: true, viaReplyOnly: false };
+  }
+  if (viaReply) {
+    return { addressed: true, viaReplyOnly: true };
+  }
+  return { addressed: false, viaReplyOnly: false };
+}
+function parsePeersEnv(raw, gateRaw) {
+  if (!raw || raw.trim().length === 0) return [];
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return [];
+  }
+  if (!Array.isArray(parsed)) return [];
+  const gateMap = /* @__PURE__ */ new Map();
+  let gateConfigInvalid = false;
+  if (gateRaw && gateRaw.trim().length > 0) {
+    try {
+      const gateParsed = JSON.parse(gateRaw);
+      if (!gateParsed || typeof gateParsed !== "object" || Array.isArray(gateParsed)) {
+        gateConfigInvalid = true;
+      } else {
+        for (const [k, v] of Object.entries(gateParsed)) {
+          if (v === null) {
+            gateMap.set(k, null);
+          } else if (typeof v === "string") {
+            const isGrantPath = v.startsWith("grant:") && v.slice("grant:".length).trim().length > 0;
+            if (v === "same_team" || v === "intra_org_unrestricted" || isGrantPath) {
+              gateMap.set(k, v);
+            } else {
+              gateConfigInvalid = true;
+              break;
+            }
+          } else {
+            gateConfigInvalid = true;
+            break;
+          }
+        }
+      }
+    } catch {
+      gateConfigInvalid = true;
+    }
+    if (gateConfigInvalid) {
+      console.error(
+        "[slack-peer-classifier] SLACK_PEERS_GATE is present but malformed; failing closed (every peer drops as cross_team_grant_missing)"
+      );
+    }
+  }
+  const out = [];
+  for (const entry of parsed) {
+    if (entry && typeof entry === "object" && typeof entry.code_name === "string" && CODE_NAME_RE.test(entry.code_name) && typeof entry.agent_id === "string" && typeof entry.bot_user_id === "string" && entry.bot_user_id.length > 0) {
+      const e = entry;
+      const peer = {
+        code_name: e.code_name,
+        bot_user_id: e.bot_user_id,
+        agent_id: e.agent_id
+      };
+      if (gateConfigInvalid) {
+        peer.gate_path = null;
+      } else if (gateMap.has(e.bot_user_id)) {
+        peer.gate_path = gateMap.get(e.bot_user_id) ?? null;
+      }
+      out.push(peer);
+    }
+  }
+  return out;
+}
+function parsePeerGroupIdsEnv(raw) {
+  if (!raw) return [];
+  return raw.split(",").map((s) => s.trim()).filter(Boolean);
+}
+function parsePeerAgentModeEnv(raw) {
+  if (raw === "listen" || raw === "respond") return raw;
+  return "off";
+}
+
+// src/cross-team-peer-audit-client.ts
+var REQUEST_TIMEOUT_MS = 1e4;
+function createCrossTeamPeerAuditClient(args) {
+  if (!args.agtHost || !args.agtApiKey || !args.agentId) return null;
+  const fetchImpl = args.fetchImpl ?? fetch;
+  const log = args.log ?? (() => {
+  });
+  const base = args.agtHost.replace(/\/+$/, "");
+  const agentId = args.agentId;
+  const apiKey = args.agtApiKey;
+  let cachedToken = null;
+  let cachedTokenExpiresAt = 0;
+  async function getToken() {
+    if (cachedToken && Date.now() < cachedTokenExpiresAt) return cachedToken;
+    const resp = await fetchImpl(`${base}/host/exchange`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ host_key: apiKey }),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+    if (!resp.ok) {
+      const body = await resp.text().catch(() => "");
+      throw new Error(`/host/exchange failed (${resp.status}): ${body.slice(0, 200)}`);
+    }
+    const data = await resp.json();
+    cachedToken = data.token;
+    cachedTokenExpiresAt = data.expires_at ? new Date(data.expires_at).getTime() - 12e4 : Date.now() + 55 * 6e4;
+    return cachedToken;
+  }
+  async function postOnce(event) {
+    const token = await getToken();
+    return fetchImpl(`${base}/host/cross-team-peer-event`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ agent_id: agentId, ...event }),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+  }
+  async function emitAsync(event) {
+    try {
+      let resp = await postOnce(event);
+      if (resp.status === 401) {
+        cachedToken = null;
+        cachedTokenExpiresAt = 0;
+        resp = await postOnce(event);
+      }
+      if (!resp.ok) {
+        const body = await resp.text().catch(() => "");
+        log(
+          `cross-team-peer-audit: POST failed (${resp.status}) event=${event.event_type}: ${body.slice(0, 200)}`
+        );
+      }
+    } catch (err) {
+      log(`cross-team-peer-audit: emit threw event=${event.event_type}: ${err.message}`);
+    }
+  }
+  return {
+    emit(event) {
+      void emitAsync(event);
+    }
+  };
+}
+
 // src/slack-channel.ts
 var BOT_TOKEN = process.env.SLACK_BOT_TOKEN;
 var APP_TOKEN = process.env.SLACK_APP_TOKEN;
@@ -14749,6 +14945,35 @@ var ALLOWED_USERS = new Set(
 );
 var THREAD_AUTO_FOLLOW = process.env.SLACK_THREAD_AUTO_FOLLOW ?? "off";
 var CHANNEL_RESPONSE_MODE = parseResponseMode(process.env.SLACK_CHANNEL_RESPONSE_MODE);
+var SLACK_PEER_DISABLED_MODE = (() => {
+  const raw = (process.env.PEER_DISABLED ?? "").trim().toLowerCase();
+  if (raw === "" || raw === "off") return "off";
+  if (raw === "cross_team_only" || raw === "all") return raw;
+  process.stderr.write(
+    `slack-channel: invalid PEER_DISABLED=${JSON.stringify(process.env.PEER_DISABLED)} \u2014 defaulting to 'all' (fail-closed)
+`
+  );
+  return "all";
+})();
+if (SLACK_PEER_DISABLED_MODE !== "off") {
+  process.stderr.write(
+    `slack-channel: PEER_DISABLED=${SLACK_PEER_DISABLED_MODE} \u2014 ${SLACK_PEER_DISABLED_MODE === "all" ? "every peer surface short-circuited" : "cross-team peers dropped, same-team peers admitted"}
+`
+  );
+}
+var crossTeamPeerAuditClient = createCrossTeamPeerAuditClient({
+  agtHost: AGT_HOST,
+  agtApiKey: AGT_API_KEY,
+  agentId: AGT_AGENT_ID,
+  log: (line) => process.stderr.write(`slack-channel: ${line}
+`)
+});
+var SLACK_PEER_CLASSIFIER_CONFIG = {
+  peer_agent_mode: parsePeerAgentModeEnv(process.env.SLACK_PEER_AGENT_MODE),
+  peer_group_ids: parsePeerGroupIdsEnv(process.env.SLACK_PEER_GROUP_IDS),
+  peers: parsePeersEnv(process.env.SLACK_PEERS, process.env.SLACK_PEERS_GATE),
+  peer_disabled_mode: SLACK_PEER_DISABLED_MODE
+};
 var RESPONSE_TIMEOUT_MS = 3e5;
 var pendingMessages = /* @__PURE__ */ new Map();
 var SLACK_AGENT_DIR = AGENT_CODE_NAME ? join2(homedir2(), ".augmented", AGENT_CODE_NAME) : null;
@@ -16715,6 +16940,63 @@ async function connectSocketMode() {
         return;
       }
       if (ALLOWED_USERS.size > 0 && evt.user && !ALLOWED_USERS.has(evt.user)) return;
+      if (evt.bot_id) {
+        const peerMsg = {
+          text: evt.text,
+          channel: evt.channel ?? "",
+          channel_type: evt.channel_type,
+          user: evt.user,
+          bot_id: evt.bot_id,
+          thread_ts: evt.thread_ts,
+          parent_user_id: evt.parent_user_id
+        };
+        const decision = classifyPeerMessage(
+          peerMsg,
+          SLACK_PEER_CLASSIFIER_CONFIG,
+          { bot_user_id: botUserId }
+        );
+        if (decision.kind === "self") return;
+        if (decision.kind === "drop") {
+          const channelHash = createHash("sha256").update(evt.channel ?? "").digest("hex").slice(0, 8);
+          process.stderr.write(
+            `slack-channel: peer drop reason=${decision.reason} channel=${channelHash}
+`
+          );
+          if (decision.reason === "cross_team_grant_missing") {
+            crossTeamPeerAuditClient?.emit({
+              event_type: "slack.peer.drop.cross_team_grant_missing",
+              peer_agent_id: null,
+              gate_path: null,
+              grant_id: null,
+              chat_id: evt.channel ?? null,
+              message_id: evt.ts ?? null
+            });
+          }
+          return;
+        }
+        if (decision.kind === "peer-ingress") {
+          const peerGate = decision.peer.gate_path;
+          if (peerGate === "intra_org_unrestricted") {
+            crossTeamPeerAuditClient?.emit({
+              event_type: "slack.peer.ingress.cross_team",
+              peer_agent_id: decision.peer.agent_id || null,
+              gate_path: peerGate,
+              grant_id: null,
+              chat_id: evt.channel ?? null,
+              message_id: evt.ts ?? null
+            });
+          } else if (typeof peerGate === "string" && peerGate.startsWith("grant:")) {
+            crossTeamPeerAuditClient?.emit({
+              event_type: "slack.peer.ingress.cross_team",
+              peer_agent_id: decision.peer.agent_id || null,
+              gate_path: peerGate,
+              grant_id: peerGate.slice("grant:".length),
+              chat_id: evt.channel ?? null,
+              message_id: evt.ts ?? null
+            });
+          }
+        }
+      }
       if (evt.type === "app_mention") {
         rememberThread(evt.channel, trackTs, "mentioned");
       }

package/mcp/telegram-channel.js

@@ -14217,6 +14217,9 @@ function classifyPeerMessage(msg, cfg, self) {
   if (self.bot_id !== null && msg.from.id === self.bot_id) {
     return { kind: "self" };
   }
+  if (cfg.peer_disabled_mode === "all") {
+    return { kind: "drop", reason: "peer_disabled_all" };
+  }
   if (cfg.peer_agent_mode === "off") {
     return { kind: "drop", reason: "mode_off" };
   }
@@ -14232,6 +14235,12 @@ function classifyPeerMessage(msg, cfg, self) {
   if (!peer) {
     return { kind: "drop", reason: "unknown_peer" };
   }
+  if (peer.gate_path === null) {
+    return { kind: "drop", reason: "cross_team_grant_missing" };
+  }
+  if (cfg.peer_disabled_mode === "cross_team_only" && peer.gate_path !== void 0 && peer.gate_path !== "same_team") {
+    return { kind: "drop", reason: "peer_disabled_cross_team" };
+  }
   if (self.bot_id === null || self.bot_username === null) {
     return { kind: "drop", reason: "self_resolution_pending" };
   }
@@ -14272,7 +14281,7 @@ function classifyAddressing(msg, ourBotId, ourBotUsername) {
   return { addressed: false, viaReplyOnly: false };
 }
 var CODE_NAME_RE = /^[a-z0-9]+(?:-[a-z0-9]+)*$/;
-function parsePeersEnv(raw) {
+function parsePeersEnv(raw, gateRaw) {
   if (!raw || raw.trim().length === 0) return [];
   let parsed;
   try {
@@ -14281,11 +14290,54 @@ function parsePeersEnv(raw) {
     return [];
   }
   if (!Array.isArray(parsed)) return [];
+  const gateMap = /* @__PURE__ */ new Map();
+  let gateConfigInvalid = false;
+  if (gateRaw && gateRaw.trim().length > 0) {
+    try {
+      const gateParsed = JSON.parse(gateRaw);
+      if (!gateParsed || typeof gateParsed !== "object" || Array.isArray(gateParsed)) {
+        gateConfigInvalid = true;
+      } else {
+        for (const [k, v] of Object.entries(gateParsed)) {
+          if (v === null) {
+            gateMap.set(k, null);
+          } else if (typeof v === "string") {
+            const isGrantPath = v.startsWith("grant:") && v.slice("grant:".length).trim().length > 0;
+            if (v === "same_team" || v === "intra_org_unrestricted" || isGrantPath) {
+              gateMap.set(k, v);
+            } else {
+              gateConfigInvalid = true;
+              break;
+            }
+          } else {
+            gateConfigInvalid = true;
+            break;
+          }
+        }
+      }
+    } catch {
+      gateConfigInvalid = true;
+    }
+    if (gateConfigInvalid) {
+      console.error(
+        "[telegram-peer-classifier] TELEGRAM_PEERS_GATE is present but malformed; failing closed (every peer drops as cross_team_grant_missing)"
+      );
+    }
+  }
   const out = [];
   for (const entry of parsed) {
     if (entry && typeof entry === "object" && typeof entry.code_name === "string" && CODE_NAME_RE.test(entry.code_name) && typeof entry.agent_id === "string" && typeof entry.bot_id === "number" && Number.isInteger(entry.bot_id) && entry.bot_id > 0) {
       const e = entry;
-      out.push({ code_name: e.code_name, bot_id: e.bot_id, agent_id: e.agent_id });
+      const peer = { code_name: e.code_name, bot_id: e.bot_id, agent_id: e.agent_id };
+      if (gateConfigInvalid) {
+        peer.gate_path = null;
+      } else {
+        const key2 = String(e.bot_id);
+        if (gateMap.has(key2)) {
+          peer.gate_path = gateMap.get(key2) ?? null;
+        }
+      }
+      out.push(peer);
     }
   }
   return out;
@@ -14615,6 +14667,154 @@ function createDefaultPeerRateApiClient(args) {
   };
 }
 
+// src/cross-team-peer-audit-client.ts
+var REQUEST_TIMEOUT_MS = 1e4;
+function createCrossTeamPeerAuditClient(args) {
+  if (!args.agtHost || !args.agtApiKey || !args.agentId) return null;
+  const fetchImpl = args.fetchImpl ?? fetch;
+  const log = args.log ?? (() => {
+  });
+  const base = args.agtHost.replace(/\/+$/, "");
+  const agentId = args.agentId;
+  const apiKey = args.agtApiKey;
+  let cachedToken = null;
+  let cachedTokenExpiresAt = 0;
+  async function getToken() {
+    if (cachedToken && Date.now() < cachedTokenExpiresAt) return cachedToken;
+    const resp = await fetchImpl(`${base}/host/exchange`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ host_key: apiKey }),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+    if (!resp.ok) {
+      const body = await resp.text().catch(() => "");
+      throw new Error(`/host/exchange failed (${resp.status}): ${body.slice(0, 200)}`);
+    }
+    const data = await resp.json();
+    cachedToken = data.token;
+    cachedTokenExpiresAt = data.expires_at ? new Date(data.expires_at).getTime() - 12e4 : Date.now() + 55 * 6e4;
+    return cachedToken;
+  }
+  async function postOnce(event) {
+    const token = await getToken();
+    return fetchImpl(`${base}/host/cross-team-peer-event`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ agent_id: agentId, ...event }),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+  }
+  async function emitAsync(event) {
+    try {
+      let resp = await postOnce(event);
+      if (resp.status === 401) {
+        cachedToken = null;
+        cachedTokenExpiresAt = 0;
+        resp = await postOnce(event);
+      }
+      if (!resp.ok) {
+        const body = await resp.text().catch(() => "");
+        log(
+          `cross-team-peer-audit: POST failed (${resp.status}) event=${event.event_type}: ${body.slice(0, 200)}`
+        );
+      }
+    } catch (err) {
+      log(`cross-team-peer-audit: emit threw event=${event.event_type}: ${err.message}`);
+    }
+  }
+  return {
+    emit(event) {
+      void emitAsync(event);
+    }
+  };
+}
+
+// src/observed-chat-client.ts
+var REQUEST_TIMEOUT_MS2 = 1e4;
+function createObservedChatClient(args) {
+  if (!args.agtHost || !args.agtApiKey || !args.agentId) return null;
+  const fetchImpl = args.fetchImpl ?? fetch;
+  const log = args.log ?? (() => {
+  });
+  const base = args.agtHost.replace(/\/+$/, "");
+  const agentId = args.agentId;
+  const apiKey = args.agtApiKey;
+  const reported = /* @__PURE__ */ new Map();
+  let cachedToken = null;
+  let cachedTokenExpiresAt = 0;
+  async function getToken() {
+    if (cachedToken && Date.now() < cachedTokenExpiresAt) return cachedToken;
+    const resp = await fetchImpl(`${base}/host/exchange`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ host_key: apiKey }),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS2)
+    });
+    if (!resp.ok) {
+      const body = await resp.text().catch(() => "");
+      throw new Error(`/host/exchange failed (${resp.status}): ${body.slice(0, 200)}`);
+    }
+    const data = await resp.json();
+    cachedToken = data.token;
+    cachedTokenExpiresAt = data.expires_at ? new Date(data.expires_at).getTime() - 12e4 : Date.now() + 55 * 6e4;
+    return cachedToken;
+  }
+  async function postOnce(chat) {
+    const token = await getToken();
+    return fetchImpl(`${base}/host/observed-chat`, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
+      body: JSON.stringify({ agent_id: agentId, ...chat }),
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS2)
+    });
+  }
+  async function emitAsync(chat) {
+    try {
+      let resp = await postOnce(chat);
+      if (resp.status === 401) {
+        cachedToken = null;
+        cachedTokenExpiresAt = 0;
+        resp = await postOnce(chat);
+      }
+      if (!resp.ok) {
+        const body = await resp.text().catch(() => "");
+        log(
+          `observed-chat: POST failed (${resp.status}) chat=${chat.chat_id}: ${body.slice(0, 200)}`
+        );
+        return false;
+      }
+      return true;
+    } catch (err) {
+      log(`observed-chat: emit threw chat=${chat.chat_id}: ${err.message}`);
+      return false;
+    }
+  }
+  return {
+    observe(chat) {
+      const prev = reported.get(chat.chat_id);
+      if (prev && prev.title === (chat.chat_title ?? void 0) && prev.type === (chat.chat_type ?? void 0)) {
+        return;
+      }
+      const snapshot = {
+        title: chat.chat_title ?? void 0,
+        type: chat.chat_type ?? void 0
+      };
+      reported.set(chat.chat_id, snapshot);
+      void emitAsync(chat).then((ok) => {
+        if (ok) return;
+        const current = reported.get(chat.chat_id);
+        if (current?.title === snapshot.title && current?.type === snapshot.type) {
+          reported.delete(chat.chat_id);
+        }
+      });
+    }
+  };
+}
+
 // src/telegram-channel.ts
 function redactId(id) {
   return createHash("sha256").update(String(id)).digest("hex").slice(0, 8);
@@ -14629,18 +14829,45 @@ var ALLOWED_CHATS = new Set(
 var PEER_CLASSIFIER_CONFIG = {
   peer_agent_mode: parsePeerAgentModeEnv(process.env.TELEGRAM_PEER_AGENT_MODE),
   peer_group_ids: parsePeerGroupIdsEnv(process.env.TELEGRAM_PEER_GROUP_IDS),
-  peers: parsePeersEnv(process.env.TELEGRAM_PEERS)
+  peers: parsePeersEnv(process.env.TELEGRAM_PEERS, process.env.TELEGRAM_PEERS_GATE),
+  peer_disabled_mode: "off"
+  // populated below from PEER_DISABLED_MODE
 };
-var PEER_DISABLED_GLOBAL = (() => {
-  const v = (process.env.TELEGRAM_PEER_DISABLED ?? "").toLowerCase();
-  return v === "1" || v === "true" || v === "yes";
+var PEER_DISABLED_MODE = (() => {
+  const next = (process.env.PEER_DISABLED ?? "").trim().toLowerCase();
+  if (next === "off" || next === "cross_team_only" || next === "all") return next;
+  if (next.length > 0) {
+    process.stderr.write(
+      `telegram-channel(${AGENT_CODE_NAME}): invalid PEER_DISABLED=${JSON.stringify(process.env.PEER_DISABLED)} \u2014 defaulting to 'all' (fail-closed)
+`
+    );
+    return "all";
+  }
+  const legacy = (process.env.TELEGRAM_PEER_DISABLED ?? "").trim().toLowerCase();
+  return legacy === "1" || legacy === "true" || legacy === "yes" ? "all" : "off";
 })();
-if (PEER_DISABLED_GLOBAL) {
+var PEER_DISABLED_GLOBAL = PEER_DISABLED_MODE === "all";
+if (PEER_DISABLED_MODE !== "off") {
   process.stderr.write(
-    `telegram-channel(${AGENT_CODE_NAME}): TELEGRAM_PEER_DISABLED=true \u2014 peer ingress + outgress short-circuited
+    `telegram-channel(${AGENT_CODE_NAME}): PEER_DISABLED=${PEER_DISABLED_MODE} \u2014 ${PEER_DISABLED_MODE === "all" ? "every peer surface short-circuited" : "cross-team peers dropped, same-team peers admitted"}
 `
   );
 }
+PEER_CLASSIFIER_CONFIG.peer_disabled_mode = PEER_DISABLED_MODE;
+var crossTeamPeerAuditClient = createCrossTeamPeerAuditClient({
+  agtHost: AGT_HOST,
+  agtApiKey: AGT_API_KEY,
+  agentId: process.env.AGT_AGENT_ID ?? null,
+  log: (line) => process.stderr.write(`telegram-channel(${AGENT_CODE_NAME}): ${line}
+`)
+});
+var observedChatClient = createObservedChatClient({
+  agtHost: AGT_HOST,
+  agtApiKey: AGT_API_KEY,
+  agentId: process.env.AGT_AGENT_ID ?? null,
+  log: (line) => process.stderr.write(`telegram-channel(${AGENT_CODE_NAME}): ${line}
+`)
+});
 var peerRateApiClient = createDefaultPeerRateApiClient({
   agtHost: AGT_HOST,
   agtApiKey: AGT_API_KEY,
@@ -15588,6 +15815,11 @@ async function pollLoop() {
         if (content.length === 0 && classifiedAttachments.length === 0) continue;
         const chatId = String(msg.chat.id);
         if (ALLOWED_CHATS.size > 0 && !ALLOWED_CHATS.has(chatId)) continue;
+        observedChatClient?.observe({
+          chat_id: chatId,
+          chat_title: msg.chat.title ?? msg.chat.username ?? msg.chat.first_name ?? null,
+          chat_type: msg.chat.type ?? null
+        });
         const trimmedContent = content.trim();
         if (isHelpSyntax(trimmedContent)) {
           const disposition = await classifyRestartCommand(trimmedContent.replace(/^\/help/, "/restart"));
@@ -15669,6 +15901,16 @@ async function pollLoop() {
               `telegram-channel(${AGENT_CODE_NAME}): peer_drop reason=${classification.reason} chat=${redactId(chatId)} from=${redactId(String(msg.from?.id ?? "unknown"))}
 `
             );
+            if (classification.reason === "cross_team_grant_missing") {
+              crossTeamPeerAuditClient?.emit({
+                event_type: "telegram.peer.drop.cross_team_grant_missing",
+                peer_agent_id: null,
+                gate_path: null,
+                grant_id: null,
+                chat_id: String(chatId),
+                message_id: String(msg.message_id)
+              });
+            }
             continue;
           }
           if (classification.kind === "peer-ingress") {
@@ -15695,6 +15937,26 @@ async function pollLoop() {
               code_name: classification.peer.code_name,
               agent_id: classification.peer.agent_id
             };
+            const gate = classification.peer.gate_path;
+            if (gate && gate !== "same_team" && gate !== "intra_org_unrestricted" && gate.startsWith("grant:")) {
+              crossTeamPeerAuditClient?.emit({
+                event_type: "telegram.peer.ingress.cross_team",
+                peer_agent_id: classification.peer.agent_id || null,
+                gate_path: gate,
+                grant_id: gate.slice("grant:".length),
+                chat_id: String(chatId),
+                message_id: String(msg.message_id)
+              });
+            } else if (gate === "intra_org_unrestricted") {
+              crossTeamPeerAuditClient?.emit({
+                event_type: "telegram.peer.ingress.cross_team",
+                peer_agent_id: classification.peer.agent_id || null,
+                gate_path: gate,
+                grant_id: null,
+                chat_id: String(chatId),
+                message_id: String(msg.message_id)
+              });
+            }
           }
         }
         const messageId = String(msg.message_id);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@integrity-labs/agt-cli",
-  "version": "0.19.19",
+  "version": "0.19.21",
   "description": "Augmented Team CLI — agent provisioning and management",
   "type": "module",
   "engines": {