switchroom 0.11.0 → 0.12.0

package/telegram-plugin/format.ts

@@ -380,6 +380,77 @@ export function escapeHtml(text: string): string {
     .replace(/"/g, '"')
 }
 
+/**
+ * Last-resort renderer: turn (possibly malformed) Telegram HTML into
+ * readable plain text. Used by the gateway's send/edit path when
+ * Telegram rejects a chunk with a 400 "can't parse entities" /
+ * "unsupported start tag" — i.e. our HTML prevention (markdownToHtml +
+ * sanitizeForTelegram + splitHtmlChunks) let something through anyway.
+ *
+ * The caller resends the result with `parse_mode` UNSET, so the output
+ * is literal text — we intentionally do NOT re-escape `< > &`. The goal
+ * is "the agent's answer lands unformatted" instead of "the answer
+ * silently vanishes" (visibility + always-on).
+ *
+ * Transforms, in order:
+ *  1. `<a href="u">label</a>` → `label (u)` (or just `u` when label is
+ *     empty or equals the href). href/label are themselves stripped +
+ *     entity-decoded so we never emit nested markup.
+ *  2. Block / break boundaries → newline: `<br>`, `</p>`, `</div>`,
+ *     `</li>`, `</blockquote>`, `</pre>`. (These aren't Telegram-
+ *     supported tags, but a markdown→HTML slip that emits one is a
+ *     prime cause of the parse reject we're recovering from.)
+ *  3. Strip every remaining tag.
+ *  4. Decode the standard HTML entities Telegram uses.
+ *  5. Collapse 3+ blank lines to 2; trim trailing per-line whitespace.
+ */
+export function telegramHtmlToPlainText(html: string): string {
+  const decodeEntities = (s: string): string =>
+    s
+      .replace(/&amp;/g, '&')
+      .replace(/&lt;/g, '<')
+      .replace(/&gt;/g, '>')
+      .replace(/&quot;/g, '"')
+      .replace(/&#0*39;|&#x0*27;|&apos;/gi, "'")
+      .replace(/&nbsp;/g, ' ')
+      .replace(/&#(\d+);/g, (_m, d: string) => {
+        const cp = Number(d)
+        return Number.isFinite(cp) && cp > 0 && cp <= 0x10ffff
+          ? String.fromCodePoint(cp)
+          : _m
+      })
+      .replace(/&#x([0-9a-fA-F]+);/g, (_m, h: string) => {
+        const cp = parseInt(h, 16)
+        return Number.isFinite(cp) && cp > 0 && cp <= 0x10ffff
+          ? String.fromCodePoint(cp)
+          : _m
+      })
+
+  const stripTags = (s: string): string =>
+    decodeEntities(
+      s
+        .replace(/<\s*br\s*\/?\s*>/gi, '\n')
+        .replace(/<\/\s*(?:p|div|li|blockquote|pre|h[1-6])\s*>/gi, '\n')
+        .replace(/<[^>]*>/g, ''),
+    )
+
+  // 1. Anchors → "label (href)". Handle double/single/unquoted href.
+  const withPlainLinks = html.replace(
+    /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi,
+    (_m, dq: string | undefined, sq: string | undefined, uq: string | undefined, label: string) => {
+      const href = decodeEntities((dq ?? sq ?? uq ?? '').trim())
+      const text = stripTags(label).trim()
+      if (!href) return text
+      return !text || text === href ? href : `${text} (${href})`
+    },
+  )
+
+  return stripTags(withPlainLinks)
+    .replace(/[ \t]+$/gm, '')
+    .replace(/\n{3,}/g, '\n\n')
+    .trim()
+}
+
 // ---------------------------------------------------------------------------
 // Output sanitizer — enforces fleet-wide Telegram formatting invariants
 // ---------------------------------------------------------------------------

package/telegram-plugin/gateway/approval-card.test.ts

@@ -12,7 +12,7 @@ import {
 describe("approval card", () => {
   it("renders the pristine card with default buttons", () => {
     const card = buildApprovalCard({
-      request_id: "a3f1b9c2",
+      request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2",
       agent: "klanker",
       scope_humanized: "secret:OPENAI_API_KEY",
       why: "needs to call OpenAI",
@@ -24,14 +24,14 @@ describe("approval card", () => {
     // Validate the inline_keyboard structure carries our four callback shapes
     const flat = card.reply_markup.inline_keyboard.flat();
     const datas = flat.map((b) => ("callback_data" in b ? b.callback_data : ""));
-    expect(datas).toContain("apv:a3f1b9c2:once");
-    expect(datas).toContain("apv:a3f1b9c2:deny");
-    expect(datas).toContain("apv:a3f1b9c2:always");
+    expect(datas).toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:once");
+    expect(datas).toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:deny");
+    expect(datas).toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:always");
   });
 
   it("respects offer_always=false and offer_ttl=true", () => {
     const card = buildApprovalCard({
-      request_id: "a3f1b9c2",
+      request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2",
       agent: "k",
       scope_humanized: "x",
       offer_always: false,
@@ -40,13 +40,13 @@ describe("approval card", () => {
     const datas = card.reply_markup.inline_keyboard
       .flat()
       .map((b) => ("callback_data" in b ? b.callback_data : ""));
-    expect(datas).not.toContain("apv:a3f1b9c2:always");
-    expect(datas).toContain("apv:a3f1b9c2:ttl:1h");
+    expect(datas).not.toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:always");
+    expect(datas).toContain("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:ttl:1h");
   });
 
   it("escapes HTML metacharacters in agent and scope", () => {
     const card = buildApprovalCard({
-      request_id: "deadbeef",
+      request_id: "deadbeefdeadbeefdeadbeefdeadbeef",
       agent: "<script>",
       scope_humanized: "a&b",
     });
@@ -58,21 +58,21 @@ describe("approval card", () => {
 
 describe("parseApprovalCallback", () => {
   it("parses every choice variant", () => {
-    expect(parseApprovalCallback("apv:a3f1b9c2:once"))
-      .toEqual({ request_id: "a3f1b9c2", choice: { kind: "once" } });
-    expect(parseApprovalCallback("apv:a3f1b9c2:always"))
-      .toEqual({ request_id: "a3f1b9c2", choice: { kind: "always" } });
-    expect(parseApprovalCallback("apv:a3f1b9c2:deny"))
-      .toEqual({ request_id: "a3f1b9c2", choice: { kind: "deny" } });
-    expect(parseApprovalCallback("apv:a3f1b9c2:ttl:1h"))
-      .toEqual({ request_id: "a3f1b9c2", choice: { kind: "ttl", param: "1h" } });
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:once"))
+      .toEqual({ request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2", choice: { kind: "once" } });
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:always"))
+      .toEqual({ request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2", choice: { kind: "always" } });
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:deny"))
+      .toEqual({ request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2", choice: { kind: "deny" } });
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:ttl:1h"))
+      .toEqual({ request_id: "a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2", choice: { kind: "ttl", param: "1h" } });
   });
 
   it("rejects malformed prefixes and bad ids", () => {
     expect(parseApprovalCallback("perm:more:abc")).toBeNull();
     expect(parseApprovalCallback("apv:NOTHEX12:once")).toBeNull();
-    expect(parseApprovalCallback("apv:a3f1b9c2:bogus")).toBeNull();
-    expect(parseApprovalCallback("apv:a3f1b9c2:ttl")).toBeNull();
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:bogus")).toBeNull();
+    expect(parseApprovalCallback("apv:a3f1b9c2a3f1b9c2a3f1b9c2a3f1b9c2:ttl")).toBeNull();
   });
 });
 

package/telegram-plugin/gateway/approval-card.ts

@@ -89,7 +89,7 @@ export function parseApprovalCallback(data: string): ParsedApprovalCallback | nu
   if (parts.length < 3) return null;
   const request_id = parts[1];
   const choiceStr = parts[2];
-  if (!/^[0-9a-f]{8}$/.test(request_id ?? "")) return null;
+  if (!/^[0-9a-f]{32}$/.test(request_id ?? "")) return null;
   switch (choiceStr) {
     case "once":
       return { request_id: request_id as string, choice: { kind: "once" } };

package/telegram-plugin/gateway/auth-broker-client.ts

@@ -30,6 +30,8 @@ export function createAuthBrokerClient(): {
     refreshAccount: (label: string) => broker.refreshAccount(label),
     setOverride: (agent: string, account: string | null) =>
       broker.setOverride(agent, account),
+    probeQuota: (accounts: readonly string[], timeoutMs?: number) =>
+      broker.probeQuota(accounts, timeoutMs),
   }
   return { client, close: () => broker.close() }
 }

package/telegram-plugin/gateway/auth-command.ts

@@ -220,6 +220,16 @@ export interface AuthBrokerClient {
     agent: string,
     account: string | null,
   ): Promise<{ agent: string; account: string | null }>
+  /**
+   * Live Anthropic quota probe via the broker (#1336). The broker
+   * uses its stored accessTokens to hit `/v1/messages` server-side
+   * and returns parsed rate-limit headers. Tokens never reach the
+   * caller. Per-label results are returned in input order.
+   */
+  probeQuota(
+    accounts: readonly string[],
+    timeoutMs?: number,
+  ): Promise<{ results: Array<{ label: string; result: import('../quota-check.js').QuotaResult }> }>
 }
 
 export interface AuthCommandContext {
@@ -250,8 +260,8 @@ export interface AuthCommandContext {
    * working without spinning up the Anthropic API path.
    *
    * Returns a parallel array (same length, same order as
-   * `state.accounts`) of QuotaResult — the gateway passes
-   * `accounts.map(a => fetchAccountQuota(a.label, {force: true}))`.
+   * `state.accounts`) of QuotaResult — sourced from the broker
+   * `probe-quota` op (#1336).
    */
   liveQuotas?: (
     accounts: AccountState[],

package/telegram-plugin/gateway/boot-card.ts

@@ -33,6 +33,7 @@
  */
 
 import type { ProbeResult, GatewayRuntimeInfo } from './boot-probes.js'
+import type { QuotaResult } from '../quota-check.js'
 import type { ListStateData } from './auth-line.js'
 import { renderAuthLine } from './auth-line.js'
 import {
@@ -291,6 +292,12 @@ export interface RenderBootCardOpts {
   snoozeRows?: ReadonlyArray<ProbeKey>
   /** Clock injection point for tests; defaults to `new Date()`. */
   now?: Date
+  /** PR C update-flow: outcome line for the most recent terminal
+   *  update_apply audit row (rendered by `update-announce.ts`). When
+   *  present, appended as a stand-alone section below the probe rows so
+   *  the operator sees what happened with the update that triggered
+   *  this boot without trawling the audit log. */
+  updateOutcomeLine?: string
 }
 
 /**
@@ -348,8 +355,13 @@ export function renderBootCard(opts: RenderBootCardOpts): string {
       : ''
     degradedRows.push(`⚠️ <b>Restart</b>  ${escapeHtml(REASON_LABEL.crash)}${ageStr}`)
     // Principle 1: every failure carries its next step. The crash row
-    // tells the user how to inspect why.
-    degradedRows.push(`    ↳ Tail logs: <code>journalctl --user -u switchroom-${escapeHtml(agentSlug)} -n 100</code>`)
+    // tells the user how to inspect why. Runtime-aware: v0.7+ agents run
+    // in Docker (no systemd/journalctl in-container) — the canonical
+    // detection is SWITCHROOM_RUNTIME (see doctor-docker.ts).
+    const tailCmd = process.env.SWITCHROOM_RUNTIME === 'docker'
+      ? `docker logs --tail 100 switchroom-${escapeHtml(agentSlug)}`
+      : `journalctl --user -u switchroom-${escapeHtml(agentSlug)} -n 100`
+    degradedRows.push(`    ↳ Tail logs: <code>${tailCmd}</code>`)
   }
 
   // Probe rows — only those that surfaced as degraded/fail. Healthy
@@ -394,6 +406,12 @@ export function renderBootCard(opts: RenderBootCardOpts): string {
   const sections: string[] = [ack]
   if (degradedRows.length > 0) sections.push('', ...degradedRows)
   if (accountRows.length > 0) sections.push('', ...accountRows)
+  if (opts.updateOutcomeLine) {
+    // PR C: each line of the update-outcome blob is its own row in the
+    // sections array so the join('\n') below renders the multi-line
+    // failure-with-recovery hint cleanly.
+    sections.push('', ...opts.updateOutcomeLine.split('\n'))
+  }
   if (sections.length === 1) return ack
   return sections.join('\n')
 }
@@ -469,6 +487,15 @@ export interface RunProbesOpts {
     | ListStateData
     | null
     | Promise<ListStateData | null>
+  /**
+   * Canonical quota source (#1336): probes this agent's effective
+   * account via the broker (server-side /v1/messages). Returns null
+   * when the broker is unreachable / no active account → `probeQuota`
+   * falls back to a direct probe. Wired from gateway.ts
+   * (`probeQuotaForBootCard`); omitted in non-docker / unit tests where
+   * the direct fallback preserves prior behaviour.
+   */
+  probeQuotaViaBroker?: (timeoutMs?: number) => Promise<QuotaResult | null>
   /** When true, resolve the agent PID via cgroup walk instead of MainPID
    *  (which is the tmux server pid under tmux supervisor). */
   tmuxSupervisor?: boolean
@@ -486,6 +513,13 @@ export interface RunProbesOpts {
    *  and externally-managed surface text instead of execing systemctl
    *  (which doesn't exist in the agent image). See `runtime-mode.ts`. */
   dockerMode?: boolean
+  /** PR C: pass-through to the renderer. When the gateway boot path
+   *  detects a recent terminal `update_apply` audit row, it computes the
+   *  outcome line via `update-announce.ts` and passes it here so the
+   *  card surfaces "✅ update completed (channel:dev, sha:…)" or the
+   *  failure body with a recovery hint. Append-only — never replaces
+   *  the existing ack/probe sections. */
+  updateOutcomeLine?: string
 }
 
 /** Run all six probes concurrently with their own per-probe timeouts.
@@ -502,7 +536,7 @@ export async function runAllProbes(opts: RunProbesOpts): Promise<ProbeMap> {
     probeAccount(opts.agentDir).then(r => { probes.account = r }),
     probeAgentProcess(slug, { execFileImpl: opts.probeExecFileImpl, tmuxSupervisor: opts.tmuxSupervisor, dockerMode: opts.dockerMode }).then(r => { probes.agent = r }),
     probeGateway(opts.gatewayInfo).then(r => { probes.gateway = r }),
-    probeQuota(claudeDir, opts.agentDir, opts.fetchImpl).then(r => { probes.quota = r }),
+    probeQuota(claudeDir, opts.agentDir, opts.fetchImpl, { brokerProbe: opts.probeQuotaViaBroker }).then(r => { probes.quota = r }),
     probeHindsight(opts.bankName, opts.fetchImpl).then(r => { probes.hindsight = r }),
     probeScheduler(slug, { dockerMode: opts.dockerMode }).then(r => { probes.scheduler = r }),
     probeBroker(undefined, { dockerMode: opts.dockerMode }).then(r => { probes.broker = r }),
@@ -540,6 +574,7 @@ export async function startBootCard(
     version: opts.version,
     restartReason: opts.restartReason,
     restartAgeMs: opts.restartAgeMs,
+    ...(opts.updateOutcomeLine ? { updateOutcomeLine: opts.updateOutcomeLine } : {}),
   })
 
   // Silence the notification for operator-initiated redeploys. A
@@ -646,6 +681,7 @@ export async function startBootCard(
           ...(accountRows ? { accounts: accountRows } : {}),
           ...(resolvedRows.length > 0 ? { resolvedRows } : {}),
           ...(snoozeRows.length > 0 ? { snoozeRows } : {}),
+          ...(opts.updateOutcomeLine ? { updateOutcomeLine: opts.updateOutcomeLine } : {}),
         })
 
         if (currentText !== ackText) {
@@ -697,6 +733,7 @@ export async function startBootCard(
             // cache write from the live-watch loop.
             ...(resolvedRows.length > 0 ? { resolvedRows } : {}),
             ...(snoozeRows.length > 0 ? { snoozeRows } : {}),
+            ...(opts.updateOutcomeLine ? { updateOutcomeLine: opts.updateOutcomeLine } : {}),
           })
 
           if (updatedText === currentText) continue

package/telegram-plugin/gateway/boot-probes.ts

@@ -17,7 +17,7 @@ import { execFile as execFileCb } from 'child_process'
 import { promisify } from 'util'
 
 import { readQuotaCache, writeQuotaCache } from './quota-cache.js'
-import { fetchQuota, formatQuotaLine } from '../quota-check.js'
+import { fetchQuota, formatQuotaLine, type QuotaResult } from '../quota-check.js'
 
 const execFile = promisify(execFileCb)
 
@@ -47,6 +47,25 @@ export interface ProbeResult {
 
 const PROBE_TIMEOUT_MS = 2000
 
+/**
+ * Quota is the one probe that legitimately needs a network round-trip.
+ * The boot card is NOT blocked on probes — it's posted immediately and
+ * probe rows edit in at the 6s settle window (see boot-card.ts
+ * SETTLE_WINDOW_MS) — so the old 1.8s direct-fetch budget was a
+ * self-inflicted abort, not a real constraint. Post-#1336 the broker
+ * owns the canonical probe; the gateway just awaits a local UDS
+ * round-trip while the broker does the Anthropic call server-side.
+ *
+ *   BROKER   — passed to client.probeQuota(); the broker's server-side
+ *              /v1/messages timeout.
+ *   DIRECT   — fallback direct fetch when the broker is unreachable
+ *              (non-docker, boot-time socket race). Still bounded.
+ *   OUTER    — withTimeout() guard; must exceed BROKER + UDS RTT.
+ */
+const QUOTA_BROKER_TIMEOUT_MS = 7000
+const QUOTA_DIRECT_FALLBACK_TIMEOUT_MS = 5000
+const QUOTA_PROBE_OUTER_TIMEOUT_MS = 9000
+
 /**
  * Race a probe against a hard timeout. Returns a fail ProbeResult if the
  * probe doesn't settle within timeoutMs.
@@ -831,6 +850,14 @@ export async function probeQuota(
   claudeConfigDir: string,
   _agentDir: string,
   fetchImpl: typeof fetch = fetch,
+  opts: {
+    /** Canonical path (#1336): the broker probes Anthropic server-side
+     *  for this agent's effective account. Returns null when the broker
+     *  is unreachable / no active account → caller falls back to a
+     *  direct probe. Injected from gateway.ts (probeQuotaForBootCard);
+     *  omitted in non-docker / unit tests. */
+    brokerProbe?: (timeoutMs?: number) => Promise<QuotaResult | null>
+  } = {},
 ): Promise<ProbeResult> {
   return withTimeout('Quota', (async (): Promise<ProbeResult> => {
     const cached = readQuotaCache()
@@ -838,35 +865,50 @@ export async function probeQuota(
       return cached
     }
 
-    // The fallback per-agent token path is `accounts/default/.oauth-token`;
-    // fetchQuota's own resolver only checks the top-level `.oauth-token`,
-    // so prefer that, and if it's missing surface the same degraded row
-    // we did before (no live probe — that's a setup issue, not a runtime
-    // one).
-    let claudeDirForProbe: string | null = null
-    for (const candidate of [
-      claudeConfigDir,
-      join(claudeConfigDir, 'accounts', 'default'),
-    ]) {
-      if (existsSync(join(candidate, '.oauth-token'))) {
-        claudeDirForProbe = candidate
-        break
+    // Prefer the broker (canonical since #1336). It does the /v1/messages
+    // call server-side with its own timeout; we just await the local UDS
+    // round-trip. Reset Dates are revived at the client boundary
+    // (src/auth/broker/client.ts) so formatQuotaLine is safe.
+    let probe: QuotaResult | null = null
+    if (opts.brokerProbe) {
+      try {
+        probe = await opts.brokerProbe(QUOTA_BROKER_TIMEOUT_MS)
+      } catch {
+        probe = null
       }
     }
-    if (!claudeDirForProbe) {
-      return {
-        status: 'degraded',
-        label: 'Quota',
-        detail: 'no OAuth token',
-        nextStep: 'No OAuth token on disk — register a fleet account: `switchroom auth add <label> --from-oauth` then `switchroom auth use <label>` (RFC H)',
+
+    if (!probe) {
+      // Fallback: broker absent/unreachable (non-docker install, or a
+      // boot-time socket race). Direct probe — the per-agent token path
+      // is `accounts/default/.oauth-token`; fetchQuota's resolver only
+      // checks the top-level `.oauth-token`, so prefer that. Missing
+      // token is a setup issue, surfaced as the same degraded row.
+      let claudeDirForProbe: string | null = null
+      for (const candidate of [
+        claudeConfigDir,
+        join(claudeConfigDir, 'accounts', 'default'),
+      ]) {
+        if (existsSync(join(candidate, '.oauth-token'))) {
+          claudeDirForProbe = candidate
+          break
+        }
       }
+      if (!claudeDirForProbe) {
+        return {
+          status: 'degraded',
+          label: 'Quota',
+          detail: 'no OAuth token',
+          nextStep: 'No OAuth token on disk — register a fleet account: `switchroom auth add <label> --from-oauth` then `switchroom auth use <label>` (RFC H)',
+        }
+      }
+      probe = await fetchQuota({
+        claudeConfigDir: claudeDirForProbe,
+        fetchImpl,
+        timeoutMs: QUOTA_DIRECT_FALLBACK_TIMEOUT_MS,
+      })
     }
 
-    const probe = await fetchQuota({
-      claudeConfigDir: claudeDirForProbe,
-      fetchImpl,
-      timeoutMs: 1800,
-    })
     if (!probe.ok) {
       // Auth rejection from /v1/messages is a strong signal — the same
       // endpoint claude itself uses. Other errors are surfaced verbatim
@@ -889,7 +931,7 @@ export async function probeQuota(
     }
     writeQuotaCache(result)
     return result
-  })())
+  })(), QUOTA_PROBE_OUTER_TIMEOUT_MS)
 }
 
 // ─── Probe: Hindsight ────────────────────────────────────────────────────────
@@ -917,7 +959,9 @@ export async function probeHindsight(
         status: 'fail',
         label: 'Hindsight',
         detail: 'unreachable',
-        nextStep: 'Hindsight server not responding on 127.0.0.1:18888 — start it with `hindsight serve` or check `systemctl --user status hindsight`',
+        nextStep: process.env.SWITCHROOM_RUNTIME === 'docker'
+          ? 'Hindsight server not responding on 127.0.0.1:18888 — check the hindsight container (`docker ps` / `docker logs`); it must be reachable on the host network.'
+          : 'Hindsight server not responding on 127.0.0.1:18888 — start it with `hindsight serve` (or check `systemctl --user status hindsight`).',
       }
     }
 

package/telegram-plugin/gateway/diff-preview-card.test.ts

@@ -41,8 +41,8 @@ describe("buildDiffPreviewCard — suggest mode (default)", () => {
     const preview = buildDiffPreview(baseInput({ agentSummary: "Added Hiring section" }));
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
-      writeRequestId: "11223344",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
+      writeRequestId: "11223344112233441122334411223344",
     });
 
     // Body: title bold + all preview lines.
@@ -59,19 +59,19 @@ describe("buildDiffPreviewCard — suggest mode (default)", () => {
     expect(r[0]?.[0]?.text).toBe("📖 Open in Drive");
     expect(r[0]?.[0]?.url).toBe("https://docs.google.com/document/d/DOC1/edit");
     expect(r[0]?.[1]?.text).toBe("✅ Apply as suggestion");
-    expect(r[0]?.[1]?.callback_data).toBe("apv:aabbccdd:once");
+    expect(r[0]?.[1]?.callback_data).toBe("apv:aabbccddaabbccddaabbccddaabbccdd:once");
     // Row 2: [Apply directly] [Cancel]
     expect(r[1]?.[0]?.text).toBe("⚠ Apply directly");
-    expect(r[1]?.[0]?.callback_data).toBe("apv:11223344:once");
+    expect(r[1]?.[0]?.callback_data).toBe("apv:11223344112233441122334411223344:once");
     expect(r[1]?.[1]?.text).toBe("🚫 Cancel");
-    expect(r[1]?.[1]?.callback_data).toBe("apv:aabbccdd:deny");
+    expect(r[1]?.[1]?.callback_data).toBe("apv:aabbccddaabbccddaabbccddaabbccdd:deny");
   });
 
   it("hides 'Apply directly' when writeRequestId is undefined", () => {
     const preview = buildDiffPreview(baseInput());
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     const flat = rows(card.reply_markup).flat();
     expect(flat.find((b) => b.text === "⚠ Apply directly")).toBeUndefined();
@@ -91,8 +91,8 @@ describe("buildDiffPreviewCard — write mode (opt-in via expand)", () => {
       // callback's deny channel — semantically Cancel is "don't grant
       // either scope" but reusing the suggest id keeps the existing
       // approval-callback handler stateless.
-      suggestRequestId: "aabbccdd",
-      writeRequestId: "11223344",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
+      writeRequestId: "11223344112233441122334411223344",
     });
 
     const r = rows(card.reply_markup);
@@ -100,7 +100,7 @@ describe("buildDiffPreviewCard — write mode (opt-in via expand)", () => {
     expect(flat.find((b) => b.text === "✅ Apply as suggestion")).toBeUndefined();
     const directly = flat.find((b) => b.text === "⚠ Apply directly");
     expect(directly).toBeDefined();
-    expect(directly?.callback_data).toBe("apv:11223344:once");
+    expect(directly?.callback_data).toBe("apv:11223344112233441122334411223344:once");
     // Title icon swaps to ⚠.
     expect(card.text).toContain("⚠");
   });
@@ -119,7 +119,7 @@ describe("buildDiffPreviewCard — input validation", () => {
     expect(() =>
       buildDiffPreviewCard({
         preview,
-        suggestRequestId: "aabbccdd",
+        suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
         writeRequestId: "ABCDEF01", // wrong case
       }),
     ).toThrow(/8 hex chars/);
@@ -136,7 +136,7 @@ describe("buildDiffPreviewCard — fragility guards", () => {
     );
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     const flat = rows(card.reply_markup).flat();
     expect(flat.find((b) => b.text === "📖 Open in Drive")).toBeUndefined();
@@ -150,7 +150,7 @@ describe("buildDiffPreviewCard — fragility guards", () => {
     );
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     expect(card.text).not.toContain("<script>");
     expect(card.text).toContain("&lt;script&gt;");
@@ -162,7 +162,7 @@ describe("buildDiffPreviewCard — fragility guards", () => {
     );
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     expect(card.text).not.toMatch(/💬.*<b>/);
     expect(card.text).toContain("&lt;b&gt;");
@@ -175,8 +175,8 @@ describe("buildDiffPreviewCard — audit fidelity", () => {
     const preview = buildDiffPreview(input);
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
-      writeRequestId: "11223344",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
+      writeRequestId: "11223344112233441122334411223344",
     });
     // The audit row captures both wrapper truth + agent framing,
     // exactly as surfaced on the card.

package/telegram-plugin/gateway/diff-preview-card.ts

@@ -55,7 +55,7 @@ export interface DiffPreviewCardInput {
  * callback_data that the dispatcher rejects, but we'd rather fail
  * loudly at build time.
  */
-const REQUEST_ID_RE = /^[0-9a-f]{8}$/;
+const REQUEST_ID_RE = /^[0-9a-f]{32}$/;
 
 /**
  * Fragility-guard from B2 review: the `create_doc` prep helper

package/telegram-plugin/gateway/drive-write-approval.test.ts

@@ -66,7 +66,7 @@ function deps(overrides: Partial<DriveApprovalHandlerDeps> & { spy: Spy }): Driv
         ttl_ms: args.ttl_ms,
         approver_set: args.approver_set,
       });
-      return { request_id: "aabbccdd", expires_at_ms: Date.now() + args.ttl_ms };
+      return { request_id: "aabbccddaabbccddaabbccddaabbccdd", expires_at_ms: Date.now() + args.ttl_ms };
     },
     postCard: async (args) => {
       spy.posted.push({
@@ -123,7 +123,7 @@ describe("handleRequestDriveApproval — happy path", () => {
       type: "drive_approval_posted",
       correlationId: "corr-1",
       ok: true,
-      requestId: "aabbccdd",
+      requestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     expect(spy.sent[0]?.expiresAtMs).toBeGreaterThan(Date.now());
   });