switchroom 0.11.1 → 0.12.1

package/telegram-plugin/gateway/diff-preview-card.test.ts

@@ -41,8 +41,8 @@ describe("buildDiffPreviewCard — suggest mode (default)", () => {
     const preview = buildDiffPreview(baseInput({ agentSummary: "Added Hiring section" }));
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
-      writeRequestId: "11223344",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
+      writeRequestId: "11223344112233441122334411223344",
     });
 
     // Body: title bold + all preview lines.
@@ -59,19 +59,19 @@ describe("buildDiffPreviewCard — suggest mode (default)", () => {
     expect(r[0]?.[0]?.text).toBe("📖 Open in Drive");
     expect(r[0]?.[0]?.url).toBe("https://docs.google.com/document/d/DOC1/edit");
     expect(r[0]?.[1]?.text).toBe("✅ Apply as suggestion");
-    expect(r[0]?.[1]?.callback_data).toBe("apv:aabbccdd:once");
+    expect(r[0]?.[1]?.callback_data).toBe("apv:aabbccddaabbccddaabbccddaabbccdd:once");
     // Row 2: [Apply directly] [Cancel]
     expect(r[1]?.[0]?.text).toBe("⚠ Apply directly");
-    expect(r[1]?.[0]?.callback_data).toBe("apv:11223344:once");
+    expect(r[1]?.[0]?.callback_data).toBe("apv:11223344112233441122334411223344:once");
     expect(r[1]?.[1]?.text).toBe("🚫 Cancel");
-    expect(r[1]?.[1]?.callback_data).toBe("apv:aabbccdd:deny");
+    expect(r[1]?.[1]?.callback_data).toBe("apv:aabbccddaabbccddaabbccddaabbccdd:deny");
   });
 
   it("hides 'Apply directly' when writeRequestId is undefined", () => {
     const preview = buildDiffPreview(baseInput());
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     const flat = rows(card.reply_markup).flat();
     expect(flat.find((b) => b.text === "⚠ Apply directly")).toBeUndefined();
@@ -91,8 +91,8 @@ describe("buildDiffPreviewCard — write mode (opt-in via expand)", () => {
       // callback's deny channel — semantically Cancel is "don't grant
       // either scope" but reusing the suggest id keeps the existing
       // approval-callback handler stateless.
-      suggestRequestId: "aabbccdd",
-      writeRequestId: "11223344",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
+      writeRequestId: "11223344112233441122334411223344",
     });
 
     const r = rows(card.reply_markup);
@@ -100,7 +100,7 @@ describe("buildDiffPreviewCard — write mode (opt-in via expand)", () => {
     expect(flat.find((b) => b.text === "✅ Apply as suggestion")).toBeUndefined();
     const directly = flat.find((b) => b.text === "⚠ Apply directly");
     expect(directly).toBeDefined();
-    expect(directly?.callback_data).toBe("apv:11223344:once");
+    expect(directly?.callback_data).toBe("apv:11223344112233441122334411223344:once");
     // Title icon swaps to ⚠.
     expect(card.text).toContain("⚠");
   });
@@ -119,7 +119,7 @@ describe("buildDiffPreviewCard — input validation", () => {
     expect(() =>
       buildDiffPreviewCard({
         preview,
-        suggestRequestId: "aabbccdd",
+        suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
         writeRequestId: "ABCDEF01", // wrong case
       }),
     ).toThrow(/8 hex chars/);
@@ -136,7 +136,7 @@ describe("buildDiffPreviewCard — fragility guards", () => {
     );
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     const flat = rows(card.reply_markup).flat();
     expect(flat.find((b) => b.text === "📖 Open in Drive")).toBeUndefined();
@@ -150,7 +150,7 @@ describe("buildDiffPreviewCard — fragility guards", () => {
     );
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     expect(card.text).not.toContain("<script>");
     expect(card.text).toContain("&lt;script&gt;");
@@ -162,7 +162,7 @@ describe("buildDiffPreviewCard — fragility guards", () => {
     );
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     expect(card.text).not.toMatch(/💬.*<b>/);
     expect(card.text).toContain("&lt;b&gt;");
@@ -175,8 +175,8 @@ describe("buildDiffPreviewCard — audit fidelity", () => {
     const preview = buildDiffPreview(input);
     const card = buildDiffPreviewCard({
       preview,
-      suggestRequestId: "aabbccdd",
-      writeRequestId: "11223344",
+      suggestRequestId: "aabbccddaabbccddaabbccddaabbccdd",
+      writeRequestId: "11223344112233441122334411223344",
     });
     // The audit row captures both wrapper truth + agent framing,
     // exactly as surfaced on the card.

package/telegram-plugin/gateway/diff-preview-card.ts

@@ -55,7 +55,7 @@ export interface DiffPreviewCardInput {
  * callback_data that the dispatcher rejects, but we'd rather fail
  * loudly at build time.
  */
-const REQUEST_ID_RE = /^[0-9a-f]{8}$/;
+const REQUEST_ID_RE = /^[0-9a-f]{32}$/;
 
 /**
  * Fragility-guard from B2 review: the `create_doc` prep helper

package/telegram-plugin/gateway/drive-write-approval.test.ts

@@ -66,7 +66,7 @@ function deps(overrides: Partial<DriveApprovalHandlerDeps> & { spy: Spy }): Driv
         ttl_ms: args.ttl_ms,
         approver_set: args.approver_set,
       });
-      return { request_id: "aabbccdd", expires_at_ms: Date.now() + args.ttl_ms };
+      return { request_id: "aabbccddaabbccddaabbccddaabbccdd", expires_at_ms: Date.now() + args.ttl_ms };
     },
     postCard: async (args) => {
       spy.posted.push({
@@ -123,7 +123,7 @@ describe("handleRequestDriveApproval — happy path", () => {
       type: "drive_approval_posted",
       correlationId: "corr-1",
       ok: true,
-      requestId: "aabbccdd",
+      requestId: "aabbccddaabbccddaabbccddaabbccdd",
     });
     expect(spy.sent[0]?.expiresAtMs).toBeGreaterThan(Date.now());
   });

package/telegram-plugin/gateway/gateway.ts

@@ -62,6 +62,7 @@ import {
   createRetryApiCall,
   createSwallowingRetryApiCall,
   retryWithThreadFallback,
+  isHtmlParseRejectError,
 } from '../retry-api-call.js'
 import { installTgPostLogger, withTgPostTags } from '../shared/bot-runtime.js'
 import { buildAttachmentPath, assertInsideInbox } from '../attachment-path.js'
@@ -137,7 +138,7 @@ import { validateStringArray } from './access-validator.js'
  * identical envelope shapes.
  */
 const REPLY_TO_TEXT_MAX = 200
-import { markdownToHtml, splitHtmlChunks, repairEscapedWhitespace } from '../format.js'
+import { markdownToHtml, splitHtmlChunks, repairEscapedWhitespace, telegramHtmlToPlainText } from '../format.js'
 import {
   validateInlineKeyboard,
   type AnyButton,
@@ -213,6 +214,7 @@ import {
 import {
   fetchQuota,
   formatQuotaBlock,
+  type QuotaResult,
 } from '../quota-check.js'
 import {
   loadLockout,
@@ -301,6 +303,7 @@ import {
 } from './boot-card.js'
 import { determineRestartReason } from './boot-reason.js'
 import { shouldSkipDuplicateBootCard, type RestartReason } from './boot-card.js'
+import { maybeRenderUpdateAnnouncement } from './update-announce.js'
 import { createIssuesCardHandle, type IssuesCardHandle } from '../issues-card.js'
 import { startIssuesWatcher, type IssuesWatcherHandle } from '../issues-watcher.js'
 import { list as listIssues, resolve as resolveIssue } from '../../src/issues/index.js'
@@ -2775,6 +2778,12 @@ const ipcServer: IpcServer = createIpcServer({
           // second bridge-reconnect in the same lifetime can't race against
           // an in-flight sendMessage here either (#489).
           bootCardPending = true
+          // PR C: surface the most recent terminal update_apply audit
+          // row if it lands within the lookback window AND no other
+          // boot has claimed it. Cheap (one file read + one O_EXCL).
+          const updateOutcomeLine = (() => {
+            try { return maybeRenderUpdateAnnouncement() ?? undefined } catch { return undefined }
+          })()
           startBootCard(chatId, threadId, botApiForCard, {
             agentName: agentDisplayName,
             agentSlug,
@@ -2785,8 +2794,10 @@ const ipcServer: IpcServer = createIpcServer({
             restartAgeMs: markerAgeMs,
             restartReasonDetail: cleanMarker?.reason,
             loadAccounts: () => loadAccountsForBootCard(agentSlug),
+            probeQuotaViaBroker: (t) => probeQuotaForBootCard(agentSlug, t),
             tmuxSupervisor: process.env.SWITCHROOM_TMUX_SUPERVISOR === '1',
             dockerMode: process.env.SWITCHROOM_RUNTIME === 'docker',
+            ...(updateOutcomeLine ? { updateOutcomeLine } : {}),
           }, ackMsgId).then(handle => {
             activeBootCard = handle
           }).catch((err: Error) => {
@@ -3484,6 +3495,31 @@ async function executeReply(args: Record<string, unknown>): Promise<{ content: A
         }
       }
 
+      // Last-resort: resend this chunk as plain text (parse_mode unset).
+      // Keeps thread / reply / markup params; only the formatting is
+      // sacrificed. Used when Telegram rejects our HTML — better an
+      // unformatted answer than a vanished one.
+      const sendChunkPlainText = async (opts: Record<string, unknown>): Promise<void> => {
+        const plainOpts = { ...opts }
+        delete (plainOpts as { parse_mode?: unknown }).parse_mode
+        // A chunk that was pure markup (no text content) strips to ''.
+        // Sending '' is a Telegram 400 "message text is empty" — i.e.
+        // the answer would still vanish, in the exact path that exists
+        // to prevent that. Substitute an honest placeholder so the
+        // user at least sees that a fragment was unrenderable.
+        const stripped = telegramHtmlToPlainText(chunks[i])
+        const plain =
+          stripped.length > 0
+            ? stripped
+            : '⚠️ (a formatted fragment could not be rendered for Telegram)'
+        const sent = await lockedBot.api.sendMessage(chat_id, plain, plainOpts as never)
+        sentIds.push(sent.message_id)
+        logOutbound('reply', chat_id, sent.message_id, plain.length, `chunk=${i + 1}/${chunks.length} plaintext-fallback`)
+        process.stderr.write(
+          `telegram gateway: HTML parse-reject — resent chunk ${i + 1}/${chunks.length} as plain text\n`,
+        )
+      }
+
       try {
         const sent = await robustApiCall(
           () => lockedBot.api.sendMessage(chat_id, chunks[i], sendOpts as never),
@@ -3496,8 +3532,16 @@ async function executeReply(args: Record<string, unknown>): Promise<{ content: A
           threadId = undefined
           const retryOpts = { ...sendOpts }
           delete (retryOpts as any).message_thread_id
-          const sent = await lockedBot.api.sendMessage(chat_id, chunks[i], retryOpts as never)
-          sentIds.push(sent.message_id)
+          try {
+            const sent = await lockedBot.api.sendMessage(chat_id, chunks[i], retryOpts as never)
+            sentIds.push(sent.message_id)
+          } catch (retryErr) {
+            // Thread dropped, but the HTML is also unparseable — go plain.
+            if (isHtmlParseRejectError(retryErr)) await sendChunkPlainText(retryOpts)
+            else throw retryErr
+          }
+        } else if (isHtmlParseRejectError(err)) {
+          await sendChunkPlainText(sendOpts)
         } else {
           throw err
         }
@@ -4460,6 +4504,44 @@ async function executeVaultRequestAccess(args: Record<string, unknown>): Promise
 
   const agentSlug = process.env.SWITCHROOM_AGENT_NAME || 'agent'
 
+  // Fix B (#1487 follow-up): if this agent's STANDING ACL already
+  // covers the key, do NOT render a card or mint a grant. Minting
+  // writes a `.vault-token` that — pre-#1487 — *shadowed* the standing
+  // ACL (the exact gymbro trap) and is simply redundant post-#1487.
+  // Determine coverage AUTHORITATIVELY by probing the broker AS THIS
+  // AGENT (no-token list over the per-agent socket — path-as-identity;
+  // the gateway runs in the agent's container so the broker attributes
+  // it to this agent). NOT a gateway-side config read: the gateway can
+  // see newer config than the broker has loaded, so a config-derived
+  // "covered" could be wrong where the broker still denies. `list`
+  // returns only ACL-visible key NAMES — never secret values. Read
+  // scope only: schedule.secrets[] confers read, not write.
+  if (scopeRaw === 'read') {
+    try {
+      const visible = await listViaBroker()
+      if (visible !== null && visible.includes(key)) {
+        return {
+          content: [
+            {
+              type: 'text',
+              text:
+                `vault_request_access: '${key}' is ALREADY covered by ${agentSlug}'s ` +
+                `standing ACL (schedule.secrets[]). No approval card or grant is needed — ` +
+                `read it directly: \`switchroom vault get ${key}\`. Do NOT request a grant ` +
+                `for this key (a minted token would shadow the standing ACL). If a read ` +
+                `still returns VAULT-BROKER-DENIED, the broker likely needs a restart to ` +
+                `pick up a recent config change — tell the operator; don't re-request.`,
+            },
+          ],
+        }
+      }
+    } catch {
+      // Probe failed (broker unreachable / transient): fall through to
+      // the normal card flow. Fail-open is correct here — a redundant
+      // card is harmless; suppressing a needed card is not.
+    }
+  }
+
   const stageId = randomBytes(4).toString('hex')
   const pending: PendingVaultRequestAccess = {
     agent: agentSlug,
@@ -6658,7 +6740,7 @@ async function handleInbound(
       } else {
         // Fresh turn — priorTurnInFlight is false, so priorActive is
         // provably undefined. Earlier `if (priorActive)` block was dead
-        // code (mirrors first-paint.ts cleanup).
+        // code, removed in the same first-paint cleanup pass.
         const sKey = streamKey(chat_id, messageThreadId)
         const priorStream = activeDraftStreams.get(sKey)
         if (priorStream && !priorStream.isFinal()) {
@@ -7770,26 +7852,65 @@ async function runSwitchroomCommandFormatted(ctx: Context, args: string[], label
 // every agent can self-restart without admin privilege. `/restart <other>`
 // is blocked just like any other admin verb.
 //
-// Invariant: when AGENT_ADMIN=true, this middleware is a no-op — bot.command()
-// handlers run normally for all admin verbs and Claude never sees them.
+// sec WS7-F2 (#1394): when AGENT_ADMIN=true this middleware is NO LONGER a
+// no-op — a `block`-classified verb (fleet-admin / `/restart <other>`)
+// requires OPERATOR-PRIVATE (a private chat from a strict
+// `access.allowFrom` sender), because the per-command `isAuthorizedSender`
+// gate treats an empty group `allowFrom` as "allow every member". Non-
+// admin-verb traffic (`pass-through`, incl. `/restart`-self and all normal
+// chat) is untouched and reaches `next()` exactly as before.
 bot.use(async (ctx, next) => {
-  if (!AGENT_ADMIN && ctx.message?.text) {
+  if (ctx.message?.text) {
     const myName = getMyAgentName()
     const decision = classifyAdminGate(ctx.message.text, myName)
     if (decision.action === 'block') {
-      // Block admin commands the LLM should never see. Reply with a concise
-      // "admin required" warning instead of forwarding to Claude.
-      process.stderr.write(
-        `telegram gateway: admin-gate blocked cmd=/${decision.cmd} agent=${process.env.SWITCHROOM_AGENT_NAME ?? '-'} reason=${decision.reason} (AGENT_ADMIN=false)\n`,
-      )
+      // `block` = a fleet-admin verb (ADMIN_COMMAND_NAMES) or
+      // `/restart <other-agent>`. classifyAdminGate already lets
+      // `/restart`-self and every non-admin command pass through, so
+      // this branch is exactly the privileged set.
       const cmdHtml = escapeHtmlForTg(`/${decision.cmd}`)
       const nameHtml = escapeHtmlForTg(myName)
-      const text =
+      const notFlagged =
         decision.reason === 'other-agent'
           ? `⚠️ <code>${cmdHtml}</code> targeting another agent is an admin operation — this agent (<code>${nameHtml}</code>) isn't admin-flagged. Run it from an admin agent, or set <code>admin: true</code> for this agent in switchroom.yaml. (Self-restart is allowed: send <code>/restart</code> with no arg.)`
           : `⚠️ <code>${cmdHtml}</code> is an admin command — this agent (<code>${nameHtml}</code>) isn't admin-flagged. Run it from an admin agent, or set <code>admin: true</code> for this agent in switchroom.yaml.`
-      await switchroomReply(ctx, text, { html: true })
-      return
+      if (!AGENT_ADMIN) {
+        // Unchanged behaviour: a non-admin agent never executes admin
+        // verbs locally and must not forward them to Claude.
+        process.stderr.write(
+          `telegram gateway: admin-gate blocked cmd=/${decision.cmd} agent=${process.env.SWITCHROOM_AGENT_NAME ?? '-'} reason=${decision.reason} (AGENT_ADMIN=false)\n`,
+        )
+        await switchroomReply(ctx, notFlagged, { html: true })
+        return
+      }
+      // sec WS7-F2 (#1394): fleet-admin is OPERATOR-PRIVATE. Honor it
+      // ONLY in a private chat from an `access.allowFrom` sender.
+      // Before this, when AGENT_ADMIN=true the middleware was a no-op
+      // and the per-command `isAuthorizedSender` gate treats an empty
+      // group `allowFrom` as "allow every member" — so any member of
+      // an admin agent's forum/group could run /vault, /update apply,
+      // /grant, /dangerous, etc. (the default shape for an agent
+      // created via `agent add --topology forum` + `admin: true`).
+      // Strict `access.allowFrom` + private-chat-only — never the
+      // group-permissive isAuthorizedSender.
+      const senderId = String(ctx.from?.id ?? '')
+      const operatorPrivate =
+        ctx.chat?.type === 'private' &&
+        loadAccess().allowFrom.includes(senderId)
+      if (!operatorPrivate) {
+        process.stderr.write(
+          `telegram gateway: admin-gate refused (not operator-private) cmd=/${decision.cmd} agent=${process.env.SWITCHROOM_AGENT_NAME ?? '-'} chat=${ctx.chat?.type ?? '?'} sender=${senderId}\n`,
+        )
+        await switchroomReply(
+          ctx,
+          `⚠️ <code>${cmdHtml}</code> is a fleet-admin command — it is <b>operator-private</b>. Send it as a direct message to me from your operator account (a private chat where your Telegram ID is on the access allowlist), not in a group or forum.`,
+          { html: true },
+        )
+        return
+      }
+      // operator-private admin verb on an admin agent → fall through
+      // to the bot.command() handler (which re-checks isAuthorizedSender
+      // — redundant but harmless in a private allowFrom chat).
     }
   }
   await next()
@@ -7958,6 +8079,7 @@ async function buildLiveProbeRows(agentName: string): Promise<StatusProbeRow[]>
       gatewayInfo: { pid: process.pid, startedAtMs: GATEWAY_STARTED_AT_MS },
       tmuxSupervisor: process.env.SWITCHROOM_TMUX_SUPERVISOR === '1',
       dockerMode: process.env.SWITCHROOM_RUNTIME === 'docker',
+      probeQuotaViaBroker: (t) => probeQuotaForBootCard(agentName, t),
     })
     const rows: StatusProbeRow[] = []
     // Render order matches the boot card's PROBE_KEYS so the two
@@ -8574,7 +8696,7 @@ bot.command('audit', async ctx => {
   if (arg === '' || arg === 'help' || arg === '--help') {
     await switchroomReply(
       ctx,
-      'Usage: <code>/audit hostd [--tail N] [--agent &lt;name&gt;] [--op &lt;verb&gt;] [--error]</code>',
+      'Usage: <code>/audit hostd [--tail N] [--agent &lt;name&gt;] [--op &lt;verb&gt;] [--error] [--verbose]</code>',
       { html: true },
     )
     return
@@ -8601,6 +8723,7 @@ bot.command('audit', async ctx => {
   for (let i = 1; i < tokens.length; i++) {
     const t = tokens[i]!
     if (t === '--error') { argv.push('--error'); continue }
+    if (t === '--verbose') { argv.push('--verbose'); continue }
     if (t === '--tail' || t === '--agent' || t === '--op') {
       const v = tokens[++i]
       if (v == null) {
@@ -8630,7 +8753,7 @@ bot.command('audit', async ctx => {
     await switchroomReply(
       ctx,
       `Unknown flag <code>${escapeHtmlForTg(t)}</code>. ` +
-      `Allowed: <code>--tail</code>, <code>--agent</code>, <code>--op</code>, <code>--error</code>.`,
+      `Allowed: <code>--tail</code>, <code>--agent</code>, <code>--op</code>, <code>--error</code>, <code>--verbose</code>.`,
       { html: true },
     )
     return
@@ -9011,7 +9134,39 @@ async function runCreditWatch(): Promise<void> {
 }
 
 bot.command("auth", async ctx => {
-  if (!isAuthorizedSender(ctx)) return
+  // sec WS7-F2b (#1394): `/auth` drives the auth-broker credential
+  // lifecycle (`/auth add` mints/attaches an Anthropic account token,
+  // `/auth use` switches the active account, …). It is NOT in
+  // ADMIN_COMMAND_NAMES (deliberately gateway-handled even on
+  // non-admin agents so it works when the model is unreachable — that
+  // routing is unchanged), so the WS7-F2 operator-private middleware
+  // does not cover it, and its only sender gate was the
+  // group-permissive `isAuthorizedSender` (empty group `allowFrom` =
+  // allow every member). On an `admin:true` forum agent any
+  // forum/supergroup member could therefore run privileged `/auth`.
+  // Credential-plane admin is OPERATOR-PRIVATE, exactly like the
+  // ADMIN_COMMAND_NAMES verbs (WS7-F2 / #1408): honor `/auth` ONLY in
+  // a private chat from a strict `access.allowFrom` sender — never the
+  // group-permissive isAuthorizedSender. The agent-admin-flag /
+  // broker-side enforcement (isAuthAdmin below) is orthogonal and
+  // unchanged; operator auth-recovery is via DM (same as #1408).
+  const authSenderId = String(ctx.from?.id ?? '')
+  const authOperatorPrivate =
+    ctx.chat?.type === 'private' &&
+    loadAccess().allowFrom.includes(authSenderId)
+  if (!authOperatorPrivate) {
+    if (ctx.chat?.type !== 'private') {
+      process.stderr.write(
+        `telegram gateway: /auth refused (not operator-private) agent=${process.env.SWITCHROOM_AGENT_NAME ?? '-'} chat=${ctx.chat?.type ?? '?'} sender=${authSenderId}\n`,
+      )
+      await switchroomReply(
+        ctx,
+        `⚠️ <code>/auth</code> manages account credentials — it is <b>operator-private</b>. Send it as a direct message to me from your operator account (a private chat where your Telegram ID is on the access allowlist), not in a group or forum.`,
+        { html: true },
+      ).catch(() => {})
+    }
+    return
+  }
   const text = ctx.message?.text ?? ""
   const parsed = parseAuthCommand(text)
   if (!parsed) return
@@ -9174,6 +9329,33 @@ async function loadAccountsForBootCard(agent: string): Promise<ListStateData | n
   }
 }
 
+/**
+ * Canonical boot-card quota probe (#1336): resolve this agent's
+ * effective account, then have the broker probe Anthropic server-side.
+ * Returns null on any failure (broker unreachable, no active account)
+ * so `probeQuota` falls back to a direct probe. Mirrors
+ * `loadAccountsForBootCard`'s broker-client + swallow-to-null shape,
+ * and the override→account→active resolution used by auth-line.ts.
+ */
+async function probeQuotaForBootCard(
+  agent: string,
+  timeoutMs?: number,
+): Promise<QuotaResult | null> {
+  try {
+    const client = await getAuthBrokerClient(agent)
+    if (!client) return null
+    const state = await client.listState()
+    const entry = state.agents.find((a) => a.name === agent)
+    const label = entry?.override ?? entry?.account ?? state.active
+    if (!label) return null
+    const { results } = await client.probeQuota([label], timeoutMs)
+    return results.find((r) => r.label === label)?.result ?? null
+  } catch (err) {
+    process.stderr.write(`telegram gateway: boot-card quota probe failed: ${(err as Error)?.message ?? String(err)}\n`)
+    return null
+  }
+}
+
 /**
  * Read the pending auth session's target slot from the agent's
  * `.setup-token.session.json` meta file. Returns null when no session
@@ -9408,6 +9590,40 @@ async function performVaultAccessApproval(
     attestation.kind === 'passphrase'
       ? { passphrase: attestation.passphrase }
       : { attest_via_posture: true as const }
+
+  // Fix B (#1487 follow-up), operator-tap guard. Defense-in-depth for a
+  // card staged before the key became standing-ACL-covered (config edit
+  // / #1487 deploy / drift): if the agent's standing ACL ALREADY covers
+  // this read key, do NOT mint — minting writes a `.vault-token` that
+  // shadows the standing ACL and is redundant. Authoritative broker
+  // probe AS THIS AGENT (no-token list over the per-agent socket — same
+  // rationale as executeVaultRequestAccess; never a gateway-side config
+  // read). Read scope only. Fail-open on probe error (mint as before).
+  if (pending.scope === 'read') {
+    try {
+      const visible = await listViaBroker()
+      if (visible !== null && visible.includes(pending.key)) {
+        pendingVaultRequestAccesses.delete(stageId)
+        if (pending.card_message_id != null) {
+          await ctx.api
+            .editMessageText(
+              pending.chat_id,
+              pending.card_message_id,
+              `ℹ️ <b>${escapeHtmlForTg(pending.agent)}</b> already has standing-ACL access to ` +
+              `<code>${escapeHtmlForTg(pending.key)}</code> (schedule.secrets[]). ` +
+              `<b>No grant minted</b> — a token would shadow the standing ACL. ` +
+              `The agent can read it directly.`,
+              { parse_mode: 'HTML', reply_markup: { inline_keyboard: [] } },
+            )
+            .catch(() => {})
+        }
+        return
+      }
+    } catch {
+      // Probe failed: fall through and mint as before (fail-open).
+    }
+  }
+
   // #1051: union the new key with the agent's existing active grant
   // before minting. Without this, each fresh Approve OVERWRITES the
   // agent's `.vault-token` file with a single-key grant — the
@@ -11501,7 +11717,24 @@ bot.on('callback_query:data', async ctx => {
   // Routed through the generic kernel handler so any surface that uses
   // buildApprovalCard inherits consume → record → confirmation UX without
   // each surface re-implementing it.
+  //
+  // SECURITY (sec WS7-F1, #1394): this is the human-in-the-loop gate for
+  // EVERY dangerous tool call + Drive write. handleApprovalCallback records
+  // whoever tapped as the approver (`granted_by_user_id = ctx.from.id`) and
+  // the approval-kernel performs NO server-side approver validation, so an
+  // unauthorized tap is laundered into a real grant. The card is delivered
+  // to the agent's chat(s) — for a forum/group agent that is every member.
+  // Refuse callbacks from anyone outside `access.allowFrom`, BEFORE the
+  // approval_consume nonce burn. Strict `access.allowFrom` — identical to
+  // the drvpick:/op:/vd:/vg:/vra:/vrs:/vrd: families; the absence of this
+  // check (not a deliberate exemption) was the vulnerability.
   if (data.startsWith('apv:')) {
+    const access = loadAccess()
+    const senderId = String(ctx.from?.id ?? '')
+    if (!access.allowFrom.includes(senderId)) {
+      await ctx.answerCallbackQuery({ text: 'Not authorized.' })
+      return
+    }
     const { handleApprovalCallback } = await import('./approval-callback.js')
     await handleApprovalCallback(ctx, data)
     return
@@ -11512,10 +11745,11 @@ bot.on('callback_query:data', async ctx => {
   // grant writes an allow_always kernel decision at
   // doc:gdrive:folder/<id>/** and edits the card to a confirmation.
   //
-  // Auth gate: the picker grant is an OPERATOR action (mirrors the
-  // `op:`/`vd:`/`vg:` family, not the `apv:` agent-approval shape).
-  // Mirror those patterns — refuse callbacks from anyone outside
-  // `access.allowFrom`. Without this, a group member who isn't in
+  // Auth gate: the picker grant is an OPERATOR action — same strict
+  // `access.allowFrom` check as every other callback family (`op:`/
+  // `vd:`/`vg:`/`apv:` since sec WS7-F1, …). Refuse callbacks from
+  // anyone outside `access.allowFrom`. Without this, a group member
+  // who isn't in
   // the operator allowlist could still tap [✅ Allow "<folder>"] on
   // a card that landed in the group and write an `allow_always`
   // decision attributed to themselves.
@@ -13433,6 +13667,13 @@ void (async () => {
                   // sendMessage round-trip) sees an in-flight emit. See #489.
                   bootCardPending = true
                   try {
+                    // PR C: mirror the bridge-reconnect path — surface
+                    // a recent terminal update_apply outcome with claim
+                    // dedupe so it doesn't render twice if bridge
+                    // re-connects within the lookback window.
+                    const updateOutcomeLine = (() => {
+                      try { return maybeRenderUpdateAnnouncement() ?? undefined } catch { return undefined }
+                    })()
                     const handle = await startBootCard(chatId, threadId, botApiForCard, {
                       agentName: agentDisplayName,
                       agentSlug,
@@ -13443,8 +13684,10 @@ void (async () => {
                       restartAgeMs: markerAgeMs,
                       restartReasonDetail: cleanMarker?.reason,
                       loadAccounts: () => loadAccountsForBootCard(agentSlug),
+                      probeQuotaViaBroker: (t) => probeQuotaForBootCard(agentSlug, t),
                       tmuxSupervisor: process.env.SWITCHROOM_TMUX_SUPERVISOR === '1',
                       dockerMode: process.env.SWITCHROOM_RUNTIME === 'docker',
+                      ...(updateOutcomeLine ? { updateOutcomeLine } : {}),
                     }, ackMsgId)
                     activeBootCard = handle
                   } catch (err) {