switchroom 0.12.0 → 0.12.1

package/telegram-plugin/tests/auth-snapshot-format.test.ts

@@ -135,7 +135,7 @@ describe('renderAuthSnapshotFormat2', () => {
   // fixture. If the formatter changes shape, update these expectations.
   const fixtureSnaps: AccountSnapshot[] = [
     snap({
-      label: 'ken.thompson@outlook.com.au',
+      label: 'alice@example.com',
       isActive: false,
       quota: quota({
         fiveHourUtilizationPct: 0,
@@ -146,7 +146,7 @@ describe('renderAuthSnapshotFormat2', () => {
       }),
     }),
     snap({
-      label: 'me@kenthompson.com.au',
+      label: 'bob@example.com',
       isActive: false,
       quota: quota({
         fiveHourUtilizationPct: 0,
@@ -157,7 +157,7 @@ describe('renderAuthSnapshotFormat2', () => {
       }),
     }),
     snap({
-      label: 'pixsoul@gmail.com',
+      label: 'you@example.com',
       isActive: true,
       quota: quota({
         fiveHourUtilizationPct: 8,
@@ -181,18 +181,18 @@ describe('renderAuthSnapshotFormat2', () => {
 
   it('marks the active account with ●', () => {
     const out = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC' });
-    expect(out).toMatch(/●\s*<code>pixsoul@gmail\.com<\/code>/);
+    expect(out).toMatch(/●\s*<code>you@example\.com<\/code>/);
   });
 
   it('shows "back …" for blocked accounts with binding-window word', () => {
     const out = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC' });
-    // me@kenthompson is blocked on 7d, recovers Sun
-    expect(out).toMatch(/me@kenthompson\.com\.au[\s\S]*back .* 7-day cap/);
+    // bob@example is blocked on 7d, recovers Sun
+    expect(out).toMatch(/bob@example\.com[\s\S]*back .* 7-day cap/);
   });
 
   it('puts the imminent window first on healthy/throttling rows', () => {
     const out = renderAuthSnapshotFormat2(fixtureSnaps, { now: NOW, tz: 'UTC' });
-    // pixsoul: 5h reset is in 7m, 7d reset is in 2d. 5h should come first.
+    // you: 5h reset is in 7m, 7d reset is in 2d. 5h should come first.
     const pixRow = out.split('\n').find((l) => l.includes('5h refills') && l.includes('7d resets'));
     expect(pixRow).toBeDefined();
     expect(pixRow!.indexOf('5h refills')).toBeLessThan(pixRow!.indexOf('7d resets'));
@@ -245,7 +245,7 @@ describe('renderFallbackAnnouncement', () => {
     representativeClaim: 'five_hour',
   });
 
-  const PIXSOUL_HEALTHY = quota({
+  const YOU_HEALTHY = quota({
     fiveHourUtilizationPct: 8,
     sevenDayUtilizationPct: 20,
     fiveHourResetAt: new Date('2026-05-15T01:00:00Z'),
@@ -256,8 +256,8 @@ describe('renderFallbackAnnouncement', () => {
     const out5 = renderFallbackAnnouncement({
       oldLabel: 'ken@x',
       oldQuota: KEN_5H_BLOWN,
-      newLabel: 'pixsoul@x',
-      newQuota: PIXSOUL_HEALTHY,
+      newLabel: 'you@x',
+      newQuota: YOU_HEALTHY,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
@@ -272,8 +272,8 @@ describe('renderFallbackAnnouncement', () => {
         sevenDayResetAt: new Date('2026-05-17T10:00:00Z'),
         representativeClaim: 'seven_day',
       }),
-      newLabel: 'pixsoul@x',
-      newQuota: PIXSOUL_HEALTHY,
+      newLabel: 'you@x',
+      newQuota: YOU_HEALTHY,
       triggerAgent: 'clerk',
       now: NOW,
       tz: 'UTC',
@@ -285,8 +285,8 @@ describe('renderFallbackAnnouncement', () => {
     const out = renderFallbackAnnouncement({
       oldLabel: 'ken@x',
       oldQuota: KEN_5H_BLOWN,
-      newLabel: 'pixsoul@x',
-      newQuota: PIXSOUL_HEALTHY,
+      newLabel: 'you@x',
+      newQuota: YOU_HEALTHY,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
@@ -299,8 +299,8 @@ describe('renderFallbackAnnouncement', () => {
     const happy = renderFallbackAnnouncement({
       oldLabel: 'ken@x',
       oldQuota: KEN_5H_BLOWN,
-      newLabel: 'pixsoul@x',
-      newQuota: PIXSOUL_HEALTHY,
+      newLabel: 'you@x',
+      newQuota: YOU_HEALTHY,
       triggerAgent: 'carrie',
       now: NOW,
       tz: 'UTC',
@@ -310,7 +310,7 @@ describe('renderFallbackAnnouncement', () => {
     const tight = renderFallbackAnnouncement({
       oldLabel: 'ken@x',
       oldQuota: KEN_5H_BLOWN,
-      newLabel: 'pixsoul@x',
+      newLabel: 'you@x',
       newQuota: quota({ fiveHourUtilizationPct: 85 }),
       triggerAgent: 'carrie',
       now: NOW,

package/telegram-plugin/tests/auto-fallback-fleet.test.ts

@@ -44,7 +44,7 @@ describe('runFleetAutoFallback', () => {
       fanned: ['alice', 'bob'],
     }));
     const out = await runFleetAutoFallback({
-      state: state('ken@x', ['ken@x', 'me@x', 'pixsoul@x']),
+      state: state('ken@x', ['ken@x', 'me@x', 'you@x']),
       quotas: [
         // ken: just blew 5h
         qOk({
@@ -58,7 +58,7 @@ describe('runFleetAutoFallback', () => {
           sevenDayResetAt: new Date('2026-05-17T10:00:00Z'),
           representativeClaim: 'seven_day',
         }),
-        // pixsoul: healthy 5h/7d
+        // you: healthy 5h/7d
         qOk({ fiveHourUtilizationPct: 8, sevenDayUtilizationPct: 20 }),
       ],
       setActive,
@@ -69,10 +69,10 @@ describe('runFleetAutoFallback', () => {
 
     expect(out.kind).toBe('switched');
     expect(setActive).toHaveBeenCalledTimes(1);
-    expect(setActive).toHaveBeenCalledWith('pixsoul@x');
+    expect(setActive).toHaveBeenCalledWith('you@x');
     if (out.kind === 'switched') {
       expect(out.oldLabel).toBe('ken@x');
-      expect(out.newLabel).toBe('pixsoul@x');
+      expect(out.newLabel).toBe('you@x');
       expect(out.announcement).toContain('5-hour limit on ken@x');
       expect(out.announcement).toContain('Triggered by: agent <b>carrie</b>');
       expect(out.announcement).toContain('plenty of headroom');
@@ -112,7 +112,7 @@ describe('runFleetAutoFallback', () => {
   it('idempotency: skips swap when active probes healthy (stale event)', async () => {
     const setActive = vi.fn();
     const out = await runFleetAutoFallback({
-      state: state('ken@x', ['ken@x', 'pixsoul@x']),
+      state: state('ken@x', ['ken@x', 'you@x']),
       quotas: [
         qOk({ fiveHourUtilizationPct: 5, sevenDayUtilizationPct: 10 }),
         qOk({ fiveHourUtilizationPct: 5, sevenDayUtilizationPct: 10 }),
@@ -147,14 +147,14 @@ describe('runFleetAutoFallback', () => {
   it('falls back to a throttling alternative when no healthy one exists', async () => {
     const setActive = vi.fn(async (label: string) => ({ active: label, fanned: [] }));
     const out = await runFleetAutoFallback({
-      state: state('ken@x', ['ken@x', 'pixsoul@x']),
+      state: state('ken@x', ['ken@x', 'you@x']),
       quotas: [
         qOk({
           fiveHourUtilizationPct: 100,
           fiveHourResetAt: new Date('2026-05-15T05:50:00Z'),
           representativeClaim: 'five_hour',
         }),
-        // pixsoul throttling at 85% but not blocked
+        // you throttling at 85% but not blocked
         qOk({ fiveHourUtilizationPct: 85, sevenDayUtilizationPct: 20 }),
       ],
       setActive,
@@ -164,7 +164,7 @@ describe('runFleetAutoFallback', () => {
     });
 
     expect(out.kind).toBe('switched');
-    expect(setActive).toHaveBeenCalledWith('pixsoul@x');
+    expect(setActive).toHaveBeenCalledWith('you@x');
     if (out.kind === 'switched') {
       expect(out.announcement).toContain('near limit — watch this');
     }
@@ -173,7 +173,7 @@ describe('runFleetAutoFallback', () => {
   it('skips unknown-health (probe failed) when picking a target', async () => {
     const setActive = vi.fn(async (label: string) => ({ active: label, fanned: [] }));
     const out = await runFleetAutoFallback({
-      state: state('ken@x', ['ken@x', 'broken@x', 'pixsoul@x']),
+      state: state('ken@x', ['ken@x', 'broken@x', 'you@x']),
       quotas: [
         qOk({ fiveHourUtilizationPct: 100, fiveHourResetAt: new Date('2026-05-15T05:50:00Z') }),
         { ok: false, reason: 'HTTP 401' },
@@ -186,7 +186,7 @@ describe('runFleetAutoFallback', () => {
     });
 
     expect(out.kind).toBe('switched');
-    expect(setActive).toHaveBeenCalledWith('pixsoul@x');
+    expect(setActive).toHaveBeenCalledWith('you@x');
   });
 });
 

package/telegram-plugin/tests/boot-probes.test.ts

@@ -883,7 +883,7 @@ describe('probeSkills', () => {
     expect(result.detail).toContain('no skills dir')
   })
 
-  it('returns ok with count when every skill resolves', async () => {
+  it('returns ok with every skill listed under Switchroom bucket when no overlay', async () => {
     const fs = makeSkillsFs(
       { [skillsDir]: ['simplify', 'review'] },
       new Set([
@@ -893,7 +893,40 @@ describe('probeSkills', () => {
     )
     const result = await probeSkills(agentDir, { fs })
     expect(result.status).toBe('ok')
-    expect(result.detail).toContain('2 resolved')
+    expect(result.detail).toBe('Switchroom: review, simplify')
+  })
+
+  it('buckets overlay-installed skills under Agent', async () => {
+    const overlayDir = '/state/agent/skills.d'
+    const fs = makeSkillsFs(
+      {
+        [skillsDir]: ['simplify', 'review', 'webapp-testing'],
+        [overlayDir]: ['webapp-testing.yaml'],
+      },
+      new Set([
+        `${skillsDir}/simplify`, `${skillsDir}/simplify/SKILL.md`,
+        `${skillsDir}/review`, `${skillsDir}/review/SKILL.md`,
+        `${skillsDir}/webapp-testing`, `${skillsDir}/webapp-testing/SKILL.md`,
+        overlayDir,
+      ]),
+    )
+    const result = await probeSkills(agentDir, { fs })
+    expect(result.status).toBe('ok')
+    expect(result.detail).toBe('Switchroom: review, simplify · Agent: webapp-testing')
+  })
+
+  it('lists every skill without a +N more truncation in the healthy case', async () => {
+    const names = Array.from({ length: 12 }, (_, i) => `skill-${i.toString().padStart(2, '0')}`)
+    const fileSet = new Set<string>()
+    for (const n of names) {
+      fileSet.add(`${skillsDir}/${n}`)
+      fileSet.add(`${skillsDir}/${n}/SKILL.md`)
+    }
+    const fs = makeSkillsFs({ [skillsDir]: names }, fileSet)
+    const result = await probeSkills(agentDir, { fs })
+    expect(result.status).toBe('ok')
+    expect(result.detail).not.toContain('+')
+    for (const n of names) expect(result.detail).toContain(n)
   })
 
   it('degraded when at least one symlink dangles, names them up to cap', async () => {
@@ -912,6 +945,8 @@ describe('probeSkills', () => {
     expect(result.detail).toContain('also-gone')
     expect(result.detail).toContain('+1 more')
     expect(result.detail).not.toContain('and-this')
+    // resolved skills still surface alongside the dangling summary
+    expect(result.detail).toContain('Switchroom: review, simplify')
   })
 
   it('returns ok when entries dir is empty', async () => {

package/telegram-plugin/tests/fixtures/service-log-current-claude-code.bin

@@ -339,7 +339,7 @@
 
 
 
-
+
 ❯  
 ────────────────────────────────────────────────────────────────────────────────
 ⏵⏵accepteditson(shift+tabtocycle)·esctointerrupt

package/telegram-plugin/tests/fleet-state.test.ts

@@ -155,8 +155,9 @@ describe('sanitiseToolArg', () => {
     expect(sanitiseToolArg('Write', { file_path: '/tmp/out.json' })).toBe('out.json')
   })
   it('redacts bearer-token-like strings in Bash commands', () => {
-    const out = sanitiseToolArg('Bash', { command: 'curl -H "Authorization: Bearer sk-ant-1234567890abcdef" https://x' })
-    expect(out).not.toContain('sk-ant-1234567890abcdef')
+    const tok = ['sk-ant-', '1234567890abcdef'].join('')
+    const out = sanitiseToolArg('Bash', { command: `curl -H "Authorization: Bearer ${tok}" https://x` })
+    expect(out).not.toContain(tok)
     expect(out.toLowerCase()).toContain('redacted')
   })
   it('returns empty string when no recognisable arg', () => {

package/telegram-plugin/tests/secret-detect-audit.test.ts

@@ -12,7 +12,7 @@ describe('secret-detect audit log', () => {
   })
 
   it('emits a structured event with slug but never the raw value', () => {
-    const raw = 'sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22'
+    const raw = ['sk-ant-', 'Apq13yqRnPzx4MxK0TfAbY98Qw22'].join('')
     emitAudit({
       chat_id: '-100',
       message_id: 5,

package/telegram-plugin/tests/secret-detect-pipeline.test.ts

@@ -27,7 +27,8 @@ describe('pipeline.runPipeline', () => {
 
   it('stores a high-confidence hit and rewrites the prompt', () => {
     const { write, list, store } = mkFakeVault()
-    const text = 'hey here is my key: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22 thanks'
+    const tok = ['sk-ant-', 'Apq13yqRnPzx4MxK0TfAbY98Qw22'].join('')
+    const text = `hey here is my key: ${tok} thanks`
     const res = runPipeline({
       chat_id: '-100',
       message_id: 5,
@@ -38,9 +39,9 @@ describe('pipeline.runPipeline', () => {
     })
     expect(res.stored).toHaveLength(1)
     expect(res.rewritten_text).toContain('[secret stored as vault:')
-    expect(res.rewritten_text).not.toContain('sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22')
+    expect(res.rewritten_text).not.toContain(tok)
     // The raw secret made it to the vault under the generated slug.
-    expect([...store.values()]).toContain('sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22')
+    expect([...store.values()]).toContain(tok)
     // Audit emitted once with action=stored.
     const storedLogs = captured.filter((l) => l.includes('"action":"stored"'))
     expect(storedLogs).toHaveLength(1)
@@ -71,7 +72,7 @@ describe('pipeline.runPipeline', () => {
 
   it('treats suppressed high-confidence hits as ambiguous', () => {
     const { write, list, store } = mkFakeVault()
-    const text = 'test sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22'
+    const text = `test ${['sk-ant-', 'Apq13yqRnPzx4MxK0TfAbY98Qw22'].join('')}`
     const res = runPipeline({
       chat_id: 'c',
       message_id: 1,
@@ -89,7 +90,7 @@ describe('pipeline.runPipeline', () => {
     const { write, list, store } = mkFakeVault()
     store.set('anthropic_api_key_20260423', 'preexisting')
     const text =
-      'first: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22 second: sk-ant-BqZ13yqRnPzx4MxK0TfAbY98Qw22'
+      `first: ${['sk-ant-', 'Apq13yqRnPzx4MxK0TfAbY98Qw22'].join('')} second: ${['sk-ant-', 'BqZ13yqRnPzx4MxK0TfAbY98Qw22'].join('')}`
     const res = runPipeline({
       chat_id: 'c',
       message_id: 2,
@@ -111,7 +112,7 @@ describe('pipeline.runPipeline', () => {
     const res = runPipeline({
       chat_id: 'c',
       message_id: 3,
-      text: 'key is sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
+      text: `key is ${['sk-ant-', 'Apq13yqRnPzx4MxK0TfAbY98Qw22'].join('')}`,
       passphrase: 'pw',
       vaultWrite: failingWrite,
       vaultList: list,

package/telegram-plugin/tests/secret-detect-suppressor-no-silent-allow.test.ts

@@ -20,12 +20,13 @@ import type { VaultWriteFn, VaultListFn } from '../secret-detect/vault-write.js'
  * this without breaking a test.
  */
 describe('suppressor: never silent-allows on structured matches', () => {
+  const tok = ['sk-ant-', 'Apq13yqRnPzx4MxK0TfAbY98Qw22'].join('')
   const phrasings = [
-    'this is a test, here is sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
-    'mock token: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
-    'example: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
-    'dummy sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
-    'fixture sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
+    `this is a test, here is ${tok}`,
+    `mock token: ${tok}`,
+    `example: ${tok}`,
+    `dummy ${tok}`,
+    `fixture ${tok}`,
   ]
 
   for (const text of phrasings) {

package/telegram-plugin/tests/secret-detect.test.ts

@@ -9,7 +9,7 @@ import { rewritePrompt } from '../secret-detect/rewrite.js'
 
 describe('mask.maskToken', () => {
   it('reveals first 6 + last 4 when length ≥ 18', () => {
-    const tok = 'sk-ant-abc123XYZdefGHI456789'
+    const tok = ['sk-ant-', 'abc123XYZdefGHI456789'].join('')
     expect(maskToken(tok)).toBe(`${tok.slice(0, 6)}...${tok.slice(-4)}`)
   })
   it('returns *** for short inputs', () => {
@@ -96,7 +96,7 @@ describe('chunker.chunk', () => {
 
 describe('suppressor.isSuppressed', () => {
   it('demotes hits near test/mock/example/fixture/dummy', () => {
-    const text = 'test: sk-ant-abc123defgh456789'
+    const text = `test: ${['sk-ant-', 'abc123defgh456789'].join('')}`
     const start = text.indexOf('sk-ant-')
     const end = text.length
     expect(isSuppressed(text, start, end)).toBe(true)
@@ -104,13 +104,13 @@ describe('suppressor.isSuppressed', () => {
   it('ignores markers more than 40 chars away', () => {
     // 80 chars of filler between "test" and the secret
     const filler = ' '.repeat(80)
-    const text = `test${filler}sk-ant-abc123defgh456789`
+    const text = `test${filler}${['sk-ant-', 'abc123defgh456789'].join('')}`
     const start = text.indexOf('sk-ant-')
     const end = text.length
     expect(isSuppressed(text, start, end)).toBe(false)
   })
   it('whole-word only — "tested" does not trigger', () => {
-    const text = 'untested sk-ant-abc123defgh456789'
+    const text = `untested ${['sk-ant-', 'abc123defgh456789'].join('')}`
     const start = text.indexOf('sk-ant-')
     const end = text.length
     expect(isSuppressed(text, start, end)).toBe(false)
@@ -150,7 +150,7 @@ describe('rewrite.rewritePrompt', () => {
     expect(out).toContain('[secret stored as vault:TOKEN]')
   })
   it('preserves non-secret substrings verbatim', () => {
-    const text = 'please stash api key ANTHROPIC_API_KEY=sk-ant-ABCDEFGHIJKLMNOP now'
+    const text = `please stash api key ANTHROPIC_API_KEY=${['sk-ant-', 'ABCDEFGHIJKLMNOP'].join('')} now`
     const detections = detectSecrets(text)
     expect(detections.length).toBeGreaterThan(0)
     const targets = detections.map((d) => ({ detection: d, actual_slug: 'ANTHROPIC_API_KEY' }))
@@ -161,7 +161,7 @@ describe('rewrite.rewritePrompt', () => {
 
 describe('detectSecrets — end-to-end', () => {
   it('finds an anthropic key', () => {
-    const text = 'here you go: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22'
+    const text = `here you go: ${['sk-ant-', 'Apq13yqRnPzx4MxK0TfAbY98Qw22'].join('')}`
     const d = detectSecrets(text)
     expect(d).toHaveLength(1)
     expect(d[0]!.rule_id).toBe('anthropic_api_key')
@@ -175,7 +175,7 @@ describe('detectSecrets — end-to-end', () => {
     expect(d.some((h) => h.rule_id === 'github_pat_classic')).toBe(true)
   })
   it('captures only the value for KEY=VALUE patterns', () => {
-    const text = 'ANTHROPIC_API_KEY=sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22'
+    const text = `ANTHROPIC_API_KEY=${['sk-ant-', 'Apq13yqRnPzx4MxK0TfAbY98Qw22'].join('')}`
     const d = detectSecrets(text)
     const envHit = d.find((h) => h.rule_id === 'env_key_value' || h.rule_id === 'anthropic_api_key')
     expect(envHit).toBeDefined()
@@ -183,7 +183,7 @@ describe('detectSecrets — end-to-end', () => {
     expect(envHit!.matched_text.startsWith('sk-ant-')).toBe(true)
   })
   it('flags suppressed on nearby "test"', () => {
-    const text = 'test token: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22'
+    const text = `test token: ${['sk-ant-', 'Apq13yqRnPzx4MxK0TfAbY98Qw22'].join('')}`
     const d = detectSecrets(text)
     expect(d.length).toBeGreaterThan(0)
     expect(d[0]!.suppressed).toBe(true)

package/telegram-plugin/tests/vault-grant-inbound-builders.test.ts

@@ -25,7 +25,7 @@ const CTX_READ: VaultGrantInboundContext = {
   agent: 'gymbro',
   key: 'fatsecret/credentials',
   scope: 'read',
-  chat_id: '8248703757',
+  chat_id: '12345',
   ttl_seconds: 30 * 86400,
 }
 
@@ -42,11 +42,11 @@ describe('buildVaultGrantApprovedInbound', () => {
       ctx: CTX_READ,
       grantId: 'vg_a1b2c3',
       stageId: 'stage-001',
-      operatorId: '8248703757',
+      operatorId: '12345',
       nowMs: FIXED_NOW,
     })
     expect(msg.type).toBe('inbound')
-    expect(msg.chatId).toBe('8248703757')
+    expect(msg.chatId).toBe('12345')
     expect(msg.user).toBe('vault-broker')
     expect(msg.userId).toBe(0)
     expect(msg.ts).toBe(FIXED_NOW)
@@ -71,7 +71,7 @@ describe('buildVaultGrantApprovedInbound', () => {
       ctx: CTX_READ,
       grantId: 'vg_a1b2c3',
       stageId: 'stage-001',
-      operatorId: '8248703757',
+      operatorId: '12345',
     })
     expect(msg.meta).toEqual({
       source: 'vault_grant_approved',
@@ -80,7 +80,7 @@ describe('buildVaultGrantApprovedInbound', () => {
       scope: 'read',
       grant_id: 'vg_a1b2c3',
       stage_id: 'stage-001',
-      operator_id: '8248703757',
+      operator_id: '12345',
     })
   })
 
@@ -151,7 +151,7 @@ describe('buildVaultGrantDeniedInbound', () => {
     const msg = buildVaultGrantDeniedInbound({
       ctx: CTX_READ,
       stageId: 'stage-001',
-      operatorId: '8248703757',
+      operatorId: '12345',
     })
     expect(msg.meta).toEqual({
       source: 'vault_grant_denied',
@@ -159,7 +159,7 @@ describe('buildVaultGrantDeniedInbound', () => {
       key: 'fatsecret/credentials',
       scope: 'read',
       stage_id: 'stage-001',
-      operator_id: '8248703757',
+      operator_id: '12345',
     })
     expect((msg.meta as { grant_id?: string }).grant_id).toBeUndefined()
   })
@@ -189,7 +189,7 @@ describe('buildVaultGrantDeniedInbound', () => {
     expect(denied.type).toBe('inbound')
     expect(denied.user).toBe('vault-broker')
     expect(denied.userId).toBe(0)
-    expect(denied.chatId).toBe('8248703757')
+    expect(denied.chatId).toBe('12345')
     expect(denied.ts).toBe(FIXED_NOW)
     expect(denied.messageId).toBe(FIXED_NOW)
   })

package/telegram-plugin/tests/vault-request-access-tool.test.ts

@@ -112,3 +112,54 @@ describe('vault_request_access (#1012)', () => {
     expect(handlerBlock).toMatch(/allowFrom\.includes/)
   })
 })
+
+/**
+ * Fix B (#1487 follow-up): vault_request_access must NOT card/mint when
+ * the agent's STANDING ACL already covers the key — and must decide
+ * that by probing the BROKER as the agent (no-token listViaBroker over
+ * the per-agent socket — path-as-identity), never a gateway-side
+ * config/checkAclByAgent read (the gateway can see newer config than
+ * the broker has loaded → "covered here, denied there"). Read scope
+ * only; fail-open on probe error. Source-pattern assertions matching
+ * this file's established style (the flow has Telegram + module-state
+ * side effects that aren't behaviourally unit-testable here).
+ */
+describe('Fix B: vault_request_access standing-ACL-aware (#1487 follow-up)', () => {
+  const execBlock =
+    gatewaySrc.split('async function executeVaultRequestAccess')[1]?.split('\nasync function ')[0] ?? ''
+  const approveBlock =
+    gatewaySrc.split('async function performVaultAccessApproval')[1]?.split('\nasync function ')[0] ?? ''
+
+  it('request path: read-scope broker-probe short-circuits BEFORE the card is staged/sent', () => {
+    expect(execBlock).toContain('listViaBroker(')
+    expect(execBlock).toMatch(/scopeRaw === 'read'/)
+    const probeIdx = execBlock.indexOf('listViaBroker(')
+    const stageIdx = execBlock.indexOf('pendingVaultRequestAccesses.set(stageId')
+    expect(probeIdx).toBeGreaterThan(-1)
+    expect(stageIdx).toBeGreaterThan(-1)
+    expect(probeIdx).toBeLessThan(stageIdx)
+    expect(execBlock).toMatch(/ALREADY covered[\s\S]*?return\s*{/)
+  })
+
+  it('request path: decides via the BROKER, not a gateway-side config/ACL read (B2 — no config drift)', () => {
+    expect(execBlock).not.toContain('checkAclByAgent(')
+    expect(execBlock).not.toContain('loadSwitchroomConfig(')
+  })
+
+  it('operator-approve path: parallel guard short-circuits BEFORE mintGrantViaBroker', () => {
+    expect(approveBlock).toContain('listViaBroker(')
+    expect(approveBlock).toMatch(/pending\.scope === 'read'/)
+    const probeIdx = approveBlock.indexOf('listViaBroker(')
+    const mintIdx = approveBlock.indexOf('mintGrantViaBroker(mintArgs)')
+    expect(probeIdx).toBeGreaterThan(-1)
+    expect(mintIdx).toBeGreaterThan(-1)
+    expect(probeIdx).toBeLessThan(mintIdx)
+    expect(approveBlock).toMatch(/listViaBroker\([\s\S]*?pendingVaultRequestAccesses\.delete\(stageId\)[\s\S]*?return/)
+    expect(approveBlock).not.toContain('checkAclByAgent(')
+  })
+
+  it('both guards are fail-open (probe error → normal card/mint flow)', () => {
+    expect(execBlock).toMatch(/try\s*{[\s\S]*?listViaBroker\([\s\S]*?}\s*catch/)
+    expect(approveBlock).toMatch(/try\s*{[\s\S]*?listViaBroker\([\s\S]*?}\s*catch/)
+  })
+})