switchroom 0.12.0 → 0.12.2

package/dist/vault/broker/server.js

@@ -12986,6 +12986,14 @@ function checkAclByAgent(config, agentName, key) {
   if (googleSlot !== null) {
     return checkGoogleAccountAcl(config, agentName, googleSlot.account, key);
   }
+  const agentBot = agentConfig.bot_token;
+  const botRef = agentBot && agentBot.length > 0 ? agentBot : config.telegram?.bot_token;
+  if (typeof botRef === "string" && botRef.startsWith("vault:")) {
+    const botKey = botRef.slice("vault:".length).split("#")[0];
+    if (botKey.length > 0 && botKey === key) {
+      return { allow: true };
+    }
+  }
   const schedule = agentConfig.schedule ?? [];
   if (schedule.length === 0) {
     return {
@@ -16042,35 +16050,37 @@ class VaultBroker {
         const grantId = dotIdx !== -1 ? req.token.slice(0, dotIdx) : undefined;
         const sentinelKey = Object.keys(this.secrets)[0] ?? "__list_check__";
         const tokenCheck = await validateGrant(this.grantsDb, req.token, sentinelKey);
-        if (!tokenCheck.ok && tokenCheck.reason !== "grant-key-not-allowed") {
+        if (!tokenCheck.ok && tokenCheck.reason === "grant-revoked") {
           this.auditLogger.write({
             ts: new Date().toISOString(),
             op: "list",
             caller: auditCaller,
             pid: auditPid,
             cgroup: auditCgroup,
-            result: `denied:${tokenCheck.reason}`,
+            result: `denied:grant-revoked`,
             method: "grant",
             grant_id: grantId
           });
-          socket.write(encodeResponse(errorResponse("DENIED", tokenCheck.reason)));
+          socket.write(encodeResponse(errorResponse("DENIED", "grant-revoked")));
+          return;
+        }
+        if (tokenCheck.ok || tokenCheck.reason === "grant-key-not-allowed") {
+          const grantRow = tokenCheck.ok ? tokenCheck.grant : this.grantsDb.query("SELECT key_allow FROM vault_grants WHERE id = ?").get(grantId ?? "");
+          const allowedKeys = grantRow ? typeof grantRow.key_allow === "string" ? JSON.parse(grantRow.key_allow) : grantRow.key_allow : [];
+          const visibleKeys2 = allowedKeys.filter((k) => (k in this.secrets));
+          this.auditLogger.write({
+            ts: new Date().toISOString(),
+            op: "list",
+            caller: auditCaller,
+            pid: auditPid,
+            cgroup: auditCgroup,
+            result: `allowed:${visibleKeys2.length}`,
+            method: "grant",
+            grant_id: grantId
+          });
+          socket.write(encodeResponse({ ok: true, keys: visibleKeys2 }));
           return;
         }
-        const grantRow = tokenCheck.ok ? tokenCheck.grant : this.grantsDb.query("SELECT key_allow FROM vault_grants WHERE id = ?").get(grantId ?? "");
-        const allowedKeys = grantRow ? typeof grantRow.key_allow === "string" ? JSON.parse(grantRow.key_allow) : grantRow.key_allow : [];
-        const visibleKeys2 = allowedKeys.filter((k) => (k in this.secrets));
-        this.auditLogger.write({
-          ts: new Date().toISOString(),
-          op: "list",
-          caller: auditCaller,
-          pid: auditPid,
-          cgroup: auditCgroup,
-          result: `allowed:${visibleKeys2.length}`,
-          method: "grant",
-          grant_id: grantId
-        });
-        socket.write(encodeResponse({ ok: true, keys: visibleKeys2 }));
-        return;
       }
       if (!isOperator && agentName === null && process.platform === "linux" && peer === null) {
         const reason = "Unable to identify caller (peercred unavailable); denying on Linux";
@@ -16145,10 +16155,9 @@ class VaultBroker {
           });
           socket.write(encodeResponse(entryResponse(entry2)));
           return;
-        } else {
+        } else if (grantResult.reason === "grant-revoked") {
           const dotIdx = req.token.indexOf(".");
           const grantId = dotIdx !== -1 ? req.token.slice(0, dotIdx) : undefined;
-          const denyReason = grantResult.reason;
           this.auditLogger.write({
             ts: new Date().toISOString(),
             op: "get",
@@ -16156,11 +16165,11 @@ class VaultBroker {
             caller: auditCaller,
             pid: auditPid,
             cgroup: auditCgroup,
-            result: `denied:${denyReason}`,
+            result: `denied:grant-revoked`,
             method: "grant",
             grant_id: grantId
           });
-          socket.write(encodeResponse(errorResponse("DENIED", denyReason)));
+          socket.write(encodeResponse(errorResponse("DENIED", "grant-revoked")));
           return;
         }
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.12.0",
+  "version": "0.12.2",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {
@@ -26,11 +26,12 @@
     "test:vitest": "vitest run",
     "test:bun": "bun test src/watchdog/state.test.ts src/watchdog/policy.test.ts src/vault/grants.test.ts src/vault/write-grants.test.ts src/vault/broker/server-grants.test.ts src/vault/broker/server-write-grants.test.ts src/vault/broker/server-mint-grant-passphrase-attest.test.ts src/vault/broker/server-passphrase-attest.test.ts src/vault/broker/server-mint-grant-posture-attest.test.ts src/vault/broker/client-token.test.ts src/vault/broker/server-unlock.test.ts src/vault/broker/auto-unlock.test.ts src/vault/broker/drift-detection.test.ts tests/vault-broker-passphrase.test.ts src/cli/vault-get-broker.test.ts src/vault/resolver-via-broker.test.ts src/vault/broker/scope.test.ts src/vault/broker/server.test.ts src/drive/disconnect.test.ts src/drive/grants.test.ts src/drive/oauth.test.ts src/drive/onboarding.test.ts src/drive/reconciler.test.ts src/drive/vault-slots.test.ts src/drive/wrapper.test.ts src/vault/approvals/kernel.test.ts src/vault/approvals/schema-idempotent.test.ts src/vault/broker/server-approvals.test.ts telegram-plugin/tests/boot-probes.test.ts telegram-plugin/tests/boot-version-string.test.ts telegram-plugin/tests/history.test.ts telegram-plugin/tests/history-reaper.test.ts telegram-plugin/tests/ipc-server-client.test.ts telegram-plugin/tests/ipc-server-race.test.ts telegram-plugin/tests/gateway-bridge.test.ts telegram-plugin/tests/gateway-startup-mutex.test.ts telegram-plugin/tests/gateway-clean-shutdown-marker.test.ts telegram-plugin/tests/boot-card-dedupe.test.ts telegram-plugin/tests/boot-card-reason.test.ts telegram-plugin/tests/progress-update.test.ts telegram-plugin/tests/quota-cache.test.ts telegram-plugin/tests/silent-reply-guard.test.ts telegram-plugin/tests/unhandled-rejection-policy.test.ts telegram-plugin/tests/registry-turns.test.ts telegram-plugin/registry/subagents.test.ts telegram-plugin/tests/turns-writer.test.ts telegram-plugin/tests/resolve-calling-subagent.test.ts telegram-plugin/tests/gateway-update-placeholder-dispatch.test.ts telegram-plugin/tests/reaction-trigger.test.ts telegram-plugin/tests/reaction-trigger-flow.test.ts telegram-plugin/uat/load-env.test.ts",
     "test:watch": "vitest",
-    "lint": "tsc --noEmit && node scripts/check-plugin-references.mjs && bash scripts/check-bot-api-wrapping.sh && node scripts/check-bun-test-imports.mjs",
+    "lint": "tsc --noEmit && node scripts/check-plugin-references.mjs && bash scripts/check-bot-api-wrapping.sh && node scripts/check-bun-test-imports.mjs && node scripts/check-no-pii-secrets.mjs",
     "lint:tsc": "tsc --noEmit",
     "lint:plugin-references": "node scripts/check-plugin-references.mjs",
     "lint:bot-api-wrapping": "bash scripts/check-bot-api-wrapping.sh",
     "lint:bun-test-imports": "node scripts/check-bun-test-imports.mjs",
+    "lint:no-pii": "node scripts/check-no-pii-secrets.mjs",
     "prepublishOnly": "npm run build && npm run lint && npm test"
   },
   "dependencies": {

package/profiles/_shared/agent-self-service.md.hbs

@@ -29,7 +29,7 @@ tools is to let you do the edit yourself.
   entry. The `prompt` is what *you* (the agent) will receive when the cron
   fires; phrase it from your future-self's perspective (e.g.
   `"Time for the daily digest — pull yesterday's GitHub activity and DM the
-  summary to chat 8248703757"`, not `"please send the digest"`). Optional
+  summary to chat 12345"`, not `"please send the digest"`). Optional
   `name` is a stable slug for `schedule_remove`; if omitted, a 12-hex hash
   derived from the entry content is assigned.
 

package/skills/skill-creator/SKILL.md

@@ -460,6 +460,12 @@ In Claude.ai, the core workflow is the same (draft → test → review → impro
 - **Copy to a writeable location before editing.** The installed skill path may be read-only. Copy to `/tmp/skill-name/`, edit there, and package from the copy.
 - **If packaging manually, stage in `/tmp/` first**, then copy to the output directory -- direct writes may fail due to permissions.
 
+> The two bullets above are the *generic / packaging* case (read-only
+> installed skills, producing a `.skill` file for download). If you are
+> running inside a **switchroom agent**, your own skills live in a
+> writable, persistent directory — do **not** stage in `/tmp/`; author
+> in place. See "Switchroom agent instructions" below.
+
 ---
 
 ## Cowork-Specific Instructions
@@ -476,6 +482,52 @@ If you're in Cowork, the main things to know are:
 
 ---
 
+## Switchroom agent instructions
+
+If you are running as a switchroom agent (you have a
+`$CLAUDE_CONFIG_DIR` and talk to a user over Telegram), authoring a
+skill for *yourself* is a plain filesystem write — no special tool, no
+broker, no packaging:
+
+- **Where skills live.** Your own (agent-scope) skills go in
+  `$CLAUDE_CONFIG_DIR/skills/<slug>/` — one directory per skill, with
+  `SKILL.md` at its root. This directory is **writable by you** and
+  **persistent** (it survives restarts and `switchroom agent
+  restart`). Just `Write`/`Edit` the files there directly. Do **not**
+  stage in `/tmp/` and do **not** copy anything afterwards — the
+  native filesystem write *is* the supported path. (There is no
+  skill authoring tool of any kind; authoring is plain file writes.
+  Sharing a skill with the rest of the fleet is **not** a runtime
+  action — it is a reviewed pull request; see the last bullet.)
+- **It goes live on your *next* turn, not this one.** Claude discovers
+  skills when a session starts. After you write the files, tell the
+  user the skill is created and will be active on the next message —
+  then stop. Don't write the skill and immediately try to invoke it in
+  the same turn; it won't be loaded yet. (If you need it active
+  immediately, the user can `switchroom agent restart <you>`.)
+- **A linter will nudge you, not block you.** A non-blocking
+  PreToolUse hook checks the skill shape (slug, path allowlist,
+  SKILL.md frontmatter) and returns advisory feedback if something is
+  off — the write still goes through. The only hard limit is the
+  per-skill byte cap (2 MiB); a write over that is rejected, so split
+  large assets out.
+- **Skill shape.** `SKILL.md` must start with YAML frontmatter:
+  `name:` equal to the `<slug>` directory name, and a `description:`
+  (1–1024 chars) that says when the skill should trigger. Supporting
+  files follow the allowlist: `README.md`, `scripts/*.{sh,py}`,
+  `assets/*`, `reference/*.md` (max depth 3).
+- **Fleet / global skills go through review, not a command.** Making a
+  skill available to *other* agents is a deliberate operator decision,
+  not a runtime write. The path is: open a pull request adding the
+  skill to switchroom's reviewed skill set (the canonical repo's
+  `skills/` for general skills, or the operator's private
+  `switchroom.skills_dir` repo for operator-specific ones); once merged
+  it ships as a bundled default (opt-out per agent via
+  `bundled_skills`) or via the `skills:` cascade. You can *propose* a
+  fleet skill by opening that PR; a human approves it. There is no
+  `skill_publish` and nothing an agent runs makes a skill fleet-wide on
+  its own.
+
 ## Reference files
 
 The agents/ directory contains instructions for specialized subagents. Read them when you need to spawn the relevant subagent.

package/telegram-plugin/auth-snapshot-format.ts

@@ -178,7 +178,7 @@ const HEALTH_TITLE: Record<AccountHealth, string> = {
 /**
  * One-line per-account summary inside its health group.
  *
- *   pixsoul@gmail.com  ● 8% / 20%
+ *   you@example.com  ● 8% / 20%
  *     5h refills 11:00 AM (in 6m)  ·  7d resets Sun 11:00 AM
  *
  * Two lines actually: the label/percent line and a sub-line with the
@@ -389,13 +389,13 @@ export interface FallbackAnnouncementInput {
 /**
  * Render the causal-shape fallback announcement.
  *
- *   ✓ Switched fleet · 5-hour limit on ken
+ *   ✓ Switched fleet · 5-hour limit on alice
  *
- *   ken.thompson@outlook → pixsoul@gmail.com
+ *   alice@example → you@example.com
  *   Triggered by: agent carrie
  *
- *   ken recovers Fri 3:50 PM (in 4h 56m)
- *   pixsoul now: 8% of 5h · 20% of 7d (plenty of headroom)
+ *   alice recovers Fri 3:50 PM (in 4h 56m)
+ *   you now: 8% of 5h · 20% of 7d (plenty of headroom)
  *
  * Falls back to a different shape when no eligible target was found
  * (`newLabel === null`) — see "all-blocked" branch.

package/telegram-plugin/dist/gateway/gateway.js

@@ -28009,8 +28009,26 @@ async function probeSkills(agentDir, opts = {}) {
         continue;
       }
     }
+    const overlayDir = opts.overlaySkillsDir ?? join21(agentDir, "skills.d");
+    const overlaySlugs = new Set;
+    if (fs2.exists(overlayDir)) {
+      let overlayEntries = [];
+      try {
+        overlayEntries = fs2.readdir(overlayDir);
+      } catch {}
+      for (const name of overlayEntries) {
+        const m = name.match(/^(.+)\.ya?ml$/i);
+        if (!m)
+          continue;
+        overlaySlugs.add(m[1]);
+      }
+    }
+    const liveEntries = entries.filter((n) => !dangling.includes(n)).sort();
+    const switchroomSkills = liveEntries.filter((n) => !overlaySlugs.has(n));
+    const agentSkills = liveEntries.filter((n) => overlaySlugs.has(n));
+    const bucketed = renderBucketedSkills(switchroomSkills, agentSkills);
     if (dangling.length === 0) {
-      return { status: "ok", label: "Skills", detail: `${entries.length} resolved` };
+      return { status: "ok", label: "Skills", detail: bucketed };
     }
     const named = dangling.slice(0, max).join(", ");
     const more = dangling.length > max ? ` +${dangling.length - max} more` : "";
@@ -28018,11 +28036,19 @@ async function probeSkills(agentDir, opts = {}) {
     return {
       status: "degraded",
       label: "Skills",
-      detail: `${dangling.length}/${entries.length} dangling: ${named}${more}`,
+      detail: `${dangling.length}/${entries.length} dangling: ${named}${more} \u00b7 ${bucketed}`,
       nextStep: `Run \`switchroom agent reconcile${reconcileTarget}\` to rebuild symlinks, or remove unused entries from switchroom.yaml`
     };
   })());
 }
+function renderBucketedSkills(switchroom, agent) {
+  const parts = [];
+  if (switchroom.length > 0)
+    parts.push(`Switchroom: ${switchroom.join(", ")}`);
+  if (agent.length > 0)
+    parts.push(`Agent: ${agent.join(", ")}`);
+  return parts.length === 0 ? "none resolved" : parts.join(" \u00b7 ");
+}
 var execFile3, PROBE_TIMEOUT_MS = 2000, QUOTA_BROKER_TIMEOUT_MS = 7000, QUOTA_DIRECT_FALLBACK_TIMEOUT_MS = 5000, QUOTA_PROBE_OUTER_TIMEOUT_MS = 9000, TOKEN_EXPIRING_SOON_DAYS = 7, AGENT_RETRY_INTERVAL_MS = 1500, AGENT_RETRY_MAX_MS = 12000, AGENT_LIVE_WINDOW_MS = 45000, AGENT_LIVE_POLL_INTERVAL_MS = 2000, AGENT_LIVE_FOLLOWUP_REPOLL_MS = 30000, realProcFs, SCHEDULER_LOCK_PATH_DEFAULT = "/state/agent/scheduler.lock", SCHEDULER_JSONL_PATH_DEFAULT = "/state/agent/scheduler.jsonl", SCHEDULER_FRESH_BOOT_MS = 30000, realSchedulerFs, realSkillsFs;
 var init_boot_probes = __esm(() => {
   init_quota_cache();
@@ -46533,11 +46559,11 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.12.0";
-var COMMIT_SHA = "2870fb03";
-var COMMIT_DATE = "2026-05-17T08:03:22Z";
-var LATEST_PR = 1462;
-var COMMITS_AHEAD_OF_TAG = 0;
+var VERSION = "0.12.2";
+var COMMIT_SHA = "1eeb64be";
+var COMMIT_DATE = "2026-05-18T09:09:53Z";
+var LATEST_PR = 1507;
+var COMMITS_AHEAD_OF_TAG = 2;
 
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {
@@ -46604,6 +46630,7 @@ import * as fs2 from "node:fs";
 import { homedir as homedir11 } from "node:os";
 import { join as join29 } from "node:path";
 var DEFAULT_TIMEOUT_MS4 = 2000;
+var UNLOCK_TIMEOUT_MS = 30000;
 var LEGACY_SOCKET_PATH2 = join29(homedir11(), ".switchroom", "vault-broker.sock");
 var OPERATOR_SOCKET_PATH2 = join29(homedir11(), ".switchroom", "broker-operator", "sock");
 function defaultBrokerSocketPath2() {
@@ -46715,7 +46742,7 @@ async function lockViaBroker(opts) {
 async function unlockViaBroker(passphrase, opts) {
   const dataSocketPath = resolveBrokerSocketPath2(opts);
   const unlockSocketPath = unlockSocketFor(dataSocketPath);
-  const timeoutMs = opts?.timeoutMs ?? DEFAULT_TIMEOUT_MS4;
+  const timeoutMs = opts?.timeoutMs ?? UNLOCK_TIMEOUT_MS;
   return new Promise((resolve7) => {
     let settled = false;
     const settle = (val) => {
@@ -49446,6 +49473,21 @@ async function executeVaultRequestAccess(args) {
   }
   assertAllowedChat(chat_id);
   const agentSlug = process.env.SWITCHROOM_AGENT_NAME || "agent";
+  if (scopeRaw === "read") {
+    try {
+      const visible = await listViaBroker();
+      if (visible !== null && visible.includes(key)) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `vault_request_access: '${key}' is ALREADY covered by ${agentSlug}'s ` + `standing ACL (schedule.secrets[]). No approval card or grant is needed \u2014 ` + `read it directly: \`switchroom vault get ${key}\`. Do NOT request a grant for this key (a minted token would shadow the standing ACL). If a read still returns VAULT-BROKER-DENIED, the broker likely needs a restart to ` + `pick up a recent config change \u2014 tell the operator; don't re-request.`
+            }
+          ]
+        };
+      }
+    } catch {}
+  }
   const stageId = randomBytes6(4).toString("hex");
   const pending = {
     agent: agentSlug,
@@ -52562,6 +52604,18 @@ async function handleVaultRecentDenialCallback(ctx, data) {
 }
 async function performVaultAccessApproval(ctx, pending, stageId, senderId, attestation) {
   const brokerAuthOpts = attestation.kind === "passphrase" ? { passphrase: attestation.passphrase } : { attest_via_posture: true };
+  if (pending.scope === "read") {
+    try {
+      const visible = await listViaBroker();
+      if (visible !== null && visible.includes(pending.key)) {
+        pendingVaultRequestAccesses.delete(stageId);
+        if (pending.card_message_id != null) {
+          await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\u2139\uFE0F <b>${escapeHtmlForTg(pending.agent)}</b> already has standing-ACL access to <code>${escapeHtmlForTg(pending.key)}</code> (schedule.secrets[]). ` + `<b>No grant minted</b> \u2014 a token would shadow the standing ACL. ` + `The agent can read it directly.`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+        }
+        return;
+      }
+    } catch {}
+  }
   let existingReadKeys = [];
   let existingWriteKeys = [];
   if (pending.scope === "read" || pending.scope === "write") {

package/telegram-plugin/gateway/access-validator.test.ts

@@ -2,8 +2,8 @@
  * Unit tests for access-validator.ts — validateStringArray.
  *
  * This function guards access.json fields at load time. The motivating bug:
- * a hand-edit that drops quotes around IDs (`[8248703757]` instead of
- * `["8248703757"]`) produces a valid JSON number array. Array.includes() uses
+ * a hand-edit that drops quotes around IDs (`[12345]` instead of
+ * `["12345"]`) produces a valid JSON number array. Array.includes() uses
  * strict equality, so number entries never match the string comparison in the
  * gate — every DM is silently dropped.
  *
@@ -27,7 +27,7 @@ describe('validateStringArray', () => {
   // ─── Happy path ────────────────────────────────────────────────────────────
 
   it('returns the array unchanged for a valid string array', () => {
-    expect(validateStringArray('allowFrom', ['8248703757', '9999'])).toEqual(['8248703757', '9999'])
+    expect(validateStringArray('allowFrom', ['12345', '9999'])).toEqual(['12345', '9999'])
     expect(stderrSpy).not.toHaveBeenCalled()
   })
 
@@ -49,21 +49,21 @@ describe('validateStringArray', () => {
   // ─── Bug reproduction: number array ────────────────────────────────────────
 
   it('rejects a number array (the hand-edit bug) and returns []', () => {
-    // This is the exact bug: [8248703757] parses as a number, not a string.
-    // Array.includes("8248703757") === false for a number entry — silently drops DMs.
-    const result = validateStringArray('allowFrom', [8248703757])
+    // This is the exact bug: [12345] parses as a number, not a string.
+    // Array.includes("12345") === false for a number entry — silently drops DMs.
+    const result = validateStringArray('allowFrom', [12345])
     expect(result).toEqual([])
     expect(stderrSpy).toHaveBeenCalled()
     const msg = String(stderrSpy.mock.calls[0][0])
     expect(msg).toContain('allowFrom')
     expect(msg).toContain('non-string entries')
-    expect(msg).toContain('8248703757')
+    expect(msg).toContain('12345')
   })
 
   // ─── Mixed array ──────────────────────────────────────────────────────────
 
   it('rejects a mixed array (some strings, some numbers) and returns []', () => {
-    const result = validateStringArray('allowFrom', ['8248703757', 9999])
+    const result = validateStringArray('allowFrom', ['12345', 9999])
     expect(result).toEqual([])
     expect(stderrSpy).toHaveBeenCalled()
     const msg = String(stderrSpy.mock.calls[0][0])

package/telegram-plugin/gateway/access-validator.ts

@@ -2,7 +2,7 @@
  * Validates fields loaded from access.json, failing loudly on type mismatches.
  *
  * JSON has no type system — a hand-edit that drops quotes around IDs
- * (e.g. `[8248703757]` instead of `["8248703757"]`) parses without error
+ * (e.g. `[12345]` instead of `["12345"]`) parses without error
  * but produces a number array. The gate compares with strict equality via
  * Array.includes(), so number entries silently drop every matching DM.
  *

package/telegram-plugin/gateway/boot-probes.ts

@@ -1318,7 +1318,14 @@ export async function probeKernel(
  */
 export async function probeSkills(
   agentDir: string,
-  opts: { fs?: SkillsFsImpl; maxNamesShown?: number; agentName?: string } = {},
+  opts: {
+    fs?: SkillsFsImpl
+    maxNamesShown?: number
+    agentName?: string
+    /** Override skills.d overlay dir. Defaults to `<agentDir>/skills.d`
+     *  on host installs; tests inject a path. */
+    overlaySkillsDir?: string
+  } = {},
 ): Promise<ProbeResult> {
   return withTimeout('Skills', (async (): Promise<ProbeResult> => {
     const fs = opts.fs ?? realSkillsFs
@@ -1359,8 +1366,32 @@ export async function probeSkills(
         continue
       }
     }
+
+    // Bucket entries by source: agent-overlay slugs come from filenames
+    // under <agentRoot>/skills.d/<slug>.yaml (written by skill_install).
+    // Everything else is operator-baseline from switchroom.yaml.
+    const overlayDir = opts.overlaySkillsDir ?? join(agentDir, 'skills.d')
+    const overlaySlugs = new Set<string>()
+    if (fs.exists(overlayDir)) {
+      let overlayEntries: string[] = []
+      try {
+        overlayEntries = fs.readdir(overlayDir)
+      } catch {
+        /* unreadable overlay — fall through with empty set */
+      }
+      for (const name of overlayEntries) {
+        const m = name.match(/^(.+)\.ya?ml$/i)
+        if (!m) continue
+        overlaySlugs.add(m[1])
+      }
+    }
+    const liveEntries = entries.filter(n => !dangling.includes(n)).sort()
+    const switchroomSkills = liveEntries.filter(n => !overlaySlugs.has(n))
+    const agentSkills = liveEntries.filter(n => overlaySlugs.has(n))
+    const bucketed = renderBucketedSkills(switchroomSkills, agentSkills)
+
     if (dangling.length === 0) {
-      return { status: 'ok', label: 'Skills', detail: `${entries.length} resolved` }
+      return { status: 'ok', label: 'Skills', detail: bucketed }
     }
     const named = dangling.slice(0, max).join(', ')
     const more = dangling.length > max ? ` +${dangling.length - max} more` : ''
@@ -1368,12 +1399,21 @@ export async function probeSkills(
     return {
       status: 'degraded',
       label: 'Skills',
-      detail: `${dangling.length}/${entries.length} dangling: ${named}${more}`,
+      detail: `${dangling.length}/${entries.length} dangling: ${named}${more} · ${bucketed}`,
       nextStep: `Run \`switchroom agent reconcile${reconcileTarget}\` to rebuild symlinks, or remove unused entries from switchroom.yaml`,
     }
   })())
 }
 
+/** Format the two source-buckets into a single mobile-readable line.
+ *  Empty buckets are omitted. `none` covers the all-dangling edge case. */
+function renderBucketedSkills(switchroom: string[], agent: string[]): string {
+  const parts: string[] = []
+  if (switchroom.length > 0) parts.push(`Switchroom: ${switchroom.join(', ')}`)
+  if (agent.length > 0) parts.push(`Agent: ${agent.join(', ')}`)
+  return parts.length === 0 ? 'none resolved' : parts.join(' · ')
+}
+
 export interface SkillsFsImpl {
   readdir: (p: string) => string[]
   exists: (p: string) => boolean

package/telegram-plugin/gateway/gateway.ts

@@ -4504,6 +4504,44 @@ async function executeVaultRequestAccess(args: Record<string, unknown>): Promise
 
   const agentSlug = process.env.SWITCHROOM_AGENT_NAME || 'agent'
 
+  // Fix B (#1487 follow-up): if this agent's STANDING ACL already
+  // covers the key, do NOT render a card or mint a grant. Minting
+  // writes a `.vault-token` that — pre-#1487 — *shadowed* the standing
+  // ACL (the exact gymbro trap) and is simply redundant post-#1487.
+  // Determine coverage AUTHORITATIVELY by probing the broker AS THIS
+  // AGENT (no-token list over the per-agent socket — path-as-identity;
+  // the gateway runs in the agent's container so the broker attributes
+  // it to this agent). NOT a gateway-side config read: the gateway can
+  // see newer config than the broker has loaded, so a config-derived
+  // "covered" could be wrong where the broker still denies. `list`
+  // returns only ACL-visible key NAMES — never secret values. Read
+  // scope only: schedule.secrets[] confers read, not write.
+  if (scopeRaw === 'read') {
+    try {
+      const visible = await listViaBroker()
+      if (visible !== null && visible.includes(key)) {
+        return {
+          content: [
+            {
+              type: 'text',
+              text:
+                `vault_request_access: '${key}' is ALREADY covered by ${agentSlug}'s ` +
+                `standing ACL (schedule.secrets[]). No approval card or grant is needed — ` +
+                `read it directly: \`switchroom vault get ${key}\`. Do NOT request a grant ` +
+                `for this key (a minted token would shadow the standing ACL). If a read ` +
+                `still returns VAULT-BROKER-DENIED, the broker likely needs a restart to ` +
+                `pick up a recent config change — tell the operator; don't re-request.`,
+            },
+          ],
+        }
+      }
+    } catch {
+      // Probe failed (broker unreachable / transient): fall through to
+      // the normal card flow. Fail-open is correct here — a redundant
+      // card is harmless; suppressing a needed card is not.
+    }
+  }
+
   const stageId = randomBytes(4).toString('hex')
   const pending: PendingVaultRequestAccess = {
     agent: agentSlug,
@@ -9552,6 +9590,40 @@ async function performVaultAccessApproval(
     attestation.kind === 'passphrase'
       ? { passphrase: attestation.passphrase }
       : { attest_via_posture: true as const }
+
+  // Fix B (#1487 follow-up), operator-tap guard. Defense-in-depth for a
+  // card staged before the key became standing-ACL-covered (config edit
+  // / #1487 deploy / drift): if the agent's standing ACL ALREADY covers
+  // this read key, do NOT mint — minting writes a `.vault-token` that
+  // shadows the standing ACL and is redundant. Authoritative broker
+  // probe AS THIS AGENT (no-token list over the per-agent socket — same
+  // rationale as executeVaultRequestAccess; never a gateway-side config
+  // read). Read scope only. Fail-open on probe error (mint as before).
+  if (pending.scope === 'read') {
+    try {
+      const visible = await listViaBroker()
+      if (visible !== null && visible.includes(pending.key)) {
+        pendingVaultRequestAccesses.delete(stageId)
+        if (pending.card_message_id != null) {
+          await ctx.api
+            .editMessageText(
+              pending.chat_id,
+              pending.card_message_id,
+              `ℹ️ <b>${escapeHtmlForTg(pending.agent)}</b> already has standing-ACL access to ` +
+              `<code>${escapeHtmlForTg(pending.key)}</code> (schedule.secrets[]). ` +
+              `<b>No grant minted</b> — a token would shadow the standing ACL. ` +
+              `The agent can read it directly.`,
+              { parse_mode: 'HTML', reply_markup: { inline_keyboard: [] } },
+            )
+            .catch(() => {})
+        }
+        return
+      }
+    } catch {
+      // Probe failed: fall through and mint as before (fail-open).
+    }
+  }
+
   // #1051: union the new key with the agent's existing active grant
   // before minting. Without this, each fresh Approve OVERWRITES the
   // agent's `.vault-token` file with a single-key grant — the

package/telegram-plugin/recent-outbound-dedup.ts

@@ -14,7 +14,7 @@
  *      stream_reply lands as a SECOND message with the same content
  *      (raw markdown, since reply tools don't always render HTML).
  *
- * Smoking-gun evidence: klanker chat 8248703757, msgs 5025 + 5027,
+ * Smoking-gun evidence: klanker chat 12345, msgs 5025 + 5027,
  * 11s apart. msg=5025 had `<b>...</b>` (turn-flush + markdownToHtml).
  * msg=5027 had `**...**` (the raw markdown reply tool's payload).
  * Same content, different formatting, two messages.

package/telegram-plugin/registry/turns-schema.ts

@@ -12,7 +12,7 @@
  * Schema (one table):
  *
  *   turns
- *     turn_key              TEXT PK           -- e.g. "8248703757:11"
+ *     turn_key              TEXT PK           -- e.g. "12345:11"
  *     chat_id               TEXT NOT NULL
  *     thread_id             TEXT              -- nullable: forum topics only
  *     started_at            INTEGER NOT NULL  -- unix ms

package/telegram-plugin/tests/auth-add-flow.test.ts

@@ -127,7 +127,7 @@ function fakeClaudeBinary(opts: {
     const creds = {
       claudeAiOauth: {
         accessToken: ${JSON.stringify(token)},
-        refreshToken: 'sk-ant-ort01-test-refresh',
+        refreshToken: ${JSON.stringify(['sk-ant-', 'ort01-test-refresh'].join(''))},
         expiresAt: Date.now() + 8 * 3600_000,
         scopes: ['user:inference'],
         subscriptionType: 'max',

package/telegram-plugin/tests/auth-command-format2.test.ts

@@ -45,14 +45,14 @@ function qOk(part: Partial<QuotaUtilization>): QuotaResult {
 const NOW_MS = new Date('2026-05-15T00:53:00Z').getTime();
 
 const FIXTURE_STATE: ListStateData = {
-  active: 'pixsoul@x',
-  fallback_order: ['ken@x', 'me@x', 'pixsoul@x'],
+  active: 'you@x',
+  fallback_order: ['ken@x', 'me@x', 'you@x'],
   accounts: [
     { label: 'ken@x', exhausted: false },
     { label: 'me@x', exhausted: false },
-    { label: 'pixsoul@x', exhausted: false },
+    { label: 'you@x', exhausted: false },
   ],
-  agents: [{ name: 'carrie', account: 'pixsoul@x', override: null }],
+  agents: [{ name: 'carrie', account: 'you@x', override: null }],
   consumers: [],
 };