switchroom 0.12.12 → 0.12.14

package/dist/host-control/main.js

@@ -15877,7 +15877,7 @@ class HostdServer {
     const PROBES = [
       {
         name: "auth",
-        cmd: 'test -s "$CLAUDE_CONFIG_DIR/.credentials.json" || test -s "$HOME/.claude/.credentials.json"'
+        cmd: "test -s /state/agent/.claude/.credentials.json"
       },
       {
         name: "scheduler",

package/dist/vault/approvals/kernel-server.js

@@ -11719,6 +11719,24 @@ var LockRequestSchema = exports_external.object({
   v: exports_external.literal(1),
   op: exports_external.literal("lock")
 });
+var PreflightAccessRequestSchema = exports_external.object({
+  v: exports_external.literal(1),
+  op: exports_external.literal("preflight_access"),
+  agent: exports_external.string().min(1),
+  keys: exports_external.array(exports_external.string().min(1)).min(1).max(128)
+});
+var OkPreflightAccessResponseSchema = exports_external.object({
+  ok: exports_external.literal(true),
+  op: exports_external.literal("preflight_access"),
+  results: exports_external.array(exports_external.object({
+    key: exports_external.string(),
+    exists: exports_external.boolean(),
+    acl_ok: exports_external.boolean(),
+    acl_reason: exports_external.string().optional(),
+    scope_ok: exports_external.boolean(),
+    scope_reason: exports_external.string().optional()
+  }))
+});
 var ApprovalRequestRequestSchema = exports_external.object({
   v: exports_external.literal(1),
   op: exports_external.literal("approval_request"),
@@ -11776,6 +11794,7 @@ var RequestSchema = exports_external.discriminatedUnion("op", [
   ListRequestSchema,
   StatusRequestSchema,
   LockRequestSchema,
+  PreflightAccessRequestSchema,
   MintGrantRequestSchema,
   ListGrantsRequestSchema,
   RevokeGrantRequestSchema,
@@ -11916,6 +11935,7 @@ var ResponseSchema = exports_external.union([
   OkKeysResponseSchema,
   OkStatusResponseSchema,
   OkLockResponseSchema,
+  OkPreflightAccessResponseSchema,
   OkPutResponseSchema,
   OkMintGrantResponseSchema,
   OkListGrantsResponseSchema,

package/dist/vault/broker/server.js

@@ -12899,6 +12899,48 @@ function readAutoUnlockFile(filePath) {
 }
 var DEFAULT_AUTO_UNLOCK_PATH = "~/.switchroom/vault-auto-unlock";
 
+// src/config/google-workspace-acl.ts
+function shouldEmitGdriveMcp(agentName, agentGoogleAccount, googleAccounts) {
+  if (!agentGoogleAccount)
+    return false;
+  const account = agentGoogleAccount.trim().toLowerCase();
+  if (account.length === 0)
+    return false;
+  const acctEntry = googleAccounts?.[account];
+  if (!acctEntry)
+    return false;
+  const enabledFor = acctEntry.enabled_for ?? [];
+  return enabledFor.includes(agentName);
+}
+function vaultRefKey(value) {
+  if (typeof value !== "string" || !value.startsWith("vault:"))
+    return null;
+  const key = value.slice("vault:".length).split("#")[0];
+  return key.length > 0 ? key : null;
+}
+function isGoogleClientCredentialKeyForAgent(config, agentName, key) {
+  if (!agentName || !key)
+    return false;
+  const agentConfig = config.agents?.[agentName];
+  if (!agentConfig)
+    return false;
+  if (agentConfig.mcp_servers?.["gdrive"] === false) {
+    return false;
+  }
+  const account = agentConfig.google_workspace?.account;
+  if (!shouldEmitGdriveMcp(agentName, account, config.google_accounts)) {
+    return false;
+  }
+  const gw = config.google_workspace;
+  if (!gw)
+    return false;
+  for (const ref of [gw.google_client_id, gw.google_client_secret]) {
+    if (vaultRefKey(ref) === key)
+      return true;
+  }
+  return false;
+}
+
 // src/vault/broker/acl.ts
 function parseCronUnit(unitName) {
   const m = unitName.match(/^switchroom-([a-zA-Z0-9_-]+)-cron-(\d+)\.service$/);
@@ -12986,6 +13028,9 @@ function checkAclByAgent(config, agentName, key) {
   if (googleSlot !== null) {
     return checkGoogleAccountAcl(config, agentName, googleSlot.account, key);
   }
+  if (isGoogleClientCredentialKeyForAgent(config, agentName, key)) {
+    return { allow: true };
+  }
   const agentBot = agentConfig.bot_token;
   const botRef = agentBot && agentBot.length > 0 ? agentBot : config.telegram?.bot_token;
   if (typeof botRef === "string" && botRef.startsWith("vault:")) {
@@ -13102,6 +13147,24 @@ var LockRequestSchema = exports_external.object({
   v: exports_external.literal(1),
   op: exports_external.literal("lock")
 });
+var PreflightAccessRequestSchema = exports_external.object({
+  v: exports_external.literal(1),
+  op: exports_external.literal("preflight_access"),
+  agent: exports_external.string().min(1),
+  keys: exports_external.array(exports_external.string().min(1)).min(1).max(128)
+});
+var OkPreflightAccessResponseSchema = exports_external.object({
+  ok: exports_external.literal(true),
+  op: exports_external.literal("preflight_access"),
+  results: exports_external.array(exports_external.object({
+    key: exports_external.string(),
+    exists: exports_external.boolean(),
+    acl_ok: exports_external.boolean(),
+    acl_reason: exports_external.string().optional(),
+    scope_ok: exports_external.boolean(),
+    scope_reason: exports_external.string().optional()
+  }))
+});
 var ApprovalRequestRequestSchema = exports_external.object({
   v: exports_external.literal(1),
   op: exports_external.literal("approval_request"),
@@ -13159,6 +13222,7 @@ var RequestSchema = exports_external.discriminatedUnion("op", [
   ListRequestSchema,
   StatusRequestSchema,
   LockRequestSchema,
+  PreflightAccessRequestSchema,
   MintGrantRequestSchema,
   ListGrantsRequestSchema,
   RevokeGrantRequestSchema,
@@ -13299,6 +13363,7 @@ var ResponseSchema = exports_external.union([
   OkKeysResponseSchema,
   OkStatusResponseSchema,
   OkLockResponseSchema,
+  OkPreflightAccessResponseSchema,
   OkPutResponseSchema,
   OkMintGrantResponseSchema,
   OkListGrantsResponseSchema,
@@ -15741,7 +15806,9 @@ class VaultBroker {
     this._writePidFile();
     this._sdNotify(`READY=1
 `);
-    this._tryAutoUnlock();
+    if (this.testOpts._testSecrets === undefined) {
+      this._tryAutoUnlock();
+    }
     if (process.platform !== "linux") {
       process.stderr.write(`[vault-broker] WARNING: running on ${process.platform} with ` + `SWITCHROOM_BROKER_ALLOW_NON_LINUX=1 — peercred ACL is disabled. ` + `Access control is socket file mode 0600 ONLY. Do not use this configuration for production secrets.
 `);
@@ -16052,6 +16119,49 @@ class VaultBroker {
       socket.write(encodeResponse({ ok: true, locked: true }));
       return;
     }
+    if (req.op === "preflight_access") {
+      if (!isOperator) {
+        writeAudit({
+          ts: new Date().toISOString(),
+          op: "preflight_access",
+          caller: auditCaller,
+          pid: auditPid,
+          cgroup: auditCgroup,
+          result: "denied:operator-only"
+        });
+        socket.write(encodeResponse(errorResponse("DENIED", "preflight_access is operator-only")));
+        return;
+      }
+      if (this.secrets === null) {
+        socket.write(encodeResponse(errorResponse("LOCKED", "Vault is locked")));
+        return;
+      }
+      const pfSecrets = this.secrets;
+      const pfConfig = this.config;
+      const results = req.keys.map((key) => {
+        const exists = Object.prototype.hasOwnProperty.call(pfSecrets, key);
+        const acl = pfConfig !== null ? checkAclByAgent(pfConfig, req.agent, key) : { allow: false, reason: "broker has no config loaded" };
+        const scope = checkEntryScope(pfSecrets[key]?.scope, req.agent);
+        return {
+          key,
+          exists,
+          acl_ok: acl.allow,
+          ...acl.allow ? {} : { acl_reason: acl.reason },
+          scope_ok: scope.allow,
+          ...scope.allow ? {} : { scope_reason: scope.reason }
+        };
+      });
+      writeAudit({
+        ts: new Date().toISOString(),
+        op: "preflight_access",
+        caller: auditCaller,
+        pid: auditPid,
+        cgroup: auditCgroup,
+        result: `allowed:agent=${req.agent},keys=${req.keys.length}`
+      });
+      socket.write(encodeResponse({ ok: true, op: "preflight_access", results }));
+      return;
+    }
     if (req.op === "list") {
       if (this.secrets === null) {
         socket.write(encodeResponse(errorResponse("LOCKED", "Vault is locked")));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.12.12",
+  "version": "0.12.14",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/dist/gateway/gateway.js

@@ -24664,7 +24664,7 @@ function decodeResponse2(line) {
   const obj = JSON.parse(line);
   return ResponseSchema2.parse(obj);
 }
-var MAX_FRAME_BYTES2, GetRequestSchema, PutRequestSchema, ListRequestSchema, MintGrantRequestSchema, ListGrantsRequestSchema, RevokeGrantRequestSchema, StatusRequestSchema, LockRequestSchema, ApprovalRequestRequestSchema, ApprovalLookupRequestSchema, ApprovalConsumeRequestSchema, ApprovalRevokeRequestSchema, ApprovalListRequestSchema, ApprovalDecisionModeSchema, ApprovalRecordRequestSchema, RequestSchema2, VaultEntrySchema, ErrorCode, OkEntryResponseSchema, OkKeysResponseSchema, BrokerStatus, OkStatusResponseSchema, OkLockResponseSchema, OkPutResponseSchema, OkMintGrantResponseSchema, GrantMetaSchema, OkListGrantsResponseSchema, OkRevokeGrantResponseSchema, OkApprovalRequestResponseSchema, ApprovalDecisionMetaSchema, OkApprovalLookupResponseSchema, OkApprovalConsumeResponseSchema, OkApprovalRevokeResponseSchema, OkApprovalListResponseSchema, OkApprovalRecordResponseSchema, ErrorResponseSchema2, ResponseSchema2;
+var MAX_FRAME_BYTES2, GetRequestSchema, PutRequestSchema, ListRequestSchema, MintGrantRequestSchema, ListGrantsRequestSchema, RevokeGrantRequestSchema, StatusRequestSchema, LockRequestSchema, PreflightAccessRequestSchema, OkPreflightAccessResponseSchema, ApprovalRequestRequestSchema, ApprovalLookupRequestSchema, ApprovalConsumeRequestSchema, ApprovalRevokeRequestSchema, ApprovalListRequestSchema, ApprovalDecisionModeSchema, ApprovalRecordRequestSchema, RequestSchema2, VaultEntrySchema, ErrorCode, OkEntryResponseSchema, OkKeysResponseSchema, BrokerStatus, OkStatusResponseSchema, OkLockResponseSchema, OkPutResponseSchema, OkMintGrantResponseSchema, GrantMetaSchema, OkListGrantsResponseSchema, OkRevokeGrantResponseSchema, OkApprovalRequestResponseSchema, ApprovalDecisionMetaSchema, OkApprovalLookupResponseSchema, OkApprovalConsumeResponseSchema, OkApprovalRevokeResponseSchema, OkApprovalListResponseSchema, OkApprovalRecordResponseSchema, ErrorResponseSchema2, ResponseSchema2;
 var init_protocol2 = __esm(() => {
   init_zod();
   MAX_FRAME_BYTES2 = 64 * 1024;
@@ -24723,6 +24723,24 @@ var init_protocol2 = __esm(() => {
     v: exports_external.literal(1),
     op: exports_external.literal("lock")
   });
+  PreflightAccessRequestSchema = exports_external.object({
+    v: exports_external.literal(1),
+    op: exports_external.literal("preflight_access"),
+    agent: exports_external.string().min(1),
+    keys: exports_external.array(exports_external.string().min(1)).min(1).max(128)
+  });
+  OkPreflightAccessResponseSchema = exports_external.object({
+    ok: exports_external.literal(true),
+    op: exports_external.literal("preflight_access"),
+    results: exports_external.array(exports_external.object({
+      key: exports_external.string(),
+      exists: exports_external.boolean(),
+      acl_ok: exports_external.boolean(),
+      acl_reason: exports_external.string().optional(),
+      scope_ok: exports_external.boolean(),
+      scope_reason: exports_external.string().optional()
+    }))
+  });
   ApprovalRequestRequestSchema = exports_external.object({
     v: exports_external.literal(1),
     op: exports_external.literal("approval_request"),
@@ -24780,6 +24798,7 @@ var init_protocol2 = __esm(() => {
     ListRequestSchema,
     StatusRequestSchema,
     LockRequestSchema,
+    PreflightAccessRequestSchema,
     MintGrantRequestSchema,
     ListGrantsRequestSchema,
     RevokeGrantRequestSchema,
@@ -24920,6 +24939,7 @@ var init_protocol2 = __esm(() => {
     OkKeysResponseSchema,
     OkStatusResponseSchema,
     OkLockResponseSchema,
+    OkPreflightAccessResponseSchema,
     OkPutResponseSchema,
     OkMintGrantResponseSchema,
     OkListGrantsResponseSchema,
@@ -29610,15 +29630,6 @@ async function handleApprovalCallback(ctx, data) {
     await ctx.answerCallbackQuery({ text: "malformed approval callback" });
     return;
   }
-  const consumed = await approvalConsume2(parsed.request_id);
-  if (consumed === null) {
-    await ctx.answerCallbackQuery({ text: "approval kernel unreachable" });
-    return;
-  }
-  if (!consumed.consumed) {
-    await ctx.answerCallbackQuery({ text: "this prompt expired" });
-    return;
-  }
   let decision;
   let granted;
   let ttl_ms = null;
@@ -29652,6 +29663,15 @@ async function handleApprovalCallback(ctx, data) {
       break;
     }
   }
+  const consumed = await approvalConsume2(parsed.request_id);
+  if (consumed === null) {
+    await ctx.answerCallbackQuery({ text: "approval kernel unreachable" });
+    return;
+  }
+  if (!consumed.consumed) {
+    await ctx.answerCallbackQuery({ text: "this prompt expired" });
+    return;
+  }
   const granted_by_user_id = ctx.from?.id ?? 0;
   const approver_set = [String(granted_by_user_id)];
   const decision_id = await approvalRecord2({
@@ -43366,6 +43386,52 @@ function createPendingInboundBuffer(opts = {}) {
   };
 }
 
+// gateway/pending-permission-decisions.ts
+var DEFAULT_PENDING_PERMISSION_CAP = 32;
+function createPendingPermissionBuffer(opts = {}) {
+  const cap = opts.capPerAgent ?? DEFAULT_PENDING_PERMISSION_CAP;
+  const log = opts.log ?? ((line) => process.stderr.write(line));
+  const queues = new Map;
+  return {
+    push(agent, ev) {
+      let q = queues.get(agent);
+      if (q == null) {
+        q = [];
+        queues.set(agent, q);
+      }
+      let evicted = false;
+      if (q.length >= cap) {
+        const dropped = q.shift();
+        evicted = true;
+        log(`pending-permission-buffer: agent=${agent} cap=${cap} reached \u2014 ` + `dropped oldest verdict request=${dropped?.requestId ?? "-"} ` + `behavior=${dropped?.behavior ?? "-"}
+`);
+      }
+      q.push(ev);
+      log(`pending-permission-buffer: agent=${agent} buffered request=${ev.requestId} ` + `behavior=${ev.behavior} depth_after=${q.length} evicted=${evicted}
+`);
+      return !evicted;
+    },
+    drain(agent) {
+      const q = queues.get(agent);
+      if (q == null || q.length === 0)
+        return [];
+      queues.delete(agent);
+      log(`pending-permission-buffer: drained agent=${agent} count=${q.length} ` + `requests=[${q.map((e) => e.requestId).join(",")}]
+`);
+      return q;
+    },
+    depth(agent) {
+      return queues.get(agent)?.length ?? 0;
+    },
+    totalDepth() {
+      let n = 0;
+      for (const q of queues.values())
+        n += q.length;
+      return n;
+    }
+  };
+}
+
 // gateway/vault-grant-inbound-builders.ts
 function buildVaultGrantApprovedInbound(opts) {
   const ts = opts.nowMs ?? Date.now();
@@ -43409,6 +43475,63 @@ function buildVaultGrantDeniedInbound(opts) {
     }
   };
 }
+function buildVaultSaveCompletedInbound(opts) {
+  const ts = opts.nowMs ?? Date.now();
+  return {
+    type: "inbound",
+    chatId: opts.ctx.chat_id,
+    messageId: ts,
+    user: "vault-broker",
+    userId: 0,
+    ts,
+    text: `\u2705 Operator saved your secret as \`vault:${opts.ctx.key}\`. ` + `Please resume the task that was waiting on it \u2014 reference the ` + `value via the usual \`vault:${opts.ctx.key}\` path.`,
+    meta: {
+      source: "vault_save_completed",
+      agent: opts.ctx.agent,
+      key: opts.ctx.key,
+      stage_id: opts.stageId,
+      operator_id: opts.operatorId
+    }
+  };
+}
+function buildVaultSaveFailedInbound(opts) {
+  const ts = opts.nowMs ?? Date.now();
+  return {
+    type: "inbound",
+    chatId: opts.ctx.chat_id,
+    messageId: ts,
+    user: "vault-broker",
+    userId: 0,
+    ts,
+    text: `\u26a0\ufe0f The operator tapped Save but the vault write for ` + `\`vault:${opts.ctx.key}\` FAILED (${opts.reason}). The secret was ` + `NOT stored \u2014 do NOT assume \`vault:${opts.ctx.key}\` resolves. ` + `Either retry the save (the operator may need to fix the underlying ` + `issue first) or pick a fallback for the original task.`,
+    meta: {
+      source: "vault_save_failed",
+      agent: opts.ctx.agent,
+      key: opts.ctx.key,
+      stage_id: opts.stageId,
+      operator_id: opts.operatorId
+    }
+  };
+}
+function buildVaultSaveDiscardedInbound(opts) {
+  const ts = opts.nowMs ?? Date.now();
+  return {
+    type: "inbound",
+    chatId: opts.ctx.chat_id,
+    messageId: ts,
+    user: "vault-broker",
+    userId: 0,
+    ts,
+    text: `\uD83D\uDEAB Operator discarded your \`vault_request_save\` for ` + `\`${opts.ctx.key}\` \u2014 the secret was NOT stored and ` + `\`vault:${opts.ctx.key}\` will not resolve. Pick a fallback for ` + `the original task (ask the user, try another approach, or skip ` + `the feature). Do NOT re-request the save without asking the user.`,
+    meta: {
+      source: "vault_save_discarded",
+      agent: opts.ctx.agent,
+      key: opts.ctx.key,
+      stage_id: opts.stageId,
+      operator_id: opts.operatorId
+    }
+  };
+}
 
 // gateway/poll-health.ts
 var DEFAULT_LOG = (msg) => {
@@ -46621,11 +46744,11 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.12.12";
-var COMMIT_SHA = "85dea837";
-var COMMIT_DATE = "2026-05-19T01:52:34Z";
-var LATEST_PR = 1530;
-var COMMITS_AHEAD_OF_TAG = 6;
+var VERSION = "0.12.14";
+var COMMIT_SHA = "db6d87d6";
+var COMMIT_DATE = "2026-05-19T05:51:09Z";
+var LATEST_PR = 1542;
+var COMMITS_AHEAD_OF_TAG = 17;
 
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {
@@ -47995,8 +48118,12 @@ var pendingStateReaper = setInterval(() => {
       pendingVaultOps.delete(k);
   }
   for (const [k, v] of pendingPermissions) {
-    if (now - v.startedAt > PERMISSION_TTL_MS)
+    if (now - v.startedAt > PERMISSION_TTL_MS) {
+      dispatchPermissionVerdict({ type: "permission", requestId: k, behavior: "deny" });
+      process.stderr.write(`telegram gateway: permission TTL expired \u2014 auto-deny request=${k} tool=${v.tool_name} (no operator response in ${Math.round(PERMISSION_TTL_MS / 60000)}m)
+`);
       pendingPermissions.delete(k);
+    }
   }
   for (const [k, v] of vaultPassphraseCache) {
     if (now > v.expiresAt)
@@ -48316,6 +48443,16 @@ startTimer({
   }
 });
 var pendingInboundBuffer = createPendingInboundBuffer();
+var pendingPermissionBuffer = createPendingPermissionBuffer();
+function dispatchPermissionVerdict(ev) {
+  const selfAgent = process.env.SWITCHROOM_AGENT_NAME ?? "";
+  const delivered = ipcServer.sendToAgent(selfAgent, ev);
+  if (!delivered) {
+    pendingPermissionBuffer.push(selfAgent, ev);
+    process.stderr.write(`telegram gateway: permission verdict buffered (bridge offline) request=${ev.requestId} behavior=${ev.behavior}
+`);
+  }
+}
 var ipcServer = createIpcServer({
   socketPath: SOCKET_PATH,
   onClientRegistered(client3) {
@@ -48329,6 +48466,15 @@ var ipcServer = createIpcServer({
           client3.send(msg);
         } catch (err) {
           process.stderr.write(`telegram gateway: pending-inbound drain failed agent=${client3.agentName} source=${msg.meta?.source ?? "-"}: ${err.message}
+`);
+        }
+      }
+      const pendingVerdicts = pendingPermissionBuffer.drain(client3.agentName);
+      for (const ev of pendingVerdicts) {
+        try {
+          client3.send(ev);
+        } catch (err) {
+          process.stderr.write(`telegram gateway: pending-permission drain failed agent=${client3.agentName} request=${ev.requestId} behavior=${ev.behavior}: ${err.message}
 `);
         }
       }
@@ -50646,7 +50792,7 @@ async function handleInbound(ctx, text, downloadImage, attachment) {
   if (permMatch) {
     const behavior = permMatch[1].toLowerCase().startsWith("y") ? "allow" : "deny";
     const request_id = permMatch[2].toLowerCase();
-    ipcServer.broadcast({
+    dispatchPermissionVerdict({
       type: "permission",
       requestId: request_id,
       behavior
@@ -51121,11 +51267,12 @@ ${preBlock(write.output)}`;
       } : {}
     }
   };
-  ipcServer.broadcast(inboundMsg);
-  const delivered = ipcServer.clientCount() > 0;
+  const selfAgent = process.env.SWITCHROOM_AGENT_NAME ?? "";
+  const delivered = ipcServer.sendToAgent(selfAgent, inboundMsg);
   if (!delivered) {
+    pendingInboundBuffer.push(selfAgent, inboundMsg);
     const threadOpts = messageThreadId != null ? { message_thread_id: messageThreadId } : {};
-    swallowingApiCall(() => bot.api.sendMessage(chat_id, "\u23F3 Agent is restarting, please wait\u2026", { ...threadOpts }), {
+    swallowingApiCall(() => bot.api.sendMessage(chat_id, "\u23F3 Agent is restarting \u2014 your message is queued and will be processed when it reconnects.", { ...threadOpts }), {
       chat_id,
       verb: "agent-restarting-notice",
       ...messageThreadId != null ? { threadId: messageThreadId } : {}
@@ -52298,7 +52445,7 @@ async function handlePermissionSlash(ctx, behavior) {
     await switchroomReply(ctx, `No pending permission for id <code>${escapeHtmlForTg(request_id)}</code>. It may have already been answered or timed out.`, { html: true });
     return;
   }
-  ipcServer.broadcast({ type: "permission", requestId: request_id, behavior });
+  dispatchPermissionVerdict({ type: "permission", requestId: request_id, behavior });
   pendingPermissions.delete(request_id);
   process.stderr.write(`[telegram gateway] slash-${behavior} request_id=${request_id} tool=${details.tool_name} by=${senderId}
 `);
@@ -52893,6 +53040,16 @@ async function handleVaultRequestSaveCallback(ctx, data) {
     if (pending.card_message_id != null) {
       await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\uD83D\uDEAB <i>Discarded. The secret was not written to the vault.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
     }
+    const discardInbound = buildVaultSaveDiscardedInbound({
+      ctx: { agent: pending.agent, key: pending.key, chat_id: pending.chat_id },
+      stageId,
+      operatorId: senderId
+    });
+    const dDelivered = ipcServer.sendToAgent(pending.agent, discardInbound);
+    process.stderr.write(`telegram gateway: vault_save_discarded injection agent=${pending.agent} key=${pending.key} stage=${stageId} delivered=${dDelivered}
+`);
+    if (!dDelivered)
+      pendingInboundBuffer.push(pending.agent, discardInbound);
     return;
   }
   if (action === "rename") {
@@ -52935,6 +53092,19 @@ async function handleVaultRequestSaveCallback(ctx, data) {
 <i>Tap a fresh card after fixing the underlying issue.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
       }
       pendingVaultRequestSaves.delete(stageId);
+      const failReason = (write.output || "vault write error").split(`
+`)[0].slice(0, 200);
+      const failInbound = buildVaultSaveFailedInbound({
+        ctx: { agent: pending.agent, key: pending.key, chat_id: pending.chat_id },
+        stageId,
+        operatorId: senderId,
+        reason: failReason
+      });
+      const fDelivered = ipcServer.sendToAgent(pending.agent, failInbound);
+      process.stderr.write(`telegram gateway: vault_save_failed injection agent=${pending.agent} key=${pending.key} stage=${stageId} delivered=${fDelivered}
+`);
+      if (!fDelivered)
+        pendingInboundBuffer.push(pending.agent, failInbound);
       return;
     }
     pendingVaultRequestSaves.delete(stageId);
@@ -52942,6 +53112,16 @@ async function handleVaultRequestSaveCallback(ctx, data) {
       await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\u2705 saved as <code>vault:${escapeHtmlForTg(pending.key)}</code> (masked: <code>${escapeHtmlForTg(maskToken2(pending.value))}</code>)
 <i>The agent can now reference this as <code>vault:${escapeHtmlForTg(pending.key)}</code>.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
     }
+    const okInbound = buildVaultSaveCompletedInbound({
+      ctx: { agent: pending.agent, key: pending.key, chat_id: pending.chat_id },
+      stageId,
+      operatorId: senderId
+    });
+    const okDelivered = ipcServer.sendToAgent(pending.agent, okInbound);
+    process.stderr.write(`telegram gateway: vault_save_completed injection agent=${pending.agent} key=${pending.key} stage=${stageId} delivered=${okDelivered}
+`);
+    if (!okDelivered)
+      pendingInboundBuffer.push(pending.agent, okInbound);
     return;
   }
   await ctx.answerCallbackQuery({ text: "Unknown action" }).catch(() => {});
@@ -54348,9 +54528,11 @@ ${preBlock(formatSwitchroomOutput(err.message ?? "unknown error"))}`, { html: tr
     };
     process.stderr.write(`telegram gateway: button_callback chatId=${cbChatId} user=${ctx.from.id} data=${JSON.stringify(agentCb.raw)} btnText=${JSON.stringify(buttonText ?? null)}
 `);
-    ipcServer.broadcast(inboundMsg);
-    if (ipcServer.clientCount() === 0) {
-      swallowingApiCall(() => bot.api.sendMessage(cbChatId, "\u23F3 Agent is restarting \u2014 your button tap was queued but won't be processed until it comes back.", cbThreadId != null ? { message_thread_id: cbThreadId } : {}), {
+    const selfAgentBtn = process.env.SWITCHROOM_AGENT_NAME ?? "";
+    const btnDelivered = ipcServer.sendToAgent(selfAgentBtn, inboundMsg);
+    if (!btnDelivered) {
+      pendingInboundBuffer.push(selfAgentBtn, inboundMsg);
+      swallowingApiCall(() => bot.api.sendMessage(cbChatId, "\u23F3 Agent is restarting \u2014 your button tap is queued and will be processed when it comes back.", cbThreadId != null ? { message_thread_id: cbThreadId } : {}), {
         chat_id: cbChatId,
         verb: "button-tap-restarting-notice",
         ...cbThreadId != null ? { threadId: cbThreadId } : {}
@@ -54445,7 +54627,7 @@ ${prettyInput}`;
 ${editLabel}` : editLabel,
       parseMode: "HTML",
       synthInbound: () => {
-        ipcServer.broadcast({
+        dispatchPermissionVerdict({
           type: "permission",
           requestId: request_id,
           behavior: "allow",
@@ -54466,7 +54648,7 @@ ${editLabel}` : editLabel,
 ${label}` : label,
     parseMode: "HTML",
     synthInbound: () => {
-      ipcServer.broadcast({
+      dispatchPermissionVerdict({
         type: "permission",
         requestId: request_id,
         behavior

package/telegram-plugin/gateway/approval-callback.ts

@@ -57,19 +57,18 @@ export async function handleApprovalCallback(
     return;
   }
 
-  const consumed = await approvalConsume(parsed.request_id);
-  if (consumed === null) {
-    await ctx.answerCallbackQuery({ text: "approval kernel unreachable" });
-    return;
-  }
-  if (!consumed.consumed) {
-    // Single-use enforcement: someone already tapped, or the nonce
-    // expired/unknown. Match the RFC §8.1 wording.
-    await ctx.answerCallbackQuery({ text: "this prompt expired" });
-    return;
-  }
-
-  // Compute decision + ttl from the choice variant.
+  // Compute decision + ttl from the choice variant BEFORE burning the
+  // single-use nonce. This block has a fallible early-return (the
+  // `bad ttl token` path). Pre-fix it ran AFTER approvalConsume(), so a
+  // malformed ttl token burned the nonce but recorded no decision — the
+  // agent's approval_lookup poll never saw a verdict and the turn
+  // wedged (pre-PR-3: forever; now bounded by PR-3's PERMISSION_TTL
+  // auto-deny). approvalConsume stays the atomic single-use guard; it
+  // simply doesn't fire until we have a valid decision to record
+  // immediately after. There is now NO fallible step between
+  // consume→record; the only residual gap is the inherent 1-RPC
+  // consume/record non-atomicity (backstopped by PR-3's TTL auto-deny;
+  // a fully atomic kernel consume+record is a tracked follow-up).
   let decision: ApprovalDecisionMode;
   let granted: boolean;
   let ttl_ms: number | null = null;
@@ -107,6 +106,18 @@ export async function handleApprovalCallback(
     }
   }
 
+  const consumed = await approvalConsume(parsed.request_id);
+  if (consumed === null) {
+    await ctx.answerCallbackQuery({ text: "approval kernel unreachable" });
+    return;
+  }
+  if (!consumed.consumed) {
+    // Single-use enforcement: someone already tapped, or the nonce
+    // expired/unknown. Match the RFC §8.1 wording.
+    await ctx.answerCallbackQuery({ text: "this prompt expired" });
+    return;
+  }
+
   const granted_by_user_id = ctx.from?.id ?? 0;
   // Approver set at decision time = the chat that received the card. We
   // store the singleton for now; the gateway-side approver-set lookup