npm - switchroom - Versions diffs - 0.12.14 → 0.12.15 - Mend

switchroom 0.12.14 → 0.12.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/cli/switchroom.js +367 -278
package/dist/vault/approvals/kernel-server.js +68 -1
package/dist/vault/broker/server.js +21 -1
package/package.json +1 -1
package/telegram-plugin/dist/gateway/gateway.js +96 -70
package/telegram-plugin/gateway/approval-callback.test.ts +49 -1
package/telegram-plugin/gateway/approval-callback.ts +85 -67
package/telegram-plugin/gateway/gateway.ts +19 -2
package/telegram-plugin/gateway/pending-inbound-buffer.ts +39 -0
package/telegram-plugin/tests/pending-inbound-buffer.test.ts +71 -1

package/dist/vault/approvals/kernel-server.js CHANGED Viewed

@@ -11788,6 +11788,15 @@ var ApprovalRecordRequestSchema = exports_external.object({
   granted_by_user_id: exports_external.number().int(),
   ttl_ms: exports_external.number().int().positive().nullable().optional()
 });
+var ApprovalConsumeRecordRequestSchema = exports_external.object({
+  v: exports_external.literal(1),
+  op: exports_external.literal("approval_consume_record"),
+  request_id: exports_external.string().regex(/^[0-9a-f]{32}$/),
+  decision: ApprovalDecisionModeSchema,
+  approver_set: exports_external.array(exports_external.string()),
+  granted_by_user_id: exports_external.number().int(),
+  ttl_ms: exports_external.number().int().positive().nullable().optional()
+});
 var RequestSchema = exports_external.discriminatedUnion("op", [
   GetRequestSchema,
   PutRequestSchema,
@@ -11803,7 +11812,8 @@ var RequestSchema = exports_external.discriminatedUnion("op", [
   ApprovalConsumeRequestSchema,
   ApprovalRevokeRequestSchema,
   ApprovalListRequestSchema,
-  ApprovalRecordRequestSchema
+  ApprovalRecordRequestSchema,
+  ApprovalConsumeRecordRequestSchema
 ]);
 var VaultEntrySchema = exports_external.union([
   exports_external.object({ kind: exports_external.literal("string"), value: exports_external.string() }),
@@ -11925,6 +11935,15 @@ var OkApprovalRecordResponseSchema = exports_external.object({
   ok: exports_external.literal(true),
   decision_id: exports_external.string()
 });
+var OkApprovalConsumeRecordResponseSchema = exports_external.object({
+  ok: exports_external.literal(true),
+  consumed: exports_external.boolean(),
+  decision_id: exports_external.string().optional(),
+  agent_unit: exports_external.string().optional(),
+  scope: exports_external.string().optional(),
+  action: exports_external.string().optional(),
+  why: exports_external.string().nullable().optional()
+});
 var ErrorResponseSchema = exports_external.object({
   ok: exports_external.literal(false),
   code: ErrorCode,
@@ -11946,6 +11965,7 @@ var ResponseSchema = exports_external.union([
   OkApprovalRevokeResponseSchema,
   OkApprovalListResponseSchema,
   OkApprovalRecordResponseSchema,
+  OkApprovalConsumeRecordResponseSchema,
   ErrorResponseSchema
 ]);
 function decodeRequest(line) {
@@ -12264,6 +12284,22 @@ function recordDecision(db, input, now = Date.now()) {
   });
   return id;
 }
+function consumeAndRecord(db, input, now = Date.now()) {
+  const run = db.transaction(() => {
+    const nonce = consumeNonce(db, input.request_id, now);
+    if (nonce === null)
+      return { consumed: false };
+    const decision_id = recordDecision(db, {
+      nonce,
+      decision: input.decision,
+      approver_set: input.approver_set,
+      granted_by_user_id: input.granted_by_user_id,
+      ttl_ms: input.ttl_ms
+    }, now);
+    return { consumed: true, decision_id, nonce };
+  });
+  return run();
+}
 function revokeDecision(db, decision_id, actor, reason, now = Date.now()) {
   const row = db.query(`SELECT * FROM approval_decisions WHERE id = ?`).get(decision_id);
   if (!row)
@@ -12973,6 +13009,37 @@ function handleRequest(socket, req, agent, db, peerUid, isOperator = false) {
     socket.write(encodeResponse({ ok: true, decision_id }));
     return;
   }
+  if (req.op === "approval_consume_record") {
+    const peek = getNonce(db, req.request_id);
+    if (peek !== null) {
+      const acl = checkApprovalAclByAgent(agent, peek.agent_unit);
+      if (!acl.allow) {
+        socket.write(encodeResponse(errorResponse("DENIED", "approval_consume_record denied: nonce does not belong to the calling agent")));
+        return;
+      }
+    }
+    const res = consumeAndRecord(db, {
+      request_id: req.request_id,
+      decision: req.decision,
+      approver_set: req.approver_set,
+      granted_by_user_id: req.granted_by_user_id,
+      ttl_ms: req.ttl_ms ?? undefined
+    });
+    if (!res.consumed) {
+      socket.write(encodeResponse({ ok: true, consumed: false }));
+      return;
+    }
+    socket.write(encodeResponse({
+      ok: true,
+      consumed: true,
+      decision_id: res.decision_id,
+      agent_unit: res.nonce.agent_unit,
+      scope: res.nonce.scope,
+      action: res.nonce.action,
+      why: res.nonce.why
+    }));
+    return;
+  }
   if (req.op === "approval_list") {
     const decisions = listDecisions(db, { agent_unit: req.agent_unit });
     const meta = decisions.map((d) => ({

package/dist/vault/broker/server.js CHANGED Viewed

@@ -13216,6 +13216,15 @@ var ApprovalRecordRequestSchema = exports_external.object({
   granted_by_user_id: exports_external.number().int(),
   ttl_ms: exports_external.number().int().positive().nullable().optional()
 });
+var ApprovalConsumeRecordRequestSchema = exports_external.object({
+  v: exports_external.literal(1),
+  op: exports_external.literal("approval_consume_record"),
+  request_id: exports_external.string().regex(/^[0-9a-f]{32}$/),
+  decision: ApprovalDecisionModeSchema,
+  approver_set: exports_external.array(exports_external.string()),
+  granted_by_user_id: exports_external.number().int(),
+  ttl_ms: exports_external.number().int().positive().nullable().optional()
+});
 var RequestSchema = exports_external.discriminatedUnion("op", [
   GetRequestSchema,
   PutRequestSchema,
@@ -13231,7 +13240,8 @@ var RequestSchema = exports_external.discriminatedUnion("op", [
   ApprovalConsumeRequestSchema,
   ApprovalRevokeRequestSchema,
   ApprovalListRequestSchema,
-  ApprovalRecordRequestSchema
+  ApprovalRecordRequestSchema,
+  ApprovalConsumeRecordRequestSchema
 ]);
 var VaultEntrySchema = exports_external.union([
   exports_external.object({ kind: exports_external.literal("string"), value: exports_external.string() }),
@@ -13353,6 +13363,15 @@ var OkApprovalRecordResponseSchema = exports_external.object({
   ok: exports_external.literal(true),
   decision_id: exports_external.string()
 });
+var OkApprovalConsumeRecordResponseSchema = exports_external.object({
+  ok: exports_external.literal(true),
+  consumed: exports_external.boolean(),
+  decision_id: exports_external.string().optional(),
+  agent_unit: exports_external.string().optional(),
+  scope: exports_external.string().optional(),
+  action: exports_external.string().optional(),
+  why: exports_external.string().nullable().optional()
+});
 var ErrorResponseSchema = exports_external.object({
   ok: exports_external.literal(false),
   code: ErrorCode,
@@ -13374,6 +13393,7 @@ var ResponseSchema = exports_external.union([
   OkApprovalRevokeResponseSchema,
   OkApprovalListResponseSchema,
   OkApprovalRecordResponseSchema,
+  OkApprovalConsumeRecordResponseSchema,
   ErrorResponseSchema
 ]);
 function decodeRequest(line) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.12.14",
+  "version": "0.12.15",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/dist/gateway/gateway.js CHANGED Viewed

@@ -24664,7 +24664,7 @@ function decodeResponse2(line) {
   const obj = JSON.parse(line);
   return ResponseSchema2.parse(obj);
 }
-var MAX_FRAME_BYTES2, GetRequestSchema, PutRequestSchema, ListRequestSchema, MintGrantRequestSchema, ListGrantsRequestSchema, RevokeGrantRequestSchema, StatusRequestSchema, LockRequestSchema, PreflightAccessRequestSchema, OkPreflightAccessResponseSchema, ApprovalRequestRequestSchema, ApprovalLookupRequestSchema, ApprovalConsumeRequestSchema, ApprovalRevokeRequestSchema, ApprovalListRequestSchema, ApprovalDecisionModeSchema, ApprovalRecordRequestSchema, RequestSchema2, VaultEntrySchema, ErrorCode, OkEntryResponseSchema, OkKeysResponseSchema, BrokerStatus, OkStatusResponseSchema, OkLockResponseSchema, OkPutResponseSchema, OkMintGrantResponseSchema, GrantMetaSchema, OkListGrantsResponseSchema, OkRevokeGrantResponseSchema, OkApprovalRequestResponseSchema, ApprovalDecisionMetaSchema, OkApprovalLookupResponseSchema, OkApprovalConsumeResponseSchema, OkApprovalRevokeResponseSchema, OkApprovalListResponseSchema, OkApprovalRecordResponseSchema, ErrorResponseSchema2, ResponseSchema2;
+var MAX_FRAME_BYTES2, GetRequestSchema, PutRequestSchema, ListRequestSchema, MintGrantRequestSchema, ListGrantsRequestSchema, RevokeGrantRequestSchema, StatusRequestSchema, LockRequestSchema, PreflightAccessRequestSchema, OkPreflightAccessResponseSchema, ApprovalRequestRequestSchema, ApprovalLookupRequestSchema, ApprovalConsumeRequestSchema, ApprovalRevokeRequestSchema, ApprovalListRequestSchema, ApprovalDecisionModeSchema, ApprovalRecordRequestSchema, ApprovalConsumeRecordRequestSchema, RequestSchema2, VaultEntrySchema, ErrorCode, OkEntryResponseSchema, OkKeysResponseSchema, BrokerStatus, OkStatusResponseSchema, OkLockResponseSchema, OkPutResponseSchema, OkMintGrantResponseSchema, GrantMetaSchema, OkListGrantsResponseSchema, OkRevokeGrantResponseSchema, OkApprovalRequestResponseSchema, ApprovalDecisionMetaSchema, OkApprovalLookupResponseSchema, OkApprovalConsumeResponseSchema, OkApprovalRevokeResponseSchema, OkApprovalListResponseSchema, OkApprovalRecordResponseSchema, OkApprovalConsumeRecordResponseSchema, ErrorResponseSchema2, ResponseSchema2;
 var init_protocol2 = __esm(() => {
   init_zod();
   MAX_FRAME_BYTES2 = 64 * 1024;
@@ -24792,6 +24792,15 @@ var init_protocol2 = __esm(() => {
     granted_by_user_id: exports_external.number().int(),
     ttl_ms: exports_external.number().int().positive().nullable().optional()
   });
+  ApprovalConsumeRecordRequestSchema = exports_external.object({
+    v: exports_external.literal(1),
+    op: exports_external.literal("approval_consume_record"),
+    request_id: exports_external.string().regex(/^[0-9a-f]{32}$/),
+    decision: ApprovalDecisionModeSchema,
+    approver_set: exports_external.array(exports_external.string()),
+    granted_by_user_id: exports_external.number().int(),
+    ttl_ms: exports_external.number().int().positive().nullable().optional()
+  });
   RequestSchema2 = exports_external.discriminatedUnion("op", [
     GetRequestSchema,
     PutRequestSchema,
@@ -24807,7 +24816,8 @@ var init_protocol2 = __esm(() => {
     ApprovalConsumeRequestSchema,
     ApprovalRevokeRequestSchema,
     ApprovalListRequestSchema,
-    ApprovalRecordRequestSchema
+    ApprovalRecordRequestSchema,
+    ApprovalConsumeRecordRequestSchema
   ]);
   VaultEntrySchema = exports_external.union([
     exports_external.object({ kind: exports_external.literal("string"), value: exports_external.string() }),
@@ -24929,6 +24939,15 @@ var init_protocol2 = __esm(() => {
     ok: exports_external.literal(true),
     decision_id: exports_external.string()
   });
+  OkApprovalConsumeRecordResponseSchema = exports_external.object({
+    ok: exports_external.literal(true),
+    consumed: exports_external.boolean(),
+    decision_id: exports_external.string().optional(),
+    agent_unit: exports_external.string().optional(),
+    scope: exports_external.string().optional(),
+    action: exports_external.string().optional(),
+    why: exports_external.string().nullable().optional()
+  });
   ErrorResponseSchema2 = exports_external.object({
     ok: exports_external.literal(false),
     code: ErrorCode,
@@ -24950,6 +24969,7 @@ var init_protocol2 = __esm(() => {
     OkApprovalRevokeResponseSchema,
     OkApprovalListResponseSchema,
     OkApprovalRecordResponseSchema,
+    OkApprovalConsumeRecordResponseSchema,
     ErrorResponseSchema2
   ]);
 });
@@ -29132,20 +29152,6 @@ function withKernelOpts2(opts) {
     return opts;
   return { ...opts ?? {}, socket: sock };
 }
-async function approvalConsume2(request_id, opts) {
-  const r = await rpcRaw({ v: 1, op: "approval_consume", request_id }, withKernelOpts2(opts));
-  if (r.kind !== "response" || !r.resp.ok)
-    return null;
-  if (!("consumed" in r.resp))
-    return null;
-  return {
-    consumed: r.resp.consumed,
-    agent_unit: r.resp.agent_unit,
-    scope: r.resp.scope,
-    action: r.resp.action,
-    why: r.resp.why ?? null
-  };
-}
 async function approvalRevoke(decision_id, actor, reason, opts) {
   const r = await rpcRaw({ v: 1, op: "approval_revoke", decision_id, actor, reason }, withKernelOpts2(opts));
   if (r.kind !== "response" || !r.resp.ok)
@@ -29154,10 +29160,10 @@ async function approvalRevoke(decision_id, actor, reason, opts) {
     return null;
   return r.resp.revoked;
 }
-async function approvalRecord2(args, opts) {
+async function approvalConsumeRecord(args, opts) {
   const r = await rpcRaw({
     v: 1,
-    op: "approval_record",
+    op: "approval_consume_record",
     request_id: args.request_id,
     decision: args.decision,
     approver_set: args.approver_set,
@@ -29166,9 +29172,17 @@ async function approvalRecord2(args, opts) {
   }, withKernelOpts2(opts));
   if (r.kind !== "response" || !r.resp.ok)
     return null;
-  if (!("decision_id" in r.resp))
+  if (!("consumed" in r.resp))
     return null;
-  return r.resp.decision_id;
+  const resp = r.resp;
+  return {
+    consumed: resp.consumed,
+    decision_id: resp.decision_id,
+    agent_unit: resp.agent_unit,
+    scope: resp.scope,
+    action: resp.action,
+    why: resp.why ?? null
+  };
 }
 async function approvalList(agent_unit, opts) {
   const r = await rpcRaw({ v: 1, op: "approval_list", agent_unit }, withKernelOpts2(opts));
@@ -29615,9 +29629,26 @@ var init_approval_card = __esm(() => {
 // gateway/approval-callback.ts
 var exports_approval_callback = {};
 __export(exports_approval_callback, {
+  resolveApprovalDecision: () => resolveApprovalDecision,
   handleApprovalCallback: () => handleApprovalCallback,
   buildGrantedKeyboard: () => buildGrantedKeyboard
 });
+function resolveApprovalDecision(choice) {
+  switch (choice.kind) {
+    case "deny":
+      return { ok: true, decision: "deny", granted: false, ttl_ms: null, displayMode: "denied" };
+    case "once":
+      return { ok: true, decision: "allow_once", granted: true, ttl_ms: null, displayMode: "granted once" };
+    case "always":
+      return { ok: true, decision: "allow_always", granted: true, ttl_ms: null, displayMode: "granted always" };
+    case "ttl": {
+      const ms = ttlMsFromToken(choice.param);
+      if (ms === null)
+        return { ok: false, error: "bad ttl token" };
+      return { ok: true, decision: "allow_ttl", granted: true, ttl_ms: ms, displayMode: `granted for ${choice.param}` };
+    }
+  }
+}
 function buildGrantedKeyboard(scope) {
   const btn = scopeToOpenInDriveButton(scope);
   if (btn === null)
@@ -29630,64 +29661,37 @@ async function handleApprovalCallback(ctx, data) {
     await ctx.answerCallbackQuery({ text: "malformed approval callback" });
     return;
   }
-  let decision;
-  let granted;
-  let ttl_ms = null;
-  let displayMode;
-  switch (parsed.choice.kind) {
-    case "deny":
-      decision = "deny";
-      granted = false;
-      displayMode = "denied";
-      break;
-    case "once":
-      decision = "allow_once";
-      granted = true;
-      displayMode = "granted once";
-      break;
-    case "always":
-      decision = "allow_always";
-      granted = true;
-      displayMode = "granted always";
-      break;
-    case "ttl": {
-      decision = "allow_ttl";
-      granted = true;
-      const ms = ttlMsFromToken(parsed.choice.param);
-      if (ms === null) {
-        await ctx.answerCallbackQuery({ text: "bad ttl token" });
-        return;
-      }
-      ttl_ms = ms;
-      displayMode = `granted for ${parsed.choice.param}`;
-      break;
-    }
-  }
-  const consumed = await approvalConsume2(parsed.request_id);
-  if (consumed === null) {
-    await ctx.answerCallbackQuery({ text: "approval kernel unreachable" });
-    return;
-  }
-  if (!consumed.consumed) {
-    await ctx.answerCallbackQuery({ text: "this prompt expired" });
+  const resolved = resolveApprovalDecision(parsed.choice);
+  if (!resolved.ok) {
+    await ctx.answerCallbackQuery({ text: resolved.error });
     return;
   }
+  const { decision, granted, ttl_ms, displayMode } = resolved;
   const granted_by_user_id = ctx.from?.id ?? 0;
   const approver_set = [String(granted_by_user_id)];
-  const decision_id = await approvalRecord2({
+  const result = await approvalConsumeRecord({
     request_id: parsed.request_id,
     decision,
     approver_set,
     granted_by_user_id,
     ttl_ms
   });
-  if (decision_id === null) {
+  if (result === null) {
+    await ctx.answerCallbackQuery({ text: "approval kernel unreachable" });
+    return;
+  }
+  if (!result.consumed) {
+    await ctx.answerCallbackQuery({ text: "this prompt expired" });
+    return;
+  }
+  if (!result.decision_id) {
     await ctx.answerCallbackQuery({ text: "kernel record failed" });
     return;
   }
+  const decision_id = result.decision_id;
   const icon = granted ? "\u2705" : "\uD83D\uDEAB";
   const newBody = `${icon} ${displayMode}` + (granted ? ` \u00b7 /approvals revoke <code>${decision_id}</code>` : "");
-  const postTapKeyboard = granted && consumed.scope ? buildGrantedKeyboard(consumed.scope) : undefined;
+  const postTapKeyboard = granted && result.scope ? buildGrantedKeyboard(result.scope) : undefined;
   try {
     await ctx.editMessageText(newBody, {
       parse_mode: "HTML",
@@ -41300,7 +41304,7 @@ async function approvalRecord(args, opts) {
     return null;
   if (!("decision_id" in r.resp))
     return null;
-  return r.resp.decision_id;
+  return r.resp.decision_id ?? null;
 }
 // quota-check.ts
@@ -43342,6 +43346,26 @@ function escapeHtml7(s) {
 // gateway/pending-inbound-buffer.ts
 var DEFAULT_PENDING_INBOUND_CAP = 32;
+function redeliverBufferedInbound(buffer, agent, send) {
+  const pending = buffer.drain(agent);
+  let redelivered = 0;
+  let rebuffered = 0;
+  for (const msg of pending) {
+    let delivered = false;
+    try {
+      delivered = send(msg);
+    } catch {
+      delivered = false;
+    }
+    if (delivered) {
+      redelivered++;
+    } else {
+      buffer.push(agent, msg);
+      rebuffered++;
+    }
+  }
+  return { drained: pending.length, redelivered, rebuffered };
+}
 function createPendingInboundBuffer(opts = {}) {
   const cap = opts.capPerAgent ?? DEFAULT_PENDING_INBOUND_CAP;
   const log = opts.log ?? ((line) => process.stderr.write(line));
@@ -46744,11 +46768,11 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 // ../src/build-info.ts
-var VERSION = "0.12.14";
-var COMMIT_SHA = "db6d87d6";
-var COMMIT_DATE = "2026-05-19T05:51:09Z";
-var LATEST_PR = 1542;
-var COMMITS_AHEAD_OF_TAG = 17;
+var VERSION = "0.12.15";
+var COMMIT_SHA = "dc508a92";
+var COMMIT_DATE = "2026-05-19T07:24:41Z";
+var LATEST_PR = 1547;
+var COMMITS_AHEAD_OF_TAG = 22;
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {
@@ -48438,7 +48462,9 @@ startTimer({
     try {
       clearSilentEndState(fbKey);
     } catch {}
-    process.stderr.write(`telegram gateway: silence-poke framework-fallback ended wedged turn chat=${fbChatId} thread=${ctx.threadId ?? "-"} silence_ms=${ctx.silenceMs} currentTurn_nulled=${turnMatchesFallback}
+    const fbSelfAgent = process.env.SWITCHROOM_AGENT_NAME ?? "";
+    const fbRedeliver = redeliverBufferedInbound(pendingInboundBuffer, fbSelfAgent, (m) => ipcServer.sendToAgent(fbSelfAgent, m));
+    process.stderr.write(`telegram gateway: silence-poke framework-fallback ended wedged turn chat=${fbChatId} thread=${ctx.threadId ?? "-"} silence_ms=${ctx.silenceMs} currentTurn_nulled=${turnMatchesFallback} drained_buffered=${fbRedeliver.redelivered}/${fbRedeliver.drained}${fbRedeliver.rebuffered > 0 ? ` rebuffered=${fbRedeliver.rebuffered}` : ""}
 `);
   }
 });

package/telegram-plugin/gateway/approval-callback.test.ts CHANGED Viewed

@@ -12,7 +12,10 @@
 import { describe, expect, it } from "vitest";
 import { InlineKeyboard } from "grammy";
-import { buildGrantedKeyboard } from "./approval-callback.js";
+import {
+  buildGrantedKeyboard,
+  resolveApprovalDecision,
+} from "./approval-callback.js";
 /**
  * Helper — pull the `[{text, url}]` rows out of a grammy InlineKeyboard
@@ -102,3 +105,48 @@ describe("buildGrantedKeyboard — no button cases", () => {
     expect(buildGrantedKeyboard("doc:gdrive:write:abc?evil=1")).toBeUndefined();
   });
 });
+describe("resolveApprovalDecision — pure decision resolution (PR-5)", () => {
+  it("deny → deny / not granted", () => {
+    expect(resolveApprovalDecision({ kind: "deny" })).toEqual({
+      ok: true, decision: "deny", granted: false, ttl_ms: null, displayMode: "denied",
+    });
+  });
+  it("once → allow_once, no ttl", () => {
+    expect(resolveApprovalDecision({ kind: "once" })).toEqual({
+      ok: true, decision: "allow_once", granted: true, ttl_ms: null, displayMode: "granted once",
+    });
+  });
+  it("always → allow_always, no ttl", () => {
+    expect(resolveApprovalDecision({ kind: "always" })).toEqual({
+      ok: true, decision: "allow_always", granted: true, ttl_ms: null, displayMode: "granted always",
+    });
+  });
+  it("ttl with a valid token → allow_ttl with computed ms", () => {
+    expect(resolveApprovalDecision({ kind: "ttl", param: "24h" })).toEqual({
+      ok: true,
+      decision: "allow_ttl",
+      granted: true,
+      ttl_ms: 24 * 60 * 60 * 1000,
+      displayMode: "granted for 24h",
+    });
+    expect(resolveApprovalDecision({ kind: "ttl", param: "7d" })).toMatchObject({
+      ok: true, decision: "allow_ttl", ttl_ms: 7 * 24 * 60 * 60 * 1000,
+    });
+  });
+  it("ttl with a bad token → { ok: false } so the caller does NOT consume the nonce", () => {
+    // This is the load-bearing case: pre-PR-4 this branch ran after
+    // approvalConsume() burned the single-use nonce, wedging the agent.
+    // It must report failure WITHOUT side effects (pure fn → caller
+    // returns before approvalConsume).
+    for (const param of ["bogus", "0h", "1w", "", "h", "12"]) {
+      expect(resolveApprovalDecision({ kind: "ttl", param })).toEqual({
+        ok: false, error: "bad ttl token",
+      });
+    }
+  });
+});