switchroom 0.13.29 → 0.13.30

package/dist/cli/switchroom.js

@@ -47436,8 +47436,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.13.29";
-var COMMIT_SHA = "927abe08";
+var VERSION = "0.13.30";
+var COMMIT_SHA = "c544689a";
 
 // src/cli/agent.ts
 init_source();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.13.29",
+  "version": "0.13.30",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/dist/gateway/gateway.js

@@ -25142,6 +25142,34 @@ async function getViaBrokerStructured(key, opts) {
   }
   return { kind: "unreachable", msg: "unexpected broker response shape" };
 }
+async function putViaBroker(key, entry, opts) {
+  const token = opts?.token;
+  const passphrase = opts?.passphrase;
+  const attestViaPosture = opts?.attest_via_posture === true;
+  const result = await rpc({
+    v: 1,
+    op: "put",
+    key,
+    entry,
+    ...token ? { token } : {},
+    ...passphrase ? { passphrase } : {},
+    ...attestViaPosture ? { attest_via_posture: true } : {}
+  }, opts);
+  if (result.kind === "unreachable") {
+    return { kind: "unreachable", msg: result.msg };
+  }
+  const resp = result.resp;
+  if (resp.ok && "put" in resp) {
+    return { kind: "ok" };
+  }
+  if (!resp.ok) {
+    if (resp.code === "UNKNOWN_KEY") {
+      return { kind: "not_found", code: resp.code, msg: resp.msg };
+    }
+    return { kind: "denied", code: resp.code, msg: resp.msg };
+  }
+  return { kind: "unreachable", msg: "unexpected broker response shape" };
+}
 var DEFAULT_TIMEOUT_MS3 = 2000, LEGACY_SOCKET_PATH, OPERATOR_SOCKET_PATH;
 var init_client2 = __esm(() => {
   init_protocol2();
@@ -46209,7 +46237,19 @@ function maskToken2(s) {
 }
 
 // secret-detect/vault-write.ts
+init_client2();
 import { execFileSync as execFileSync3 } from "node:child_process";
+var defaultVaultWritePosture = async (slug, value, deps) => {
+  const put = deps?.putViaBroker ?? putViaBroker;
+  const resolveSocket = deps?.resolveBrokerSocketPath ?? resolveBrokerSocketPath;
+  const socket = resolveSocket();
+  const result = await put(slug, { kind: "string", value }, { socket, attest_via_posture: true, timeoutMs: 1e4 });
+  if (result.kind === "ok") {
+    return { ok: true, output: `sent (key: ${slug})` };
+  }
+  const prefix = result.kind === "unreachable" ? "VAULT-BROKER-UNREACHABLE" : result.kind === "denied" ? `VAULT-BROKER-DENIED (${result.code})` : `VAULT-BROKER-${result.code}`;
+  return { ok: false, output: `${prefix}: ${result.msg}` };
+};
 var defaultVaultWrite = (slug, value, passphrase) => {
   const env = {
     ...process.env,
@@ -48464,10 +48504,10 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.13.29";
-var COMMIT_SHA = "927abe08";
-var COMMIT_DATE = "2026-05-24T12:14:05Z";
-var LATEST_PR = 1732;
+var VERSION = "0.13.30";
+var COMMIT_SHA = "c544689a";
+var COMMIT_DATE = "2026-05-24T12:56:26Z";
+var LATEST_PR = 1734;
 var COMMITS_AHEAD_OF_TAG = 0;
 
 // gateway/boot-version.ts
@@ -55370,15 +55410,20 @@ async function handleVaultRequestSaveCallback(ctx, data) {
   }
   if (action === "save") {
     await ctx.answerCallbackQuery({ text: "\u23F3 Saving\u2026" }).catch(() => {});
-    const cached = vaultPassphraseCache.get(pending2.chat_id);
-    if (!cached || cached.expiresAt <= Date.now()) {
-      if (pending2.card_message_id != null) {
-        await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\uD83D\uDD12 <b>Vault is locked.</b> Run <code>/vault unlock</code> (or any /vault command) to cache the passphrase, then tap Save again on the next card.`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+    let write;
+    if (VAULT_APPROVAL_AUTH_MODE === "telegram-id") {
+      write = await defaultVaultWritePosture(pending2.key, pending2.value);
+    } else {
+      const cached = vaultPassphraseCache.get(pending2.chat_id);
+      if (!cached || cached.expiresAt <= Date.now()) {
+        if (pending2.card_message_id != null) {
+          await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\uD83D\uDD12 <b>Passphrase not cached for this chat.</b> Run <code>/vault unlock</code> (or any /vault command) to cache it, then tap Save again on the next card.`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+        }
+        pendingVaultRequestSaves.delete(stageId);
+        return;
       }
-      pendingVaultRequestSaves.delete(stageId);
-      return;
+      write = defaultVaultWrite(pending2.key, pending2.value, cached.passphrase);
     }
-    const write = defaultVaultWrite(pending2.key, pending2.value, cached.passphrase);
     if (!write.ok) {
       const parsed = parseVaultCliError(write.output);
       const rendered = renderVaultCliError(parsed, { verb: "save", key: pending2.key });

package/telegram-plugin/gateway/gateway.ts

@@ -332,7 +332,7 @@ import {
 import { runPipeline } from '../secret-detect/pipeline.js'
 import { StagingMap } from '../secret-detect/staging.js'
 import { maskToken } from '../secret-detect/mask.js'
-import { defaultVaultWrite, defaultVaultList } from '../secret-detect/vault-write.js'
+import { defaultVaultWrite, defaultVaultList, defaultVaultWritePosture } from '../secret-detect/vault-write.js'
 import { parseVaultCliError, renderVaultCliError } from '../secret-detect/vault-error.js'
 import { recentDenialsFromAuditLog, type RecentDenial } from './recent-denials.js'
 import { detectSecrets } from '../secret-detect/index.js'
@@ -11774,47 +11774,50 @@ async function handleVaultRequestSaveCallback(ctx: Context, data: string): Promi
     // stale "spinning" state on the button while we run the write.
     await ctx.answerCallbackQuery({ text: '⏳ Saving…' }).catch(() => {})
 
-    // #1115 follow-up: telegram-id mode silent-save was withdrawn. The
-    // original PR shortcut routed the save through an in-memory
-    // passphrase the gateway held under telegram-id; the reviewer
-    // flagged that as a bypass surface (claude in the same container
-    // could exfiltrate the passphrase). The access-approve flow now
-    // attests via the broker (`attest_via_posture: true` on
-    // mint_grant) so the passphrase never leaves the broker. The
-    // save-approve flow uses `defaultVaultWrite` which shells to the
-    // CLI — routing it through broker-IPC attest_via_posture is a
-    // tracked follow-up. Until then, vault_request_save under
-    // telegram-id falls through to the standard passphrase-cache
-    // path: the operator must have unlocked the vault in this chat
-    // (`/vault unlock` or any /vault command) so the cache is
-    // populated. Same UX as passphrase mode.
-
-    // Fetch the cached passphrase for this chat. If the gateway hasn't
-    // seen the user unlock the vault yet, we can't attest the write —
-    // surface the unlock card via the same path the deferred-secret
-    // flow uses (issue #44).
-    const cached = vaultPassphraseCache.get(pending.chat_id)
-    if (!cached || cached.expiresAt <= Date.now()) {
-      if (pending.card_message_id != null) {
-        await ctx.api
-          .editMessageText(
-            pending.chat_id,
-            pending.card_message_id,
-            `🔒 <b>Vault is locked.</b> Run <code>/vault unlock</code> (or any /vault command) to cache the passphrase, then tap Save again on the next card.`,
-            { parse_mode: 'HTML', reply_markup: { inline_keyboard: [] } },
-          )
-          .catch(() => {})
+    // #1115 follow-up: the save-approve flow now mirrors the access-
+    // approve flow under telegram-id mode — broker `put` accepts
+    // `attest_via_posture: true` (server.ts:1448-1500), so the
+    // gateway can attest the write without a cached passphrase.
+    // Closes the UX gap where tapping Save surfaced a misleading
+    // "🔒 Vault is locked" message even when the broker had been
+    // auto-unlocked at boot.
+    //
+    // Branch: under telegram-id mode use the posture-attested put;
+    // under passphrase mode keep the existing cached-passphrase +
+    // shell-to-CLI path (operator must `/vault unlock` once per
+    // chat session to populate `vaultPassphraseCache`).
+    let write: { ok: boolean; output: string }
+    if (VAULT_APPROVAL_AUTH_MODE === 'telegram-id') {
+      // Posture-attested broker put. No passphrase needed. The broker
+      // verifies (a) telegram-id mode, (b) per-agent peer, (c) broker
+      // unlocked — see server.ts:1448-1500.
+      write = await defaultVaultWritePosture(pending.key, pending.value)
+    } else {
+      // Passphrase mode — fetch the cached passphrase for this chat.
+      // If the gateway hasn't seen the user unlock the vault yet, we
+      // can't attest the write — surface the unlock prompt.
+      const cached = vaultPassphraseCache.get(pending.chat_id)
+      if (!cached || cached.expiresAt <= Date.now()) {
+        if (pending.card_message_id != null) {
+          await ctx.api
+            .editMessageText(
+              pending.chat_id,
+              pending.card_message_id,
+              `🔒 <b>Passphrase not cached for this chat.</b> Run <code>/vault unlock</code> (or any /vault command) to cache it, then tap Save again on the next card.`,
+              { parse_mode: 'HTML', reply_markup: { inline_keyboard: [] } },
+            )
+            .catch(() => {})
+        }
+        pendingVaultRequestSaves.delete(stageId)
+        return
       }
-      pendingVaultRequestSaves.delete(stageId)
-      return
+      // defaultVaultWrite spawns `switchroom vault set <key>` with the
+      // passphrase env set; the CLI forwards the passphrase to the
+      // broker put as operator-attestation (#969 P1a), which authorizes
+      // new-key creation.
+      write = defaultVaultWrite(pending.key, pending.value, cached.passphrase)
     }
 
-    // Run the write. defaultVaultWrite spawns `switchroom vault set
-    // <key>` with the passphrase env set; the CLI in turn forwards the
-    // passphrase to the broker put as operator-attestation (#969 P1a),
-    // which authorizes new-key creation.
-    const write = defaultVaultWrite(pending.key, pending.value, cached.passphrase)
-
     if (!write.ok) {
       // Route through the structured-error renderer from #969 P0b so
       // failures show the actionable host hint instead of a raw blob.

package/telegram-plugin/secret-detect/vault-write.ts

@@ -1,15 +1,31 @@
 /**
  * Programmatic vault write from the Telegram plugin path.
  *
- * Reuses the existing `runVaultCli`-style approach (spawn `switchroom vault
- * set` with SWITCHROOM_VAULT_PASSPHRASE in env and the secret piped on
- * stdin) so we don't have to import and open the vault directly from this
- * subprocess.
+ * Two flavors:
  *
- * Exposed as a pure function for testability: callers inject the spawn
- * helper in tests to avoid needing a real vault on disk.
+ *   1. `defaultVaultWrite(slug, value, passphrase)` — shell-out to
+ *      `switchroom vault set`. The CLI forwards the passphrase to the
+ *      broker as operator-attestation (#969 P1a). Used by passphrase-
+ *      mode approval flows where the gateway cached the operator's
+ *      passphrase via /vault unlock.
+ *
+ *   2. `defaultVaultWritePosture(slug, value)` — direct broker call via
+ *      `putViaBroker(..., attest_via_posture: true)`. Used by
+ *      telegram-id-mode approval flows where the broker auto-unlocked
+ *      at boot and the gateway never needs the passphrase
+ *      (`vault.broker.approvalAuth: telegram-id` in switchroom.yaml).
+ *      Closes the UX gap where tapping Save on a `vault_request_save`
+ *      card surfaced a misleading "🔒 Vault is locked" message when
+ *      the operator hadn't run /vault unlock in that chat — even
+ *      though the broker had been unlocked for hours. The tracked
+ *      follow-up of #1115; broker side has supported the flag since
+ *      PR #1115 follow-up rev 3.
+ *
+ * Exposed as pure functions for testability: callers inject the spawn /
+ * broker helper in tests to avoid needing a real vault on disk.
  */
 import { execFileSync } from 'node:child_process'
+import { putViaBroker, resolveBrokerSocketPath } from '../../src/vault/broker/client.js'
 
 export interface VaultWriteResult {
   ok: boolean
@@ -22,6 +38,68 @@ export type VaultWriteFn = (
   passphrase: string,
 ) => VaultWriteResult
 
+/**
+ * Posture-attested vault write — no passphrase required. Returns the
+ * same `VaultWriteResult` shape as `defaultVaultWrite` for drop-in
+ * substitution at the gateway save / defer / auto-save callsites.
+ *
+ * Caller MUST verify `vault.broker.approvalAuth === 'telegram-id'` in
+ * config before invoking — the broker will reject `attest_via_posture`
+ * under passphrase mode with `attest_via_posture requires
+ * vault.broker.approvalAuth: telegram-id` (server.ts:1500). The
+ * gateway's `VAULT_APPROVAL_AUTH_MODE` flag is the canonical signal.
+ *
+ * Returns `{ ok: false, output: ... }` on any broker error so the
+ * gateway's existing parseVaultCliError / renderVaultCliError path
+ * still works.
+ */
+/**
+ * Test-injection seam for `defaultVaultWritePosture`. Production
+ * callers omit and get the live broker client; tests pass mock
+ * functions to avoid `vi.mock` / `mock.module` (which don't
+ * cross-runtime cleanly — vitest's `vi.mock` and bun:test's
+ * `mock.module` need separate wiring and shadow other tests' module
+ * imports if not carefully isolated).
+ */
+export interface VaultWritePostureDeps {
+  putViaBroker?: typeof putViaBroker
+  resolveBrokerSocketPath?: typeof resolveBrokerSocketPath
+}
+
+export type VaultWritePostureFn = (
+  slug: string,
+  value: string,
+  deps?: VaultWritePostureDeps,
+) => Promise<VaultWriteResult>
+
+export const defaultVaultWritePosture: VaultWritePostureFn = async (
+  slug,
+  value,
+  deps,
+) => {
+  const put = deps?.putViaBroker ?? putViaBroker
+  const resolveSocket = deps?.resolveBrokerSocketPath ?? resolveBrokerSocketPath
+  const socket = resolveSocket()
+  const result = await put(
+    slug,
+    { kind: 'string', value },
+    { socket, attest_via_posture: true, timeoutMs: 10000 },
+  )
+  if (result.kind === 'ok') {
+    return { ok: true, output: `sent (key: ${slug})` }
+  }
+  // Mirror the CLI's error format so the existing parseVaultCliError
+  // / renderVaultCliError stack handles broker-mediated failures
+  // without a special branch.
+  const prefix =
+    result.kind === 'unreachable'
+      ? 'VAULT-BROKER-UNREACHABLE'
+      : result.kind === 'denied'
+        ? `VAULT-BROKER-DENIED (${result.code})`
+        : `VAULT-BROKER-${result.code}`
+  return { ok: false, output: `${prefix}: ${result.msg}` }
+}
+
 export type VaultListFn = (passphrase: string) => { ok: boolean; keys: string[] }
 
 export const defaultVaultWrite: VaultWriteFn = (slug, value, passphrase) => {

package/telegram-plugin/tests/vault-approval-posture.test.ts

@@ -121,20 +121,34 @@ describe('performVaultAccessApproval — broker-mediated attestation', () => {
   })
 })
 
-describe('handleVaultRequestSaveCallback — telegram-id silent path withdrawn', () => {
-  it('NO LONGER reads an in-memory passphrase for telegram-id; falls through to cached-passphrase path', () => {
+describe('handleVaultRequestSaveCallback — posture-attested broker put (#1115 follow-up)', () => {
+  it('NO in-memory passphrase under telegram-id; routes the save through the broker via attest_via_posture', () => {
     const fnBlock =
       gatewaySrc
         .split('async function handleVaultRequestSaveCallback')[1]
         ?.split('async function handleVaultDeferCallback')[0] ?? ''
-    // Regression guard: the original PR added a
-    // `VAULT_APPROVAL_AUTH_MODE === 'telegram-id'` shortcut that
-    // pulled an in-memory passphrase. That was a bypass surface.
-    // The save handler must NOT branch on the posture for an
-    // in-memory passphrase any more.
+    // Regression guard (original #1115 first-cut withdrawal): the
+    // handler must NOT pull a long-lived in-memory passphrase under
+    // telegram-id. That was a bypass surface — claude in the same
+    // container could exfiltrate it. The follow-up replaces it with
+    // a broker-IPC `attest_via_posture` call so the passphrase
+    // never leaves the broker process.
     expect(fnBlock).not.toMatch(/AUTO_UNLOCK_PASSPHRASE/)
-    // Standard cache lookup still present.
+    // The #1115 follow-up wiring: under telegram-id the handler
+    // calls `defaultVaultWritePosture` (posture-attested broker put,
+    // no passphrase). Under passphrase mode it keeps the legacy
+    // cached-passphrase + shell-out path.
+    expect(fnBlock).toMatch(/VAULT_APPROVAL_AUTH_MODE === 'telegram-id'/)
+    expect(fnBlock).toMatch(/defaultVaultWritePosture\(/)
+    // Passphrase-mode branch still present.
     expect(fnBlock).toMatch(/vaultPassphraseCache\.get\(pending\.chat_id\)/)
+    expect(fnBlock).toMatch(/defaultVaultWrite\(pending\.key, pending\.value, cached\.passphrase\)/)
+    // The misleading pre-fix card text ("Vault is locked") must be
+    // rephrased — the broker IS unlocked under telegram-id; only
+    // the chat's passphrase cache needs warming up under passphrase
+    // mode. Pin the corrected wording so the wedge UX can't
+    // silently regress.
+    expect(fnBlock).toMatch(/Passphrase not cached for this chat/)
   })
 })
 

package/telegram-plugin/tests/vault-write-posture.test.ts

@@ -0,0 +1,108 @@
+/**
+ * Unit tests for `defaultVaultWritePosture` — the posture-attested
+ * vault write helper introduced by the #1115 follow-up.
+ *
+ * Contract pinned here:
+ *   - Returns `{ ok: true, output }` on broker `kind: 'ok'`.
+ *   - Returns `{ ok: false, output: <marker>: <msg> }` on each broker
+ *     failure shape (unreachable / denied / not_found), with markers
+ *     that the gateway's `parseVaultCliError` / `renderVaultCliError`
+ *     stack can recognize (so failures still render the actionable
+ *     host hint instead of a raw blob).
+ *   - Forwards `attest_via_posture: true` on the put — the load-
+ *     bearing flag the broker server (server.ts:1448-1500) gates on.
+ *   - Forwards `kind: 'string'` entry shape verbatim (only kind the
+ *     `vault_request_save` MCP tool emits).
+ *
+ * Test seam: the helper accepts an optional `deps` param so tests
+ * inject mock fns directly (no `vi.mock` / `mock.module`). This
+ * keeps the test runnable under both vitest AND bun:test without
+ * the module-cache cross-pollination that broke an earlier rev.
+ */
+
+import { describe, expect, it } from 'vitest'
+import { defaultVaultWritePosture } from '../secret-detect/vault-write.js'
+import type { PutResult } from '../../src/vault/broker/client.js'
+
+type PutCall = {
+  slug: string
+  entry: { kind: 'string'; value: string } | { kind: 'binary'; value: string }
+  opts: { socket?: string; attest_via_posture?: boolean; timeoutMs?: number }
+}
+
+function makeDeps(putResult: PutResult, socket = '/run/switchroom/broker/sock'): {
+  deps: { putViaBroker: (...args: never[]) => Promise<PutResult>; resolveBrokerSocketPath: () => string }
+  calls: PutCall[]
+} {
+  const calls: PutCall[] = []
+  const deps = {
+    putViaBroker: async (...args: never[]): Promise<PutResult> => {
+      const [slug, entry, opts] = args as unknown as [PutCall['slug'], PutCall['entry'], PutCall['opts']]
+      calls.push({ slug, entry, opts })
+      return putResult
+    },
+    resolveBrokerSocketPath: () => socket,
+  }
+  return { deps, calls }
+}
+
+describe('defaultVaultWritePosture', () => {
+  it('returns { ok: true } on broker `kind: ok`', async () => {
+    const { deps } = makeDeps({ kind: 'ok' })
+    const r = await defaultVaultWritePosture('forward-email/api-key', 'sk-value', deps)
+    expect(r.ok).toBe(true)
+    expect(r.output).toContain('forward-email/api-key')
+  })
+
+  it('forwards attest_via_posture: true on the put RPC', async () => {
+    const { deps, calls } = makeDeps({ kind: 'ok' })
+    await defaultVaultWritePosture('ha/access-token', 'jwt-value', deps)
+    expect(calls).toHaveLength(1)
+    expect(calls[0].opts.attest_via_posture).toBe(true)
+  })
+
+  it('forwards kind: string entry verbatim', async () => {
+    const { deps, calls } = makeDeps({ kind: 'ok' })
+    await defaultVaultWritePosture('some-key', 'some-value', deps)
+    expect(calls[0].slug).toBe('some-key')
+    expect(calls[0].entry).toEqual({ kind: 'string', value: 'some-value' })
+  })
+
+  it('returns ok:false with VAULT-BROKER-UNREACHABLE prefix on unreachable', async () => {
+    const { deps } = makeDeps({ kind: 'unreachable', msg: 'connect ENOENT' })
+    const r = await defaultVaultWritePosture('k', 'v', deps)
+    expect(r.ok).toBe(false)
+    expect(r.output).toContain('VAULT-BROKER-UNREACHABLE')
+    expect(r.output).toContain('connect ENOENT')
+  })
+
+  it('returns ok:false with VAULT-BROKER-DENIED prefix on denied', async () => {
+    const { deps } = makeDeps({
+      kind: 'denied',
+      code: 'DENIED',
+      msg: 'attest_via_posture requires telegram-id',
+    })
+    const r = await defaultVaultWritePosture('k', 'v', deps)
+    expect(r.ok).toBe(false)
+    expect(r.output).toContain('VAULT-BROKER-DENIED')
+    expect(r.output).toContain('DENIED')
+    expect(r.output).toContain('telegram-id')
+  })
+
+  it('returns ok:false with VAULT-BROKER-UNKNOWN_KEY prefix on not_found', async () => {
+    const { deps } = makeDeps({
+      kind: 'not_found',
+      code: 'UNKNOWN_KEY',
+      msg: 'no such key',
+    })
+    const r = await defaultVaultWritePosture('k', 'v', deps)
+    expect(r.ok).toBe(false)
+    expect(r.output).toContain('VAULT-BROKER-UNKNOWN_KEY')
+  })
+
+  it('resolves the broker socket via the injected resolveBrokerSocketPath', async () => {
+    const { deps, calls } = makeDeps({ kind: 'ok' }, '/tmp/test-socket')
+    await defaultVaultWritePosture('k', 'v', deps)
+    expect(calls[0].opts.socket).toBe('/tmp/test-socket')
+  })
+})