switchroom 0.13.29 → 0.13.31

package/dist/cli/switchroom.js

@@ -47436,8 +47436,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.13.29";
-var COMMIT_SHA = "927abe08";
+var VERSION = "0.13.31";
+var COMMIT_SHA = "061eead1";
 
 // src/cli/agent.ts
 init_source();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.13.29",
+  "version": "0.13.31",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/dist/gateway/gateway.js

@@ -25142,6 +25142,34 @@ async function getViaBrokerStructured(key, opts) {
   }
   return { kind: "unreachable", msg: "unexpected broker response shape" };
 }
+async function putViaBroker(key, entry, opts) {
+  const token = opts?.token;
+  const passphrase = opts?.passphrase;
+  const attestViaPosture = opts?.attest_via_posture === true;
+  const result = await rpc({
+    v: 1,
+    op: "put",
+    key,
+    entry,
+    ...token ? { token } : {},
+    ...passphrase ? { passphrase } : {},
+    ...attestViaPosture ? { attest_via_posture: true } : {}
+  }, opts);
+  if (result.kind === "unreachable") {
+    return { kind: "unreachable", msg: result.msg };
+  }
+  const resp = result.resp;
+  if (resp.ok && "put" in resp) {
+    return { kind: "ok" };
+  }
+  if (!resp.ok) {
+    if (resp.code === "UNKNOWN_KEY") {
+      return { kind: "not_found", code: resp.code, msg: resp.msg };
+    }
+    return { kind: "denied", code: resp.code, msg: resp.msg };
+  }
+  return { kind: "unreachable", msg: "unexpected broker response shape" };
+}
 var DEFAULT_TIMEOUT_MS3 = 2000, LEGACY_SOCKET_PATH, OPERATOR_SOCKET_PATH;
 var init_client2 = __esm(() => {
   init_protocol2();
@@ -46209,7 +46237,19 @@ function maskToken2(s) {
 }
 
 // secret-detect/vault-write.ts
+init_client2();
 import { execFileSync as execFileSync3 } from "node:child_process";
+var defaultVaultWritePosture = async (slug, value, deps) => {
+  const put = deps?.putViaBroker ?? putViaBroker;
+  const resolveSocket = deps?.resolveBrokerSocketPath ?? resolveBrokerSocketPath;
+  const socket = resolveSocket();
+  const result = await put(slug, { kind: "string", value }, { socket, attest_via_posture: true, timeoutMs: 1e4 });
+  if (result.kind === "ok") {
+    return { ok: true, output: `sent (key: ${slug})` };
+  }
+  const prefix = result.kind === "unreachable" ? "VAULT-BROKER-UNREACHABLE" : result.kind === "denied" ? `VAULT-BROKER-DENIED (${result.code})` : `VAULT-BROKER-${result.code}`;
+  return { ok: false, output: `${prefix}: ${result.msg}` };
+};
 var defaultVaultWrite = (slug, value, passphrase) => {
   const env = {
     ...process.env,
@@ -48464,10 +48504,10 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.13.29";
-var COMMIT_SHA = "927abe08";
-var COMMIT_DATE = "2026-05-24T12:14:05Z";
-var LATEST_PR = 1732;
+var VERSION = "0.13.31";
+var COMMIT_SHA = "061eead1";
+var COMMIT_DATE = "2026-05-24T13:21:09Z";
+var LATEST_PR = 1736;
 var COMMITS_AHEAD_OF_TAG = 0;
 
 // gateway/boot-version.ts
@@ -49450,6 +49490,22 @@ function purgeReactionTracking(key, endingTurn) {
     }
   }
 }
+function releaseTurnBufferGate(key) {
+  if (!activeTurnStartedAt.has(key))
+    return;
+  activeTurnStartedAt.delete(key);
+  shadowEmit({ kind: "turnEnd", key, at: Date.now(), outboundEmitted: true });
+  if (activeTurnStartedAt.size === 0) {
+    const selfAgentForFlush = process.env.SWITCHROOM_AGENT_NAME ?? "";
+    if (pendingInboundBuffer.depth(selfAgentForFlush) > 0) {
+      const fr = redeliverBufferedInbound(pendingInboundBuffer, selfAgentForFlush, (m) => ipcServer.sendToAgent(selfAgentForFlush, m), inboundSpool);
+      if (fr.redelivered > 0) {
+        process.stderr.write(`telegram gateway: reply-released-gate flushed ${fr.redelivered}/${fr.drained} held inbound for ${selfAgentForFlush}${fr.rebuffered > 0 ? ` (${fr.rebuffered} re-buffered)` : ""}
+`);
+      }
+    }
+  }
+}
 function endCurrentTurnAtomic(turn) {
   if (currentTurn !== turn)
     return;
@@ -51328,6 +51384,7 @@ ${url}`;
       turn.finalAnswerDelivered = true;
       finalizeStatusReaction(chat_id, threadId, "done");
     }
+    releaseTurnBufferGate(statusKey(chat_id, threadId));
   }
   process.stderr.write(`telegram channel: reply: finalized chatId=${chat_id} messageIds=[${sentIds.join(",")}] chunks=${chunks.length}
 `);
@@ -51465,6 +51522,11 @@ async function executeStreamReply(args) {
   })) {
     turn.finalAnswerDelivered = true;
   }
+  {
+    const sChat = args.chat_id;
+    const sThread = resolveThreadId(sChat, args.message_thread_id);
+    releaseTurnBufferGate(statusKey(sChat, sThread));
+  }
   return { content: [{ type: "text", text: `${result.status} (id: ${result.messageId ?? "pending"})` }] };
 }
 async function executeProgressUpdate(args) {
@@ -55370,15 +55432,20 @@ async function handleVaultRequestSaveCallback(ctx, data) {
   }
   if (action === "save") {
     await ctx.answerCallbackQuery({ text: "\u23F3 Saving\u2026" }).catch(() => {});
-    const cached = vaultPassphraseCache.get(pending2.chat_id);
-    if (!cached || cached.expiresAt <= Date.now()) {
-      if (pending2.card_message_id != null) {
-        await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\uD83D\uDD12 <b>Vault is locked.</b> Run <code>/vault unlock</code> (or any /vault command) to cache the passphrase, then tap Save again on the next card.`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+    let write;
+    if (VAULT_APPROVAL_AUTH_MODE === "telegram-id") {
+      write = await defaultVaultWritePosture(pending2.key, pending2.value);
+    } else {
+      const cached = vaultPassphraseCache.get(pending2.chat_id);
+      if (!cached || cached.expiresAt <= Date.now()) {
+        if (pending2.card_message_id != null) {
+          await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\uD83D\uDD12 <b>Passphrase not cached for this chat.</b> Run <code>/vault unlock</code> (or any /vault command) to cache it, then tap Save again on the next card.`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+        }
+        pendingVaultRequestSaves.delete(stageId);
+        return;
       }
-      pendingVaultRequestSaves.delete(stageId);
-      return;
+      write = defaultVaultWrite(pending2.key, pending2.value, cached.passphrase);
     }
-    const write = defaultVaultWrite(pending2.key, pending2.value, cached.passphrase);
     if (!write.ok) {
       const parsed = parseVaultCliError(write.output);
       const rendered = renderVaultCliError(parsed, { verb: "save", key: pending2.key });

package/telegram-plugin/gateway/gateway.ts

@@ -332,7 +332,7 @@ import {
 import { runPipeline } from '../secret-detect/pipeline.js'
 import { StagingMap } from '../secret-detect/staging.js'
 import { maskToken } from '../secret-detect/mask.js'
-import { defaultVaultWrite, defaultVaultList } from '../secret-detect/vault-write.js'
+import { defaultVaultWrite, defaultVaultList, defaultVaultWritePosture } from '../secret-detect/vault-write.js'
 import { parseVaultCliError, renderVaultCliError } from '../secret-detect/vault-error.js'
 import { recentDenialsFromAuditLog, type RecentDenial } from './recent-denials.js'
 import { detectSecrets } from '../secret-detect/index.js'
@@ -1412,6 +1412,78 @@ function purgeReactionTracking(key: string, endingTurn?: CurrentTurn): void {
   }
 }
 
+/**
+ * Narrow buffer-gate release. Clears the per-key
+ * `activeTurnStartedAt` entry and triggers the held-inbound flush
+ * if the fleet went idle, WITHOUT touching the reaction
+ * controller, the active-reaction message-id, or the typing loop.
+ *
+ * Why split from `purgeReactionTracking`. #1718's contract keeps
+ * `activeStatusReactions[key]` alive across the turn so the
+ * working-state ladder can re-paint on every tool/thinking event
+ * (and the steer-vs-queue logic at the inbound handler reads the
+ * controller — gateway.ts:8322-8323 — to classify mid-turn
+ * messages). Wiping the controller mid-turn would either collapse
+ * the ladder to 👍 prematurely (#1713 regression) or break the
+ * steer detection.
+ *
+ * The BUFFER gate (`activeTurnStartedAt`) is a separate concern:
+ * it gates `shouldBufferInbound` (gateway.ts:8603) and the
+ * "claude is idle" flush at `purgeReactionTracking`'s tail. The
+ * #1728/#1729 fix released both halves together by gating on
+ * `isFinalAnswerReply`, but a trivial-prompt reply that sets
+ * `disable_notification: true` and is < 200 chars (e.g. the model
+ * mis-classifies "4" as an interim ack) returns false from
+ * `isFinalAnswerReply`, so neither half releases and the gate
+ * wedges (v0.13.30 UAT regression — every subsequent inbound logs
+ * `held mid-turn ... will flush on turn-complete` forever).
+ *
+ * `releaseTurnBufferGate` is called from `executeReply` on EVERY
+ * successful reply finalize — regardless of `isFinalAnswerReply` —
+ * so the buffer gate releases independently of the reaction
+ * state. The reaction controller stays for #1713's bidirectional
+ * ladder + steer detection; only the gate flips.
+ *
+ * Idempotent: a second release is a no-op `.delete()` on an
+ * already-empty key.
+ *
+ * @internal exported only via the `gateway.ts` module — used by
+ * `executeReply`'s post-send block and by tests via source-level
+ * pinning in `vault-approval-posture.test.ts` / wedge-guard suites.
+ */
+function releaseTurnBufferGate(key: string): void {
+  if (!activeTurnStartedAt.has(key)) return
+  activeTurnStartedAt.delete(key)
+  // Shadow trace so the structural turn-end metric still records.
+  // outboundEmitted=true is correct here — we only reach this from
+  // executeReply AFTER an outbound landed.
+  shadowEmit({ kind: 'turnEnd', key: key as _ChatKey, at: Date.now(), outboundEmitted: true })
+
+  // Mirror the deterministic-delivery flush from
+  // `purgeReactionTracking` (gateway.ts:1376-1399). When the fleet
+  // hits zero-active-turns, drain any held inbound. This is the
+  // load-bearing wedge fix: the gate that pinned msg 1874+ in
+  // test-harness's 13:02 UAT now opens after the reply.
+  if (activeTurnStartedAt.size === 0) {
+    const selfAgentForFlush = process.env.SWITCHROOM_AGENT_NAME ?? ''
+    if (pendingInboundBuffer.depth(selfAgentForFlush) > 0) {
+      const fr = redeliverBufferedInbound(
+        pendingInboundBuffer,
+        selfAgentForFlush,
+        (m) => ipcServer.sendToAgent(selfAgentForFlush, m),
+        inboundSpool,
+      )
+      if (fr.redelivered > 0) {
+        process.stderr.write(
+          `telegram gateway: reply-released-gate flushed ${fr.redelivered}/${fr.drained} ` +
+          `held inbound for ${selfAgentForFlush}` +
+          `${fr.rebuffered > 0 ? ` (${fr.rebuffered} re-buffered)` : ''}\n`,
+        )
+      }
+    }
+  }
+}
+
 /**
  * Atomic null-and-purge for a wedged turn. Every site that ends a
  * turn by nulling `currentTurn` MUST also clear the turn's statusKey
@@ -4975,6 +5047,24 @@ async function executeReply(args: Record<string, unknown>): Promise<{ content: A
       // observable side effects that #1718 deferred unconditionally.
       finalizeStatusReaction(chat_id, threadId, 'done')
     }
+    // v0.13.30 follow-up — release the buffer gate on EVERY reply
+    // finalize, not just on `isFinalAnswerReply`. The narrow
+    // `finalizeStatusReaction` path above misses short replies that
+    // set `disable_notification: true` (the model mis-classifies a
+    // genuine answer as an interim ack — e.g. "4" for "what's
+    // 2+2"). Pre-fix the gate stayed set forever and every later
+    // inbound logged `held mid-turn ... will flush on turn-
+    // complete` — but turn-complete never came because Claude
+    // Code's `turn_duration` system event doesn't reliably land
+    // for trivial-prompt turns. v0.13.30 UAT showed the regression
+    // (msg 1873 reply at 13:02:46, msg 1874 held at 13:03:04, gate
+    // never released).
+    //
+    // The reaction controller stays alive (preserves #1713
+    // bidirectional ladder + the steer-vs-queue logic at
+    // gateway.ts:8322 which reads `activeStatusReactions`). Only
+    // the buffer gate flips.
+    releaseTurnBufferGate(statusKey(chat_id, threadId))
   }
 
   process.stderr.write(`telegram channel: reply: finalized chatId=${chat_id} messageIds=[${sentIds.join(',')}] chunks=${chunks.length}\n`)
@@ -5231,6 +5321,17 @@ async function executeStreamReply(args: Record<string, unknown>): Promise<unknow
   ) {
     turn.finalAnswerDelivered = true
   }
+  // v0.13.30 follow-up — release the buffer gate on every successful
+  // stream_reply too. Same rationale as executeReply: short replies
+  // with `disable_notification: true` would otherwise wedge the gate
+  // forever. `result.status` is always 'updated' | 'finalized'
+  // (stream-reply-handler.ts:305) at this point — earlier failures
+  // throw or return before reaching here.
+  {
+    const sChat = args.chat_id as string
+    const sThread = resolveThreadId(sChat, args.message_thread_id as string | undefined)
+    releaseTurnBufferGate(statusKey(sChat, sThread))
+  }
   return { content: [{ type: 'text', text: `${result.status} (id: ${result.messageId ?? 'pending'})` }] }
 }
 
@@ -11774,47 +11875,50 @@ async function handleVaultRequestSaveCallback(ctx: Context, data: string): Promi
     // stale "spinning" state on the button while we run the write.
     await ctx.answerCallbackQuery({ text: '⏳ Saving…' }).catch(() => {})
 
-    // #1115 follow-up: telegram-id mode silent-save was withdrawn. The
-    // original PR shortcut routed the save through an in-memory
-    // passphrase the gateway held under telegram-id; the reviewer
-    // flagged that as a bypass surface (claude in the same container
-    // could exfiltrate the passphrase). The access-approve flow now
-    // attests via the broker (`attest_via_posture: true` on
-    // mint_grant) so the passphrase never leaves the broker. The
-    // save-approve flow uses `defaultVaultWrite` which shells to the
-    // CLI — routing it through broker-IPC attest_via_posture is a
-    // tracked follow-up. Until then, vault_request_save under
-    // telegram-id falls through to the standard passphrase-cache
-    // path: the operator must have unlocked the vault in this chat
-    // (`/vault unlock` or any /vault command) so the cache is
-    // populated. Same UX as passphrase mode.
-
-    // Fetch the cached passphrase for this chat. If the gateway hasn't
-    // seen the user unlock the vault yet, we can't attest the write —
-    // surface the unlock card via the same path the deferred-secret
-    // flow uses (issue #44).
-    const cached = vaultPassphraseCache.get(pending.chat_id)
-    if (!cached || cached.expiresAt <= Date.now()) {
-      if (pending.card_message_id != null) {
-        await ctx.api
-          .editMessageText(
-            pending.chat_id,
-            pending.card_message_id,
-            `🔒 <b>Vault is locked.</b> Run <code>/vault unlock</code> (or any /vault command) to cache the passphrase, then tap Save again on the next card.`,
-            { parse_mode: 'HTML', reply_markup: { inline_keyboard: [] } },
-          )
-          .catch(() => {})
+    // #1115 follow-up: the save-approve flow now mirrors the access-
+    // approve flow under telegram-id mode — broker `put` accepts
+    // `attest_via_posture: true` (server.ts:1448-1500), so the
+    // gateway can attest the write without a cached passphrase.
+    // Closes the UX gap where tapping Save surfaced a misleading
+    // "🔒 Vault is locked" message even when the broker had been
+    // auto-unlocked at boot.
+    //
+    // Branch: under telegram-id mode use the posture-attested put;
+    // under passphrase mode keep the existing cached-passphrase +
+    // shell-to-CLI path (operator must `/vault unlock` once per
+    // chat session to populate `vaultPassphraseCache`).
+    let write: { ok: boolean; output: string }
+    if (VAULT_APPROVAL_AUTH_MODE === 'telegram-id') {
+      // Posture-attested broker put. No passphrase needed. The broker
+      // verifies (a) telegram-id mode, (b) per-agent peer, (c) broker
+      // unlocked — see server.ts:1448-1500.
+      write = await defaultVaultWritePosture(pending.key, pending.value)
+    } else {
+      // Passphrase mode — fetch the cached passphrase for this chat.
+      // If the gateway hasn't seen the user unlock the vault yet, we
+      // can't attest the write — surface the unlock prompt.
+      const cached = vaultPassphraseCache.get(pending.chat_id)
+      if (!cached || cached.expiresAt <= Date.now()) {
+        if (pending.card_message_id != null) {
+          await ctx.api
+            .editMessageText(
+              pending.chat_id,
+              pending.card_message_id,
+              `🔒 <b>Passphrase not cached for this chat.</b> Run <code>/vault unlock</code> (or any /vault command) to cache it, then tap Save again on the next card.`,
+              { parse_mode: 'HTML', reply_markup: { inline_keyboard: [] } },
+            )
+            .catch(() => {})
+        }
+        pendingVaultRequestSaves.delete(stageId)
+        return
       }
-      pendingVaultRequestSaves.delete(stageId)
-      return
+      // defaultVaultWrite spawns `switchroom vault set <key>` with the
+      // passphrase env set; the CLI forwards the passphrase to the
+      // broker put as operator-attestation (#969 P1a), which authorizes
+      // new-key creation.
+      write = defaultVaultWrite(pending.key, pending.value, cached.passphrase)
     }
 
-    // Run the write. defaultVaultWrite spawns `switchroom vault set
-    // <key>` with the passphrase env set; the CLI in turn forwards the
-    // passphrase to the broker put as operator-attestation (#969 P1a),
-    // which authorizes new-key creation.
-    const write = defaultVaultWrite(pending.key, pending.value, cached.passphrase)
-
     if (!write.ok) {
       // Route through the structured-error renderer from #969 P0b so
       // failures show the actionable host hint instead of a raw blob.

package/telegram-plugin/secret-detect/vault-write.ts

@@ -1,15 +1,31 @@
 /**
  * Programmatic vault write from the Telegram plugin path.
  *
- * Reuses the existing `runVaultCli`-style approach (spawn `switchroom vault
- * set` with SWITCHROOM_VAULT_PASSPHRASE in env and the secret piped on
- * stdin) so we don't have to import and open the vault directly from this
- * subprocess.
+ * Two flavors:
  *
- * Exposed as a pure function for testability: callers inject the spawn
- * helper in tests to avoid needing a real vault on disk.
+ *   1. `defaultVaultWrite(slug, value, passphrase)` — shell-out to
+ *      `switchroom vault set`. The CLI forwards the passphrase to the
+ *      broker as operator-attestation (#969 P1a). Used by passphrase-
+ *      mode approval flows where the gateway cached the operator's
+ *      passphrase via /vault unlock.
+ *
+ *   2. `defaultVaultWritePosture(slug, value)` — direct broker call via
+ *      `putViaBroker(..., attest_via_posture: true)`. Used by
+ *      telegram-id-mode approval flows where the broker auto-unlocked
+ *      at boot and the gateway never needs the passphrase
+ *      (`vault.broker.approvalAuth: telegram-id` in switchroom.yaml).
+ *      Closes the UX gap where tapping Save on a `vault_request_save`
+ *      card surfaced a misleading "🔒 Vault is locked" message when
+ *      the operator hadn't run /vault unlock in that chat — even
+ *      though the broker had been unlocked for hours. The tracked
+ *      follow-up of #1115; broker side has supported the flag since
+ *      PR #1115 follow-up rev 3.
+ *
+ * Exposed as pure functions for testability: callers inject the spawn /
+ * broker helper in tests to avoid needing a real vault on disk.
  */
 import { execFileSync } from 'node:child_process'
+import { putViaBroker, resolveBrokerSocketPath } from '../../src/vault/broker/client.js'
 
 export interface VaultWriteResult {
   ok: boolean
@@ -22,6 +38,68 @@ export type VaultWriteFn = (
   passphrase: string,
 ) => VaultWriteResult
 
+/**
+ * Posture-attested vault write — no passphrase required. Returns the
+ * same `VaultWriteResult` shape as `defaultVaultWrite` for drop-in
+ * substitution at the gateway save / defer / auto-save callsites.
+ *
+ * Caller MUST verify `vault.broker.approvalAuth === 'telegram-id'` in
+ * config before invoking — the broker will reject `attest_via_posture`
+ * under passphrase mode with `attest_via_posture requires
+ * vault.broker.approvalAuth: telegram-id` (server.ts:1500). The
+ * gateway's `VAULT_APPROVAL_AUTH_MODE` flag is the canonical signal.
+ *
+ * Returns `{ ok: false, output: ... }` on any broker error so the
+ * gateway's existing parseVaultCliError / renderVaultCliError path
+ * still works.
+ */
+/**
+ * Test-injection seam for `defaultVaultWritePosture`. Production
+ * callers omit and get the live broker client; tests pass mock
+ * functions to avoid `vi.mock` / `mock.module` (which don't
+ * cross-runtime cleanly — vitest's `vi.mock` and bun:test's
+ * `mock.module` need separate wiring and shadow other tests' module
+ * imports if not carefully isolated).
+ */
+export interface VaultWritePostureDeps {
+  putViaBroker?: typeof putViaBroker
+  resolveBrokerSocketPath?: typeof resolveBrokerSocketPath
+}
+
+export type VaultWritePostureFn = (
+  slug: string,
+  value: string,
+  deps?: VaultWritePostureDeps,
+) => Promise<VaultWriteResult>
+
+export const defaultVaultWritePosture: VaultWritePostureFn = async (
+  slug,
+  value,
+  deps,
+) => {
+  const put = deps?.putViaBroker ?? putViaBroker
+  const resolveSocket = deps?.resolveBrokerSocketPath ?? resolveBrokerSocketPath
+  const socket = resolveSocket()
+  const result = await put(
+    slug,
+    { kind: 'string', value },
+    { socket, attest_via_posture: true, timeoutMs: 10000 },
+  )
+  if (result.kind === 'ok') {
+    return { ok: true, output: `sent (key: ${slug})` }
+  }
+  // Mirror the CLI's error format so the existing parseVaultCliError
+  // / renderVaultCliError stack handles broker-mediated failures
+  // without a special branch.
+  const prefix =
+    result.kind === 'unreachable'
+      ? 'VAULT-BROKER-UNREACHABLE'
+      : result.kind === 'denied'
+        ? `VAULT-BROKER-DENIED (${result.code})`
+        : `VAULT-BROKER-${result.code}`
+  return { ok: false, output: `${prefix}: ${result.msg}` }
+}
+
 export type VaultListFn = (passphrase: string) => { ok: boolean; keys: string[] }
 
 export const defaultVaultWrite: VaultWriteFn = (slug, value, passphrase) => {

package/telegram-plugin/tests/buffer-gate-broadened.test.ts

@@ -0,0 +1,138 @@
+/**
+ * Regression guard for the v0.13.30→v0.13.31 wedge fix: the buffer
+ * gate (`activeTurnStartedAt`) must release on EVERY successful
+ * reply / stream_reply finalize — not just on `isFinalAnswerReply`.
+ *
+ * Surfaced 2026-05-24 via the v0.13.30 UAT canary:
+ *   13:02:46 reply finalized for msg 1873 (charCount=67)
+ *   13:03:04 msg 1874 — held mid-turn  (gate STILL open)
+ *   13:03:40 msg 1875 — held mid-turn  (depth=2)
+ *   13:04:19 msg 1876 — held mid-turn  (depth=3)
+ *
+ * Root cause: the trivial-prompt reply used `disable_notification:
+ * true` and was < 200 chars (the model classified "4" as an interim
+ * ack), so `isFinalAnswerReply` returned false, the
+ * `finalizeStatusReaction` gate in `executeReply` short-circuited,
+ * and the buffer gate stayed set. Pre-#1718 the gate released on
+ * every reply (via `endStatusReaction → purgeReactionTracking`);
+ * #1718 deferred everything to `turn_end`, then #1729 partially
+ * restored via `isFinalAnswerReply`-gated finalize. This fix
+ * decouples the buffer-gate release from the reaction-state
+ * finalize: every successful reply releases the gate, the reaction
+ * controller stays alive (preserves #1713 bidirectional ladder +
+ * the steer-vs-queue logic).
+ *
+ * The gateway IIFE is too entangled to instantiate in-process; we
+ * do source-level assertions like `reply-terminal-reaction.test.ts`
+ * does. If a future commit regresses the contract (re-narrows the
+ * gate release, or removes the helper), these assertions trip.
+ */
+
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const gatewaySrc = readFileSync(
+  resolve(__dirname, '..', 'gateway', 'gateway.ts'),
+  'utf-8',
+)
+
+describe('buffer-gate release decoupled from final-answer classification', () => {
+  // Extract the helper's docstring (everything between the matching
+  // `/**` block above `function releaseTurnBufferGate` and the
+  // function declaration). The body slice (used by other tests) is
+  // separate — see fnBody().
+  function fnDocstring(): string {
+    const beforeFn = gatewaySrc.split('function releaseTurnBufferGate')[0] ?? ''
+    const lastBlockOpen = beforeFn.lastIndexOf('/**')
+    if (lastBlockOpen < 0) return ''
+    return beforeFn.slice(lastBlockOpen)
+  }
+  function fnBody(): string {
+    // The function body — everything between `function
+    // releaseTurnBufferGate(...): void {` and its matching `}`. Use
+    // a simple brace-balance over the slice from open-brace onward.
+    const afterDecl = gatewaySrc.split('function releaseTurnBufferGate')[1] ?? ''
+    const openIdx = afterDecl.indexOf('{')
+    if (openIdx < 0) return ''
+    let depth = 0
+    for (let i = openIdx; i < afterDecl.length; i++) {
+      const ch = afterDecl[i]
+      if (ch === '{') depth++
+      else if (ch === '}') {
+        depth--
+        if (depth === 0) return afterDecl.slice(openIdx, i + 1)
+      }
+    }
+    return afterDecl.slice(openIdx)
+  }
+
+  it('declares a narrow `releaseTurnBufferGate` helper (not the full purgeReactionTracking)', () => {
+    expect(gatewaySrc).toMatch(/function releaseTurnBufferGate\(key: string\): void/)
+    // The helper docstring must explain WHY split from
+    // purgeReactionTracking — future readers need to know.
+    const doc = fnDocstring()
+    expect(doc).toMatch(/#1713/)
+    expect(doc).toMatch(/steer-vs-queue/)
+  })
+
+  it('releaseTurnBufferGate ONLY clears activeTurnStartedAt + flushes; does NOT touch activeStatusReactions', () => {
+    const body = fnBody()
+    expect(body).toMatch(/activeTurnStartedAt\.delete\(key\)/)
+    expect(body).toMatch(/pendingInboundBuffer/)
+    // Critical regression guard: the helper must NOT touch the
+    // reaction controller, else #1713's bidirectional ladder
+    // collapses to 👍 mid-turn.
+    expect(body).not.toMatch(/activeStatusReactions\.delete/)
+    expect(body).not.toMatch(/activeReactionMsgIds\.delete/)
+    // Also must NOT call finalizeStatusReaction or
+    // purgeReactionTracking (both would clear the controller).
+    expect(body).not.toMatch(/finalizeStatusReaction\(/)
+    expect(body).not.toMatch(/purgeReactionTracking\(/)
+  })
+
+  it('executeReply calls releaseTurnBufferGate OUTSIDE the isFinalAnswerReply branch', () => {
+    // Slice the executeReply post-send block (between the anchor
+    // comments and the next exported function).
+    const post = gatewaySrc.split("fresh sendMessage from reply tool is a user-visible")[1] ?? ''
+    const slice = post.split('\nasync function ')[0] ?? ''
+    // The narrow `isFinalAnswerReply`-gated finalize MUST stay (it
+    // emits the 👍 reaction on the final-answer happy path).
+    expect(slice).toMatch(/isFinalAnswerReply\(/)
+    expect(slice).toMatch(/finalizeStatusReaction\(/)
+    // The new unconditional buffer-gate release must ALSO be
+    // present and must be OUTSIDE the isFinalAnswerReply branch
+    // (so trivial-prompt non-notification replies still release
+    // the gate).
+    expect(slice).toMatch(/releaseTurnBufferGate\(statusKey\(chat_id, threadId\)\)/)
+    // Structural check: the release must appear AFTER the
+    // isFinalAnswerReply block's closing brace but BEFORE the
+    // post-send block ends. Easiest pin: it must NOT be inside the
+    // `if (turn != null && isFinalAnswerReply(...))` block.
+    const gateBlockOpen = slice.indexOf('if (turn != null && isFinalAnswerReply(')
+    const gateBlockClose = slice.indexOf('}', gateBlockOpen)
+    const releaseIdx = slice.indexOf('releaseTurnBufferGate(')
+    expect(gateBlockOpen).toBeGreaterThan(-1)
+    expect(gateBlockClose).toBeGreaterThan(gateBlockOpen)
+    expect(releaseIdx).toBeGreaterThan(gateBlockClose)
+  })
+
+  it('executeStreamReply calls releaseTurnBufferGate before its final return', () => {
+    const post =
+      gatewaySrc.split('async function executeStreamReply')[1]
+        ?.split('\nasync function ')[0] ?? ''
+    expect(post).toMatch(/releaseTurnBufferGate\(statusKey\(/)
+  })
+
+  it('the helper is invoked from executeReply / executeStreamReply only — not from new mid-turn paths', () => {
+    // Sanity: nothing else should call releaseTurnBufferGate. The
+    // helper is narrow on purpose. If future code adds new
+    // callsites that aren't reply-finalize, the steer-vs-queue
+    // semantics could drift.
+    const callMatches = gatewaySrc.match(/releaseTurnBufferGate\(/g) ?? []
+    // Definition + 2 callsites (executeReply, executeStreamReply) = 3.
+    // If this count grows the test catches it; reviewer must justify
+    // any new callsite.
+    expect(callMatches.length).toBe(3)
+  })
+})

package/telegram-plugin/tests/vault-approval-posture.test.ts

@@ -121,20 +121,34 @@ describe('performVaultAccessApproval — broker-mediated attestation', () => {
   })
 })
 
-describe('handleVaultRequestSaveCallback — telegram-id silent path withdrawn', () => {
-  it('NO LONGER reads an in-memory passphrase for telegram-id; falls through to cached-passphrase path', () => {
+describe('handleVaultRequestSaveCallback — posture-attested broker put (#1115 follow-up)', () => {
+  it('NO in-memory passphrase under telegram-id; routes the save through the broker via attest_via_posture', () => {
     const fnBlock =
       gatewaySrc
         .split('async function handleVaultRequestSaveCallback')[1]
         ?.split('async function handleVaultDeferCallback')[0] ?? ''
-    // Regression guard: the original PR added a
-    // `VAULT_APPROVAL_AUTH_MODE === 'telegram-id'` shortcut that
-    // pulled an in-memory passphrase. That was a bypass surface.
-    // The save handler must NOT branch on the posture for an
-    // in-memory passphrase any more.
+    // Regression guard (original #1115 first-cut withdrawal): the
+    // handler must NOT pull a long-lived in-memory passphrase under
+    // telegram-id. That was a bypass surface — claude in the same
+    // container could exfiltrate it. The follow-up replaces it with
+    // a broker-IPC `attest_via_posture` call so the passphrase
+    // never leaves the broker process.
     expect(fnBlock).not.toMatch(/AUTO_UNLOCK_PASSPHRASE/)
-    // Standard cache lookup still present.
+    // The #1115 follow-up wiring: under telegram-id the handler
+    // calls `defaultVaultWritePosture` (posture-attested broker put,
+    // no passphrase). Under passphrase mode it keeps the legacy
+    // cached-passphrase + shell-out path.
+    expect(fnBlock).toMatch(/VAULT_APPROVAL_AUTH_MODE === 'telegram-id'/)
+    expect(fnBlock).toMatch(/defaultVaultWritePosture\(/)
+    // Passphrase-mode branch still present.
     expect(fnBlock).toMatch(/vaultPassphraseCache\.get\(pending\.chat_id\)/)
+    expect(fnBlock).toMatch(/defaultVaultWrite\(pending\.key, pending\.value, cached\.passphrase\)/)
+    // The misleading pre-fix card text ("Vault is locked") must be
+    // rephrased — the broker IS unlocked under telegram-id; only
+    // the chat's passphrase cache needs warming up under passphrase
+    // mode. Pin the corrected wording so the wedge UX can't
+    // silently regress.
+    expect(fnBlock).toMatch(/Passphrase not cached for this chat/)
   })
 })
 

package/telegram-plugin/tests/vault-write-posture.test.ts

@@ -0,0 +1,108 @@
+/**
+ * Unit tests for `defaultVaultWritePosture` — the posture-attested
+ * vault write helper introduced by the #1115 follow-up.
+ *
+ * Contract pinned here:
+ *   - Returns `{ ok: true, output }` on broker `kind: 'ok'`.
+ *   - Returns `{ ok: false, output: <marker>: <msg> }` on each broker
+ *     failure shape (unreachable / denied / not_found), with markers
+ *     that the gateway's `parseVaultCliError` / `renderVaultCliError`
+ *     stack can recognize (so failures still render the actionable
+ *     host hint instead of a raw blob).
+ *   - Forwards `attest_via_posture: true` on the put — the load-
+ *     bearing flag the broker server (server.ts:1448-1500) gates on.
+ *   - Forwards `kind: 'string'` entry shape verbatim (only kind the
+ *     `vault_request_save` MCP tool emits).
+ *
+ * Test seam: the helper accepts an optional `deps` param so tests
+ * inject mock fns directly (no `vi.mock` / `mock.module`). This
+ * keeps the test runnable under both vitest AND bun:test without
+ * the module-cache cross-pollination that broke an earlier rev.
+ */
+
+import { describe, expect, it } from 'vitest'
+import { defaultVaultWritePosture } from '../secret-detect/vault-write.js'
+import type { PutResult } from '../../src/vault/broker/client.js'
+
+type PutCall = {
+  slug: string
+  entry: { kind: 'string'; value: string } | { kind: 'binary'; value: string }
+  opts: { socket?: string; attest_via_posture?: boolean; timeoutMs?: number }
+}
+
+function makeDeps(putResult: PutResult, socket = '/run/switchroom/broker/sock'): {
+  deps: { putViaBroker: (...args: never[]) => Promise<PutResult>; resolveBrokerSocketPath: () => string }
+  calls: PutCall[]
+} {
+  const calls: PutCall[] = []
+  const deps = {
+    putViaBroker: async (...args: never[]): Promise<PutResult> => {
+      const [slug, entry, opts] = args as unknown as [PutCall['slug'], PutCall['entry'], PutCall['opts']]
+      calls.push({ slug, entry, opts })
+      return putResult
+    },
+    resolveBrokerSocketPath: () => socket,
+  }
+  return { deps, calls }
+}
+
+describe('defaultVaultWritePosture', () => {
+  it('returns { ok: true } on broker `kind: ok`', async () => {
+    const { deps } = makeDeps({ kind: 'ok' })
+    const r = await defaultVaultWritePosture('forward-email/api-key', 'sk-value', deps)
+    expect(r.ok).toBe(true)
+    expect(r.output).toContain('forward-email/api-key')
+  })
+
+  it('forwards attest_via_posture: true on the put RPC', async () => {
+    const { deps, calls } = makeDeps({ kind: 'ok' })
+    await defaultVaultWritePosture('ha/access-token', 'jwt-value', deps)
+    expect(calls).toHaveLength(1)
+    expect(calls[0].opts.attest_via_posture).toBe(true)
+  })
+
+  it('forwards kind: string entry verbatim', async () => {
+    const { deps, calls } = makeDeps({ kind: 'ok' })
+    await defaultVaultWritePosture('some-key', 'some-value', deps)
+    expect(calls[0].slug).toBe('some-key')
+    expect(calls[0].entry).toEqual({ kind: 'string', value: 'some-value' })
+  })
+
+  it('returns ok:false with VAULT-BROKER-UNREACHABLE prefix on unreachable', async () => {
+    const { deps } = makeDeps({ kind: 'unreachable', msg: 'connect ENOENT' })
+    const r = await defaultVaultWritePosture('k', 'v', deps)
+    expect(r.ok).toBe(false)
+    expect(r.output).toContain('VAULT-BROKER-UNREACHABLE')
+    expect(r.output).toContain('connect ENOENT')
+  })
+
+  it('returns ok:false with VAULT-BROKER-DENIED prefix on denied', async () => {
+    const { deps } = makeDeps({
+      kind: 'denied',
+      code: 'DENIED',
+      msg: 'attest_via_posture requires telegram-id',
+    })
+    const r = await defaultVaultWritePosture('k', 'v', deps)
+    expect(r.ok).toBe(false)
+    expect(r.output).toContain('VAULT-BROKER-DENIED')
+    expect(r.output).toContain('DENIED')
+    expect(r.output).toContain('telegram-id')
+  })
+
+  it('returns ok:false with VAULT-BROKER-UNKNOWN_KEY prefix on not_found', async () => {
+    const { deps } = makeDeps({
+      kind: 'not_found',
+      code: 'UNKNOWN_KEY',
+      msg: 'no such key',
+    })
+    const r = await defaultVaultWritePosture('k', 'v', deps)
+    expect(r.ok).toBe(false)
+    expect(r.output).toContain('VAULT-BROKER-UNKNOWN_KEY')
+  })
+
+  it('resolves the broker socket via the injected resolveBrokerSocketPath', async () => {
+    const { deps, calls } = makeDeps({ kind: 'ok' }, '/tmp/test-socket')
+    await defaultVaultWritePosture('k', 'v', deps)
+    expect(calls[0].opts.socket).toBe('/tmp/test-socket')
+  })
+})