switchroom 0.13.9 → 0.13.11

package/telegram-plugin/dist/gateway/gateway.js

@@ -27225,7 +27225,7 @@ var init_secretlint_source = __esm(() => {
 function escapeHtml8(s) {
   return s.replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" })[c]);
 }
-function truncate2(s, n) {
+function truncate3(s, n) {
   return s.length > n ? s.slice(0, n - 1) + "\u2026" : s;
 }
 
@@ -29017,6 +29017,161 @@ var init_materialize_bot_token = __esm(() => {
   };
 });
 
+// gateway/config-approval-handler.ts
+var exports_config_approval_handler = {};
+__export(exports_config_approval_handler, {
+  resolvePendingConfigApproval: () => resolvePendingConfigApproval,
+  parseConfigApprovalCallback: () => parseConfigApprovalCallback,
+  handleRequestConfigFinalize: () => handleRequestConfigFinalize,
+  handleRequestConfigApproval: () => handleRequestConfigApproval,
+  buildConfigApprovalCardBody: () => buildConfigApprovalCardBody,
+  _resetPendingConfigApprovalsForTest: () => _resetPendingConfigApprovalsForTest,
+  _peekPendingConfigApprovalForTest: () => _peekPendingConfigApprovalForTest
+});
+function buildConfigApprovalCardBody(args) {
+  const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  return `\uD83D\uDEE0 <b>Config edit proposed</b>
+` + `Agent: <code>${esc(args.agentName)}</code>
+` + `Reason: ${esc(args.reason)}
+
+` + `<pre>${esc(args.unifiedDiff)}</pre>`;
+}
+async function handleRequestConfigApproval(client3, msg, deps) {
+  const reply = (verdict, reason) => {
+    try {
+      client3.send({
+        type: "config_approval_resolved",
+        requestId: msg.requestId,
+        verdict,
+        ...reason ? { reason } : {}
+      });
+    } catch (err) {
+      deps.log?.(`config_approval_resolved send failed (requestId=${msg.requestId}): ${err.message}`);
+    }
+  };
+  if (msg.agentName !== deps.agentName) {
+    reply("deny", `gateway serves '${deps.agentName}', not '${msg.agentName}'`);
+    return;
+  }
+  const target = deps.loadTargetChat();
+  if (target === null) {
+    reply("deny", "no target chat available \u2014 operator not paired?");
+    return;
+  }
+  const body = buildConfigApprovalCardBody({
+    agentName: msg.agentName,
+    reason: msg.reason,
+    unifiedDiff: msg.unifiedDiff
+  });
+  const replyMarkup = deps.buildKeyboard(msg.requestId);
+  const posted = await deps.postCard({
+    chatId: target.chatId,
+    ...target.threadId !== undefined ? { threadId: target.threadId } : {},
+    text: body,
+    replyMarkup
+  });
+  if (posted === null) {
+    reply("deny", "Telegram sendMessage failed");
+    return;
+  }
+  const entry = {
+    requestId: msg.requestId,
+    client: client3,
+    chatId: target.chatId,
+    ...target.threadId !== undefined ? { threadId: target.threadId } : {},
+    messageId: posted.messageId,
+    timer: null,
+    resolved: false
+  };
+  entry.timer = setTimeout(() => {
+    resolvePendingConfigApproval(msg.requestId, "timeout", deps).catch((err) => deps.log?.(`config approval timeout handler threw (requestId=${msg.requestId}): ${err.message}`));
+  }, msg.timeoutMs);
+  pending.set(msg.requestId, entry);
+  deps.log?.(`config_approval_posted requestId=${msg.requestId} agent=${msg.agentName} messageId=${posted.messageId}`);
+}
+async function resolvePendingConfigApproval(requestId, verdict, deps) {
+  const entry = pending.get(requestId);
+  if (!entry || entry.resolved)
+    return false;
+  entry.resolved = true;
+  if (entry.timer !== null) {
+    clearTimeout(entry.timer);
+    entry.timer = null;
+  }
+  try {
+    entry.client.send({
+      type: "config_approval_resolved",
+      requestId,
+      verdict
+    });
+  } catch (err) {
+    deps.log?.(`config_approval_resolved send failed (requestId=${requestId}): ${err.message}`);
+  }
+  const interim = verdict === "approve" ? "\uD83D\uDC40 <b>Applying\u2026</b>" : verdict === "deny" ? "\uD83D\uDEAB <b>Denied</b>" : "\u23f1 <b>Expired</b>";
+  try {
+    await deps.editCard({
+      chatId: entry.chatId,
+      messageId: entry.messageId,
+      text: interim
+    });
+  } catch (err) {
+    deps.log?.(`config approval card edit failed (requestId=${requestId}): ${err.message}`);
+  }
+  return true;
+}
+async function handleRequestConfigFinalize(_client, msg, deps) {
+  const entry = pending.get(msg.requestId);
+  if (!entry) {
+    deps.log?.(`config_finalize: no pending entry for requestId=${msg.requestId} (likely already cleaned up)`);
+    return;
+  }
+  pending.delete(msg.requestId);
+  const body = msg.outcome === "applied" ? `\u2705 <b>Applied</b>${msg.detail ? `
+${escapeHtml11(msg.detail)}` : ""}` : `\u26a0\ufe0f <b>Reconcile failed; rolled back</b>${msg.detail ? `
+${escapeHtml11(msg.detail)}` : ""}`;
+  try {
+    await deps.editCard({
+      chatId: entry.chatId,
+      messageId: entry.messageId,
+      text: body
+    });
+  } catch (err) {
+    deps.log?.(`config finalize card edit failed (requestId=${msg.requestId}): ${err.message}`);
+  }
+}
+function escapeHtml11(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function _resetPendingConfigApprovalsForTest() {
+  for (const entry of pending.values()) {
+    if (entry.timer !== null)
+      clearTimeout(entry.timer);
+  }
+  pending.clear();
+}
+function _peekPendingConfigApprovalForTest(requestId) {
+  return pending.get(requestId);
+}
+function parseConfigApprovalCallback(data) {
+  if (!data.startsWith("cfg:"))
+    return null;
+  const rest = data.slice(4);
+  const colon = rest.lastIndexOf(":");
+  if (colon < 0)
+    return null;
+  const requestId = rest.slice(0, colon);
+  const choice = rest.slice(colon + 1);
+  if (requestId.length === 0 || requestId.length > 64)
+    return null;
+  if (choice !== "approve" && choice !== "deny")
+    return null;
+  return { requestId, choice };
+}
+var pending;
+var init_config_approval_handler = __esm(() => {
+  pending = new Map;
+});
+
 // ../src/agents/tmux.ts
 var exports_tmux = {};
 __export(exports_tmux, {
@@ -29229,17 +29384,17 @@ function registerApprovalsCommands(bot, opts) {
         return;
       }
       if (decisions.length === 0) {
-        await ctx.reply(agentFilter ? `No active approvals for <code>${escapeHtml11(agentFilter)}</code>.` : "No active approvals.", { parse_mode: "HTML" });
+        await ctx.reply(agentFilter ? `No active approvals for <code>${escapeHtml12(agentFilter)}</code>.` : "No active approvals.", { parse_mode: "HTML" });
         return;
       }
       const byAgent = new Map;
       for (const d of decisions)
         byAgent.set(d.agent_unit, (byAgent.get(d.agent_unit) ?? 0) + 1);
-      const summary = Array.from(byAgent.entries()).map(([a, n]) => `\u2022 <b>${escapeHtml11(a)}</b>: ${n}`).join(`
+      const summary = Array.from(byAgent.entries()).map(([a, n]) => `\u2022 <b>${escapeHtml12(a)}</b>: ${n}`).join(`
 `);
       const detail = decisions.slice(0, 20).map((d) => {
         const ttl = d.ttl_expires_at === null ? "always" : `until ${new Date(d.ttl_expires_at).toISOString().slice(0, 16).replace("T", " ")}`;
-        return `<code>${escapeHtml11(d.id.slice(0, 8))}</code> ` + `${escapeHtml11(d.agent_unit)} \u2192 ` + `<code>${escapeHtml11(d.scope)}</code> ` + `(${escapeHtml11(d.action)}, ${ttl}) ` + `\u00b7 /approvals revoke ${escapeHtml11(d.id)}`;
+        return `<code>${escapeHtml12(d.id.slice(0, 8))}</code> ` + `${escapeHtml12(d.agent_unit)} \u2192 ` + `<code>${escapeHtml12(d.scope)}</code> ` + `(${escapeHtml12(d.action)}, ${ttl}) ` + `\u00b7 /approvals revoke ${escapeHtml12(d.id)}`;
       }).join(`
 `);
       await ctx.reply(`<b>Active approvals</b>
@@ -29265,13 +29420,13 @@ ${detail}`, {
         await ctx.reply("Approval kernel unreachable.");
         return;
       }
-      await ctx.reply(ok ? `Revoked <code>${escapeHtml11(id)}</code>.` : `No such active decision <code>${escapeHtml11(id)}</code>.`, { parse_mode: "HTML" });
+      await ctx.reply(ok ? `Revoked <code>${escapeHtml12(id)}</code>.` : `No such active decision <code>${escapeHtml12(id)}</code>.`, { parse_mode: "HTML" });
       return;
     }
-    await ctx.reply(`Unknown subcommand <code>${escapeHtml11(sub)}</code>. ` + `Use <code>/approvals list</code> or <code>/approvals revoke &lt;id&gt;</code>. ` + `(<code>add</code> and <code>stats</code> are coming in a follow-up.)`, { parse_mode: "HTML" });
+    await ctx.reply(`Unknown subcommand <code>${escapeHtml12(sub)}</code>. ` + `Use <code>/approvals list</code> or <code>/approvals revoke &lt;id&gt;</code>. ` + `(<code>add</code> and <code>stats</code> are coming in a follow-up.)`, { parse_mode: "HTML" });
   });
 }
-function escapeHtml11(s) {
+function escapeHtml12(s) {
   return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 var init_approvals_commands = __esm(() => {
@@ -29353,16 +29508,16 @@ function renderAccountRow2(snap, opts) {
   const lines = [];
   const marker = snap.isActive ? "\u25cf " : "";
   if (!snap.quota) {
-    lines.push(`${marker}<code>${escapeHtml12(snap.label)}</code>  <i>quota probe failed</i>`);
+    lines.push(`${marker}<code>${escapeHtml13(snap.label)}</code>  <i>quota probe failed</i>`);
     if (snap.quotaError) {
-      lines.push(`  <i>${escapeHtml12(snap.quotaError)}</i>`);
+      lines.push(`  <i>${escapeHtml13(snap.quotaError)}</i>`);
     }
     return lines;
   }
   const q = snap.quota;
   const fiveStr = fmtPct2(q.fiveHourUtilizationPct);
   const sevenStr = fmtPct2(q.sevenDayUtilizationPct);
-  lines.push(`${marker}<code>${escapeHtml12(snap.label)}</code>  ${fiveStr} / ${sevenStr}`);
+  lines.push(`${marker}<code>${escapeHtml13(snap.label)}</code>  ${fiveStr} / ${sevenStr}`);
   const health = classifyHealth2(snap);
   if (health === "blocked") {
     const win = bindingWindow2(q);
@@ -29468,13 +29623,13 @@ function renderFallbackAnnouncement2(input) {
   const limitWord = input.oldQuota ? limitWordFor2(input.oldQuota) : "quota";
   const headerLimit = limitWord === "quota" ? "quota cap" : `${limitWord} limit`;
   if (!input.newLabel) {
-    lines.push(`\uD83D\uDD34 <b>All accounts blocked \u00b7 ${headerLimit} on ${escapeHtml12(input.oldLabel)}</b>`);
+    lines.push(`\uD83D\uDD34 <b>All accounts blocked \u00b7 ${headerLimit} on ${escapeHtml13(input.oldLabel)}</b>`);
     lines.push("");
-    lines.push(`Triggered by: agent <b>${escapeHtml12(input.triggerAgent)}</b>`);
+    lines.push(`Triggered by: agent <b>${escapeHtml13(input.triggerAgent)}</b>`);
     if (input.oldQuota) {
       const recovery = recoveryAtFor2(input.oldQuota);
       if (recovery) {
-        lines.push(`${escapeHtml12(input.oldLabel)} recovers ${formatAbsolute2(recovery, tz)} ` + `(in ${formatRelative2(recovery, now)})`);
+        lines.push(`${escapeHtml13(input.oldLabel)} recovers ${formatAbsolute2(recovery, tz)} ` + `(in ${formatRelative2(recovery, now)})`);
       }
     }
     lines.push("");
@@ -29482,15 +29637,15 @@ function renderFallbackAnnouncement2(input) {
     return lines.join(`
 `);
   }
-  lines.push(`\u2713 <b>Switched fleet \u00b7 ${headerLimit} on ${escapeHtml12(input.oldLabel)}</b>`);
+  lines.push(`\u2713 <b>Switched fleet \u00b7 ${headerLimit} on ${escapeHtml13(input.oldLabel)}</b>`);
   lines.push("");
-  lines.push(`<code>${escapeHtml12(input.oldLabel)}</code> \u2192 <code>${escapeHtml12(input.newLabel)}</code>`);
-  lines.push(`Triggered by: agent <b>${escapeHtml12(input.triggerAgent)}</b>`);
+  lines.push(`<code>${escapeHtml13(input.oldLabel)}</code> \u2192 <code>${escapeHtml13(input.newLabel)}</code>`);
+  lines.push(`Triggered by: agent <b>${escapeHtml13(input.triggerAgent)}</b>`);
   lines.push("");
   if (input.oldQuota) {
     const recovery = recoveryAtFor2(input.oldQuota);
     if (recovery) {
-      lines.push(`<code>${escapeHtml12(input.oldLabel)}</code> recovers ` + `${formatAbsolute2(recovery, tz)} (in ${formatRelative2(recovery, now)})`);
+      lines.push(`<code>${escapeHtml13(input.oldLabel)}</code> recovers ` + `${formatAbsolute2(recovery, tz)} (in ${formatRelative2(recovery, now)})`);
     }
   }
   if (input.newQuota) {
@@ -29498,7 +29653,7 @@ function renderFallbackAnnouncement2(input) {
     const sevenStr = fmtPct2(input.newQuota.sevenDayUtilizationPct);
     const hasHeadroom = input.newQuota.fiveHourUtilizationPct < THROTTLING_THRESHOLD_PCT2 && input.newQuota.sevenDayUtilizationPct < THROTTLING_THRESHOLD_PCT2;
     const headroomStr = hasHeadroom ? "<i>(plenty of headroom)</i>" : "<i>(near limit \u2014 watch this)</i>";
-    lines.push(`<code>${escapeHtml12(input.newLabel)}</code> now: ${fiveStr} of 5h \u00b7 ${sevenStr} of 7d ${headroomStr}`);
+    lines.push(`<code>${escapeHtml13(input.newLabel)}</code> now: ${fiveStr} of 5h \u00b7 ${sevenStr} of 7d ${headroomStr}`);
   } else {
     lines.push(`<i>(quota probe for new account is pending \u2014 will reflect on next /auth)</i>`);
   }
@@ -29557,7 +29712,7 @@ function switchPriority2(s) {
     return 2;
   return 3;
 }
-function escapeHtml12(s) {
+function escapeHtml13(s) {
   return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 function buildSnapshotsFromState2(state4, quotas) {
@@ -39477,7 +39632,8 @@ function resolveModelUnavailableFromOperatorEvent(ev) {
     return detectModelUnavailable(detail) ?? { kind: "quota_exhausted", raw: detail };
   }
   if (ev.kind === "rate-limited") {
-    return detectModelUnavailable(detail) ?? { kind: "overload", raw: detail };
+    const detected = detectModelUnavailable(detail);
+    return detected?.kind === "quota_exhausted" ? detected : null;
   }
   if (ev.kind === "unknown-5xx") {
     return detectModelUnavailable(detail) ?? { kind: "overload", raw: detail };
@@ -43135,6 +43291,28 @@ function validateClientMessage(msg) {
       const inb = m.inbound;
       return inb.type === "inbound" && typeof inb.chatId === "string" && inb.chatId.length > 0 && typeof inb.text === "string" && typeof inb.messageId === "number" && typeof inb.user === "string" && typeof inb.userId === "number" && typeof inb.ts === "number" && typeof inb.meta === "object" && inb.meta !== null;
     }
+    case "request_config_approval": {
+      if (typeof m.requestId !== "string" || m.requestId.length === 0 || m.requestId.length > 64)
+        return false;
+      if (typeof m.agentName !== "string" || !AGENT_NAME_RE3.test(m.agentName))
+        return false;
+      if (typeof m.reason !== "string" || m.reason.length === 0 || m.reason.length > 500)
+        return false;
+      if (typeof m.unifiedDiff !== "string" || m.unifiedDiff.length === 0)
+        return false;
+      if (typeof m.timeoutMs !== "number" || !Number.isFinite(m.timeoutMs) || m.timeoutMs <= 0)
+        return false;
+      return true;
+    }
+    case "request_config_finalize": {
+      if (typeof m.requestId !== "string" || m.requestId.length === 0 || m.requestId.length > 64)
+        return false;
+      if (m.outcome !== "applied" && m.outcome !== "reconcile_failed_rolled_back")
+        return false;
+      if (m.detail !== undefined && (typeof m.detail !== "string" || m.detail.length > 500))
+        return false;
+      return true;
+    }
     case "request_drive_approval": {
       if (typeof m.correlationId !== "string" || m.correlationId.length === 0 || m.correlationId.length > 64)
         return false;
@@ -43164,6 +43342,8 @@ function createIpcServer(options) {
     onPtyPartial,
     onInjectInbound,
     onRequestDriveApproval,
+    onRequestConfigApproval,
+    onRequestConfigFinalize,
     log = () => {},
     heartbeatTimeoutMs = 30000
   } = options;
@@ -43268,6 +43448,37 @@ function createIpcServer(options) {
           } catch {}
         }
         break;
+      case "request_config_approval":
+        if (onRequestConfigApproval) {
+          onRequestConfigApproval(client3, msg).catch((err) => {
+            log(`request_config_approval handler threw (client=${client3.id}): ${err.message}`);
+            try {
+              client3.send({
+                type: "config_approval_resolved",
+                requestId: msg.requestId,
+                verdict: "deny",
+                reason: `gateway handler error: ${err.message}`
+              });
+            } catch {}
+          });
+        } else {
+          try {
+            client3.send({
+              type: "config_approval_resolved",
+              requestId: msg.requestId,
+              verdict: "deny",
+              reason: "gateway not configured for config-edit approval"
+            });
+          } catch {}
+        }
+        break;
+      case "request_config_finalize":
+        if (onRequestConfigFinalize) {
+          onRequestConfigFinalize(client3, msg).catch((err) => {
+            log(`request_config_finalize handler threw (client=${client3.id}): ${err.message}`);
+          });
+        }
+        break;
       case "update_placeholder":
         if (!loggedLegacyUpdatePlaceholder.has(client3.id)) {
           loggedLegacyUpdatePlaceholder.add(client3.id);
@@ -44530,6 +44741,74 @@ function buildVaultSaveDiscardedInbound(opts) {
   };
 }
 
+// gateway/subagent-handback-inbound-builder.ts
+var HANDBACK_RESULT_MAX = 3000;
+var HANDBACK_DESC_MAX = 200;
+function truncate2(s, max) {
+  const t = s.trim();
+  return t.length > max ? t.slice(0, max) + "\u2026" : t;
+}
+function buildSubagentHandbackInbound(opts) {
+  const ts = opts.nowMs ?? Date.now();
+  const desc = truncate2(opts.ctx.taskDescription, HANDBACK_DESC_MAX) || "(no description)";
+  const result = truncate2(opts.ctx.resultText, HANDBACK_RESULT_MAX);
+  const text = opts.ctx.outcome === "failed" ? `\uD83E\uDD1D A background worker you dispatched has FAILED.
+
+` + `Task: ${desc}
+
+` + (result ? `What it reported before failing:
+${result}
+
+` : "") + `This is beat 4 \u2014 the handback. Tell the user plainly that the ` + `delegated work did not complete, what is known, and your ` + `recommended next step \u2014 one \`reply\` in your own voice. Do not ` + `stay silent.` : `\uD83E\uDD1D A background worker you dispatched has finished.
+
+` + `Task: ${desc}
+
+` + (result ? `What the worker reported:
+${result}
+
+` : `The worker left no summary text.
+
+`) + `This is beat 4 \u2014 the handback. Synthesise this for the user ` + `now: one \`reply\` in your own voice covering what the worker ` + `found and your recommended next step. Do NOT paste the raw ` + `report and do NOT stay silent \u2014 the user dispatched this and ` + `is waiting to hear back.`;
+  return {
+    type: "inbound",
+    chatId: opts.ctx.chatId,
+    messageId: ts,
+    user: "subagent-watcher",
+    userId: 0,
+    ts,
+    text,
+    meta: {
+      source: "subagent_handback",
+      outcome: opts.ctx.outcome
+    }
+  };
+}
+function decideSubagentHandback(input) {
+  if (input.handbackEnvValue === "0") {
+    return { deliver: false, reason: "env-disabled" };
+  }
+  if (input.outcome !== "completed" && input.outcome !== "failed") {
+    return { deliver: false, reason: "outcome-not-terminal" };
+  }
+  if (!input.isBackground) {
+    return { deliver: false, reason: "foreground" };
+  }
+  const chatId = input.fleetChatId || input.ownerChatId;
+  if (!chatId) {
+    return { deliver: false, reason: "no-chat" };
+  }
+  const inbound = buildSubagentHandbackInbound({
+    ctx: {
+      chatId,
+      taskDescription: input.taskDescription,
+      resultText: input.resultText,
+      outcome: input.outcome
+    },
+    ...input.nowMs !== undefined ? { nowMs: input.nowMs } : {}
+  });
+  return { deliver: true, chatId, inbound };
+}
+
 // gateway/poll-health.ts
 var DEFAULT_LOG = (msg) => {
   process.stderr.write(msg.endsWith(`
@@ -46106,6 +46385,7 @@ var DEFAULT_RESCAN_MS = 1000;
 var DEFAULT_STALL_THRESHOLD_MS = 60000;
 var DEFAULT_SILENT_SYNTHESIS_STALL_THRESHOLD_MS = 300000;
 var DEFAULT_SILENT_STALL_TERMINAL_MS = 300000;
+var SUBAGENT_RESULT_TEXT_MAX = 3000;
 function parseEnvMs(varName) {
   const raw = process.env[varName];
   if (raw == null || raw === "")
@@ -46231,6 +46511,7 @@ function readSubTail(entry, tail, now, onDescriptionUpdate, fs2, log, db2, paren
         } else if (ev.kind === "sub_agent_text") {
           entry.lastSummaryLine = ev.text.split(`
 `)[0].trim().slice(0, 120);
+          entry.lastResultText = ev.text.trim().slice(0, SUBAGENT_RESULT_TEXT_MAX);
         } else if (ev.kind === "sub_agent_turn_end") {
           if (entry.state === "running") {
             entry.state = "done";
@@ -46322,6 +46603,7 @@ function startSubagentWatcher(config) {
       completionNotified: false,
       stallTerminalSynthesised: false,
       lastSummaryLine: "",
+      lastResultText: "",
       lastTool: null,
       historical: isHistorical
     };
@@ -46372,8 +46654,8 @@ function startSubagentWatcher(config) {
       return;
     if (entry.state === "done" && !entry.completionNotified) {
       entry.completionNotified = true;
-      const desc = escapeHtml8(truncate2(entry.description, 80));
-      const summary = entry.lastSummaryLine ? ` \u2014 ${escapeHtml8(truncate2(entry.lastSummaryLine, 120))}` : "";
+      const desc = escapeHtml8(truncate3(entry.description, 80));
+      const summary = entry.lastSummaryLine ? ` \u2014 ${escapeHtml8(truncate3(entry.lastSummaryLine, 120))}` : "";
       const tools = entry.toolCount > 0 ? ` (${entry.toolCount} tools)` : "";
       try {
         config.sendNotification(`\u2713 Worker done: ${desc}${tools}${summary}`);
@@ -46387,7 +46669,9 @@ function startSubagentWatcher(config) {
             state: entry.state,
             outcome: entry.historical ? "orphan" : "completed",
             toolCount: entry.toolCount,
-            durationMs: nowFn() - entry.dispatchedAt
+            durationMs: nowFn() - entry.dispatchedAt,
+            description: entry.description,
+            resultText: entry.lastResultText
           });
         } catch (cbErr) {
           log?.(`subagent-watcher: onFinish callback error ${agentId}: ${cbErr.message}`);
@@ -46404,7 +46688,9 @@ function startSubagentWatcher(config) {
             state: entry.state,
             outcome: "failed",
             toolCount: entry.toolCount,
-            durationMs: nowFn() - entry.dispatchedAt
+            durationMs: nowFn() - entry.dispatchedAt,
+            description: entry.description,
+            resultText: entry.lastResultText
           });
         } catch (cbErr) {
           log?.(`subagent-watcher: onFinish callback error ${agentId}: ${cbErr.message}`);
@@ -46457,7 +46743,7 @@ function startSubagentWatcher(config) {
       if (idleMs >= threshold) {
         entry.stallNotified = true;
         entry.stalledAt = n;
-        const desc = escapeHtml8(truncate2(entry.description, 80));
+        const desc = escapeHtml8(truncate3(entry.description, 80));
         const idleSec = Math.floor(idleMs / 1000);
         log?.(`subagent-watcher: stall detected for ${entry.agentId} (idle ${idleSec}s): ${desc}`);
         if (db2 != null) {
@@ -47419,7 +47705,7 @@ function summarizeToolForTitle(toolName, inputPreview) {
     }
     case "Bash": {
       const command = readString(input, "command");
-      return command ? `${toolName}: ${truncate3(command, COMMAND_TITLE_MAX)}` : toolName;
+      return command ? `${toolName}: ${truncate4(command, COMMAND_TITLE_MAX)}` : toolName;
     }
     case "Read":
     case "Edit":
@@ -47427,17 +47713,17 @@ function summarizeToolForTitle(toolName, inputPreview) {
     case "MultiEdit":
     case "NotebookEdit": {
       const filePath = readString(input, "file_path") ?? readString(input, "notebook_path");
-      return filePath ? `${toolName}: ${truncate3(basename5(filePath), PATH_TITLE_MAX)}` : toolName;
+      return filePath ? `${toolName}: ${truncate4(basename5(filePath), PATH_TITLE_MAX)}` : toolName;
     }
     case "Glob":
     case "Grep": {
       const pattern = readString(input, "pattern");
-      return pattern ? `${toolName}: ${truncate3(pattern, COMMAND_TITLE_MAX)}` : toolName;
+      return pattern ? `${toolName}: ${truncate4(pattern, COMMAND_TITLE_MAX)}` : toolName;
     }
     case "WebFetch":
     case "WebSearch": {
       const query2 = readString(input, "url") ?? readString(input, "query");
-      return query2 ? `${toolName}: ${truncate3(query2, COMMAND_TITLE_MAX)}` : toolName;
+      return query2 ? `${toolName}: ${truncate4(query2, COMMAND_TITLE_MAX)}` : toolName;
     }
     default:
       return toolName;
@@ -47470,7 +47756,7 @@ function skillBasenameFromPath(input) {
   const basename6 = lastSlash >= 0 ? trimmed.slice(lastSlash + 1) : trimmed;
   return basename6.length > 0 ? basename6 : null;
 }
-function truncate3(text, max) {
+function truncate4(text, max) {
   const collapsed = text.replace(/\s+/g, " ").trim();
   if (collapsed.length <= max)
     return collapsed;
@@ -47741,11 +48027,11 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.13.9";
-var COMMIT_SHA = "b3a077a6";
-var COMMIT_DATE = "2026-05-22T10:38:19+10:00";
+var VERSION = "0.13.11";
+var COMMIT_SHA = "5984798c";
+var COMMIT_DATE = "2026-05-22T15:59:07+10:00";
 var LATEST_PR = null;
-var COMMITS_AHEAD_OF_TAG = 1;
+var COMMITS_AHEAD_OF_TAG = 3;
 
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {
@@ -48562,23 +48848,23 @@ try {
   }
   const pendingEnvPath = join32(agentDir, ".pending-turn.env");
   try {
-    const pending = findMostRecentInterruptedTurn(turnsDb);
-    if (pending != null) {
+    const pending2 = findMostRecentInterruptedTurn(turnsDb);
+    if (pending2 != null) {
       const lines = [
         `SWITCHROOM_PENDING_TURN=true`,
-        `SWITCHROOM_PENDING_TURN_KEY=${pending.turn_key}`,
-        `SWITCHROOM_PENDING_CHAT_ID=${pending.chat_id}`,
-        pending.thread_id != null ? `SWITCHROOM_PENDING_THREAD_ID=${pending.thread_id}` : `SWITCHROOM_PENDING_THREAD_ID=`,
-        pending.last_user_msg_id != null ? `SWITCHROOM_PENDING_USER_MSG_ID=${pending.last_user_msg_id}` : `SWITCHROOM_PENDING_USER_MSG_ID=`,
-        `SWITCHROOM_PENDING_ENDED_VIA=${pending.ended_via ?? "unknown"}`,
-        `SWITCHROOM_PENDING_STARTED_AT=${pending.started_at}`
+        `SWITCHROOM_PENDING_TURN_KEY=${pending2.turn_key}`,
+        `SWITCHROOM_PENDING_CHAT_ID=${pending2.chat_id}`,
+        pending2.thread_id != null ? `SWITCHROOM_PENDING_THREAD_ID=${pending2.thread_id}` : `SWITCHROOM_PENDING_THREAD_ID=`,
+        pending2.last_user_msg_id != null ? `SWITCHROOM_PENDING_USER_MSG_ID=${pending2.last_user_msg_id}` : `SWITCHROOM_PENDING_USER_MSG_ID=`,
+        `SWITCHROOM_PENDING_ENDED_VIA=${pending2.ended_via ?? "unknown"}`,
+        `SWITCHROOM_PENDING_STARTED_AT=${pending2.started_at}`
       ];
       const pendingEnvTmp = `${pendingEnvPath}.tmp-${process.pid}`;
       writeFileSync21(pendingEnvTmp, lines.join(`
 `) + `
 `, { mode: 384 });
       renameSync12(pendingEnvTmp, pendingEnvPath);
-      process.stderr.write(`telegram gateway: pending-turn env written to ${pendingEnvPath} turnKey=${pending.turn_key} endedVia=${pending.ended_via ?? "open"}
+      process.stderr.write(`telegram gateway: pending-turn env written to ${pendingEnvPath} turnKey=${pending2.turn_key} endedVia=${pending2.ended_via ?? "open"}
 `);
     } else if (existsSync34(pendingEnvPath)) {
       rmSync4(pendingEnvPath, { force: true });
@@ -49368,7 +49654,7 @@ function emitGatewayOperatorEvent(event) {
   let renderedText;
   let renderedKeyboard;
   if (modelUnavailable) {
-    const isAutoKind = modelUnavailable.kind === "quota_exhausted" || modelUnavailable.kind === "overload";
+    const isAutoKind = modelUnavailable.kind === "quota_exhausted";
     const willActuallyFire = isAutoKind && wouldFireFleetAutoFallback();
     process.stderr.write(`telegram gateway: operator-event suppressing-raw-stderr-for-model-unavailable agent=${agent} kind=${kind} detected=${modelUnavailable.kind} autoKind=${isAutoKind} willFire=${willActuallyFire}
 `);
@@ -49658,8 +49944,8 @@ var ipcServer = createIpcServer({
           client: client3
         });
       } else {
-        const pending = pendingInboundBuffer.drain(client3.agentName);
-        for (const msg of pending) {
+        const pending2 = pendingInboundBuffer.drain(client3.agentName);
+        for (const msg of pending2) {
           try {
             client3.send(msg);
             inboundSpool?.ack(msg);
@@ -49762,9 +50048,9 @@ var ipcServer = createIpcServer({
     }
   },
   onClientDisconnected(client3) {
-    process.stderr.write(`telegram gateway: bridge disconnected \u2014 agent=${client3.agentName}
-`);
     if (client3.agentName != null) {
+      process.stderr.write(`telegram gateway: bridge disconnected \u2014 agent=${client3.agentName}
+`);
       shadowEmit({ kind: "bridgeDown", at: Date.now() });
     }
     flushOnAgentDisconnect({
@@ -49954,6 +50240,68 @@ ${reminder}
       },
       buildCard: ({ preview, suggestRequestId }) => buildDiffPreviewCard({ preview, suggestRequestId }),
       log: (m) => process.stderr.write(`telegram gateway: drive-approval \u2014 ${m}
+`)
+    });
+  },
+  async onRequestConfigApproval(client3, msg) {
+    const { handleRequestConfigApproval: handleRequestConfigApproval2 } = await Promise.resolve().then(() => (init_config_approval_handler(), exports_config_approval_handler));
+    const { InlineKeyboard: InlineKeyboard6 } = await Promise.resolve().then(() => __toESM(require_mod(), 1));
+    await handleRequestConfigApproval2(client3, msg, {
+      agentName: getMyAgentName(),
+      loadTargetChat: () => {
+        const access = loadAccess();
+        const operator = access.allowFrom[0];
+        if (operator === undefined)
+          return null;
+        return { chatId: operator };
+      },
+      buildKeyboard: (requestId) => new InlineKeyboard6().text("\u2705 Approve", `cfg:${requestId}:approve`).text("\uD83D\uDEAB Deny", `cfg:${requestId}:deny`),
+      postCard: async (args) => {
+        try {
+          const sent = await robustApiCall(() => bot.api.sendMessage(args.chatId, args.text, {
+            parse_mode: "HTML",
+            ...args.threadId !== undefined ? { message_thread_id: args.threadId } : {},
+            reply_markup: args.replyMarkup
+          }), {
+            chat_id: String(args.chatId),
+            verb: "config-approval-card",
+            ...args.threadId !== undefined ? { threadId: args.threadId } : {}
+          });
+          return { messageId: sent.message_id };
+        } catch (err) {
+          process.stderr.write(`telegram gateway: config-approval postCard failed: ${err.message}
+`);
+          return null;
+        }
+      },
+      editCard: async (args) => {
+        try {
+          await robustApiCall(() => bot.api.editMessageText(args.chatId, args.messageId, args.text, {
+            parse_mode: "HTML"
+          }), { chat_id: String(args.chatId), verb: "config-approval-edit" });
+        } catch (err) {
+          process.stderr.write(`telegram gateway: config-approval editCard failed: ${err.message}
+`);
+        }
+      },
+      log: (m) => process.stderr.write(`telegram gateway: config-approval \u2014 ${m}
+`)
+    });
+  },
+  async onRequestConfigFinalize(client3, msg) {
+    const { handleRequestConfigFinalize: handleRequestConfigFinalize2 } = await Promise.resolve().then(() => (init_config_approval_handler(), exports_config_approval_handler));
+    await handleRequestConfigFinalize2(client3, msg, {
+      editCard: async (args) => {
+        try {
+          await robustApiCall(() => bot.api.editMessageText(args.chatId, args.messageId, args.text, {
+            parse_mode: "HTML"
+          }), { chat_id: String(args.chatId), verb: "config-approval-finalize" });
+        } catch (err) {
+          process.stderr.write(`telegram gateway: config-finalize editCard failed: ${err.message}
+`);
+        }
+      },
+      log: (m) => process.stderr.write(`telegram gateway: config-finalize \u2014 ${m}
 `)
     });
   },
@@ -50847,7 +51195,7 @@ async function executeVaultRequestSave(args) {
   }
   const agentSlug = process.env.SWITCHROOM_AGENT_NAME || "agent";
   const stageId = randomBytes6(4).toString("hex");
-  const pending = {
+  const pending2 = {
     agent: agentSlug,
     chat_id,
     key,
@@ -50856,16 +51204,16 @@ async function executeVaultRequestSave(args) {
     why,
     staged_at: Date.now()
   };
-  pendingVaultRequestSaves.set(stageId, pending);
+  pendingVaultRequestSaves.set(stageId, pending2);
   sweepPendingVaultRequestSaves();
-  const text = renderVaultRequestSaveCard(pending, agentSlug);
+  const text = renderVaultRequestSaveCard(pending2, agentSlug);
   const threadId = args.message_thread_id != null ? Number(args.message_thread_id) : undefined;
   const sent = await retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chat_id, text, {
     parse_mode: "HTML",
     reply_markup: buildVaultRequestSaveKeyboard(stageId),
     ...tid != null && Number.isFinite(tid) ? { message_thread_id: tid } : {}
   }), { threadId, chat_id, verb: "vault_request_save.card" });
-  pending.card_message_id = sent.message_id;
+  pending2.card_message_id = sent.message_id;
   return {
     content: [
       {
@@ -50950,7 +51298,7 @@ async function executeVaultRequestAccess(args) {
     } catch {}
   }
   const stageId = randomBytes6(4).toString("hex");
-  const pending = {
+  const pending2 = {
     agent: agentSlug,
     chat_id,
     key,
@@ -50959,16 +51307,16 @@ async function executeVaultRequestAccess(args) {
     ttl_seconds,
     staged_at: Date.now()
   };
-  pendingVaultRequestAccesses.set(stageId, pending);
+  pendingVaultRequestAccesses.set(stageId, pending2);
   sweepPendingVaultRequestAccesses();
-  const text = renderVaultRequestAccessCard(pending);
+  const text = renderVaultRequestAccessCard(pending2);
   const threadId = args.message_thread_id != null ? Number(args.message_thread_id) : undefined;
   const sent = await retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chat_id, text, {
     parse_mode: "HTML",
     reply_markup: buildVaultRequestAccessKeyboard(stageId),
     ...tid != null && Number.isFinite(tid) ? { message_thread_id: tid } : {}
   }), { threadId, chat_id, verb: "vault_request_access.card" });
-  pending.card_message_id = sent.message_id;
+  pending2.card_message_id = sent.message_id;
   return {
     content: [
       {
@@ -51282,9 +51630,9 @@ function handleSessionEvent(ev) {
           });
         }
         if (pendingPtyPartial != null) {
-          const pending = pendingPtyPartial;
+          const pending2 = pendingPtyPartial;
           pendingPtyPartial = null;
-          handlePtyPartial(pending);
+          handlePtyPartial(pending2);
         }
       }
       return;
@@ -54096,15 +54444,15 @@ async function handleVaultRecentDenialCallback(ctx, data) {
     parseMode: "HTML"
   });
 }
-async function performVaultAccessApproval(ctx, pending, stageId, senderId, attestation) {
+async function performVaultAccessApproval(ctx, pending2, stageId, senderId, attestation) {
   const brokerAuthOpts = attestation.kind === "passphrase" ? { passphrase: attestation.passphrase } : { attest_via_posture: true };
-  if (pending.scope === "read") {
+  if (pending2.scope === "read") {
     try {
       const visible = await listViaBroker();
-      if (visible !== null && visible.includes(pending.key)) {
+      if (visible !== null && visible.includes(pending2.key)) {
         pendingVaultRequestAccesses.delete(stageId);
-        if (pending.card_message_id != null) {
-          await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\u2139\uFE0F <b>${escapeHtmlForTg(pending.agent)}</b> already has standing-ACL access to <code>${escapeHtmlForTg(pending.key)}</code> (schedule.secrets[]). ` + `<b>No grant minted</b> \u2014 a token would shadow the standing ACL. ` + `The agent can read it directly.`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+        if (pending2.card_message_id != null) {
+          await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\u2139\uFE0F <b>${escapeHtmlForTg(pending2.agent)}</b> already has standing-ACL access to <code>${escapeHtmlForTg(pending2.key)}</code> (schedule.secrets[]). ` + `<b>No grant minted</b> \u2014 a token would shadow the standing ACL. ` + `The agent can read it directly.`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
         }
         return;
       }
@@ -54112,8 +54460,8 @@ async function performVaultAccessApproval(ctx, pending, stageId, senderId, attes
   }
   let existingReadKeys = [];
   let existingWriteKeys = [];
-  if (pending.scope === "read" || pending.scope === "write") {
-    const list2 = await listGrantsViaBroker(pending.agent, brokerAuthOpts);
+  if (pending2.scope === "read" || pending2.scope === "write") {
+    const list2 = await listGrantsViaBroker(pending2.agent, brokerAuthOpts);
     if (list2.kind === "ok") {
       const now = Math.floor(Date.now() / 1000);
       const active = list2.grants.filter((g) => g.expires_at === null || g.expires_at > now).sort((a, b) => {
@@ -54130,15 +54478,15 @@ async function performVaultAccessApproval(ctx, pending, stageId, senderId, attes
   }
   const readKeys = new Set(existingReadKeys);
   const writeKeys = new Set(existingWriteKeys);
-  if (pending.scope === "read")
-    readKeys.add(pending.key);
-  if (pending.scope === "write")
-    writeKeys.add(pending.key);
+  if (pending2.scope === "read")
+    readKeys.add(pending2.key);
+  if (pending2.scope === "write")
+    writeKeys.add(pending2.key);
   const mintArgs = {
-    agent: pending.agent,
+    agent: pending2.agent,
     keys: Array.from(readKeys),
-    ttl_seconds: pending.ttl_seconds,
-    description: `auto-mint via vault_request_access (#1012, scope=${pending.scope}, by op ${senderId}` + (existingReadKeys.length + existingWriteKeys.length > 0 ? `, unioned with prior grant` : ``) + `)`,
+    ttl_seconds: pending2.ttl_seconds,
+    description: `auto-mint via vault_request_access (#1012, scope=${pending2.scope}, by op ${senderId}` + (existingReadKeys.length + existingWriteKeys.length > 0 ? `, unioned with prior grant` : ``) + `)`,
     ...writeKeys.size > 0 ? { write_keys: Array.from(writeKeys) } : {},
     ...brokerAuthOpts
   };
@@ -54149,45 +54497,45 @@ async function performVaultAccessApproval(ctx, pending, stageId, senderId, attes
   }
   if (result.kind === "error") {
     pendingVaultRequestAccesses.delete(stageId);
-    if (pending.card_message_id != null) {
-      await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `<b>mint_grant failed:</b> ${escapeHtmlForTg(result.msg)}`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+    if (pending2.card_message_id != null) {
+      await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `<b>mint_grant failed:</b> ${escapeHtmlForTg(result.msg)}`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
     }
     return;
   }
   const { token, id } = result;
-  const tokenPath = join32(homedir12(), ".switchroom", "agents", pending.agent, ".vault-token");
+  const tokenPath = join32(homedir12(), ".switchroom", "agents", pending2.agent, ".vault-token");
   try {
-    mkdirSync21(join32(homedir12(), ".switchroom", "agents", pending.agent), { recursive: true });
+    mkdirSync21(join32(homedir12(), ".switchroom", "agents", pending2.agent), { recursive: true });
     writeFileSync21(tokenPath, token, { mode: 384 });
   } catch (err) {
     await switchroomReply(ctx, `<b>Grant created (${escapeHtmlForTg(id)}) but token write failed:</b> ${escapeHtmlForTg(String(err))}
-<i>Recover with: <code>switchroom vault grant ${escapeHtmlForTg(pending.agent)} --keys ${escapeHtmlForTg(pending.key)} --duration ${Math.round(pending.ttl_seconds / 86400)}d</code> on the host.</i>`, { html: true });
+<i>Recover with: <code>switchroom vault grant ${escapeHtmlForTg(pending2.agent)} --keys ${escapeHtmlForTg(pending2.key)} --duration ${Math.round(pending2.ttl_seconds / 86400)}d</code> on the host.</i>`, { html: true });
     return;
   }
   pendingVaultRequestAccesses.delete(stageId);
-  if (pending.card_message_id != null) {
-    const days = Math.round(pending.ttl_seconds / 86400);
+  if (pending2.card_message_id != null) {
+    const days = Math.round(pending2.ttl_seconds / 86400);
     const footer = VAULT_APPROVAL_AUTH_MODE === "telegram-id" ? `
 <i>Approver verified by Telegram identity \u2014 broker auto-unlocked at startup.</i>` : "";
-    await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\u2705 Granted <b>${escapeHtmlForTg(pending.agent)}</b> ${pending.scope} access to <code>${escapeHtmlForTg(pending.key)}</code> for ${days}d. (grant <code>${escapeHtmlForTg(id)}</code>)` + footer, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+    await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\u2705 Granted <b>${escapeHtmlForTg(pending2.agent)}</b> ${pending2.scope} access to <code>${escapeHtmlForTg(pending2.key)}</code> for ${days}d. (grant <code>${escapeHtmlForTg(id)}</code>)` + footer, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
   }
   const synthetic = buildVaultGrantApprovedInbound({
     ctx: {
-      agent: pending.agent,
-      key: pending.key,
-      scope: pending.scope,
-      chat_id: pending.chat_id,
-      ttl_seconds: pending.ttl_seconds
+      agent: pending2.agent,
+      key: pending2.key,
+      scope: pending2.scope,
+      chat_id: pending2.chat_id,
+      ttl_seconds: pending2.ttl_seconds
     },
     grantId: id,
     stageId,
     operatorId: senderId
   });
-  const delivered = ipcServer.sendToAgent(pending.agent, synthetic);
-  process.stderr.write(`telegram gateway: vault_grant_approved injection agent=${pending.agent} key=${pending.key} stage=${stageId} delivered=${delivered}
+  const delivered = ipcServer.sendToAgent(pending2.agent, synthetic);
+  process.stderr.write(`telegram gateway: vault_grant_approved injection agent=${pending2.agent} key=${pending2.key} stage=${stageId} delivered=${delivered}
 `);
   if (!delivered) {
-    pendingInboundBuffer.push(pending.agent, synthetic);
+    pendingInboundBuffer.push(pending2.agent, synthetic);
   }
 }
 async function handleVaultRequestAccessCallback(ctx, data) {
@@ -54204,8 +54552,8 @@ async function handleVaultRequestAccessCallback(ctx, data) {
   }
   const action = parts[1];
   const stageId = parts.slice(2).join(":");
-  const pending = pendingVaultRequestAccesses.get(stageId);
-  if (!pending) {
+  const pending2 = pendingVaultRequestAccesses.get(stageId);
+  if (!pending2) {
     await ctx.answerCallbackQuery({ text: "Card expired \u2014 ask the agent to re-request." }).catch(() => {});
     if (ctx.callbackQuery?.message) {
       await ctx.api.editMessageText(ctx.callbackQuery.message.chat.id, ctx.callbackQuery.message.message_id, "\u231B <i>This access-request card expired before you tapped. Ask the agent to re-issue if the need still stands.</i>", { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
@@ -54215,66 +54563,66 @@ async function handleVaultRequestAccessCallback(ctx, data) {
   if (action === "deny") {
     pendingVaultRequestAccesses.delete(stageId);
     await ctx.answerCallbackQuery({ text: "\uD83D\uDEAB Denied" }).catch(() => {});
-    if (pending.card_message_id != null) {
-      await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\uD83D\uDEAB <i>Denied. <b>${escapeHtmlForTg(pending.agent)}</b> will not get access to <code>${escapeHtmlForTg(pending.key)}</code>.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+    if (pending2.card_message_id != null) {
+      await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\uD83D\uDEAB <i>Denied. <b>${escapeHtmlForTg(pending2.agent)}</b> will not get access to <code>${escapeHtmlForTg(pending2.key)}</code>.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
     }
     const denyInbound = buildVaultGrantDeniedInbound({
       ctx: {
-        agent: pending.agent,
-        key: pending.key,
-        scope: pending.scope,
-        chat_id: pending.chat_id,
-        ttl_seconds: pending.ttl_seconds
+        agent: pending2.agent,
+        key: pending2.key,
+        scope: pending2.scope,
+        chat_id: pending2.chat_id,
+        ttl_seconds: pending2.ttl_seconds
       },
       stageId,
       operatorId: senderId
     });
-    const denyDelivered = ipcServer.sendToAgent(pending.agent, denyInbound);
-    process.stderr.write(`telegram gateway: vault_grant_denied injection agent=${pending.agent} key=${pending.key} stage=${stageId} delivered=${denyDelivered}
+    const denyDelivered = ipcServer.sendToAgent(pending2.agent, denyInbound);
+    process.stderr.write(`telegram gateway: vault_grant_denied injection agent=${pending2.agent} key=${pending2.key} stage=${stageId} delivered=${denyDelivered}
 `);
     if (!denyDelivered) {
-      pendingInboundBuffer.push(pending.agent, denyInbound);
+      pendingInboundBuffer.push(pending2.agent, denyInbound);
     }
     return;
   }
   if (action === "approve") {
     if (VAULT_APPROVAL_AUTH_MODE === "telegram-id") {
       const username = ctx.from?.username ?? ctx.from?.first_name ?? `id=${senderId}`;
-      if (pending.card_message_id != null) {
-        await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\u2705 Approved by @${escapeHtmlForTg(username)} \u2014 minting\u2026`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+      if (pending2.card_message_id != null) {
+        await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\u2705 Approved by @${escapeHtmlForTg(username)} \u2014 minting\u2026`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
       }
       await ctx.answerCallbackQuery({ text: "\u23F3 Minting grant\u2026" }).catch(() => {});
-      await performVaultAccessApproval(ctx, pending, stageId, senderId, { kind: "posture" });
+      await performVaultAccessApproval(ctx, pending2, stageId, senderId, { kind: "posture" });
       return;
     }
-    const cached = vaultPassphraseCache.get(pending.chat_id);
+    const cached = vaultPassphraseCache.get(pending2.chat_id);
     if (!cached || cached.expiresAt <= Date.now()) {
-      if (pending.card_message_id == null) {
+      if (pending2.card_message_id == null) {
         await ctx.answerCallbackQuery({ text: "Card missing \u2014 ask the agent to re-issue." }).catch(() => {});
         return;
       }
-      const existing = pendingVaultOps.get(pending.chat_id);
+      const existing = pendingVaultOps.get(pending2.chat_id);
       const newItem = {
         stageId,
-        cardChatId: pending.chat_id,
-        cardMessageId: pending.card_message_id,
+        cardChatId: pending2.chat_id,
+        cardMessageId: pending2.card_message_id,
         senderId
       };
       const items = existing?.kind === "passphrase-for-access-approve" ? [...existing.items.filter((it) => it.stageId !== stageId), newItem] : [newItem];
-      pendingVaultOps.set(pending.chat_id, {
+      pendingVaultOps.set(pending2.chat_id, {
         kind: "passphrase-for-access-approve",
         items,
         startedAt: existing?.kind === "passphrase-for-access-approve" ? existing.startedAt : Date.now()
       });
       const joiningBatch = items.length > 1;
       await ctx.answerCallbackQuery({ text: joiningBatch ? `\uD83D\uDD10 Queued \u2014 one passphrase covers ${items.length} cards` : "\uD83D\uDD10 Send your passphrase\u2026" }).catch(() => {});
-      await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, joiningBatch ? `\uD83D\uDD10 <b>Queued behind an earlier card.</b> Type your passphrase as your next message \u2014 it covers <b>${items.length}</b> pending approvals in this chat (one entry mints all grants, no re-type per card).` : `\uD83D\uDD10 <b>Vault is locked.</b> Reply with your passphrase as your next message \u2014 we'll unlock, mint the grant for <b>${escapeHtmlForTg(pending.agent)}</b>, and delete the passphrase message in one step.
+      await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, joiningBatch ? `\uD83D\uDD10 <b>Queued behind an earlier card.</b> Type your passphrase as your next message \u2014 it covers <b>${items.length}</b> pending approvals in this chat (one entry mints all grants, no re-type per card).` : `\uD83D\uDD10 <b>Vault is locked.</b> Reply with your passphrase as your next message \u2014 we'll unlock, mint the grant for <b>${escapeHtmlForTg(pending2.agent)}</b>, and delete the passphrase message in one step.
 
 <i>Mint authority stays operator-only: the broker only accepts the grant when the passphrase matches.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
       return;
     }
     await ctx.answerCallbackQuery({ text: "\u23F3 Minting grant\u2026" }).catch(() => {});
-    await performVaultAccessApproval(ctx, pending, stageId, senderId, { kind: "passphrase", passphrase: cached.passphrase });
+    await performVaultAccessApproval(ctx, pending2, stageId, senderId, { kind: "passphrase", passphrase: cached.passphrase });
     return;
   }
   await ctx.answerCallbackQuery({ text: "Unknown action" }).catch(() => {});
@@ -54293,8 +54641,8 @@ async function handleVaultRequestSaveCallback(ctx, data) {
   }
   const action = parts[1];
   const stageId = parts.slice(2).join(":");
-  const pending = pendingVaultRequestSaves.get(stageId);
-  if (!pending) {
+  const pending2 = pendingVaultRequestSaves.get(stageId);
+  if (!pending2) {
     await ctx.answerCallbackQuery({ text: "Card expired \u2014 ask the agent to re-send." }).catch(() => {});
     if (ctx.callbackQuery?.message) {
       await ctx.api.editMessageText(ctx.callbackQuery.message.chat.id, ctx.callbackQuery.message.message_id, "\u231B <i>This vault-save card expired before you tapped. Ask the agent to re-issue if you still want to save.</i>", { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
@@ -54304,23 +54652,23 @@ async function handleVaultRequestSaveCallback(ctx, data) {
   if (action === "discard") {
     pendingVaultRequestSaves.delete(stageId);
     await ctx.answerCallbackQuery({ text: "\uD83D\uDEAB Discarded" }).catch(() => {});
-    if (pending.card_message_id != null) {
-      await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\uD83D\uDEAB <i>Discarded. The secret was not written to the vault.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+    if (pending2.card_message_id != null) {
+      await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\uD83D\uDEAB <i>Discarded. The secret was not written to the vault.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
     }
     const discardInbound = buildVaultSaveDiscardedInbound({
-      ctx: { agent: pending.agent, key: pending.key, chat_id: pending.chat_id },
+      ctx: { agent: pending2.agent, key: pending2.key, chat_id: pending2.chat_id },
       stageId,
       operatorId: senderId
     });
-    const dDelivered = ipcServer.sendToAgent(pending.agent, discardInbound);
-    process.stderr.write(`telegram gateway: vault_save_discarded injection agent=${pending.agent} key=${pending.key} stage=${stageId} delivered=${dDelivered}
+    const dDelivered = ipcServer.sendToAgent(pending2.agent, discardInbound);
+    process.stderr.write(`telegram gateway: vault_save_discarded injection agent=${pending2.agent} key=${pending2.key} stage=${stageId} delivered=${dDelivered}
 `);
     if (!dDelivered)
-      pendingInboundBuffer.push(pending.agent, discardInbound);
+      pendingInboundBuffer.push(pending2.agent, discardInbound);
     return;
   }
   if (action === "rename") {
-    pendingVaultOps.set(pending.chat_id, {
+    pendingVaultOps.set(pending2.chat_id, {
       kind: "rename-vault-save",
       stageId,
       startedAt: Date.now()
@@ -54329,7 +54677,7 @@ async function handleVaultRequestSaveCallback(ctx, data) {
     const baseText = sourceMsg && "text" in sourceMsg && sourceMsg.text ? escapeHtmlForTg(sourceMsg.text) : "";
     const statusLine = `
 
-\u270F\uFE0F <b>Rename mode</b> \u2014 send the new key name as your next message. ` + `The current proposed key is <code>${escapeHtmlForTg(pending.key)}</code>.`;
+\u270F\uFE0F <b>Rename mode</b> \u2014 send the new key name as your next message. ` + `The current proposed key is <code>${escapeHtmlForTg(pending2.key)}</code>.`;
     await finalizeCallback(ctx, {
       ackText: "Send the new key name as your next message.",
       newText: baseText ? `${baseText}${statusLine}` : statusLine,
@@ -54339,22 +54687,22 @@ async function handleVaultRequestSaveCallback(ctx, data) {
   }
   if (action === "save") {
     await ctx.answerCallbackQuery({ text: "\u23F3 Saving\u2026" }).catch(() => {});
-    const cached = vaultPassphraseCache.get(pending.chat_id);
+    const cached = vaultPassphraseCache.get(pending2.chat_id);
     if (!cached || cached.expiresAt <= Date.now()) {
-      if (pending.card_message_id != null) {
-        await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\uD83D\uDD12 <b>Vault is locked.</b> Run <code>/vault unlock</code> (or any /vault command) to cache the passphrase, then tap Save again on the next card.`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+      if (pending2.card_message_id != null) {
+        await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\uD83D\uDD12 <b>Vault is locked.</b> Run <code>/vault unlock</code> (or any /vault command) to cache the passphrase, then tap Save again on the next card.`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
       }
       pendingVaultRequestSaves.delete(stageId);
       return;
     }
-    const write = defaultVaultWrite(pending.key, pending.value, cached.passphrase);
+    const write = defaultVaultWrite(pending2.key, pending2.value, cached.passphrase);
     if (!write.ok) {
       const parsed = parseVaultCliError(write.output);
-      const rendered = renderVaultCliError(parsed, { verb: "save", key: pending.key });
+      const rendered = renderVaultCliError(parsed, { verb: "save", key: pending2.key });
       const body = rendered.suppressRaw ? rendered.html : `\u26A0\uFE0F vault write failed:
 <pre>${escapeHtmlForTg(write.output)}</pre>`;
-      if (pending.card_message_id != null) {
-        await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `${body}
+      if (pending2.card_message_id != null) {
+        await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `${body}
 
 <i>Tap a fresh card after fixing the underlying issue.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
       }
@@ -54362,33 +54710,33 @@ async function handleVaultRequestSaveCallback(ctx, data) {
       const failReason = (write.output || "vault write error").split(`
 `)[0].slice(0, 200);
       const failInbound = buildVaultSaveFailedInbound({
-        ctx: { agent: pending.agent, key: pending.key, chat_id: pending.chat_id },
+        ctx: { agent: pending2.agent, key: pending2.key, chat_id: pending2.chat_id },
         stageId,
         operatorId: senderId,
         reason: failReason
       });
-      const fDelivered = ipcServer.sendToAgent(pending.agent, failInbound);
-      process.stderr.write(`telegram gateway: vault_save_failed injection agent=${pending.agent} key=${pending.key} stage=${stageId} delivered=${fDelivered}
+      const fDelivered = ipcServer.sendToAgent(pending2.agent, failInbound);
+      process.stderr.write(`telegram gateway: vault_save_failed injection agent=${pending2.agent} key=${pending2.key} stage=${stageId} delivered=${fDelivered}
 `);
       if (!fDelivered)
-        pendingInboundBuffer.push(pending.agent, failInbound);
+        pendingInboundBuffer.push(pending2.agent, failInbound);
       return;
     }
     pendingVaultRequestSaves.delete(stageId);
-    if (pending.card_message_id != null) {
-      await ctx.api.editMessageText(pending.chat_id, pending.card_message_id, `\u2705 saved as <code>vault:${escapeHtmlForTg(pending.key)}</code> (masked: <code>${escapeHtmlForTg(maskToken2(pending.value))}</code>)
-<i>The agent can now reference this as <code>vault:${escapeHtmlForTg(pending.key)}</code>.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
+    if (pending2.card_message_id != null) {
+      await ctx.api.editMessageText(pending2.chat_id, pending2.card_message_id, `\u2705 saved as <code>vault:${escapeHtmlForTg(pending2.key)}</code> (masked: <code>${escapeHtmlForTg(maskToken2(pending2.value))}</code>)
+<i>The agent can now reference this as <code>vault:${escapeHtmlForTg(pending2.key)}</code>.</i>`, { parse_mode: "HTML", reply_markup: { inline_keyboard: [] } }).catch(() => {});
     }
     const okInbound = buildVaultSaveCompletedInbound({
-      ctx: { agent: pending.agent, key: pending.key, chat_id: pending.chat_id },
+      ctx: { agent: pending2.agent, key: pending2.key, chat_id: pending2.chat_id },
       stageId,
       operatorId: senderId
     });
-    const okDelivered = ipcServer.sendToAgent(pending.agent, okInbound);
-    process.stderr.write(`telegram gateway: vault_save_completed injection agent=${pending.agent} key=${pending.key} stage=${stageId} delivered=${okDelivered}
+    const okDelivered = ipcServer.sendToAgent(pending2.agent, okInbound);
+    process.stderr.write(`telegram gateway: vault_save_completed injection agent=${pending2.agent} key=${pending2.key} stage=${stageId} delivered=${okDelivered}
 `);
     if (!okDelivered)
-      pendingInboundBuffer.push(pending.agent, okInbound);
+      pendingInboundBuffer.push(pending2.agent, okInbound);
     return;
   }
   await ctx.answerCallbackQuery({ text: "Unknown action" }).catch(() => {});
@@ -55650,6 +55998,35 @@ bot.on("callback_query:data", async (ctx) => {
     await handleApprovalCallback2(ctx, data);
     return;
   }
+  if (data.startsWith("cfg:")) {
+    const access2 = loadAccess();
+    const senderId2 = String(ctx.from?.id ?? "");
+    if (!access2.allowFrom.includes(senderId2)) {
+      await ctx.answerCallbackQuery({ text: "Not authorized." });
+      return;
+    }
+    const { parseConfigApprovalCallback: parseConfigApprovalCallback2, resolvePendingConfigApproval: resolvePendingConfigApproval2 } = await Promise.resolve().then(() => (init_config_approval_handler(), exports_config_approval_handler));
+    const parsed = parseConfigApprovalCallback2(data);
+    if (parsed === null) {
+      await ctx.answerCallbackQuery({ text: "Malformed callback." });
+      return;
+    }
+    const resolved = await resolvePendingConfigApproval2(parsed.requestId, parsed.choice, {
+      editCard: async (args) => {
+        try {
+          await robustApiCall(() => bot.api.editMessageText(args.chatId, args.messageId, args.text, {
+            parse_mode: "HTML"
+          }));
+        } catch {}
+      },
+      log: (m2) => process.stderr.write(`telegram gateway: config-approval cb \u2014 ${m2}
+`)
+    });
+    await ctx.answerCallbackQuery({
+      text: resolved ? parsed.choice === "approve" ? "Approving\u2026" : "Denied" : "Already resolved."
+    });
+    return;
+  }
   if (data.startsWith("drvpick:")) {
     const access2 = loadAccess();
     const senderId2 = String(ctx.from?.id ?? "");
@@ -56490,7 +56867,7 @@ async function handleMessageReaction(ctx) {
 `);
       return;
     }
-    const pending = {
+    const pending2 = {
       targetMessageId: message_id,
       emoji,
       action,
@@ -56500,7 +56877,7 @@ async function handleMessageReaction(ctx) {
       user: reacter.first_name ?? reacter.username ?? String(reacter.id),
       ...typeof update.message_thread_id === "number" ? { threadId: update.message_thread_id } : {}
     };
-    getReactionDebounce().enqueue(update.chat.id, pending);
+    getReactionDebounce().enqueue(update.chat.id, pending2);
   } catch (err) {
     process.stderr.write(`telegram gateway: message_reaction handler error: ${err}
 `);
@@ -56969,16 +57346,14 @@ var didOneTimeSetup = false;
 `);
                 }
               },
-              onFinish: ({ agentId, outcome, toolCount, durationMs }) => {
-                let parentTurnKey = "";
-                let chatId = "";
+              onFinish: ({ agentId, outcome, description, resultText }) => {
+                let fleetChatId = "";
                 let isBackground = false;
                 try {
                   const fleets = progressDriver?.peekAllFleets() ?? [];
                   for (const f of fleets) {
                     if (f.fleet.has(agentId)) {
-                      parentTurnKey = f.turnKey;
-                      chatId = f.chatId ?? "";
+                      fleetChatId = f.chatId ?? "";
                       break;
                     }
                   }
@@ -56990,7 +57365,25 @@ var didOneTimeSetup = false;
                       isBackground = row.background === 1;
                   } catch {}
                 }
-                const finalOutcome = isBackground ? "background" : outcome === "completed" ? "completed" : "orphan";
+                const decision = decideSubagentHandback({
+                  handbackEnvValue: process.env.SWITCHROOM_SUBAGENT_HANDBACK,
+                  outcome,
+                  isBackground,
+                  fleetChatId,
+                  ownerChatId: loadAccess().allowFrom[0] ?? "",
+                  taskDescription: description,
+                  resultText
+                });
+                if (!decision.deliver) {
+                  if (decision.reason === "no-chat") {
+                    process.stderr.write(`telegram gateway: subagent-handback ${agentId} \u2014 no chat to deliver to; skipped
+`);
+                  }
+                  return;
+                }
+                pendingInboundBuffer.push(process.env.SWITCHROOM_AGENT_NAME ?? "", decision.inbound);
+                process.stderr.write(`telegram gateway: subagent-handback queued agent=${agentId} outcome=${outcome} chat=${decision.chatId} resultChars=${resultText.length}
+`);
               }
             });
             process.stderr.write(`telegram gateway: subagent-watcher active