switchroom 0.14.26 → 0.14.28

package/telegram-plugin/history.ts

@@ -27,6 +27,7 @@
 
 import { chmodSync, mkdirSync } from 'fs'
 import { join } from 'path'
+import { redact } from './secret-detect/redact.js'
 
 /**
  * `bun:sqlite` is a Bun built-in — Vite/Node loaders can't resolve it
@@ -300,6 +301,10 @@ export function recordInbound(args: RecordInboundArgs): void {
       (chat_id, thread_id, message_id, role, user, user_id, ts, text, attachment_kind, group_id, reply_to_message_id, reply_to_text)
     VALUES (?, ?, ?, 'user', ?, ?, ?, ?, ?, NULL, ?, ?)
   `)
+  // Defense-in-depth: never persist a detected secret to the message store.
+  // The inbound gate (server.ts handleInbound) already deletes + vaults a
+  // high-confidence hit before reaching here, so for caught secrets this is
+  // a no-op; it's the backstop for any shape the gate's pattern set misses.
   stmt.run(
     args.chat_id,
     args.thread_id ?? null,
@@ -307,10 +312,10 @@ export function recordInbound(args: RecordInboundArgs): void {
     args.user ?? null,
     args.user_id ?? null,
     args.ts,
-    args.text,
+    redact(args.text),
     args.attachment_kind ?? null,
     args.reply_to_message_id ?? null,
-    args.reply_to_text ?? null,
+    args.reply_to_text != null ? redact(args.reply_to_text) : (args.reply_to_text ?? null),
   )
 }
 
@@ -356,9 +361,14 @@ export function recordOutbound(args: RecordOutboundArgs): void {
       )
     }
   }) as (...args: unknown[]) => unknown)
+  // Outbound redaction: the agent→user direction has no other secret
+  // scrub, so this is the chokepoint that keeps an agent-echoed secret out
+  // of the message store (e.g. an agent quoting a token it read from a file
+  // or a not-yet-vaulted value). Masks the secret bytes in place; the
+  // surrounding reply text is preserved.
   const rows: Array<[number, string, string | null]> = args.message_ids.map((id, i) => [
     id,
-    args.texts[i] ?? '',
+    redact(args.texts[i] ?? ''),
     args.attachment_kinds?.[i] ?? null,
   ])
   tx(rows)
@@ -387,7 +397,9 @@ export function recordEdit(args: RecordEditArgs): void {
          SET text = ?
        WHERE chat_id = ? AND message_id = ?
     `)
-    .run(args.text, args.chat_id, args.message_id)
+    // Same outbound chokepoint as recordOutbound — an edit must not
+    // reintroduce a raw secret into the stored row.
+    .run(redact(args.text), args.chat_id, args.message_id)
 }
 
 export interface RecordReactionArgs {

package/telegram-plugin/permission-title.ts

@@ -248,6 +248,54 @@ export function describeGrant(
   }
 }
 
+/**
+ * Agent-voiced "I got your verdict and I'm continuing" message, posted as
+ * a *distinct* Telegram message the instant the operator answers a
+ * permission card (allow / deny / always / slash / free-text). The card
+ * edit + status reaction are easy to miss — a reaction lands on the turn's
+ * triggering message far up the chat, and the card footnote is a one-liner
+ * the operator scrolls past — so this is the legible signal that the tap
+ * landed and names the work being (re)started.
+ *
+ * Mirrors `formatPermissionCardBody`'s style ("🔐 <b>Gymbro</b> wants to
+ * edit: log.md" → "▶️ <b>Gymbro</b> — got it, continuing: edit: log.md").
+ * `action` is a phrase from {@link naturalAction} (already operator-facing,
+ * no tool ids). Output is HTML-escaped for `parse_mode: 'HTML'`.
+ *
+ * `timeoutMinutes` marks the TTL auto-deny variant (no operator tapped —
+ * the request aged out) so the wording reflects "no answer" rather than a
+ * deliberate denial.
+ */
+export function formatPermissionResumeMessage(opts: {
+  agentName: string | null;
+  behavior: "allow" | "deny";
+  action: string;
+  timeoutMinutes?: number;
+}): string {
+  const who =
+    opts.agentName && opts.agentName.length > 0
+      ? `<b>${escapeTgHtml(capFirst(opts.agentName))}</b>`
+      : `<b>Agent</b>`;
+  const act = (opts.action ?? "").trim();
+  const hasAction = act.length > 0;
+
+  if (opts.behavior === "allow") {
+    return hasAction
+      ? `▶️ ${who} — got it, continuing: <i>${escapeTgHtml(act)}</i>`
+      : `▶️ ${who} — got it, back to work.`;
+  }
+
+  // deny
+  if (opts.timeoutMinutes != null) {
+    return hasAction
+      ? `🚫 ${who} — no answer in ${opts.timeoutMinutes}m, continuing without it (<i>${escapeTgHtml(act)}</i>).`
+      : `🚫 ${who} — no answer in ${opts.timeoutMinutes}m, continuing without it.`;
+  }
+  return hasAction
+    ? `🚫 ${who} — noted, I won't ${escapeTgHtml(lowerFirst(act))}. Continuing without it.`
+    : `🚫 ${who} — noted, continuing without it.`;
+}
+
 function resolveSkillName(input: Record<string, unknown>): string | null {
   return (
     readString(input, "skill") ??

package/telegram-plugin/secret-detect/patterns.ts

@@ -54,6 +54,14 @@ export const ANCHORED_PATTERNS: PatternDef[] = [
   // Telegram bot tokens: with "bot" prefix or bare ID:token.
   { rule_id: 'telegram_bot_token_prefixed', regex: /\bbot(\d{6,}:[A-Za-z0-9_-]{20,})\b/g, captureIndex: 1, slugHint: 'telegram_bot_token' },
   { rule_id: 'telegram_bot_token', regex: /\b(\d{6,}:[A-Za-z0-9_-]{20,})\b/g, captureIndex: 1, slugHint: 'telegram_bot_token' },
+  // Laravel Sanctum / Coolify personal-access tokens. Shape: `<id>|<token>`
+  // where <id> is the integer PK and <token> is `Str::random(40)` — 40 base62
+  // chars. The `|` separator is what distinguishes this from a Telegram
+  // `id:token` (colon) or a JWT. Length floor 40 (the Sanctum default) keeps
+  // this off short pipe-joined chat like `1|foo` or markdown table cells.
+  // Incident 2026-06-01: a live `17|<40-char>` Coolify token pasted by a user
+  // slipped every existing pattern and persisted in plaintext.
+  { rule_id: 'laravel_sanctum_token', regex: /\b(\d+\|[A-Za-z0-9]{40,})\b/g, captureIndex: 1, slugHint: 'api_token' },
   { rule_id: 'aws_access_key', regex: /\b(AKIA[0-9A-Z]{16})\b/g, captureIndex: 1, slugHint: 'aws_access_key' },
   { rule_id: 'jwt', regex: /\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b/g, captureIndex: 1, slugHint: 'jwt' },
 ]

package/telegram-plugin/secret-detect/redact.ts

@@ -0,0 +1,76 @@
+/**
+ * `redact(text)` — sanitize text by replacing detected secrets and
+ * credential-bearing URL parts with `[REDACTED]` markers, in place.
+ *
+ * This is the shared mask-in-place chokepoint. Unlike the inbound
+ * vault-staging flow (which DELETES the Telegram message and offers to
+ * save the secret), `redact()` leaves the surrounding prose intact and
+ * only masks the secret byte-ranges — the right behavior when we must
+ * keep a record but never store/log/forward the raw value:
+ *
+ *   - INBOUND + OUTBOUND history persistence — `history.ts`
+ *     `recordInbound` / `recordOutbound` redact before the row hits
+ *     SQLite, so no detected secret survives in the message store in
+ *     either direction (defense-in-depth behind the inbound gate, and
+ *     the only redaction on the agent→user direction).
+ *   - `switchroom issues record` — `src/issues/store.ts:capDetail`.
+ *   - `switchroom secret-detect redact --stdin` — bash-callable shim.
+ *   - hostd — `src/host-control/server.ts`.
+ *
+ * Detection is delegated to `detectSecrets()` (same patterns, same
+ * suppressor, same engine as the inbound Telegram gate) so a pattern
+ * added once — e.g. the Laravel/Coolify Sanctum `<id>|<token>` shape —
+ * covers detection, inbound interception, and this redactor uniformly.
+ *
+ * Idempotence: for token-shape detections the marker doesn't re-match.
+ * For *structural* detectors (`cli_flag`, `json_secret_field`) a second
+ * pass may rewrite the tag, but the bytes stay redacted. Rely on "no
+ * detected secret bytes survive any number of passes", not on strict
+ * `redact(redact(x)) === redact(x)`.
+ */
+import { detectSecrets, type Detection } from './index.js'
+import { redactUrls } from './url-redact.js'
+
+export const REDACTED_MARKER = '[REDACTED]'
+
+/**
+ * Synchronous, fast redactor. Vendored pattern engine only (no async
+ * secretlint) so it is safe on hot paths (every stored message).
+ *
+ * Order matters:
+ *   1. URL credentials (`https://u:p@host` → `https://***@host`,
+ *      sensitive query params → `?key=***`).
+ *   2. Token-shape detection over the URL-normalized text; matched byte
+ *      ranges are replaced right-to-left so earlier offsets stay valid.
+ */
+export function redact(text: string): string {
+  if (!text || text.length === 0) return text
+
+  // Step 1 — URL credentials and known-sensitive query params.
+  const urlScrubbed = redactUrls(text)
+
+  // Step 2 — token shape detection over the URL-scrubbed text.
+  const hits: Detection[] = detectSecrets(urlScrubbed)
+  if (hits.length === 0) return urlScrubbed
+
+  // Apply replacements right-to-left so byte offsets stay valid.
+  const sorted = [...hits].sort((a, b) => b.start - a.start)
+  let out = urlScrubbed
+  for (const h of sorted) {
+    out = out.slice(0, h.start) + redactedMarker(h.rule_id) + out.slice(h.end)
+  }
+  return out
+}
+
+/**
+ * `[REDACTED:<rule_id>]` when the rule_id is informative,
+ * `[REDACTED]` otherwise. The rule_id is detector-emitted, so it never
+ * contains attacker-controlled bytes — safe to embed verbatim.
+ */
+function redactedMarker(ruleId: string): string {
+  const trimmed = ruleId.replace(/^(kv|env)_/, '')
+  if (!trimmed || trimmed === 'key_value' || trimmed === 'kv_entropy') {
+    return REDACTED_MARKER
+  }
+  return `[REDACTED:${trimmed}]`
+}

package/telegram-plugin/tests/card-format.test.ts

@@ -0,0 +1,96 @@
+import { describe, it, expect } from 'vitest'
+import {
+  cleanWorkerResultParagraph,
+  escapeHtml,
+  formatDuration,
+  stripMarkdown,
+  truncate,
+} from '../card-format.js'
+
+describe('stripMarkdown', () => {
+  it('strips paired bold and emphasis', () => {
+    expect(stripMarkdown('a **bold** and *em* and __b__ and _e_')).toBe(
+      'a bold and em and b and e',
+    )
+  })
+
+  it('strips inline code spans', () => {
+    expect(stripMarkdown('run `git push` now')).toBe('run git push now')
+  })
+
+  it('strips leading headings, blockquotes, bullets, and ordered items', () => {
+    expect(stripMarkdown('### Heading')).toBe('Heading')
+    expect(stripMarkdown('> quoted')).toBe('quoted')
+    expect(stripMarkdown('- a bullet')).toBe('a bullet')
+    expect(stripMarkdown('* star bullet')).toBe('star bullet')
+    expect(stripMarkdown('1. first')).toBe('first')
+    expect(stripMarkdown('2) second')).toBe('second')
+  })
+
+  it('strips leading block markup on EVERY line, not just the string start', () => {
+    // The screenshot regression: a worker summary that opens with prose
+    // ("Done.") then a `## Summary` heading mid-string. Without the `gm`
+    // flags the heading marker leaked into the rendered card.
+    const headed = stripMarkdown('Done.\n\n## Summary\n\nFixed the bug')
+    expect(headed).not.toContain('##')
+    expect(headed).toContain('Done.')
+    expect(headed).toContain('Summary')
+    expect(headed).toContain('Fixed the bug')
+
+    const mixed = stripMarkdown('intro\n> quoted\n- item')
+    expect(mixed).not.toMatch(/(^|\n)\s*[>\-*]/)
+    expect(mixed).toContain('quoted')
+    expect(mixed).toContain('item')
+  })
+
+  it('reduces a link to its label', () => {
+    expect(stripMarkdown('see [the PR](https://x/y) here')).toBe('see the PR here')
+  })
+
+  it('removes residual doubled markers but keeps a lone asterisk (math)', () => {
+    expect(stripMarkdown('**dangling')).toBe('dangling')
+    expect(stripMarkdown('3 * 4 = 12')).toBe('3 * 4 = 12')
+  })
+
+  it('does not touch HTML-significant characters (escaping stays separate)', () => {
+    expect(stripMarkdown('a < b & c > d')).toBe('a < b & c > d')
+  })
+})
+
+describe('cleanWorkerResultParagraph', () => {
+  it('collapses multi-line Markdown into one plain paragraph', () => {
+    const input = '## Done\n\n**PR #21** opened\n\n- merged\n- pushed'
+    expect(cleanWorkerResultParagraph(input)).toBe('Done PR #21 opened merged pushed')
+  })
+
+  it('drops fenced code blocks entirely', () => {
+    const input = 'before\n```ts\nconst x = 1\n```\nafter'
+    expect(cleanWorkerResultParagraph(input)).toBe('before after')
+  })
+
+  it('drops horizontal rules', () => {
+    expect(cleanWorkerResultParagraph('a\n---\nb\n***\nc')).toBe('a b c')
+  })
+
+  it('returns empty for whitespace/markup-only input', () => {
+    expect(cleanWorkerResultParagraph('   \n---\n')).toBe('')
+  })
+})
+
+describe('formatDuration', () => {
+  it('renders sub-second as ms and seconds/minutes as MM:SS', () => {
+    expect(formatDuration(500)).toBe('500ms')
+    expect(formatDuration(1000)).toBe('00:01')
+    expect(formatDuration(60_000)).toBe('01:00')
+  })
+})
+
+describe('escapeHtml / truncate', () => {
+  it('escapes the three HTML-significant characters', () => {
+    expect(escapeHtml('a <b> & c')).toBe('a &lt;b&gt; &amp; c')
+  })
+  it('truncates with an ellipsis', () => {
+    expect(truncate('abcdef', 4)).toBe('abc…')
+    expect(truncate('abc', 4)).toBe('abc')
+  })
+})

package/telegram-plugin/tests/gateway-outbound-redact.test.ts

@@ -0,0 +1,80 @@
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+
+/**
+ * Structural test for the outbound secret-scrub (#2044).
+ *
+ * Outbound (agent→user) text previously had NO redaction — an agent that
+ * echoed a secret it read from a file/env/not-yet-vaulted value would send
+ * the raw bytes to Telegram, log a preview to stderr, and store them in
+ * history. This pins that `redactOutboundText()` runs at the ENTRY of each
+ * agent-free-text tool (reply / stream_reply / edit_message), before the
+ * stderr preview, the dedup key, the send, and the history record.
+ *
+ * Why structural: executeReply/executeStreamReply/executeEditMessage are
+ * not exported (same constraint as gateway-secret-detect.test.ts). The
+ * masking itself — that `redact()` covers the Sanctum shape and every
+ * provider token — is exercised behaviorally in secret-detect-sanctum.test.ts
+ * and the redact() unit tests; what's left to pin here is the wiring + slot.
+ */
+describe('gateway outbound secret-scrub — structural wiring', () => {
+  const src = readFileSync(
+    new URL('../gateway/gateway.ts', import.meta.url),
+    'utf8',
+  )
+
+  it('imports the shared redactor', () => {
+    expect(src).toMatch(/import \{ redact \} from '\.\.\/secret-detect\/redact\.js'/)
+  })
+
+  it('defines the redactOutboundText helper backed by redact()', () => {
+    const idx = src.indexOf('function redactOutboundText(')
+    expect(idx).toBeGreaterThan(0)
+    const body = src.slice(idx, idx + 400)
+    expect(body).toMatch(/redact\(text\)/)
+  })
+
+  it('reply: scrubs at entry, before the stderr preview log', () => {
+    const start = src.indexOf('async function executeReply(')
+    const redactIdx = src.indexOf(`redactOutboundText(text, 'reply')`, start)
+    const previewIdx = src.indexOf('reply: invoked chatId=', start)
+    expect(start).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(start)
+    expect(previewIdx).toBeGreaterThan(redactIdx) // mask BEFORE the preview is logged
+  })
+
+  it('stream_reply: scrubs at entry, before the voice scrub + dedup', () => {
+    const start = src.indexOf('async function executeStreamReply(')
+    const redactIdx = src.indexOf(`redactOutboundText(args.text as string, 'stream_reply')`, start)
+    const scrubIdx = src.indexOf(`site: 'stream_reply'`, start)
+    expect(start).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(start)
+    expect(scrubIdx).toBeGreaterThan(redactIdx)
+  })
+
+  it('edit_message: scrubs at entry, before the voice scrub + send', () => {
+    const start = src.indexOf('async function executeEditMessage(')
+    const redactIdx = src.indexOf(`redactOutboundText(editRawText, 'edit_message')`, start)
+    const scrubIdx = src.indexOf(`site: 'edit_message'`, start)
+    expect(start).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(start)
+    expect(scrubIdx).toBeGreaterThan(redactIdx)
+  })
+
+  it('turn-flush backstop: scrubs the model terminal prose before send', () => {
+    // Turn-flush delivers the model's answer when it skipped reply/stream_reply
+    // — arbitrary agent free-text that hits the wire + stderr preview.
+    const redactIdx = src.indexOf(`redactOutboundText(capturedText, 'turn_flush')`)
+    const scrubSiteIdx = src.indexOf(`site: 'turn_flush'`)
+    expect(redactIdx).toBeGreaterThan(0)
+    expect(scrubSiteIdx).toBeGreaterThan(redactIdx) // mask BEFORE the voice scrub + send
+  })
+
+  it('does not log the secret value when a mask fires', () => {
+    const idx = src.indexOf('function redactOutboundText(')
+    const body = src.slice(idx, idx + 400)
+    // The log line names the site, never the text/masked value.
+    expect(body).toMatch(/outbound secret masked site=\$\{site\}/)
+    expect(body).not.toMatch(/\$\{text\}|\$\{masked\}/)
+  })
+})

package/telegram-plugin/tests/gateway-request-secret.test.ts

@@ -0,0 +1,78 @@
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+
+/**
+ * Structural test for the `request_secret` tool (#2045) — the secure
+ * "agent asks the operator to PROVIDE a missing secret" flow. The operator
+ * taps [Provide securely], sends the value once, and the gateway deletes it
+ * + writes it straight to the vault; the raw value is never recorded,
+ * logged, or returned to the agent.
+ *
+ * Structural because the gateway handlers (handleInbound, executeToolCall,
+ * the callback router) aren't exported — same constraint as
+ * gateway-secret-detect.test.ts. The vault-write reuse + card UX are
+ * exercised end-to-end by the mtcute UAT (jtbd-request-secret-dm).
+ */
+describe('request_secret — gateway wiring', () => {
+  const gw = readFileSync(new URL('../gateway/gateway.ts', import.meta.url), 'utf8')
+  const bridge = readFileSync(new URL('../bridge/bridge.ts', import.meta.url), 'utf8')
+
+  it('declares the MCP tool with required {chat_id,key} and NO value arg', () => {
+    const idx = bridge.indexOf(`name: 'request_secret'`)
+    expect(idx).toBeGreaterThan(0)
+    const schema = bridge.slice(idx, idx + 3000)
+    expect(schema).toMatch(/required: \['chat_id', 'key'\]/)
+    // The whole point: the agent does NOT supply the value.
+    expect(schema).not.toMatch(/\bvalue:\s*\{/)
+    // Tells the agent never to ask for a chat paste.
+    expect(schema).toMatch(/NEVER ask the user to paste/i)
+  })
+
+  it('is allow-listed and dispatched', () => {
+    expect(gw).toMatch(/'request_secret',\n\]\)/)
+    expect(gw).toMatch(/case 'request_secret':\s*\n\s*return executeRequestSecret\(args\)/)
+  })
+
+  it('routes the vsp: callback', () => {
+    expect(gw).toMatch(/data\.startsWith\('vsp:'\)/)
+    expect(gw).toMatch(/handleSecretRequestCallback\(ctx, data\)/)
+  })
+
+  it('captures the provided value BEFORE recordInbound and the broadcast', () => {
+    const start = gw.indexOf('async function handleInbound(')
+    const captureIdx = gw.indexOf('captureProvidedSecret(ctx, chat_id', start)
+    const recordIdx = gw.indexOf('recordInbound(', captureIdx)
+    const broadcastIdx = gw.indexOf('ipcServer.broadcast(inboundMsg)', captureIdx)
+    expect(captureIdx).toBeGreaterThan(start)
+    expect(recordIdx).toBeGreaterThan(captureIdx)
+    expect(broadcastIdx).toBeGreaterThan(captureIdx)
+  })
+
+  it('the capture deletes the raw message and writes to the vault, then returns', () => {
+    const idx = gw.indexOf('async function captureProvidedSecret(')
+    expect(idx).toBeGreaterThan(0)
+    const body = gw.slice(idx, idx + 3600)
+    // delete the raw message before anything else
+    expect(body).toMatch(/deleteSensitiveMessage\(chat_id, msgId/)
+    // write via the posture/passphrase helper
+    expect(body).toMatch(/writeRequestedSecret\(armed\.key, value, chat_id\)/)
+  })
+
+  it('the agent-resume inbound carries the key but NOT the value', () => {
+    const idx = gw.indexOf('async function captureProvidedSecret(')
+    const body = gw.slice(idx, idx + 3600)
+    const syntheticIdx = body.indexOf("source: 'secret_provided'")
+    expect(syntheticIdx).toBeGreaterThan(0)
+    // The synthetic text references vault:<key>, never the raw `value`.
+    expect(body).toMatch(/vault:\$\{armed\.key\}/)
+    const textIdx = body.lastIndexOf('text:', syntheticIdx)
+    const metaIdx = body.indexOf('meta:', syntheticIdx)
+    expect(body.slice(textIdx, metaIdx)).not.toMatch(/\$\{value\}/)
+  })
+
+  it('dedupes to one open request per (chat,key)', () => {
+    const idx = gw.indexOf('async function executeRequestSecret(')
+    const body = gw.slice(idx, idx + 1800)
+    expect(body).toMatch(/p\.chat_id === chat_id && p\.key === key/)
+  })
+})

package/telegram-plugin/tests/history.test.ts

@@ -362,3 +362,62 @@ describe('getRecentOutboundCount (backstop dedup helper)', () => {
     expect(getRecentOutboundCount('-200', 2)).toBe(1)
   })
 })
+
+describe('secret redaction at persistence (both directions)', () => {
+  beforeEach(() => initHistory(stateDir, 30))
+
+  // Built by concatenation so the source never holds a contiguous
+  // secret-shaped literal (repo Push Protection / no-pii lint).
+  const SANCTUM = `19|${'qP4mN7rT2v'.repeat(4)}` // <id>|<40 base62> (Sanctum/Coolify)
+  const GH_PAT = `ghp_${'A1b2C3d4E5'.repeat(3)}` // ghp_<30 base62>
+
+  it('masks a user-pasted secret before it is stored (inbound)', () => {
+    recordInbound({
+      chat_id: '-100',
+      thread_id: null,
+      message_id: 1,
+      user: 'alice',
+      user_id: '111',
+      ts: 1000,
+      text: `the new coolify token is ${SANCTUM}, save it`,
+    })
+    const text = query({ chat_id: '-100' })[0]!.text as string
+    expect(text).not.toContain(SANCTUM)
+    expect(text).toContain('[REDACTED')
+    expect(text).toContain('the new coolify token is') // surrounding prose preserved
+  })
+
+  it('masks a secret echoed by the agent before it is stored (outbound)', () => {
+    recordOutbound({
+      chat_id: '-100',
+      thread_id: null,
+      message_ids: [2],
+      texts: [`sure — your key is ${GH_PAT}, keep it safe`],
+      ts: 2000,
+    })
+    const text = query({ chat_id: '-100' })[0]!.text as string
+    expect(text).not.toContain(GH_PAT)
+    expect(text).toContain('[REDACTED')
+  })
+
+  it('masks a secret introduced by an edit', () => {
+    recordOutbound({ chat_id: '-100', thread_id: null, message_ids: [3], texts: ['placeholder'], ts: 3000 })
+    recordEdit({ chat_id: '-100', message_id: 3, text: `token: ${SANCTUM}` })
+    const text = query({ chat_id: '-100' })[0]!.text as string
+    expect(text).not.toContain(SANCTUM)
+    expect(text).toContain('[REDACTED')
+  })
+
+  it('leaves ordinary prose untouched', () => {
+    recordInbound({
+      chat_id: '-100',
+      thread_id: null,
+      message_id: 4,
+      user: 'a',
+      user_id: '1',
+      ts: 4000,
+      text: 'hello, how are you?',
+    })
+    expect(query({ chat_id: '-100' })[0]!.text).toBe('hello, how are you?')
+  })
+})

package/telegram-plugin/tests/permission-title.test.ts

@@ -12,6 +12,7 @@ import {
   naturalAction,
   describeGrant,
   formatPermissionCardBody,
+  formatPermissionResumeMessage,
 } from '../permission-title.js'
 import type { ScopeOption } from '../permission-rule.js'
 
@@ -193,3 +194,70 @@ describe('describeGrant — phrased from the chosen scope', () => {
     )
   })
 })
+
+describe('formatPermissionResumeMessage — agent-voiced verdict ack', () => {
+  test('allow names the work it is resuming', () => {
+    expect(
+      formatPermissionResumeMessage({
+        agentName: 'gymbro',
+        behavior: 'allow',
+        action: 'edit: supplement-log.md',
+      }),
+    ).toBe('▶️ <b>Gymbro</b> — got it, continuing: <i>edit: supplement-log.md</i>')
+  })
+
+  test('deny names what it will skip, lower-cased inline', () => {
+    expect(
+      formatPermissionResumeMessage({
+        agentName: 'ziggy',
+        behavior: 'deny',
+        action: 'Search the web',
+      }),
+    ).toBe("🚫 <b>Ziggy</b> — noted, I won't search the web. Continuing without it.")
+  })
+
+  test('TTL auto-deny variant reads as a timeout, not a tap', () => {
+    expect(
+      formatPermissionResumeMessage({
+        agentName: 'finn',
+        behavior: 'deny',
+        action: 'run: deploy.sh',
+        timeoutMinutes: 5,
+      }),
+    ).toBe('🚫 <b>Finn</b> — no answer in 5m, continuing without it (<i>run: deploy.sh</i>).')
+  })
+
+  test('HTML-escapes a hostile action phrase (no raw </>& injection)', () => {
+    const out = formatPermissionResumeMessage({
+      agentName: 'clerk',
+      behavior: 'allow',
+      action: 'run: echo <b>&"pwned"</b>',
+    })
+    expect(out).toContain('&lt;b&gt;&amp;')
+    expect(out).not.toContain('<b>&"pwned"')
+  })
+
+  test('cap-first on the agent name', () => {
+    const out = formatPermissionResumeMessage({
+      agentName: 'lawgpt',
+      behavior: 'allow',
+      action: 'read: contract.pdf',
+    })
+    expect(out).toContain('<b>Lawgpt</b>')
+  })
+
+  test('empty action falls back to a generic continue (no dangling phrase)', () => {
+    expect(
+      formatPermissionResumeMessage({ agentName: 'carrie', behavior: 'allow', action: '' }),
+    ).toBe('▶️ <b>Carrie</b> — got it, back to work.')
+    expect(
+      formatPermissionResumeMessage({ agentName: 'carrie', behavior: 'deny', action: '   ' }),
+    ).toBe('🚫 <b>Carrie</b> — noted, continuing without it.')
+  })
+
+  test('null agent name degrades to a neutral "Agent" label', () => {
+    expect(
+      formatPermissionResumeMessage({ agentName: null, behavior: 'allow', action: 'edit: x.md' }),
+    ).toBe('▶️ <b>Agent</b> — got it, continuing: <i>edit: x.md</i>')
+  })
+})

package/telegram-plugin/tests/permission-verdict-resume-guard.test.ts

@@ -22,6 +22,12 @@
  * This guard fails loudly if any `dispatchPermissionVerdict(...)`
  * callsite is not paired with a `resumeReactionAfterVerdict()` within a
  * few lines — i.e. a new (or refactored) verdict path drops the resume.
+ *
+ * Same pin applies to `postPermissionResumeMessage(...)`: the distinct
+ * agent-voiced "got it, continuing: <work>" message is the legible signal
+ * the operator actually sees (the reaction lands on a far-up message; the
+ * card edit is a one-liner). It rides the exact same 5-paths-drift hazard,
+ * so every verdict path must post it too.
  */
 
 import { describe, it, expect } from 'vitest'
@@ -83,4 +89,33 @@ describe('permission verdict → resume reaction wiring', () => {
       true,
     )
   })
+
+  // postPermissionResumeMessage rides ~1–2 lines after resumeReactionAfterVerdict
+  // on every path, so it can sit a touch further from the dispatch than the
+  // resume call — give it a little more headroom.
+  const POST_WINDOW = 20
+
+  it('every dispatchPermissionVerdict() callsite posts the agent-voiced resume message via postPermissionResumeMessage()', () => {
+    const unpaired: number[] = []
+    for (const idx of dispatchCallsites) {
+      const window = LINES.slice(idx, idx + POST_WINDOW + 1).join('\n')
+      if (!/\bpostPermissionResumeMessage\s*\(/.test(window)) {
+        unpaired.push(idx + 1)
+      }
+    }
+    expect(
+      unpaired,
+      `dispatchPermissionVerdict() at gateway.ts line(s) ` +
+        `${unpaired.join(', ')} has no postPermissionResumeMessage() within ` +
+        `${POST_WINDOW} lines — that verdict path resumes the turn silently, ` +
+        `so the operator never gets the "got it, continuing: <work>" message. ` +
+        `Add the post call next to resumeReactionAfterVerdict() (see sibling paths).`,
+    ).toEqual([])
+  })
+
+  it('the resume-message helper still exists', () => {
+    expect(
+      /function\s+postPermissionResumeMessage\s*\(/.test(GATEWAY_SRC),
+    ).toBe(true)
+  })
 })