switchroom 0.14.27 → 0.14.28

package/telegram-plugin/dist/server.js

@@ -24611,6 +24611,20 @@ var init_bridge = __esm(async () => {
         },
         required: ["chat_id", "key"]
       }
+    },
+    {
+      name: "request_secret",
+      description: "Ask the operator to PROVIDE a secret you do not have, securely \u2014 NEVER ask the user to paste a token/key/password as a normal chat message. Use this when you need a credential that is not in the vault (a `vault:<key>` reference is missing/empty, or you know an upcoming task needs one you lack). Renders a Telegram card with [Provide securely] [Decline]; on tap, the operator sends the value once and the gateway DELETES their message instantly and writes it straight to the vault \u2014 the raw value is never echoed back to you. You receive only `vault:<key>`. This is the sibling of `vault_request_save` (use that when the user already handed YOU a value to store) and `vault_request_access` (use that when the key exists but you lack read access). After firing this tool, END YOUR TURN cleanly \u2014 a fresh inbound message arrives once the operator provides (or declines) the secret. Do NOT call this for keys you already have, and do NOT spam (one open request per key; the operator sees every card).",
+      inputSchema: {
+        type: "object",
+        properties: {
+          chat_id: { type: "string", description: "Chat to render the card in (use the chat_id of the user message that triggered the workflow)." },
+          key: { type: "string", description: "Vault key to store the provided secret under. Use lowercase namespaced snake_case, e.g. `coolify/api-token`." },
+          reason: { type: "string", description: 'REQUIRED in practice \u2014 one-line human-readable rationale rendered on the card (e.g. "to trigger a redeploy on Coolify"). Omitting it makes the operator more likely to Decline.' },
+          message_thread_id: { type: "string", description: "Forum topic thread ID. Auto-applied from the last inbound message if not specified." }
+        },
+        required: ["chat_id", "key"]
+      }
     }
   ];
   mcp.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOL_SCHEMAS }));

package/telegram-plugin/gateway/gateway.ts

@@ -355,6 +355,7 @@ import { defaultVaultWrite, defaultVaultList, defaultVaultWritePosture } from '.
 import { parseVaultCliError, renderVaultCliError } from '../secret-detect/vault-error.js'
 import { recentDenialsFromAuditLog, type RecentDenial } from './recent-denials.js'
 import { detectSecrets } from '../secret-detect/index.js'
+import { redact } from '../secret-detect/redact.js'
 import { classifyAdminGate } from '../admin-commands/index.js'
 import {
   startSubagentWatcher,
@@ -371,7 +372,7 @@ import { maybeRenderUpdateAnnouncement } from './update-announce.js'
 import { createIssuesCardHandle, type IssuesCardHandle } from '../issues-card.js'
 import { startIssuesWatcher, type IssuesWatcherHandle } from '../issues-watcher.js'
 import { list as listIssues, resolve as resolveIssue } from '../../src/issues/index.js'
-import { formatPermissionCardBody, describeGrant } from '../permission-title.js'
+import { formatPermissionCardBody, describeGrant, naturalAction, formatPermissionResumeMessage } from '../permission-title.js'
 import { resolveScopedAllowChoices, isRulePersisted } from '../permission-rule.js'
 import { synthesizeAllowRuleDiff, extractAddedAllowRule } from '../permission-diff.js'
 import {
@@ -2158,6 +2159,60 @@ function resumeReactionAfterVerdict(): void {
     ?.setThinking()
 }
 
+/**
+ * Post the agent-voiced "got your verdict — continuing" message the
+ * instant the operator answers a permission card. Travels right beside
+ * `resumeReactionAfterVerdict()` at every operator-driven verdict site so
+ * the legible signal (a distinct message naming the work) can't drift away
+ * from the reaction flip — the same 5-paths-drift hazard #2019 guards.
+ *
+ * The card edit + 🙏→working reaction are easy to miss (a reaction lands on
+ * the turn's triggering message far up the chat; the card footnote is a
+ * one-liner). This message is the thing the operator actually sees.
+ *
+ * Posts to the suspended turn's chat/thread (`currentTurn` still points at
+ * it mid-gate — the same controller `resumeReactionAfterVerdict` addresses)
+ * so it lands in the conversation the gate belongs to; falls back to the
+ * configured operator chats when there's no active turn (e.g. a swept turn
+ * at TTL-sweep time). Kill-switch: `SWITCHROOM_RESUME_MSG=0`.
+ */
+function postPermissionResumeMessage(opts: {
+  behavior: 'allow' | 'deny'
+  action: string
+  timeoutMinutes?: number
+}): void {
+  if (process.env.SWITCHROOM_RESUME_MSG === '0') return
+  const text = formatPermissionResumeMessage({
+    agentName: process.env.SWITCHROOM_AGENT_NAME ?? null,
+    behavior: opts.behavior,
+    action: opts.action,
+    timeoutMinutes: opts.timeoutMinutes,
+  })
+  const turn = currentTurn
+  const targets: Array<{ chatId: string; threadId: number | undefined }> =
+    turn != null
+      ? [{ chatId: turn.sessionChatId, threadId: turn.sessionThreadId }]
+      : loadAccess().allowFrom.map(chatId => ({
+          chatId,
+          threadId: resolveAgentOutboundTopic({
+            kind: 'permission',
+            turnInitiated: false,
+            originThreadId: undefined,
+          }),
+        }))
+  for (const { chatId, threadId } of targets) {
+    // allow-raw-bot-api: wrapped in swallowingApiCall (retry policy); thread-aware send
+    void swallowingApiCall(
+      () =>
+        bot.api.sendMessage(chatId, text, {
+          parse_mode: 'HTML',
+          ...(threadId != null ? { message_thread_id: threadId } : {}),
+        }),
+      { chat_id: chatId, verb: 'permission-resume', ...(threadId != null ? { threadId } : {}) },
+    )
+  }
+}
+
 function resolveThreadId(chat_id: string, explicit?: string | number | null): number | undefined {
   if (explicit != null) return Number(explicit)
   return chatThreadMap.get(chat_id)
@@ -3066,6 +3121,11 @@ const pendingStateReaper = setInterval(() => {
       // The auto-deny un-parks the suspended turn — flip 🙏 → working so
       // it doesn't sit on the awaiting glyph (or stall) after the timeout.
       resumeReactionAfterVerdict()
+      postPermissionResumeMessage({
+        behavior: 'deny',
+        action: naturalAction(v.tool_name, v.input_preview),
+        timeoutMinutes: Math.round(PERMISSION_TTL_MS / 60000),
+      })
       process.stderr.write(
         `telegram gateway: permission TTL expired — auto-deny request=${k} ` +
         `tool=${v.tool_name} (no operator response in ` +
@@ -5080,6 +5140,7 @@ const ALLOWED_TOOLS = new Set([
   'send_sticker', 'send_gif',
   'vault_request_save',
   'vault_request_access',
+  'request_secret',
 ])
 
 async function executeToolCall(tool: string, args: Record<string, unknown>): Promise<unknown> {
@@ -5123,6 +5184,8 @@ async function executeToolCall(tool: string, args: Record<string, unknown>): Pro
       return executeVaultRequestSave(args)
     case 'vault_request_access':
       return executeVaultRequestAccess(args)
+    case 'request_secret':
+      return executeRequestSecret(args)
     default:
       throw new Error(`unknown tool: ${tool}`)
   }
@@ -5170,6 +5233,32 @@ async function executeUpdateChecklist(args: Record<string, unknown>): Promise<{
   return { content: [{ type: 'text', text: `checklist updated (id: ${message_id})` }] }
 }
 
+/**
+ * Outbound secret scrub (#2044). The agent is trusted, but it can still
+ * echo a secret it read from a file, env, or a not-yet-vaulted value into
+ * a reply — and outbound text had no redaction at all. This masks any
+ * detected secret in agent-authored text BEFORE it is logged (the stderr
+ * previews), forwarded (sent to Telegram), or stored (recordOutbound).
+ *
+ * It runs the SAME `detectSecrets` engine as the inbound gate, so a
+ * pattern added once (e.g. the Sanctum `<id>|<token>` shape, #2043) covers
+ * both directions. Applied at the entry of every agent-free-text tool
+ * (reply / stream_reply / edit_message), mutating the text in place so all
+ * downstream consumers — voice scrub, dedup key, chunker, answer-stream
+ * diffing, history record — see the masked value. This is the same
+ * in-place-mutation contract the voice scrub already relies on, which
+ * keeps the answer-stream's incremental edit diffing consistent (it always
+ * compares redacted-against-redacted).
+ */
+function redactOutboundText(text: string, site: string): string {
+  const masked = redact(text)
+  if (masked !== text) {
+    // Never log the secret — only that a mask fired, and where.
+    process.stderr.write(`telegram gateway: outbound secret masked site=${site}\n`)
+  }
+  return masked
+}
+
 async function executeReply(args: Record<string, unknown>): Promise<{ content: Array<{ type: string; text: string }> }> {
   // #1664 — pin the turn this reply belongs to at entry. The
   // finalAnswerDelivered write near the end of this function runs after
@@ -5183,6 +5272,11 @@ async function executeReply(args: Record<string, unknown>): Promise<{ content: A
   const rawText = args.text as string | undefined
   if (rawText == null || rawText === '') throw new Error('reply: text is required and cannot be empty')
   let text = repairEscapedWhitespace(rawText)
+  // Outbound secret scrub (#2044): mask any secret the agent echoed BEFORE
+  // the stderr preview below, the dedup key, the send, and the history
+  // record. Mutates `text` so every downstream consumer sees the masked
+  // value, exactly like the voice scrub that follows.
+  text = redactOutboundText(text, 'reply')
   // Voice scrub (#1683): replace em / en dashes with commas / periods.
   // Runs BEFORE outboundDedup so retries see the scrubbed key, and
   // BEFORE markdownToHtml so code-block content is correctly parked
@@ -5935,6 +6029,12 @@ async function executeStreamReply(args: Record<string, unknown>): Promise<unknow
   if (!args.chat_id) throw new Error('stream_reply: chat_id is required')
   if (args.text == null || args.text === '') throw new Error('stream_reply: text is required and cannot be empty')
 
+  // Outbound secret scrub (#2044): mask before the dedup key, the draft
+  // stream sends, and the history record. stream_reply carries the FULL
+  // text-so-far on every call, so redacting each call keeps the answer-
+  // stream's incremental diffing comparing redacted-against-redacted.
+  args.text = redactOutboundText(args.text as string, 'stream_reply')
+
   // Voice scrub (PR #1683 follow-up). Modern Claude on the fleet
   // uses the answer-stream / draft-stream path for multi-paragraph
   // replies — the model emits via stream_reply and the original
@@ -6777,6 +6877,297 @@ async function executeVaultRequestSave(args: Record<string, unknown>): Promise<{
   }
 }
 
+// ─── #2045 request_secret — agent asks the operator to PROVIDE a secret ───
+//
+// The third member of the agent-vault tool family. `vault_request_save`
+// = agent HAS a value and asks to save it; `vault_request_access` = agent
+// needs read access to an existing key; `request_secret` = agent needs a
+// value it does NOT have. The operator provides it through a secure card:
+// they tap [Provide securely], send the value once, and the gateway deletes
+// the message instantly + writes it straight to the vault. The raw value is
+// never recorded to history, never logged, never returned to the agent —
+// the agent only ever references `vault:<key>`. This removes the reason an
+// agent would ever ask a user to paste a secret as a normal chat message.
+interface PendingSecretRequest {
+  agent: string
+  chat_id: string
+  key: string
+  reason?: string
+  staged_at: number
+  card_message_id?: number
+}
+// stageId -> request (lives until tapped or TTL).
+const pendingSecretRequests = new Map<string, PendingSecretRequest>()
+// chat_id -> the armed capture: the operator's NEXT message in this chat is
+// the value for `key`. Set when [Provide securely] is tapped.
+interface ArmedSecretCapture { key: string; agent: string; stageId: string; armed_at: number }
+const armedSecretCaptures = new Map<string, ArmedSecretCapture>()
+const PENDING_SECRET_REQUEST_TTL_MS = 30 * 60_000 // card lifetime
+const ARMED_SECRET_CAPTURE_TTL_MS = 10 * 60_000   // window to send the value after tapping
+
+function sweepSecretRequests(): void {
+  const now = Date.now()
+  for (const [k, v] of pendingSecretRequests) {
+    if (now - v.staged_at > PENDING_SECRET_REQUEST_TTL_MS) pendingSecretRequests.delete(k)
+  }
+  for (const [k, v] of armedSecretCaptures) {
+    if (now - v.armed_at > ARMED_SECRET_CAPTURE_TTL_MS) armedSecretCaptures.delete(k)
+  }
+}
+
+function buildSecretRequestKeyboard(stageId: string): { inline_keyboard: Array<Array<{ text: string; callback_data: string }>> } {
+  return {
+    inline_keyboard: [
+      [
+        { text: '🔐 Provide securely', callback_data: `vsp:provide:${stageId}` },
+        { text: '🚫 Decline', callback_data: `vsp:decline:${stageId}` },
+      ],
+    ],
+  }
+}
+
+function renderSecretRequestCard(req: PendingSecretRequest): string {
+  const lines: string[] = [
+    `🔒 <b>${escapeHtmlForTg(req.agent)}</b> needs a secret:`,
+    `<code>${escapeHtmlForTg(req.key)}</code>`,
+  ]
+  if (req.reason) lines.push(`<i>${escapeHtmlForTg(req.reason)}</i>`)
+  lines.push(
+    '',
+    'Tap <b>Provide securely</b>, then send the value as your next message. I’ll delete it instantly and store it in the vault — it is never shown in chat or to the agent.',
+  )
+  return lines.join('\n')
+}
+
+/**
+ * `request_secret` tool — agent surfaces a card asking the operator to
+ * provide a missing secret. No `value` arg: the value arrives via secure
+ * capture (the operator's next message after they tap [Provide securely]).
+ */
+async function executeRequestSecret(args: Record<string, unknown>): Promise<{ content: Array<{ type: string; text: string }> }> {
+  const chat_id = args.chat_id as string
+  if (!chat_id) throw new Error('request_secret: chat_id is required')
+  const key = args.key as string
+  if (!key || typeof key !== 'string') throw new Error('request_secret: key is required')
+  const reason = typeof args.reason === 'string' ? args.reason : undefined
+  assertAllowedChat(chat_id)
+  if (!VAULT_KEY_REGEX.test(key)) {
+    throw new Error(`request_secret: key must match ${VAULT_KEY_REGEX_LABEL}`)
+  }
+  const agentSlug = process.env.SWITCHROOM_AGENT_NAME || 'agent'
+
+  // Dedupe: one open request per (chat, key). Drop any prior stage for
+  // the same target so the operator never sees stacked cards.
+  for (const [sid, p] of pendingSecretRequests) {
+    if (p.chat_id === chat_id && p.key === key) pendingSecretRequests.delete(sid)
+  }
+
+  const stageId = randomBytes(4).toString('hex')
+  const pending: PendingSecretRequest = { agent: agentSlug, chat_id, key, reason, staged_at: Date.now() }
+  pendingSecretRequests.set(stageId, pending)
+  sweepSecretRequests()
+
+  const text = renderSecretRequestCard(pending)
+  const threadId = args.message_thread_id != null ? Number(args.message_thread_id) : undefined
+  const sent = await retryWithThreadFallback<{ message_id: number }>(
+    robustApiCall,
+    (tid) =>
+      lockedBot.api.sendMessage(chat_id, text, {
+        parse_mode: 'HTML',
+        reply_markup: buildSecretRequestKeyboard(stageId),
+        ...(tid != null && Number.isFinite(tid) ? { message_thread_id: tid } : {}),
+      }),
+    { threadId, chat_id, verb: 'request_secret.card' },
+  )
+  pending.card_message_id = sent.message_id
+
+  return {
+    content: [
+      {
+        type: 'text',
+        text: `request_secret: card sent (stage_id=${stageId}, key=${key}). END YOUR TURN now and wait — a fresh inbound message arrives once the operator provides (or declines) the secret. Do NOT ask them to paste it as a normal message; the card handles it securely.`,
+      },
+    ],
+  }
+}
+
+/**
+ * Write a provided secret to the vault. Mirrors the vrs:save write branch:
+ * posture-attested broker put under telegram-id mode (no passphrase), else
+ * the cached-passphrase CLI path. Returns the same {ok, output} shape.
+ */
+async function writeRequestedSecret(key: string, value: string, chat_id: string): Promise<{ ok: boolean; output: string }> {
+  if (VAULT_APPROVAL_AUTH_MODE === 'telegram-id') {
+    return await defaultVaultWritePosture(key, value)
+  }
+  const cached = vaultPassphraseCache.get(chat_id)
+  if (!cached || cached.expiresAt <= Date.now()) {
+    return { ok: false, output: 'VAULT-LOCKED: run /vault unlock once in this chat, then have the agent re-request.' }
+  }
+  return defaultVaultWrite(key, value, cached.passphrase)
+}
+
+/**
+ * Secure value capture. Called early in handleInbound: if this chat is
+ * armed (operator tapped [Provide securely]), the inbound message IS the
+ * secret value. Delete it, write to the vault under the requested key, tell
+ * the agent it's available, and STOP — never record / log / forward the raw
+ * value. Returns true if it consumed the message (caller must return).
+ */
+async function captureProvidedSecret(
+  ctx: Context,
+  chat_id: string,
+  msgId: number | undefined,
+  value: string,
+): Promise<boolean> {
+  const armed = armedSecretCaptures.get(chat_id)
+  if (!armed || Date.now() - armed.armed_at > ARMED_SECRET_CAPTURE_TTL_MS) {
+    if (armed) armedSecretCaptures.delete(chat_id)
+    return false
+  }
+  armedSecretCaptures.delete(chat_id)
+  const pending = pendingSecretRequests.get(armed.stageId)
+  pendingSecretRequests.delete(armed.stageId)
+
+  // Delete the raw message FIRST — surfaces a warning if it fails.
+  if (msgId != null) await deleteSensitiveMessage(chat_id, msgId, 'provided secret value')
+
+  const write = await writeRequestedSecret(armed.key, value, chat_id)
+  if (!write.ok) {
+    const parsed = parseVaultCliError(write.output)
+    const rendered = renderVaultCliError(parsed, { verb: 'save', key: armed.key })
+    const body = rendered.suppressRaw ? rendered.html : `⚠️ vault write failed:\n<pre>${escapeHtmlForTg(write.output)}</pre>`
+    await switchroomReply(ctx, `${body}\n\n<i>The secret was NOT saved. The agent can re-request with <code>request_secret</code>.</i>`, { html: true })
+    // Wake the agent too (review #2047 finding #3): it ended its turn
+    // waiting for a synthetic inbound; without this it stalls silently.
+    const fts = Date.now()
+    const failMsg: InboundMessage = {
+      type: 'inbound',
+      chatId: chat_id,
+      messageId: fts,
+      user: 'vault-broker',
+      userId: 0,
+      ts: fts,
+      text: `⚠️ The secret you requested for \`vault:${armed.key}\` could NOT be saved (vault write failed). Do not assume it is available; tell the operator or try request_secret again.`,
+      meta: { source: 'secret_provide_failed', agent: armed.agent, key: armed.key, stage_id: armed.stageId },
+    }
+    const fdelivered = ipcServer.sendToAgent(armed.agent, failMsg)
+    if (fdelivered) markClaudeBusyForInbound(failMsg)
+    else pendingInboundBuffer.push(armed.agent, failMsg)
+    return true
+  }
+
+  await switchroomReply(
+    ctx,
+    `✅ saved as <code>vault:${escapeHtmlForTg(armed.key)}</code> (masked: <code>${escapeHtmlForTg(maskToken(value))}</code>). The agent can now reference it.`,
+    { html: true },
+  )
+
+  // Resume the requesting agent with a synthetic inbound — mirrors the
+  // vault_grant_approved injection. The value is NOT included; only the key.
+  const ts = Date.now()
+  const synthetic: InboundMessage = {
+    type: 'inbound',
+    chatId: chat_id,
+    messageId: ts,
+    user: 'vault-broker',
+    userId: 0,
+    ts,
+    text:
+      `✅ Operator provided the secret you requested. It is saved as ` +
+      `\`vault:${armed.key}\` — reference it the usual way. Resume the task ` +
+      `that was waiting on this credential. Do NOT ask the operator to paste it.`,
+    meta: {
+      source: 'secret_provided',
+      agent: armed.agent,
+      key: armed.key,
+      stage_id: armed.stageId,
+    },
+  }
+  const delivered = ipcServer.sendToAgent(armed.agent, synthetic)
+  if (delivered) markClaudeBusyForInbound(synthetic)
+  else pendingInboundBuffer.push(armed.agent, synthetic)
+  process.stderr.write(
+    `telegram gateway: secret_provided injection agent=${armed.agent} key=${armed.key} stage=${armed.stageId} delivered=${delivered}\n`,
+  )
+  return true
+}
+
+/**
+ * `vsp:` callbacks — agent-requested-secret card.
+ *   vsp:provide:<stageId>  — arm capture: operator's next message is the value
+ *   vsp:decline:<stageId>  — drop the request; tell the agent it was declined
+ */
+async function handleSecretRequestCallback(ctx: Context, data: string): Promise<void> {
+  const senderId = String(ctx.from?.id ?? '')
+  const access = loadAccess()
+  if (!access.allowFrom.includes(senderId)) {
+    await ctx.answerCallbackQuery({ text: 'Not authorized.' }).catch(() => {})
+    return
+  }
+  const parts = data.split(':')
+  const action = parts[1]
+  const stageId = parts[2] ?? ''
+  const pending = pendingSecretRequests.get(stageId)
+  if (!pending) {
+    await ctx.answerCallbackQuery({ text: 'This request expired.' }).catch(() => {})
+    return
+  }
+
+  if (action === 'provide') {
+    armedSecretCaptures.set(pending.chat_id, {
+      key: pending.key,
+      agent: pending.agent,
+      stageId,
+      armed_at: Date.now(),
+    })
+    await ctx.answerCallbackQuery({ text: 'Send the value now — it auto-deletes.' }).catch(() => {})
+    if (pending.card_message_id != null) {
+      await ctx.api
+        .editMessageText(
+          pending.chat_id,
+          pending.card_message_id,
+          `🔐 Send the value for <code>${escapeHtmlForTg(pending.key)}</code> as your next message — a single message, exactly as-is (don't add other text). I’ll delete it instantly and store it in the vault.`,
+          { parse_mode: 'HTML', reply_markup: { inline_keyboard: [] } },
+        )
+        .catch(() => {})
+    }
+    return
+  }
+
+  if (action === 'decline') {
+    pendingSecretRequests.delete(stageId)
+    armedSecretCaptures.delete(pending.chat_id)
+    await ctx.answerCallbackQuery({ text: 'Declined.' }).catch(() => {})
+    if (pending.card_message_id != null) {
+      await ctx.api
+        .editMessageText(pending.chat_id, pending.card_message_id, `🚫 Declined — <code>${escapeHtmlForTg(pending.key)}</code> not provided.`, {
+          parse_mode: 'HTML',
+          reply_markup: { inline_keyboard: [] },
+        })
+        .catch(() => {})
+    }
+    // Tell the agent so it stops waiting.
+    const ts = Date.now()
+    const synthetic: InboundMessage = {
+      type: 'inbound',
+      chatId: pending.chat_id,
+      messageId: ts,
+      user: 'vault-broker',
+      userId: 0,
+      ts,
+      text: `🚫 Operator declined your request for \`vault:${pending.key}\`. Proceed without it or ask how they'd like to handle the task.`,
+      meta: { source: 'secret_declined', agent: pending.agent, key: pending.key, stage_id: stageId },
+    }
+    const delivered = ipcServer.sendToAgent(pending.agent, synthetic)
+    if (delivered) markClaudeBusyForInbound(synthetic)
+    else pendingInboundBuffer.push(pending.agent, synthetic)
+    return
+  }
+
+  await ctx.answerCallbackQuery().catch(() => {})
+}
+
 /**
  * Issue #1012 — render the agent-initiated ACL request approval card.
  * Same visual language as the recent-denials one-tap allow (#969 P2b)
@@ -6991,6 +7382,9 @@ async function executeEditMessage(args: Record<string, unknown>): Promise<unknow
   const editConfigMode = editAccess.parseMode ?? 'html'
   const editFormat = (args.format as string | undefined) ?? editConfigMode
   let editRawText = repairEscapedWhitespace(args.text as string)
+  // Outbound secret scrub (#2044): an edit must not re-introduce a raw
+  // secret into a live bubble or the history row. Mask before scrub/send.
+  editRawText = redactOutboundText(editRawText, 'edit_message')
   // Voice scrub (#1683): same em-dash scrub as the reply path. Edits
   // are how silent-anchor and progress-update mutate already-sent
   // bubbles, so without this an edit can re-introduce dashes the
@@ -8170,6 +8564,14 @@ function handleSessionEvent(ev: SessionEvent): void {
         const backstopThreadId = threadId
         const backstopCtrl = ctrl
 
+        // Outbound secret scrub (#2044). Turn-flush delivers the model's
+        // terminal answer prose when it skipped reply/stream_reply — that
+        // is arbitrary agent free-text, sent via sendMessage/editMessageText
+        // and previewed to stderr below, so it needs the same mask as the
+        // three reply tools. Mirror the voice scrub: mask before the send,
+        // the preview, and recordOutbound.
+        capturedText = redactOutboundText(capturedText, 'turn_flush')
+
         // Voice scrub (PR #1683 follow-up). Turn-flush is the path
         // that fires when the model emits raw transcript text WITHOUT
         // calling reply / stream_reply. That captured text bypasses
@@ -9216,6 +9618,11 @@ async function handleInbound(
       behavior,
     })
     resumeReactionAfterVerdict()
+    const ftDetails = pendingPermissions.get(request_id)
+    postPermissionResumeMessage({
+      behavior,
+      action: ftDetails ? naturalAction(ftDetails.tool_name, ftDetails.input_preview) : '',
+    })
     if (msgId != null) {
       const emoji = behavior === 'allow' ? '✅' : '❌'
       void bot.api.setMessageReaction(chat_id, msgId, [
@@ -9525,6 +9932,22 @@ async function handleInbound(
   const isQueuedPrefix = parsedQueue.queued
   let effectiveText = isSteerPrefix ? parsedSteer.body : (isQueuedPrefix ? parsedQueue.body : text)
 
+  // --- #2045 provided-secret capture ---
+  // If this chat is armed (operator tapped [Provide securely] on a
+  // request_secret card), THIS message is the secret value: delete it,
+  // write it to the vault, resume the agent, and STOP. Runs before secret
+  // detection, recordInbound, and the IPC broadcast so the raw value is
+  // never recorded, logged, or forwarded.
+  if (armedSecretCaptures.has(chat_id)) {
+    // Capture the RAW message text, not effectiveText — the secret value
+    // must be vaulted verbatim, without the steer/queue prefix-stripping or
+    // trim that effectiveText applies (review #2047 finding #1). A
+    // credential that legitimately starts with `/s` or has surrounding
+    // whitespace would otherwise be mangled.
+    const consumed = await captureProvidedSecret(ctx, chat_id, msgId ?? undefined, text)
+    if (consumed) return
+  }
+
   // --- Secret detection + vault-scrub ---
   // If the user pasted a secret, intercept BEFORE we record to history or
   // broadcast to the agent: write to vault, delete the Telegram message,
@@ -12109,6 +12532,10 @@ async function handlePermissionSlash(ctx: Context, behavior: 'allow' | 'deny'):
   // Forward to connected bridges — same IPC the button handler uses.
   dispatchPermissionVerdict({ type: 'permission', requestId: request_id, behavior })
   resumeReactionAfterVerdict()
+  postPermissionResumeMessage({
+    behavior,
+    action: naturalAction(details.tool_name, details.input_preview),
+  })
   pendingPermissions.delete(request_id)
   process.stderr.write(
     `[telegram gateway] slash-${behavior} request_id=${request_id} tool=${details.tool_name} by=${senderId}\n`,
@@ -15482,6 +15909,14 @@ bot.on('callback_query:data', async ctx => {
     return
   }
 
+  // #2045: agent-requested-secret card.
+  //   vsp:provide:<stageId> — arm capture; operator's next message is the value
+  //   vsp:decline:<stageId> — drop the request, notify the agent
+  if (data.startsWith('vsp:')) {
+    await handleSecretRequestCallback(ctx, data)
+    return
+  }
+
   // Issue #969 P2b: vault recent-denial one-tap approval.
   //   vrd:<agent>:<key> — mint a 30-day read-grant for the agent + key
   // Posted by /vault audit <agent> in the "Recent denials" section.
@@ -15763,6 +16198,10 @@ bot.on('callback_query:data', async ctx => {
     // below). Un-park 🙏 → working immediately so the operator sees the
     // agent continue while hostd writes the durable rule.
     resumeReactionAfterVerdict()
+    postPermissionResumeMessage({
+      behavior: 'allow',
+      action: naturalAction(details.tool_name, details.input_preview),
+    })
 
     // (3) Decide the persistence path. tryHostdDispatch returns
     // "not-configured" when host_control is disabled or the per-agent
@@ -15914,18 +16353,20 @@ bot.on('callback_query:data', async ctx => {
     return
   }
 
-  // Forward permission decision to connected bridges
+  // Forward permission decision to connected bridges. Capture the work
+  // phrase BEFORE deleting the pending entry — postPermissionResumeMessage
+  // (fired in synthInbound below) names the resumed work.
+  const resumeAction = (() => {
+    const d = pendingPermissions.get(request_id)
+    return d ? naturalAction(d.tool_name, d.input_preview) : ''
+  })()
   pendingPermissions.delete(request_id)
-  // Deterministic "▶️ resuming…" beat (framework-posted, not model text):
-  // the verdict un-parks the suspended turn, so confirm to the operator
-  // that the agent received it and is continuing — closing the "is it
-  // working or did my tap do nothing?" gap. Allow and deny both resume the
-  // turn (deny just hands claude a refusal it then handles).
-  const resumeAgent = process.env.SWITCHROOM_AGENT_NAME
-  const resumeBeat = resumeAgent
-    ? `▶️ ${escapeHtmlForTg(resumeAgent)} resuming…`
-    : '▶️ resuming…'
-  const label = `${behavior === 'allow' ? '✅ Allowed' : '❌ Denied'} · ${resumeBeat}`
+  // The card collapses to a plain verdict label. The distinct agent-voiced
+  // "got it, continuing: …" message (posted on resume below) now carries
+  // the "is it working or did my tap do nothing?" signal the old
+  // `▶️ resuming…` card footnote used to — and names the work, which the
+  // footnote never did. Keeps the card terse and the resume legible.
+  const label = behavior === 'allow' ? '✅ Allowed' : '❌ Denied'
   // HTML-escape the source text — same hazard as the scope-commit and
   // recent-denial paths above. The permission card body
   // (formatPermissionCardBody) appends claude-supplied `description`
@@ -15956,6 +16397,10 @@ bot.on('callback_query:data', async ctx => {
       // Un-park the status reaction: 🙏 → working, re-arming the stall
       // watchdog that setAwaiting() suspended.
       resumeReactionAfterVerdict()
+      postPermissionResumeMessage({
+        behavior: behavior as 'allow' | 'deny',
+        action: resumeAction,
+      })
     },
   })
 })

package/telegram-plugin/history.ts

@@ -27,6 +27,7 @@
 
 import { chmodSync, mkdirSync } from 'fs'
 import { join } from 'path'
+import { redact } from './secret-detect/redact.js'
 
 /**
  * `bun:sqlite` is a Bun built-in — Vite/Node loaders can't resolve it
@@ -300,6 +301,10 @@ export function recordInbound(args: RecordInboundArgs): void {
       (chat_id, thread_id, message_id, role, user, user_id, ts, text, attachment_kind, group_id, reply_to_message_id, reply_to_text)
     VALUES (?, ?, ?, 'user', ?, ?, ?, ?, ?, NULL, ?, ?)
   `)
+  // Defense-in-depth: never persist a detected secret to the message store.
+  // The inbound gate (server.ts handleInbound) already deletes + vaults a
+  // high-confidence hit before reaching here, so for caught secrets this is
+  // a no-op; it's the backstop for any shape the gate's pattern set misses.
   stmt.run(
     args.chat_id,
     args.thread_id ?? null,
@@ -307,10 +312,10 @@ export function recordInbound(args: RecordInboundArgs): void {
     args.user ?? null,
     args.user_id ?? null,
     args.ts,
-    args.text,
+    redact(args.text),
     args.attachment_kind ?? null,
     args.reply_to_message_id ?? null,
-    args.reply_to_text ?? null,
+    args.reply_to_text != null ? redact(args.reply_to_text) : (args.reply_to_text ?? null),
   )
 }
 
@@ -356,9 +361,14 @@ export function recordOutbound(args: RecordOutboundArgs): void {
       )
     }
   }) as (...args: unknown[]) => unknown)
+  // Outbound redaction: the agent→user direction has no other secret
+  // scrub, so this is the chokepoint that keeps an agent-echoed secret out
+  // of the message store (e.g. an agent quoting a token it read from a file
+  // or a not-yet-vaulted value). Masks the secret bytes in place; the
+  // surrounding reply text is preserved.
   const rows: Array<[number, string, string | null]> = args.message_ids.map((id, i) => [
     id,
-    args.texts[i] ?? '',
+    redact(args.texts[i] ?? ''),
     args.attachment_kinds?.[i] ?? null,
   ])
   tx(rows)
@@ -387,7 +397,9 @@ export function recordEdit(args: RecordEditArgs): void {
          SET text = ?
        WHERE chat_id = ? AND message_id = ?
     `)
-    .run(args.text, args.chat_id, args.message_id)
+    // Same outbound chokepoint as recordOutbound — an edit must not
+    // reintroduce a raw secret into the stored row.
+    .run(redact(args.text), args.chat_id, args.message_id)
 }
 
 export interface RecordReactionArgs {