switchroom 0.14.27 → 0.14.28

package/telegram-plugin/permission-title.ts

@@ -248,6 +248,54 @@ export function describeGrant(
   }
 }
 
+/**
+ * Agent-voiced "I got your verdict and I'm continuing" message, posted as
+ * a *distinct* Telegram message the instant the operator answers a
+ * permission card (allow / deny / always / slash / free-text). The card
+ * edit + status reaction are easy to miss — a reaction lands on the turn's
+ * triggering message far up the chat, and the card footnote is a one-liner
+ * the operator scrolls past — so this is the legible signal that the tap
+ * landed and names the work being (re)started.
+ *
+ * Mirrors `formatPermissionCardBody`'s style ("🔐 <b>Gymbro</b> wants to
+ * edit: log.md" → "▶️ <b>Gymbro</b> — got it, continuing: edit: log.md").
+ * `action` is a phrase from {@link naturalAction} (already operator-facing,
+ * no tool ids). Output is HTML-escaped for `parse_mode: 'HTML'`.
+ *
+ * `timeoutMinutes` marks the TTL auto-deny variant (no operator tapped —
+ * the request aged out) so the wording reflects "no answer" rather than a
+ * deliberate denial.
+ */
+export function formatPermissionResumeMessage(opts: {
+  agentName: string | null;
+  behavior: "allow" | "deny";
+  action: string;
+  timeoutMinutes?: number;
+}): string {
+  const who =
+    opts.agentName && opts.agentName.length > 0
+      ? `<b>${escapeTgHtml(capFirst(opts.agentName))}</b>`
+      : `<b>Agent</b>`;
+  const act = (opts.action ?? "").trim();
+  const hasAction = act.length > 0;
+
+  if (opts.behavior === "allow") {
+    return hasAction
+      ? `▶️ ${who} — got it, continuing: <i>${escapeTgHtml(act)}</i>`
+      : `▶️ ${who} — got it, back to work.`;
+  }
+
+  // deny
+  if (opts.timeoutMinutes != null) {
+    return hasAction
+      ? `🚫 ${who} — no answer in ${opts.timeoutMinutes}m, continuing without it (<i>${escapeTgHtml(act)}</i>).`
+      : `🚫 ${who} — no answer in ${opts.timeoutMinutes}m, continuing without it.`;
+  }
+  return hasAction
+    ? `🚫 ${who} — noted, I won't ${escapeTgHtml(lowerFirst(act))}. Continuing without it.`
+    : `🚫 ${who} — noted, continuing without it.`;
+}
+
 function resolveSkillName(input: Record<string, unknown>): string | null {
   return (
     readString(input, "skill") ??

package/telegram-plugin/secret-detect/patterns.ts

@@ -54,6 +54,14 @@ export const ANCHORED_PATTERNS: PatternDef[] = [
   // Telegram bot tokens: with "bot" prefix or bare ID:token.
   { rule_id: 'telegram_bot_token_prefixed', regex: /\bbot(\d{6,}:[A-Za-z0-9_-]{20,})\b/g, captureIndex: 1, slugHint: 'telegram_bot_token' },
   { rule_id: 'telegram_bot_token', regex: /\b(\d{6,}:[A-Za-z0-9_-]{20,})\b/g, captureIndex: 1, slugHint: 'telegram_bot_token' },
+  // Laravel Sanctum / Coolify personal-access tokens. Shape: `<id>|<token>`
+  // where <id> is the integer PK and <token> is `Str::random(40)` — 40 base62
+  // chars. The `|` separator is what distinguishes this from a Telegram
+  // `id:token` (colon) or a JWT. Length floor 40 (the Sanctum default) keeps
+  // this off short pipe-joined chat like `1|foo` or markdown table cells.
+  // Incident 2026-06-01: a live `17|<40-char>` Coolify token pasted by a user
+  // slipped every existing pattern and persisted in plaintext.
+  { rule_id: 'laravel_sanctum_token', regex: /\b(\d+\|[A-Za-z0-9]{40,})\b/g, captureIndex: 1, slugHint: 'api_token' },
   { rule_id: 'aws_access_key', regex: /\b(AKIA[0-9A-Z]{16})\b/g, captureIndex: 1, slugHint: 'aws_access_key' },
   { rule_id: 'jwt', regex: /\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b/g, captureIndex: 1, slugHint: 'jwt' },
 ]

package/telegram-plugin/secret-detect/redact.ts

@@ -0,0 +1,76 @@
+/**
+ * `redact(text)` — sanitize text by replacing detected secrets and
+ * credential-bearing URL parts with `[REDACTED]` markers, in place.
+ *
+ * This is the shared mask-in-place chokepoint. Unlike the inbound
+ * vault-staging flow (which DELETES the Telegram message and offers to
+ * save the secret), `redact()` leaves the surrounding prose intact and
+ * only masks the secret byte-ranges — the right behavior when we must
+ * keep a record but never store/log/forward the raw value:
+ *
+ *   - INBOUND + OUTBOUND history persistence — `history.ts`
+ *     `recordInbound` / `recordOutbound` redact before the row hits
+ *     SQLite, so no detected secret survives in the message store in
+ *     either direction (defense-in-depth behind the inbound gate, and
+ *     the only redaction on the agent→user direction).
+ *   - `switchroom issues record` — `src/issues/store.ts:capDetail`.
+ *   - `switchroom secret-detect redact --stdin` — bash-callable shim.
+ *   - hostd — `src/host-control/server.ts`.
+ *
+ * Detection is delegated to `detectSecrets()` (same patterns, same
+ * suppressor, same engine as the inbound Telegram gate) so a pattern
+ * added once — e.g. the Laravel/Coolify Sanctum `<id>|<token>` shape —
+ * covers detection, inbound interception, and this redactor uniformly.
+ *
+ * Idempotence: for token-shape detections the marker doesn't re-match.
+ * For *structural* detectors (`cli_flag`, `json_secret_field`) a second
+ * pass may rewrite the tag, but the bytes stay redacted. Rely on "no
+ * detected secret bytes survive any number of passes", not on strict
+ * `redact(redact(x)) === redact(x)`.
+ */
+import { detectSecrets, type Detection } from './index.js'
+import { redactUrls } from './url-redact.js'
+
+export const REDACTED_MARKER = '[REDACTED]'
+
+/**
+ * Synchronous, fast redactor. Vendored pattern engine only (no async
+ * secretlint) so it is safe on hot paths (every stored message).
+ *
+ * Order matters:
+ *   1. URL credentials (`https://u:p@host` → `https://***@host`,
+ *      sensitive query params → `?key=***`).
+ *   2. Token-shape detection over the URL-normalized text; matched byte
+ *      ranges are replaced right-to-left so earlier offsets stay valid.
+ */
+export function redact(text: string): string {
+  if (!text || text.length === 0) return text
+
+  // Step 1 — URL credentials and known-sensitive query params.
+  const urlScrubbed = redactUrls(text)
+
+  // Step 2 — token shape detection over the URL-scrubbed text.
+  const hits: Detection[] = detectSecrets(urlScrubbed)
+  if (hits.length === 0) return urlScrubbed
+
+  // Apply replacements right-to-left so byte offsets stay valid.
+  const sorted = [...hits].sort((a, b) => b.start - a.start)
+  let out = urlScrubbed
+  for (const h of sorted) {
+    out = out.slice(0, h.start) + redactedMarker(h.rule_id) + out.slice(h.end)
+  }
+  return out
+}
+
+/**
+ * `[REDACTED:<rule_id>]` when the rule_id is informative,
+ * `[REDACTED]` otherwise. The rule_id is detector-emitted, so it never
+ * contains attacker-controlled bytes — safe to embed verbatim.
+ */
+function redactedMarker(ruleId: string): string {
+  const trimmed = ruleId.replace(/^(kv|env)_/, '')
+  if (!trimmed || trimmed === 'key_value' || trimmed === 'kv_entropy') {
+    return REDACTED_MARKER
+  }
+  return `[REDACTED:${trimmed}]`
+}

package/telegram-plugin/tests/card-format.test.ts

@@ -27,6 +27,22 @@ describe('stripMarkdown', () => {
     expect(stripMarkdown('2) second')).toBe('second')
   })
 
+  it('strips leading block markup on EVERY line, not just the string start', () => {
+    // The screenshot regression: a worker summary that opens with prose
+    // ("Done.") then a `## Summary` heading mid-string. Without the `gm`
+    // flags the heading marker leaked into the rendered card.
+    const headed = stripMarkdown('Done.\n\n## Summary\n\nFixed the bug')
+    expect(headed).not.toContain('##')
+    expect(headed).toContain('Done.')
+    expect(headed).toContain('Summary')
+    expect(headed).toContain('Fixed the bug')
+
+    const mixed = stripMarkdown('intro\n> quoted\n- item')
+    expect(mixed).not.toMatch(/(^|\n)\s*[>\-*]/)
+    expect(mixed).toContain('quoted')
+    expect(mixed).toContain('item')
+  })
+
   it('reduces a link to its label', () => {
     expect(stripMarkdown('see [the PR](https://x/y) here')).toBe('see the PR here')
   })

package/telegram-plugin/tests/gateway-outbound-redact.test.ts

@@ -0,0 +1,80 @@
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+
+/**
+ * Structural test for the outbound secret-scrub (#2044).
+ *
+ * Outbound (agent→user) text previously had NO redaction — an agent that
+ * echoed a secret it read from a file/env/not-yet-vaulted value would send
+ * the raw bytes to Telegram, log a preview to stderr, and store them in
+ * history. This pins that `redactOutboundText()` runs at the ENTRY of each
+ * agent-free-text tool (reply / stream_reply / edit_message), before the
+ * stderr preview, the dedup key, the send, and the history record.
+ *
+ * Why structural: executeReply/executeStreamReply/executeEditMessage are
+ * not exported (same constraint as gateway-secret-detect.test.ts). The
+ * masking itself — that `redact()` covers the Sanctum shape and every
+ * provider token — is exercised behaviorally in secret-detect-sanctum.test.ts
+ * and the redact() unit tests; what's left to pin here is the wiring + slot.
+ */
+describe('gateway outbound secret-scrub — structural wiring', () => {
+  const src = readFileSync(
+    new URL('../gateway/gateway.ts', import.meta.url),
+    'utf8',
+  )
+
+  it('imports the shared redactor', () => {
+    expect(src).toMatch(/import \{ redact \} from '\.\.\/secret-detect\/redact\.js'/)
+  })
+
+  it('defines the redactOutboundText helper backed by redact()', () => {
+    const idx = src.indexOf('function redactOutboundText(')
+    expect(idx).toBeGreaterThan(0)
+    const body = src.slice(idx, idx + 400)
+    expect(body).toMatch(/redact\(text\)/)
+  })
+
+  it('reply: scrubs at entry, before the stderr preview log', () => {
+    const start = src.indexOf('async function executeReply(')
+    const redactIdx = src.indexOf(`redactOutboundText(text, 'reply')`, start)
+    const previewIdx = src.indexOf('reply: invoked chatId=', start)
+    expect(start).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(start)
+    expect(previewIdx).toBeGreaterThan(redactIdx) // mask BEFORE the preview is logged
+  })
+
+  it('stream_reply: scrubs at entry, before the voice scrub + dedup', () => {
+    const start = src.indexOf('async function executeStreamReply(')
+    const redactIdx = src.indexOf(`redactOutboundText(args.text as string, 'stream_reply')`, start)
+    const scrubIdx = src.indexOf(`site: 'stream_reply'`, start)
+    expect(start).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(start)
+    expect(scrubIdx).toBeGreaterThan(redactIdx)
+  })
+
+  it('edit_message: scrubs at entry, before the voice scrub + send', () => {
+    const start = src.indexOf('async function executeEditMessage(')
+    const redactIdx = src.indexOf(`redactOutboundText(editRawText, 'edit_message')`, start)
+    const scrubIdx = src.indexOf(`site: 'edit_message'`, start)
+    expect(start).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(start)
+    expect(scrubIdx).toBeGreaterThan(redactIdx)
+  })
+
+  it('turn-flush backstop: scrubs the model terminal prose before send', () => {
+    // Turn-flush delivers the model's answer when it skipped reply/stream_reply
+    // — arbitrary agent free-text that hits the wire + stderr preview.
+    const redactIdx = src.indexOf(`redactOutboundText(capturedText, 'turn_flush')`)
+    const scrubSiteIdx = src.indexOf(`site: 'turn_flush'`)
+    expect(redactIdx).toBeGreaterThan(0)
+    expect(scrubSiteIdx).toBeGreaterThan(redactIdx) // mask BEFORE the voice scrub + send
+  })
+
+  it('does not log the secret value when a mask fires', () => {
+    const idx = src.indexOf('function redactOutboundText(')
+    const body = src.slice(idx, idx + 400)
+    // The log line names the site, never the text/masked value.
+    expect(body).toMatch(/outbound secret masked site=\$\{site\}/)
+    expect(body).not.toMatch(/\$\{text\}|\$\{masked\}/)
+  })
+})

package/telegram-plugin/tests/gateway-request-secret.test.ts

@@ -0,0 +1,78 @@
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+
+/**
+ * Structural test for the `request_secret` tool (#2045) — the secure
+ * "agent asks the operator to PROVIDE a missing secret" flow. The operator
+ * taps [Provide securely], sends the value once, and the gateway deletes it
+ * + writes it straight to the vault; the raw value is never recorded,
+ * logged, or returned to the agent.
+ *
+ * Structural because the gateway handlers (handleInbound, executeToolCall,
+ * the callback router) aren't exported — same constraint as
+ * gateway-secret-detect.test.ts. The vault-write reuse + card UX are
+ * exercised end-to-end by the mtcute UAT (jtbd-request-secret-dm).
+ */
+describe('request_secret — gateway wiring', () => {
+  const gw = readFileSync(new URL('../gateway/gateway.ts', import.meta.url), 'utf8')
+  const bridge = readFileSync(new URL('../bridge/bridge.ts', import.meta.url), 'utf8')
+
+  it('declares the MCP tool with required {chat_id,key} and NO value arg', () => {
+    const idx = bridge.indexOf(`name: 'request_secret'`)
+    expect(idx).toBeGreaterThan(0)
+    const schema = bridge.slice(idx, idx + 3000)
+    expect(schema).toMatch(/required: \['chat_id', 'key'\]/)
+    // The whole point: the agent does NOT supply the value.
+    expect(schema).not.toMatch(/\bvalue:\s*\{/)
+    // Tells the agent never to ask for a chat paste.
+    expect(schema).toMatch(/NEVER ask the user to paste/i)
+  })
+
+  it('is allow-listed and dispatched', () => {
+    expect(gw).toMatch(/'request_secret',\n\]\)/)
+    expect(gw).toMatch(/case 'request_secret':\s*\n\s*return executeRequestSecret\(args\)/)
+  })
+
+  it('routes the vsp: callback', () => {
+    expect(gw).toMatch(/data\.startsWith\('vsp:'\)/)
+    expect(gw).toMatch(/handleSecretRequestCallback\(ctx, data\)/)
+  })
+
+  it('captures the provided value BEFORE recordInbound and the broadcast', () => {
+    const start = gw.indexOf('async function handleInbound(')
+    const captureIdx = gw.indexOf('captureProvidedSecret(ctx, chat_id', start)
+    const recordIdx = gw.indexOf('recordInbound(', captureIdx)
+    const broadcastIdx = gw.indexOf('ipcServer.broadcast(inboundMsg)', captureIdx)
+    expect(captureIdx).toBeGreaterThan(start)
+    expect(recordIdx).toBeGreaterThan(captureIdx)
+    expect(broadcastIdx).toBeGreaterThan(captureIdx)
+  })
+
+  it('the capture deletes the raw message and writes to the vault, then returns', () => {
+    const idx = gw.indexOf('async function captureProvidedSecret(')
+    expect(idx).toBeGreaterThan(0)
+    const body = gw.slice(idx, idx + 3600)
+    // delete the raw message before anything else
+    expect(body).toMatch(/deleteSensitiveMessage\(chat_id, msgId/)
+    // write via the posture/passphrase helper
+    expect(body).toMatch(/writeRequestedSecret\(armed\.key, value, chat_id\)/)
+  })
+
+  it('the agent-resume inbound carries the key but NOT the value', () => {
+    const idx = gw.indexOf('async function captureProvidedSecret(')
+    const body = gw.slice(idx, idx + 3600)
+    const syntheticIdx = body.indexOf("source: 'secret_provided'")
+    expect(syntheticIdx).toBeGreaterThan(0)
+    // The synthetic text references vault:<key>, never the raw `value`.
+    expect(body).toMatch(/vault:\$\{armed\.key\}/)
+    const textIdx = body.lastIndexOf('text:', syntheticIdx)
+    const metaIdx = body.indexOf('meta:', syntheticIdx)
+    expect(body.slice(textIdx, metaIdx)).not.toMatch(/\$\{value\}/)
+  })
+
+  it('dedupes to one open request per (chat,key)', () => {
+    const idx = gw.indexOf('async function executeRequestSecret(')
+    const body = gw.slice(idx, idx + 1800)
+    expect(body).toMatch(/p\.chat_id === chat_id && p\.key === key/)
+  })
+})

package/telegram-plugin/tests/history.test.ts

@@ -362,3 +362,62 @@ describe('getRecentOutboundCount (backstop dedup helper)', () => {
     expect(getRecentOutboundCount('-200', 2)).toBe(1)
   })
 })
+
+describe('secret redaction at persistence (both directions)', () => {
+  beforeEach(() => initHistory(stateDir, 30))
+
+  // Built by concatenation so the source never holds a contiguous
+  // secret-shaped literal (repo Push Protection / no-pii lint).
+  const SANCTUM = `19|${'qP4mN7rT2v'.repeat(4)}` // <id>|<40 base62> (Sanctum/Coolify)
+  const GH_PAT = `ghp_${'A1b2C3d4E5'.repeat(3)}` // ghp_<30 base62>
+
+  it('masks a user-pasted secret before it is stored (inbound)', () => {
+    recordInbound({
+      chat_id: '-100',
+      thread_id: null,
+      message_id: 1,
+      user: 'alice',
+      user_id: '111',
+      ts: 1000,
+      text: `the new coolify token is ${SANCTUM}, save it`,
+    })
+    const text = query({ chat_id: '-100' })[0]!.text as string
+    expect(text).not.toContain(SANCTUM)
+    expect(text).toContain('[REDACTED')
+    expect(text).toContain('the new coolify token is') // surrounding prose preserved
+  })
+
+  it('masks a secret echoed by the agent before it is stored (outbound)', () => {
+    recordOutbound({
+      chat_id: '-100',
+      thread_id: null,
+      message_ids: [2],
+      texts: [`sure — your key is ${GH_PAT}, keep it safe`],
+      ts: 2000,
+    })
+    const text = query({ chat_id: '-100' })[0]!.text as string
+    expect(text).not.toContain(GH_PAT)
+    expect(text).toContain('[REDACTED')
+  })
+
+  it('masks a secret introduced by an edit', () => {
+    recordOutbound({ chat_id: '-100', thread_id: null, message_ids: [3], texts: ['placeholder'], ts: 3000 })
+    recordEdit({ chat_id: '-100', message_id: 3, text: `token: ${SANCTUM}` })
+    const text = query({ chat_id: '-100' })[0]!.text as string
+    expect(text).not.toContain(SANCTUM)
+    expect(text).toContain('[REDACTED')
+  })
+
+  it('leaves ordinary prose untouched', () => {
+    recordInbound({
+      chat_id: '-100',
+      thread_id: null,
+      message_id: 4,
+      user: 'a',
+      user_id: '1',
+      ts: 4000,
+      text: 'hello, how are you?',
+    })
+    expect(query({ chat_id: '-100' })[0]!.text).toBe('hello, how are you?')
+  })
+})

package/telegram-plugin/tests/permission-title.test.ts

@@ -12,6 +12,7 @@ import {
   naturalAction,
   describeGrant,
   formatPermissionCardBody,
+  formatPermissionResumeMessage,
 } from '../permission-title.js'
 import type { ScopeOption } from '../permission-rule.js'
 
@@ -193,3 +194,70 @@ describe('describeGrant — phrased from the chosen scope', () => {
     )
   })
 })
+
+describe('formatPermissionResumeMessage — agent-voiced verdict ack', () => {
+  test('allow names the work it is resuming', () => {
+    expect(
+      formatPermissionResumeMessage({
+        agentName: 'gymbro',
+        behavior: 'allow',
+        action: 'edit: supplement-log.md',
+      }),
+    ).toBe('▶️ <b>Gymbro</b> — got it, continuing: <i>edit: supplement-log.md</i>')
+  })
+
+  test('deny names what it will skip, lower-cased inline', () => {
+    expect(
+      formatPermissionResumeMessage({
+        agentName: 'ziggy',
+        behavior: 'deny',
+        action: 'Search the web',
+      }),
+    ).toBe("🚫 <b>Ziggy</b> — noted, I won't search the web. Continuing without it.")
+  })
+
+  test('TTL auto-deny variant reads as a timeout, not a tap', () => {
+    expect(
+      formatPermissionResumeMessage({
+        agentName: 'finn',
+        behavior: 'deny',
+        action: 'run: deploy.sh',
+        timeoutMinutes: 5,
+      }),
+    ).toBe('🚫 <b>Finn</b> — no answer in 5m, continuing without it (<i>run: deploy.sh</i>).')
+  })
+
+  test('HTML-escapes a hostile action phrase (no raw </>& injection)', () => {
+    const out = formatPermissionResumeMessage({
+      agentName: 'clerk',
+      behavior: 'allow',
+      action: 'run: echo <b>&"pwned"</b>',
+    })
+    expect(out).toContain('&lt;b&gt;&amp;')
+    expect(out).not.toContain('<b>&"pwned"')
+  })
+
+  test('cap-first on the agent name', () => {
+    const out = formatPermissionResumeMessage({
+      agentName: 'lawgpt',
+      behavior: 'allow',
+      action: 'read: contract.pdf',
+    })
+    expect(out).toContain('<b>Lawgpt</b>')
+  })
+
+  test('empty action falls back to a generic continue (no dangling phrase)', () => {
+    expect(
+      formatPermissionResumeMessage({ agentName: 'carrie', behavior: 'allow', action: '' }),
+    ).toBe('▶️ <b>Carrie</b> — got it, back to work.')
+    expect(
+      formatPermissionResumeMessage({ agentName: 'carrie', behavior: 'deny', action: '   ' }),
+    ).toBe('🚫 <b>Carrie</b> — noted, continuing without it.')
+  })
+
+  test('null agent name degrades to a neutral "Agent" label', () => {
+    expect(
+      formatPermissionResumeMessage({ agentName: null, behavior: 'allow', action: 'edit: x.md' }),
+    ).toBe('▶️ <b>Agent</b> — got it, continuing: <i>edit: x.md</i>')
+  })
+})

package/telegram-plugin/tests/permission-verdict-resume-guard.test.ts

@@ -22,6 +22,12 @@
  * This guard fails loudly if any `dispatchPermissionVerdict(...)`
  * callsite is not paired with a `resumeReactionAfterVerdict()` within a
  * few lines — i.e. a new (or refactored) verdict path drops the resume.
+ *
+ * Same pin applies to `postPermissionResumeMessage(...)`: the distinct
+ * agent-voiced "got it, continuing: <work>" message is the legible signal
+ * the operator actually sees (the reaction lands on a far-up message; the
+ * card edit is a one-liner). It rides the exact same 5-paths-drift hazard,
+ * so every verdict path must post it too.
  */
 
 import { describe, it, expect } from 'vitest'
@@ -83,4 +89,33 @@ describe('permission verdict → resume reaction wiring', () => {
       true,
     )
   })
+
+  // postPermissionResumeMessage rides ~1–2 lines after resumeReactionAfterVerdict
+  // on every path, so it can sit a touch further from the dispatch than the
+  // resume call — give it a little more headroom.
+  const POST_WINDOW = 20
+
+  it('every dispatchPermissionVerdict() callsite posts the agent-voiced resume message via postPermissionResumeMessage()', () => {
+    const unpaired: number[] = []
+    for (const idx of dispatchCallsites) {
+      const window = LINES.slice(idx, idx + POST_WINDOW + 1).join('\n')
+      if (!/\bpostPermissionResumeMessage\s*\(/.test(window)) {
+        unpaired.push(idx + 1)
+      }
+    }
+    expect(
+      unpaired,
+      `dispatchPermissionVerdict() at gateway.ts line(s) ` +
+        `${unpaired.join(', ')} has no postPermissionResumeMessage() within ` +
+        `${POST_WINDOW} lines — that verdict path resumes the turn silently, ` +
+        `so the operator never gets the "got it, continuing: <work>" message. ` +
+        `Add the post call next to resumeReactionAfterVerdict() (see sibling paths).`,
+    ).toEqual([])
+  })
+
+  it('the resume-message helper still exists', () => {
+    expect(
+      /function\s+postPermissionResumeMessage\s*\(/.test(GATEWAY_SRC),
+    ).toBe(true)
+  })
 })

package/telegram-plugin/tests/secret-detect-sanctum.test.ts

@@ -0,0 +1,115 @@
+import { describe, it, expect } from 'vitest'
+import { detectSecrets } from '../secret-detect/index.js'
+import { redact } from '../secret-detect/redact.js'
+
+/**
+ * Regression for the 2026-06-01 incident: a live Laravel Sanctum / Coolify
+ * personal-access token (`<id>|<40-char base62>`, e.g. `17|aB3d…`) pasted by
+ * a USER into chat slipped every existing pattern and persisted in plaintext.
+ *
+ * Diagnosis: the inbound gate (gateway handleInbound) already runs
+ * `detectSecrets` at ingest, fail-closed, BEFORE recordInbound + IPC dispatch
+ * — so the leak was NOT an inbound bypass and NOT render-time masking. It was
+ * pure PATTERN COVERAGE: no rule matched the `<id>|<token>` shape. These tests
+ * pin the new `laravel_sanctum_token` rule and the redactor that backs both
+ * the history-store persistence (both directions) and the issues pipeline.
+ */
+
+// Build token fixtures by concatenation so the source file never contains a
+// contiguous secret-shaped literal (repo Push Protection / no-pii lint).
+const ID = '17'
+const BODY40 = 'aB3dE6fH9j'.repeat(4) // 40 base62 chars — Sanctum's Str::random(40)
+const SANCTUM = `${ID}|${BODY40}` // e.g. 17|aB3dE6fH9j…
+
+describe('laravel/coolify sanctum token detection', () => {
+  it('detects <id>|<40-char> as a high-confidence laravel_sanctum_token', () => {
+    const hits = detectSecrets(`here is the token: ${SANCTUM}`)
+    const hit = hits.find((d) => d.rule_id === 'laravel_sanctum_token')
+    expect(hit).toBeDefined()
+    expect(hit!.matched_text).toBe(SANCTUM)
+    expect(hit!.confidence).toBe('high')
+    expect(hit!.suppressed).toBe(false)
+  })
+
+  it('satisfies the exact inbound-gate predicate (high + not suppressed)', () => {
+    // This is verbatim the condition gateway handleInbound uses to decide to
+    // delete + defer-to-vault: if it is truthy, the pasted token is
+    // intercepted before recordInbound() and the IPC broadcast to the agent.
+    const detections = detectSecrets(SANCTUM)
+    const gateHit = detections.find((d) => d.confidence === 'high' && !d.suppressed)
+    expect(gateHit).toBeDefined()
+  })
+
+  it('redact() masks the token in place, preserving surrounding prose', () => {
+    const out = redact(`new token: ${SANCTUM}\nuse it for the deploy API`)
+    expect(out).not.toContain(SANCTUM)
+    expect(out).not.toContain(BODY40)
+    expect(out).toContain('[REDACTED:laravel_sanctum_token]')
+    // Surrounding prose is untouched.
+    expect(out).toContain('new token:')
+    expect(out).toContain('use it for the deploy API')
+  })
+
+  it('covers longer-than-40 token bodies', () => {
+    const longTok = `42|${'Xy7Zk2Qp9w'.repeat(6)}` // 60 base62 chars
+    const hits = detectSecrets(longTok)
+    expect(hits.find((d) => d.rule_id === 'laravel_sanctum_token')?.matched_text).toBe(longTok)
+  })
+
+  it('catches a token mid-sentence and masks only the token', () => {
+    const out = redact(`use ${SANCTUM} when deploying, ok?`)
+    expect(out).not.toContain(SANCTUM)
+    expect(out).toContain('use ')
+    expect(out).toContain(' when deploying, ok?')
+  })
+
+  it('catches multiple tokens in one message (redact right-to-left loop)', () => {
+    const second = `88|${'mK2pR7vT4x'.repeat(4)}` // distinct <id>|<40 base62>
+    const detected = detectSecrets(`old ${SANCTUM} new ${second}`)
+      .filter((d) => d.rule_id === 'laravel_sanctum_token')
+    expect(detected).toHaveLength(2)
+    const out = redact(`old ${SANCTUM} new ${second}`)
+    expect(out).not.toContain(SANCTUM)
+    expect(out).not.toContain(second)
+    expect(out).not.toContain(BODY40)
+  })
+
+  describe('false-positive guards', () => {
+    it('does NOT match a pipe-joined value under the 40-char floor', () => {
+      const short = `1|${'abcDEF123'}` // 9 chars after the pipe
+      expect(detectSecrets(short).some((d) => d.rule_id === 'laravel_sanctum_token')).toBe(false)
+    })
+
+    it('does NOT match exactly 39 base62 chars (one under the floor)', () => {
+      const justUnder = `17|${BODY40.slice(0, 39)}`
+      expect(
+        detectSecrets(justUnder).some((d) => d.rule_id === 'laravel_sanctum_token'),
+      ).toBe(false)
+    })
+
+    it('does NOT match a number with no pipe-delimited token', () => {
+      expect(
+        detectSecrets('order 17 shipped 40 items').some(
+          (d) => d.rule_id === 'laravel_sanctum_token',
+        ),
+      ).toBe(false)
+    })
+
+    it('does NOT match a spaced markdown table cell', () => {
+      // Table cells are `| value |` with spaces around the pipe; the Sanctum
+      // shape has the token immediately adjacent to the pipe.
+      const table = `| 17 | ${BODY40} |`
+      expect(
+        detectSecrets(table).some((d) => d.rule_id === 'laravel_sanctum_token'),
+      ).toBe(false)
+    })
+  })
+
+  it('suppresses a token sitting next to an example/fixture marker', () => {
+    // A documented example must not trigger a destructive delete+vault.
+    const hits = detectSecrets(`example token: ${SANCTUM}`)
+    const hit = hits.find((d) => d.rule_id === 'laravel_sanctum_token')
+    expect(hit).toBeDefined()
+    expect(hit!.suppressed).toBe(true)
+  })
+})

package/telegram-plugin/tests/worker-activity-feed.test.ts

@@ -187,6 +187,21 @@ describe('renderWorkerActivity', () => {
     expect(done).not.toMatch(/(^|\n)\s*-{3,}\s*(\n|$)/)
   })
 
+  it('renders a multi-line narrative entry as one clean step (no raw ## leak)', () => {
+    // Screenshot regression: a running-card step whose narrative entry is
+    // itself multi-line ("Done.\n\n## Summary\n…"). The heading marker must
+    // not leak and the step must collapse to a single visual line.
+    const out = renderWorkerActivity(
+      view({
+        narrativeLines: ['Done.\n\n## Summary\n\nFixed the bug where a bad password logged you out'],
+        latestSummary: '',
+      }),
+    )
+    expect(out).not.toContain('## Summary')
+    expect(out).not.toContain('\n\n')
+    expect(out).toContain('Done. Summary Fixed the bug where a bad password logged you out')
+  })
+
   it('escapes HTML inside narrative lines', () => {
     const out = renderWorkerActivity(view({ narrativeLines: ['a <b>x</b> & y'] }))
     expect(out).toContain('a &lt;b&gt;x&lt;/b&gt; &amp; y')