switchroom 0.14.27 → 0.14.29

package/telegram-plugin/history.ts

@@ -27,6 +27,7 @@
 
 import { chmodSync, mkdirSync } from 'fs'
 import { join } from 'path'
+import { redact } from './secret-detect/redact.js'
 
 /**
  * `bun:sqlite` is a Bun built-in — Vite/Node loaders can't resolve it
@@ -300,6 +301,10 @@ export function recordInbound(args: RecordInboundArgs): void {
       (chat_id, thread_id, message_id, role, user, user_id, ts, text, attachment_kind, group_id, reply_to_message_id, reply_to_text)
     VALUES (?, ?, ?, 'user', ?, ?, ?, ?, ?, NULL, ?, ?)
   `)
+  // Defense-in-depth: never persist a detected secret to the message store.
+  // The inbound gate (server.ts handleInbound) already deletes + vaults a
+  // high-confidence hit before reaching here, so for caught secrets this is
+  // a no-op; it's the backstop for any shape the gate's pattern set misses.
   stmt.run(
     args.chat_id,
     args.thread_id ?? null,
@@ -307,10 +312,10 @@ export function recordInbound(args: RecordInboundArgs): void {
     args.user ?? null,
     args.user_id ?? null,
     args.ts,
-    args.text,
+    redact(args.text),
     args.attachment_kind ?? null,
     args.reply_to_message_id ?? null,
-    args.reply_to_text ?? null,
+    args.reply_to_text != null ? redact(args.reply_to_text) : (args.reply_to_text ?? null),
   )
 }
 
@@ -356,9 +361,14 @@ export function recordOutbound(args: RecordOutboundArgs): void {
       )
     }
   }) as (...args: unknown[]) => unknown)
+  // Outbound redaction: the agent→user direction has no other secret
+  // scrub, so this is the chokepoint that keeps an agent-echoed secret out
+  // of the message store (e.g. an agent quoting a token it read from a file
+  // or a not-yet-vaulted value). Masks the secret bytes in place; the
+  // surrounding reply text is preserved.
   const rows: Array<[number, string, string | null]> = args.message_ids.map((id, i) => [
     id,
-    args.texts[i] ?? '',
+    redact(args.texts[i] ?? ''),
     args.attachment_kinds?.[i] ?? null,
   ])
   tx(rows)
@@ -387,7 +397,9 @@ export function recordEdit(args: RecordEditArgs): void {
          SET text = ?
        WHERE chat_id = ? AND message_id = ?
     `)
-    .run(args.text, args.chat_id, args.message_id)
+    // Same outbound chokepoint as recordOutbound — an edit must not
+    // reintroduce a raw secret into the stored row.
+    .run(redact(args.text), args.chat_id, args.message_id)
 }
 
 export interface RecordReactionArgs {

package/telegram-plugin/permission-title.ts

@@ -248,6 +248,54 @@ export function describeGrant(
   }
 }
 
+/**
+ * Agent-voiced "I got your verdict and I'm continuing" message, posted as
+ * a *distinct* Telegram message the instant the operator answers a
+ * permission card (allow / deny / always / slash / free-text). The card
+ * edit + status reaction are easy to miss — a reaction lands on the turn's
+ * triggering message far up the chat, and the card footnote is a one-liner
+ * the operator scrolls past — so this is the legible signal that the tap
+ * landed and names the work being (re)started.
+ *
+ * Mirrors `formatPermissionCardBody`'s style ("🔐 <b>Gymbro</b> wants to
+ * edit: log.md" → "▶️ <b>Gymbro</b> — got it, continuing: edit: log.md").
+ * `action` is a phrase from {@link naturalAction} (already operator-facing,
+ * no tool ids). Output is HTML-escaped for `parse_mode: 'HTML'`.
+ *
+ * `timeoutMinutes` marks the TTL auto-deny variant (no operator tapped —
+ * the request aged out) so the wording reflects "no answer" rather than a
+ * deliberate denial.
+ */
+export function formatPermissionResumeMessage(opts: {
+  agentName: string | null;
+  behavior: "allow" | "deny";
+  action: string;
+  timeoutMinutes?: number;
+}): string {
+  const who =
+    opts.agentName && opts.agentName.length > 0
+      ? `<b>${escapeTgHtml(capFirst(opts.agentName))}</b>`
+      : `<b>Agent</b>`;
+  const act = (opts.action ?? "").trim();
+  const hasAction = act.length > 0;
+
+  if (opts.behavior === "allow") {
+    return hasAction
+      ? `▶️ ${who} — got it, continuing: <i>${escapeTgHtml(act)}</i>`
+      : `▶️ ${who} — got it, back to work.`;
+  }
+
+  // deny
+  if (opts.timeoutMinutes != null) {
+    return hasAction
+      ? `🚫 ${who} — no answer in ${opts.timeoutMinutes}m, continuing without it (<i>${escapeTgHtml(act)}</i>).`
+      : `🚫 ${who} — no answer in ${opts.timeoutMinutes}m, continuing without it.`;
+  }
+  return hasAction
+    ? `🚫 ${who} — noted, I won't ${escapeTgHtml(lowerFirst(act))}. Continuing without it.`
+    : `🚫 ${who} — noted, continuing without it.`;
+}
+
 function resolveSkillName(input: Record<string, unknown>): string | null {
   return (
     readString(input, "skill") ??

package/telegram-plugin/registry/subagents-schema.ts

@@ -360,6 +360,41 @@ export function getSubagentByJsonlId(db: SqliteDatabase, jsonlAgentId: string):
   return row ? mapSubagentRow(row) : null
 }
 
+/**
+ * Count background subagents that have not yet reached a terminal state.
+ *
+ * This is the dispatch-time source of truth for "is a background worker still
+ * running" — the row is INSERTed with `status='running'` by `recordSubagentStart`
+ * the moment the parent's `Agent` tool_use fires (keyed on the `toolu_…` id),
+ * which is BEFORE the parent's turn ends. The deferred-done-reaction gate reads
+ * this so it holds the 👍 the instant a worker is dispatched, rather than
+ * snapshotting the file-discovery registry (which lags dispatch by a poll/fswatch
+ * tick and so missed just-dispatched workers — the premature-👍 race).
+ *
+ * Counts `running` ONLY — `stalled` is deliberately excluded. `stalled` is NOT
+ * a terminal status: the reaper (`reapStuckRunningRows`) transitions a row to
+ * `stalled`, never to `completed`/`failed`. A genuinely-orphaned background row
+ * — one INSERTed at dispatch whose JSONL was never linked, so no activity ever
+ * bumped it and the in-memory silent-stall synthesis never terminalised it —
+ * sits in `stalled` indefinitely (the 1h reaper TTL is the only thing that
+ * moves it off `running`). Counting `stalled` would wedge the deferred 👍 above
+ * zero forever for that row (`reaction-defer.ts` `promote()` bails while the
+ * count is > 0). A live-but-quiet worker, by contrast, is driven to `completed`
+ * by the watcher's terminal paths (end_turn signal OR silent-stall synthesis,
+ * both call `recordSubagentEnd`) long before the 1h reaper, and a stalled row
+ * that genuinely resumes is flipped back to `running` by `recordSubagentResume`
+ * — so excluding `stalled` never releases the 👍 on a worker that's merely
+ * paused rather than dead.
+ */
+export function countRunningBackgroundSubagents(db: SqliteDatabase): number {
+  const row = db
+    .prepare(
+      "SELECT count(*) AS n FROM subagents WHERE background = 1 AND status = 'running'",
+    )
+    .get() as { n: number } | undefined
+  return row?.n ?? 0
+}
+
 /**
  * Record that a subagent has reached a terminal state (completed or failed).
  * Sets `ended_at`, `status`, and optionally `result_summary`.

package/telegram-plugin/registry/subagents.test.ts

@@ -28,6 +28,7 @@ import {
   bumpSubagentActivity,
   getSubagent,
   reapStuckRunningRows,
+  countRunningBackgroundSubagents,
 } from './subagents-schema.js'
 
 // ---------------------------------------------------------------------------
@@ -182,6 +183,83 @@ describe('recordSubagentStart + recordSubagentEnd happy path', () => {
   })
 })
 
+// ---------------------------------------------------------------------------
+// countRunningBackgroundSubagents — the dispatch-time gate for the
+// deferred-done 👍 reaction. A row counts as "still running" the instant
+// recordSubagentStart inserts it (status='running'), closing the
+// file-discovery registration race that promoted the 👍 prematurely.
+// ---------------------------------------------------------------------------
+
+describe('countRunningBackgroundSubagents', () => {
+  it('counts a background worker the moment it starts (before any terminal)', () => {
+    const db = openFreshSubagentsDbInMemory()
+    expect(countRunningBackgroundSubagents(db)).toBe(0)
+    recordSubagentStart(db, { id: 'bg-1', background: true, startedAt: 1000 })
+    expect(countRunningBackgroundSubagents(db)).toBe(1)
+    db.close()
+  })
+
+  it('does NOT count a stalled worker — stalled is the reaper sink, never terminalised', () => {
+    // A `stalled` row is NOT terminal and is NOT actively running. The only
+    // way a background row reaches `stalled` is the 1h reaper firing on a row
+    // that never linked a JSONL (no activity bumps, no silent-stall synthesis
+    // to drive it to `completed`) — i.e. an orphaned/dead dispatch. Counting it
+    // would wedge the deferred 👍 above zero forever (promote() bails while the
+    // count is > 0). A live-but-quiet worker terminalises to `completed` long
+    // before the reaper, so `stalled` always means "dead" here.
+    const db = openFreshSubagentsDbInMemory()
+    recordSubagentStart(db, { id: 'bg-2', background: true, startedAt: 1000 })
+    recordSubagentStall(db, { id: 'bg-2', stalledAt: 1500 })
+    expect(countRunningBackgroundSubagents(db)).toBe(0)
+    db.close()
+  })
+
+  it('a row reaped to stalled does not keep the gate above zero (permanent-👍-hold regression guard)', () => {
+    // Regression guard for the orphaned-dispatch wedge: dispatch inserts a
+    // `running` row, the JSONL never links, and the reaper transitions it to
+    // `stalled`. The deferred-👍 gate must read zero so promote() can fire —
+    // counting the reaped row would hold the 👍 forever.
+    const db = openFreshSubagentsDbInMemory()
+    recordSubagentStart(db, { id: 'bg-orphan', background: true, startedAt: 1000 })
+    expect(countRunningBackgroundSubagents(db)).toBe(1)
+    const result = reapStuckRunningRows(db, { ttlMs: 500, now: 5000 })
+    expect(result.reaped).toBe(1)
+    expect(getSubagent(db, 'bg-orphan')!.status).toBe('stalled')
+    expect(countRunningBackgroundSubagents(db)).toBe(0)
+    db.close()
+  })
+
+  it('re-counts a stalled worker that resumes — recordSubagentResume flips it back to running', () => {
+    // A worker that's merely paused (not dead) and resumes JSONL activity is
+    // flipped stalled → running by recordSubagentResume, so the gate holds the
+    // 👍 again. Excluding `stalled` from the count never releases the 👍 on a
+    // worker that's only paused.
+    const db = openFreshSubagentsDbInMemory()
+    recordSubagentStart(db, { id: 'bg-resume', background: true, startedAt: 1000 })
+    recordSubagentStall(db, { id: 'bg-resume', stalledAt: 1500 })
+    expect(countRunningBackgroundSubagents(db)).toBe(0)
+    recordSubagentResume(db, { id: 'bg-resume', resumedAt: 2000 })
+    expect(countRunningBackgroundSubagents(db)).toBe(1)
+    db.close()
+  })
+
+  it('drops to zero once the worker reaches a terminal status', () => {
+    const db = openFreshSubagentsDbInMemory()
+    recordSubagentStart(db, { id: 'bg-3', background: true, startedAt: 1000 })
+    expect(countRunningBackgroundSubagents(db)).toBe(1)
+    recordSubagentEnd(db, { id: 'bg-3', endedAt: 2000, status: 'completed' })
+    expect(countRunningBackgroundSubagents(db)).toBe(0)
+    db.close()
+  })
+
+  it('ignores foreground subagents — only background workers gate the reaction', () => {
+    const db = openFreshSubagentsDbInMemory()
+    recordSubagentStart(db, { id: 'fg-1', background: false, startedAt: 1000 })
+    expect(countRunningBackgroundSubagents(db)).toBe(0)
+    db.close()
+  })
+})
+
 // ---------------------------------------------------------------------------
 // Test 4 — start → stall → end
 // ---------------------------------------------------------------------------

package/telegram-plugin/secret-detect/patterns.ts

@@ -54,6 +54,14 @@ export const ANCHORED_PATTERNS: PatternDef[] = [
   // Telegram bot tokens: with "bot" prefix or bare ID:token.
   { rule_id: 'telegram_bot_token_prefixed', regex: /\bbot(\d{6,}:[A-Za-z0-9_-]{20,})\b/g, captureIndex: 1, slugHint: 'telegram_bot_token' },
   { rule_id: 'telegram_bot_token', regex: /\b(\d{6,}:[A-Za-z0-9_-]{20,})\b/g, captureIndex: 1, slugHint: 'telegram_bot_token' },
+  // Laravel Sanctum / Coolify personal-access tokens. Shape: `<id>|<token>`
+  // where <id> is the integer PK and <token> is `Str::random(40)` — 40 base62
+  // chars. The `|` separator is what distinguishes this from a Telegram
+  // `id:token` (colon) or a JWT. Length floor 40 (the Sanctum default) keeps
+  // this off short pipe-joined chat like `1|foo` or markdown table cells.
+  // Incident 2026-06-01: a live `17|<40-char>` Coolify token pasted by a user
+  // slipped every existing pattern and persisted in plaintext.
+  { rule_id: 'laravel_sanctum_token', regex: /\b(\d+\|[A-Za-z0-9]{40,})\b/g, captureIndex: 1, slugHint: 'api_token' },
   { rule_id: 'aws_access_key', regex: /\b(AKIA[0-9A-Z]{16})\b/g, captureIndex: 1, slugHint: 'aws_access_key' },
   { rule_id: 'jwt', regex: /\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b/g, captureIndex: 1, slugHint: 'jwt' },
 ]

package/telegram-plugin/secret-detect/redact.ts

@@ -0,0 +1,76 @@
+/**
+ * `redact(text)` — sanitize text by replacing detected secrets and
+ * credential-bearing URL parts with `[REDACTED]` markers, in place.
+ *
+ * This is the shared mask-in-place chokepoint. Unlike the inbound
+ * vault-staging flow (which DELETES the Telegram message and offers to
+ * save the secret), `redact()` leaves the surrounding prose intact and
+ * only masks the secret byte-ranges — the right behavior when we must
+ * keep a record but never store/log/forward the raw value:
+ *
+ *   - INBOUND + OUTBOUND history persistence — `history.ts`
+ *     `recordInbound` / `recordOutbound` redact before the row hits
+ *     SQLite, so no detected secret survives in the message store in
+ *     either direction (defense-in-depth behind the inbound gate, and
+ *     the only redaction on the agent→user direction).
+ *   - `switchroom issues record` — `src/issues/store.ts:capDetail`.
+ *   - `switchroom secret-detect redact --stdin` — bash-callable shim.
+ *   - hostd — `src/host-control/server.ts`.
+ *
+ * Detection is delegated to `detectSecrets()` (same patterns, same
+ * suppressor, same engine as the inbound Telegram gate) so a pattern
+ * added once — e.g. the Laravel/Coolify Sanctum `<id>|<token>` shape —
+ * covers detection, inbound interception, and this redactor uniformly.
+ *
+ * Idempotence: for token-shape detections the marker doesn't re-match.
+ * For *structural* detectors (`cli_flag`, `json_secret_field`) a second
+ * pass may rewrite the tag, but the bytes stay redacted. Rely on "no
+ * detected secret bytes survive any number of passes", not on strict
+ * `redact(redact(x)) === redact(x)`.
+ */
+import { detectSecrets, type Detection } from './index.js'
+import { redactUrls } from './url-redact.js'
+
+export const REDACTED_MARKER = '[REDACTED]'
+
+/**
+ * Synchronous, fast redactor. Vendored pattern engine only (no async
+ * secretlint) so it is safe on hot paths (every stored message).
+ *
+ * Order matters:
+ *   1. URL credentials (`https://u:p@host` → `https://***@host`,
+ *      sensitive query params → `?key=***`).
+ *   2. Token-shape detection over the URL-normalized text; matched byte
+ *      ranges are replaced right-to-left so earlier offsets stay valid.
+ */
+export function redact(text: string): string {
+  if (!text || text.length === 0) return text
+
+  // Step 1 — URL credentials and known-sensitive query params.
+  const urlScrubbed = redactUrls(text)
+
+  // Step 2 — token shape detection over the URL-scrubbed text.
+  const hits: Detection[] = detectSecrets(urlScrubbed)
+  if (hits.length === 0) return urlScrubbed
+
+  // Apply replacements right-to-left so byte offsets stay valid.
+  const sorted = [...hits].sort((a, b) => b.start - a.start)
+  let out = urlScrubbed
+  for (const h of sorted) {
+    out = out.slice(0, h.start) + redactedMarker(h.rule_id) + out.slice(h.end)
+  }
+  return out
+}
+
+/**
+ * `[REDACTED:<rule_id>]` when the rule_id is informative,
+ * `[REDACTED]` otherwise. The rule_id is detector-emitted, so it never
+ * contains attacker-controlled bytes — safe to embed verbatim.
+ */
+function redactedMarker(ruleId: string): string {
+  const trimmed = ruleId.replace(/^(kv|env)_/, '')
+  if (!trimmed || trimmed === 'key_value' || trimmed === 'kv_entropy') {
+    return REDACTED_MARKER
+  }
+  return `[REDACTED:${trimmed}]`
+}

package/telegram-plugin/session-tail.ts

@@ -390,6 +390,21 @@ export function projectSubagentLine(
         events.push({ kind: 'sub_agent_text', agentId, text })
       }
     }
+    // Authoritative early terminal: a background `Agent` worker's JSONL on
+    // claude ≥2.1.156 never writes the `system/turn_duration` line below, so
+    // the watcher used to only learn the worker finished via the ~5-min
+    // silent-stall synthesis net — leaving the card stuck "running" and the
+    // deferred 👍 held for minutes after the work was actually done. The
+    // worker DOES write a final assistant message with
+    // `stop_reason: 'end_turn'` (a tool-using turn is `'tool_use'` and keeps
+    // going), so treat that as the terminal signal. Emitted AFTER the content
+    // events so the final text/preamble still renders; the watcher's turn_end
+    // handler is guarded on `state === 'running'`, so a later real
+    // turn_duration line is a no-op.
+    const stopReason = message?.stop_reason as string | undefined
+    if (stopReason === 'end_turn') {
+      events.push({ kind: 'sub_agent_turn_end', agentId })
+    }
     return events
   }
 

package/telegram-plugin/subagent-watcher.ts

@@ -43,7 +43,7 @@ import { homedir } from 'os'
 import { projectSubagentLine, sanitizeCwdToProjectName, detectErrorInTranscriptLine } from './session-tail.js'
 import { sanitiseToolArg } from './fleet-state.js'
 import { escapeHtml, truncate } from './card-format.js'
-import { bumpSubagentActivity, recordSubagentStall, recordSubagentResume, recordSubagentEnd, reapStuckRunningRows } from './registry/subagents-schema.js'
+import { bumpSubagentActivity, recordSubagentStall, recordSubagentResume, recordSubagentEnd, reapStuckRunningRows, countRunningBackgroundSubagents } from './registry/subagents-schema.js'
 import { touchTurnActiveMarker } from './gateway/turn-active-marker.js'
 
 // ─── Types ───────────────────────────────────────────────────────────────────
@@ -377,6 +377,13 @@ export interface SubagentWatcherHandle {
   stop(): void
   /** Snapshot of current registry for tests/inspection. */
   getRegistry(): ReadonlyMap<string, WorkerEntry>
+  /**
+   * Count background workers still in flight, read from the dispatch-time DB
+   * (not the file-discovery registry). Returns null when no DB is wired so the
+   * caller can fall back to the registry snapshot. Drives the deferred-done
+   * reaction gate — see `countRunningBackgroundSubagents`.
+   */
+  countRunningBackgroundWorkers(): number | null
 }
 
 // ─── Constants ───────────────────────────────────────────────────────────────
@@ -1498,5 +1505,16 @@ export function startSubagentWatcher(config: SubagentWatcherConfig): SubagentWat
     getRegistry(): ReadonlyMap<string, WorkerEntry> {
       return registry
     },
+
+    countRunningBackgroundWorkers(): number | null {
+      if (db == null) return null
+      try {
+        return countRunningBackgroundSubagents(db)
+      } catch {
+        // A torn/locked DB read must not wedge the reaction gate — fall back
+        // to the registry snapshot by returning null.
+        return null
+      }
+    },
   }
 }

package/telegram-plugin/tests/card-format.test.ts

@@ -27,6 +27,22 @@ describe('stripMarkdown', () => {
     expect(stripMarkdown('2) second')).toBe('second')
   })
 
+  it('strips leading block markup on EVERY line, not just the string start', () => {
+    // The screenshot regression: a worker summary that opens with prose
+    // ("Done.") then a `## Summary` heading mid-string. Without the `gm`
+    // flags the heading marker leaked into the rendered card.
+    const headed = stripMarkdown('Done.\n\n## Summary\n\nFixed the bug')
+    expect(headed).not.toContain('##')
+    expect(headed).toContain('Done.')
+    expect(headed).toContain('Summary')
+    expect(headed).toContain('Fixed the bug')
+
+    const mixed = stripMarkdown('intro\n> quoted\n- item')
+    expect(mixed).not.toMatch(/(^|\n)\s*[>\-*]/)
+    expect(mixed).toContain('quoted')
+    expect(mixed).toContain('item')
+  })
+
   it('reduces a link to its label', () => {
     expect(stripMarkdown('see [the PR](https://x/y) here')).toBe('see the PR here')
   })

package/telegram-plugin/tests/gateway-outbound-redact.test.ts

@@ -0,0 +1,80 @@
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+
+/**
+ * Structural test for the outbound secret-scrub (#2044).
+ *
+ * Outbound (agent→user) text previously had NO redaction — an agent that
+ * echoed a secret it read from a file/env/not-yet-vaulted value would send
+ * the raw bytes to Telegram, log a preview to stderr, and store them in
+ * history. This pins that `redactOutboundText()` runs at the ENTRY of each
+ * agent-free-text tool (reply / stream_reply / edit_message), before the
+ * stderr preview, the dedup key, the send, and the history record.
+ *
+ * Why structural: executeReply/executeStreamReply/executeEditMessage are
+ * not exported (same constraint as gateway-secret-detect.test.ts). The
+ * masking itself — that `redact()` covers the Sanctum shape and every
+ * provider token — is exercised behaviorally in secret-detect-sanctum.test.ts
+ * and the redact() unit tests; what's left to pin here is the wiring + slot.
+ */
+describe('gateway outbound secret-scrub — structural wiring', () => {
+  const src = readFileSync(
+    new URL('../gateway/gateway.ts', import.meta.url),
+    'utf8',
+  )
+
+  it('imports the shared redactor', () => {
+    expect(src).toMatch(/import \{ redact \} from '\.\.\/secret-detect\/redact\.js'/)
+  })
+
+  it('defines the redactOutboundText helper backed by redact()', () => {
+    const idx = src.indexOf('function redactOutboundText(')
+    expect(idx).toBeGreaterThan(0)
+    const body = src.slice(idx, idx + 400)
+    expect(body).toMatch(/redact\(text\)/)
+  })
+
+  it('reply: scrubs at entry, before the stderr preview log', () => {
+    const start = src.indexOf('async function executeReply(')
+    const redactIdx = src.indexOf(`redactOutboundText(text, 'reply')`, start)
+    const previewIdx = src.indexOf('reply: invoked chatId=', start)
+    expect(start).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(start)
+    expect(previewIdx).toBeGreaterThan(redactIdx) // mask BEFORE the preview is logged
+  })
+
+  it('stream_reply: scrubs at entry, before the voice scrub + dedup', () => {
+    const start = src.indexOf('async function executeStreamReply(')
+    const redactIdx = src.indexOf(`redactOutboundText(args.text as string, 'stream_reply')`, start)
+    const scrubIdx = src.indexOf(`site: 'stream_reply'`, start)
+    expect(start).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(start)
+    expect(scrubIdx).toBeGreaterThan(redactIdx)
+  })
+
+  it('edit_message: scrubs at entry, before the voice scrub + send', () => {
+    const start = src.indexOf('async function executeEditMessage(')
+    const redactIdx = src.indexOf(`redactOutboundText(editRawText, 'edit_message')`, start)
+    const scrubIdx = src.indexOf(`site: 'edit_message'`, start)
+    expect(start).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(start)
+    expect(scrubIdx).toBeGreaterThan(redactIdx)
+  })
+
+  it('turn-flush backstop: scrubs the model terminal prose before send', () => {
+    // Turn-flush delivers the model's answer when it skipped reply/stream_reply
+    // — arbitrary agent free-text that hits the wire + stderr preview.
+    const redactIdx = src.indexOf(`redactOutboundText(capturedText, 'turn_flush')`)
+    const scrubSiteIdx = src.indexOf(`site: 'turn_flush'`)
+    expect(redactIdx).toBeGreaterThan(0)
+    expect(scrubSiteIdx).toBeGreaterThan(redactIdx) // mask BEFORE the voice scrub + send
+  })
+
+  it('does not log the secret value when a mask fires', () => {
+    const idx = src.indexOf('function redactOutboundText(')
+    const body = src.slice(idx, idx + 400)
+    // The log line names the site, never the text/masked value.
+    expect(body).toMatch(/outbound secret masked site=\$\{site\}/)
+    expect(body).not.toMatch(/\$\{text\}|\$\{masked\}/)
+  })
+})

package/telegram-plugin/tests/gateway-request-secret.test.ts

@@ -0,0 +1,78 @@
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+
+/**
+ * Structural test for the `request_secret` tool (#2045) — the secure
+ * "agent asks the operator to PROVIDE a missing secret" flow. The operator
+ * taps [Provide securely], sends the value once, and the gateway deletes it
+ * + writes it straight to the vault; the raw value is never recorded,
+ * logged, or returned to the agent.
+ *
+ * Structural because the gateway handlers (handleInbound, executeToolCall,
+ * the callback router) aren't exported — same constraint as
+ * gateway-secret-detect.test.ts. The vault-write reuse + card UX are
+ * exercised end-to-end by the mtcute UAT (jtbd-request-secret-dm).
+ */
+describe('request_secret — gateway wiring', () => {
+  const gw = readFileSync(new URL('../gateway/gateway.ts', import.meta.url), 'utf8')
+  const bridge = readFileSync(new URL('../bridge/bridge.ts', import.meta.url), 'utf8')
+
+  it('declares the MCP tool with required {chat_id,key} and NO value arg', () => {
+    const idx = bridge.indexOf(`name: 'request_secret'`)
+    expect(idx).toBeGreaterThan(0)
+    const schema = bridge.slice(idx, idx + 3000)
+    expect(schema).toMatch(/required: \['chat_id', 'key'\]/)
+    // The whole point: the agent does NOT supply the value.
+    expect(schema).not.toMatch(/\bvalue:\s*\{/)
+    // Tells the agent never to ask for a chat paste.
+    expect(schema).toMatch(/NEVER ask the user to paste/i)
+  })
+
+  it('is allow-listed and dispatched', () => {
+    expect(gw).toMatch(/'request_secret',\n\]\)/)
+    expect(gw).toMatch(/case 'request_secret':\s*\n\s*return executeRequestSecret\(args\)/)
+  })
+
+  it('routes the vsp: callback', () => {
+    expect(gw).toMatch(/data\.startsWith\('vsp:'\)/)
+    expect(gw).toMatch(/handleSecretRequestCallback\(ctx, data\)/)
+  })
+
+  it('captures the provided value BEFORE recordInbound and the broadcast', () => {
+    const start = gw.indexOf('async function handleInbound(')
+    const captureIdx = gw.indexOf('captureProvidedSecret(ctx, chat_id', start)
+    const recordIdx = gw.indexOf('recordInbound(', captureIdx)
+    const broadcastIdx = gw.indexOf('ipcServer.broadcast(inboundMsg)', captureIdx)
+    expect(captureIdx).toBeGreaterThan(start)
+    expect(recordIdx).toBeGreaterThan(captureIdx)
+    expect(broadcastIdx).toBeGreaterThan(captureIdx)
+  })
+
+  it('the capture deletes the raw message and writes to the vault, then returns', () => {
+    const idx = gw.indexOf('async function captureProvidedSecret(')
+    expect(idx).toBeGreaterThan(0)
+    const body = gw.slice(idx, idx + 3600)
+    // delete the raw message before anything else
+    expect(body).toMatch(/deleteSensitiveMessage\(chat_id, msgId/)
+    // write via the posture/passphrase helper
+    expect(body).toMatch(/writeRequestedSecret\(armed\.key, value, chat_id\)/)
+  })
+
+  it('the agent-resume inbound carries the key but NOT the value', () => {
+    const idx = gw.indexOf('async function captureProvidedSecret(')
+    const body = gw.slice(idx, idx + 3600)
+    const syntheticIdx = body.indexOf("source: 'secret_provided'")
+    expect(syntheticIdx).toBeGreaterThan(0)
+    // The synthetic text references vault:<key>, never the raw `value`.
+    expect(body).toMatch(/vault:\$\{armed\.key\}/)
+    const textIdx = body.lastIndexOf('text:', syntheticIdx)
+    const metaIdx = body.indexOf('meta:', syntheticIdx)
+    expect(body.slice(textIdx, metaIdx)).not.toMatch(/\$\{value\}/)
+  })
+
+  it('dedupes to one open request per (chat,key)', () => {
+    const idx = gw.indexOf('async function executeRequestSecret(')
+    const body = gw.slice(idx, idx + 1800)
+    expect(body).toMatch(/p\.chat_id === chat_id && p\.key === key/)
+  })
+})

package/telegram-plugin/tests/history.test.ts

@@ -362,3 +362,62 @@ describe('getRecentOutboundCount (backstop dedup helper)', () => {
     expect(getRecentOutboundCount('-200', 2)).toBe(1)
   })
 })
+
+describe('secret redaction at persistence (both directions)', () => {
+  beforeEach(() => initHistory(stateDir, 30))
+
+  // Built by concatenation so the source never holds a contiguous
+  // secret-shaped literal (repo Push Protection / no-pii lint).
+  const SANCTUM = `19|${'qP4mN7rT2v'.repeat(4)}` // <id>|<40 base62> (Sanctum/Coolify)
+  const GH_PAT = `ghp_${'A1b2C3d4E5'.repeat(3)}` // ghp_<30 base62>
+
+  it('masks a user-pasted secret before it is stored (inbound)', () => {
+    recordInbound({
+      chat_id: '-100',
+      thread_id: null,
+      message_id: 1,
+      user: 'alice',
+      user_id: '111',
+      ts: 1000,
+      text: `the new coolify token is ${SANCTUM}, save it`,
+    })
+    const text = query({ chat_id: '-100' })[0]!.text as string
+    expect(text).not.toContain(SANCTUM)
+    expect(text).toContain('[REDACTED')
+    expect(text).toContain('the new coolify token is') // surrounding prose preserved
+  })
+
+  it('masks a secret echoed by the agent before it is stored (outbound)', () => {
+    recordOutbound({
+      chat_id: '-100',
+      thread_id: null,
+      message_ids: [2],
+      texts: [`sure — your key is ${GH_PAT}, keep it safe`],
+      ts: 2000,
+    })
+    const text = query({ chat_id: '-100' })[0]!.text as string
+    expect(text).not.toContain(GH_PAT)
+    expect(text).toContain('[REDACTED')
+  })
+
+  it('masks a secret introduced by an edit', () => {
+    recordOutbound({ chat_id: '-100', thread_id: null, message_ids: [3], texts: ['placeholder'], ts: 3000 })
+    recordEdit({ chat_id: '-100', message_id: 3, text: `token: ${SANCTUM}` })
+    const text = query({ chat_id: '-100' })[0]!.text as string
+    expect(text).not.toContain(SANCTUM)
+    expect(text).toContain('[REDACTED')
+  })
+
+  it('leaves ordinary prose untouched', () => {
+    recordInbound({
+      chat_id: '-100',
+      thread_id: null,
+      message_id: 4,
+      user: 'a',
+      user_id: '1',
+      ts: 4000,
+      text: 'hello, how are you?',
+    })
+    expect(query({ chat_id: '-100' })[0]!.text).toBe('hello, how are you?')
+  })
+})