switchroom 0.14.27 → 0.14.29

package/telegram-plugin/tests/permission-title.test.ts

@@ -12,6 +12,7 @@ import {
   naturalAction,
   describeGrant,
   formatPermissionCardBody,
+  formatPermissionResumeMessage,
 } from '../permission-title.js'
 import type { ScopeOption } from '../permission-rule.js'
 
@@ -193,3 +194,70 @@ describe('describeGrant — phrased from the chosen scope', () => {
     )
   })
 })
+
+describe('formatPermissionResumeMessage — agent-voiced verdict ack', () => {
+  test('allow names the work it is resuming', () => {
+    expect(
+      formatPermissionResumeMessage({
+        agentName: 'gymbro',
+        behavior: 'allow',
+        action: 'edit: supplement-log.md',
+      }),
+    ).toBe('▶️ <b>Gymbro</b> — got it, continuing: <i>edit: supplement-log.md</i>')
+  })
+
+  test('deny names what it will skip, lower-cased inline', () => {
+    expect(
+      formatPermissionResumeMessage({
+        agentName: 'ziggy',
+        behavior: 'deny',
+        action: 'Search the web',
+      }),
+    ).toBe("🚫 <b>Ziggy</b> — noted, I won't search the web. Continuing without it.")
+  })
+
+  test('TTL auto-deny variant reads as a timeout, not a tap', () => {
+    expect(
+      formatPermissionResumeMessage({
+        agentName: 'finn',
+        behavior: 'deny',
+        action: 'run: deploy.sh',
+        timeoutMinutes: 5,
+      }),
+    ).toBe('🚫 <b>Finn</b> — no answer in 5m, continuing without it (<i>run: deploy.sh</i>).')
+  })
+
+  test('HTML-escapes a hostile action phrase (no raw </>& injection)', () => {
+    const out = formatPermissionResumeMessage({
+      agentName: 'clerk',
+      behavior: 'allow',
+      action: 'run: echo <b>&"pwned"</b>',
+    })
+    expect(out).toContain('&lt;b&gt;&amp;')
+    expect(out).not.toContain('<b>&"pwned"')
+  })
+
+  test('cap-first on the agent name', () => {
+    const out = formatPermissionResumeMessage({
+      agentName: 'lawgpt',
+      behavior: 'allow',
+      action: 'read: contract.pdf',
+    })
+    expect(out).toContain('<b>Lawgpt</b>')
+  })
+
+  test('empty action falls back to a generic continue (no dangling phrase)', () => {
+    expect(
+      formatPermissionResumeMessage({ agentName: 'carrie', behavior: 'allow', action: '' }),
+    ).toBe('▶️ <b>Carrie</b> — got it, back to work.')
+    expect(
+      formatPermissionResumeMessage({ agentName: 'carrie', behavior: 'deny', action: '   ' }),
+    ).toBe('🚫 <b>Carrie</b> — noted, continuing without it.')
+  })
+
+  test('null agent name degrades to a neutral "Agent" label', () => {
+    expect(
+      formatPermissionResumeMessage({ agentName: null, behavior: 'allow', action: 'edit: x.md' }),
+    ).toBe('▶️ <b>Agent</b> — got it, continuing: <i>edit: x.md</i>')
+  })
+})

package/telegram-plugin/tests/permission-verdict-resume-guard.test.ts

@@ -22,6 +22,12 @@
  * This guard fails loudly if any `dispatchPermissionVerdict(...)`
  * callsite is not paired with a `resumeReactionAfterVerdict()` within a
  * few lines — i.e. a new (or refactored) verdict path drops the resume.
+ *
+ * Same pin applies to `postPermissionResumeMessage(...)`: the distinct
+ * agent-voiced "got it, continuing: <work>" message is the legible signal
+ * the operator actually sees (the reaction lands on a far-up message; the
+ * card edit is a one-liner). It rides the exact same 5-paths-drift hazard,
+ * so every verdict path must post it too.
  */
 
 import { describe, it, expect } from 'vitest'
@@ -83,4 +89,33 @@ describe('permission verdict → resume reaction wiring', () => {
       true,
     )
   })
+
+  // postPermissionResumeMessage rides ~1–2 lines after resumeReactionAfterVerdict
+  // on every path, so it can sit a touch further from the dispatch than the
+  // resume call — give it a little more headroom.
+  const POST_WINDOW = 20
+
+  it('every dispatchPermissionVerdict() callsite posts the agent-voiced resume message via postPermissionResumeMessage()', () => {
+    const unpaired: number[] = []
+    for (const idx of dispatchCallsites) {
+      const window = LINES.slice(idx, idx + POST_WINDOW + 1).join('\n')
+      if (!/\bpostPermissionResumeMessage\s*\(/.test(window)) {
+        unpaired.push(idx + 1)
+      }
+    }
+    expect(
+      unpaired,
+      `dispatchPermissionVerdict() at gateway.ts line(s) ` +
+        `${unpaired.join(', ')} has no postPermissionResumeMessage() within ` +
+        `${POST_WINDOW} lines — that verdict path resumes the turn silently, ` +
+        `so the operator never gets the "got it, continuing: <work>" message. ` +
+        `Add the post call next to resumeReactionAfterVerdict() (see sibling paths).`,
+    ).toEqual([])
+  })
+
+  it('the resume-message helper still exists', () => {
+    expect(
+      /function\s+postPermissionResumeMessage\s*\(/.test(GATEWAY_SRC),
+    ).toBe(true)
+  })
 })

package/telegram-plugin/tests/secret-detect-sanctum.test.ts

@@ -0,0 +1,115 @@
+import { describe, it, expect } from 'vitest'
+import { detectSecrets } from '../secret-detect/index.js'
+import { redact } from '../secret-detect/redact.js'
+
+/**
+ * Regression for the 2026-06-01 incident: a live Laravel Sanctum / Coolify
+ * personal-access token (`<id>|<40-char base62>`, e.g. `17|aB3d…`) pasted by
+ * a USER into chat slipped every existing pattern and persisted in plaintext.
+ *
+ * Diagnosis: the inbound gate (gateway handleInbound) already runs
+ * `detectSecrets` at ingest, fail-closed, BEFORE recordInbound + IPC dispatch
+ * — so the leak was NOT an inbound bypass and NOT render-time masking. It was
+ * pure PATTERN COVERAGE: no rule matched the `<id>|<token>` shape. These tests
+ * pin the new `laravel_sanctum_token` rule and the redactor that backs both
+ * the history-store persistence (both directions) and the issues pipeline.
+ */
+
+// Build token fixtures by concatenation so the source file never contains a
+// contiguous secret-shaped literal (repo Push Protection / no-pii lint).
+const ID = '17'
+const BODY40 = 'aB3dE6fH9j'.repeat(4) // 40 base62 chars — Sanctum's Str::random(40)
+const SANCTUM = `${ID}|${BODY40}` // e.g. 17|aB3dE6fH9j…
+
+describe('laravel/coolify sanctum token detection', () => {
+  it('detects <id>|<40-char> as a high-confidence laravel_sanctum_token', () => {
+    const hits = detectSecrets(`here is the token: ${SANCTUM}`)
+    const hit = hits.find((d) => d.rule_id === 'laravel_sanctum_token')
+    expect(hit).toBeDefined()
+    expect(hit!.matched_text).toBe(SANCTUM)
+    expect(hit!.confidence).toBe('high')
+    expect(hit!.suppressed).toBe(false)
+  })
+
+  it('satisfies the exact inbound-gate predicate (high + not suppressed)', () => {
+    // This is verbatim the condition gateway handleInbound uses to decide to
+    // delete + defer-to-vault: if it is truthy, the pasted token is
+    // intercepted before recordInbound() and the IPC broadcast to the agent.
+    const detections = detectSecrets(SANCTUM)
+    const gateHit = detections.find((d) => d.confidence === 'high' && !d.suppressed)
+    expect(gateHit).toBeDefined()
+  })
+
+  it('redact() masks the token in place, preserving surrounding prose', () => {
+    const out = redact(`new token: ${SANCTUM}\nuse it for the deploy API`)
+    expect(out).not.toContain(SANCTUM)
+    expect(out).not.toContain(BODY40)
+    expect(out).toContain('[REDACTED:laravel_sanctum_token]')
+    // Surrounding prose is untouched.
+    expect(out).toContain('new token:')
+    expect(out).toContain('use it for the deploy API')
+  })
+
+  it('covers longer-than-40 token bodies', () => {
+    const longTok = `42|${'Xy7Zk2Qp9w'.repeat(6)}` // 60 base62 chars
+    const hits = detectSecrets(longTok)
+    expect(hits.find((d) => d.rule_id === 'laravel_sanctum_token')?.matched_text).toBe(longTok)
+  })
+
+  it('catches a token mid-sentence and masks only the token', () => {
+    const out = redact(`use ${SANCTUM} when deploying, ok?`)
+    expect(out).not.toContain(SANCTUM)
+    expect(out).toContain('use ')
+    expect(out).toContain(' when deploying, ok?')
+  })
+
+  it('catches multiple tokens in one message (redact right-to-left loop)', () => {
+    const second = `88|${'mK2pR7vT4x'.repeat(4)}` // distinct <id>|<40 base62>
+    const detected = detectSecrets(`old ${SANCTUM} new ${second}`)
+      .filter((d) => d.rule_id === 'laravel_sanctum_token')
+    expect(detected).toHaveLength(2)
+    const out = redact(`old ${SANCTUM} new ${second}`)
+    expect(out).not.toContain(SANCTUM)
+    expect(out).not.toContain(second)
+    expect(out).not.toContain(BODY40)
+  })
+
+  describe('false-positive guards', () => {
+    it('does NOT match a pipe-joined value under the 40-char floor', () => {
+      const short = `1|${'abcDEF123'}` // 9 chars after the pipe
+      expect(detectSecrets(short).some((d) => d.rule_id === 'laravel_sanctum_token')).toBe(false)
+    })
+
+    it('does NOT match exactly 39 base62 chars (one under the floor)', () => {
+      const justUnder = `17|${BODY40.slice(0, 39)}`
+      expect(
+        detectSecrets(justUnder).some((d) => d.rule_id === 'laravel_sanctum_token'),
+      ).toBe(false)
+    })
+
+    it('does NOT match a number with no pipe-delimited token', () => {
+      expect(
+        detectSecrets('order 17 shipped 40 items').some(
+          (d) => d.rule_id === 'laravel_sanctum_token',
+        ),
+      ).toBe(false)
+    })
+
+    it('does NOT match a spaced markdown table cell', () => {
+      // Table cells are `| value |` with spaces around the pipe; the Sanctum
+      // shape has the token immediately adjacent to the pipe.
+      const table = `| 17 | ${BODY40} |`
+      expect(
+        detectSecrets(table).some((d) => d.rule_id === 'laravel_sanctum_token'),
+      ).toBe(false)
+    })
+  })
+
+  it('suppresses a token sitting next to an example/fixture marker', () => {
+    // A documented example must not trigger a destructive delete+vault.
+    const hits = detectSecrets(`example token: ${SANCTUM}`)
+    const hit = hits.find((d) => d.rule_id === 'laravel_sanctum_token')
+    expect(hit).toBeDefined()
+    expect(hit!.suppressed).toBe(true)
+  })
+})

package/telegram-plugin/tests/session-tail.test.ts

@@ -492,6 +492,49 @@ describe('projectSubagentLine', () => {
     expect(events).toEqual([{ kind: 'sub_agent_turn_end', agentId: 'X' }])
   })
 
+  it('emits sub_agent_turn_end after the text when the final assistant message stop_reason is end_turn', () => {
+    // Background `Agent` workers (claude ≥2.1.156) never write the
+    // system/turn_duration line, only a final assistant message with
+    // stop_reason 'end_turn'. That IS the authoritative completion signal —
+    // without treating it as terminal the card hung "running" until the
+    // ~5-min stall-synthesis net fired (the screenshot bug).
+    const st = { hasEmittedStart: true }
+    const events = projectSubagentLine(
+      JSON.stringify({
+        type: 'assistant',
+        message: {
+          stop_reason: 'end_turn',
+          content: [{ type: 'text', text: 'Done. Fixed the bug.' }],
+        },
+      }),
+      'X',
+      st,
+    )
+    // Text first (so the final summary still renders), turn_end last.
+    expect(events).toEqual([
+      { kind: 'sub_agent_text', agentId: 'X', text: 'Done. Fixed the bug.' },
+      { kind: 'sub_agent_turn_end', agentId: 'X' },
+    ])
+  })
+
+  it('does NOT emit sub_agent_turn_end for a tool-using assistant message (stop_reason tool_use)', () => {
+    // A mid-run assistant message that calls a tool has stop_reason 'tool_use'
+    // and keeps going — it must not be mistaken for completion.
+    const st = { hasEmittedStart: true }
+    const events = projectSubagentLine(
+      JSON.stringify({
+        type: 'assistant',
+        message: {
+          stop_reason: 'tool_use',
+          content: [{ type: 'tool_use', id: 'toolu_a', name: 'Read', input: { file_path: '/a' } }],
+        },
+      }),
+      'X',
+      st,
+    )
+    expect(events.some((e) => e.kind === 'sub_agent_turn_end')).toBe(false)
+  })
+
   it('skips malformed lines silently', () => {
     const st = { hasEmittedStart: false }
     expect(projectSubagentLine('{not-json', 'X', st)).toEqual([])

package/telegram-plugin/tests/worker-activity-feed.test.ts

@@ -187,6 +187,21 @@ describe('renderWorkerActivity', () => {
     expect(done).not.toMatch(/(^|\n)\s*-{3,}\s*(\n|$)/)
   })
 
+  it('renders a multi-line narrative entry as one clean step (no raw ## leak)', () => {
+    // Screenshot regression: a running-card step whose narrative entry is
+    // itself multi-line ("Done.\n\n## Summary\n…"). The heading marker must
+    // not leak and the step must collapse to a single visual line.
+    const out = renderWorkerActivity(
+      view({
+        narrativeLines: ['Done.\n\n## Summary\n\nFixed the bug where a bad password logged you out'],
+        latestSummary: '',
+      }),
+    )
+    expect(out).not.toContain('## Summary')
+    expect(out).not.toContain('\n\n')
+    expect(out).toContain('Done. Summary Fixed the bug where a bad password logged you out')
+  })
+
   it('escapes HTML inside narrative lines', () => {
     const out = renderWorkerActivity(view({ narrativeLines: ['a <b>x</b> & y'] }))
     expect(out).toContain('a &lt;b&gt;x&lt;/b&gt; &amp; y')

package/telegram-plugin/uat/scenarios/jtbd-request-secret-dm.test.ts

@@ -0,0 +1,101 @@
+/**
+ * End-to-end UAT for the agent-initiated `request_secret` flow (#2045).
+ *
+ * The upstream fix behind the 2026-06-01 incident: an agent must never ask
+ * the user to paste a secret into chat. Instead it calls `request_secret`,
+ * the operator taps [Provide securely] and sends the value once, and the
+ * gateway deletes the message + writes it straight to the vault — the raw
+ * value never lands in history/logs and is never returned to the agent.
+ *
+ * This round-trips through real Telegram + real broker + real agent and
+ * asserts the FINAL state: (a) the secure card renders with the right
+ * button, (b) after the operator provides the value the bot confirms a
+ * vault save, (c) the value actually landed in the vault (host-side read),
+ * and (d) the raw value never reappears in a bot message.
+ *
+ * **Skipped by default.** To unskip:
+ *
+ * 1. Standard UAT preflight (`uat/SETUP.md` §5-6) — test-harness agent live
+ *    (running build WITH request_secret, #2045), driver session auth'd,
+ *    env vars set.
+ * 2. `SWITCHROOM_VAULT_PASSPHRASE` in env (read-back asserts the value
+ *    landed; under telegram-id approval mode the save itself is
+ *    posture-attested and needs no passphrase).
+ * 3. Remove `describe.skip`.
+ *
+ * Cleanup is operator-side: `switchroom vault rm uat/req-secret-target`.
+ */
+
+import { execFileSync } from "node:child_process";
+import { describe, expect, it } from "vitest";
+import { spinUp } from "../harness.js";
+
+const TARGET_KEY = "uat/req-secret-target";
+// Built at runtime so the source never holds a contiguous secret literal.
+const PROVIDED_VALUE = "sentinel-2045-" + "Ab3xK9pQ".repeat(2);
+
+function hostVaultGet(key: string): string {
+  try {
+    return execFileSync("switchroom", ["vault", "get", key], {
+      encoding: "utf-8",
+      env: { ...process.env },
+    }).trim();
+  } catch {
+    return "";
+  }
+}
+
+describe.skip("uat: request_secret end-to-end (#2045)", () => {
+  it(
+    "agent calls request_secret → operator provides → value vaulted, never echoed",
+    async () => {
+      const sc = await spinUp({ agent: "test-harness" });
+      try {
+        // 1. Prompt the agent to call request_secret for a key it lacks.
+        //    (We don't fire the card from the driver — the point is to
+        //    cover the agent → gateway → capture → vault path.)
+        await sc.sendDM(
+          `I need an API token but it is NOT in your vault. Use your ` +
+          `request_secret MCP tool with key="${TARGET_KEY}", ` +
+          `reason="UAT for #2045" to ask me for it securely. Do NOT ask me ` +
+          `to paste it as a normal message.`,
+        );
+
+        // 2. The secure card (request_secret renders "needs a secret").
+        const card = await sc.expectMessage(/needs a secret/i, {
+          from: "bot",
+          timeout: 60_000,
+        });
+
+        // 3. It must carry a [Provide securely] button.
+        const kb = await sc.driver.getKeyboard(sc.botUserId, card.messageId);
+        expect(kb).not.toBeNull();
+        const provide = kb!
+          .flat()
+          .find((b) => b.callbackData !== undefined && /provide/i.test(b.text));
+        expect(provide, "card should have a [Provide securely] button").toBeDefined();
+
+        // 4. Tap Provide → the card arms capture + prompts for the value.
+        await sc.driver.pressButton(sc.botUserId, card.messageId, provide!.callbackData!);
+        await sc.expectMessage(/Send the value for/i, { from: "bot", timeout: 15_000 });
+
+        // 5. Send the value. The gateway deletes it + writes to the vault.
+        await sc.sendDM(PROVIDED_VALUE);
+        const confirm = await sc.expectMessage(/saved as/i, {
+          from: "bot",
+          timeout: 30_000,
+        });
+
+        // 6. The confirmation references the key, NOT the raw value.
+        expect(confirm.text).toContain(`vault:${TARGET_KEY}`);
+        expect(confirm.text).not.toContain(PROVIDED_VALUE);
+
+        // 7. Load-bearing: the value actually landed in the vault.
+        expect(hostVaultGet(TARGET_KEY)).toBe(PROVIDED_VALUE);
+      } finally {
+        await sc.tearDown();
+      }
+    },
+    300_000,
+  );
+});

package/telegram-plugin/worker-activity-feed.ts

@@ -147,7 +147,10 @@ export function renderWorkerActivity(v: WorkerActivityView): string {
   const finished = v.state === 'done' || v.state === 'failed'
 
   const steps = (v.narrativeLines ?? [])
-    .map((s) => stripMarkdown(s))
+    // A narrative entry can itself be multi-line (e.g. a worker's final
+    // "Done.\n\n## Summary\n…"). Collapse to one visual line so a step
+    // slot stays single-line after the per-line markdown strip.
+    .map((s) => stripMarkdown(s).replace(/\s+/g, ' ').trim())
     .filter((s) => s.length > 0)
     .map((s) => escapeHtml(truncate(s, STEP_MAX)))
 
@@ -172,7 +175,7 @@ export function renderWorkerActivity(v: WorkerActivityView): string {
   } else {
     // Back-compat for direct render callers that pass only latestSummary;
     // the manager always supplies narrativeLines.
-    const summary = stripMarkdown(v.latestSummary)
+    const summary = stripMarkdown(v.latestSummary).replace(/\s+/g, ' ').trim()
     if (summary.length > 0) {
       lines.push(`<b>→ ${escapeHtml(truncate(summary, STEP_MAX))}</b>`)
     } else {