switchroom 0.14.29 → 0.14.31

package/telegram-plugin/tests/secret-detect-generic-entropy.test.ts

@@ -0,0 +1,94 @@
+import { describe, it, expect } from 'vitest'
+import { detectSecrets } from '../secret-detect/index.js'
+import { scanGenericSecrets, GENERIC_MIN_DISTINCT } from '../secret-detect/generic-entropy.js'
+import { redact } from '../secret-detect/redact.js'
+
+/**
+ * Generic bare-high-entropy fallback (#1) — the long-tail detector for
+ * standalone tokens that no prefix/KV rule matches (the Sanctum class).
+ * Emitted at `ambiguous` confidence: the inbound gate ASKS ("stash to
+ * vault or ignore?") rather than auto-deleting, so recall can be generous.
+ *
+ * Fixtures built by concatenation (no contiguous secret-shaped literals).
+ */
+
+// 32 varied base62 chars → high entropy (~5 bits/char).
+const HIGH_ENTROPY = 'q7Wm2Zx9' + 'Lk4Rp1Vn' + '8Bs3Yt6H' + 'd5Gj0Fc7'
+// 32 chars but only 3 distinct → low entropy (< 4), must NOT flag.
+const LOW_ENTROPY = 'abc'.repeat(11) // 33 chars, entropy ~1.6
+
+describe('generic high-entropy detector', () => {
+  it('flags a standalone high-entropy token as ambiguous', () => {
+    const hits = detectSecrets(`the value is ${HIGH_ENTROPY} ok`)
+    const hit = hits.find((d) => d.rule_id === 'generic_high_entropy')
+    expect(hit).toBeDefined()
+    expect(hit!.matched_text).toBe(HIGH_ENTROPY)
+    expect(hit!.confidence).toBe('ambiguous') // asks, never auto-deletes
+  })
+
+  it('redact() does NOT mask a generic-flagged token (the #2059 outbound-corruption regression)', () => {
+    // HIGH_ENTROPY flags as generic_high_entropy (ambiguous). redact() — the
+    // chokepoint for the outbound reply mask + history + issues — must leave
+    // it intact; masking it would corrupt agent replies. This is the exact
+    // BLOCK that shipped to review; pin it.
+    const text = `use ${HIGH_ENTROPY} for the deploy`
+    expect(redact(text)).toBe(text)
+  })
+
+  it('respects the distinct-char floor (repetitive long strings do not flag)', () => {
+    expect(scanGenericSecrets(LOW_ENTROPY).length).toBe(0) // 3 distinct < 18
+    expect(GENERIC_MIN_DISTINCT).toBe(18)
+  })
+
+  it('caps hits on pathological input (bounds the O(n²) overlap-dedup)', () => {
+    // 100 distinct high-entropy tokens; the scanner must not return all 100.
+    const blob = Array.from({ length: 100 }, (_, i) =>
+      ('q7Wm2Zx9Lk4Rp1Vn8Bs3Yt6H' + 'd5Gj0Fc7') + String(i).padStart(3, '0'),
+    ).join(' ')
+    expect(scanGenericSecrets(blob).length).toBeLessThanOrEqual(20)
+  })
+
+  it('respects the length floor (short tokens do not flag)', () => {
+    const short = 'q7Wm2Zx9Lk4Rp1Vn' // 16 chars
+    expect(scanGenericSecrets(short).length).toBe(0)
+  })
+
+  it('does NOT downgrade a recognized high-confidence token', () => {
+    // A ghp_ token is matched by the anchored pattern (high). The generic
+    // pass must not swallow/downgrade it to ambiguous.
+    const ghp = 'ghp_' + 'A1b2C3d4E5'.repeat(3) // ghp_ + 30
+    const hits = detectSecrets(`token ${ghp} here`)
+    const ghpHit = hits.find((d) => d.matched_text === ghp || d.rule_id === 'github_pat_classic')
+    expect(ghpHit).toBeDefined()
+    expect(ghpHit!.confidence).toBe('high')
+  })
+
+  describe('false-positive guards — benign high-entropy shapes do NOT flag', () => {
+    const BENIGN: Array<[string, string]> = [
+      ['a UUID', '550e8400-e29b-41d4-a716-446655440000'],
+      ['a git SHA (40 hex)', 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0'],
+      ['a sha256 (64 hex)', 'e3b0c44298fc1c149afbf4c8996fb924' + '27ae41e4649b934ca495991b7852b855'],
+      ['an md5 (32 hex)', 'd41d8cd98f00b204' + 'e9800998ecf8427e'],
+      ['a long digit run', '123456789012345678901234567890'],
+      ['plain prose', 'the quick brown fox jumps over the lazy dog repeatedly today'],
+      ['a file path', '/usr/local/lib/python3.11/site-packages/somepackage/internal/module.py'],
+      // Dense technical identifiers — the FP shapes the reviewer flagged.
+      // CamelCase-no-digit → killed by the digit requirement; separator
+      // styles (snake/kebab/npm/slug) → broken into sub-28 runs by the
+      // charset (no `_ - / .`).
+      ['a CamelCase class name', 'AbstractSingletonProxyFactoryBeanGenerator'],
+      ['a snake_case symbol', 'get_user_profile_by_organization_identifier'],
+      ['a kebab-case slug', 'how-to-configure-kubernetes-ingress-with-cert-manager'],
+      ['an npm package path', '@babel/plugin-transform-modules-commonjs'],
+      ['a CSS class string (has a digit)', 'flex-row-justify-between-items-center-gap-4'],
+      ['a long CamelCase phrase', 'TheQuickBrownFoxJumpsOverTheLazyDogToday'],
+      ['a 32-char base62 with NO digit', 'AbcdefGhijkLmnopQrstuVwxyzABCDEFG'],
+    ]
+    for (const [label, text] of BENIGN) {
+      it(`${label} does not flag generic_high_entropy`, () => {
+        const hits = detectSecrets(text).filter((d) => d.rule_id === 'generic_high_entropy')
+        expect(hits, `unexpected: ${JSON.stringify(hits.map((h) => h.matched_text))}`).toHaveLength(0)
+      })
+    }
+  })
+})

package/telegram-plugin/tests/secret-detect-providers.test.ts

@@ -0,0 +1,74 @@
+import { describe, it, expect } from 'vitest'
+import { detectSecrets } from '../secret-detect/index.js'
+import { PROVIDER_PATTERNS } from '../secret-detect/patterns.js'
+
+/**
+ * High-precision provider ruleset (#2 — "use a comprehensive, GitHub-style
+ * curated set instead of 22 hand-rolled patterns"). Each fixture token is
+ * built by concatenation so the source never holds a contiguous secret-shaped
+ * literal (repo Push Protection / no-pii lint).
+ */
+
+// [rule_id, sample token] — token built to match the rule's regex exactly.
+const HEX10 = 'a1b2c3d4e5'
+const ALNUM10 = 'A1b2C3d4E5'
+const CASES: Array<[string, string]> = [
+  ['slack_webhook', 'https://hooks.slack.com/services/' + 'T00000000/B00000000/' + 'XXXXXXXXXXXXXXXXXXXXXXXX'],
+  ['stripe_live_secret', 'sk_' + 'live_' + ALNUM10.repeat(2) + 'ABcd'],          // 24 alnum
+  ['stripe_restricted', 'rk_' + 'live_' + ALNUM10.repeat(2) + 'ABcd'],
+  ['sendgrid_api_key', 'SG' + '.' + (ALNUM10 + ALNUM10 + 'AB') + '.' + 'a'.repeat(43)], // 22 . 43
+  ['gitlab_pat', 'glpat-' + ALNUM10.repeat(2)],                                  // 20
+  ['huggingface_token', 'hf_' + 'a'.repeat(34)],
+  ['twilio_api_key', 'SK' + HEX10.repeat(3) + 'ab'],                             // 32 hex
+  ['mailgun_key', 'key-' + HEX10.repeat(3) + 'ab'],
+  ['digitalocean_pat', 'dop_v1_' + HEX10.repeat(6) + 'abcd'],                    // 64 hex
+  ['linear_api_key', 'lin_api_' + ALNUM10.repeat(4)],                           // 40
+  ['shopify_access_token', 'shpat_' + HEX10.repeat(3) + 'ab'],
+  ['square_access_token', 'sq0atp-' + ALNUM10.repeat(2) + 'AB'],                 // 22
+  ['newrelic_key', 'NRAK-' + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0'],                     // 27 A-Z0-9
+  ['notion_token', 'ntn_' + ALNUM10.repeat(4) + 'A1b2C3'],                       // 46
+  ['atlassian_token', 'ATATT' + ALNUM10.repeat(2)],
+  ['supabase_service_key', 'sbp_' + HEX10.repeat(4)],                            // 40 hex
+  ['databricks_token', 'dapi' + HEX10.repeat(3) + 'ab'],
+  ['aws_temp_access_key', 'ASIA' + 'ABCDEFGHIJKLMNOP'],                          // 16 A-Z0-9
+  ['gcp_oauth_token', 'ya29' + '.' + 'a'.repeat(40)],
+]
+
+describe('high-precision provider patterns', () => {
+  for (const [ruleId, tok] of CASES) {
+    it(`detects ${ruleId} as a high-confidence hit`, () => {
+      const hits = detectSecrets(`here's the credential: ${tok} — use it`)
+      const hit = hits.find((d) => d.rule_id === ruleId)
+      expect(hit, `expected a ${ruleId} hit for ${tok.slice(0, 8)}…`).toBeDefined()
+      expect(hit!.matched_text).toBe(tok)
+      expect(hit!.confidence).toBe('high')
+      expect(hit!.suppressed).toBe(false)
+    })
+  }
+
+  it('exposes the provider rules through ALL_PATTERNS (so detectSecrets uses them)', () => {
+    expect(PROVIDER_PATTERNS.length).toBeGreaterThanOrEqual(25)
+  })
+
+  describe('false-positive guards — ordinary strings must NOT match any provider rule', () => {
+    const providerIds = new Set(PROVIDER_PATTERNS.map((p) => p.rule_id))
+    const BENIGN: Array<[string, string]> = [
+      ['a UUID', '550e8400-e29b-41d4-a716-446655440000'],
+      ['a git SHA', 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0'],
+      // MD5 split so the SOURCE never holds a contiguous `<32hex>-usN`
+      // (which is the Mailchimp shape — GitHub Push Protection flags it).
+      ['a bare md5 hash', 'checksum ' + ('d41d8cd98f00b204' + 'e9800998ecf8427e') + ' ok'],
+      ['an md5 + -usN (mailchimp look-alike, must NOT auto-delete)', 'ETag ' + ('d41d8cd98f00b204' + 'e9800998ecf8427e') + '-us' + '1 cached'],
+      ['plain prose', 'the quick brown fox jumps over the lazy dog 12 times'],
+      ['a base64 data blob', 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAA'],
+      ['a hex color + number', 'background #ff00aa width 1024px margin 32'],
+      ['a long file path', '/usr/local/lib/python3.11/site-packages/somepkg/module.py'],
+    ]
+    for (const [label, text] of BENIGN) {
+      it(`${label} triggers no provider rule`, () => {
+        const providerHits = detectSecrets(text).filter((d) => providerIds.has(d.rule_id))
+        expect(providerHits, `unexpected provider hits: ${JSON.stringify(providerHits.map((h) => h.rule_id))}`).toHaveLength(0)
+      })
+    }
+  })
+})

package/telegram-plugin/tests/secret-detect-secretlint.test.ts

@@ -80,14 +80,18 @@ describe('detectSecretsAsync merge', () => {
     expect(slackHits[0]!.rule_id).toBe('slack_token')
   })
 
-  it('adds Secretlint-only hits for providers the vendored list misses', async () => {
-    // Shopify is covered by Secretlint preset-recommend but not by our
-    // vendored ANCHORED_PATTERNS.
+  it('detects a Shopify token via the async (Secretlint-augmented) path', async () => {
+    // Shopify is now ALSO a vendored PROVIDER_PATTERN (shopify_shared_secret),
+    // so on this span the merge prefers the vendored high hit over the
+    // Secretlint one — both are valid Shopify classifications. Secretlint
+    // remains the fallback for the long tail of providers we don't vendor;
+    // this asserts the async path still detects + classifies the token.
     const text = 'SHOPIFY=shpss_1234567890abcdef1234567890abcdef and go'
     const hits = await detectSecretsAsync(text)
     const shopify = hits.find((h) => h.matched_text.startsWith('shpss_'))
     expect(shopify).toBeDefined()
-    expect(shopify!.rule_id).toMatch(/secretlint_shopify/)
+    expect(shopify!.rule_id).toMatch(/shopify/)
+    expect(shopify!.confidence).toBe('high')
   })
 
   it('produces unique slugs across the merged detection list', async () => {

package/telegram-plugin/tests/sentinel-reply-guard-pretool.test.ts

@@ -0,0 +1,109 @@
+/**
+ * Tests for telegram-plugin/hooks/sentinel-reply-guard-pretool.mjs (#2053).
+ *
+ * Defense-in-depth guard on the reply path: a reply / stream_reply call
+ * whose entire payload is only the silent sentinel (NO_REPLY /
+ * HEARTBEAT_OK) must be DROPPED before it reaches the Telegram chat,
+ * regardless of any nag-loop behaviour upstream.
+ *
+ * Two layers of coverage:
+ *   - the pure `isSentinelOnly` predicate (exact-trim match, never a
+ *     substring of genuine prose);
+ *   - the hook end-to-end as a child process, asserting the PreToolUse
+ *     block/allow protocol (decision JSON on stdout).
+ */
+
+import { describe, it, expect } from 'vitest'
+import { spawnSync } from 'node:child_process'
+import { resolve } from 'node:path'
+
+import { isSentinelOnly } from '../hooks/sentinel-reply-guard-pretool.mjs'
+
+const HOOK_PATH = resolve(__dirname, '..', 'hooks', 'sentinel-reply-guard-pretool.mjs')
+
+function runHook(event: unknown): { stdout: string; decision?: { decision?: string; reason?: string } } {
+  const res = spawnSync('node', [HOOK_PATH], {
+    input: JSON.stringify(event),
+    encoding: 'utf8',
+  })
+  const stdout = res.stdout.trim()
+  let decision: { decision?: string; reason?: string } | undefined
+  if (stdout) {
+    try {
+      decision = JSON.parse(stdout)
+    } catch {
+      decision = undefined
+    }
+  }
+  return { stdout, decision }
+}
+
+const REPLY = 'mcp__switchroom-telegram__reply'
+const STREAM_REPLY = 'mcp__switchroom-telegram__stream_reply'
+
+describe('isSentinelOnly — exact-trim, never substring (#2053)', () => {
+  it('bare NO_REPLY / HEARTBEAT_OK → true', () => {
+    expect(isSentinelOnly('NO_REPLY')).toBe(true)
+    expect(isSentinelOnly('HEARTBEAT_OK')).toBe(true)
+    expect(isSentinelOnly('  NO_REPLY  ')).toBe(true)
+    expect(isSentinelOnly('NO_REPLY.')).toBe(true)
+  })
+  it('repeats of the sentinel → true', () => {
+    expect(isSentinelOnly('NO_REPLY\nNO_REPLY')).toBe(true)
+    expect(isSentinelOnly('NO_REPLY\nHEARTBEAT_OK\nNO_REPLY')).toBe(true)
+  })
+  it('(d) genuine prose containing "NO_REPLY" as a substring → false', () => {
+    expect(isSentinelOnly('Reply with exactly NO_REPLY if there is nothing to add.')).toBe(false)
+    expect(isSentinelOnly('The hook expects NO_REPLY on idle turns — here is your answer.')).toBe(false)
+  })
+  it('prose then a trailing NO_REPLY line → false (has non-marker content)', () => {
+    // The guard is the LAST line of defense and only drops PURE sentinel
+    // payloads. A prose+trailing-NO_REPLY blob is handled upstream by the
+    // flush gate / Stop-hook scan; if it somehow reaches the reply tool it
+    // still carries real prose the user might need, so the guard lets it
+    // through rather than silently eating content.
+    expect(isSentinelOnly('Here is the summary.\nNO_REPLY')).toBe(false)
+  })
+  it('non-strings / empty → false', () => {
+    expect(isSentinelOnly(undefined as unknown as string)).toBe(false)
+    expect(isSentinelOnly('')).toBe(false)
+    expect(isSentinelOnly('   ')).toBe(false)
+  })
+})
+
+describe('sentinel-reply-guard hook — end-to-end (#2053)', () => {
+  it('(c) DROPS a sentinel-only reply payload', () => {
+    const { decision } = runHook({ tool_name: REPLY, tool_input: { text: 'NO_REPLY' } })
+    expect(decision?.decision).toBe('block')
+    expect(decision?.reason).toMatch(/sentinel|NO_REPLY/i)
+  })
+
+  it('DROPS a sentinel-only stream_reply payload (repeated markers)', () => {
+    const { decision } = runHook({ tool_name: STREAM_REPLY, tool_input: { text: 'NO_REPLY\nNO_REPLY' } })
+    expect(decision?.decision).toBe('block')
+  })
+
+  it('(d) ALLOWS a real reply that mentions NO_REPLY inside prose', () => {
+    const { stdout } = runHook({
+      tool_name: REPLY,
+      tool_input: { text: 'If nothing is pending, reply with exactly NO_REPLY — otherwise summarise.' },
+    })
+    expect(stdout).toBe('')
+  })
+
+  it('ALLOWS an ordinary reply', () => {
+    const { stdout } = runHook({ tool_name: REPLY, tool_input: { text: 'Done — the build is green.' } })
+    expect(stdout).toBe('')
+  })
+
+  it('ignores non-reply tools entirely', () => {
+    const { stdout } = runHook({ tool_name: 'Bash', tool_input: { command: 'NO_REPLY' } })
+    expect(stdout).toBe('')
+  })
+
+  it('fails open on malformed / empty stdin', () => {
+    const res = spawnSync('node', [HOOK_PATH], { input: '', encoding: 'utf8' })
+    expect(res.status).toBe(0)
+    expect(res.stdout.trim()).toBe('')
+  })
+})

package/telegram-plugin/tests/silent-end-interrupt-stop-scan.test.ts

@@ -22,6 +22,7 @@ import { describe, it, expect } from 'vitest'
 import {
   scanTurnForFinalReply,
   isFinalAnswerReply,
+  endsWithSilentMarker,
 } from '../hooks/silent-end-scan.mjs'
 
 // ── Fixture builders ────────────────────────────────────────────────
@@ -32,6 +33,13 @@ const ENQUEUE = JSON.stringify({
   content: '<channel source="switchroom-telegram" chat_id="111" message_id="42">hi</channel>',
 })
 
+// Cron-fired turn: the enqueue envelope carries `source="cron"` (#2053).
+const ENQUEUE_CRON = JSON.stringify({
+  type: 'queue-operation',
+  operation: 'enqueue',
+  content: '<channel source="cron" chat_id="111" message_thread_id="7">Time for the digest</channel>',
+})
+
 function assistantToolUse(name: string, input: Record<string, unknown>, opts: { isSidechain?: boolean } = {}) {
   const base = {
     type: 'assistant',
@@ -312,3 +320,113 @@ describe('scanTurnForFinalReply — malformed input tolerance', () => {
     expect(scanTurnForFinalReply(text).decided).toBe('block')
   })
 })
+
+// ── #2053 — endsWithSilentMarker helper ─────────────────────────────
+
+describe('endsWithSilentMarker (#2053)', () => {
+  it('bare marker (whole string) → true', () => {
+    expect(endsWithSilentMarker('NO_REPLY')).toBe(true)
+    expect(endsWithSilentMarker('HEARTBEAT_OK')).toBe(true)
+  })
+  it('prose then trailing bare NO_REPLY → true', () => {
+    expect(endsWithSilentMarker('Nothing actionable in the digest today.\nNO_REPLY')).toBe(true)
+    expect(endsWithSilentMarker('Long\nmulti-line\nsummary.\nHEARTBEAT_OK')).toBe(true)
+  })
+  it('trailing marker with stray punctuation → true', () => {
+    expect(endsWithSilentMarker('done reviewing.\nNO_REPLY.')).toBe(true)
+  })
+  it('marker buried mid-output with real content after → false', () => {
+    expect(endsWithSilentMarker('NO_REPLY\nThe answer is 42.')).toBe(false)
+  })
+  // Documents the intentional divergence from the TS-side helper: this
+  // .mjs uses SILENT_MARKER_RE directly (unlimited trailing punctuation),
+  // whereas turn-flush-safety.ts delegates to the length-capped,
+  // single-punct isSilentFlushMarker. This side is deliberately the more
+  // permissive of the two — extra leniency only ever suppresses more.
+  it('trailing marker with multiple punctuation chars → true (more permissive than TS side)', () => {
+    expect(endsWithSilentMarker('all quiet.\nNO_REPLY...')).toBe(true)
+    expect(endsWithSilentMarker('NO_REPLY!!!')).toBe(true)
+    expect(endsWithSilentMarker('NO_REPLY?!')).toBe(true)
+  })
+  it('genuine prose mentioning NO_REPLY as a substring → false', () => {
+    expect(endsWithSilentMarker('reply with exactly NO_REPLY if there is nothing to add')).toBe(false)
+  })
+  it('non-strings / empty → false', () => {
+    expect(endsWithSilentMarker(undefined)).toBe(false)
+    expect(endsWithSilentMarker('')).toBe(false)
+    expect(endsWithSilentMarker('   \n  ')).toBe(false)
+  })
+})
+
+// ── #2053 — prose-then-trailing-NO_REPLY recognised as silent ───────
+
+describe('scanTurnForFinalReply — trailing NO_REPLY is a valid silent end (#2053)', () => {
+  it('(a) plain assistant TEXT ending with a trailing bare NO_REPLY → allow', () => {
+    // The exact #2053 leak shape: the model wrote prose then a bare
+    // NO_REPLY as plain transcript text (NOT through the reply tool).
+    // Pre-fix this matched nothing → block → nag → sentinel leak.
+    const text = jsonl(
+      ENQUEUE,
+      assistantText("Reviewed the overnight digest — nothing needs your attention.\nNO_REPLY"),
+    )
+    const r = scanTurnForFinalReply(text)
+    expect(r.decided).toBe('allow')
+    expect(r.reason).toBe('silent-marker-text')
+  })
+
+  it('reply-tool payload of prose+trailing NO_REPLY → allow (silent-marker)', () => {
+    const text = jsonl(
+      ENQUEUE,
+      assistantToolUse('mcp__switchroom-telegram__reply', {
+        text: 'Checked the build — all green.\nNO_REPLY',
+        disable_notification: true,
+      }),
+    )
+    const r = scanTurnForFinalReply(text)
+    expect(r.decided).toBe('allow')
+    expect(r.reason).toBe('silent-marker')
+  })
+
+  it('plain text NOT ending with a marker → still block', () => {
+    const text = jsonl(
+      ENQUEUE,
+      assistantText('Here is my real answer that I forgot to send via the reply tool.'),
+    )
+    expect(scanTurnForFinalReply(text).decided).toBe('block')
+  })
+})
+
+// ── #2053 — cron-source turns skip the nag ──────────────────────────
+
+describe('scanTurnForFinalReply — cron-source turns skip the nag (#2053)', () => {
+  it('(b) cron turn with no qualifying reply → allow (cron-source), not block', () => {
+    const text = jsonl(
+      ENQUEUE_CRON,
+      assistantText('Ran the scheduled check. Nothing to report.'),
+    )
+    const r = scanTurnForFinalReply(text)
+    expect(r.decided).toBe('allow')
+    expect(r.reason).toBe('cron-source')
+  })
+
+  it('cron turn that DID send a real reply → allow (final-reply), reply still wins', () => {
+    const text = jsonl(
+      ENQUEUE_CRON,
+      assistantToolUse('mcp__switchroom-telegram__reply', {
+        text: 'Daily digest: 3 PRs merged, 1 incident.',
+        disable_notification: false,
+      }),
+    )
+    const r = scanTurnForFinalReply(text)
+    expect(r.decided).toBe('allow')
+    expect(r.reason).toBe('final-reply')
+  })
+
+  it('non-cron (telegram) turn with no reply → still blocks (cron carve-out scoped)', () => {
+    const text = jsonl(
+      ENQUEUE,
+      assistantText('I forgot to send my answer.'),
+    )
+    expect(scanTurnForFinalReply(text).decided).toBe('block')
+  })
+})

package/telegram-plugin/tests/turn-flush-safety.test.ts

@@ -18,6 +18,7 @@ import {
   decideTurnFlush,
   isSilentFlushMarker,
   isCompositeSilentNoise,
+  endsWithSilentMarker,
   isTurnFlushSafetyEnabled,
 } from '../turn-flush-safety.js'
 
@@ -68,6 +69,46 @@ describe('decideTurnFlush — composite silent noise is skipped, not leaked', ()
   })
 })
 
+describe('endsWithSilentMarker — prose+trailing-sentinel recognition (#2053)', () => {
+  it('recognises prose followed by a trailing bare NO_REPLY line', () => {
+    expect(endsWithSilentMarker('Nothing actionable in the digest.\nNO_REPLY')).toBe(true)
+    expect(endsWithSilentMarker('Build is green.\nHEARTBEAT_OK')).toBe(true)
+  })
+  it('tolerates a single trailing punctuation on the marker', () => {
+    expect(endsWithSilentMarker('done.\nNO_REPLY.')).toBe(true)
+  })
+  it('does NOT match when real content follows the marker', () => {
+    expect(endsWithSilentMarker('NO_REPLY\nThe answer is 42.')).toBe(false)
+  })
+  it('does NOT match a marker mentioned inside genuine prose', () => {
+    expect(endsWithSilentMarker('reply with exactly NO_REPLY when nothing to add')).toBe(false)
+  })
+  it('handles non-strings / empty safely', () => {
+    expect(endsWithSilentMarker(undefined)).toBe(false)
+    expect(endsWithSilentMarker('')).toBe(false)
+    expect(endsWithSilentMarker('  \n  ')).toBe(false)
+  })
+})
+
+describe('decideTurnFlush — prose+trailing-sentinel is suppressed, not leaked (#2053)', () => {
+  it('skips a cron-style "prose\\nNO_REPLY" blob (the #2053 leak)', () => {
+    const d = decideTurnFlush({
+      chatId: '12345',
+      replyCalled: false,
+      capturedText: ['Reviewed the overnight digest — nothing needs your attention.', 'NO_REPLY'],
+    })
+    expect(d).toEqual({ kind: 'skip', reason: 'silent-marker' })
+  })
+  it('still flushes a real answer whose last line is NOT a sentinel', () => {
+    const d = decideTurnFlush({
+      chatId: '12345',
+      replyCalled: false,
+      capturedText: ['Here is the summary.', 'Three stories, all low priority.'],
+    })
+    expect(d.kind).toBe('flush')
+  })
+})
+
 describe('decideTurnFlush', () => {
   it('(a) does NOT flush when the reply tool was called', () => {
     const decision = decideTurnFlush({

package/telegram-plugin/turn-flush-safety.ts

@@ -92,6 +92,42 @@ export function isCompositeSilentNoise(text: string | undefined): boolean {
   return lines.every(l => isSilentFlushMarker(l) || isTrivialConfirmationLine(l))
 }
 
+/**
+ * Recognise output whose final non-empty line is a bare silent marker
+ * (NO_REPLY / HEARTBEAT_OK, with the same single-trailing-punctuation
+ * tolerance as `isSilentFlushMarker`), regardless of what precedes it.
+ *
+ * This closes #2053: a turn (commonly a cron turn) that emits prose
+ * followed by a bare `NO_REPLY` line — e.g.
+ *   "Nothing actionable in today's digest.\nNO_REPLY"
+ * — is the model explicitly signalling "intentionally silent". The
+ * single-line `isSilentFlushMarker` misses it (multi-line, over the
+ * length guard) and `isCompositeSilentNoise` misses it too (the prose
+ * line is neither a marker nor a trivial confirmation), so the blob
+ * would otherwise flush to chat WITH the sentinel text appended.
+ *
+ * The trailing-marker line itself is the explicit silence signal — when
+ * the model deliberately terminates with NO_REPLY it means "do not
+ * deliver this turn", so we suppress the whole blob rather than strip
+ * the sentinel and flush the prose. Stripping-and-flushing would defeat
+ * the model's intent (it chose silence) and re-introduce the exact
+ * surprise-message problem the flush safety net was built to avoid.
+ *
+ * Requires the LAST line to be the marker — a marker buried mid-output
+ * with real content after it (e.g. "NO_REPLY\nThe answer is 42.") is
+ * NOT suppressed, because the trailing content is the model's actual
+ * message.
+ */
+export function endsWithSilentMarker(text: string | undefined): boolean {
+  if (typeof text !== 'string') return false
+  const lines = text
+    .split('\n')
+    .map(l => l.trim())
+    .filter(l => l.length > 0)
+  if (lines.length === 0) return false
+  return isSilentFlushMarker(lines[lines.length - 1])
+}
+
 export type FlushDecision =
   | { kind: 'flush'; text: string }
   | { kind: 'skip'; reason: FlushSkipReason }
@@ -162,6 +198,11 @@ export function decideTurnFlush(input: FlushDecisionInput): FlushDecision {
   // misses it (multi-line, over the length guard); without this the blob
   // leaks to chat as a visible message.
   if (isCompositeSilentNoise(joined)) return { kind: 'skip', reason: 'silent-marker' }
+  // Prose followed by a trailing bare NO_REPLY / HEARTBEAT_OK line (#2053).
+  // The model wrote content but explicitly terminated with the silence
+  // sentinel — treat the whole turn as intentionally silent rather than
+  // flush the prose with the sentinel glued on.
+  if (endsWithSilentMarker(joined)) return { kind: 'skip', reason: 'silent-marker' }
   return { kind: 'flush', text: joined }
 }
 

package/telegram-plugin/uat/scenarios/cross-turn-pending-progress-dm.test.ts

@@ -81,7 +81,8 @@ interface TrailEntry {
   text: string;
 }
 
-const SUFFIX_RE = /\n\n— still working \(\d+m\)$/;
+const SUFFIX_RE =
+  /\n\n— still working \(\d+m\)( · message me anytime, I'll keep you posted)?$/;
 
 function pad(s: string, n: number): string {
   return s.length >= n ? s : s + " ".repeat(n - s.length);

package/telegram-plugin/uat/scenarios/jtbd-pending-progress-html-dm.test.ts

@@ -40,7 +40,8 @@ const PROMPT =
   `the bash, send that one HTML reply, end your turn. When it finishes ` +
   `much later, reply with the single word "done".`;
 
-const SUFFIX_RE = /\n\n— still working \(\d+m\)$/;
+const SUFFIX_RE =
+  /\n\n— still working \(\d+m\)( · message me anytime, I'll keep you posted)?$/;
 
 describe("uat: pending-progress edit preserves HTML formatting (#1698 regression gate)", () => {
   it(