switchroom 0.14.30 → 0.14.31

package/dist/cli/switchroom.js

@@ -49420,8 +49420,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.30";
-var COMMIT_SHA = "84f50bd2";
+var VERSION = "0.14.31";
+var COMMIT_SHA = "1aa03b91";
 
 // src/cli/agent.ts
 init_source();
@@ -51839,6 +51839,15 @@ function buildSettingsHooksBlock(p) {
         }
       ]
     },
+    {
+      hooks: [
+        {
+          type: "command",
+          command: wrap("hook:sentinel-reply-guard-pretool", `node "${join8(DOCKER_HOOKS_PATH, "sentinel-reply-guard-pretool.mjs")}"`),
+          timeout: 5
+        }
+      ]
+    },
     {
       matcher: "^(Agent|Task)$",
       hooks: [
@@ -74020,7 +74029,39 @@ var STRUCTURED_PATTERNS = [
     slugHint: "pem_private_key"
   }
 ];
-var ALL_PATTERNS = [...ANCHORED_PATTERNS, ...STRUCTURED_PATTERNS];
+var PROVIDER_PATTERNS = [
+  { rule_id: "slack_webhook", regex: /(https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9_/]+)/g, captureIndex: 1, slugHint: "slack_webhook" },
+  { rule_id: "stripe_live_secret", regex: /\b(sk_live_[A-Za-z0-9]{24,})\b/g, captureIndex: 1, slugHint: "stripe_key" },
+  { rule_id: "stripe_restricted", regex: /\b(rk_live_[A-Za-z0-9]{24,})\b/g, captureIndex: 1, slugHint: "stripe_key" },
+  { rule_id: "sendgrid_api_key", regex: /\b(SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43})\b/g, captureIndex: 1, slugHint: "sendgrid_key" },
+  { rule_id: "gitlab_pat", regex: /\b(glpat-[A-Za-z0-9_-]{20})\b/g, captureIndex: 1, slugHint: "gitlab_pat" },
+  { rule_id: "huggingface_token", regex: /\b(hf_[A-Za-z0-9]{34,})\b/g, captureIndex: 1, slugHint: "huggingface_token" },
+  { rule_id: "twilio_api_key", regex: /\b(SK[0-9a-f]{32})\b/g, captureIndex: 1, slugHint: "twilio_api_key" },
+  { rule_id: "mailgun_key", regex: /\b(key-[0-9a-f]{32})\b/g, captureIndex: 1, slugHint: "mailgun_key" },
+  { rule_id: "digitalocean_pat", regex: /\b(dop_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: "digitalocean_token" },
+  { rule_id: "digitalocean_oauth", regex: /\b(doo_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: "digitalocean_token" },
+  { rule_id: "digitalocean_refresh", regex: /\b(dor_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: "digitalocean_token" },
+  { rule_id: "doppler_token", regex: /\b(dp\.(?:pt|st|ct|sa|scim|audit)\.[A-Za-z0-9]{40,44})\b/g, captureIndex: 1, slugHint: "doppler_token" },
+  { rule_id: "linear_api_key", regex: /\b(lin_api_[A-Za-z0-9]{40})\b/g, captureIndex: 1, slugHint: "linear_api_key" },
+  { rule_id: "shopify_access_token", regex: /\b(shpat_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: "shopify_token" },
+  { rule_id: "shopify_shared_secret", regex: /\b(shpss_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: "shopify_token" },
+  { rule_id: "shopify_private_app", regex: /\b(shppa_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: "shopify_token" },
+  { rule_id: "square_access_token", regex: /\b(sq0atp-[A-Za-z0-9_-]{22})\b/g, captureIndex: 1, slugHint: "square_token" },
+  { rule_id: "square_oauth_secret", regex: /\b(sq0csp-[A-Za-z0-9_-]{43})\b/g, captureIndex: 1, slugHint: "square_token" },
+  { rule_id: "newrelic_key", regex: /\b(NRAK-[A-Z0-9]{27})\b/g, captureIndex: 1, slugHint: "newrelic_key" },
+  { rule_id: "notion_token", regex: /\b(ntn_[A-Za-z0-9]{46})\b/g, captureIndex: 1, slugHint: "notion_token" },
+  { rule_id: "planetscale_password", regex: /\b(pscale_pw_[A-Za-z0-9_.-]{43})\b/g, captureIndex: 1, slugHint: "planetscale_token" },
+  { rule_id: "planetscale_token", regex: /\b(pscale_tkn_[A-Za-z0-9_.-]{43})\b/g, captureIndex: 1, slugHint: "planetscale_token" },
+  { rule_id: "supabase_service_key", regex: /\b(sbp_[a-f0-9]{40})\b/g, captureIndex: 1, slugHint: "supabase_key" },
+  { rule_id: "atlassian_token", regex: /\b(ATATT[A-Za-z0-9_\-=]{20,})\b/g, captureIndex: 1, slugHint: "atlassian_token" },
+  { rule_id: "dropbox_token", regex: /\b(sl\.[A-Za-z0-9_-]{130,})/g, captureIndex: 1, slugHint: "dropbox_token" },
+  { rule_id: "databricks_token", regex: /\b(dapi[a-f0-9]{32})\b/g, captureIndex: 1, slugHint: "databricks_token" },
+  { rule_id: "grafana_service_account", regex: /\b(glsa_[A-Za-z0-9]{32}_[a-fA-F0-9]{8})\b/g, captureIndex: 1, slugHint: "grafana_token" },
+  { rule_id: "pypi_token", regex: /\b(pypi-AgEIcHlwaS[A-Za-z0-9_-]{50,})/g, captureIndex: 1, slugHint: "pypi_token" },
+  { rule_id: "aws_temp_access_key", regex: /\b(ASIA[0-9A-Z]{16})\b/g, captureIndex: 1, slugHint: "aws_access_key" },
+  { rule_id: "gcp_oauth_token", regex: /\b(ya29\.[A-Za-z0-9_-]{30,})/g, captureIndex: 1, slugHint: "gcp_oauth_token" }
+];
+var ALL_PATTERNS = [...ANCHORED_PATTERNS, ...PROVIDER_PATTERNS, ...STRUCTURED_PATTERNS];
 
 // telegram-plugin/secret-detect/entropy.ts
 function shannonEntropy(s) {
@@ -74070,6 +74111,54 @@ function scanKeyValue(text) {
   return hits;
 }
 
+// telegram-plugin/secret-detect/generic-entropy.ts
+var CANDIDATE_RE = /[A-Za-z0-9]{28,}/g;
+var GENERIC_MIN_DISTINCT = 18;
+var MAX_GENERIC_HITS = 20;
+function hasDistinctChars(tok, n) {
+  const seen = new Uint8Array(128);
+  let distinct = 0;
+  for (let i = 0;i < tok.length; i++) {
+    const c = tok.charCodeAt(i);
+    if (seen[c] === 0) {
+      seen[c] = 1;
+      if (++distinct >= n)
+        return true;
+    }
+  }
+  return false;
+}
+function hasDigit(tok) {
+  for (let i = 0;i < tok.length; i++) {
+    const c = tok.charCodeAt(i);
+    if (c >= 48 && c <= 57)
+      return true;
+  }
+  return false;
+}
+function scanGenericSecrets(text) {
+  const hits = [];
+  CANDIDATE_RE.lastIndex = 0;
+  let m;
+  while ((m = CANDIDATE_RE.exec(text)) !== null) {
+    if (hits.length >= MAX_GENERIC_HITS)
+      break;
+    const tok = m[0];
+    if (!hasDigit(tok))
+      continue;
+    if (!hasDistinctChars(tok, GENERIC_MIN_DISTINCT))
+      continue;
+    hits.push({
+      rule_id: "generic_high_entropy",
+      start: m.index,
+      end: m.index + tok.length,
+      matched_text: tok,
+      confidence: "ambiguous"
+    });
+  }
+  return hits;
+}
+
 // telegram-plugin/secret-detect/chunker.ts
 var CHUNK_THRESHOLD = 32 * 1024;
 var WINDOW_SIZE = 16 * 1024;
@@ -74184,6 +74273,10 @@ function detectSecrets(text) {
     for (const h of kvHits) {
       raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset });
     }
+    const genHits = scanGenericSecrets(win.text);
+    for (const h of genHits) {
+      raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset });
+    }
   }
   const deduped = dedupeRaw(raw);
   const final = dropOverlaps(deduped);
@@ -74222,13 +74315,7 @@ function dedupeRaw(raw) {
   return Array.from(seen.values());
 }
 function dropOverlaps(hits) {
-  const sorted = [...hits].sort((a, b) => a.end - a.start - (b.end - b.start));
-  const out = [];
-  for (const h of sorted) {
-    const contained = out.some((existing) => existing !== h && existing.start <= h.start && existing.end >= h.end && !(existing.start === h.start && existing.end === h.end));
-    if (!contained)
-      out.push(h);
-  }
+  const out = hits.filter((h) => !(h.confidence === "ambiguous" && hits.some((o) => o !== h && o.start <= h.start && o.end >= h.end && !(o.start === h.start && o.end === h.end))));
   out.sort((a, b) => a.start - b.start || a.end - b.end);
   return out;
 }
@@ -74239,7 +74326,7 @@ function redact(text) {
   if (!text || text.length === 0)
     return text;
   const urlScrubbed = redactUrls(text);
-  const hits = detectSecrets(urlScrubbed);
+  const hits = detectSecrets(urlScrubbed).filter((h) => h.rule_id !== "generic_high_entropy");
   if (hits.length === 0)
     return urlScrubbed;
   const sorted = [...hits].sort((a, b) => b.start - a.start);

package/dist/host-control/main.js

@@ -19908,7 +19908,39 @@ var STRUCTURED_PATTERNS = [
     slugHint: "pem_private_key"
   }
 ];
-var ALL_PATTERNS = [...ANCHORED_PATTERNS, ...STRUCTURED_PATTERNS];
+var PROVIDER_PATTERNS = [
+  { rule_id: "slack_webhook", regex: /(https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9_/]+)/g, captureIndex: 1, slugHint: "slack_webhook" },
+  { rule_id: "stripe_live_secret", regex: /\b(sk_live_[A-Za-z0-9]{24,})\b/g, captureIndex: 1, slugHint: "stripe_key" },
+  { rule_id: "stripe_restricted", regex: /\b(rk_live_[A-Za-z0-9]{24,})\b/g, captureIndex: 1, slugHint: "stripe_key" },
+  { rule_id: "sendgrid_api_key", regex: /\b(SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43})\b/g, captureIndex: 1, slugHint: "sendgrid_key" },
+  { rule_id: "gitlab_pat", regex: /\b(glpat-[A-Za-z0-9_-]{20})\b/g, captureIndex: 1, slugHint: "gitlab_pat" },
+  { rule_id: "huggingface_token", regex: /\b(hf_[A-Za-z0-9]{34,})\b/g, captureIndex: 1, slugHint: "huggingface_token" },
+  { rule_id: "twilio_api_key", regex: /\b(SK[0-9a-f]{32})\b/g, captureIndex: 1, slugHint: "twilio_api_key" },
+  { rule_id: "mailgun_key", regex: /\b(key-[0-9a-f]{32})\b/g, captureIndex: 1, slugHint: "mailgun_key" },
+  { rule_id: "digitalocean_pat", regex: /\b(dop_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: "digitalocean_token" },
+  { rule_id: "digitalocean_oauth", regex: /\b(doo_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: "digitalocean_token" },
+  { rule_id: "digitalocean_refresh", regex: /\b(dor_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: "digitalocean_token" },
+  { rule_id: "doppler_token", regex: /\b(dp\.(?:pt|st|ct|sa|scim|audit)\.[A-Za-z0-9]{40,44})\b/g, captureIndex: 1, slugHint: "doppler_token" },
+  { rule_id: "linear_api_key", regex: /\b(lin_api_[A-Za-z0-9]{40})\b/g, captureIndex: 1, slugHint: "linear_api_key" },
+  { rule_id: "shopify_access_token", regex: /\b(shpat_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: "shopify_token" },
+  { rule_id: "shopify_shared_secret", regex: /\b(shpss_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: "shopify_token" },
+  { rule_id: "shopify_private_app", regex: /\b(shppa_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: "shopify_token" },
+  { rule_id: "square_access_token", regex: /\b(sq0atp-[A-Za-z0-9_-]{22})\b/g, captureIndex: 1, slugHint: "square_token" },
+  { rule_id: "square_oauth_secret", regex: /\b(sq0csp-[A-Za-z0-9_-]{43})\b/g, captureIndex: 1, slugHint: "square_token" },
+  { rule_id: "newrelic_key", regex: /\b(NRAK-[A-Z0-9]{27})\b/g, captureIndex: 1, slugHint: "newrelic_key" },
+  { rule_id: "notion_token", regex: /\b(ntn_[A-Za-z0-9]{46})\b/g, captureIndex: 1, slugHint: "notion_token" },
+  { rule_id: "planetscale_password", regex: /\b(pscale_pw_[A-Za-z0-9_.-]{43})\b/g, captureIndex: 1, slugHint: "planetscale_token" },
+  { rule_id: "planetscale_token", regex: /\b(pscale_tkn_[A-Za-z0-9_.-]{43})\b/g, captureIndex: 1, slugHint: "planetscale_token" },
+  { rule_id: "supabase_service_key", regex: /\b(sbp_[a-f0-9]{40})\b/g, captureIndex: 1, slugHint: "supabase_key" },
+  { rule_id: "atlassian_token", regex: /\b(ATATT[A-Za-z0-9_\-=]{20,})\b/g, captureIndex: 1, slugHint: "atlassian_token" },
+  { rule_id: "dropbox_token", regex: /\b(sl\.[A-Za-z0-9_-]{130,})/g, captureIndex: 1, slugHint: "dropbox_token" },
+  { rule_id: "databricks_token", regex: /\b(dapi[a-f0-9]{32})\b/g, captureIndex: 1, slugHint: "databricks_token" },
+  { rule_id: "grafana_service_account", regex: /\b(glsa_[A-Za-z0-9]{32}_[a-fA-F0-9]{8})\b/g, captureIndex: 1, slugHint: "grafana_token" },
+  { rule_id: "pypi_token", regex: /\b(pypi-AgEIcHlwaS[A-Za-z0-9_-]{50,})/g, captureIndex: 1, slugHint: "pypi_token" },
+  { rule_id: "aws_temp_access_key", regex: /\b(ASIA[0-9A-Z]{16})\b/g, captureIndex: 1, slugHint: "aws_access_key" },
+  { rule_id: "gcp_oauth_token", regex: /\b(ya29\.[A-Za-z0-9_-]{30,})/g, captureIndex: 1, slugHint: "gcp_oauth_token" }
+];
+var ALL_PATTERNS = [...ANCHORED_PATTERNS, ...PROVIDER_PATTERNS, ...STRUCTURED_PATTERNS];
 
 // telegram-plugin/secret-detect/entropy.ts
 function shannonEntropy(s) {
@@ -19958,6 +19990,54 @@ function scanKeyValue(text) {
   return hits;
 }
 
+// telegram-plugin/secret-detect/generic-entropy.ts
+var CANDIDATE_RE = /[A-Za-z0-9]{28,}/g;
+var GENERIC_MIN_DISTINCT = 18;
+var MAX_GENERIC_HITS = 20;
+function hasDistinctChars(tok, n) {
+  const seen = new Uint8Array(128);
+  let distinct = 0;
+  for (let i = 0;i < tok.length; i++) {
+    const c = tok.charCodeAt(i);
+    if (seen[c] === 0) {
+      seen[c] = 1;
+      if (++distinct >= n)
+        return true;
+    }
+  }
+  return false;
+}
+function hasDigit(tok) {
+  for (let i = 0;i < tok.length; i++) {
+    const c = tok.charCodeAt(i);
+    if (c >= 48 && c <= 57)
+      return true;
+  }
+  return false;
+}
+function scanGenericSecrets(text) {
+  const hits = [];
+  CANDIDATE_RE.lastIndex = 0;
+  let m;
+  while ((m = CANDIDATE_RE.exec(text)) !== null) {
+    if (hits.length >= MAX_GENERIC_HITS)
+      break;
+    const tok = m[0];
+    if (!hasDigit(tok))
+      continue;
+    if (!hasDistinctChars(tok, GENERIC_MIN_DISTINCT))
+      continue;
+    hits.push({
+      rule_id: "generic_high_entropy",
+      start: m.index,
+      end: m.index + tok.length,
+      matched_text: tok,
+      confidence: "ambiguous"
+    });
+  }
+  return hits;
+}
+
 // telegram-plugin/secret-detect/chunker.ts
 var CHUNK_THRESHOLD = 32 * 1024;
 var WINDOW_SIZE = 16 * 1024;
@@ -20072,6 +20152,10 @@ function detectSecrets(text) {
     for (const h of kvHits) {
       raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset });
     }
+    const genHits = scanGenericSecrets(win.text);
+    for (const h of genHits) {
+      raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset });
+    }
   }
   const deduped = dedupeRaw(raw);
   const final = dropOverlaps(deduped);
@@ -20110,13 +20194,7 @@ function dedupeRaw(raw) {
   return Array.from(seen.values());
 }
 function dropOverlaps(hits) {
-  const sorted = [...hits].sort((a, b) => a.end - a.start - (b.end - b.start));
-  const out = [];
-  for (const h of sorted) {
-    const contained = out.some((existing) => existing !== h && existing.start <= h.start && existing.end >= h.end && !(existing.start === h.start && existing.end === h.end));
-    if (!contained)
-      out.push(h);
-  }
+  const out = hits.filter((h) => !(h.confidence === "ambiguous" && hits.some((o) => o !== h && o.start <= h.start && o.end >= h.end && !(o.start === h.start && o.end === h.end))));
   out.sort((a, b) => a.start - b.start || a.end - b.end);
   return out;
 }
@@ -20127,7 +20205,7 @@ function redact(text) {
   if (!text || text.length === 0)
     return text;
   const urlScrubbed = redactUrls(text);
-  const hits = detectSecrets(urlScrubbed);
+  const hits = detectSecrets(urlScrubbed).filter((h) => h.rule_id !== "generic_high_entropy");
   if (hits.length === 0)
     return urlScrubbed;
   const sorted = [...hits].sort((a, b) => b.start - a.start);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.14.30",
+  "version": "0.14.31",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/dist/gateway/gateway.js

@@ -24867,7 +24867,7 @@ var init_loader = __esm(() => {
 });
 
 // secret-detect/patterns.ts
-var ANCHORED_PATTERNS, STRUCTURED_PATTERNS, ALL_PATTERNS;
+var ANCHORED_PATTERNS, STRUCTURED_PATTERNS, PROVIDER_PATTERNS, ALL_PATTERNS;
 var init_patterns = __esm(() => {
   ANCHORED_PATTERNS = [
     { rule_id: "anthropic_api_key", regex: /\b(sk-ant-[A-Za-z0-9_-]{8,})\b/g, captureIndex: 1, slugHint: "anthropic_api_key" },
@@ -24925,7 +24925,39 @@ var init_patterns = __esm(() => {
       slugHint: "pem_private_key"
     }
   ];
-  ALL_PATTERNS = [...ANCHORED_PATTERNS, ...STRUCTURED_PATTERNS];
+  PROVIDER_PATTERNS = [
+    { rule_id: "slack_webhook", regex: /(https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9_/]+)/g, captureIndex: 1, slugHint: "slack_webhook" },
+    { rule_id: "stripe_live_secret", regex: /\b(sk_live_[A-Za-z0-9]{24,})\b/g, captureIndex: 1, slugHint: "stripe_key" },
+    { rule_id: "stripe_restricted", regex: /\b(rk_live_[A-Za-z0-9]{24,})\b/g, captureIndex: 1, slugHint: "stripe_key" },
+    { rule_id: "sendgrid_api_key", regex: /\b(SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43})\b/g, captureIndex: 1, slugHint: "sendgrid_key" },
+    { rule_id: "gitlab_pat", regex: /\b(glpat-[A-Za-z0-9_-]{20})\b/g, captureIndex: 1, slugHint: "gitlab_pat" },
+    { rule_id: "huggingface_token", regex: /\b(hf_[A-Za-z0-9]{34,})\b/g, captureIndex: 1, slugHint: "huggingface_token" },
+    { rule_id: "twilio_api_key", regex: /\b(SK[0-9a-f]{32})\b/g, captureIndex: 1, slugHint: "twilio_api_key" },
+    { rule_id: "mailgun_key", regex: /\b(key-[0-9a-f]{32})\b/g, captureIndex: 1, slugHint: "mailgun_key" },
+    { rule_id: "digitalocean_pat", regex: /\b(dop_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: "digitalocean_token" },
+    { rule_id: "digitalocean_oauth", regex: /\b(doo_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: "digitalocean_token" },
+    { rule_id: "digitalocean_refresh", regex: /\b(dor_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: "digitalocean_token" },
+    { rule_id: "doppler_token", regex: /\b(dp\.(?:pt|st|ct|sa|scim|audit)\.[A-Za-z0-9]{40,44})\b/g, captureIndex: 1, slugHint: "doppler_token" },
+    { rule_id: "linear_api_key", regex: /\b(lin_api_[A-Za-z0-9]{40})\b/g, captureIndex: 1, slugHint: "linear_api_key" },
+    { rule_id: "shopify_access_token", regex: /\b(shpat_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: "shopify_token" },
+    { rule_id: "shopify_shared_secret", regex: /\b(shpss_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: "shopify_token" },
+    { rule_id: "shopify_private_app", regex: /\b(shppa_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: "shopify_token" },
+    { rule_id: "square_access_token", regex: /\b(sq0atp-[A-Za-z0-9_-]{22})\b/g, captureIndex: 1, slugHint: "square_token" },
+    { rule_id: "square_oauth_secret", regex: /\b(sq0csp-[A-Za-z0-9_-]{43})\b/g, captureIndex: 1, slugHint: "square_token" },
+    { rule_id: "newrelic_key", regex: /\b(NRAK-[A-Z0-9]{27})\b/g, captureIndex: 1, slugHint: "newrelic_key" },
+    { rule_id: "notion_token", regex: /\b(ntn_[A-Za-z0-9]{46})\b/g, captureIndex: 1, slugHint: "notion_token" },
+    { rule_id: "planetscale_password", regex: /\b(pscale_pw_[A-Za-z0-9_.-]{43})\b/g, captureIndex: 1, slugHint: "planetscale_token" },
+    { rule_id: "planetscale_token", regex: /\b(pscale_tkn_[A-Za-z0-9_.-]{43})\b/g, captureIndex: 1, slugHint: "planetscale_token" },
+    { rule_id: "supabase_service_key", regex: /\b(sbp_[a-f0-9]{40})\b/g, captureIndex: 1, slugHint: "supabase_key" },
+    { rule_id: "atlassian_token", regex: /\b(ATATT[A-Za-z0-9_\-=]{20,})\b/g, captureIndex: 1, slugHint: "atlassian_token" },
+    { rule_id: "dropbox_token", regex: /\b(sl\.[A-Za-z0-9_-]{130,})/g, captureIndex: 1, slugHint: "dropbox_token" },
+    { rule_id: "databricks_token", regex: /\b(dapi[a-f0-9]{32})\b/g, captureIndex: 1, slugHint: "databricks_token" },
+    { rule_id: "grafana_service_account", regex: /\b(glsa_[A-Za-z0-9]{32}_[a-fA-F0-9]{8})\b/g, captureIndex: 1, slugHint: "grafana_token" },
+    { rule_id: "pypi_token", regex: /\b(pypi-AgEIcHlwaS[A-Za-z0-9_-]{50,})/g, captureIndex: 1, slugHint: "pypi_token" },
+    { rule_id: "aws_temp_access_key", regex: /\b(ASIA[0-9A-Z]{16})\b/g, captureIndex: 1, slugHint: "aws_access_key" },
+    { rule_id: "gcp_oauth_token", regex: /\b(ya29\.[A-Za-z0-9_-]{30,})/g, captureIndex: 1, slugHint: "gcp_oauth_token" }
+  ];
+  ALL_PATTERNS = [...ANCHORED_PATTERNS, ...PROVIDER_PATTERNS, ...STRUCTURED_PATTERNS];
 });
 
 // secret-detect/entropy.ts
@@ -24978,6 +25010,55 @@ var init_kv_scanner = __esm(() => {
   KV_RE = /\b([A-Za-z_][A-Za-z0-9_-]*(?:password|passwd|token|secret|key|api[_-]?key))\s*[:=]\s*["']?([^\s"'\\]{8,})["']?/gi;
 });
 
+// secret-detect/generic-entropy.ts
+function hasDistinctChars(tok, n) {
+  const seen = new Uint8Array(128);
+  let distinct = 0;
+  for (let i = 0;i < tok.length; i++) {
+    const c = tok.charCodeAt(i);
+    if (seen[c] === 0) {
+      seen[c] = 1;
+      if (++distinct >= n)
+        return true;
+    }
+  }
+  return false;
+}
+function hasDigit(tok) {
+  for (let i = 0;i < tok.length; i++) {
+    const c = tok.charCodeAt(i);
+    if (c >= 48 && c <= 57)
+      return true;
+  }
+  return false;
+}
+function scanGenericSecrets(text) {
+  const hits = [];
+  CANDIDATE_RE.lastIndex = 0;
+  let m;
+  while ((m = CANDIDATE_RE.exec(text)) !== null) {
+    if (hits.length >= MAX_GENERIC_HITS)
+      break;
+    const tok = m[0];
+    if (!hasDigit(tok))
+      continue;
+    if (!hasDistinctChars(tok, GENERIC_MIN_DISTINCT))
+      continue;
+    hits.push({
+      rule_id: "generic_high_entropy",
+      start: m.index,
+      end: m.index + tok.length,
+      matched_text: tok,
+      confidence: "ambiguous"
+    });
+  }
+  return hits;
+}
+var CANDIDATE_RE, GENERIC_MIN_DISTINCT = 18, MAX_GENERIC_HITS = 20;
+var init_generic_entropy = __esm(() => {
+  CANDIDATE_RE = /[A-Za-z0-9]{28,}/g;
+});
+
 // secret-detect/chunker.ts
 function chunk(text) {
   if (text.length <= CHUNK_THRESHOLD) {
@@ -27070,6 +27151,10 @@ function detectSecrets(text) {
     for (const h of kvHits) {
       raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset });
     }
+    const genHits = scanGenericSecrets(win.text);
+    for (const h of genHits) {
+      raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset });
+    }
   }
   const deduped = dedupeRaw(raw);
   const final = dropOverlaps(deduped);
@@ -27108,19 +27193,14 @@ function dedupeRaw(raw) {
   return Array.from(seen.values());
 }
 function dropOverlaps(hits) {
-  const sorted = [...hits].sort((a, b) => a.end - a.start - (b.end - b.start));
-  const out = [];
-  for (const h of sorted) {
-    const contained = out.some((existing) => existing !== h && existing.start <= h.start && existing.end >= h.end && !(existing.start === h.start && existing.end === h.end));
-    if (!contained)
-      out.push(h);
-  }
+  const out = hits.filter((h) => !(h.confidence === "ambiguous" && hits.some((o) => o !== h && o.start <= h.start && o.end >= h.end && !(o.start === h.start && o.end === h.end))));
   out.sort((a, b) => a.start - b.start || a.end - b.end);
   return out;
 }
 var init_secret_detect = __esm(() => {
   init_patterns();
   init_kv_scanner();
+  init_generic_entropy();
   init_chunker();
   init_suppressor();
   init_url_redact();
@@ -27132,7 +27212,7 @@ function redact(text) {
   if (!text || text.length === 0)
     return text;
   const urlScrubbed = redactUrls(text);
-  const hits = detectSecrets(urlScrubbed);
+  const hits = detectSecrets(urlScrubbed).filter((h) => h.rule_id !== "generic_high_entropy");
   if (hits.length === 0)
     return urlScrubbed;
   const sorted = [...hits].sort((a, b) => b.start - a.start);
@@ -30521,6 +30601,7 @@ var init_materialize_bot_token = __esm(() => {
 var exports_tmux = {};
 __export(exports_tmux, {
   sendAgentInterrupt: () => sendAgentInterrupt,
+  clearAgentComposer: () => clearAgentComposer,
   captureAgentPane: () => captureAgentPane
 });
 import { execFileSync as execFileSync4 } from "node:child_process";
@@ -30616,6 +30697,22 @@ function sendAgentInterrupt(opts) {
   }
   return { error: lastError ?? "tmux send-keys C-c failed" };
 }
+function clearAgentComposer(opts) {
+  const { agentName: agentName3 } = opts;
+  const socket = `switchroom-${agentName3}`;
+  const args = ["-L", socket, "send-keys", "-t", agentName3, "C-u", "C-a", "C-k"];
+  try {
+    execFileSync4("tmux", args, {
+      timeout: 3000,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return { ok: true };
+  } catch (err) {
+    const msg = `tmux send-keys composer-clear failed: ${err.message}`;
+    console.error(`[tmux-composer-clear] ${agentName3}: ${msg}`);
+    return { error: msg };
+  }
+}
 function sleepSync2(ms) {
   const sab = new SharedArrayBuffer(4);
   const view = new Int32Array(sab);
@@ -42495,6 +42592,15 @@ function isCompositeSilentNoise(text) {
     return false;
   return lines.every((l) => isSilentFlushMarker2(l) || isTrivialConfirmationLine(l));
 }
+function endsWithSilentMarker(text) {
+  if (typeof text !== "string")
+    return false;
+  const lines = text.split(`
+`).map((l) => l.trim()).filter((l) => l.length > 0);
+  if (lines.length === 0)
+    return false;
+  return isSilentFlushMarker2(lines[lines.length - 1]);
+}
 function decideTurnFlush(input) {
   const flushEnabled = input.flushEnabled !== false;
   if (!flushEnabled)
@@ -42511,6 +42617,8 @@ function decideTurnFlush(input) {
     return { kind: "skip", reason: "silent-marker" };
   if (isCompositeSilentNoise(joined))
     return { kind: "skip", reason: "silent-marker" };
+  if (endsWithSilentMarker(joined))
+    return { kind: "skip", reason: "silent-marker" };
   return { kind: "flush", text: joined };
 }
 function isTurnFlushSafetyEnabled(env = process.env) {
@@ -48810,6 +48918,7 @@ function recentDenialsFromAuditLog(rawAuditLog, opts) {
 // secret-detect/index.ts
 init_patterns();
 init_kv_scanner();
+init_generic_entropy();
 init_chunker();
 init_suppressor();
 init_url_redact();
@@ -48859,6 +48968,10 @@ function detectSecrets2(text) {
     for (const h of kvHits) {
       raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset });
     }
+    const genHits = scanGenericSecrets(win.text);
+    for (const h of genHits) {
+      raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset });
+    }
   }
   const deduped = dedupeRaw2(raw);
   const final = dropOverlaps2(deduped);
@@ -48897,13 +49010,7 @@ function dedupeRaw2(raw) {
   return Array.from(seen.values());
 }
 function dropOverlaps2(hits) {
-  const sorted = [...hits].sort((a, b) => a.end - a.start - (b.end - b.start));
-  const out = [];
-  for (const h of sorted) {
-    const contained = out.some((existing) => existing !== h && existing.start <= h.start && existing.end >= h.end && !(existing.start === h.start && existing.end === h.end));
-    if (!contained)
-      out.push(h);
-  }
+  const out = hits.filter((h) => !(h.confidence === "ambiguous" && hits.some((o) => o !== h && o.start <= h.start && o.end >= h.end && !(o.start === h.start && o.end === h.end))));
   out.sort((a, b) => a.start - b.start || a.end - b.end);
   return out;
 }
@@ -48916,7 +49023,7 @@ function redact2(text) {
   if (!text || text.length === 0)
     return text;
   const urlScrubbed = redactUrls(text);
-  const hits = detectSecrets(urlScrubbed);
+  const hits = detectSecrets(urlScrubbed).filter((h) => h.rule_id !== "generic_high_entropy");
   if (hits.length === 0)
     return urlScrubbed;
   const sorted = [...hits].sort((a, b) => b.start - a.start);
@@ -51659,10 +51766,10 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.14.30";
-var COMMIT_SHA = "84f50bd2";
-var COMMIT_DATE = "2026-06-01T06:07:00Z";
-var LATEST_PR = 2058;
+var VERSION = "0.14.31";
+var COMMIT_SHA = "1aa03b91";
+var COMMIT_DATE = "2026-06-01T06:45:00Z";
+var LATEST_PR = 2060;
 var COMMITS_AHEAD_OF_TAG = 0;
 
 // gateway/boot-version.ts
@@ -57717,6 +57824,19 @@ ${preBlock(write.output)}`;
 `);
     return;
   }
+  if (selfAgent) {
+    try {
+      const { clearAgentComposer: clearAgentComposer2 } = await Promise.resolve().then(() => (init_tmux(), exports_tmux));
+      const cleared = clearAgentComposer2({ agentName: selfAgent });
+      if ("error" in cleared) {
+        process.stderr.write(`telegram gateway: pre-send composer-clear soft-failed agent=${selfAgent}: ${cleared.error} \u2014 delivering anyway
+`);
+      }
+    } catch (err) {
+      process.stderr.write(`telegram gateway: pre-send composer-clear threw agent=${selfAgent}: ${err.message} \u2014 delivering anyway
+`);
+    }
+  }
   const delivered = ipcServer.sendToAgent(selfAgent, inboundMsg);
   if (delivered)
     markClaudeBusyForInbound(inboundMsg);

package/telegram-plugin/gateway/gateway.ts

@@ -10515,6 +10515,33 @@ async function handleInbound(
     return
   }
 
+  // Pre-send composer clear (the marko wedge). The inbound is about to be
+  // delivered as an MCP `notifications/claude/channel` notification, which
+  // the unmodified CLI appends into its composer and auto-submits ONLY when
+  // the composer is empty + idle. The #1556 gate above guarantees idle, but
+  // NOT empty: stale typed-ahead / ghost text stranded in the composer
+  // (observed live on agent `marko`: "Yes, go ahead on both") makes the
+  // appended inbound fail to submit and silently swallows every subsequent
+  // queued inbound until a hard restart. Wipe the composer first so the
+  // notification lands at a clean line. Soft-fail by contract — a clear
+  // failure (no tmux session under legacy_pty, socket missing, timeout)
+  // must NEVER block delivery; log and proceed.
+  if (selfAgent) {
+    try {
+      const { clearAgentComposer } = await import('../../src/agents/tmux.js')
+      const cleared = clearAgentComposer({ agentName: selfAgent })
+      if ('error' in cleared) {
+        process.stderr.write(
+          `telegram gateway: pre-send composer-clear soft-failed agent=${selfAgent}: ${cleared.error} — delivering anyway\n`,
+        )
+      }
+    } catch (err) {
+      process.stderr.write(
+        `telegram gateway: pre-send composer-clear threw agent=${selfAgent}: ${(err as Error).message} — delivering anyway\n`,
+      )
+    }
+  }
+
   const delivered = ipcServer.sendToAgent(selfAgent, inboundMsg)
   if (delivered) markClaudeBusyForInbound(inboundMsg)
   if (!delivered) {

package/telegram-plugin/hooks/hooks.json

@@ -10,6 +10,15 @@
           }
         ]
       },
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node \"${CLAUDE_PLUGIN_ROOT}/hooks/sentinel-reply-guard-pretool.mjs\"",
+            "timeout": 5
+          }
+        ]
+      },
       {
         "matcher": "^(Agent|Task)$",
         "hooks": [