switchroom 0.14.30 → 0.14.31

package/telegram-plugin/hooks/sentinel-reply-guard-pretool.mjs

@@ -0,0 +1,114 @@
+#!/usr/bin/env node
+/**
+ * PreToolUse hook — drops a `reply` / `stream_reply` call whose entire
+ * payload is only the silent sentinel(s) NO_REPLY / HEARTBEAT_OK.
+ *
+ * Defense-in-depth for #2053. The silent-end Stop hook and the gateway
+ * flush gate already recognise prose+trailing-NO_REPLY as "intentionally
+ * silent", but if a nag-loop (or any other path) ever pushes a
+ * sentinel-only payload through the reply tool, it must NEVER reach the
+ * Telegram chat. This guard is the last line: it intercepts the tool
+ * call itself, before the gateway sees it.
+ *
+ * Match discipline — EXACT, not substring:
+ *   - The trimmed payload must be ONLY one or more silent markers
+ *     (each on its own line, optional trailing punctuation per marker).
+ *   - A real reply that happens to mention "NO_REPLY" inside genuine
+ *     prose (e.g. "reply with exactly NO_REPLY if nothing to add") is
+ *     NOT dropped — it has non-marker content, so it is delivered.
+ *
+ * Claude Code PreToolUse protocol (v1):
+ *   Input:  JSON on stdin — { session_id, tool_name, tool_input, ... }
+ *   Output: exit 0 + empty stdout → allow.
+ *           exit 0 + JSON stdout { decision: "block", reason } → block.
+ *
+ * Fail-open on any parse/IO error — a malfunctioning guard must not wedge
+ * the reply path.
+ */
+
+import { readFileSync } from 'node:fs'
+import { argv } from 'node:process'
+import { fileURLToPath } from 'node:url'
+
+const REPLY_TOOLS = new Set([
+  'mcp__switchroom-telegram__reply',
+  'mcp__switchroom-telegram__stream_reply',
+])
+
+// Mirrors turn-flush-safety.ts:isSilentFlushMarker and
+// silent-end-scan.mjs:SILENT_MARKER_RE — a single bare marker with
+// optional trailing punctuation.
+const SILENT_MARKER_RE = /^(NO_REPLY|HEARTBEAT_OK)[\s.!?]*$/i
+
+function readStdin() {
+  try {
+    return readFileSync(0, 'utf8')
+  } catch {
+    return ''
+  }
+}
+
+/**
+ * True when `text` is composed ENTIRELY of silent markers — every
+ * non-empty line is a bare NO_REPLY / HEARTBEAT_OK — with at least one
+ * such line. Exact-match per line, never a substring of prose.
+ *
+ * @param {string} text
+ * @returns {boolean}
+ */
+export function isSentinelOnly(text) {
+  if (typeof text !== 'string') return false
+  const lines = text
+    .split('\n')
+    .map((l) => l.trim())
+    .filter((l) => l.length > 0)
+  if (lines.length === 0) return false
+  return lines.every((l) => SILENT_MARKER_RE.test(l))
+}
+
+function main() {
+  const raw = readStdin().trim()
+  if (!raw) process.exit(0)
+
+  let event
+  try {
+    event = JSON.parse(raw)
+  } catch {
+    process.exit(0)
+  }
+
+  const toolName = event?.tool_name
+  if (!REPLY_TOOLS.has(toolName)) process.exit(0)
+
+  const text = event?.tool_input?.text
+  if (typeof text !== 'string') process.exit(0)
+
+  if (isSentinelOnly(text)) {
+    process.stderr.write(
+      '[sentinel-reply-guard] dropped sentinel-only reply payload (#2053) — ' +
+        'NO_REPLY/HEARTBEAT_OK must never reach chat\n',
+    )
+    process.stdout.write(
+      JSON.stringify({
+        decision: 'block',
+        reason:
+          'This reply payload is only the silent sentinel (NO_REPLY / ' +
+          'HEARTBEAT_OK). That sentinel signals "send nothing" — it must not ' +
+          'be delivered to the user as a message. The turn is already ' +
+          'treated as intentionally silent; do not call the reply tool with ' +
+          'it. End your turn.',
+      }),
+    )
+    process.exit(0)
+  }
+
+  process.exit(0)
+}
+
+// Only run the stdin-reading entrypoint when invoked directly as the hook
+// script. When imported (e.g. by the unit test exercising `isSentinelOnly`)
+// the top-level `readFileSync(0)` would otherwise block on the importer's
+// stdin and hang the process.
+if (argv[1] && fileURLToPath(import.meta.url) === argv[1]) {
+  main()
+}

package/telegram-plugin/hooks/silent-end-scan.mjs

@@ -43,6 +43,38 @@ const FINAL_ANSWER_MIN_CHARS = 200
 // variants like "NO_REPLY." / "no_reply").
 const SILENT_MARKER_RE = /^(NO_REPLY|HEARTBEAT_OK)[\s.!?]*$/i
 
+/**
+ * True when `text`'s final non-empty line is a bare silent marker
+ * (NO_REPLY / HEARTBEAT_OK + optional trailing punctuation), regardless
+ * of what precedes it. Closes #2053: a turn that emits prose then a
+ * trailing bare `NO_REPLY` line is the model explicitly signalling
+ * "intentionally silent". The anchored `SILENT_MARKER_RE` only matches
+ * when the ENTIRE trimmed output is the bare marker, so prose+NO_REPLY
+ * slipped through → the hook blocked → nag loop → sentinel leak.
+ *
+ * Approximately mirrors `turn-flush-safety.ts:endsWithSilentMarker` (TS
+ * gateway side). NOT byte-identical: this .mjs uses `SILENT_MARKER_RE`
+ * directly (no length cap, unlimited trailing punctuation), whereas the
+ * TS side delegates to `isSilentFlushMarker` (length-capped, single
+ * trailing punct). This side is intentionally the more permissive of the
+ * two; the divergence is benign in direction — both suppress the common
+ * `prose\nNO_REPLY` shape, and the extra leniency here only ever
+ * suppresses MORE (never leaks, never wrongly silences a user-awaited
+ * reply, which is gated separately).
+ *
+ * @param {string} text
+ * @returns {boolean}
+ */
+export function endsWithSilentMarker(text) {
+  if (typeof text !== 'string') return false
+  const lines = text
+    .split('\n')
+    .map((l) => l.trim())
+    .filter((l) => l.length > 0)
+  if (lines.length === 0) return false
+  return SILENT_MARKER_RE.test(lines[lines.length - 1])
+}
+
 /**
  * Predicate ported from `telegram-plugin/final-answer-detect.ts:78-83`.
  * Kept in this .mjs so the hook is fully self-contained (no TS import).
@@ -69,13 +101,15 @@ export function isFinalAnswerReply({ text, disableNotification, done }) {
  * @returns {{ chatId: string | null, threadId: number | null }}
  */
 function parseChannelEnvelope(content) {
-  if (typeof content !== 'string') return { chatId: null, threadId: null }
+  if (typeof content !== 'string') return { chatId: null, threadId: null, source: null }
   const chatMatch = content.match(/chat_id="([^"]+)"/)
   const threadMatch = content.match(/message_thread_id="([^"]+)"/)
+  const sourceMatch = content.match(/<channel[^>]*\bsource="([^"]+)"/)
   const threadRaw = threadMatch ? Number(threadMatch[1]) : NaN
   return {
     chatId: chatMatch ? chatMatch[1] : null,
     threadId: Number.isFinite(threadRaw) && threadRaw !== 0 ? threadRaw : null,
+    source: sourceMatch ? sourceMatch[1] : null,
   }
 }
 
@@ -128,7 +162,7 @@ export function scanTurnForFinalReply(jsonl) {
 
   // 1. Walk backward to most-recent queue-operation/enqueue.
   let startIdx = -1
-  let envelope = { chatId: null, threadId: null }
+  let envelope = { chatId: null, threadId: null, source: null }
   for (let i = lines.length - 1; i >= 0; i--) {
     const line = lines[i]
     if (!line || line[0] !== '{') continue
@@ -159,15 +193,27 @@ export function scanTurnForFinalReply(jsonl) {
     const content = obj?.message?.content
     if (!Array.isArray(content)) continue
     for (const c of content) {
+      // Plain assistant text carve-out (#2053): a turn that ends with a
+      // trailing bare NO_REPLY / HEARTBEAT_OK line — emitted as plain
+      // transcript text, NOT through the reply tool — is the model
+      // explicitly signalling "intentionally silent". The anchored
+      // SILENT_MARKER_RE below only fires when the ENTIRE reply-tool
+      // text is the bare marker, so a plain-text prose+NO_REPLY turn
+      // matched nothing here → block → nag → sentinel leak. Treat a
+      // trailing-marker text block as a valid silent end.
+      if (c?.type === 'text' && endsWithSilentMarker(String(c.text ?? ''))) {
+        return { decided: 'allow', reason: 'silent-marker-text' }
+      }
       if (c?.type !== 'tool_use') continue
       if (!REPLY_TOOLS.has(c.name)) continue
       const input = c.input ?? {}
       const text = String(input.text ?? '')
       // Silent-marker carve-out: the operator explicitly signaled
       // "intentionally silent" (cron HEARTBEAT_OK, model-driven
-      // NO_REPLY). Don't block — same posture as the gateway's
-      // silent-marker suppression at gateway.ts:6692.
-      if (SILENT_MARKER_RE.test(text.trim())) {
+      // NO_REPLY). Accept both the whole-text bare marker and the
+      // prose+trailing-marker shape (#2053). Same posture as the
+      // gateway's silent-marker suppression at gateway.ts:6692.
+      if (SILENT_MARKER_RE.test(text.trim()) || endsWithSilentMarker(text)) {
         return { decided: 'allow', reason: 'silent-marker' }
       }
       if (isFinalAnswerReply({
@@ -180,6 +226,16 @@ export function scanTurnForFinalReply(jsonl) {
     }
   }
 
+  // Cron-fired turns (#2053): a scheduled turn that produced no
+  // qualifying reply is NOT a delivery failure the user is waiting on —
+  // nagging it only pushes the model to escape the loop by shoving a
+  // NO_REPLY sentinel through the reply tool, which leaks to chat. A
+  // cron turn that genuinely needs to speak will have called reply
+  // (caught above); otherwise let it end silently.
+  if (envelope.source === 'cron') {
+    return { decided: 'allow', reason: 'cron-source' }
+  }
+
   const block = { decided: 'block', reason: 'no-final-reply' }
   if (envelope.chatId) {
     block.chatId = envelope.chatId

package/telegram-plugin/secret-detect/generic-entropy.ts

@@ -0,0 +1,87 @@
+/**
+ * Generic bare-high-entropy detector — the long-tail fallback.
+ *
+ * The provider/anchored patterns only catch tokens with a known prefix
+ * (sk-, ghp_, shpat_, …) or a KEY=value context. A STANDALONE high-entropy
+ * token pasted in prose — a raw Sanctum/base62 token with no prefix —
+ * matches none of them and used to slip through (the 2026-06-01 Sanctum
+ * incident). This scanner closes that gap.
+ *
+ * Emitted at **`ambiguous`** confidence, and `redact()` deliberately
+ * EXCLUDES this rule (see redact.ts): a generic guess must never silently
+ * mask — it would corrupt agent replies and stored messages (dense
+ * identifiers look high-entropy too). Its sole job is to drive the inbound
+ * gate's "👀 looks like a high-entropy string — stash to vault or ignore?"
+ * ASK prompt, where the operator confirms.
+ *
+ * Precision (the hard part — distinguishing a random token from a long
+ * technical identifier), via three cheap, composable filters:
+ *  1. CHARSET `[A-Za-z0-9]` only — NO `_` `-` `/` `+` `=` `.` `:`. This
+ *     breaks snake_case / kebab-case / npm paths / slugs / version strings
+ *     into sub-28 runs, so identifiers like `get_user_profile_by_org`,
+ *     `flex-row-gap-4`, `@babel/plugin-transform-modules-commonjs` never
+ *     form a candidate. (Cost: base64url tokens with `-`/`_` aren't caught
+ *     here — they usually appear in Bearer/JWT/KV contexts other rules
+ *     handle.)
+ *  2. ≥18 DISTINCT chars — excludes hex hashes/SHAs (≤16), digit runs
+ *     (≤10) by construction; and since 18 distinct is unreachable with
+ *     digits alone, a passing token necessarily contains letters.
+ *  3. Contains ≥1 DIGIT — kills CamelCase-without-digits identifiers
+ *     (`AbstractSingletonProxyFactoryBeanGenerator`, `TheQuickBrownFox…`),
+ *     which are the residual no-separator FP shape. Real base62 tokens
+ *     almost always contain a digit (>99% at 28+ chars).
+ */
+import type { RawHit } from './kv-scanner.js'
+
+const CANDIDATE_RE = /[A-Za-z0-9]{28,}/g
+
+// Unreachable with digits alone (10) → excludes hex (≤16) and digit runs;
+// real base62 tokens have 24–62 distinct.
+export const GENERIC_MIN_DISTINCT = 18
+
+// A real message has at most a handful of credentials; bound the work on
+// pathological/junk input (the O(n²) overlap-dedup downstream is the cost).
+const MAX_GENERIC_HITS = 20
+
+/** True once `tok` has at least `n` distinct chars (early-exit). ASCII-only
+ *  by construction — CANDIDATE_RE admits no code point ≥ 128. */
+function hasDistinctChars(tok: string, n: number): boolean {
+  const seen = new Uint8Array(128)
+  let distinct = 0
+  for (let i = 0; i < tok.length; i++) {
+    const c = tok.charCodeAt(i)
+    if (seen[c] === 0) {
+      seen[c] = 1
+      if (++distinct >= n) return true
+    }
+  }
+  return false
+}
+
+function hasDigit(tok: string): boolean {
+  for (let i = 0; i < tok.length; i++) {
+    const c = tok.charCodeAt(i)
+    if (c >= 48 && c <= 57) return true
+  }
+  return false
+}
+
+export function scanGenericSecrets(text: string): RawHit[] {
+  const hits: RawHit[] = []
+  CANDIDATE_RE.lastIndex = 0
+  let m: RegExpExecArray | null
+  while ((m = CANDIDATE_RE.exec(text)) !== null) {
+    if (hits.length >= MAX_GENERIC_HITS) break
+    const tok = m[0]
+    if (!hasDigit(tok)) continue
+    if (!hasDistinctChars(tok, GENERIC_MIN_DISTINCT)) continue
+    hits.push({
+      rule_id: 'generic_high_entropy',
+      start: m.index,
+      end: m.index + tok.length,
+      matched_text: tok,
+      confidence: 'ambiguous',
+    })
+  }
+  return hits
+}

package/telegram-plugin/secret-detect/index.ts

@@ -25,6 +25,7 @@
  */
 import { ALL_PATTERNS } from './patterns.js'
 import { scanKeyValue, type RawHit } from './kv-scanner.js'
+import { scanGenericSecrets } from './generic-entropy.js'
 import { shannonEntropy } from './entropy.js'
 import { chunk } from './chunker.js'
 import { isSuppressed } from './suppressor.js'
@@ -118,6 +119,14 @@ export function detectSecrets(text: string): Detection[] {
     for (const h of kvHits) {
       raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset })
     }
+    // Generic bare-high-entropy fallback (ambiguous). Catches standalone
+    // tokens no prefix/KV rule matched. dropOverlaps/dedupeRaw below prefer
+    // a high-confidence pattern hit over a generic one on the same range,
+    // so a recognized token isn't double-flagged.
+    const genHits = scanGenericSecrets(win.text)
+    for (const h of genHits) {
+      raw.push({ ...h, start: h.start + win.offset, end: h.end + win.offset })
+    }
   }
 
   // Dedupe by range + rule. If two rules hit the same range, prefer the
@@ -171,24 +180,28 @@ function dedupeRaw(raw: RawHit[]): RawHit[] {
 }
 
 /**
- * Drop hits fully contained inside another hit. Keeps the outer (typically
- * broader / higher-signal) hit — e.g. a JWT match wholly inside an
- * Authorization Bearer match keeps the Bearer.
+ * Drop an AMBIGUOUS hit that is fully contained inside another (larger)
+ * hit — e.g. a `generic_high_entropy` sub-span sitting inside a recognized
+ * high token, or inside an Authorization Bearer match. Narrow by design:
+ * it never drops a high-confidence hit and never touches high-vs-high
+ * overlaps, so it can't suppress a real detection — it only removes the
+ * redundant low-precision sub-spans the generic fallback can emit.
  */
 function dropOverlaps(hits: RawHit[]): RawHit[] {
-  const sorted = [...hits].sort((a, b) => (a.end - a.start) - (b.end - b.start))
-  const out: RawHit[] = []
-  for (const h of sorted) {
-    const contained = out.some(
-      (existing) =>
-        existing !== h &&
-        existing.start <= h.start &&
-        existing.end >= h.end &&
-        !(existing.start === h.start && existing.end === h.end),
-    )
-    if (!contained) out.push(h)
-  }
-  // Re-sort by start offset for deterministic downstream handling.
+  const out = hits.filter(
+    (h) =>
+      !(
+        h.confidence === 'ambiguous' &&
+        hits.some(
+          (o) =>
+            o !== h &&
+            o.start <= h.start &&
+            o.end >= h.end &&
+            !(o.start === h.start && o.end === h.end),
+        )
+      ),
+  )
+  // Sort by start offset for deterministic downstream handling.
   out.sort((a, b) => a.start - b.start || a.end - b.end)
   return out
 }
@@ -217,16 +230,22 @@ export async function detectSecretsAsync(text: string): Promise<Detection[]> {
     import('./secretlint-source.js').then((m) => m.detectViaSecretlint(text)),
   ])
 
-  // Merge with range-based dedupe. Vendored first wins on exact ties.
+  // Merge with range-based dedupe. On an exact-range tie, prefer the
+  // higher-confidence detection (else vendored-first). This matters since
+  // the vendored generic high-entropy fallback emits `ambiguous` — without
+  // the confidence tie-break it would shadow a Secretlint `high` provider
+  // hit on the same span and silently downgrade it (mirrors the sync
+  // dedupeRaw's high-over-ambiguous rule).
   const seen = new Map<string, Detection>()
-  for (const d of vendored) {
+  const consider = (d: Detection): void => {
     const key = `${d.start}:${d.end}`
-    if (!seen.has(key)) seen.set(key, d)
-  }
-  for (const d of viaSecretlint) {
-    const key = `${d.start}:${d.end}`
-    if (!seen.has(key)) seen.set(key, d)
+    const existing = seen.get(key)
+    if (!existing || (existing.confidence === 'ambiguous' && d.confidence === 'high')) {
+      seen.set(key, d)
+    }
   }
+  for (const d of vendored) consider(d)
+  for (const d of viaSecretlint) consider(d)
 
   // Re-derive slugs against the merged set (Secretlint and vendored each
   // had independent `existing` sets; we coalesce here).

package/telegram-plugin/secret-detect/patterns.ts

@@ -118,6 +118,68 @@ export const STRUCTURED_PATTERNS: PatternDef[] = [
 ]
 
 /**
- * Concatenated registry — anchored first, then structured.
+ * High-precision PREFIXED provider patterns (gitleaks/secret-scanner style).
+ *
+ * Every rule here has a distinctive literal prefix + length, so false
+ * positives on ordinary chat/code are near-zero — which is load-bearing,
+ * because the inbound gate DELETES a message on a high-confidence hit.
+ * We deliberately keep ONLY prefix-anchored rules here; a generic
+ * "any high-entropy string" detector (the bare-token gap that let the
+ * Sanctum `<id>|<token>` slip) is intentionally NOT here — that's a
+ * separate, ambiguous-routed change so it can't auto-delete on a guess.
+ *
+ * Baked as TS (not loaded from the vendored gitleaks.toml at runtime):
+ * the bundler inlines secret-detect into dist/server.js + gateway.js and
+ * does NOT ship the .toml alongside, so a runtime `loadGitleaksPatterns()`
+ * would silently resolve to nothing in the agent image. TS entries flow
+ * through ALL_PATTERNS into the shared detectSecrets engine, so they
+ * protect the inbound gate, the outbound mask, AND the issues pipeline.
+ *
+ * Provider prefixes already in ANCHORED_PATTERNS (sk-ant-, sk-, ghp_,
+ * github_pat_, AKIA, AIza, xox*, gsk_, pplx-, npm_, telegram id:token, jwt)
+ * are intentionally omitted to avoid duplicate hits.
+ */
+export const PROVIDER_PATTERNS: PatternDef[] = [
+  { rule_id: 'slack_webhook', regex: /(https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9_/]+)/g, captureIndex: 1, slugHint: 'slack_webhook' },
+  { rule_id: 'stripe_live_secret', regex: /\b(sk_live_[A-Za-z0-9]{24,})\b/g, captureIndex: 1, slugHint: 'stripe_key' },
+  { rule_id: 'stripe_restricted', regex: /\b(rk_live_[A-Za-z0-9]{24,})\b/g, captureIndex: 1, slugHint: 'stripe_key' },
+  { rule_id: 'sendgrid_api_key', regex: /\b(SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43})\b/g, captureIndex: 1, slugHint: 'sendgrid_key' },
+  { rule_id: 'gitlab_pat', regex: /\b(glpat-[A-Za-z0-9_-]{20})\b/g, captureIndex: 1, slugHint: 'gitlab_pat' },
+  { rule_id: 'huggingface_token', regex: /\b(hf_[A-Za-z0-9]{34,})\b/g, captureIndex: 1, slugHint: 'huggingface_token' },
+  // (openai sk-proj-/sk-svcacct- are already covered by the anchored
+  //  `openai_api_key` sk- rule — no separate entry needed.)
+  { rule_id: 'twilio_api_key', regex: /\b(SK[0-9a-f]{32})\b/g, captureIndex: 1, slugHint: 'twilio_api_key' },
+  { rule_id: 'mailgun_key', regex: /\b(key-[0-9a-f]{32})\b/g, captureIndex: 1, slugHint: 'mailgun_key' },
+  // (mailchimp keys are `<32-hex>-us<N>` with NO distinctive prefix — that
+  //  collides with md5 hashes / ETags followed by `-usN` and would auto-delete
+  //  benign messages. Deferred to the planned generic high-entropy detector,
+  //  which asks instead of auto-deleting. Review #2054.)
+  { rule_id: 'digitalocean_pat', regex: /\b(dop_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: 'digitalocean_token' },
+  { rule_id: 'digitalocean_oauth', regex: /\b(doo_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: 'digitalocean_token' },
+  { rule_id: 'digitalocean_refresh', regex: /\b(dor_v1_[a-f0-9]{64})\b/g, captureIndex: 1, slugHint: 'digitalocean_token' },
+  { rule_id: 'doppler_token', regex: /\b(dp\.(?:pt|st|ct|sa|scim|audit)\.[A-Za-z0-9]{40,44})\b/g, captureIndex: 1, slugHint: 'doppler_token' },
+  { rule_id: 'linear_api_key', regex: /\b(lin_api_[A-Za-z0-9]{40})\b/g, captureIndex: 1, slugHint: 'linear_api_key' },
+  { rule_id: 'shopify_access_token', regex: /\b(shpat_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: 'shopify_token' },
+  { rule_id: 'shopify_shared_secret', regex: /\b(shpss_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: 'shopify_token' },
+  { rule_id: 'shopify_private_app', regex: /\b(shppa_[a-fA-F0-9]{32})\b/g, captureIndex: 1, slugHint: 'shopify_token' },
+  { rule_id: 'square_access_token', regex: /\b(sq0atp-[A-Za-z0-9_-]{22})\b/g, captureIndex: 1, slugHint: 'square_token' },
+  { rule_id: 'square_oauth_secret', regex: /\b(sq0csp-[A-Za-z0-9_-]{43})\b/g, captureIndex: 1, slugHint: 'square_token' },
+  { rule_id: 'newrelic_key', regex: /\b(NRAK-[A-Z0-9]{27})\b/g, captureIndex: 1, slugHint: 'newrelic_key' },
+  { rule_id: 'notion_token', regex: /\b(ntn_[A-Za-z0-9]{46})\b/g, captureIndex: 1, slugHint: 'notion_token' },
+  { rule_id: 'planetscale_password', regex: /\b(pscale_pw_[A-Za-z0-9_.-]{43})\b/g, captureIndex: 1, slugHint: 'planetscale_token' },
+  { rule_id: 'planetscale_token', regex: /\b(pscale_tkn_[A-Za-z0-9_.-]{43})\b/g, captureIndex: 1, slugHint: 'planetscale_token' },
+  { rule_id: 'supabase_service_key', regex: /\b(sbp_[a-f0-9]{40})\b/g, captureIndex: 1, slugHint: 'supabase_key' },
+  { rule_id: 'atlassian_token', regex: /\b(ATATT[A-Za-z0-9_\-=]{20,})\b/g, captureIndex: 1, slugHint: 'atlassian_token' },
+  { rule_id: 'dropbox_token', regex: /\b(sl\.[A-Za-z0-9_-]{130,})/g, captureIndex: 1, slugHint: 'dropbox_token' },
+  { rule_id: 'databricks_token', regex: /\b(dapi[a-f0-9]{32})\b/g, captureIndex: 1, slugHint: 'databricks_token' },
+  { rule_id: 'grafana_service_account', regex: /\b(glsa_[A-Za-z0-9]{32}_[a-fA-F0-9]{8})\b/g, captureIndex: 1, slugHint: 'grafana_token' },
+  { rule_id: 'pypi_token', regex: /\b(pypi-AgEIcHlwaS[A-Za-z0-9_-]{50,})/g, captureIndex: 1, slugHint: 'pypi_token' },
+  { rule_id: 'aws_temp_access_key', regex: /\b(ASIA[0-9A-Z]{16})\b/g, captureIndex: 1, slugHint: 'aws_access_key' },
+  { rule_id: 'gcp_oauth_token', regex: /\b(ya29\.[A-Za-z0-9_-]{30,})/g, captureIndex: 1, slugHint: 'gcp_oauth_token' },
+]
+
+/**
+ * Concatenated registry — anchored + provider prefixes first (high
+ * precision), then structured.
  */
-export const ALL_PATTERNS: PatternDef[] = [...ANCHORED_PATTERNS, ...STRUCTURED_PATTERNS]
+export const ALL_PATTERNS: PatternDef[] = [...ANCHORED_PATTERNS, ...PROVIDER_PATTERNS, ...STRUCTURED_PATTERNS]

package/telegram-plugin/secret-detect/redact.ts

@@ -50,7 +50,16 @@ export function redact(text: string): string {
   const urlScrubbed = redactUrls(text)
 
   // Step 2 — token shape detection over the URL-scrubbed text.
-  const hits: Detection[] = detectSecrets(urlScrubbed)
+  // EXCLUDE the generic high-entropy fallback: it is a low-precision
+  // "looks like a secret" signal (it flags dense technical identifiers —
+  // CamelCase class names, snake_case symbols, npm paths, slugs — as well
+  // as real tokens). It exists to drive the inbound "stash to vault or
+  // ignore?" ASK prompt, NOT to silently mask. Letting it into redact()
+  // would corrupt agent replies (the outbound mask) and stored messages.
+  // Only prefix/structured (high) + the contextual kv_entropy hits mask.
+  const hits: Detection[] = detectSecrets(urlScrubbed).filter(
+    (h) => h.rule_id !== 'generic_high_entropy',
+  )
   if (hits.length === 0) return urlScrubbed
 
   // Apply replacements right-to-left so byte offsets stay valid.

package/telegram-plugin/tests/secret-detect-generic-entropy.test.ts

@@ -0,0 +1,94 @@
+import { describe, it, expect } from 'vitest'
+import { detectSecrets } from '../secret-detect/index.js'
+import { scanGenericSecrets, GENERIC_MIN_DISTINCT } from '../secret-detect/generic-entropy.js'
+import { redact } from '../secret-detect/redact.js'
+
+/**
+ * Generic bare-high-entropy fallback (#1) — the long-tail detector for
+ * standalone tokens that no prefix/KV rule matches (the Sanctum class).
+ * Emitted at `ambiguous` confidence: the inbound gate ASKS ("stash to
+ * vault or ignore?") rather than auto-deleting, so recall can be generous.
+ *
+ * Fixtures built by concatenation (no contiguous secret-shaped literals).
+ */
+
+// 32 varied base62 chars → high entropy (~5 bits/char).
+const HIGH_ENTROPY = 'q7Wm2Zx9' + 'Lk4Rp1Vn' + '8Bs3Yt6H' + 'd5Gj0Fc7'
+// 32 chars but only 3 distinct → low entropy (< 4), must NOT flag.
+const LOW_ENTROPY = 'abc'.repeat(11) // 33 chars, entropy ~1.6
+
+describe('generic high-entropy detector', () => {
+  it('flags a standalone high-entropy token as ambiguous', () => {
+    const hits = detectSecrets(`the value is ${HIGH_ENTROPY} ok`)
+    const hit = hits.find((d) => d.rule_id === 'generic_high_entropy')
+    expect(hit).toBeDefined()
+    expect(hit!.matched_text).toBe(HIGH_ENTROPY)
+    expect(hit!.confidence).toBe('ambiguous') // asks, never auto-deletes
+  })
+
+  it('redact() does NOT mask a generic-flagged token (the #2059 outbound-corruption regression)', () => {
+    // HIGH_ENTROPY flags as generic_high_entropy (ambiguous). redact() — the
+    // chokepoint for the outbound reply mask + history + issues — must leave
+    // it intact; masking it would corrupt agent replies. This is the exact
+    // BLOCK that shipped to review; pin it.
+    const text = `use ${HIGH_ENTROPY} for the deploy`
+    expect(redact(text)).toBe(text)
+  })
+
+  it('respects the distinct-char floor (repetitive long strings do not flag)', () => {
+    expect(scanGenericSecrets(LOW_ENTROPY).length).toBe(0) // 3 distinct < 18
+    expect(GENERIC_MIN_DISTINCT).toBe(18)
+  })
+
+  it('caps hits on pathological input (bounds the O(n²) overlap-dedup)', () => {
+    // 100 distinct high-entropy tokens; the scanner must not return all 100.
+    const blob = Array.from({ length: 100 }, (_, i) =>
+      ('q7Wm2Zx9Lk4Rp1Vn8Bs3Yt6H' + 'd5Gj0Fc7') + String(i).padStart(3, '0'),
+    ).join(' ')
+    expect(scanGenericSecrets(blob).length).toBeLessThanOrEqual(20)
+  })
+
+  it('respects the length floor (short tokens do not flag)', () => {
+    const short = 'q7Wm2Zx9Lk4Rp1Vn' // 16 chars
+    expect(scanGenericSecrets(short).length).toBe(0)
+  })
+
+  it('does NOT downgrade a recognized high-confidence token', () => {
+    // A ghp_ token is matched by the anchored pattern (high). The generic
+    // pass must not swallow/downgrade it to ambiguous.
+    const ghp = 'ghp_' + 'A1b2C3d4E5'.repeat(3) // ghp_ + 30
+    const hits = detectSecrets(`token ${ghp} here`)
+    const ghpHit = hits.find((d) => d.matched_text === ghp || d.rule_id === 'github_pat_classic')
+    expect(ghpHit).toBeDefined()
+    expect(ghpHit!.confidence).toBe('high')
+  })
+
+  describe('false-positive guards — benign high-entropy shapes do NOT flag', () => {
+    const BENIGN: Array<[string, string]> = [
+      ['a UUID', '550e8400-e29b-41d4-a716-446655440000'],
+      ['a git SHA (40 hex)', 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0'],
+      ['a sha256 (64 hex)', 'e3b0c44298fc1c149afbf4c8996fb924' + '27ae41e4649b934ca495991b7852b855'],
+      ['an md5 (32 hex)', 'd41d8cd98f00b204' + 'e9800998ecf8427e'],
+      ['a long digit run', '123456789012345678901234567890'],
+      ['plain prose', 'the quick brown fox jumps over the lazy dog repeatedly today'],
+      ['a file path', '/usr/local/lib/python3.11/site-packages/somepackage/internal/module.py'],
+      // Dense technical identifiers — the FP shapes the reviewer flagged.
+      // CamelCase-no-digit → killed by the digit requirement; separator
+      // styles (snake/kebab/npm/slug) → broken into sub-28 runs by the
+      // charset (no `_ - / .`).
+      ['a CamelCase class name', 'AbstractSingletonProxyFactoryBeanGenerator'],
+      ['a snake_case symbol', 'get_user_profile_by_organization_identifier'],
+      ['a kebab-case slug', 'how-to-configure-kubernetes-ingress-with-cert-manager'],
+      ['an npm package path', '@babel/plugin-transform-modules-commonjs'],
+      ['a CSS class string (has a digit)', 'flex-row-justify-between-items-center-gap-4'],
+      ['a long CamelCase phrase', 'TheQuickBrownFoxJumpsOverTheLazyDogToday'],
+      ['a 32-char base62 with NO digit', 'AbcdefGhijkLmnopQrstuVwxyzABCDEFG'],
+    ]
+    for (const [label, text] of BENIGN) {
+      it(`${label} does not flag generic_high_entropy`, () => {
+        const hits = detectSecrets(text).filter((d) => d.rule_id === 'generic_high_entropy')
+        expect(hits, `unexpected: ${JSON.stringify(hits.map((h) => h.matched_text))}`).toHaveLength(0)
+      })
+    }
+  })
+})