switchroom 0.14.33 → 0.14.35

package/dist/agent-scheduler/index.js

@@ -11219,6 +11219,7 @@ var profileFields = {
     }).optional()
   }).optional(),
   schedule: exports_external.array(ScheduleEntrySchema).optional(),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional().describe("Operator-granted STANDING vault keys this agent may read via the " + "broker — independent of any cron or MCP server. Use when an agent " + "needs a credential both interactively and in its own (agent-managed) " + "schedules, so the grant lives with the agent rather than welded to a " + "specific cron's `secrets[]`. OPERATOR-SET ONLY: agents cannot edit " + "switchroom.yaml or self-grant (reference/vision.md outcome 2 — 'you " + "hold the leash; only your tap grants it'). Exact key names. Cascades " + "UNION across defaults -> profile -> agent (see docs/configuration.md)."),
   reactions: ReactionsSchema,
   model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only").optional(),
   thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -11287,6 +11288,7 @@ var AgentSchema = exports_external.object({
   tools: AgentToolsSchema,
   memory: AgentMemorySchema,
   schedule: exports_external.array(ScheduleEntrySchema).default([]),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional(),
   reactions: ReactionsSchema,
   model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only (no spaces or shell specials)").optional().describe("Claude model override (e.g., 'claude-sonnet-4-6')"),
   thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "Per-agent override wins over defaults.thinking_effort. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -11756,6 +11758,12 @@ function mergeAgentConfig(defaultsIn, agentIn) {
       deny: dedupe([...dDeny, ...aDeny])
     };
   }
+  if (defaults.secrets || merged.secrets) {
+    merged.secrets = dedupe([
+      ...defaults.secrets ?? [],
+      ...merged.secrets ?? []
+    ]);
+  }
   if (defaults.soul || merged.soul) {
     const base = defaults.soul ?? {};
     const override = merged.soul ?? {};

package/dist/auth-broker/index.js

@@ -11219,6 +11219,7 @@ var profileFields = {
     }).optional()
   }).optional(),
   schedule: exports_external.array(ScheduleEntrySchema).optional(),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional().describe("Operator-granted STANDING vault keys this agent may read via the " + "broker — independent of any cron or MCP server. Use when an agent " + "needs a credential both interactively and in its own (agent-managed) " + "schedules, so the grant lives with the agent rather than welded to a " + "specific cron's `secrets[]`. OPERATOR-SET ONLY: agents cannot edit " + "switchroom.yaml or self-grant (reference/vision.md outcome 2 — 'you " + "hold the leash; only your tap grants it'). Exact key names. Cascades " + "UNION across defaults -> profile -> agent (see docs/configuration.md)."),
   reactions: ReactionsSchema,
   model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only").optional(),
   thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -11287,6 +11288,7 @@ var AgentSchema = exports_external.object({
   tools: AgentToolsSchema,
   memory: AgentMemorySchema,
   schedule: exports_external.array(ScheduleEntrySchema).default([]),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional(),
   reactions: ReactionsSchema,
   model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only (no spaces or shell specials)").optional().describe("Claude model override (e.g., 'claude-sonnet-4-6')"),
   thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "Per-agent override wins over defaults.thinking_effort. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -11756,6 +11758,12 @@ function mergeAgentConfig(defaultsIn, agentIn) {
       deny: dedupe([...dDeny, ...aDeny])
     };
   }
+  if (defaults.secrets || merged.secrets) {
+    merged.secrets = dedupe([
+      ...defaults.secrets ?? [],
+      ...merged.secrets ?? []
+    ]);
+  }
   if (defaults.soul || merged.soul) {
     const base = defaults.soul ?? {};
     const override = merged.soul ?? {};

package/dist/cli/notion-write-pretool.mjs

@@ -10969,7 +10969,8 @@ var init_protocol = __esm(() => {
     description: exports_external.string().optional(),
     write_keys: exports_external.array(exports_external.string().min(1)).optional(),
     passphrase: exports_external.string().optional(),
-    attest_via_posture: exports_external.boolean().optional()
+    attest_via_posture: exports_external.boolean().optional(),
+    decision_id: exports_external.string().optional()
   });
   ListGrantsRequestSchema = exports_external.object({
     v: exports_external.literal(1),
@@ -11966,6 +11967,7 @@ var profileFields = {
     }).optional()
   }).optional(),
   schedule: exports_external.array(ScheduleEntrySchema).optional(),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional().describe("Operator-granted STANDING vault keys this agent may read via the " + "broker \u2014 independent of any cron or MCP server. Use when an agent " + "needs a credential both interactively and in its own (agent-managed) " + "schedules, so the grant lives with the agent rather than welded to a " + "specific cron's `secrets[]`. OPERATOR-SET ONLY: agents cannot edit " + "switchroom.yaml or self-grant (reference/vision.md outcome 2 \u2014 'you " + "hold the leash; only your tap grants it'). Exact key names. Cascades " + "UNION across defaults -> profile -> agent (see docs/configuration.md)."),
   reactions: ReactionsSchema,
   model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only").optional(),
   thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -12034,6 +12036,7 @@ var AgentSchema = exports_external.object({
   tools: AgentToolsSchema,
   memory: AgentMemorySchema,
   schedule: exports_external.array(ScheduleEntrySchema).default([]),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional(),
   reactions: ReactionsSchema,
   model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only (no spaces or shell specials)").optional().describe("Claude model override (e.g., 'claude-sonnet-4-6')"),
   thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "Per-agent override wins over defaults.thinking_effort. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -12505,6 +12508,12 @@ function mergeAgentConfig(defaultsIn, agentIn) {
       deny: dedupe([...dDeny, ...aDeny])
     };
   }
+  if (defaults.secrets || merged.secrets) {
+    merged.secrets = dedupe([
+      ...defaults.secrets ?? [],
+      ...merged.secrets ?? []
+    ]);
+  }
   if (defaults.soul || merged.soul) {
     const base = defaults.soul ?? {};
     const override = merged.soul ?? {};

package/dist/cli/switchroom.js

@@ -13783,6 +13783,7 @@ var init_schema = __esm(() => {
       }).optional()
     }).optional(),
     schedule: exports_external.array(ScheduleEntrySchema).optional(),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional().describe("Operator-granted STANDING vault keys this agent may read via the " + "broker \u2014 independent of any cron or MCP server. Use when an agent " + "needs a credential both interactively and in its own (agent-managed) " + "schedules, so the grant lives with the agent rather than welded to a " + "specific cron's `secrets[]`. OPERATOR-SET ONLY: agents cannot edit " + "switchroom.yaml or self-grant (reference/vision.md outcome 2 \u2014 'you " + "hold the leash; only your tap grants it'). Exact key names. Cascades " + "UNION across defaults -> profile -> agent (see docs/configuration.md)."),
     reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only").optional(),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -13851,6 +13852,7 @@ var init_schema = __esm(() => {
     tools: AgentToolsSchema,
     memory: AgentMemorySchema,
     schedule: exports_external.array(ScheduleEntrySchema).default([]),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional(),
     reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only (no spaces or shell specials)").optional().describe("Claude model override (e.g., 'claude-sonnet-4-6')"),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "Per-agent override wins over defaults.thinking_effort. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -14372,6 +14374,12 @@ function mergeAgentConfig(defaultsIn, agentIn) {
       deny: dedupe([...dDeny, ...aDeny])
     };
   }
+  if (defaults.secrets || merged.secrets) {
+    merged.secrets = dedupe([
+      ...defaults.secrets ?? [],
+      ...merged.secrets ?? []
+    ]);
+  }
   if (defaults.soul || merged.soul) {
     const base = defaults.soul ?? {};
     const override = merged.soul ?? {};
@@ -22004,7 +22012,8 @@ var init_protocol = __esm(() => {
     description: exports_external.string().optional(),
     write_keys: exports_external.array(exports_external.string().min(1)).optional(),
     passphrase: exports_external.string().optional(),
-    attest_via_posture: exports_external.boolean().optional()
+    attest_via_posture: exports_external.boolean().optional(),
+    decision_id: exports_external.string().optional()
   });
   ListGrantsRequestSchema = exports_external.object({
     v: exports_external.literal(1),
@@ -27941,11 +27950,21 @@ function checkAclByAgent(config, agentName, key) {
       return { allow: true };
     }
   }
+  const cfgSecrets = config;
+  const profileSecrets = profileName != null && profileName.length > 0 ? cfgSecrets.profiles?.[profileName]?.secrets : undefined;
+  const standingSecrets = [
+    ...Array.isArray(cfgSecrets.defaults?.secrets) ? cfgSecrets.defaults.secrets : [],
+    ...Array.isArray(profileSecrets) ? profileSecrets : [],
+    ...Array.isArray(agentConfig.secrets) ? agentConfig.secrets : []
+  ];
+  if (standingSecrets.includes(key)) {
+    return { allow: true };
+  }
   const schedule = agentConfig.schedule ?? [];
   if (schedule.length === 0) {
     return {
       allow: false,
-      reason: `agent '${agentName}' has no schedule entries declaring 'secrets' and no mcp_servers.*.secrets[] declaring '${key}'; nothing is broker-accessible`
+      reason: `agent '${agentName}' has no schedule entries declaring 'secrets', no mcp_servers.*.secrets[], and no agents.${agentName}.secrets[] standing grant declaring '${key}'; nothing is broker-accessible`
     };
   }
   for (const entry of schedule) {
@@ -49420,8 +49439,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.33";
-var COMMIT_SHA = "0b73633c";
+var VERSION = "0.14.35";
+var COMMIT_SHA = "7ac06aea";
 
 // src/cli/agent.ts
 init_source();
@@ -50323,6 +50342,22 @@ If you genuinely need WebFetch back for one agent (e.g. a workflow
 that depends on its specific output shape), set \`mcp_servers.webkite:
 false\` in that agent's switchroom.yaml block \u2014 webkite goes away
 and the native tools come back together.`;
+var VAULT_GUIDANCE = `## Secrets in the vault \u2014 discover, don't guess
+
+Your API keys and credentials live in the Switchroom vault. For normal
+MCP-tool work they're injected by the launchers and you never touch the
+raw values. When a task needs a secret directly (a direct API call an
+MCP tool has no verb for), read it with \`switchroom vault get <key>\`.
+
+**Never guess a key name.** Run \`switchroom vault list\` to see the
+exact keys you already hold \u2014 they're usually namespaced \`<you>/...\`
+(e.g. \`marko/postiz-api-key\`, not \`postiz/api-key\`). Use the real
+name from that list.
+
+Only call the \`vault_request_access\` MCP tool \u2014 which pings the
+operator for a Telegram approval \u2014 for a key you've **confirmed via
+\`vault list\` you don't already have.** Requesting access to a guessed
+or already-held key wastes the operator's tap and fails.`;
 function renderFleetInvariants() {
   return [
     "<!--",
@@ -50347,6 +50382,8 @@ function renderFleetInvariants() {
     MEMORY_GUIDANCE,
     "",
     WEB_FETCH_GUIDANCE,
+    "",
+    VAULT_GUIDANCE,
     ""
   ].join(`
 `);
@@ -58988,6 +59025,26 @@ function scrubSqlite(path, values, dryRun) {
 // src/cli/vault.ts
 init_client();
 
+// src/cli/vault-key-suggest.ts
+function tokenize(key) {
+  return key.toLowerCase().split(/[/\-_.]+/).filter((t) => t.length > 0);
+}
+function suggestVaultKeys(requested, available, max = 3) {
+  const want = new Set(tokenize(requested));
+  if (want.size === 0)
+    return [];
+  const scored = available.map((key) => {
+    const have = new Set(tokenize(key));
+    let shared = 0;
+    for (const t of have)
+      if (want.has(t))
+        shared++;
+    const diff = want.size + have.size - 2 * shared;
+    return { key, shared, diff };
+  }).filter((c) => c.shared > 0 && c.key !== requested).sort((a, b) => b.shared - a.shared || a.diff - b.diff);
+  return scored.slice(0, max).map((c) => c.key);
+}
+
 // src/cli/vault-broker.ts
 init_loader();
 init_loader();
@@ -61285,9 +61342,20 @@ function migrateApprovalSchema(db) {
       approver_set_canonical   TEXT NOT NULL,
       last_used_at             INTEGER,
       revoked_at               INTEGER,
-      revoke_reason            TEXT
+      revoke_reason            TEXT,
+      -- Provenance of the operator-authorization (RFC vault-approval-hard-
+      -- boundary). 'agent': recorded on a per-agent socket \u2014 claude shares
+      -- that socket, so it is FORGEABLE and must NOT be trusted as proof an
+      -- operator tapped. 'operator': recorded via the host-side verifier on a
+      -- claude-unreachable channel \u2014 the only value the broker's mint gate
+      -- trusts. Default 'agent' (fail-closed for the new gate).
+      origin                   TEXT NOT NULL DEFAULT 'agent'
     )
   `);
+  const decisionCols = db.query("PRAGMA table_info(approval_decisions)").all();
+  if (!decisionCols.some((c) => c.name === "origin")) {
+    db.run(`ALTER TABLE approval_decisions ADD COLUMN origin TEXT NOT NULL DEFAULT 'agent'`);
+  }
   db.run(`
     CREATE INDEX IF NOT EXISTS approval_decisions_lookup
     ON approval_decisions(agent_unit, scope, action)
@@ -61389,7 +61457,8 @@ function rowToDecision(row) {
     approver_set_canonical: row.approver_set_canonical,
     last_used_at: row.last_used_at ?? null,
     revoked_at: row.revoked_at ?? null,
-    revoke_reason: row.revoke_reason ?? null
+    revoke_reason: row.revoke_reason ?? null,
+    origin: row.origin === "operator" ? "operator" : "agent"
   };
 }
 var MAX_PENDING_PER_AGENT = 2;
@@ -61555,8 +61624,8 @@ function recordDecision(db, input, now = Date.now()) {
   db.run(`INSERT INTO approval_decisions
        (id, agent_unit, scope, action, decision,
         ttl_expires_at, granted_at, granted_by_user_id,
-        approver_set_canonical, last_used_at, revoked_at, revoke_reason)
-     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, NULL)`, [
+        approver_set_canonical, last_used_at, revoked_at, revoke_reason, origin)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, NULL, ?)`, [
     id,
     input.nonce.agent_unit,
     input.nonce.scope,
@@ -61565,7 +61634,8 @@ function recordDecision(db, input, now = Date.now()) {
     ttl_expires_at,
     now,
     input.granted_by_user_id,
-    canonical
+    canonical,
+    input.origin ?? "agent"
   ]);
   db.run(`UPDATE approval_nonces SET decision_id = ? WHERE request_id = ?`, [id, input.nonce.request_id]);
   const granted = input.decision === "allow_once" || input.decision === "allow_always" || input.decision === "allow_ttl";
@@ -61619,6 +61689,13 @@ function listDecisions(db, filter, now = Date.now()) {
   const rows = db.query(sql).all(...params);
   return rows.map(rowToDecision);
 }
+function getDecision(db, id) {
+  const row = db.query(`SELECT * FROM approval_decisions WHERE id = ?`).get(id);
+  return row ? rowToDecision(row) : null;
+}
+function isOperatorVerifiedDecision(dec, agent_unit, now = Date.now()) {
+  return dec !== null && dec.origin === "operator" && dec.agent_unit === agent_unit && dec.revoked_at === null && (dec.decision === "allow_once" || dec.decision === "allow_always" || dec.decision === "allow_ttl") && (dec.ttl_expires_at === null || dec.ttl_expires_at > now);
+}
 function getNonce(db, request_id) {
   const row = db.query(`SELECT * FROM approval_nonces WHERE request_id = ?`).get(request_id);
   return row ? nonceFromRow(row) : null;
@@ -62634,6 +62711,22 @@ class VaultBroker {
           socket.write(encodeResponse(errorResponse("LOCKED", "Broker is locked")));
           return;
         }
+        if (req.op === "mint_grant" && process.env.SWITCHROOM_REQUIRE_OPERATOR_APPROVAL_MINT === "1") {
+          const decisionId = req.decision_id;
+          const dec = decisionId != null && decisionId !== "" ? getDecision(this.grantsDb, decisionId) : null;
+          if (!isOperatorVerifiedDecision(dec, agentName ?? "")) {
+            writeAudit({
+              ts: new Date().toISOString(),
+              op: req.op,
+              caller: auditCaller,
+              pid: auditPid,
+              cgroup: auditCgroup,
+              result: "denied:posture-mint-needs-operator-verified-decision"
+            });
+            socket.write(encodeResponse(errorResponse("DENIED", "posture-attested mint requires an operator-verified approval (host-side tap); none referenced. See RFC vault-approval-hard-boundary.")));
+            return;
+          }
+        }
         mintPostureAttested = true;
         writeAudit({
           ts: new Date().toISOString(),
@@ -64404,14 +64497,19 @@ function refuseSandboxDirectAccess(verbHint) {
 `);
   process.exit(VAULT_EXIT_SANDBOX_CONTEXT);
 }
-function recoveryHint(situation, key) {
+function recoveryHint(situation, key, suggestions) {
   if (!isSandboxContext()) {
     const keyArg = key ? ` ${key}` : "";
     return `Hint: run 'switchroom vault get --no-broker${keyArg}' for interactive (non-cron) access.`;
   }
   switch (situation) {
-    case "denied":
-      return `Hint: this agent has no grant for ${key ? `'${key}'` : "this key"}. ` + `Call the \`vault_request_access\` MCP tool ` + `(key=${key ? `'${key}'` : "'<key>'"}, scope='read') ` + `to ask the operator for access via a Telegram approval card. ` + `Do NOT retry with --no-broker \u2014 the vault file is not mounted ` + `into agent containers.`;
+    case "denied": {
+      const named = key ? `'${key}'` : "this key";
+      if (suggestions && suggestions.length > 0) {
+        return `Hint: you have no grant for ${named} \u2014 that key may not even exist. ` + `You ALREADY have access to similar keys: ${suggestions.join(", ")}. ` + `Try \`switchroom vault get <one-of-those>\` instead. ` + `Run \`switchroom vault list\` to see every key you hold. ` + `Only call the \`vault_request_access\` MCP tool for a key you've ` + `confirmed (via \`vault list\`) you don't already have. ` + `Do NOT retry with --no-broker \u2014 the vault file is not mounted ` + `into agent containers.`;
+      }
+      return `Hint: this agent has no grant for ${named}. ` + `FIRST run \`switchroom vault list\` to see the keys you already hold \u2014 ` + `the real name often differs from a guessed one (it's usually ` + `namespaced \`<you>/...\`). ` + `If you genuinely lack it, call the \`vault_request_access\` MCP tool ` + `(key=${key ? `'${key}'` : "'<key>'"}, scope='read') ` + `to ask the operator for access via a Telegram approval card. ` + `Do NOT retry with --no-broker \u2014 the vault file is not mounted ` + `into agent containers.`;
+    }
     case "locked":
       return `Hint: the broker is locked. Ask the operator to unlock it ` + `(\`/vault unlock\` in this chat, or ` + `\`switchroom vault broker unlock\` on the host). ` + `Do NOT retry with --no-broker \u2014 the vault file is not mounted ` + `into agent containers.`;
     case "unreachable":
@@ -64829,8 +64927,14 @@ Push passphrase to broker for future requests? [Y/n]: `);
           if (process.stdin.isTTY) {
             console.error(source_default.yellow(`broker denied request (${result.code}): ${result.msg}. ` + `Falling back to direct vault access.`));
           } else {
+            let suggestions = [];
+            try {
+              const myKeys = await listViaBroker(brokerOpts);
+              if (myKeys && key)
+                suggestions = suggestVaultKeys(key, myKeys);
+            } catch {}
             process.stderr.write(`VAULT-BROKER-DENIED [${result.code}]: ${result.msg}
-` + `${recoveryHint("denied", key)}
+` + `${recoveryHint("denied", key, suggestions)}
 `);
             writeVaultDeniedEnvelope(key, result.code, result.msg);
             process.exit(2);
@@ -75544,7 +75648,7 @@ var DEFAULT_MEMORY_SEARCH_MAX_RESULTS = 6;
 var DEFAULT_MEMORY_SEARCH_SNIPPET_CHARS = 220;
 var MEMORY_SEARCH_MAX_INDEXED_CHARS = 2000000;
 var MEMORY_SEARCH_MAX_FILE_SIZE = 512 * 1024;
-function tokenize(text) {
+function tokenize2(text) {
   return text.toLowerCase().split(/[^a-z0-9]+/u).filter((t) => t.length > 1 && t.length < 40);
 }
 async function listMarkdownFiles(workspaceDir, maxDepth = 3) {
@@ -75596,7 +75700,7 @@ async function loadIndex(workspaceDir) {
     if (content.length === 0)
       continue;
     totalChars += content.length;
-    const terms = tokenize(content);
+    const terms = tokenize2(content);
     const freq = new Map;
     for (const t of terms) {
       freq.set(t, (freq.get(t) ?? 0) + 1);
@@ -75669,7 +75773,7 @@ function computeIdf(index, queryTerms) {
 async function searchWorkspaceMemory(params) {
   const maxResults = params.maxResults ?? DEFAULT_MEMORY_SEARCH_MAX_RESULTS;
   const snippetChars = params.snippetChars ?? DEFAULT_MEMORY_SEARCH_SNIPPET_CHARS;
-  const queryTerms = Array.from(new Set(tokenize(params.query)));
+  const queryTerms = Array.from(new Set(tokenize2(params.query)));
   if (queryTerms.length === 0) {
     return { query: params.query, indexedFiles: 0, totalMatches: 0, hits: [] };
   }

package/dist/host-control/main.js

@@ -13954,6 +13954,7 @@ var profileFields = {
     }).optional()
   }).optional(),
   schedule: exports_external.array(ScheduleEntrySchema).optional(),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional().describe("Operator-granted STANDING vault keys this agent may read via the " + "broker — independent of any cron or MCP server. Use when an agent " + "needs a credential both interactively and in its own (agent-managed) " + "schedules, so the grant lives with the agent rather than welded to a " + "specific cron's `secrets[]`. OPERATOR-SET ONLY: agents cannot edit " + "switchroom.yaml or self-grant (reference/vision.md outcome 2 — 'you " + "hold the leash; only your tap grants it'). Exact key names. Cascades " + "UNION across defaults -> profile -> agent (see docs/configuration.md)."),
   reactions: ReactionsSchema,
   model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only").optional(),
   thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -14022,6 +14023,7 @@ var AgentSchema = exports_external.object({
   tools: AgentToolsSchema,
   memory: AgentMemorySchema,
   schedule: exports_external.array(ScheduleEntrySchema).default([]),
+  secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional(),
   reactions: ReactionsSchema,
   model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only (no spaces or shell specials)").optional().describe("Claude model override (e.g., 'claude-sonnet-4-6')"),
   thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "Per-agent override wins over defaults.thinking_effort. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -14501,6 +14503,12 @@ function mergeAgentConfig(defaultsIn, agentIn) {
       deny: dedupe([...dDeny, ...aDeny])
     };
   }
+  if (defaults.secrets || merged.secrets) {
+    merged.secrets = dedupe([
+      ...defaults.secrets ?? [],
+      ...merged.secrets ?? []
+    ]);
+  }
   if (defaults.soul || merged.soul) {
     const base = defaults.soul ?? {};
     const override = merged.soul ?? {};

package/dist/vault/approvals/kernel-server.js

@@ -4106,6 +4106,12 @@ function mergeAgentConfig(defaultsIn, agentIn) {
       deny: dedupe([...dDeny, ...aDeny])
     };
   }
+  if (defaults.secrets || merged.secrets) {
+    merged.secrets = dedupe([
+      ...defaults.secrets ?? [],
+      ...merged.secrets ?? []
+    ]);
+  }
   if (defaults.soul || merged.soul) {
     const base = defaults.soul ?? {};
     const override = merged.soul ?? {};
@@ -11534,6 +11540,7 @@ var init_schema = __esm(() => {
       }).optional()
     }).optional(),
     schedule: exports_external.array(ScheduleEntrySchema).optional(),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional().describe("Operator-granted STANDING vault keys this agent may read via the " + "broker — independent of any cron or MCP server. Use when an agent " + "needs a credential both interactively and in its own (agent-managed) " + "schedules, so the grant lives with the agent rather than welded to a " + "specific cron's `secrets[]`. OPERATOR-SET ONLY: agents cannot edit " + "switchroom.yaml or self-grant (reference/vision.md outcome 2 — 'you " + "hold the leash; only your tap grants it'). Exact key names. Cascades " + "UNION across defaults -> profile -> agent (see docs/configuration.md)."),
     reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only").optional(),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -11602,6 +11609,7 @@ var init_schema = __esm(() => {
     tools: AgentToolsSchema,
     memory: AgentMemorySchema,
     schedule: exports_external.array(ScheduleEntrySchema).default([]),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional(),
     reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only (no spaces or shell specials)").optional().describe("Claude model override (e.g., 'claude-sonnet-4-6')"),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "Per-agent override wins over defaults.thinking_effort. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -12272,7 +12280,8 @@ var MintGrantRequestSchema = exports_external.object({
   description: exports_external.string().optional(),
   write_keys: exports_external.array(exports_external.string().min(1)).optional(),
   passphrase: exports_external.string().optional(),
-  attest_via_posture: exports_external.boolean().optional()
+  attest_via_posture: exports_external.boolean().optional(),
+  decision_id: exports_external.string().optional()
 });
 var ListGrantsRequestSchema = exports_external.object({
   v: exports_external.literal(1),
@@ -12587,9 +12596,20 @@ function migrateApprovalSchema(db) {
       approver_set_canonical   TEXT NOT NULL,
       last_used_at             INTEGER,
       revoked_at               INTEGER,
-      revoke_reason            TEXT
+      revoke_reason            TEXT,
+      -- Provenance of the operator-authorization (RFC vault-approval-hard-
+      -- boundary). 'agent': recorded on a per-agent socket — claude shares
+      -- that socket, so it is FORGEABLE and must NOT be trusted as proof an
+      -- operator tapped. 'operator': recorded via the host-side verifier on a
+      -- claude-unreachable channel — the only value the broker's mint gate
+      -- trusts. Default 'agent' (fail-closed for the new gate).
+      origin                   TEXT NOT NULL DEFAULT 'agent'
     )
   `);
+  const decisionCols = db.query("PRAGMA table_info(approval_decisions)").all();
+  if (!decisionCols.some((c) => c.name === "origin")) {
+    db.run(`ALTER TABLE approval_decisions ADD COLUMN origin TEXT NOT NULL DEFAULT 'agent'`);
+  }
   db.run(`
     CREATE INDEX IF NOT EXISTS approval_decisions_lookup
     ON approval_decisions(agent_unit, scope, action)
@@ -12665,7 +12685,8 @@ function rowToDecision(row) {
     approver_set_canonical: row.approver_set_canonical,
     last_used_at: row.last_used_at ?? null,
     revoked_at: row.revoked_at ?? null,
-    revoke_reason: row.revoke_reason ?? null
+    revoke_reason: row.revoke_reason ?? null,
+    origin: row.origin === "operator" ? "operator" : "agent"
   };
 }
 var MAX_PENDING_PER_AGENT = 2;
@@ -12831,8 +12852,8 @@ function recordDecision(db, input, now = Date.now()) {
   db.run(`INSERT INTO approval_decisions
        (id, agent_unit, scope, action, decision,
         ttl_expires_at, granted_at, granted_by_user_id,
-        approver_set_canonical, last_used_at, revoked_at, revoke_reason)
-     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, NULL)`, [
+        approver_set_canonical, last_used_at, revoked_at, revoke_reason, origin)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, NULL, ?)`, [
     id,
     input.nonce.agent_unit,
     input.nonce.scope,
@@ -12841,7 +12862,8 @@ function recordDecision(db, input, now = Date.now()) {
     ttl_expires_at,
     now,
     input.granted_by_user_id,
-    canonical
+    canonical,
+    input.origin ?? "agent"
   ]);
   db.run(`UPDATE approval_nonces SET decision_id = ? WHERE request_id = ?`, [id, input.nonce.request_id]);
   const granted = input.decision === "allow_once" || input.decision === "allow_always" || input.decision === "allow_ttl";
@@ -12869,7 +12891,8 @@ function consumeAndRecord(db, input, now = Date.now()) {
       decision: input.decision,
       approver_set: input.approver_set,
       granted_by_user_id: input.granted_by_user_id,
-      ttl_ms: input.ttl_ms
+      ttl_ms: input.ttl_ms,
+      origin: input.origin
     }, now);
     return { consumed: true, decision_id, nonce };
   });

package/dist/vault/broker/server.js

@@ -140,6 +140,12 @@ function mergeAgentConfig(defaultsIn, agentIn) {
       deny: dedupe([...dDeny, ...aDeny])
     };
   }
+  if (defaults.secrets || merged.secrets) {
+    merged.secrets = dedupe([
+      ...defaults.secrets ?? [],
+      ...merged.secrets ?? []
+    ]);
+  }
   if (defaults.soul || merged.soul) {
     const base = defaults.soul ?? {};
     const override = merged.soul ?? {};
@@ -11534,6 +11540,7 @@ var init_schema = __esm(() => {
       }).optional()
     }).optional(),
     schedule: exports_external.array(ScheduleEntrySchema).optional(),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional().describe("Operator-granted STANDING vault keys this agent may read via the " + "broker — independent of any cron or MCP server. Use when an agent " + "needs a credential both interactively and in its own (agent-managed) " + "schedules, so the grant lives with the agent rather than welded to a " + "specific cron's `secrets[]`. OPERATOR-SET ONLY: agents cannot edit " + "switchroom.yaml or self-grant (reference/vision.md outcome 2 — 'you " + "hold the leash; only your tap grants it'). Exact key names. Cascades " + "UNION across defaults -> profile -> agent (see docs/configuration.md)."),
     reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only").optional(),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -11602,6 +11609,7 @@ var init_schema = __esm(() => {
     tools: AgentToolsSchema,
     memory: AgentMemorySchema,
     schedule: exports_external.array(ScheduleEntrySchema).default([]),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional(),
     reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only (no spaces or shell specials)").optional().describe("Claude model override (e.g., 'claude-sonnet-4-6')"),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "Per-agent override wins over defaults.thinking_effort. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -13288,11 +13296,21 @@ function checkAclByAgent(config, agentName, key) {
       return { allow: true };
     }
   }
+  const cfgSecrets = config;
+  const profileSecrets = profileName != null && profileName.length > 0 ? cfgSecrets.profiles?.[profileName]?.secrets : undefined;
+  const standingSecrets = [
+    ...Array.isArray(cfgSecrets.defaults?.secrets) ? cfgSecrets.defaults.secrets : [],
+    ...Array.isArray(profileSecrets) ? profileSecrets : [],
+    ...Array.isArray(agentConfig.secrets) ? agentConfig.secrets : []
+  ];
+  if (standingSecrets.includes(key)) {
+    return { allow: true };
+  }
   const schedule = agentConfig.schedule ?? [];
   if (schedule.length === 0) {
     return {
       allow: false,
-      reason: `agent '${agentName}' has no schedule entries declaring 'secrets' and no mcp_servers.*.secrets[] declaring '${key}'; nothing is broker-accessible`
+      reason: `agent '${agentName}' has no schedule entries declaring 'secrets', no mcp_servers.*.secrets[], and no agents.${agentName}.secrets[] standing grant declaring '${key}'; nothing is broker-accessible`
     };
   }
   for (const entry of schedule) {
@@ -13377,7 +13395,8 @@ var MintGrantRequestSchema = exports_external.object({
   description: exports_external.string().optional(),
   write_keys: exports_external.array(exports_external.string().min(1)).optional(),
   passphrase: exports_external.string().optional(),
-  attest_via_posture: exports_external.boolean().optional()
+  attest_via_posture: exports_external.boolean().optional(),
+  decision_id: exports_external.string().optional()
 });
 var ListGrantsRequestSchema = exports_external.object({
   v: exports_external.literal(1),
@@ -15714,9 +15733,20 @@ function migrateApprovalSchema(db) {
       approver_set_canonical   TEXT NOT NULL,
       last_used_at             INTEGER,
       revoked_at               INTEGER,
-      revoke_reason            TEXT
+      revoke_reason            TEXT,
+      -- Provenance of the operator-authorization (RFC vault-approval-hard-
+      -- boundary). 'agent': recorded on a per-agent socket — claude shares
+      -- that socket, so it is FORGEABLE and must NOT be trusted as proof an
+      -- operator tapped. 'operator': recorded via the host-side verifier on a
+      -- claude-unreachable channel — the only value the broker's mint gate
+      -- trusts. Default 'agent' (fail-closed for the new gate).
+      origin                   TEXT NOT NULL DEFAULT 'agent'
     )
   `);
+  const decisionCols = db.query("PRAGMA table_info(approval_decisions)").all();
+  if (!decisionCols.some((c) => c.name === "origin")) {
+    db.run(`ALTER TABLE approval_decisions ADD COLUMN origin TEXT NOT NULL DEFAULT 'agent'`);
+  }
   db.run(`
     CREATE INDEX IF NOT EXISTS approval_decisions_lookup
     ON approval_decisions(agent_unit, scope, action)
@@ -15818,7 +15848,8 @@ function rowToDecision(row) {
     approver_set_canonical: row.approver_set_canonical,
     last_used_at: row.last_used_at ?? null,
     revoked_at: row.revoked_at ?? null,
-    revoke_reason: row.revoke_reason ?? null
+    revoke_reason: row.revoke_reason ?? null,
+    origin: row.origin === "operator" ? "operator" : "agent"
   };
 }
 var MAX_PENDING_PER_AGENT = 2;
@@ -15984,8 +16015,8 @@ function recordDecision(db, input, now = Date.now()) {
   db.run(`INSERT INTO approval_decisions
        (id, agent_unit, scope, action, decision,
         ttl_expires_at, granted_at, granted_by_user_id,
-        approver_set_canonical, last_used_at, revoked_at, revoke_reason)
-     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, NULL)`, [
+        approver_set_canonical, last_used_at, revoked_at, revoke_reason, origin)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, NULL, NULL, ?)`, [
     id,
     input.nonce.agent_unit,
     input.nonce.scope,
@@ -15994,7 +16025,8 @@ function recordDecision(db, input, now = Date.now()) {
     ttl_expires_at,
     now,
     input.granted_by_user_id,
-    canonical
+    canonical,
+    input.origin ?? "agent"
   ]);
   db.run(`UPDATE approval_nonces SET decision_id = ? WHERE request_id = ?`, [id, input.nonce.request_id]);
   const granted = input.decision === "allow_once" || input.decision === "allow_always" || input.decision === "allow_ttl";
@@ -16048,6 +16080,13 @@ function listDecisions(db, filter, now = Date.now()) {
   const rows = db.query(sql).all(...params);
   return rows.map(rowToDecision);
 }
+function getDecision(db, id) {
+  const row = db.query(`SELECT * FROM approval_decisions WHERE id = ?`).get(id);
+  return row ? rowToDecision(row) : null;
+}
+function isOperatorVerifiedDecision(dec, agent_unit, now = Date.now()) {
+  return dec !== null && dec.origin === "operator" && dec.agent_unit === agent_unit && dec.revoked_at === null && (dec.decision === "allow_once" || dec.decision === "allow_always" || dec.decision === "allow_ttl") && (dec.ttl_expires_at === null || dec.ttl_expires_at > now);
+}
 function getNonce(db, request_id) {
   const row = db.query(`SELECT * FROM approval_nonces WHERE request_id = ?`).get(request_id);
   return row ? nonceFromRow(row) : null;
@@ -17063,6 +17102,22 @@ class VaultBroker {
           socket.write(encodeResponse(errorResponse("LOCKED", "Broker is locked")));
           return;
         }
+        if (req.op === "mint_grant" && process.env.SWITCHROOM_REQUIRE_OPERATOR_APPROVAL_MINT === "1") {
+          const decisionId = req.decision_id;
+          const dec = decisionId != null && decisionId !== "" ? getDecision(this.grantsDb, decisionId) : null;
+          if (!isOperatorVerifiedDecision(dec, agentName ?? "")) {
+            writeAudit({
+              ts: new Date().toISOString(),
+              op: req.op,
+              caller: auditCaller,
+              pid: auditPid,
+              cgroup: auditCgroup,
+              result: "denied:posture-mint-needs-operator-verified-decision"
+            });
+            socket.write(encodeResponse(errorResponse("DENIED", "posture-attested mint requires an operator-verified approval (host-side tap); none referenced. See RFC vault-approval-hard-boundary.")));
+            return;
+          }
+        }
         mintPostureAttested = true;
         writeAudit({
           ts: new Date().toISOString(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.14.33",
+  "version": "0.14.35",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {
@@ -25,7 +25,7 @@
     "pretest": "npm run build",
     "test": "vitest run && bun test telegram-plugin/tests/history.test.ts telegram-plugin/tests/history-reaper.test.ts telegram-plugin/tests/ipc-server-client.test.ts telegram-plugin/tests/ipc-server-race.test.ts telegram-plugin/tests/gateway-bridge.test.ts telegram-plugin/tests/gateway-startup-mutex.test.ts telegram-plugin/tests/gateway-clean-shutdown-marker.test.ts telegram-plugin/tests/boot-card-dedupe.test.ts telegram-plugin/tests/boot-card-reason.test.ts telegram-plugin/tests/progress-update.test.ts telegram-plugin/tests/quota-cache.test.ts telegram-plugin/tests/silent-reply-guard.test.ts telegram-plugin/tests/unhandled-rejection-policy.test.ts telegram-plugin/tests/registry-turns.test.ts telegram-plugin/registry/subagents.test.ts telegram-plugin/tests/turns-writer.test.ts telegram-plugin/tests/resume-inbound-builder.test.ts telegram-plugin/registry/api-registry.test.ts telegram-plugin/registry/turns-schema.test.ts telegram-plugin/tests/idle-footer-wiring.test.ts telegram-plugin/tests/subagent-tracker-hooks.test.ts telegram-plugin/tests/resolve-calling-subagent.test.ts telegram-plugin/tests/gateway-update-placeholder-dispatch.test.ts telegram-plugin/tests/reaction-trigger.test.ts telegram-plugin/tests/reaction-trigger-flow.test.ts telegram-plugin/gateway/webhook-ingest-server.test.ts",
     "test:vitest": "vitest run",
-    "test:bun": "bun test src/watchdog/state.test.ts src/watchdog/policy.test.ts src/vault/grants.test.ts src/vault/write-grants.test.ts src/vault/broker/server-grants.test.ts src/vault/broker/server-write-grants.test.ts src/vault/broker/server-mint-grant-passphrase-attest.test.ts src/vault/broker/server-passphrase-attest.test.ts src/vault/broker/server-mint-grant-posture-attest.test.ts src/vault/broker/client-token.test.ts src/vault/broker/server-unlock.test.ts src/vault/broker/auto-unlock.test.ts src/vault/broker/drift-detection.test.ts tests/vault-broker-passphrase.test.ts src/cli/vault-get-broker.test.ts src/vault/resolver-via-broker.test.ts src/vault/broker/scope.test.ts src/vault/broker/server.test.ts src/drive/disconnect.test.ts src/drive/grants.test.ts src/drive/oauth.test.ts src/drive/onboarding.test.ts src/drive/reconciler.test.ts src/drive/vault-slots.test.ts src/drive/wrapper.test.ts src/vault/approvals/kernel.test.ts src/vault/approvals/schema-idempotent.test.ts src/vault/broker/server-approvals.test.ts telegram-plugin/tests/boot-probes.test.ts telegram-plugin/tests/boot-version-string.test.ts telegram-plugin/tests/history.test.ts telegram-plugin/tests/history-reaper.test.ts telegram-plugin/tests/ipc-server-client.test.ts telegram-plugin/tests/ipc-server-race.test.ts telegram-plugin/tests/gateway-bridge.test.ts telegram-plugin/tests/gateway-startup-mutex.test.ts telegram-plugin/tests/gateway-clean-shutdown-marker.test.ts telegram-plugin/tests/boot-card-dedupe.test.ts telegram-plugin/tests/boot-card-reason.test.ts telegram-plugin/tests/progress-update.test.ts telegram-plugin/tests/quota-cache.test.ts telegram-plugin/tests/silent-reply-guard.test.ts telegram-plugin/tests/unhandled-rejection-policy.test.ts telegram-plugin/tests/registry-turns.test.ts telegram-plugin/registry/subagents.test.ts telegram-plugin/tests/turns-writer.test.ts telegram-plugin/tests/resume-inbound-builder.test.ts telegram-plugin/tests/resolve-calling-subagent.test.ts telegram-plugin/tests/gateway-update-placeholder-dispatch.test.ts telegram-plugin/tests/reaction-trigger.test.ts telegram-plugin/tests/reaction-trigger-flow.test.ts telegram-plugin/uat/load-env.test.ts telegram-plugin/uat/feed-matcher.test.ts telegram-plugin/gateway/webhook-ingest-server.test.ts",
+    "test:bun": "bun test src/watchdog/state.test.ts src/watchdog/policy.test.ts src/vault/grants.test.ts src/vault/write-grants.test.ts src/vault/broker/server-grants.test.ts src/vault/broker/server-write-grants.test.ts src/vault/broker/server-mint-grant-passphrase-attest.test.ts src/vault/broker/server-passphrase-attest.test.ts src/vault/broker/server-mint-grant-posture-attest.test.ts src/vault/broker/client-token.test.ts src/vault/broker/server-unlock.test.ts src/vault/broker/auto-unlock.test.ts src/vault/broker/drift-detection.test.ts tests/vault-broker-passphrase.test.ts src/cli/vault-get-broker.test.ts src/vault/resolver-via-broker.test.ts src/vault/broker/scope.test.ts src/vault/broker/server.test.ts src/drive/disconnect.test.ts src/drive/grants.test.ts src/drive/oauth.test.ts src/drive/onboarding.test.ts src/drive/reconciler.test.ts src/drive/vault-slots.test.ts src/drive/wrapper.test.ts src/vault/approvals/kernel.test.ts src/vault/approvals/approval-origin.test.ts src/vault/approvals/schema-idempotent.test.ts src/vault/broker/server-approvals.test.ts telegram-plugin/tests/boot-probes.test.ts telegram-plugin/tests/boot-version-string.test.ts telegram-plugin/tests/history.test.ts telegram-plugin/tests/history-reaper.test.ts telegram-plugin/tests/ipc-server-client.test.ts telegram-plugin/tests/ipc-server-race.test.ts telegram-plugin/tests/gateway-bridge.test.ts telegram-plugin/tests/gateway-startup-mutex.test.ts telegram-plugin/tests/gateway-clean-shutdown-marker.test.ts telegram-plugin/tests/boot-card-dedupe.test.ts telegram-plugin/tests/boot-card-reason.test.ts telegram-plugin/tests/progress-update.test.ts telegram-plugin/tests/quota-cache.test.ts telegram-plugin/tests/silent-reply-guard.test.ts telegram-plugin/tests/unhandled-rejection-policy.test.ts telegram-plugin/tests/registry-turns.test.ts telegram-plugin/registry/subagents.test.ts telegram-plugin/tests/turns-writer.test.ts telegram-plugin/tests/resume-inbound-builder.test.ts telegram-plugin/tests/resolve-calling-subagent.test.ts telegram-plugin/tests/gateway-update-placeholder-dispatch.test.ts telegram-plugin/tests/reaction-trigger.test.ts telegram-plugin/tests/reaction-trigger-flow.test.ts telegram-plugin/uat/load-env.test.ts telegram-plugin/uat/feed-matcher.test.ts telegram-plugin/gateway/webhook-ingest-server.test.ts",
     "test:watch": "vitest",
     "lint": "tsc --noEmit && node scripts/check-plugin-references.mjs && bash scripts/check-bot-api-wrapping.sh && node scripts/check-bun-test-imports.mjs && node scripts/check-no-pii-secrets.mjs && node scripts/check-vault-test-hermeticity.mjs && node scripts/check-no-broadcast-delivery.mjs",
     "lint:tsc": "tsc --noEmit",

package/telegram-plugin/dist/gateway/gateway.js

@@ -23925,6 +23925,7 @@ var init_schema = __esm(() => {
       }).optional()
     }).optional(),
     schedule: exports_external.array(ScheduleEntrySchema).optional(),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional().describe("Operator-granted STANDING vault keys this agent may read via the " + "broker \u2014 independent of any cron or MCP server. Use when an agent " + "needs a credential both interactively and in its own (agent-managed) " + "schedules, so the grant lives with the agent rather than welded to a " + "specific cron's `secrets[]`. OPERATOR-SET ONLY: agents cannot edit " + "switchroom.yaml or self-grant (reference/vision.md outcome 2 \u2014 'you " + "hold the leash; only your tap grants it'). Exact key names. Cascades " + "UNION across defaults -> profile -> agent (see docs/configuration.md)."),
     reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only").optional(),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -23993,6 +23994,7 @@ var init_schema = __esm(() => {
     tools: AgentToolsSchema,
     memory: AgentMemorySchema,
     schedule: exports_external.array(ScheduleEntrySchema).default([]),
+    secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).optional(),
     reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only (no spaces or shell specials)").optional().describe("Claude model override (e.g., 'claude-sonnet-4-6')"),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "Per-agent override wins over defaults.thinking_effort. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
@@ -24472,6 +24474,12 @@ function mergeAgentConfig(defaultsIn, agentIn) {
       deny: dedupe([...dDeny, ...aDeny])
     };
   }
+  if (defaults.secrets || merged.secrets) {
+    merged.secrets = dedupe([
+      ...defaults.secrets ?? [],
+      ...merged.secrets ?? []
+    ]);
+  }
   if (defaults.soul || merged.soul) {
     const base = defaults.soul ?? {};
     const override = merged.soul ?? {};
@@ -27725,7 +27733,8 @@ var init_protocol2 = __esm(() => {
     description: exports_external.string().optional(),
     write_keys: exports_external.array(exports_external.string().min(1)).optional(),
     passphrase: exports_external.string().optional(),
-    attest_via_posture: exports_external.boolean().optional()
+    attest_via_posture: exports_external.boolean().optional(),
+    decision_id: exports_external.string().optional()
   });
   ListGrantsRequestSchema = exports_external.object({
     v: exports_external.literal(1),
@@ -44481,6 +44490,12 @@ function mergeAgentConfig2(defaultsIn, agentIn) {
       deny: dedupe2([...dDeny, ...aDeny])
     };
   }
+  if (defaults.secrets || merged.secrets) {
+    merged.secrets = dedupe2([
+      ...defaults.secrets ?? [],
+      ...merged.secrets ?? []
+    ]);
+  }
   if (defaults.soul || merged.soul) {
     const base = defaults.soul ?? {};
     const override = merged.soul ?? {};
@@ -51766,10 +51781,10 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.14.33";
-var COMMIT_SHA = "0b73633c";
-var COMMIT_DATE = "2026-06-01T12:35:17Z";
-var LATEST_PR = 2066;
+var VERSION = "0.14.35";
+var COMMIT_SHA = "7ac06aea";
+var COMMIT_DATE = "2026-06-01T21:48:46Z";
+var LATEST_PR = 2072;
 var COMMITS_AHEAD_OF_TAG = 0;
 
 // gateway/boot-version.ts