switchroom 0.14.6 → 0.14.8

package/telegram-plugin/tests/always-allow-grant.test.ts

@@ -1,32 +1,27 @@
 /**
- * Structural contract tests for the "🔁 Always allow" handler in
- * gateway.ts (the `behavior === 'always'` branch of the perm: callback
- * dispatcher).
+ * Structural contract tests for the durable "🔁 Always allow" handler
+ * in gateway.ts (the `behavior === 'always'` branch of the perm:
+ * callback dispatcher), reworked for #1977.
  *
  * Why structural: the handler lives inside a Grammy callback closure
  * that's not exported. Full-function invocation would require a complete
- * Grammy + switchroomExec harness. Instead, we pin the source-level
- * invariants that were introduced to fix the silent-failure bug:
+ * Grammy + hostd + switchroomExec harness. The behavioural pieces are
+ * covered by the pure-function tests (permission-diff.test.ts) and the
+ * correlation handler tests (always-allow-correlation.test.ts); this
+ * file pins the source-level invariants of the orchestration block.
  *
- *   1. Loud failure text — the failure path must NOT read like success
- *      (`✅ Allowed …`). After the fix, both the toast (ackText) and the
- *      chat edit (editLabel) use the `⚠️` marker.
- *   2. Post-write verification — after `switchroomExec` returns success
- *      the handler MUST re-read the config and check that the rule is
- *      actually present in `tools.allow`. If the check fails it sets
- *      grantOk=false and surfaces the loud message.
- *   3. Success path unchanged — when `grantOk` is true the success
- *      strings (`🔁 Always allow …`, `restart agent for full effect`)
- *      are still present.
- *   4. Error reason capture — `grantFailReason` is declared and
- *      populated from `(err as Error).message` so the root cause can
- *      appear in logs; it is NOT silently swallowed into `message`-less
- *      stderr output.
+ * Post-#1977 contract:
+ *   1. The in-flight Allow verdict fires IMMEDIATELY (before awaiting
+ *      hostd) so the turn never blocks on host-config persistence.
+ *   2. Durable persistence goes through hostd's `config_propose_edit`
+ *      (synthesizeAllowRuleDiff → tryHostdDispatch).
+ *   3. The legacy `switchroom agent grant` path is the
+ *      not-configured fallback ONLY (not the primary path), and it
+ *      still verifies via isRulePersisted with honest messaging.
+ *   4. Failure text never falsely claims durable success.
  *
  * Slicing strategy: we extract the `if (behavior === 'always') {` block
- * from gateway.ts and run string assertions against that slice only —
- * so additions elsewhere in the 17k-line file don't produce false
- * positives or negatives.
+ * from gateway.ts and run string assertions against that slice only.
  */
 
 import { describe, it, expect } from 'vitest'
@@ -53,95 +48,96 @@ function sliceAlwaysBlock(): string {
 
 const alwaysBlock = sliceAlwaysBlock()
 
-describe('always-allow handler — loud failure invariants', () => {
-  it('failure ackText uses the ⚠️ warning marker, not ✅', () => {
-    // The failure path must be unambiguous. Before the fix, the failure
-    // ackText started with "✅ Allowed …" which reads like success.
-    expect(alwaysBlock).toContain(
-      `⚠️ Allowed for now, but "always" did NOT save — it will ask again after restart. Check gateway log.`,
-    )
-    // Confirm the old misleading text is gone.
-    expect(alwaysBlock).not.toContain('✅ Allowed (always-allow yaml edit failed')
+describe('always-allow handler — immediate verdict dispatch (turn must not block)', () => {
+  it('dispatches the permission verdict BEFORE the hostd await', () => {
+    const verdictIdx = alwaysBlock.indexOf('dispatchPermissionVerdict({')
+    const hostdAwaitIdx = alwaysBlock.indexOf('await tryHostdDispatch(')
+    expect(verdictIdx).toBeGreaterThan(-1)
+    expect(hostdAwaitIdx).toBeGreaterThan(-1)
+    // The verdict fires first — independent of the durable persistence
+    // round-trip.
+    expect(verdictIdx).toBeLessThan(hostdAwaitIdx)
+  })
+
+  it('carries the resolved rule on the verdict so the bridge caches it', () => {
+    expect(alwaysBlock).toContain("behavior: 'allow'")
+    expect(alwaysBlock).toContain('rule: rule.rule')
   })
 
-  it('failure editLabel uses the ⚠️ warning marker, not ✅', () => {
-    // The inline-keyboard collapse edit also must NOT look like success.
-    expect(alwaysBlock).toContain(
-      `⚠️ <b>Allowed for now — "always" did NOT save.</b> It will ask again after restart. Check gateway log.`,
-    )
-    // Confirm the old misleading text is gone.
-    expect(alwaysBlock).not.toContain('✅ <b>Allowed</b> (always-allow rule edit failed')
+  it('does NOT pass a synthInbound to finalizeCallback (verdict already fired)', () => {
+    // The verdict is dispatched directly above; finalizeCallback only
+    // edits the card. A synthInbound here would double-fire.
+    const finalizeIdx = alwaysBlock.indexOf('await finalizeCallback(ctx, {')
+    const after = alwaysBlock.slice(finalizeIdx)
+    expect(finalizeIdx).toBeGreaterThan(-1)
+    expect(after).not.toContain('synthInbound')
   })
 })
 
-describe('always-allow handler — success path unchanged', () => {
-  it('success ackText still uses 🔁 and names the rule', () => {
-    expect(alwaysBlock).toContain('`🔁 Always allow ${rule.label} for ${agentName}`')
+describe('always-allow handler — durable hostd persistence', () => {
+  it('synthesizes a unified diff from the raw config text', () => {
+    expect(alwaysBlock).toContain('synthesizeAllowRuleDiff({')
+    expect(alwaysBlock).toContain("op: 'config_propose_edit'")
   })
 
-  it('success editLabel still uses 🔁 bold + restart hint', () => {
-    expect(alwaysBlock).toContain('restart agent for full effect')
-    expect(alwaysBlock).toContain('🔁 <b>Always allow')
+  it('reads the RAW config bytes (readFileSync), not the parsed config', () => {
+    // The diff context lines must byte-match the on-disk file, so we
+    // read literal bytes rather than re-serialising loadSwitchroomConfig.
+    expect(alwaysBlock).toContain('readFileSync(')
   })
-})
 
-describe('always-allow handler — post-write verification', () => {
-  it('reloads config after switchroomExec returns', () => {
-    // The verification block must call loadSwitchroomConfig() AFTER
-    // the switchroomExec call to confirm the rule landed in the
-    // resolved tools.allow.
-    const execIdx = alwaysBlock.indexOf("switchroomExec(['agent', 'grant'")
-    const loadIdx = alwaysBlock.indexOf('loadSwitchroomConfig()', execIdx)
-    expect(execIdx).toBeGreaterThan(-1)
-    expect(loadIdx).toBeGreaterThan(execIdx)
+  it('passes a long timeout to tryHostdDispatch (apply+reconcile blocks)', () => {
+    expect(alwaysBlock).toContain('await tryHostdDispatch(agentName, req, 60_000)')
   })
 
-  it('calls resolveAgentConfig to obtain the merged tools.allow list', () => {
-    const execIdx = alwaysBlock.indexOf("switchroomExec(['agent', 'grant'")
-    const resolveIdx = alwaysBlock.indexOf('resolveAgentConfig(', execIdx)
-    expect(resolveIdx).toBeGreaterThan(execIdx)
+  it('registers + cleans up the single-tap correlation entry', () => {
+    expect(alwaysBlock).toContain('pendingAlwaysAllowCorrelations.set(correlationKey')
+    // Cleanup in a finally so it can never be replayed.
+    const finallyIdx = alwaysBlock.indexOf('} finally {')
+    const deleteIdx = alwaysBlock.indexOf('pendingAlwaysAllowCorrelations.delete(correlationKey)', finallyIdx)
+    expect(finallyIdx).toBeGreaterThan(-1)
+    expect(deleteIdx).toBeGreaterThan(finallyIdx)
   })
 
-  it('calls isRulePersisted(allowList, rule.rule) after the reload', () => {
-    // The handler delegates the membership check to the extracted pure
-    // helper so the behavioral test in always-allow-persist.test.ts can
-    // cover the same code path.
-    expect(alwaysBlock).toContain('isRulePersisted(allowList, rule.rule)')
+  it('treats E_CONFIG_EDIT_DISABLED specially (no legacy fallback, points at the flag)', () => {
+    expect(alwaysBlock).toContain('E_CONFIG_EDIT_DISABLED')
+    expect(alwaysBlock).toContain('hostd.config_edit_enabled')
+  })
+})
+
+describe('always-allow handler — legacy fallback ONLY when hostd not-configured', () => {
+  it('falls back to switchroom agent grant only on not-configured', () => {
+    const notConfiguredIdx = alwaysBlock.indexOf("resp === 'not-configured'")
+    const grantIdx = alwaysBlock.indexOf("switchroomExec(['agent', 'grant'")
+    expect(notConfiguredIdx).toBeGreaterThan(-1)
+    expect(grantIdx).toBeGreaterThan(-1)
+    // The grant shellout lives AFTER the not-configured branch sets
+    // legacy=true (i.e. it is the fallback, not the primary path).
+    expect(grantIdx).toBeGreaterThan(notConfiguredIdx)
   })
 
-  it('sets grantOk=true only when isRulePersisted returns true', () => {
-    // grantOk=true must be inside the `if (isRulePersisted(...))` branch,
-    // not unconditionally after switchroomExec.
-    const persistIdx = alwaysBlock.indexOf('isRulePersisted(allowList, rule.rule)')
-    const grantOkIdx = alwaysBlock.indexOf('grantOk = true', persistIdx)
-    expect(persistIdx).toBeGreaterThan(-1)
-    expect(grantOkIdx).toBeGreaterThan(persistIdx)
-    // Confirm grantOk=true does NOT appear before the persistence check
-    // (i.e., not unconditionally on switchroomExec success as in the old code).
-    const grantOkFirst = alwaysBlock.indexOf('grantOk = true')
-    expect(grantOkFirst).toBeGreaterThanOrEqual(persistIdx)
+  it('emits the legacy-spawn deprecation warning on the not-configured path', () => {
+    expect(alwaysBlock).toContain("warnLegacySpawnIfHostdDisabled('always-allow')")
   })
 
-  it('logs a VERIFY FAILED message when the rule is absent after the write', () => {
-    expect(alwaysBlock).toContain('always-allow VERIFY FAILED')
+  it('verifies the legacy write landed via isRulePersisted', () => {
+    expect(alwaysBlock).toContain('isRulePersisted(allowList, rule.rule)')
+    expect(alwaysBlock).toContain('resolveAgentConfig(')
   })
 
-  it('surfaces config-location drift as a failure reason', () => {
-    expect(alwaysBlock).toContain('config location may have drifted')
+  it('legacy success messaging is honest about being the legacy path', () => {
+    expect(alwaysBlock).toContain('(legacy path)')
   })
 })
 
-describe('always-allow handler — error reason capture', () => {
-  it('declares grantFailReason to capture the root cause', () => {
-    expect(alwaysBlock).toContain('let grantFailReason')
+describe('always-allow handler — loud failure invariants', () => {
+  it('failure text uses the ⚠️ warning marker, never a false ✅ success', () => {
+    expect(alwaysBlock).toContain('did NOT save')
+    expect(alwaysBlock).not.toContain('✅ Allowed (always-allow yaml edit failed')
   })
 
-  it('populates grantFailReason from the thrown error on switchroomExec failure', () => {
-    // After the catch for switchroomExec, grantFailReason must be set
-    // from the error object so log messages can show the actual cause.
-    const catchIdx = alwaysBlock.lastIndexOf('} catch (err) {')
-    const reasonIdx = alwaysBlock.indexOf('grantFailReason = (err as Error).message', catchIdx)
-    expect(catchIdx).toBeGreaterThan(-1)
-    expect(reasonIdx).toBeGreaterThan(catchIdx)
+  it('captures a failure reason for the gateway log', () => {
+    expect(alwaysBlock).toContain('failReason')
+    expect(alwaysBlock).toContain('(err as Error).message')
   })
 })

package/telegram-plugin/tests/permission-diff.test.ts

@@ -0,0 +1,336 @@
+/**
+ * Tests for the pure diff synthesizer that powers the durable
+ * "🔁 Always allow" flow (#1977).
+ *
+ * Two layers:
+ *   1. Unit — synthesizeAllowRuleDiff covers the three structural
+ *      cases (flow list, block sequence, absent tools.allow), only
+ *      touches the target agent in a multi-agent file, and returns
+ *      null when the agent is absent. extractAddedAllowRule round-trips.
+ *   2. End-to-end — feed each synthesized diff + a realistic, fully
+ *      schema-valid fixture switchroom.yaml through `validateConfigEdit`
+ *      (the real hostd validation pipeline, which runs
+ *      `git apply --recount` then zod) and assert ok===true and the
+ *      rule lands under the right agent. This is the load-bearing proof
+ *      that the synthesizer emits git-apply-compatible diffs with
+ *      byte-matching context lines AND that the post-apply yaml still
+ *      validates. Requires `git` on PATH.
+ */
+
+import { describe, it, expect } from 'vitest'
+import { mkdtempSync, writeFileSync, rmSync } from 'node:fs'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { parse as parseYaml } from 'yaml'
+import {
+  synthesizeAllowRuleDiff,
+  extractAddedAllowRule,
+} from '../permission-diff.js'
+import { validateConfigEdit } from '../../src/host-control/config-edit-validator.js'
+
+const TARGET = '/state/config/switchroom.yaml'
+
+/**
+ * A schema-valid switchroom.yaml header. The validator runs the post-
+ * apply content through the real SwitchroomConfigSchema (zod), so the
+ * fixtures must be complete configs, not just `agents:` fragments.
+ */
+const HEADER = [
+  'switchroom:',
+  '  version: 1',
+  'telegram:',
+  "  bot_token: vault:telegram-bot-token",
+  "  forum_chat_id: '-1001234567890'",
+].join('\n')
+
+/** Build a complete config from an `agents:` body. */
+function cfgWith(agentsBody: string): string {
+  return `${HEADER}\nagents:\n${agentsBody}\n`
+}
+
+/** Run the synthesized diff through the real hostd validator + apply. */
+function applyViaValidator(configText: string, unifiedDiff: string) {
+  const dir = mkdtempSync(join(tmpdir(), 'perm-diff-'))
+  const cfgPath = join(dir, 'switchroom.yaml')
+  try {
+    writeFileSync(cfgPath, configText)
+    return validateConfigEdit({
+      configPath: cfgPath,
+      targetPath: TARGET,
+      unifiedDiff,
+    })
+  } finally {
+    rmSync(dir, { recursive: true, force: true })
+  }
+}
+
+function allowListFor(yamlText: string, agent: string): string[] {
+  const data = parseYaml(yamlText) as {
+    agents?: Record<string, { tools?: { allow?: string[] } }>
+  }
+  return data.agents?.[agent]?.tools?.allow ?? []
+}
+
+describe('synthesizeAllowRuleDiff — structural cases', () => {
+  it('(a) flow list with elements: appends before the closing ]', () => {
+    const cfg = cfgWith(
+      [
+        '  clerk:',
+        '    topic_name: clerk',
+        '    purpose: clerk',
+        '    tools:',
+        '      allow: [Read, Grep]',
+        '    model: opus',
+      ].join('\n'),
+    )
+    const diff = synthesizeAllowRuleDiff({ agentName: 'clerk', rule: 'Bash', configText: cfg })
+    expect(diff).not.toBeNull()
+    expect(diff).toContain('--- a/switchroom.yaml')
+    expect(diff).toContain('+++ b/switchroom.yaml')
+    const res = applyViaValidator(cfg, diff!)
+    expect(res).toMatchObject({ ok: true })
+    if (res.ok) {
+      expect(allowListFor(res.postApplyContent, 'clerk')).toEqual(['Read', 'Grep', 'Bash'])
+    }
+  })
+
+  it('(a) flow list "[ all ]": appends, all preserved', () => {
+    const cfg = cfgWith(
+      [
+        '  ziggy:',
+        '    topic_name: ziggy',
+        '    purpose: ziggy',
+        '    tools:',
+        '      allow: [ all ]',
+        '    model: opus',
+      ].join('\n'),
+    )
+    const diff = synthesizeAllowRuleDiff({ agentName: 'ziggy', rule: 'Skill(mail)', configText: cfg })
+    expect(diff).not.toBeNull()
+    const res = applyViaValidator(cfg, diff!)
+    expect(res).toMatchObject({ ok: true })
+    if (res.ok) {
+      const allow = allowListFor(res.postApplyContent, 'ziggy')
+      expect(allow).toContain('all')
+      expect(allow).toContain('Skill(mail)')
+    }
+  })
+
+  it('(b) block sequence: inserts after the last - entry', () => {
+    const cfg = cfgWith(
+      [
+        '  klanker:',
+        '    topic_name: klanker',
+        '    purpose: klanker',
+        '    tools:',
+        '      allow:',
+        '        - Bash',
+        '        - Read',
+        '    model: opus',
+      ].join('\n'),
+    )
+    const diff = synthesizeAllowRuleDiff({ agentName: 'klanker', rule: 'mcp__notion__search', configText: cfg })
+    expect(diff).not.toBeNull()
+    const res = applyViaValidator(cfg, diff!)
+    expect(res).toMatchObject({ ok: true })
+    if (res.ok) {
+      expect(allowListFor(res.postApplyContent, 'klanker')).toEqual(['Bash', 'Read', 'mcp__notion__search'])
+    }
+  })
+
+  it('(c) tools.allow absent: inserts tools/allow/rule under the agent', () => {
+    const cfg = cfgWith(
+      [
+        '  carrie:',
+        '    topic_name: carrie',
+        '    purpose: carrie',
+        '    model: sonnet',
+        '    role: assistant',
+      ].join('\n'),
+    )
+    const diff = synthesizeAllowRuleDiff({ agentName: 'carrie', rule: 'WebFetch', configText: cfg })
+    expect(diff).not.toBeNull()
+    const res = applyViaValidator(cfg, diff!)
+    expect(res).toMatchObject({ ok: true })
+    if (res.ok) {
+      expect(allowListFor(res.postApplyContent, 'carrie')).toEqual(['WebFetch'])
+    }
+  })
+
+  it('(c) tools present but no allow: key: inserts allow block under tools', () => {
+    const cfg = cfgWith(
+      [
+        '  finn:',
+        '    topic_name: finn',
+        '    purpose: finn',
+        '    tools:',
+        '      deny:',
+        '        - Bash',
+        '    model: opus',
+      ].join('\n'),
+    )
+    const diff = synthesizeAllowRuleDiff({ agentName: 'finn', rule: 'Read', configText: cfg })
+    expect(diff).not.toBeNull()
+    const res = applyViaValidator(cfg, diff!)
+    expect(res).toMatchObject({ ok: true })
+    if (res.ok) {
+      expect(allowListFor(res.postApplyContent, 'finn')).toEqual(['Read'])
+    }
+  })
+
+  it('multi-agent: only the target agent is touched', () => {
+    const cfg = cfgWith(
+      [
+        '  clerk:',
+        '    topic_name: clerk',
+        '    purpose: clerk',
+        '    tools:',
+        '      allow:',
+        '        - Read',
+        '  ziggy:',
+        '    topic_name: ziggy',
+        '    purpose: ziggy',
+        '    tools:',
+        '      allow:',
+        '        - Bash',
+        '  reggie:',
+        '    topic_name: reggie',
+        '    purpose: reggie',
+        '    tools:',
+        '      allow: [Grep]',
+      ].join('\n'),
+    )
+    const diff = synthesizeAllowRuleDiff({ agentName: 'ziggy', rule: 'Write', configText: cfg })
+    expect(diff).not.toBeNull()
+    const res = applyViaValidator(cfg, diff!)
+    expect(res).toMatchObject({ ok: true })
+    if (res.ok) {
+      expect(allowListFor(res.postApplyContent, 'clerk')).toEqual(['Read'])
+      expect(allowListFor(res.postApplyContent, 'ziggy')).toEqual(['Bash', 'Write'])
+      expect(allowListFor(res.postApplyContent, 'reggie')).toEqual(['Grep'])
+    }
+  })
+
+  it('returns null when the agent is absent', () => {
+    const cfg = cfgWith(
+      ['  clerk:', '    topic_name: clerk',
+        '    purpose: clerk', '    tools:', '      allow: [Read]'].join('\n'),
+    )
+    expect(synthesizeAllowRuleDiff({ agentName: 'nope', rule: 'Bash', configText: cfg })).toBeNull()
+  })
+
+  it('returns null when there is no agents block at all', () => {
+    expect(
+      synthesizeAllowRuleDiff({ agentName: 'clerk', rule: 'Bash', configText: 'defaults:\n  model: opus\n' }),
+    ).toBeNull()
+  })
+})
+
+describe('extractAddedAllowRule — round-trips the synthesized diff', () => {
+  it('block-sequence add', () => {
+    const cfg = cfgWith(
+      ['  clerk:', '    topic_name: clerk',
+        '    purpose: clerk', '    tools:', '      allow:', '        - Bash', '        - Read'].join('\n'),
+    )
+    const diff = synthesizeAllowRuleDiff({ agentName: 'clerk', rule: 'mcp__x__y', configText: cfg })!
+    expect(extractAddedAllowRule(diff)).toBe('mcp__x__y')
+  })
+
+  it('flow-list append', () => {
+    const cfg = cfgWith(['  clerk:', '    topic_name: clerk',
+        '    purpose: clerk', '    tools:', '      allow: [Read, Grep]', '    model: opus'].join('\n'))
+    const diff = synthesizeAllowRuleDiff({ agentName: 'clerk', rule: 'Bash', configText: cfg })!
+    expect(extractAddedAllowRule(diff)).toBe('Bash')
+  })
+
+  it('flow-list append into [ all ]', () => {
+    const cfg = cfgWith(['  clerk:', '    topic_name: clerk',
+        '    purpose: clerk', '    tools:', '      allow: [ all ]', '    model: opus'].join('\n'))
+    const diff = synthesizeAllowRuleDiff({ agentName: 'clerk', rule: 'Skill(mail)', configText: cfg })!
+    expect(extractAddedAllowRule(diff)).toBe('Skill(mail)')
+  })
+
+  it('absent tools.allow (case c) — extracts the single added rule', () => {
+    const cfg = cfgWith(['  carrie:', '    topic_name: carrie',
+        '    purpose: carrie', '    model: sonnet', '    role: assistant'].join('\n'))
+    const diff = synthesizeAllowRuleDiff({ agentName: 'carrie', rule: 'WebFetch', configText: cfg })!
+    expect(extractAddedAllowRule(diff)).toBe('WebFetch')
+  })
+
+  it('returns null for a diff that adds something other than a tools.allow rule', () => {
+    // A hand-built diff that changes a `model:` field — must NOT be
+    // mistaken for an allow-rule add (forge-resistance).
+    const forged = [
+      '--- a/switchroom.yaml',
+      '+++ b/switchroom.yaml',
+      '@@ -1,3 +1,3 @@',
+      ' agents:',
+      '   clerk:',
+      '-    model: sonnet',
+      '+    model: opus',
+      '',
+    ].join('\n')
+    expect(extractAddedAllowRule(forged)).toBeNull()
+  })
+
+  it('returns null for a multi-rule diff (strict single-add only)', () => {
+    const forged = [
+      '--- a/switchroom.yaml',
+      '+++ b/switchroom.yaml',
+      '@@ -1,2 +1,4 @@',
+      ' agents:',
+      '   clerk:',
+      '+        - Bash',
+      '+        - Read',
+      '',
+    ].join('\n')
+    expect(extractAddedAllowRule(forged)).toBeNull()
+  })
+
+  it('returns null for empty input', () => {
+    expect(extractAddedAllowRule('')).toBeNull()
+  })
+})
+
+// The auto-approve correlation in gateway.ts gates on an EXACT byte-match
+// of the incoming diff against the diff the gateway synthesized — NOT on
+// the rule token alone. This documents why: extractAddedAllowRule is
+// location-blind (it returns the token for a `- <rule>` line under ANY
+// key), so a forged edit placing the same consented token under `deny:`
+// or `secrets:` yields the same token but a DIFFERENT diff string. The
+// exact-diff gate is what rejects it.
+describe('forge-resistance — same token, wrong location ≠ synthesized diff', () => {
+  const cfg = [
+    'agents:',
+    '  clerk:',
+    '    tools:',
+    '      allow:',
+    '        - Read',
+    '      deny:',
+    '        - WebFetch',
+    '',
+  ].join('\n')
+
+  it('a deny-block diff adding the same token has the same token but a different diff', () => {
+    const legit = synthesizeAllowRuleDiff({ agentName: 'clerk', rule: 'Bash', configText: cfg })
+    expect(legit).not.toBeNull()
+    // The legit diff adds `- Bash` under tools.allow.
+    expect(extractAddedAllowRule(legit!)).toBe('Bash')
+
+    // A forged diff placing `- Bash` under the deny: block. Same token...
+    const forged = [
+      '--- a/switchroom.yaml',
+      '+++ b/switchroom.yaml',
+      '@@ -6,2 +6,3 @@',
+      '      deny:',
+      '        - WebFetch',
+      '+        - Bash',
+      '',
+    ].join('\n')
+    expect(extractAddedAllowRule(forged)).toBe('Bash') // ...location-blind: same token
+
+    // ...but the byte strings differ, so the exact-diff correlation gate
+    // (entry.unifiedDiff === msg.unifiedDiff) rejects the forgery.
+    expect(forged).not.toBe(legit)
+  })
+})

package/telegram-plugin/tests/tool-activity-summary.test.ts

@@ -288,17 +288,17 @@ describe("registerAndRender — ergonomic full-pipeline call", () => {
   });
 });
 
-describe("appendActivityLine + renderActivityFeed — accumulating draft feed", () => {
-  it("accumulates distinct actions chronologically (newest last)", () => {
+describe("appendActivityLine + renderActivityFeed — accumulating activity feed", () => {
+  it("accumulates distinct actions chronologically (newest = current → bold, earlier = done ✓ italic)", () => {
     const lines: string[] = [];
     expect(appendActivityLine(lines, "Read", { file_path: "a/gateway.ts" })).toBe(
-      "· Reading gateway.ts",
+      "<b>→ Reading gateway.ts</b>",
     );
     expect(appendActivityLine(lines, "mcp__hindsight__reflect", { query: "x" })).toBe(
-      "· Reading gateway.ts\n· Searching memory",
+      "<i>✓ Reading gateway.ts</i>\n<b>→ Searching memory</b>",
     );
     expect(appendActivityLine(lines, "Bash", { command: "ls", description: "List workspace" })).toBe(
-      "· Reading gateway.ts\n· Searching memory\n· List workspace",
+      "<i>✓ Reading gateway.ts</i>\n<i>✓ Searching memory</i>\n<b>→ List workspace</b>",
     );
   });
 
@@ -315,14 +315,26 @@ describe("appendActivityLine + renderActivityFeed — accumulating draft feed",
     expect(lines).toEqual([]);
   });
 
-  it("caps to the last MIRROR_MAX_LINES with a '+N earlier' header", () => {
+  it("caps to the last MIRROR_MAX_LINES with a '✓ +N earlier…' header", () => {
     const lines = Array.from({ length: 9 }, (_, i) => `Action ${i + 1}`);
     const out = renderActivityFeed(lines)!;
-    expect(out.startsWith("· +3 earlier…\n")).toBe(true);
-    // Only the last 6 actions are shown.
-    expect(out).toContain("· Action 4");
-    expect(out).toContain("· Action 9");
-    expect(out).not.toContain("· Action 3\n");
+    expect(out.startsWith("<i>✓ +3 earlier…</i>\n")).toBe(true);
+    // Only the last 6 actions are shown; the oldest 3 are collapsed.
+    expect(out).toContain("<i>✓ Action 4</i>");
+    expect(out).not.toContain("Action 3");
+    // The newest action is the in-progress step (bold →); the rest are done (✓).
+    expect(out).toContain("<b>→ Action 9</b>");
+    expect(out).toContain("<i>✓ Action 8</i>");
+    expect(out).not.toContain("<b>→ Action 8</b>");
+  });
+
+  it("HTML-escapes &, <, > in action text (no double-escaping by callers)", () => {
+    const out = renderActivityFeed(["Running <foo> & <bar>"])!;
+    expect(out).toBe("<b>→ Running &lt;foo&gt; &amp; &lt;bar&gt;</b>");
+  });
+
+  it("renders a single line as the current (bold →) step", () => {
+    expect(renderActivityFeed(["Reading a.ts"])).toBe("<b>→ Reading a.ts</b>");
   });
 
   it("renderActivityFeed returns null on empty", () => {
@@ -333,9 +345,9 @@ describe("appendActivityLine + renderActivityFeed — accumulating draft feed",
 describe("appendActivityLabel — precomputed label feed (tool_label path)", () => {
   it("accumulates precomputed labels, dedups consecutive, ignores empty", () => {
     const lines: string[] = [];
-    expect(appendActivityLabel(lines, "Searching memory")).toBe("· Searching memory");
+    expect(appendActivityLabel(lines, "Searching memory")).toBe("<b>→ Searching memory</b>");
     expect(appendActivityLabel(lines, "List workspace")).toBe(
-      "· Searching memory\n· List workspace",
+      "<i>✓ Searching memory</i>\n<b>→ List workspace</b>",
     );
     // consecutive dup collapses
     appendActivityLabel(lines, "List workspace");