switchroom 0.14.7 → 0.14.9

package/telegram-plugin/gateway/gateway.ts

@@ -53,15 +53,7 @@ import { OutboundDedupCache } from '../recent-outbound-dedup.js'
 import { createInboundCoalescer, inboundCoalesceKey } from './inbound-coalesce.js'
 import { StatusReactionController } from '../status-reactions.js'
 import { isTelegramReplyTool, isTelegramSurfaceTool } from '../tool-names.js'
-import { allocateDraftId } from '../draft-transport.js'
-import {
-  makeEmptyActivityState,
-  registerAndRender,
-  describeToolUse,
-  appendActivityLine,
-  appendActivityLabel,
-  type ActivityState,
-} from '../tool-activity-summary.js'
+import { appendActivityLabel } from '../tool-activity-summary.js'
 import { toolLabel } from '../tool-labels.js'
 import { createTypingWrapper } from '../typing-wrap.js'
 import { type DraftStreamHandle } from '../draft-stream.js'
@@ -252,7 +244,7 @@ import { injectSlashCommand as injectSlashCommandImpl } from '../../src/agents/i
 import { handleInjectCommand } from './inject-handler.js'
 import { type BannerState } from '../slot-banner.js'
 import { refreshBanner } from '../slot-banner-driver.js'
-import { loadConfig as loadSwitchroomConfig } from '../../src/config/loader.js'; import { resolveAgentConfig } from '../../src/config/merge.js'
+import { loadConfig as loadSwitchroomConfig, findConfigFile as findSwitchroomConfigFile } from '../../src/config/loader.js'; import { resolveAgentConfig } from '../../src/config/merge.js'
 import { resolveOutboundTopic as resolveOutboundTopicHelper, type TopicRouterConfig as _OutboundRouterConfig } from '../../src/telegram/topic-router.js'
 import { readTurnUsages } from '../../src/agents/perf.js'
 import { decideProactiveCompact, initialCompactState, type CompactState } from './proactive-compact.js'
@@ -369,6 +361,7 @@ import { startIssuesWatcher, type IssuesWatcherHandle } from '../issues-watcher.
 import { list as listIssues, resolve as resolveIssue } from '../../src/issues/index.js'
 import { summarizeToolForTitle, formatPermissionCardBody } from '../permission-title.js'
 import { resolveAlwaysAllowRule, isRulePersisted } from '../permission-rule.js'
+import { synthesizeAllowRuleDiff, extractAddedAllowRule } from '../permission-diff.js'
 import {
   readClaudeJsonOverage,
   evaluateCreditState,
@@ -1274,6 +1267,11 @@ const progressUpdateTurnCount = new Map<string, number>()
 type CurrentTurn = {
   sessionChatId: string
   sessionThreadId: number | undefined
+  // Inbound message id this turn answers. Anchors the activity feed's
+  // native reply-quote (reply_parameters) so the user's question renders
+  // as a quoted header on the feed message. Null for synthesized turns
+  // (cron/handback) that have no originating inbound message.
+  sourceMessageId: number | null
   startedAt: number
   gatewayReceiveAt: number
   replyCalled: boolean
@@ -1347,21 +1345,14 @@ type CurrentTurn = {
   //     repeats until the pending matches the last-sent.
   // Result: at most one Telegram call in flight at a time; the
   // final state always lands.
-  toolActivity: ActivityState
   activityMessageId: number | null
-  // Draft-transport id when the activity summary is streamed via
-  // sendMessageDraft (DM-only, no thread). Each call to
-  // sendMessageDraft(chat, draftId, text) REPLACES the draft text —
-  // simpler than send+edit. Cleared by `clearActivitySummary` (which
-  // sends an empty draft) when the model's reply takes over.
-  activityDraftId: number | null
   activityInFlight: Promise<void> | null
   activityPendingRender: string | null
   activityLastSentRender: string | null
-  // Draft-mirror Phase 2: accumulating friendly-action feed for this turn
-  // (DRAFT_MIRROR only). Each non-surface tool_use appends a line via
-  // `appendActivityLine`; the feed renders as a capped chronological list
-  // in the ephemeral draft and clears on reply. Reset per turn.
+  // Accumulating friendly-action feed for this turn. Each non-surface
+  // tool_label appends a line via `appendActivityLabel`; the feed renders
+  // (via `renderActivityFeed`) as a capped chronological list into the
+  // in-place edited activity message and clears on reply. Reset per turn.
   mirrorLines: string[]
   // Issue #195 — answer-lane streaming. Lazily created on the first text
   // event of a turn (once enough text has accumulated, the stream itself
@@ -2282,6 +2273,27 @@ const PERMISSION_REPLY_RE = /^\s*(y|yes|n|no)\s+([a-km-z]{5})\s*$/i
 const pendingPermissions = new Map<string, { tool_name: string; description: string; input_preview: string; startedAt: number }>()
 const PERMISSION_TTL_MS = 10 * 60_000
 
+// #1977 — single-tap correlation for the durable "🔁 Always allow"
+// flow. When the gateway dispatches a `config_propose_edit` to hostd in
+// response to an operator tap, hostd calls BACK asking for operator
+// approval. We pre-register the (agent, rule) pair here keyed
+// `${agentName}::${rule}` so that callback auto-approves WITHOUT a
+// second card. Forge-resistance: the auto-resolve match requires the
+// rule the inbound diff ADDS (via extractAddedAllowRule) to equal a
+// rule the gateway itself just queued — a forged edit touching any
+// other field finds no entry and falls through to a real operator card.
+// Single-shot (deleted on match) + 30s TTL sweep so a stale correlation
+// can't be replayed.
+const pendingAlwaysAllowCorrelations = new Map<string, { agentName: string; rule: string; unifiedDiff: string; createdAt: number }>()
+const ALWAYS_ALLOW_CORRELATION_TTL_MS = 30_000
+function sweepStaleAlwaysAllowCorrelations(now = Date.now()): void {
+  for (const [key, entry] of pendingAlwaysAllowCorrelations) {
+    if (now - entry.createdAt > ALWAYS_ALLOW_CORRELATION_TTL_MS) {
+      pendingAlwaysAllowCorrelations.delete(key)
+    }
+  }
+}
+
 // `ask_user` MCP tool — open prompts awaiting a user button-tap.
 // Keyed by askId (8 hex chars from generateAskId). Each entry holds
 // the deferred promise that resolves the originating tool call, the
@@ -3233,25 +3245,16 @@ const ANSWER_STREAM_VISIBLE_ENABLED = (() => {
   return true
 })()
 
-// Draft-mirror preview (RFC docs/rfcs/draft-mirror-preview.md), Phase 1.
-// When enabled, the model's prose narration streams into the ephemeral
-// compose-area draft (sendMessageDraft) instead of a visible real
-// message — a live "what's it doing" preview that clears when the
-// reply lands. Default OFF (canary flag). When on it (a) forces the
-// answer-stream onto draft transport regardless of
-// ANSWER_STREAM_VISIBLE_ENABLED, and (b) suppresses the activity-summary
-// tool-count draft so the two don't collide on the single per-chat
-// draft slot. Delivery on a no-reply turn is owned by turn-flush
-// (decideTurnFlush → capturedText fresh send), NOT answer-stream
-// materialize() — which is dead on the draft-only path (streamMsgId
-// stays null, so its turn-end gate is false). Kill switch:
-// SWITCHROOM_DRAFT_MIRROR unset/0/false/off/no.
-const DRAFT_MIRROR_ENABLED = (() => {
-  const raw = process.env.SWITCHROOM_DRAFT_MIRROR
-  if (raw == null) return false
-  const v = raw.trim().toLowerCase()
-  return !(v === '0' || v === 'false' || v === 'off' || v === 'no')
-})()
+// Activity feed. The gateway streams a live "what it's doing" tool-activity
+// feed for every turn. The PreToolUse sidecar emits a `tool_label` per tool
+// call (flush-independent, so it stays real-time on fast/clustered-tool
+// turns); each label appends to `turn.mirrorLines`, and `renderActivityFeed`
+// renders the capped list into an in-place EDITED message (sendMessage +
+// editMessageText) anchored as a native reply-quote to the user's question.
+// The feed clears on the first reply (hand-off to the answer) and again at
+// turn_end (the no-reply safety net). It does NOT touch the answer-stream's
+// draft/visible lane — the two render on separate surfaces, so they never
+// collide.
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const progressDriver: any = null
 const unpinProgressCardForChat: ((chatId: string, threadId: number | undefined) => void) | null = null
@@ -4572,6 +4575,32 @@ const ipcServer: IpcServer = createIpcServer({
       },
       log: (m) =>
         process.stderr.write(`telegram gateway: config-approval — ${m}\n`),
+      // #1977 single-tap correlation: auto-approve a config edit the
+      // gateway itself just queued in response to an operator tap on
+      // the "🔁 Always allow" permission card. Forge-resistant — the
+      // match requires the rule the diff ADDS to equal a rule the
+      // gateway queued; an agent-forged edit touching any other field
+      // finds no entry and falls through to a real operator card.
+      tryAutoResolve: (msg) => {
+        sweepStaleAlwaysAllowCorrelations()
+        // `extractAddedAllowRule` only locates a CANDIDATE entry by the
+        // rule token — it is shape-based, not YAML-location-aware, so it
+        // is NOT the security gate. The gate is an EXACT byte-match of
+        // the incoming diff against the diff the gateway itself
+        // synthesized and queued. A forged config_propose_edit (the same
+        // consented token placed under `deny:`/`secrets:`, a different
+        // field, or any other byte difference) won't match → falls
+        // through to a real operator approval card.
+        const added = extractAddedAllowRule(msg.unifiedDiff)
+        if (!added) return null
+        const key = `${msg.agentName}::${added}`
+        const entry = pendingAlwaysAllowCorrelations.get(key)
+        if (entry && entry.unifiedDiff === msg.unifiedDiff) {
+          pendingAlwaysAllowCorrelations.delete(key)
+          return 'approve'
+        }
+        return null
+      },
     })
   },
 
@@ -6883,19 +6912,12 @@ function closeProgressLane(chatId: string, threadId: number | undefined): void {
  * `turn.activityInFlight`; while set, new tool_uses only update
  * `turn.activityPendingRender` and return).
  *
- * Transport priority (mirrors the existing answer-stream pattern):
- *
- *   1. DM with no thread AND sendMessageDraft API available →
- *      DRAFT TRANSPORT. Each call REPLACES the draft text (no
- *      edit-in-place needed); the user sees a live preview in their
- *      Telegram compose area as the agent works. When the model's
- *      reply tool lands, `clearActivitySummary` sends an empty draft
- *      to wipe it — only the real reply persists.
- *
- *   2. Anything else (forum topic, draft API absent) → fall through
- *      to sendMessage + editMessageText. The activity message is a
- *      real chat message; `clearActivitySummary` deletes it when the
- *      reply tool takes over.
+ * Transport: a single in-place edited message. The first render does
+ * `sendMessage` (capturing `turn.activityMessageId`); subsequent renders
+ * `editMessageText` that id, so the summary accumulates in place without
+ * retyping the whole block. `clearActivitySummary` deletes the message
+ * when the reply tool takes over. Works in DMs, groups, and forum topics
+ * alike (forum topics pass message_thread_id).
  *
  * The drain holds a reference to `turn`, so a turn-swap mid-drain
  * doesn't corrupt the next turn's atom — late writes land on the
@@ -6906,29 +6928,28 @@ async function drainActivitySummary(turn: CurrentTurn): Promise<void> {
     while (turn.activityPendingRender !== turn.activityLastSentRender) {
       const target = turn.activityPendingRender
       if (target == null) break
-      // Escape before wrapping in <i> + parse_mode HTML. The legacy
-      // verb-count summaries were safe ASCII, but the draft-mirror's
-      // describeToolUse content (file names, Bash descriptions, search
-      // queries) can contain <, >, & — which would break HTML parsing
-      // and surface literal tags (the exact #1942 bug class).
-      const html = `<i>${escapeHtmlForTg(target)}</i>`
+      // `renderActivityFeed` already emitted ready Telegram HTML with per-line
+      // markup (<b>→ current</b> / <i>✓ done</i>) and escaped each label's
+      // <,>,& itself (#1942 class) — send verbatim, do NOT re-escape or
+      // re-wrap (double-escaping would surface literal tags).
+      const html = target
       const chat = turn.sessionChatId
       const thread = turn.sessionThreadId
-      // sendMessageDraft doesn't support forum threads.
-      const useDraft = turn.isDm && thread == null && sendMessageDraftFn != null
+      // Native reply-quote: anchor the feed message to the user's question so
+      // it renders as a quoted header (reply_parameters renders on a real
+      // message; edits preserve it). allow_sending_without_reply so a deleted
+      // source can't drop the send.
+      const replyAnchor = turn.sourceMessageId != null
+        ? { reply_parameters: { message_id: turn.sourceMessageId, allow_sending_without_reply: true } }
+        : {}
       try {
-        if (useDraft) {
-          if (turn.activityDraftId == null) {
-            turn.activityDraftId = allocateDraftId()
-          }
-          const draftId = turn.activityDraftId
-          await sendMessageDraftFn!(chat, draftId, html, { parse_mode: 'HTML' })
-        } else if (turn.activityMessageId == null) {
+        if (turn.activityMessageId == null) {
           const sent = await robustApiCall(
             () => bot.api.sendMessage(chat, html, {
               ...(thread != null ? { message_thread_id: thread } : {}),
               parse_mode: 'HTML',
               disable_notification: true,
+              ...replyAnchor,
             }),
             { chat_id: chat, ...(thread != null ? { threadId: thread } : {}), verb: 'activity-summary.send' },
           )
@@ -6958,30 +6979,20 @@ async function drainActivitySummary(turn: CurrentTurn): Promise<void> {
 /**
  * Clear the activity summary when the model's reply tool takes over
  * as the authoritative surface. Awaits any in-flight render so we
- * don't race a stale write against the clear, then either sends an
- * empty draft (clears the compose-area preview) or deletes the
- * persisted message. Idempotent + best-effort — failure stderr-logs
- * but does not block.
+ * don't race a stale write against the clear, then deletes the activity
+ * message. Idempotent + best-effort — failure stderr-logs but does not
+ * block.
  *
- * Called from `case 'tool_use'` the moment we see a Telegram reply
- * tool fire, so the user sees the real reply land in the same beat
- * the summary disappears.
+ * Called on the first reply (hand-off to the answer) and again at
+ * turn_end (the no-reply safety net), so the user sees the real reply
+ * land in the same beat the summary disappears.
  */
 function clearActivitySummary(turn: CurrentTurn): void {
   const chat = turn.sessionChatId
   const thread = turn.sessionThreadId
   const inFlight = turn.activityInFlight ?? Promise.resolve()
   void inFlight.then(async () => {
-    if (turn.activityDraftId != null && sendMessageDraftFn != null) {
-      const draftId = turn.activityDraftId
-      turn.activityDraftId = null
-      try {
-        // Empty text → Telegram clears the draft.
-        await sendMessageDraftFn(chat, draftId, '', undefined)
-      } catch (err) {
-        process.stderr.write(`telegram gateway: activity-summary draft-clear failed: ${err}\n`)
-      }
-    } else if (turn.activityMessageId != null) {
+    if (turn.activityMessageId != null) {
       const id = turn.activityMessageId
       turn.activityMessageId = null
       try {
@@ -7040,6 +7051,9 @@ function handleSessionEvent(ev: SessionEvent): void {
         const next: CurrentTurn = {
           sessionChatId: ev.chatId,
           sessionThreadId: ev.threadId != null ? Number(ev.threadId) : undefined,
+          sourceMessageId: ev.messageId != null && /^\d+$/.test(ev.messageId)
+            ? Number(ev.messageId)
+            : null,
           startedAt,
           gatewayReceiveAt: startedAt,
           replyCalled: false,
@@ -7053,9 +7067,7 @@ function handleSessionEvent(ev: SessionEvent): void {
           lastAssistantMsgId: null,
           lastAssistantDone: false,
           toolCallCount: 0,
-          toolActivity: makeEmptyActivityState(),
           activityMessageId: null,
-          activityDraftId: null,
           activityInFlight: null,
           activityPendingRender: null,
           activityLastSentRender: null,
@@ -7192,58 +7204,20 @@ function handleSessionEvent(ev: SessionEvent): void {
           turn.orphanedReplyTimeoutId = null
         }
         // The model's real reply takes over as the authoritative
-        // surface. Clear the activity summary — for drafts, send an
-        // empty draft to wipe the compose-area preview; for persisted
-        // messages, delete. The user sees the real reply land in the
-        // same beat the summary disappears.
-        // Legacy (flag-off): the activity summary clears on the first
-        // reply — it was a one-shot "what I did" line. DRAFT_MIRROR keeps
-        // the live feed running through mid-turn replies and clears it at
-        // turn_end instead, so an early reply doesn't wipe the stream
-        // (the fast-turn determinism fix).
-        if (wasFirstReply && !DRAFT_MIRROR_ENABLED) {
+        // surface, so delete the activity feed message — the user
+        // sees the real reply land in the same beat the feed
+        // disappears. turn_end is the no-reply safety net.
+        if (wasFirstReply) {
           clearActivitySummary(turn)
         }
       }
-      // Tool-intent surface — companion to the PreToolUse ack-first gate
-      // (#1921). On the FIRST non-reply tool_use of a turn AND only when
-      // Tool-activity summary — same shape Claude Code natively renders
-      // in its CLI/chat UI ("Ran 5 commands, read a file"). The gateway
-      // accumulates non-reply tool_use events into `turn.toolActivity`
-      // and sends ONE Telegram message that edits in place as more tools
-      // land. Stops editing once the model calls `reply` — the summary
-      // line stays as the final state. No model-side prompting; no per-
-      // tool labels. Just surface what's already in the stream.
-      //
-      // Single-flight coalescing (PR #1926 review): modern Claude emits
-      // multiple tool_uses in a synchronous burst (parallel Reads,
-      // Bashes, etc.). All would otherwise race past the message-id
-      // capture and produce N messages. Pattern mirrors answer-stream:
-      // update `activityPendingRender` synchronously here; a single
-      // worker promise drains the pending state, sending or editing
-      // exactly once at a time and re-running until pending matches
-      // the last-sent. Captures `turn` so a late drain after turn-swap
-      // can't corrupt the next turn's atom.
-      // Flag OFF (default): the legacy generic verb-count summary
-      // ("Ran 5 commands") via registerAndRender — byte-identical to
-      // pre-draft-mirror behavior, cleared on first reply.
-      //
-      // DRAFT_MIRROR: the draft is NOT driven from this (flush-gated)
-      // tool_use event — it's driven by the real-time `tool_label` event
-      // (PreToolUse sidecar, fires at tool-call time regardless of when
-      // claude flushes the transcript). See `case 'tool_label'`. That's
+      // The live activity feed is driven by the real-time `tool_label`
+      // event (PreToolUse sidecar) rather than this flush-gated tool_use
+      // path — see `case 'tool_label'`. The sidecar fires at tool-call
+      // time regardless of when claude flushes the transcript, which is
       // the determinism fix: on a fast/clustered-tool turn the JSONL
       // tool_use rows aren't on disk until ~turn-end, so sourcing the
-      // draft here lost the feed; the sidecar is flush-independent.
-      if (!DRAFT_MIRROR_ENABLED && !turn.replyCalled && !isTelegramSurfaceTool(name)) {
-        const rendered = registerAndRender(turn.toolActivity, name)
-        if (rendered != null) {
-          turn.activityPendingRender = rendered
-          if (turn.activityInFlight == null) {
-            turn.activityInFlight = drainActivitySummary(turn)
-          }
-        }
-      }
+      // feed here would lose them.
       if (!ctrl) return
       if (isTelegramSurfaceTool(name)) return
       ctrl.setTool(name)
@@ -7253,21 +7227,26 @@ function handleSessionEvent(ev: SessionEvent): void {
       return
     }
     case 'tool_label': {
-      // DRAFT_MIRROR real-time driver. The PreToolUse hook wrote this
+      // Real-time activity-feed driver. The PreToolUse hook wrote this
       // label synchronously at tool-call time; the sidecar surfaced it
       // here (~250ms) independent of the transcript flush. Accumulate it
-      // into the live feed and update the ephemeral draft — this is what
-      // makes the draft deterministic on fast/clustered-tool turns where
-      // the JSONL tool_use rows arrive too late.
-      if (!DRAFT_MIRROR_ENABLED) return
+      // into the live feed and edit the activity message in place — this
+      // is what makes the feed deterministic on fast/clustered-tool turns
+      // where the JSONL tool_use rows arrive too late.
       const turn = currentTurn
       if (turn == null) return
       // Surface tools (reply/stream_reply/react) are the conversation, not
       // activity — the hook labels them ("Replying"), so filter by name.
       if (isTelegramSurfaceTool(ev.toolName)) return
-      // Unlike the legacy tool_use path, do NOT gate on replyCalled — the
-      // whole point is to show activity even when a reply raced ahead of
-      // the (lagged) transcript. The feed clears at turn_end.
+      // Stop feeding once the reply has landed. The first reply is the
+      // hand-off: `clearActivitySummary` deletes the feed so the answer is
+      // the authoritative surface (the validated clean hand-off). Without
+      // this gate a tool called after the reply would re-`sendMessage` a
+      // fresh feed message below the answer — a delete-then-resend flicker.
+      // Safe ordering: `tool_label` is real-time (PreToolUse, ~250ms) while
+      // `replyCalled` is set from the lagged reply tool_use, so a genuinely
+      // pre-reply label virtually always arrives before the flag flips.
+      if (turn.replyCalled) return
       const rendered = appendActivityLabel(turn.mirrorLines, ev.label)
       if (rendered != null) {
         turn.activityPendingRender = rendered
@@ -7547,12 +7526,13 @@ function handleSessionEvent(ev: SessionEvent): void {
         clearTimeout(turn.orphanedReplyTimeoutId)
         turn.orphanedReplyTimeoutId = null
       }
-      // DRAFT_MIRROR: the live activity feed runs through the whole turn
-      // (it is NOT cleared on the first reply, unlike the legacy summary)
-      // so an early/mid-turn reply can't wipe it. Clear it here, at the
-      // real end of the turn — the ephemeral compose-area draft goes away
-      // once the work is actually done.
-      if (DRAFT_MIRROR_ENABLED && turn != null) {
+      // Clear the activity feed at the real end of the turn. This is the
+      // no-reply safety net — a turn that ends without ever calling reply
+      // (the answer is delivered by turn-flush / silent-end) still has its
+      // feed removed. On a normal turn the feed was already cleared at the
+      // first reply (the hand-off); clearActivitySummary is idempotent, so
+      // the second call is a no-op.
+      if (turn != null) {
         clearActivitySummary(turn)
       }
       // #549 fix — flush any pending preamble BEFORE the answer stream is
@@ -15266,13 +15246,20 @@ bot.on('callback_query:data', async ctx => {
   }
 
   if (behavior === 'always') {
-    // "🔁 Always allow" — write the resolved rule into the agent's
-    // tools.allow in switchroom.yaml via the existing `agent grant`
-    // CLI verb, then approve the in-flight request. Reconcile updates
-    // settings.json so future SESSIONS skip the popup; the in-flight
-    // turn already has its settings.json loaded so the rule won't
-    // suppress later prompts on this same turn — operator restarts
-    // the agent if they want full immediate effect.
+    // "🔁 Always allow" (#1977) — persist the resolved rule into the
+    // agent's tools.allow in the DURABLE host config. The old path
+    // shelled `switchroom agent grant` which wrote
+    // /state/config/switchroom.yaml — but that path is bind-mounted
+    // READ-ONLY into agent containers, so the write silently no-op'd.
+    // Durable host-config writes only land via the host-side hostd
+    // daemon's `config_propose_edit` flow. We:
+    //   1. dispatch the in-flight Allow verdict IMMEDIATELY (turn must
+    //      not block on the host round-trip);
+    //   2. if hostd is not-configured → fall back to the legacy
+    //      `agent grant` + verify path (honest messaging only);
+    //   3. otherwise synthesize a unified diff adding the rule to the
+    //      agent's tools.allow and send it to hostd, awaiting the
+    //      apply+reconcile result.
     const details = pendingPermissions.get(request_id)
     if (!details) { await ctx.answerCallbackQuery({ text: 'Details no longer available.' }).catch(() => {}); return }
     const rule = resolveAlwaysAllowRule(details.tool_name, details.input_preview)
@@ -15285,57 +15272,143 @@ bot.on('callback_query:data', async ctx => {
       await ctx.answerCallbackQuery({ text: 'Always-allow needs SWITCHROOM_AGENT_NAME — gateway is misconfigured.' }).catch(() => {})
       return
     }
-    let grantOk = false
-    let grantFailReason = ''
-    try {
-      // --no-restart: settings.json gets the new entry on the next
-      // reconcile but we don't bounce the agent mid-turn. Operator
-      // can restart manually if they want this rule live in this
-      // session; otherwise it kicks in next session.
-      switchroomExec(['agent', 'grant', agentName, rule.rule, '--no-restart'])
-      // Verify the rule actually landed in the resolved config — guards
-      // against config-location-drift (gateway edited a yaml that isn't
-      // the durable source-of-truth, or the grant was a no-op). One
-      // fresh config read; cheap since this is a rare operator tap.
+
+    pendingPermissions.delete(request_id)
+
+    // (2) Dispatch the in-flight permission verdict IMMEDIATELY — before
+    // any host round-trip — so the turn never blocks on persistence.
+    // We carry the resolved `rule` so the bridge caches it for the rest
+    // of the session and auto-allows matching tool calls from sub-agents
+    // (Task tool) + the parent without re-popping the prompt (#1138).
+    // The rule is safe to cache regardless of whether the *durable*
+    // write later succeeds — it's the operator's explicit intent.
+    dispatchPermissionVerdict({
+      type: 'permission',
+      requestId: request_id,
+      behavior: 'allow',
+      rule: rule.rule,
+    })
+
+    // (3) Decide the persistence path. tryHostdDispatch returns
+    // "not-configured" when host_control is disabled or the per-agent
+    // socket is absent → legacy fallback.
+    let durable = false
+    let legacy = false
+    let failReason = ''
+    let editLockHint = false
+
+    const configEditDisabled = (msg: string): boolean =>
+      msg.includes('E_CONFIG_EDIT_DISABLED')
+
+    const unifiedDiff = (() => {
       try {
-        const cfg = loadSwitchroomConfig()
-        const rawAgent = cfg.agents?.[agentName]
-        if (rawAgent) {
-          const resolved = resolveAgentConfig(cfg.defaults, cfg.profiles, rawAgent)
-          const allowList: string[] = (resolved as { tools?: { allow?: string[] } }).tools?.allow ?? []
-          if (isRulePersisted(allowList, rule.rule)) {
-            grantOk = true
-            process.stderr.write(
-              `telegram gateway: always-allow added rule="${rule.rule}" agent=${agentName} (request_id=${request_id})\n`,
-            )
-          } else {
-            grantFailReason = `rule "${rule.rule}" not found in resolved tools.allow after write — config location may have drifted`
-            process.stderr.write(
-              `telegram gateway: always-allow VERIFY FAILED: ${grantFailReason} (request_id=${request_id})\n`,
-            )
-          }
+        const cfgPath = process.env.SWITCHROOM_CONFIG ?? SWITCHROOM_CONFIG ?? findSwitchroomConfigFile()
+        const raw = readFileSync(cfgPath, 'utf8')
+        return synthesizeAllowRuleDiff({ agentName, rule: rule.rule, configText: raw })
+      } catch (err) {
+        process.stderr.write(`telegram gateway: always-allow diff synth failed: ${(err as Error).message}\n`)
+        return null
+      }
+    })()
+
+    const correlationKey = `${agentName}::${rule.rule}`
+    try {
+      if (unifiedDiff == null) {
+        // Could not locate the agent block / read config → fall back to
+        // the legacy grant path; its own verify will produce honest
+        // messaging.
+        legacy = true
+      } else {
+        // Pre-register the single-tap correlation so hostd's callback
+        // (request_config_approval) auto-approves WITHOUT a second card.
+        pendingAlwaysAllowCorrelations.set(correlationKey, { agentName, rule: rule.rule, unifiedDiff, createdAt: Date.now() })
+        const req: HostdRequest = {
+          v: 1,
+          op: 'config_propose_edit',
+          request_id: hostdRequestId('gw-always-allow'),
+          args: {
+            unified_diff: unifiedDiff,
+            reason: `Operator 'always allow' for ${rule.label}`,
+            target_path: '/state/config/switchroom.yaml',
+          },
+        }
+        // config_propose_edit blocks on validate→approve→apply→reconcile,
+        // so allow ~60s (well past the default 5s).
+        const resp = await tryHostdDispatch(agentName, req, 60_000)
+        if (resp === 'not-configured') {
+          warnLegacySpawnIfHostdDisabled('always-allow')
+          legacy = true
+        } else if (resp.result === 'completed') {
+          durable = true
+          process.stderr.write(
+            `telegram gateway: always-allow durable via hostd rule="${rule.rule}" agent=${agentName} (request_id=${request_id})\n`,
+          )
         } else {
-          grantFailReason = `agent "${agentName}" not found in config after write`
+          failReason = resp.error ?? `hostd ${resp.result}`
+          if (configEditDisabled(failReason)) editLockHint = true
           process.stderr.write(
-            `telegram gateway: always-allow VERIFY FAILED: ${grantFailReason} (request_id=${request_id})\n`,
+            `telegram gateway: always-allow hostd FAILED: ${failReason} (request_id=${request_id})\n`,
           )
         }
-      } catch (verifyErr) {
-        grantFailReason = `config re-read failed: ${(verifyErr as Error).message}`
-        process.stderr.write(
-          `telegram gateway: always-allow VERIFY FAILED: ${grantFailReason} (request_id=${request_id})\n`,
-        )
       }
-    } catch (err) {
-      grantFailReason = (err as Error).message
-      process.stderr.write(`telegram gateway: always-allow grant failed: ${grantFailReason}\n`)
-    }
 
-    pendingPermissions.delete(request_id)
+      if (legacy) {
+        // Legacy not-configured fallback — keep TODAY's behaviour:
+        // shell `agent grant` (writes the host yaml only when the
+        // gateway has a writable path) + verify the rule actually
+        // landed. Honest messaging: "saved (legacy path)" on verify,
+        // else the "did NOT save" warning.
+        try {
+          switchroomExec(['agent', 'grant', agentName, rule.rule, '--no-restart'])
+          try {
+            const cfg = loadSwitchroomConfig()
+            const rawAgent = cfg.agents?.[agentName]
+            if (rawAgent) {
+              const resolved = resolveAgentConfig(cfg.defaults, cfg.profiles, rawAgent)
+              const allowList: string[] = (resolved as { tools?: { allow?: string[] } }).tools?.allow ?? []
+              if (isRulePersisted(allowList, rule.rule)) {
+                durable = true // legacy path verified — durable on this host shape
+                process.stderr.write(
+                  `telegram gateway: always-allow added rule="${rule.rule}" agent=${agentName} via legacy grant (request_id=${request_id})\n`,
+                )
+              } else {
+                failReason = `rule "${rule.rule}" not found in resolved tools.allow after write — config location may have drifted`
+                process.stderr.write(
+                  `telegram gateway: always-allow VERIFY FAILED: ${failReason} (request_id=${request_id})\n`,
+                )
+              }
+            } else {
+              failReason = `agent "${agentName}" not found in config after write`
+              process.stderr.write(
+                `telegram gateway: always-allow VERIFY FAILED: ${failReason} (request_id=${request_id})\n`,
+              )
+            }
+          } catch (verifyErr) {
+            failReason = `config re-read failed: ${(verifyErr as Error).message}`
+            process.stderr.write(
+              `telegram gateway: always-allow VERIFY FAILED: ${failReason} (request_id=${request_id})\n`,
+            )
+          }
+        } catch (err) {
+          failReason = (err as Error).message
+          process.stderr.write(`telegram gateway: always-allow grant failed: ${failReason}\n`)
+        }
+      }
+    } finally {
+      // Single-shot correlation — drop it whether or not it was
+      // consumed by hostd's callback, so it can never be replayed.
+      pendingAlwaysAllowCorrelations.delete(correlationKey)
+    }
 
-    const ackText = grantOk
-      ? `🔁 Always allow ${rule.label} for ${agentName}`
-      : `⚠️ Allowed for now, but "always" did NOT save — it will ask again after restart. Check gateway log.`
+    const ok = durable
+    const legacyNote = legacy && durable
+    const ackText = ok
+      ? (legacyNote
+          ? `🔁 Always allow ${rule.label} for ${agentName} (legacy path)`
+          : `🔁 Always allow ${rule.label} for ${agentName}`)
+      : (editLockHint
+          ? `⚠️ Allowed for now — config edits are locked. Enable hostd.config_edit_enabled.`
+          : `⚠️ Allowed for now, but "always" did NOT save — it will ask again after restart. Check gateway log.`)
     // HTML-escape baseText — `ctx.callbackQuery.message.text` returns
     // entities-stripped plain UTF-8, so raw `<`/`>`/`&` in the
     // expanded permission card's `description` or `input_preview`
@@ -15346,37 +15419,22 @@ bot.on('callback_query:data', async ctx => {
     const baseText = sourceMsg && 'text' in sourceMsg && sourceMsg.text
       ? escapeHtmlForTg(sourceMsg.text)
       : ''
-    const editLabel = grantOk
-      ? `🔁 <b>Always allow ${escapeHtmlForTg(rule.label)}</b> for ${escapeHtmlForTg(agentName)} — restart agent for full effect`
-      : `⚠️ <b>Allowed for now — "always" did NOT save.</b> It will ask again after restart. Check gateway log.`
+    const editLabel = ok
+      ? (legacyNote
+          ? `🔁 <b>Always allow ${escapeHtmlForTg(rule.label)}</b> for ${escapeHtmlForTg(agentName)} — saved (legacy path); restart agent for full effect`
+          : `🔁 <b>Always allow ${escapeHtmlForTg(rule.label)}</b> for ${escapeHtmlForTg(agentName)} — saved; restart agent for full effect`)
+      : (editLockHint
+          ? `⚠️ <b>Allowed for now — "always" did NOT save.</b> Config edits are locked; enable <code>hostd.config_edit_enabled</code>.`
+          : `⚠️ <b>Allowed for now — "always" did NOT save.</b> It will ask again after restart. Check gateway log.`)
     // #1150 audit: route through finalizeCallback so the keyboard
-    // strips alongside the status-line edit. Pre-fix this called
-    // editMessageText without `reply_markup` so the Allow/Deny/Always
-    // buttons stayed tappable after the decision — re-tap would re-
-    // fire the permission broadcast.
+    // strips alongside the status-line edit. The in-flight verdict was
+    // ALREADY dispatched above (independently of this host round-trip)
+    // so the turn never blocked — finalizeCallback here only edits the
+    // card; no synthInbound (would double-fire the verdict).
     await finalizeCallback(ctx, {
       ackText: ackText.slice(0, 200),
       newText: baseText ? `${baseText}\n\n${editLabel}` : editLabel,
       parseMode: 'HTML',
-      // Forward approval for the in-flight request regardless — even
-      // if the yaml edit failed, the operator clearly meant "yes" so
-      // we honour the immediate decision and surface the failure as
-      // a hint in the chat.
-      //
-      // #1138: also carry the resolved `rule` so the bridge can cache
-      // it for the rest of the session and auto-allow matching tool
-      // calls from sub-agents (Task tool) and the parent without
-      // re-popping the prompt. Only set when the yaml edit succeeded —
-      // otherwise the rule may be unsafe to honour at scale and we
-      // fall back to single-use allow.
-      synthInbound: () => {
-        dispatchPermissionVerdict({
-          type: 'permission',
-          requestId: request_id,
-          behavior: 'allow',
-          ...(grantOk ? { rule: rule.rule } : {}),
-        })
-      },
     })
     return
   }
@@ -15418,7 +15476,9 @@ bot.on('callback_query:data', async ctx => {
 })
 
 // ─── Inbound message handlers ─────────────────────────────────────────────
-bot.on('message:text', async ctx => { await handleInboundCoalesced(ctx, ctx.message.text, undefined) })
+bot.on('message:text', async ctx => {
+  await handleInboundCoalesced(ctx, ctx.message.text, undefined)
+})
 
 bot.on('message:photo', async ctx => {
   const caption = ctx.message.caption ?? '(photo)'