switchroom 0.14.75 → 0.14.77

package/dist/agent-scheduler/index.js

@@ -11211,6 +11211,7 @@ var profileFields = {
   memory: exports_external.object({
     collection: exports_external.string().optional(),
     auto_recall: exports_external.boolean().optional(),
+    file: exports_external.boolean().optional(),
     isolation: exports_external.enum(["default", "strict"]).optional(),
     recall: exports_external.object({
       max_memories: exports_external.number().int().min(0).optional(),

package/dist/auth-broker/index.js

@@ -11211,6 +11211,7 @@ var profileFields = {
   memory: exports_external.object({
     collection: exports_external.string().optional(),
     auto_recall: exports_external.boolean().optional(),
+    file: exports_external.boolean().optional(),
     isolation: exports_external.enum(["default", "strict"]).optional(),
     recall: exports_external.object({
       max_memories: exports_external.number().int().min(0).optional(),
@@ -13891,8 +13892,29 @@ class AuthBroker {
       return override;
     return auth.active ?? null;
   }
-  async opGetCredentials(socket, id, identity2) {
+  servingAccount(identity2) {
     const account = this.callerAccount(identity2);
+    if (identity2.kind !== "consumer")
+      return account;
+    return this.consumerAccountWithFailover(account);
+  }
+  isAccountExhausted(account) {
+    const q = this.quota[account];
+    return q !== undefined && q.exhausted_until > this.now();
+  }
+  consumerAccountWithFailover(pinned) {
+    if (!pinned || !this.isAccountExhausted(pinned))
+      return pinned;
+    for (const cand of this.config.auth?.fallback_order ?? []) {
+      if (cand === pinned || this.isAccountExhausted(cand))
+        continue;
+      if (readAccountCredentials(cand, this.home))
+        return cand;
+    }
+    return pinned;
+  }
+  async opGetCredentials(socket, id, identity2) {
+    const account = this.servingAccount(identity2);
     if (!account) {
       this.audit({ op: "get-credentials", identity: identity2, ok: false, error: "no-active-account" });
       socket.write(encodeError(id, "ACCOUNT_NOT_FOUND", "no active account configured"));

package/dist/cli/notion-write-pretool.mjs

@@ -11959,6 +11959,7 @@ var profileFields = {
   memory: exports_external.object({
     collection: exports_external.string().optional(),
     auto_recall: exports_external.boolean().optional(),
+    file: exports_external.boolean().optional(),
     isolation: exports_external.enum(["default", "strict"]).optional(),
     recall: exports_external.object({
       max_memories: exports_external.number().int().min(0).optional(),

package/dist/cli/switchroom.js

@@ -13775,6 +13775,7 @@ var init_schema = __esm(() => {
     memory: exports_external.object({
       collection: exports_external.string().optional(),
       auto_recall: exports_external.boolean().optional(),
+      file: exports_external.boolean().optional(),
       isolation: exports_external.enum(["default", "strict"]).optional(),
       recall: exports_external.object({
         max_memories: exports_external.number().int().min(0).optional(),
@@ -20875,7 +20876,7 @@ function getHindsightSettingsEntry(agentName, config) {
   }
   const collection = getCollectionForAgent(agentName, config);
   const mcpConfig = generateHindsightMcpConfig(collection, memoryConfig);
-  return { key: "hindsight", value: mcpConfig };
+  return { key: "hindsight", value: { ...mcpConfig, alwaysLoad: true } };
 }
 function getPlaywrightMcpSettingsEntry() {
   return {
@@ -28973,7 +28974,7 @@ function classifyExtractionLogs(logs) {
       name: "hindsight extraction",
       status: "fail",
       detail: "fact-extraction LLM calls are failing" + (quotaHint ? " (429 / weekly-limit detected)" : "") + " \u2014 retains are accepted but extract 0 facts, so nothing becomes recallable",
-      fix: "Usually hindsight's `auth.consumers[hindsight].account` is quota-" + "exhausted or its OAuth broke. Repoint it to an account with quota in " + "switchroom.yaml, then `docker restart switchroom-auth-broker` and " + "`docker restart switchroom-hindsight` (single-file config mount needs " + "the broker restart to re-read). Confirm with a `claude -p` inside the " + "container."
+      fix: "Usually hindsight's `auth.consumers[hindsight].account` is quota-" + "exhausted or its OAuth broke. Repoint it to an account with quota in " + "switchroom.yaml, then `docker restart switchroom-auth-broker` and " + "`docker restart switchroom-hindsight` (single-file config mount needs " + "the broker restart to re-read). Confirm with a headless `claude` run " + "inside the container."
     };
   }
   if (zeroFacts >= 3 && okFacts === 0) {
@@ -49680,8 +49681,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.75";
-var COMMIT_SHA = "8c331b53";
+var VERSION = "0.14.77";
+var COMMIT_SHA = "2473dbbf";
 
 // src/cli/agent.ts
 init_source();
@@ -50533,16 +50534,16 @@ Every turn that answers a user message ends with a user-visible
 sees; your terminal output never reaches them.`;
 var MEMORY_GUIDANCE = `## Memory \u2014 proactive, conversational
 
-You have Hindsight tools: \`mcp__hindsight__sync_retain\`, \`mcp__hindsight__delete_memory\`, \`mcp__hindsight__recall\`, \`mcp__hindsight__reflect\`. Use them without being asked.
+You have Hindsight tools: \`mcp__hindsight__sync_retain\`, \`mcp__hindsight__delete_document\`, \`mcp__hindsight__recall\`, \`mcp__hindsight__reflect\`. Use them without being asked.
 
 ### Retain proactively
 When the user shares a fact, preference, decision, or plan worth keeping across sessions, call \`sync_retain\` in the same turn. Briefly acknowledge in your reply ("got it, April 2nd anniversary"). Don't narrate the tool call. Skip small talk and transient tool output, the auto-retain hook handles conversation-level signal.
 
 ### Correct proactively
-When the user corrects you or contradicts a prior memory, call \`delete_memory\` on the wrong entry, then \`sync_retain\` the correction. Acknowledge the correction in one line ("noted, Alice not Bob").
+When the user corrects you or contradicts a prior memory, call \`delete_document\` on the wrong entry, then \`sync_retain\` the correction. Acknowledge the correction in one line ("noted, Alice not Bob").
 
 ### Forget proactively
-When the user asks you to forget something ("forget that", "delete X", "drop what I said about Y"), call \`delete_memory\` for matching entries and confirm what was removed.
+When the user asks you to forget something ("forget that", "delete X", "drop what I said about Y"), call \`delete_document\` for matching entries and confirm what was removed.
 
 ### Inspect proactively
 When the user asks "what do you know about X / me", "what do you remember about Y", or any memory audit, use \`reflect\` to synthesize an answer across the bank. Return it as honest prose, not a raw dump. If the bank has little on the topic, say so.
@@ -50599,7 +50600,18 @@ name from that list.
 Only call the \`vault_request_access\` MCP tool \u2014 which pings the
 operator for a Telegram approval \u2014 for a key you've **confirmed via
 \`vault list\` you don't already have.** Requesting access to a guessed
-or already-held key wastes the operator's tap and fails.`;
+or already-held key wastes the operator's tap and fails.
+
+**Never put a secret's value \u2014 or a \`vault:<key>\` placeholder \u2014 in a
+tool call.** Tool arguments are sent to the underlying API verbatim;
+nothing resolves a \`vault:\` reference for them. A real secret never
+needs to appear in a tool call \u2014 the launcher injects it into the
+tool's environment for you. A value you genuinely must pass literally
+(an account or customer ID) is a public identifier, not a secret, and
+belongs in plain config, not the vault. If a tool call is **blocked for
+containing a vaulted secret**, report that exact block message to the
+operator and stop \u2014 don't theorise about auth or tokens; it just means
+a stored value reached a tool argument.`;
 function renderFleetInvariants() {
   return [
     "<!--",
@@ -51110,6 +51122,11 @@ function buildHumanizerEnvVars(agentDir, agent) {
   const resolved = expanded.startsWith("/") ? expanded : resolve11(agentDir, expanded);
   return { HUMANIZER_VOICE_FILE: resolved };
 }
+function buildToolSearchEnvVars() {
+  if (process.env.SWITCHROOM_DISABLE_TOOL_SEARCH === "1")
+    return {};
+  return { ENABLE_TOOL_SEARCH: process.env.SWITCHROOM_TOOL_SEARCH_MODE ?? "auto" };
+}
 var SWITCHROOM_OWNED_SETTINGS_KEYS = new Set([
   "permissions",
   "mcpServers",
@@ -51439,6 +51456,7 @@ function buildWorkspaceContext(args) {
     fallbackModelQ: agentConfig.fallback_model ? shellSingleQuote(agentConfig.fallback_model) : undefined,
     userEnvQuoted: (() => {
       const combined = {
+        ...buildToolSearchEnvVars(),
         ...channelsToEnv(agentConfig),
         ...agentConfig.env ?? {},
         ...buildRepoEnvVars(name, agentDir, agentConfig),
@@ -51749,7 +51767,8 @@ function scaffoldAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchro
           TELEGRAM_STATE_DIR: telegramStateDir,
           SWITCHROOM_CONFIG: resolvedConfigPath,
           SWITCHROOM_CLI_PATH: switchroomCliPath
-        }
+        },
+        alwaysLoad: true
       },
       "agent-config": {
         command: switchroomCliPath,
@@ -51757,7 +51776,8 @@ function scaffoldAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchro
         env: {
           SWITCHROOM_AGENT_NAME: name,
           SWITCHROOM_CONFIG: resolvedConfigPath
-        }
+        },
+        alwaysLoad: true
       }
     };
     if (agentConfig.admin === true) {
@@ -52502,6 +52522,7 @@ function reconcileAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchr
       fallbackModelQ: agentConfig.fallback_model ? shellSingleQuote(agentConfig.fallback_model) : undefined,
       userEnvQuoted: (() => {
         const combined = {
+          ...buildToolSearchEnvVars(),
           ...channelsToEnv(agentConfig),
           ...agentConfig.env ?? {},
           ...buildRepoEnvVars(name, agentDir, agentConfig)
@@ -52784,7 +52805,8 @@ ${body}
           TELEGRAM_STATE_DIR: telegramStateDir,
           SWITCHROOM_CONFIG: resolvedConfigPath,
           SWITCHROOM_CLI_PATH: switchroomCliPath
-        }
+        },
+        alwaysLoad: true
       },
       "agent-config": {
         command: switchroomCliPath,
@@ -52792,7 +52814,8 @@ ${body}
         env: {
           SWITCHROOM_AGENT_NAME: name,
           SWITCHROOM_CONFIG: resolvedConfigPath
-        }
+        },
+        alwaysLoad: true
       }
     };
     if (agentConfig.admin === true) {
@@ -64068,6 +64091,15 @@ import { existsSync as existsSync37 } from "node:fs";
 
 // src/vault/doctor.ts
 var SENSITIVE_KEY_RE = /oauth(?![a-zA-Z])|token(?![a-zA-Z])|secret(?![a-zA-Z])|api[-_]?key(?![a-zA-Z])|password(?![a-zA-Z])/i;
+function looksLikeIdentifierValue(value) {
+  const v = value.trim();
+  if (v.length < 8 || v.length > 24)
+    return false;
+  if (!/^[0-9][0-9 -]*[0-9]$/.test(v))
+    return false;
+  const digitCount = v.replace(/[^0-9]/g, "").length;
+  return digitCount >= 8;
+}
 function analyseVaultHealth(input) {
   const diagnostics = [];
   if (input.brokerConfigured && input.brokerRunning === false) {
@@ -64123,6 +64155,23 @@ ${keyList}`,
         fix: "Consider `switchroom vault set <key> --allow <agent>` to restrict access"
       });
     }
+    const identifierKeys = [];
+    for (const [keyName, entry] of Object.entries(input.vaultKeys)) {
+      if (entry.looksLikeIdentifier)
+        identifierKeys.push(keyName);
+    }
+    if (identifierKeys.length > 0) {
+      const keyList = identifierKeys.map((k) => `  ${k}`).join(`
+`);
+      diagnostics.push({
+        level: "warn",
+        check: "identifier-stored-as-secret",
+        message: `${identifierKeys.length} vault key(s) hold an identifier-like value (digits only):
+${keyList}
+` + `If an agent must pass one of these in a tool call, the secret-guard hook will block it \u2014 it cannot tell a public ID from a secret.`,
+        fix: "If the value is a public identifier (account/customer ID), remove it from the vault and pass it as plain config (e.g. hardcode it in the MCP launcher). If it is genuinely secret, ignore this."
+      });
+    }
     const unreferencedKeys = [];
     for (const keyName of Object.keys(input.vaultKeys)) {
       if (!referencedKeys.has(keyName)) {
@@ -64214,7 +64263,8 @@ function registerVaultDoctorCommand(vault, program3) {
         vaultKeys = {};
         for (const [name, entry] of Object.entries(entries)) {
           vaultKeys[name] = {
-            scope: "scope" in entry && entry.scope ? entry.scope : undefined
+            scope: "scope" in entry && entry.scope ? entry.scope : undefined,
+            looksLikeIdentifier: entry.kind === "string" ? looksLikeIdentifierValue(entry.value) : false
           };
         }
       } catch (err) {
@@ -77206,7 +77256,18 @@ function formatBytes(bytes) {
   return `${bytes.toLocaleString()} bytes`;
 }
 function estimateTokens(bytes) {
-  return Math.round(bytes / 4);
+  return Math.round(bytes / 3.7);
+}
+function readMcpServerNames(agentDir) {
+  const mcpPath = join64(agentDir, ".mcp.json");
+  if (!existsSync64(mcpPath))
+    return [];
+  try {
+    const parsed = JSON.parse(readFileSync56(mcpPath, "utf-8"));
+    return Object.keys(parsed.mcpServers ?? {});
+  } catch {
+    return null;
+  }
 }
 function sha256(content) {
   return createHash13("sha256").update(content).digest("hex").slice(0, 16);
@@ -77424,14 +77485,31 @@ function registerDebugCommand(program3) {
     const soulMdBytes = soulMdContent.length;
     const perTurnBytes = dynamicResult.concatenated.length;
     const userBytes = userMessage?.text.length ?? 0;
-    const totalBytes = stableBytes + perSessionBytes + claudeMdBytes + soulMdBytes + perTurnBytes + userBytes;
-    console.log(`Stable prefix:     ${formatBytes(stableBytes).padEnd(20)} (cache-hot)`);
+    const fleetDir = join64(agentsDir, "..", "fleet");
+    const fleetInvPath = join64(fleetDir, "switchroom-invariants.md");
+    const fleetClaudePath = join64(fleetDir, "CLAUDE.md");
+    const fleetInvBytes = existsSync64(fleetInvPath) ? readFileSync56(fleetInvPath, "utf-8").length : 0;
+    const fleetClaudeBytes = existsSync64(fleetClaudePath) ? readFileSync56(fleetClaudePath, "utf-8").length : 0;
+    const fleetBytes = fleetInvBytes + fleetClaudeBytes;
+    const totalBytes = stableBytes + perSessionBytes + claudeMdBytes + fleetBytes + perTurnBytes + userBytes;
+    console.log(`Stable prefix:     ${formatBytes(stableBytes).padEnd(20)} (cache-hot; includes SOUL.md ${soulMdBytes.toLocaleString()}B)`);
     console.log(`Per-session:       ${formatBytes(perSessionBytes).padEnd(20)} (cache-warm until next session)`);
-    console.log(`CLAUDE.md:         ${formatBytes(claudeMdBytes).padEnd(20)}`);
-    console.log(`SOUL.md:           ${formatBytes(soulMdBytes).padEnd(20)}`);
-    console.log(`Per-turn:          ${formatBytes(perTurnBytes).padEnd(20)} (never cached)`);
+    console.log(`CLAUDE.md (cwd):   ${formatBytes(claudeMdBytes).padEnd(20)} (cache-hot)`);
+    console.log(`Fleet invariants:  ${formatBytes(fleetBytes).padEnd(20)} (--add-dir, cache-hot)`);
+    console.log(`Per-turn:          ${formatBytes(perTurnBytes).padEnd(20)} (never cached \u2014 the real per-turn $ cost)`);
     console.log(`User message:      ${formatBytes(userBytes).padEnd(20)}`);
-    console.log(`Total:             ${formatBytes(totalBytes).padEnd(20)} (~${estimateTokens(totalBytes).toLocaleString()} tokens est.)`);
+    console.log(`Authored text:     ${formatBytes(totalBytes).padEnd(20)} (~${estimateTokens(totalBytes).toLocaleString()} tokens est.)`);
+    const mcpServers = readMcpServerNames(agentDir);
+    const mcpCount = mcpServers?.length ?? null;
+    const mcpEstK = mcpCount != null ? mcpCount * 3 : null;
+    const mcpLabel = mcpCount != null ? `${mcpCount} servers` : "(unreadable \u2014 agent-private .mcp.json)";
+    const mcpEstLabel = mcpEstK != null ? `~${mcpEstK.toLocaleString()}k tok` : "~30k tok (audit est.)";
+    console.log(`MCP tool surface:  ${mcpLabel.padEnd(20)} (NOT counted above; ~3k tok/server \u2248 ${mcpEstLabel} \u2014 deferred under tool search)`);
+    if (mcpServers && mcpServers.length > 0) {
+      console.log(`                   [${mcpServers.join(", ")}]`);
+    }
+    const floorMcp = mcpEstK != null ? `~${mcpEstK.toLocaleString()}k` : "~30k";
+    console.log(`Per-turn FLOOR:    ${`~${estimateTokens(totalBytes).toLocaleString()} + ${floorMcp} MCP + ~13k CLI-base`.padEnd(20)} tokens est. (before the user msg, recall, or tool results)`);
     const stableCacheInput = stableResult.concatenated + progressGuidance + baseSystemPromptAppend;
     const stableHash = sha256(stableCacheInput);
     console.log(`Cache stable hash: sha256:${stableHash}`);

package/dist/host-control/main.js

@@ -13946,6 +13946,7 @@ var profileFields = {
   memory: exports_external.object({
     collection: exports_external.string().optional(),
     auto_recall: exports_external.boolean().optional(),
+    file: exports_external.boolean().optional(),
     isolation: exports_external.enum(["default", "strict"]).optional(),
     recall: exports_external.object({
       max_memories: exports_external.number().int().min(0).optional(),

package/dist/vault/approvals/kernel-server.js

@@ -11532,6 +11532,7 @@ var init_schema = __esm(() => {
     memory: exports_external.object({
       collection: exports_external.string().optional(),
       auto_recall: exports_external.boolean().optional(),
+      file: exports_external.boolean().optional(),
       isolation: exports_external.enum(["default", "strict"]).optional(),
       recall: exports_external.object({
         max_memories: exports_external.number().int().min(0).optional(),

package/dist/vault/broker/server.js

@@ -11532,6 +11532,7 @@ var init_schema = __esm(() => {
     memory: exports_external.object({
       collection: exports_external.string().optional(),
       auto_recall: exports_external.boolean().optional(),
+      file: exports_external.boolean().optional(),
       isolation: exports_external.enum(["default", "strict"]).optional(),
       recall: exports_external.object({
         max_memories: exports_external.number().int().min(0).optional(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.14.75",
+  "version": "0.14.77",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/profiles/default/workspace/CLAUDE.md.hbs

@@ -11,23 +11,21 @@ Before answering anything non-trivial:
 
 1. Confirm who you are (see `IDENTITY.md` if present).
 2. Confirm who you're talking to (see `USER.md` if present).
-3. Remember what matters — `MEMORY.md` is your long-term memory; the
-   `memory/` subdirectory has daily notes (`memory/YYYY-MM-DD.md`) with
-   recent context.
+3. Recall what matters — your memory is **Hindsight**: call
+   `mcp__hindsight__recall` when you need prior context, decisions, or who
+   someone is. (Full memory protocol is in your `CLAUDE.md`.)
 4. If tools are configured, `TOOLS.md` captures setup-specific notes
    (host paths, credentials, endpoints) that save you discovery work.
 
 Don't ask permission to read these files. They exist so you can use them.
 
-## Memory discipline
+## Memory
 
-- **Short-term / recent context** → `memory/YYYY-MM-DD.md` — raw log-style
-  notes of what happened today. Create the day's file when you need it.
-- **Long-term / curated** → `MEMORY.md` — distilled learnings, decisions,
-  preferences, identity of people you interact with.
-- **Lessons** → When you make a mistake or learn something worth keeping,
-  write it down. Future-you is fresh every session. Files are your
-  continuity.
+Memory is **Hindsight**, not files — `recall` to read, `sync_retain` to keep a
+fact across sessions, `delete_document` to forget. Claude Code's built-in
+file-based auto-memory is disabled for this agent; do not maintain a `MEMORY.md`
+index or a `memory/` daily-notes directory. Your `CLAUDE.md` has the full
+protocol.
 
 ## Safety defaults
 
@@ -55,8 +53,8 @@ Failed edits burn your own context and the user's patience. Verify first.
   tool exists.
 - Long-running commands: use the background flag and poll, rather than
   blocking.
-- `memory_search` and `memory_get` (when available) are your primary
-  interface to workspace knowledge; use them before asking the user.
+- `mcp__hindsight__recall` is your interface to past context and decisions;
+  recall before asking the user something you may already know.
 
 ## Working on code repositories
 

package/telegram-plugin/dist/gateway/gateway.js

@@ -24035,6 +24035,7 @@ var init_schema = __esm(() => {
     memory: exports_external.object({
       collection: exports_external.string().optional(),
       auto_recall: exports_external.boolean().optional(),
+      file: exports_external.boolean().optional(),
       isolation: exports_external.enum(["default", "strict"]).optional(),
       recall: exports_external.object({
         max_memories: exports_external.number().int().min(0).optional(),
@@ -52820,11 +52821,11 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.14.75";
-var COMMIT_SHA = "8c331b53";
-var COMMIT_DATE = "2026-06-06T06:33:56Z";
-var LATEST_PR = 2192;
-var COMMITS_AHEAD_OF_TAG = 0;
+var VERSION = "0.14.77";
+var COMMIT_SHA = "2473dbbf";
+var COMMIT_DATE = "2026-06-07T00:02:11+10:00";
+var LATEST_PR = null;
+var COMMITS_AHEAD_OF_TAG = 4;
 
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {

package/telegram-plugin/hooks/secret-guard-pretool.mjs

@@ -194,10 +194,19 @@ async function main() {
   }
   const hit = scanToolInput(toolInput, vaultValues)
   if (hit) {
+    // The reason is read by the model. It must be CORRECT and actionable:
+    // earlier versions said "reference it as vault:<key> instead", which
+    // suggested a `vault:` resolver that does not exist for tool arguments
+    // — sending agents (and operators) chasing a phantom mechanism. State
+    // the two real resolutions instead, and do NOT imply a resolver.
     process.stdout.write(
       JSON.stringify({
         decision: 'block',
-        reason: `tool_input contains a vaulted secret — reference it as vault:${hit.key} instead`,
+        reason:
+          `Blocked: this tool input contains the value of vault secret '${hit.key}'. ` +
+          `Secrets must never appear in a tool call. ` +
+          `If '${hit.key}' is a real secret, do not pass it as an argument — the launcher injects it into the tool's environment, so you never type it. ` +
+          `If '${hit.key}' is actually a public identifier (e.g. an account or customer ID that must appear in the call), it should not be in the vault — ask the operator to move it to plain config.`,
       }),
     )
     process.exit(0)

package/telegram-plugin/tests/secret-guard-pretool.test.ts

@@ -132,7 +132,13 @@ describe('secret-guard-pretool.mjs (broker-direct)', () => {
     })
     expect(r.status).toBe(0)
     expect(r.stdout).toContain('"decision":"block"')
-    expect(r.stdout).toContain('vault:gh-token')
+    // The reason must name the offending key and explain the real fix.
+    expect(r.stdout).toContain('gh-token')
+    expect(r.stdout).toContain('Secrets must never appear in a tool call')
+    // It must NOT resurrect the old, misleading "reference it as vault:<key>"
+    // suggestion — there is no vault: resolver for tool arguments, and that
+    // advice sent agents down a dead end (see the hook's block-reason note).
+    expect(r.stdout).not.toContain('reference it as vault:')
   })
 
   it('allows when tool_input contains no vaulted value', async () => {