switchroom 0.15.12 → 0.15.14

package/telegram-plugin/scoped-approval.ts

@@ -0,0 +1,253 @@
+/**
+ * Scoped, time-boxed approval — the "⏱ 30 min" tier, the middle rung
+ * between "✅ Allow once" (re-prompts on the very next call) and
+ * "🔁 Always…" (a durable `tools.allow` write that lasts forever). After
+ * the operator taps "⏱ 30 min" on a permission card, byte-identical
+ * in-scope requests auto-allow for a fixed window without re-carding.
+ *
+ * Design contract (reference/access-model.md — "you hold the leash"):
+ *
+ *  - **Operator-authored only.** Every cache entry is created by an
+ *    `allowFrom`-authenticated Telegram tap. No tool call can seed an
+ *    entry (first contact always cards) or extend one (the window is a
+ *    FIXED box — `recordScopedGrant` sets `expiresAt` once; a matching
+ *    request never moves it). So an agent can never author its own
+ *    authorization.
+ *  - **Gateway-side only.** This store lives in the gateway process. It
+ *    must NOT be pushed down to the bridge's `sessionAllowRules`
+ *    (`bridge.ts`) — that cache is agent-uid, untimed, and would silently
+ *    promote a 30-min grant to session-forever. The gateway dispatches
+ *    the in-flight allow WITHOUT the `rule` field for exactly this reason.
+ *  - **Conservative scope (this tier, v1).** Only the *narrow* scope is
+ *    ever time-boxed: an exact file path (`Edit(/x.ts)`) or a Bash
+ *    command-family (`Bash(git:*)`). Broad scopes ("any file", resource-
+ *    blind MCP, "any command") are NOT offered the ⏱ button — they stay
+ *    once / always. This covers the real fatigue (re-editing the same
+ *    file, re-running a safe command) without fanning one tap across an
+ *    unbounded action set.
+ *  - **Fail-closed on irreversible.** A Bash family grant (`Bash(git:*)`)
+ *    must never auto-allow a destructive member of that family
+ *    (`git push --force`, `git reset --hard`). `isDestructiveBashCommand`
+ *    is re-checked at BOTH grant time (don't offer ⏱) and match time
+ *    (a cached family grant fails closed → re-cards) so per-call consent
+ *    for irreversible actions is preserved.
+ *
+ * Pure + side-effect-free so it unit-tests under vitest AND bun without a
+ * Grammy context (mirrors permission-rule.ts). Callers pass `now`/`ttlMs`
+ * explicitly; nothing reads the clock here.
+ */
+
+import { basename } from "node:path";
+import { matchesAllowRule, type ScopedAllowChoices } from "./permission-rule.js";
+
+/** Default time-box window: 30 minutes. */
+export const SCOPED_APPROVAL_DEFAULT_TTL_MS = 30 * 60 * 1000;
+
+/**
+ * Resolve the configured window from the environment. `0` (or negative)
+ * disables the tier — the gateway hides the ⏱ button and never
+ * short-circuits. A blank/garbage value falls back to the 30-min default.
+ * Kill-switch: `SWITCHROOM_SCOPED_APPROVAL_TTL_MS=0`.
+ */
+export function scopedApprovalTtlMs(
+  env: Record<string, string | undefined> = process.env,
+): number {
+  const raw = env.SWITCHROOM_SCOPED_APPROVAL_TTL_MS;
+  if (raw === undefined || raw.trim() === "") return SCOPED_APPROVAL_DEFAULT_TTL_MS;
+  const n = Number(raw);
+  if (!Number.isFinite(n) || n < 0) return SCOPED_APPROVAL_DEFAULT_TTL_MS;
+  return Math.floor(n);
+}
+
+/** A single operator-tapped, time-boxed grant. */
+export interface ScopedGrant {
+  /** Narrow allow-rule, e.g. `Edit(/state/x.ts)` or `Bash(git:*)`. */
+  readonly rule: string;
+  /** Unix-ms when this grant stops auto-allowing. Fixed at grant time. */
+  readonly expiresAt: number;
+}
+
+/** Per-agent store of live time-boxed grants. Keyed by agent name. */
+export type ScopedGrantStore = Map<string, ScopedGrant[]>;
+
+/** The narrow rule + an honest operator-facing breadth phrase for the card. */
+export interface TimeBoxDecision {
+  readonly rule: string;
+  /** e.g. "edits to x.ts" / "any `git` command" — states the real breadth. */
+  readonly breadth: string;
+}
+
+const FILE_RULE = /^(Edit|Write|MultiEdit|NotebookEdit|Read)\((.+)\)$/;
+const BASH_FAMILY_RULE = /^Bash\(([^:]+):\*\)$/;
+
+/**
+ * Conservative time-box eligibility. Given the already-resolved scope
+ * choices for a permission request, return the NARROW rule to time-box
+ * plus an honest breadth phrase — or `null` when this request must not
+ * get a ⏱ button (broad-only tools, MCP, Skill, a destructive Bash
+ * command, or any tool with no narrow sub-scope).
+ *
+ *  - File tools with an exact path → time-boxable (bounded to the one
+ *    operator-seen file).
+ *  - Bash with a first-token family → time-boxable ONLY when the
+ *    triggering command itself is non-destructive. The family grant
+ *    still covers the whole `<tok>` family for matching, but match-time
+ *    re-checks each later command (see `lookupScopedGrant`).
+ */
+export function resolveTimeBox(
+  toolName: string,
+  inputPreview: string | undefined,
+  choices: ScopedAllowChoices | null,
+): TimeBoxDecision | null {
+  // Only ever time-box the narrow scope, and only when one exists.
+  const specific = choices?.specific;
+  if (!specific || specific.broad) return null;
+  const rule = specific.rule;
+
+  const fileMatch = FILE_RULE.exec(rule);
+  if (fileMatch) {
+    const verb = fileMatch[1] === "Read" ? "reads of" : "edits to";
+    return { rule, breadth: `${verb} ${basename(fileMatch[2]!)}` };
+  }
+
+  const bashMatch = BASH_FAMILY_RULE.exec(rule);
+  if (bashMatch) {
+    const cmd = readBashCommand(inputPreview);
+    // No command text to vet, or a destructive triggering command → don't
+    // offer the time-box at all (fall through to once / always).
+    if (!cmd || isDestructiveBashCommand(cmd)) return null;
+    return { rule, breadth: `any \`${bashMatch[1]}\` command` };
+  }
+
+  // MCP (resource-blind), Skill, broad-only tools → not time-boxed in the
+  // conservative tier.
+  return null;
+}
+
+/**
+ * Record an operator-tapped 30-min grant. The window is a FIXED box: a
+ * re-tap on the same rule resets it (the operator just re-approved), but
+ * nothing else ever moves `expiresAt`. Re-tapping the same rule replaces
+ * the prior entry rather than accumulating duplicates. A non-positive
+ * `ttlMs` is a no-op (tier disabled).
+ */
+export function recordScopedGrant(
+  store: ScopedGrantStore,
+  agent: string,
+  rule: string,
+  now: number,
+  ttlMs: number,
+): void {
+  if (ttlMs <= 0) return;
+  const list = store.get(agent) ?? [];
+  const others = list.filter((g) => g.rule !== rule);
+  others.push({ rule, expiresAt: now + ttlMs });
+  store.set(agent, others);
+}
+
+/**
+ * Is there a LIVE operator-tapped grant covering this request? Returns the
+ * matching rule (for the audit log line) or `null`.
+ *
+ * FAIL-CLOSED in two ways:
+ *   1. an expired grant never matches (→ re-card);
+ *   2. a destructive Bash command never auto-allows even when its family
+ *      grant (`Bash(git:*)`) matches — `git push --force` re-cards even
+ *      after `git status` was time-boxed.
+ *
+ * Never mutates the store (no window-sliding). Pure read.
+ */
+export function lookupScopedGrant(
+  store: ScopedGrantStore,
+  agent: string,
+  toolName: string,
+  inputPreview: string | undefined,
+  now: number,
+): string | null {
+  const list = store.get(agent);
+  if (!list || list.length === 0) return null;
+  for (const g of list) {
+    if (g.expiresAt <= now) continue; // expired → fail closed
+    if (!matchesAllowRule(g.rule, toolName, inputPreview)) continue;
+    if (toolName === "Bash") {
+      const cmd = readBashCommand(inputPreview);
+      // Family grant matched, but re-vet THIS command: destructive or
+      // un-vettable → fail closed, re-card.
+      if (!cmd || isDestructiveBashCommand(cmd)) return null;
+    }
+    return g.rule;
+  }
+  return null;
+}
+
+/** Drop expired grants. Call from the gateway's periodic sweep. */
+export function sweepScopedGrants(store: ScopedGrantStore, now: number): void {
+  for (const [agent, list] of store) {
+    const live = list.filter((g) => g.expiresAt > now);
+    if (live.length === 0) store.delete(agent);
+    else if (live.length !== list.length) store.set(agent, live);
+  }
+}
+
+/**
+ * Heuristic destructive/irreversible-command detector. FAIL-CLOSED: when
+ * a command can't be read or looks risky, return `true` so it is never
+ * time-boxed (it re-prompts instead). Better to re-card a safe command
+ * than auto-allow a destructive one. Covers the access-model crown-jewel
+ * cases that ride the tool-permission channel: pipe-to-shell, privilege
+ * escalation, destructive coreutils/disk ops, recursive perms, device
+ * redirects, destructive git, power/process control, and bulk
+ * docker/package teardown.
+ */
+export function isDestructiveBashCommand(command: string): boolean {
+  if (!command || !command.trim()) return true;
+  const c = command.toLowerCase();
+
+  // Backtick command substitution is un-vettable: the destructive op can
+  // hide inside `…` where the command-position anchors below (which include
+  // `$(` but not the backtick) would miss it — e.g. `git status \`rm -rf x\``
+  // matches the `Bash(git:*)` family but its first token is the harmless
+  // `git`. There is no need to time-box a backtick-substituted command, so
+  // fail closed (re-card). `$(…)` substitution stays handled by the `(`
+  // anchor in the rules below.
+  if (c.includes("`")) return true;
+
+  // download-and-execute: ... | sh|bash|python|node
+  if (/\|\s*(sudo\s+)?(sh|bash|zsh|fish|python\d?|perl|ruby|node)\b/.test(c)) return true;
+  // privilege escalation
+  if (/(^|\s|;|&&|\|\||\()sudo\b/.test(c)) return true;
+  if (/(^|\s|;|&&|\|\||\()(su|doas)\s/.test(c)) return true;
+  // destructive coreutils / disk
+  if (/(^|\s|;|&&|\|\||\()(rm|rmdir|dd|shred|truncate|fdisk|mkfs\S*|wipefs|blkdiscard|fallocate)\b/.test(c)) return true;
+  // recursive permission / ownership changes (-R / --recursive)
+  if (/\b(chmod|chown|chgrp)\b[^|;&]*(\s-(-recursive|[a-z]*r[a-z]*)\b)/.test(c)) return true;
+  // redirection clobbering devices or system dirs
+  if (/>\s*\/(dev|etc|boot|sys|proc)\b/.test(c)) return true;
+  // destructive git
+  if (/\bgit\b/.test(c) &&
+      /(push\b[^|;&]*(--force|-f\b|--force-with-lease)|push\s+[^\s]*\s+\+|reset\s+--hard|clean\s+-[a-z]*[fd]|filter-branch|reflog\s+expire|update-ref\s+-d|branch\s+-d{1,2}\b|checkout\s+--\s|restore\b)/.test(c)) return true;
+  // power / process control
+  if (/(^|\s|;|&&|\|\||\()(shutdown|reboot|halt|poweroff|kill|killall|pkill)\b/.test(c)) return true;
+  if (/(^|\s)init\s+0\b/.test(c)) return true;
+  // bulk docker teardown / package removal
+  if (/\bdocker\b[^|;&]*\b(rm|prune)\b/.test(c)) return true;
+  if (/(^|\s)(apt|apt-get|yum|dnf|brew|pacman|npm|pnpm|yarn|pip\d?)\b[^|;&]*\b(remove|uninstall|purge|prune)\b/.test(c)) return true;
+  // fork bomb
+  if (/:\s*\(\s*\)\s*\{/.test(c)) return true;
+
+  return false;
+}
+
+/** Extract the `command` string from a permission_request input preview. */
+function readBashCommand(inputPreview: string | undefined): string | null {
+  if (!inputPreview || typeof inputPreview !== "string") return null;
+  const trimmed = inputPreview.trim();
+  if (!trimmed.startsWith("{")) return null;
+  try {
+    const parsed = JSON.parse(trimmed) as Record<string, unknown>;
+    const cmd = parsed?.command;
+    return typeof cmd === "string" && cmd.length > 0 ? cmd : null;
+  } catch {
+    return null;
+  }
+}

package/telegram-plugin/tests/bridge-liveness-override.test.ts

@@ -0,0 +1,21 @@
+/**
+ * #2307 Tier-1 — the cron-session bridge writes its liveness file to a DISTINCT
+ * path so a live `<agent>-cron` bridge can't mask a dead MAIN bridge in the
+ * dashboard/doctor probe (RISK #2). The bridge is an IIFE (can't instantiate
+ * in-process), so this pins the wiring by source-read: the liveness file path
+ * honours `SWITCHROOM_BRIDGE_ALIVE_PATH`, falling back to the canonical
+ * STATE_DIR/.bridge-alive (unchanged for the main bridge).
+ */
+import { describe, it, expect } from "vitest";
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
+
+const bridgeSrc = readFileSync(resolve(__dirname, "..", "bridge", "bridge.ts"), "utf-8");
+
+describe("bridge liveness path override (#2307 Tier-1)", () => {
+  it("honours SWITCHROOM_BRIDGE_ALIVE_PATH, falling back to STATE_DIR/.bridge-alive", () => {
+    expect(bridgeSrc).toMatch(
+      /livenessFilePath:\s*process\.env\.SWITCHROOM_BRIDGE_ALIVE_PATH\s*\?\?\s*join\(STATE_DIR,\s*["']\.bridge-alive["']\)/,
+    );
+  });
+});

package/telegram-plugin/tests/ipc-server-validate-send-outbound.test.ts

@@ -0,0 +1,54 @@
+/**
+ * Validation contract for the `send_outbound` IPC verb (#2307 Tier-0 action
+ * tier) — the MODEL-FREE outbound the agent-scheduler sends for a `kind: action`
+ * telegram-message. A rogue process on the same UDS must not inject a malformed
+ * payload: agentName required + name-shaped, chatId + text required non-empty,
+ * threadId (optional) an integer, parseMode (optional) html|text.
+ */
+import { describe, it, expect } from "vitest";
+import { validateClientMessage } from "../gateway/ipc-server.js";
+
+const base = { type: "send_outbound", agentName: "clerk", chatId: "12345", text: "Daily heartbeat" };
+
+describe("validateClientMessage — send_outbound", () => {
+  it("accepts a well-formed minimal message", () => {
+    expect(validateClientMessage(base)).toBe(true);
+  });
+
+  it("accepts threadId + parseMode", () => {
+    expect(validateClientMessage({ ...base, threadId: 7, parseMode: "html" })).toBe(true);
+    expect(validateClientMessage({ ...base, threadId: 1, parseMode: "text" })).toBe(true);
+  });
+
+  it("rejects a missing / non-string / malformed agentName", () => {
+    expect(validateClientMessage({ ...base, agentName: undefined })).toBe(false);
+    expect(validateClientMessage({ ...base, agentName: 123 })).toBe(false);
+    expect(validateClientMessage({ ...base, agentName: "" })).toBe(false);
+    expect(validateClientMessage({ ...base, agentName: "../etc" })).toBe(false);
+    expect(validateClientMessage({ ...base, agentName: "Clerk UPPER" })).toBe(false);
+  });
+
+  it("rejects a missing / empty chatId", () => {
+    expect(validateClientMessage({ ...base, chatId: undefined })).toBe(false);
+    expect(validateClientMessage({ ...base, chatId: "" })).toBe(false);
+    expect(validateClientMessage({ ...base, chatId: 123 })).toBe(false);
+  });
+
+  it("rejects a missing / empty / over-long text", () => {
+    expect(validateClientMessage({ ...base, text: undefined })).toBe(false);
+    expect(validateClientMessage({ ...base, text: "" })).toBe(false);
+    expect(validateClientMessage({ ...base, text: 5 })).toBe(false);
+    expect(validateClientMessage({ ...base, text: "x".repeat(4096) })).toBe(true); // at the cap
+    expect(validateClientMessage({ ...base, text: "x".repeat(4097) })).toBe(false); // over Telegram's limit
+  });
+
+  it("rejects a non-integer threadId", () => {
+    expect(validateClientMessage({ ...base, threadId: 1.5 })).toBe(false);
+    expect(validateClientMessage({ ...base, threadId: "1" })).toBe(false);
+  });
+
+  it("rejects an unknown parseMode", () => {
+    expect(validateClientMessage({ ...base, parseMode: "markdown" })).toBe(false);
+    expect(validateClientMessage({ ...base, parseMode: 1 })).toBe(false);
+  });
+});

package/telegram-plugin/tests/linear-agent-activity.test.ts

@@ -51,7 +51,7 @@ describe('linear_agent_activity — gateway wiring (#2298)', () => {
   })
 
   it('is allow-listed and dispatched', () => {
-    expect(gw).toMatch(/'linear_agent_activity',\n\]\)/)
+    expect(gw).toMatch(/'linear_agent_activity',/)
     expect(gw).toMatch(/case 'linear_agent_activity':\s*\n\s*return executeLinearAgentActivity\(args\)/)
   })
 })

package/telegram-plugin/tests/linear-create-issue.test.ts

@@ -0,0 +1,211 @@
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+import {
+  createLinearIssue,
+  captureDedupMarker,
+  type LinearTokenResult,
+} from '../gateway/linear-activity.js'
+
+/**
+ * Tests for the `linear_create_issue` MCP tool (#2312 — capture-on-reaction
+ * → Linear).
+ *
+ * Structural part: assert the tool is declared in bridge/bridge.ts and
+ * allow-listed + dispatched in gateway/gateway.ts (the gateway IIFE can't be
+ * imported in a test, so wiring is verified by reading the source — same
+ * constraint as linear-agent-activity.test.ts).
+ *
+ * Behavioural part: the create logic lives in gateway/linear-activity.ts with
+ * an injectable token-resolver + fetch, so team auto-resolve, dedup, priority,
+ * and the vault-denied path are exercised without a broker or the network.
+ */
+
+const okToken = (token: string) => async (): Promise<LinearTokenResult> => ({ ok: true, token })
+
+/** A fake fetch that routes by GraphQL operation so a single test can answer
+ *  the teams query, the searchIssues query, and the issueCreate mutation
+ *  independently. Each handler returns the `data` payload. */
+function routingFetch(handlers: {
+  teams?: () => unknown
+  searchIssues?: () => unknown
+  issueCreate?: () => unknown
+  status?: number
+}): {
+  fetchImpl: typeof fetch
+  calls: Array<{ url: string; query: string; variables: Record<string, unknown>; headers: Record<string, string> }>
+} {
+  const calls: Array<{ url: string; query: string; variables: Record<string, unknown>; headers: Record<string, string> }> = []
+  const status = handlers.status ?? 200
+  const fetchImpl = (async (url: string, init?: RequestInit) => {
+    const parsed = JSON.parse((init?.body as string) ?? '{}') as { query: string; variables: Record<string, unknown> }
+    calls.push({
+      url,
+      query: parsed.query,
+      variables: parsed.variables,
+      headers: (init?.headers as Record<string, string>) ?? {},
+    })
+    let data: unknown = {}
+    if (parsed.query.includes('teams')) data = handlers.teams?.() ?? {}
+    else if (parsed.query.includes('searchIssues')) data = handlers.searchIssues?.() ?? {}
+    else if (parsed.query.includes('issueCreate')) data = handlers.issueCreate?.() ?? {}
+    return {
+      ok: status >= 200 && status < 300,
+      status,
+      json: async () => ({ data }),
+      text: async () => JSON.stringify({ data }),
+    } as unknown as Response
+  }) as unknown as typeof fetch
+  return { fetchImpl, calls }
+}
+
+const oneTeam = () => ({ teams: { nodes: [{ id: 'team_1', key: 'ENG', name: 'Engineering' }] } })
+const issueOk = () => ({ issueCreate: { success: true, issue: { id: 'i1', identifier: 'ENG-42', url: 'https://linear.app/acme/issue/ENG-42' } } })
+
+describe('linear_create_issue — gateway wiring (#2312)', () => {
+  const gw = readFileSync(new URL('../gateway/gateway.ts', import.meta.url), 'utf8')
+  const bridge = readFileSync(new URL('../bridge/bridge.ts', import.meta.url), 'utf8')
+
+  it('declares the MCP tool with required {title,body}', () => {
+    const idx = bridge.indexOf(`name: 'linear_create_issue'`)
+    expect(idx).toBeGreaterThan(0)
+    const schema = bridge.slice(idx, idx + 2500)
+    expect(schema).toMatch(/required: \['title', 'body'\]/)
+    expect(schema).toMatch(/dedup_key/)
+    expect(schema).toMatch(/team_id/)
+  })
+
+  it('is allow-listed and dispatched', () => {
+    expect(gw).toMatch(/'linear_create_issue',\n\]\)/)
+    expect(gw).toMatch(/case 'linear_create_issue':\s*\n\s*return executeLinearCreateIssue\(args\)/)
+  })
+})
+
+describe('createLinearIssue — behaviour (#2312)', () => {
+  it('auto-resolves the single team and POSTs issueCreate (zero-config)', async () => {
+    const { fetchImpl, calls } = routingFetch({ teams: oneTeam, issueCreate: issueOk })
+    const r = await createLinearIssue(
+      { title: 'Fix Brevo retries', body: 'They double-fire on sync.' },
+      { agent: 'clerk', resolveToken: okToken('lin_tok'), fetchImpl, log: () => {} },
+    )
+    expect(r.content[0].text).toBe('Filed: Fix Brevo retries → https://linear.app/acme/issue/ENG-42')
+    // teams query first, then issueCreate.
+    expect(calls).toHaveLength(2)
+    expect(calls[0].query).toMatch(/teams/)
+    expect(calls[1].query).toMatch(/issueCreate/)
+    expect(calls[1].variables.input).toMatchObject({ teamId: 'team_1', title: 'Fix Brevo retries' })
+    // raw token, no Bearer prefix (Linear convention).
+    expect(calls[1].headers.Authorization).toBe('lin_tok')
+  })
+
+  it('skips team resolution when team_id is passed', async () => {
+    const { fetchImpl, calls } = routingFetch({ issueCreate: issueOk })
+    const r = await createLinearIssue(
+      { title: 'X', body: 'Y', team_id: 'team_explicit' },
+      { agent: 'clerk', resolveToken: okToken('t'), fetchImpl, log: () => {} },
+    )
+    expect(r.content[0].text).toMatch(/Filed:/)
+    expect(calls).toHaveLength(1)
+    expect(calls[0].query).toMatch(/issueCreate/)
+    expect(calls[0].variables.input).toMatchObject({ teamId: 'team_explicit' })
+  })
+
+  it('uses deps.defaultTeamId when no team_id is passed (multi-team default)', async () => {
+    const { fetchImpl, calls } = routingFetch({ issueCreate: issueOk })
+    const r = await createLinearIssue(
+      { title: 'X', body: 'Y' },
+      { resolveToken: okToken('t'), fetchImpl, defaultTeamId: 'team_default', log: () => {} },
+    )
+    expect(r.content[0].text).toMatch(/Filed:/)
+    // default team skips the teams() resolution entirely.
+    expect(calls).toHaveLength(1)
+    expect(calls[0].query).toMatch(/issueCreate/)
+    expect(calls[0].variables.input).toMatchObject({ teamId: 'team_default' })
+  })
+
+  it('explicit team_id overrides deps.defaultTeamId', async () => {
+    const { fetchImpl, calls } = routingFetch({ issueCreate: issueOk })
+    await createLinearIssue(
+      { title: 'X', body: 'Y', team_id: 'team_explicit' },
+      { resolveToken: okToken('t'), fetchImpl, defaultTeamId: 'team_default', log: () => {} },
+    )
+    expect(calls[0].variables.input).toMatchObject({ teamId: 'team_explicit' })
+  })
+
+  it('passes priority through when provided', async () => {
+    const { fetchImpl, calls } = routingFetch({ issueCreate: issueOk })
+    await createLinearIssue(
+      { title: 'X', body: 'Y', team_id: 't', priority: 1 },
+      { resolveToken: okToken('t'), fetchImpl, log: () => {} },
+    )
+    expect((calls[0].variables.input as Record<string, unknown>).priority).toBe(1)
+  })
+
+  it('errors actionably when the workspace has multiple teams and none is given', async () => {
+    const { fetchImpl } = routingFetch({
+      teams: () => ({ teams: { nodes: [{ id: 'a', key: 'ENG', name: 'Engineering' }, { id: 'b', key: 'OPS', name: 'Operations' }] } }),
+    })
+    const r = await createLinearIssue(
+      { title: 'X', body: 'Y' },
+      { resolveToken: okToken('t'), fetchImpl, log: () => {} },
+    )
+    expect(r.content[0].text).toMatch(/multiple teams/)
+    expect(r.content[0].text).toMatch(/ENG \(Engineering\)/)
+    expect(r.content[0].text).toMatch(/default_team_id/)
+  })
+
+  it('short-circuits to "Already filed" on a dedup hit', async () => {
+    const { fetchImpl, calls } = routingFetch({
+      searchIssues: () => ({ searchIssues: { nodes: [{ id: 'old', url: 'https://linear.app/acme/issue/ENG-7', title: 'prior' }] } }),
+      teams: oneTeam,
+      issueCreate: issueOk,
+    })
+    const r = await createLinearIssue(
+      { title: 'X', body: 'Y', dedup_key: 'chat:99' },
+      { resolveToken: okToken('t'), fetchImpl, log: () => {} },
+    )
+    expect(r.content[0].text).toBe('Already filed: https://linear.app/acme/issue/ENG-7')
+    // only the search ran — no team resolve, no create.
+    expect(calls).toHaveLength(1)
+    expect(calls[0].query).toMatch(/searchIssues/)
+  })
+
+  it('falls through to create when the dedup search misses, and embeds the marker', async () => {
+    const { fetchImpl, calls } = routingFetch({
+      searchIssues: () => ({ searchIssues: { nodes: [] } }),
+      teams: oneTeam,
+      issueCreate: issueOk,
+    })
+    const r = await createLinearIssue(
+      { title: 'X', body: 'Y', dedup_key: 'chat:99' },
+      { resolveToken: okToken('t'), fetchImpl, log: () => {} },
+    )
+    expect(r.content[0].text).toMatch(/Filed:/)
+    const create = calls.find((c) => c.query.includes('issueCreate'))!
+    expect((create.variables.input as Record<string, unknown>).description).toContain(captureDedupMarker('chat:99'))
+  })
+
+  it('returns vault_request_access guidance when the token is denied', async () => {
+    const r = await createLinearIssue(
+      { title: 'X', body: 'Y' },
+      { agent: 'clerk', resolveToken: async () => ({ ok: false, reason: 'denied' }), log: () => {} },
+    )
+    expect(r.content[0].text).toMatch(/Couldn't file to Linear: no token/)
+    expect(r.content[0].text).toMatch(/vault_request_access/)
+    expect(r.content[0].text).toMatch(/linear\/clerk\/token/)
+  })
+
+  it('requires a title', async () => {
+    await expect(
+      createLinearIssue({ body: 'Y' }, { resolveToken: okToken('t'), log: () => {} }),
+    ).rejects.toThrow(/title is required/)
+  })
+
+  it('surfaces a Linear API error status', async () => {
+    const { fetchImpl } = routingFetch({ teams: oneTeam, issueCreate: issueOk, status: 401 })
+    const r = await createLinearIssue(
+      { title: 'X', body: 'Y' },
+      { resolveToken: okToken('t'), fetchImpl, log: () => {} },
+    )
+    expect(r.content[0].text).toMatch(/Linear API 401/)
+  })
+})

package/telegram-plugin/tests/permission-verdict-resume-guard.test.ts

@@ -54,6 +54,17 @@ const dispatchCallsites = LINES.flatMap((line, i) =>
     : [],
 )
 
+// A SILENT auto-allow path (the "⏱ 30 min" scoped-approval short-circuit in
+// onPermissionRequest) posts NO card: the turn was never parked on 🙏, so it
+// must NOT call resumeReactionAfterVerdict() / postPermissionResumeMessage()
+// — doing so on every auto-allowed call is the exact noise that tier removes.
+// Such callsites carry the `no-card-verdict` sentinel within the 3 lines above
+// the dispatch and are exempt from the resume/post pairing. The invariant the
+// guard protects (a verdict that un-parks a CARD must visibly resume it) still
+// holds for every card-bearing path.
+const isSilentNoCardVerdict = (idx: number): boolean =>
+  LINES.slice(Math.max(0, idx - 3), idx + 1).some((l) => /no-card-verdict/.test(l))
+
 // How far below the dispatch the resume call is allowed to live. The
 // widest real gap today is ~9 lines (the slash-command path); 15 gives
 // refactor headroom without letting an unrelated resume "cover" a
@@ -68,6 +79,7 @@ describe('permission verdict → resume reaction wiring', () => {
   it('every dispatchPermissionVerdict() callsite flips the awaiting glyph back via resumeReactionAfterVerdict()', () => {
     const unpaired: number[] = []
     for (const idx of dispatchCallsites) {
+      if (isSilentNoCardVerdict(idx)) continue
       const window = LINES.slice(idx, idx + RESUME_WINDOW + 1).join('\n')
       if (!/\bresumeReactionAfterVerdict\s*\(\s*\)/.test(window)) {
         // 1-based line number for a human-readable failure.
@@ -98,6 +110,7 @@ describe('permission verdict → resume reaction wiring', () => {
   it('every dispatchPermissionVerdict() callsite posts the agent-voiced resume message via postPermissionResumeMessage()', () => {
     const unpaired: number[] = []
     for (const idx of dispatchCallsites) {
+      if (isSilentNoCardVerdict(idx)) continue
       const window = LINES.slice(idx, idx + POST_WINDOW + 1).join('\n')
       if (!/\bpostPermissionResumeMessage\s*\(/.test(window)) {
         unpaired.push(idx + 1)

package/telegram-plugin/tests/runtime-metrics.test.ts

@@ -82,6 +82,15 @@ describe('runtime-metrics — JSONL sink', () => {
     expect(parsed.ended_via).toBe('reply')
   })
 
+  it('cron_fell_back_to_main carries agent + prompt_key (#2307 Tier-1)', () => {
+    emitRuntimeMetric({ kind: 'cron_fell_back_to_main', agent: 'clerk', prompt_key: 'abc123' })
+    const parsed = JSON.parse(readFileSync(metricsPath, 'utf-8').trim())
+    expect(parsed.kind).toBe('cron_fell_back_to_main')
+    expect(parsed.agent).toBe('clerk')
+    expect(parsed.prompt_key).toBe('abc123')
+    expect(typeof parsed.ts).toBe('number')
+  })
+
   it('appends — does not overwrite — across calls', () => {
     for (let i = 0; i < 5; i++) {
       emitRuntimeMetric({