switchroom 0.15.17 → 0.15.19

package/telegram-plugin/gateway/effort-command.ts

@@ -0,0 +1,272 @@
+/**
+ * Telegram `/effort` command — show or switch the Claude reasoning effort
+ * for this agent's live session. The effort sibling of `/model`.
+ *
+ * `/effort` (bare) renders the effort menu: the configured default plus an
+ * inline keyboard of the five levels the CLI offers
+ * (`low · medium · high · xhigh · max`, faster→smarter), the live level
+ * marked ✅. A tap types claude's own `/effort <level>` into the agent's
+ * tmux pane via the allowlisted inject primitive (`/effort` is on the
+ * inject allowlist) — the Claude-native mechanism: the unmodified CLI's
+ * REPL command, no API, no SDK, no config mutation.
+ *
+ * `/effort <level>` does the same non-interactively.
+ *
+ * The switch is session-scoped. It lasts until the agent restarts, because
+ * `start.sh` always relaunches claude with `--effort <thinking_effort>`
+ * (the cascade-resolved default, "low" out of the box) which re-pins the
+ * session effort on boot. Persisting a new default is a `thinking_effort:`
+ * change in switchroom.yaml + restart, which the reply spells out.
+ *
+ * Split parser/handler shape mirrors `model-command.ts` so the logic is
+ * unit-testable without booting the bot.
+ */
+
+import type { InjectResult } from '../../src/agents/inject.js'
+
+/**
+ * The effort levels the installed CLI accepts (`claude --help`:
+ * "--effort <level> … (low, medium, high, xhigh, max)"). Fixed and
+ * ordered faster→smarter. Unlike model ids these don't churn, so they're
+ * listed here rather than discovered live — a new level needs a one-line
+ * edit, surfaced by the regression test.
+ */
+export const EFFORT_LEVELS = ['low', 'medium', 'high', 'xhigh', 'max'] as const
+export type EffortLevel = (typeof EFFORT_LEVELS)[number]
+
+/** Strict allowlist gate — the arg is typed verbatim into the agent pane. */
+export function isValidEffortArg(arg: string): boolean {
+  return (EFFORT_LEVELS as readonly string[]).includes(arg.toLowerCase())
+}
+
+export type ParsedEffortCommand =
+  | { kind: 'show' }
+  | { kind: 'set'; level: EffortLevel }
+  | { kind: 'help'; reason?: string }
+
+/**
+ * Parse an `/effort` message. Returns null when the text isn't an /effort
+ * command at all (caller bug — bot.command should pre-filter).
+ */
+export function parseEffortCommand(text: string): ParsedEffortCommand | null {
+  const m = text.match(/^\/effort(?:@[A-Za-z0-9_]+)?(?:\s+([\s\S]*))?$/)
+  if (!m) return null
+  const rest = (m[1] ?? '').trim()
+  if (rest.length === 0) return { kind: 'show' }
+  const parts = rest.split(/\s+/)
+  if (parts.length > 1) {
+    return { kind: 'help', reason: 'effort takes a single level' }
+  }
+  const arg = parts[0]
+  if (arg.toLowerCase() === 'help') return { kind: 'help' }
+  if (!isValidEffortArg(arg)) {
+    return { kind: 'help', reason: `not a valid effort level: ${arg}` }
+  }
+  return { kind: 'set', level: arg.toLowerCase() as EffortLevel }
+}
+
+export interface EffortCommandDeps {
+  /** Inject primitive — wired to injectSlashCommand in the gateway. */
+  inject: (agent: string, command: string) => Promise<InjectResult>
+  getAgentName: () => string
+  /**
+   * The agent's cascade-resolved `thinking_effort` from
+   * `switchroom agent list` (the value start.sh bakes into `--effort`).
+   * Null when unreadable — rendered as the built-in default.
+   */
+  getConfiguredEffort: () => string | null
+  escapeHtml: (s: string) => string
+  preBlock: (s: string) => string
+}
+
+export interface EffortCommandReply {
+  text: string
+  html: true
+}
+
+const PERSIST_NOTE =
+  '<i>Session-only — reverts to the configured default on restart. To change the default, set <code>thinking_effort:</code> in switchroom.yaml and restart.</i>'
+
+const LEVELS_INLINE = EFFORT_LEVELS.map(l => `<code>${l}</code>`).join(' · ')
+
+function helpText(deps: EffortCommandDeps, reason?: string): EffortCommandReply {
+  const lines: string[] = []
+  if (reason) lines.push(`⚠️ ${deps.escapeHtml(reason)}`)
+  lines.push(
+    '<b>/effort</b> — show or switch the reasoning effort (faster→smarter)',
+    '<code>/effort</code> — show the configured effort + a tap menu',
+    `<code>/effort &lt;level&gt;</code> — switch the live session (${LEVELS_INLINE})`,
+    PERSIST_NOTE,
+  )
+  return { text: lines.join('\n'), html: true }
+}
+
+export async function handleEffortCommand(
+  parsed: ParsedEffortCommand,
+  deps: EffortCommandDeps,
+): Promise<EffortCommandReply> {
+  if (parsed.kind === 'help') return helpText(deps, parsed.reason)
+
+  if (parsed.kind === 'show') {
+    const configured = deps.getConfiguredEffort()
+    const shown = configured && configured.length > 0 ? configured : 'low'
+    return {
+      text: [
+        `<b>Effort — ${deps.escapeHtml(deps.getAgentName())}</b>`,
+        `Configured default: <code>${deps.escapeHtml(shown)}</code>`,
+        `Switch the live session: ${EFFORT_LEVELS.map(l => `<code>/effort ${l}</code>`).join(' · ')}`,
+        PERSIST_NOTE,
+      ].join('\n'),
+      html: true,
+    }
+  }
+
+  // kind === 'set' — re-gate at the seam so a caller that skipped the
+  // parser can't type arbitrary keys into the pane.
+  if (!isValidEffortArg(parsed.level)) {
+    return helpText(deps, `not a valid effort level: ${parsed.level}`)
+  }
+  const verbHtml = `<code>/effort ${deps.escapeHtml(parsed.level)}</code>`
+  let result: InjectResult
+  try {
+    result = await deps.inject(deps.getAgentName(), `/effort ${parsed.level}`)
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err)
+    return { text: `❌ ${verbHtml} — inject failed: ${deps.escapeHtml(msg)}`, html: true }
+  }
+
+  if (result.outcome === 'ok') {
+    return {
+      text: [
+        `${verbHtml}`,
+        deps.preBlock(result.output),
+        ...(result.truncated ? ['<i>truncated</i>'] : []),
+        PERSIST_NOTE,
+      ].join('\n'),
+      html: true,
+    }
+  }
+  if (result.outcome === 'ok_no_output') {
+    return {
+      text: [
+        `${verbHtml} — sent, but no response captured. The agent may be mid-turn; check <code>/inject /status</code> to confirm the active effort.`,
+        PERSIST_NOTE,
+      ].join('\n'),
+      html: true,
+    }
+  }
+  // outcome === 'failed'
+  if (result.errorCode === 'session_missing') {
+    return {
+      text:
+        '❌ tmux session not found — the agent must be running under the tmux supervisor (the default). Remove <code>experimental.legacy_pty: true</code> if set.',
+      html: true,
+    }
+  }
+  return {
+    text: `❌ ${verbHtml} — ${deps.escapeHtml(result.errorMessage ?? 'inject failed')}`,
+    html: true,
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Button menu — five fixed levels, the live one marked ✅. No live discovery
+// (the levels don't churn) and no picker-driving (the inline `/effort <level>`
+// form sets it directly), so this is far simpler than the /model menu.
+// ---------------------------------------------------------------------------
+
+export interface EffortMenuKeyboardButton {
+  text: string
+  callback_data: string
+}
+
+export interface EffortMenuReply {
+  text: string
+  html: true
+  keyboard?: EffortMenuKeyboardButton[][]
+}
+
+export const EFFORT_CALLBACK_PREFIX = 'eff:'
+const EFFORT_CALLBACK_SELECT = 'eff:s:'
+
+export function effortSelectCallbackData(level: string): string {
+  return `${EFFORT_CALLBACK_SELECT}${level}`
+}
+
+function menuKeyboard(highlight: string): EffortMenuKeyboardButton[][] {
+  // Five short labels fit one row (Telegram allows up to 8/row). ✅ marks
+  // the level we believe is live.
+  return [
+    EFFORT_LEVELS.map(l => ({
+      text: l === highlight ? `✅ ${l}` : l,
+      callback_data: effortSelectCallbackData(l),
+    })),
+  ]
+}
+
+/**
+ * Build the `/effort` menu: configured default + a tap row of the five
+ * levels. `highlight` marks the level shown as live (defaults to the
+ * configured value; the callback path passes the just-selected level).
+ */
+export function buildEffortMenu(deps: EffortCommandDeps, highlight?: string): EffortMenuReply {
+  const configured = deps.getConfiguredEffort() || 'low'
+  const live = highlight ?? configured
+  return {
+    text: [
+      `<b>Effort — ${deps.escapeHtml(deps.getAgentName())}</b>`,
+      `Default: <code>${deps.escapeHtml(configured)}</code> · faster → smarter: ${LEVELS_INLINE}`,
+      'Tap to switch the live session:',
+      PERSIST_NOTE,
+    ].join('\n'),
+    html: true,
+    keyboard: menuKeyboard(live),
+  }
+}
+
+export interface EffortCallbackOutcome {
+  reply: EffortMenuReply
+  /** The level applied to the live session, if any (gateway records it). */
+  selectedEffort?: string
+}
+
+/**
+ * Handle an `eff:*` callback tap. `eff:s:<level>` injects claude's
+ * `/effort <level>` and re-renders the menu with a one-line banner and the
+ * new level checked. Never throws — failures render as a banner.
+ */
+export async function handleEffortMenuCallback(
+  data: string,
+  deps: EffortCommandDeps,
+): Promise<EffortCallbackOutcome> {
+  if (!data.startsWith(EFFORT_CALLBACK_SELECT)) {
+    return { reply: buildEffortMenu(deps) }
+  }
+  const level = data.slice(EFFORT_CALLBACK_SELECT.length)
+  if (!isValidEffortArg(level)) {
+    return { reply: buildEffortMenu(deps) }
+  }
+  let banner: string
+  let selected: string | undefined
+  try {
+    const result = await deps.inject(deps.getAgentName(), `/effort ${level}`)
+    if (result.outcome === 'ok' || result.outcome === 'ok_no_output') {
+      banner = `✅ Effort → <code>${deps.escapeHtml(level)}</code> for this session`
+      selected = level
+    } else if (result.errorCode === 'session_missing') {
+      banner = '❌ tmux session not found — is the agent running under the supervisor?'
+    } else {
+      banner = `❌ couldn't set effort: ${deps.escapeHtml(result.errorMessage ?? 'inject failed')}`
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err)
+    banner = `❌ inject failed: ${deps.escapeHtml(msg)}`
+  }
+  // Re-render with the just-selected level checked (or the configured
+  // default if the inject failed) and the banner on top.
+  const menu = buildEffortMenu(deps, selected)
+  return {
+    reply: { ...menu, text: `${banner}\n${menu.text}` },
+    selectedEffort: selected,
+  }
+}

package/telegram-plugin/gateway/gateway.ts

@@ -271,6 +271,15 @@ import {
   type ModelMenuReply,
 } from './model-command.js'
 import { discoverModels, selectModel } from '../../src/agents/model-picker.js'
+import {
+  parseEffortCommand,
+  handleEffortCommand,
+  buildEffortMenu,
+  handleEffortMenuCallback,
+  EFFORT_CALLBACK_PREFIX,
+  type EffortCommandDeps,
+  type EffortMenuReply,
+} from './effort-command.js'
 import { type BannerState } from '../slot-banner.js'
 import { refreshBanner } from '../slot-banner-driver.js'
 import { loadConfig as loadSwitchroomConfig, findConfigFile as findSwitchroomConfigFile } from '../../src/config/loader.js'; import { resolveAgentConfig } from '../../src/config/merge.js'
@@ -3660,8 +3669,9 @@ function sweepStaleAlwaysAllowCorrelations(now = Date.now()): void {
   }
 }
 
-// "⏱ 30 min" scoped-approval store (the middle tier between Allow-once and
-// 🔁 Always). Operator-tapped, gateway-side ONLY (never pushed to the
+// Scoped-approval store: the 30-min window that backs the "✅ Allow" tap for
+// narrow non-destructive scopes (not a separate button — it IS what Allow
+// means for those). Operator-tapped, gateway-side ONLY (never pushed to the
 // bridge's untimed sessionAllowRules), fixed-window, fail-closed. Keyed by
 // agent name for per-agent isolation. All policy lives in
 // ../scoped-approval.ts (pure + unit-tested); this gateway only wires it.
@@ -5605,24 +5615,27 @@ const pendingPermissionBuffer = createPendingPermissionBuffer()
  * are resolved at call-time, after module init.)
  */
 /**
- * The default permission-card action row: ❌ Deny · ✅ Allow once ·
+ * The default permission-card action row: ❌ Deny · ✅ Allow ·
  * 🔁 Always… (the last only when a meaningful always-rule exists).
  * Tapping "🔁 Always…" swaps this row for the scope sub-menu; "← Back"
  * rebuilds this row. callback_data stays tiny (verb + 5-char id) so we
  * never approach Telegram's 64-byte ceiling.
+ *
+ * "✅ Allow" is no longer always literally "once": for a NARROW,
+ * non-destructive scope it auto-grants a fixed 30-min window (so the same
+ * action stops re-asking) — that is the default behavior of the allow tap,
+ * not a separate button. Broad / MCP / destructive scopes stay truly once.
+ * The post-tap card states which happened (honest-card contract). The
+ * decision lives in the allow handler via resolveTimeBox; the label here is
+ * deliberately neutral ("Allow", not "Allow once" or "Allow 30 min").
  */
 function buildPermissionActionRow(
   requestId: string,
   showAlways: boolean,
-  showTimeBox = false,
 ): InlineKeyboard {
   const kb = new InlineKeyboard()
     .text('❌ Deny', `perm:deny:${requestId}`)
-    .text('✅ Allow once', `perm:allow:${requestId}`)
-  // "⏱ 30 min" sits between once and always. Only shown for a narrow,
-  // non-destructive scope (resolveTimeBox decides); broad/MCP/destructive
-  // requests get once/always only.
-  if (showTimeBox) kb.text('⏱ 30 min', `perm:tmb:${requestId}`)
+    .text('✅ Allow', `perm:allow:${requestId}`)
   if (showAlways) kb.text('🔁 Always…', `perm:always:${requestId}`)
   return kb
 }
@@ -6044,19 +6057,15 @@ const ipcServer: IpcServer = createIpcServer({
       description,
       agentName: _client.agentName,
     })
-    // Compact action row: ❌ Deny · ✅ Allow once · 🔁 Always… — the
-    // scope of an "always" grant stays hidden until the operator taps
-    // "🔁 Always…", which swaps the row for a scope choice (this file /
-    // any file ⚠️). The "🔁 Always…" button only appears when we can
-    // synthesize a meaningful rule for this tool; unknown tools get the
-    // two-button row only.
-    const scopeChoices = resolveScopedAllowChoices(toolName, inputPreview)
-    const showAlways = scopeChoices != null
-    // Offer "⏱ 30 min" only for a narrow, non-destructive scope, and only
-    // when the tier is enabled (TTL > 0).
-    const showTimeBox = scopedApprovalTtlMs() > 0 &&
-      resolveTimeBox(toolName, inputPreview, scopeChoices) != null
-    const keyboard = buildPermissionActionRow(requestId, showAlways, showTimeBox)
+    // Compact action row: ❌ Deny · ✅ Allow · 🔁 Always… — the scope of an
+    // "always" grant stays hidden until the operator taps "🔁 Always…",
+    // which swaps the row for a scope choice (this file / any file ⚠️). The
+    // "🔁 Always…" button only appears when we can synthesize a meaningful
+    // rule for this tool; unknown tools get the two-button row only. "Allow"
+    // itself auto-grants a 30-min window for narrow non-destructive scopes
+    // (decided in the allow handler), so there is no separate time-box button.
+    const showAlways = resolveScopedAllowChoices(toolName, inputPreview) != null
+    const keyboard = buildPermissionActionRow(requestId, showAlways)
     // Route the card to the SAME place the post-verdict resume message
     // lands (resolvePermissionCardTargets): the ORIGINATING chat+topic when
     // there's an active turn — so a supergroup agent's card appears IN the
@@ -14219,6 +14228,51 @@ bot.command('model', async ctx => {
   await switchroomReply(ctx, reply.text, { html: reply.html })
 })
 
+// `/effort` — show or switch the reasoning effort for the live session.
+// The effort sibling of `/model`: bare form renders a five-button menu
+// (low/medium/high/xhigh/max, the live level ✅), a typed form
+// `/effort <level>` sets it directly. Both ride the allowlisted inject
+// primitive (claude's own `/effort` REPL command), session-scoped — boot
+// re-pins the configured default via start.sh's `--effort`. Implementation
+// in effort-command.ts so it's unit-testable without booting the bot.
+function buildEffortDeps(): EffortCommandDeps {
+  return {
+    inject: injectSlashCommandImpl,
+    getAgentName: getMyAgentName,
+    getConfiguredEffort: () => {
+      type AgentListResp = { agents: Array<{ name: string; thinking_effort?: string | null }> }
+      const data = switchroomExecJson<AgentListResp>(['agent', 'list'])
+      return data?.agents?.find(a => a.name === getMyAgentName())?.thinking_effort ?? null
+    },
+    escapeHtml: escapeHtmlForTg,
+    preBlock,
+  }
+}
+
+function effortMenuReplyMarkup(reply: EffortMenuReply): InlineKeyboard | undefined {
+  if (!reply.keyboard) return undefined
+  const kb = new InlineKeyboard()
+  for (const row of reply.keyboard) {
+    for (const btn of row) kb.text(btn.text, btn.callback_data)
+    kb.row()
+  }
+  return kb
+}
+
+bot.command('effort', async ctx => {
+  if (!isAuthorizedSender(ctx)) return
+  const text = ctx.message?.text ?? ctx.channelPost?.text ?? ''
+  const parsed = parseEffortCommand(text) ?? { kind: 'show' as const }
+  const deps = buildEffortDeps()
+  if (parsed.kind === 'show') {
+    const menu = buildEffortMenu(deps)
+    await switchroomReply(ctx, menu.text, { html: true, reply_markup: effortMenuReplyMarkup(menu) })
+    return
+  }
+  const reply = await handleEffortCommand(parsed, deps)
+  await switchroomReply(ctx, reply.text, { html: reply.html })
+})
+
 bot.command('agentstart', async ctx => {
   if (!isAuthorizedSender(ctx)) return
   const name = ctx.match?.trim() || getMyAgentName()
@@ -18608,6 +18662,33 @@ bot.on('callback_query:data', async ctx => {
   // a stale index); `mdl:r` re-renders. Strict allowFrom gate like
   // every other mutating callback family — a model switch changes the
   // fleet's quota burn profile.
+  if (data.startsWith(EFFORT_CALLBACK_PREFIX)) {
+    const access = loadAccess()
+    const senderId = String(ctx.from?.id ?? '')
+    if (!access.allowFrom.includes(senderId)) {
+      await ctx.answerCallbackQuery({ text: 'Not authorized.' })
+      return
+    }
+    // No picker-driving (the inline `/effort <level>` form sets it
+    // directly via the inject primitive), so no mid-turn guard is needed
+    // here — just ack and apply.
+    await ctx.answerCallbackQuery({ text: 'Setting effort…' }).catch(() => {})
+    try {
+      const outcome = await handleEffortMenuCallback(data, buildEffortDeps())
+      await ctx
+        .editMessageText(outcome.reply.text, {
+          parse_mode: 'HTML',
+          reply_markup: effortMenuReplyMarkup(outcome.reply) ?? { inline_keyboard: [] },
+        })
+        .catch(() => {})
+    } catch (err) {
+      process.stderr.write(
+        `telegram gateway: effort-menu callback failed: ${(err as Error)?.message ?? String(err)}\n`,
+      )
+    }
+    return
+  }
+
   if (data.startsWith(MODEL_CALLBACK_PREFIX)) {
     const access = loadAccess()
     const senderId = String(ctx.from?.id ?? '')
@@ -19073,7 +19154,7 @@ bot.on('callback_query:data', async ctx => {
   }
 
   // Permission request buttons.
-  const m = /^perm:(allow|deny|always|asn|asb|back|tmb):([a-km-z]{5})$/.exec(data)
+  const m = /^perm:(allow|deny|always|asn|asb|back):([a-km-z]{5})$/.exec(data)
   if (!m) { await ctx.answerCallbackQuery().catch(() => {}); return }
   const access = loadAccess()
   const senderId = String(ctx.from.id)
@@ -19088,10 +19169,7 @@ bot.on('callback_query:data', async ctx => {
     if (!details) { await ctx.answerCallbackQuery({ text: 'Details no longer available.' }).catch(() => {}); return }
     let keyboard: InlineKeyboard
     if (behavior === 'back') {
-      const backChoices = resolveScopedAllowChoices(details.tool_name, details.input_preview)
-      const backTimeBox = scopedApprovalTtlMs() > 0 &&
-        resolveTimeBox(details.tool_name, details.input_preview, backChoices) != null
-      keyboard = buildPermissionActionRow(request_id, true, backTimeBox)
+      keyboard = buildPermissionActionRow(request_id, true)
     } else {
       const choices = resolveScopedAllowChoices(details.tool_name, details.input_preview)
       if (choices == null) {
@@ -19315,69 +19393,47 @@ bot.on('callback_query:data', async ctx => {
     return
   }
 
-  // "⏱ 30 min" — record a fixed-window scoped grant for the NARROW scope,
-  // then allow the in-flight call. Mirrors the asn/asb structure: dispatch
-  // the verdict immediately, then edit the card. CRITICAL: the verdict
-  // carries NO `rule` (unlike asn/asb), so the bridge does not cache it
-  // untimed — the window lives only in scopedGrants, gateway-side.
-  if (behavior === 'tmb') {
-    const details = pendingPermissions.get(request_id)
-    if (!details) { await ctx.answerCallbackQuery({ text: 'Details no longer available.' }).catch(() => {}); return }
-    const ttl = scopedApprovalTtlMs()
-    if (ttl <= 0) { await ctx.answerCallbackQuery({ text: 'Time-boxed approvals are disabled.' }).catch(() => {}); return }
-    const choices = resolveScopedAllowChoices(details.tool_name, details.input_preview)
-    const tb = resolveTimeBox(details.tool_name, details.input_preview, choices)
-    if (!tb) { await ctx.answerCallbackQuery({ text: 'This action can\'t be time-boxed.' }).catch(() => {}); return }
-    const agentName = selfAgentName()
-    if (!agentName) { await ctx.answerCallbackQuery({ text: 'Time-box needs SWITCHROOM_AGENT_NAME — gateway is misconfigured.' }).catch(() => {}); return }
-
-    pendingPermissions.delete(request_id)
-    // (1) Allow the in-flight call NOW — no `rule` (keeps the window
-    // strictly gateway-side; the bridge must not cache it untimed).
-    dispatchPermissionVerdict({ type: 'permission', requestId: request_id, behavior: 'allow' })
-    // (2) Record the fixed-window grant so matching calls auto-allow.
-    recordScopedGrant(scopedGrants, agentName, tb.rule, Date.now(), ttl)
-    resumeReactionAfterVerdict()
-    postPermissionResumeMessage({
-      behavior: 'allow',
-      action: naturalAction(details.tool_name, details.input_preview),
-    })
+  // Forward permission decision to connected bridges. Capture the pending
+  // details BEFORE deleting the entry — the resume message names the resumed
+  // work, and "Allow" on a narrow non-destructive scope auto-grants a 30-min
+  // window (resolveTimeBox) so the same action stops re-asking. This IS the
+  // default behavior of Allow (no separate button); broad / MCP / destructive
+  // scopes (resolveTimeBox → null) and the disabled tier (ttl<=0) stay truly
+  // once. The verdict is still dispatched WITHOUT a `rule` (below), so the
+  // bridge never caches it untimed — the window lives only in scopedGrants.
+  const pd = pendingPermissions.get(request_id)
+  const resumeAction = pd ? naturalAction(pd.tool_name, pd.input_preview) : ''
+  const scopedTtl = scopedApprovalTtlMs()
+  const timeBox = (behavior === 'allow' && scopedTtl > 0 && pd)
+    ? resolveTimeBox(pd.tool_name, pd.input_preview, resolveScopedAllowChoices(pd.tool_name, pd.input_preview))
+    : null
+  const grantAgent = selfAgentName()
+  pendingPermissions.delete(request_id)
+  if (timeBox && grantAgent) {
+    recordScopedGrant(scopedGrants, grantAgent, timeBox.rule, Date.now(), scopedTtl)
     process.stderr.write(
-      `telegram gateway: scoped-approval granted rule="${tb.rule}" agent=${agentName} ` +
-      `ttl_ms=${ttl} (request_id=${request_id})\n`,
+      `telegram gateway: scoped-approval granted via Allow rule="${timeBox.rule}" ` +
+      `agent=${grantAgent} ttl_ms=${scopedTtl} (request_id=${request_id})\n`,
     )
-
-    const mins = Math.max(1, Math.round(ttl / 60_000))
-    // Honest card: state the real BREADTH (e.g. "any `git` command"), not
-    // just the rule, plus the window — consent covers both (access-model
-    // honest-card contract).
-    const sourceMsg = ctx.callbackQuery?.message
-    const baseText = sourceMsg && 'text' in sourceMsg && sourceMsg.text
-      ? escapeHtmlForTg(sourceMsg.text)
-      : ''
-    const editLabel = `⏱ <b>Allowed for ${mins} min — ${escapeHtmlForTg(tb.breadth)}</b> · re-asks after that, and now for anything else`
-    await finalizeCallback(ctx, {
-      ackText: `⏱ Allowed for ${mins} min`.slice(0, 200),
-      newText: baseText ? `${baseText}\n\n${editLabel}` : editLabel,
-      parseMode: 'HTML',
-    })
-    return
   }
-
-  // Forward permission decision to connected bridges. Capture the work
-  // phrase BEFORE deleting the pending entry — postPermissionResumeMessage
-  // (fired in synthInbound below) names the resumed work.
-  const resumeAction = (() => {
-    const d = pendingPermissions.get(request_id)
-    return d ? naturalAction(d.tool_name, d.input_preview) : ''
-  })()
-  pendingPermissions.delete(request_id)
+  const scopedMins = Math.max(1, Math.round(scopedTtl / 60_000))
   // The card collapses to a plain verdict label. The distinct agent-voiced
   // "got it, continuing: …" message (posted on resume below) now carries
   // the "is it working or did my tap do nothing?" signal the old
   // `▶️ resuming…` card footnote used to — and names the work, which the
   // footnote never did. Keeps the card terse and the resume legible.
-  const label = behavior === 'allow' ? '✅ Allowed' : '❌ Denied'
+  // Honest-card: only claim the window when one was actually recorded
+  // (timeBox eligible AND we had an agent name to key it under) — never
+  // promise "won't ask again for 30 min" if nothing was stored.
+  const windowGranted = timeBox != null && grantAgent !== ''
+  const ackText = behavior === 'deny'
+    ? '❌ Denied'
+    : (windowGranted ? `✅ Allowed (${scopedMins} min)` : '✅ Allowed once')
+  const htmlLabel = behavior === 'deny'
+    ? '❌ <b>Denied</b>'
+    : (windowGranted
+        ? `✅ <b>Allowed — won't ask again about ${escapeHtmlForTg(timeBox!.breadth)} for ${scopedMins} min</b>`
+        : '✅ <b>Allowed once</b>')
   // HTML-escape the source text — same hazard as the scope-commit and
   // recent-denial paths above. The permission card body
   // (formatPermissionCardBody) appends claude-supplied `description`
@@ -19396,10 +19452,12 @@ bot.on('callback_query:data', async ctx => {
   // permission was already broadcast. Routing through finalizeCallback
   // strips the keyboard atomically with the status-line edit.
   await finalizeCallback(ctx, {
-    ackText: label,
-    newText: baseText ? `${baseText}\n\n${label}` : label,
+    ackText: ackText.slice(0, 200),
+    newText: baseText ? `${baseText}\n\n${htmlLabel}` : htmlLabel,
     parseMode: 'HTML',
     synthInbound: () => {
+      // No `rule` → the bridge does NOT cache this (truly once on the bridge);
+      // any 30-min stickiness lives only in scopedGrants (recorded above).
       dispatchPermissionVerdict({
         type: 'permission',
         requestId: request_id,

package/telegram-plugin/scoped-approval.ts

@@ -1,9 +1,13 @@
 /**
- * Scoped, time-boxed approval — the "⏱ 30 min" tier, the middle rung
- * between "✅ Allow once" (re-prompts on the very next call) and
- * "🔁 Always…" (a durable `tools.allow` write that lasts forever). After
- * the operator taps "⏱ 30 min" on a permission card, byte-identical
- * in-scope requests auto-allow for a fixed window without re-carding.
+ * Scoped, time-boxed approval — the default behavior of the "✅ Allow" tap
+ * for a NARROW, non-destructive scope. Tapping Allow on such a request
+ * auto-grants a fixed window so byte-identical in-scope requests auto-allow
+ * without re-carding (killing tap-fatigue on re-edits / re-runs). Broad /
+ * MCP / destructive scopes get no window — Allow stays truly once for them.
+ * "🔁 Always…" remains the separate durable (`tools.allow`, forever) tier.
+ * There is deliberately no separate time-box button: the window IS what
+ * "Allow" means for a narrow safe scope, disclosed honestly on the post-tap
+ * card ("won't ask again about <breadth> for 30 min" vs "allowed once").
  *
  * Design contract (reference/access-model.md — "you hold the leash"):
  *
@@ -21,14 +25,13 @@
  *  - **Conservative scope (this tier, v1).** Only the *narrow* scope is
  *    ever time-boxed: an exact file path (`Edit(/x.ts)`) or a Bash
  *    command-family (`Bash(git:*)`). Broad scopes ("any file", resource-
- *    blind MCP, "any command") are NOT offered the ⏱ button — they stay
- *    once / always. This covers the real fatigue (re-editing the same
+ *    blind MCP, "any command") get NO window — Allow stays truly once for them. This covers the real fatigue (re-editing the same
  *    file, re-running a safe command) without fanning one tap across an
  *    unbounded action set.
  *  - **Fail-closed on irreversible.** A Bash family grant (`Bash(git:*)`)
  *    must never auto-allow a destructive member of that family
  *    (`git push --force`, `git reset --hard`). `isDestructiveBashCommand`
- *    is re-checked at BOTH grant time (don't offer ⏱) and match time
+ *    is re-checked at BOTH grant time (no window granted) and match time
  *    (a cached family grant fails closed → re-cards) so per-call consent
  *    for irreversible actions is preserved.
  *
@@ -45,8 +48,8 @@ export const SCOPED_APPROVAL_DEFAULT_TTL_MS = 30 * 60 * 1000;
 
 /**
  * Resolve the configured window from the environment. `0` (or negative)
- * disables the tier — the gateway hides the ⏱ button and never
- * short-circuits. A blank/garbage value falls back to the 30-min default.
+ * disables the window — Allow becomes truly once for every scope and the
+ * gateway never short-circuits. A blank/garbage value falls back to the 30-min default.
  * Kill-switch: `SWITCHROOM_SCOPED_APPROVAL_TTL_MS=0`.
  */
 export function scopedApprovalTtlMs(
@@ -84,7 +87,7 @@ const BASH_FAMILY_RULE = /^Bash\(([^:]+):\*\)$/;
  * Conservative time-box eligibility. Given the already-resolved scope
  * choices for a permission request, return the NARROW rule to time-box
  * plus an honest breadth phrase — or `null` when this request must not
- * get a ⏱ button (broad-only tools, MCP, Skill, a destructive Bash
+ * get a window (broad-only tools, MCP, Skill, a destructive Bash
  * command, or any tool with no narrow sub-scope).
  *
  *  - File tools with an exact path → time-boxable (bounded to the one