switchroom 0.15.36 → 0.15.38

package/telegram-plugin/dist/gateway/gateway.js

@@ -23847,7 +23847,7 @@ var init_schema = __esm(() => {
   ScheduleEntrySchema = exports_external.object({
     cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
     prompt: exports_external.string().optional().describe("Prompt to send at the scheduled time (the escalation prompt when " + "kind=poll; templated with {{diff}}). Required for kind prompt/poll; " + "absent for kind=action (an action has no model fire, so no prompt)."),
-    kind: exports_external.enum(["poll", "prompt", "action"]).optional().describe("Tier-0 routing (docs/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. 'action' runs a model-free deterministic verb " + "(requires `action`) that COMPLETES the work and never escalates \u2014 zero " + "tokens, no session. poll/prompt tiering is on by default " + "(SWITCHROOM_CHEAP_CRON=0 is the kill-switch); an action is model-free " + "regardless (the kill-switch governs model tiering, not deterministic " + "actions)."),
+    kind: exports_external.enum(["poll", "prompt", "action"]).optional().describe("Tier-0 routing (reference/rfcs/cheap-cron-sessions.md). 'prompt' (default) " + "fires a model turn every tick (Tier 1/2 per `context`). 'poll' runs a " + "model-free deterministic check (requires `poll`) and only escalates to " + "a model fire on a hit. 'action' runs a model-free deterministic verb " + "(requires `action`) that COMPLETES the work and never escalates \u2014 zero " + "tokens, no session. poll/prompt tiering is on by default " + "(SWITCHROOM_CHEAP_CRON=0 is the kill-switch); an action is model-free " + "regardless (the kill-switch governs model tiering, not deterministic " + "actions)."),
     poll: PollSpecSchema.optional().describe("Required iff kind=poll. The declarative poll spec."),
     action: ActionSpecSchema.optional().describe("Required iff kind=action. The declarative action spec (telegram-message or webhook)."),
     model: exports_external.string().optional().describe("Cron model hint. Reactivated by SWITCHROOM_CHEAP_CRON (was DEPRECATED/" + "IGNORED in v0.8). A known-cheap id (sonnet/haiku family) routes the " + "fire to a fresh cheap cron session (Tier 1, `context: fresh`); 'opus', " + "a custom id, or unset routes to the agent's live session (Tier 2, " + "`context: agent`) \u2014 the conservative default that preserves pre-v0.8 " + "behaviour. Note: a live session's model is fixed at launch, so on Tier " + "2 this is informational. See docs/scheduling.md."),
@@ -23856,7 +23856,7 @@ var init_schema = __esm(() => {
     topic: exports_external.union([
       exports_external.string().min(1, "topic alias must be non-empty"),
       exports_external.number().int().positive("topic ID must be a positive integer")
-    ]).optional().describe("Forum topic this cron fires into when the owning agent is in " + "supergroup-owned mode (channels.telegram.chat_id set). Either a " + 'string alias resolved against `topic_aliases` (e.g. "planning") ' + "or a numeric topic ID. Falls back to the agent's `default_topic_id` " + "when unset. Ignored for agents in fleet-shared or dm_only mode. " + "Alias-resolution happens at config-load \u2014 typos surface immediately. " + "See docs/rfcs/supergroup-mode.md.")
+    ]).optional().describe("Forum topic this cron fires into when the owning agent is in " + "supergroup-owned mode (channels.telegram.chat_id set). Either a " + 'string alias resolved against `topic_aliases` (e.g. "planning") ' + "or a numeric topic ID. Falls back to the agent's `default_topic_id` " + "when unset. Ignored for agents in fleet-shared or dm_only mode. " + "Alias-resolution happens at config-load \u2014 typos surface immediately. " + "See reference/rfcs/supergroup-mode.md.")
   }).superRefine((entry, ctx) => {
     const kind = entry.kind ?? "prompt";
     if (kind === "poll" && !entry.poll) {
@@ -24029,15 +24029,15 @@ var init_schema = __esm(() => {
     webhook_rate_limit: exports_external.object({
       rpm: exports_external.number().int().positive()
     }).optional().describe("Per-source rate limit for the webhook ingest path (#714). " + "Off by default \u2014 when this key is absent the handler skips " + "rate-limit checks entirely. Opt in by setting `rpm` to an " + "integer requests-per-minute (token bucket per (agent, source); " + "burst equal to rpm). When enabled, exceeding the limit returns " + "429 with Retry-After header; first throttle event per " + "(agent, source) per 60s window is written to " + "<agent>/telegram/issues.jsonl. " + "Cascades from defaults.channels.telegram.webhook_rate_limit."),
-    webhook_via_gateway: exports_external.boolean().optional().describe("Route verified webhook events to the agent's in-container gateway " + "over a peercred-gated UDS (<agent>/telegram/webhook.sock) instead " + "of having the host-side web receiver write the agent dir directly. " + "Required under the Docker runtime: the receiver runs as the host " + "operator UID and cannot write the per-agent-UID-owned agent dir " + "(EACCES 500) nor connect the gateway socket. When true the gateway " + "(running as the agent UID) becomes the sole writer of " + "webhook-events.jsonl + dedup/cooldown state and also fires " + "webhook_dispatch. Off by default for back-compat with host-runtime " + "installs. See docs/rfcs/webhook-via-gateway-socket.md."),
-    webhook_require_edge: exports_external.boolean().optional().describe("Cloudflare-only edge lock: require the X-Switchroom-Edge header " + "(injected by a Cloudflare Transform Rule on hooks.switchroom.ai) to " + "match the operator's edge secret at ~/.switchroom/webhook-edge-secret " + "before any HMAC verification; reject 403 otherwise. Proves the " + "request entered through our Cloudflare edge \u2014 the per-agent HMAC " + "alone can't (it proves body provenance, not network path). Stacks " + "on the GitHub-IP WAF + per-agent HMAC. Fail-closed: when required " + "but the secret file is missing/empty every request is rejected. Off " + "by default. See docs/rfcs/webhook-cloudflare-edge-lock.md."),
+    webhook_via_gateway: exports_external.boolean().optional().describe("Route verified webhook events to the agent's in-container gateway " + "over a peercred-gated UDS (<agent>/telegram/webhook.sock) instead " + "of having the host-side web receiver write the agent dir directly. " + "Required under the Docker runtime: the receiver runs as the host " + "operator UID and cannot write the per-agent-UID-owned agent dir " + "(EACCES 500) nor connect the gateway socket. When true the gateway " + "(running as the agent UID) becomes the sole writer of " + "webhook-events.jsonl + dedup/cooldown state and also fires " + "webhook_dispatch. Off by default for back-compat with host-runtime " + "installs. See reference/rfcs/webhook-via-gateway-socket.md."),
+    webhook_require_edge: exports_external.boolean().optional().describe("Cloudflare-only edge lock: require the X-Switchroom-Edge header " + "(injected by a Cloudflare Transform Rule on hooks.switchroom.ai) to " + "match the operator's edge secret at ~/.switchroom/webhook-edge-secret " + "before any HMAC verification; reject 403 otherwise. Proves the " + "request entered through our Cloudflare edge \u2014 the per-agent HMAC " + "alone can't (it proves body provenance, not network path). Stacks " + "on the GitHub-IP WAF + per-agent HMAC. Fail-closed: when required " + "but the secret file is missing/empty every request is rejected. Off " + "by default. See reference/rfcs/webhook-cloudflare-edge-lock.md."),
     linear_agent: exports_external.object({
       enabled: exports_external.boolean(),
       token: exports_external.string().describe("vault:<key> reference to the Linear OAuth app token (actor=app). " + "Resolved at runtime via the vault broker (canonically " + "vault:linear/<agent>/token). Never an inline literal."),
       workspace_id: exports_external.string().optional().describe("Optional Linear workspace (organization) id this agent is " + "installed into. Informational \u2014 used for setup hints and " + "multi-workspace disambiguation; the token already scopes the " + "app to its workspace."),
       default_team_id: exports_external.string().optional().describe("Optional Linear team id new captured issues file into when the " + "agent doesn't pass an explicit team_id. Unnecessary for a " + "single-team workspace (auto-resolved); set it only when the " + "workspace has multiple teams. Manage via " + "`switchroom linear-agent set-team <agent> <team>`.")
     }).optional().describe("Linear first-class agent integration (#2298). When enabled, the " + "agent appears in a Linear workspace as an app actor (own name/" + "avatar, @-mentionable, delegate-assignable). Linear AgentSessionEvent " + "webhooks (mention / delegation) wake the agent instantly via the " + "same gateway inject path as webhook_dispatch, tagged " + 'meta.source="linear" with the agent_session_id, and the agent ' + "responds with structured AgentActivity (thought/message/complete/" + "error) via the linear_agent_activity MCP tool. Builds the " + "session-lifecycle layer on top of the plain webhook_sources:[linear] " + "+ webhook_dispatch support (#2272). The OAuth app token is stored in " + "the vault and referenced here as vault:linear/<agent>/token; run " + "`switchroom linear-agent setup <agent>` to provision it. Off by " + "default \u2014 opt in per agent. Cascades from " + "defaults.channels.telegram.linear_agent."),
-    chat_id: exports_external.string().regex(/^-\d+$/, 'supergroup chat_id must be a negative integer as a string (e.g. "-1001234567890")').optional().describe("Per-agent supergroup ID \u2014 overrides fleet `telegram.forum_chat_id`. " + "When set, requires `default_topic_id`. Negative integer as string. " + "Forbidden when `dm_only: true`. See docs/rfcs/supergroup-mode.md."),
+    chat_id: exports_external.string().regex(/^-\d+$/, 'supergroup chat_id must be a negative integer as a string (e.g. "-1001234567890")').optional().describe("Per-agent supergroup ID \u2014 overrides fleet `telegram.forum_chat_id`. " + "When set, requires `default_topic_id`. Negative integer as string. " + "Forbidden when `dm_only: true`. See reference/rfcs/supergroup-mode.md."),
     default_topic_id: exports_external.number().int().positive().optional().describe("Forum topic ID this agent's automated outbounds default to when " + "no more-specific alias resolves. Defaults to General (topic 1) when " + "`chat_id` is set and this is omitted \u2014 set it only to pin a different " + "fallback topic. " + "Telegram's General topic is `id=1` at MTProto but sends omit the " + "field \u2014 the outbound wrapper strips `message_thread_id === 1` " + "on send. Forbidden when `dm_only: true`."),
     topic_aliases: exports_external.record(exports_external.string(), exports_external.number().int().positive()).optional().describe("Operator-friendly names for forum topic IDs (e.g. " + "`{ general: 1, planning: 17, cron: 23, admin: 31, alerts: 41 }`). " + "Referenced from per-cron `topic:` fields and the outbound router " + "for autonomous events (boot \u2192 alerts, hostd \u2192 admin, etc.). " + "Cascades per-key through defaults \u2192 profile \u2192 agent.")
   }).optional().superRefine((tg, ctx) => {
@@ -24263,7 +24263,7 @@ var init_schema = __esm(() => {
     drive: AgentGoogleWorkspaceConfigSchema.describe("RFC D legacy key \u2014 use `google_workspace:` instead. Per-agent " + "google_workspace overrides (currently approvers + tier). When set, " + "replaces the top-level approvers list for this agent. " + "google_client_id/secret are not per-agent \u2014 they live at the top level."),
     google_workspace: AgentGoogleWorkspaceConfigSchema.describe("RFC G canonical key. Per-agent Google Workspace overrides \u2014 currently " + "approvers (replaces, does not extend the top-level list) and tier " + "(`core` | `extended` | `complete`, replaces top-level default). " + "google_client_id/secret are not per-agent \u2014 they live at the top level. " + "Mutually exclusive with `drive:` on the same agent (loader fails fast " + "if both are set)."),
     microsoft_workspace: AgentMicrosoftWorkspaceConfigSchema.describe("RFC #1873 (Microsoft 365 integration). Per-agent Microsoft Workspace " + "override \u2014 pins the Microsoft account this agent reads via the " + "auth-broker (must be a key in top-level `microsoft_accounts:` with " + "this agent in its `enabled_for[]`) and optionally overrides org_mode. " + "microsoft_client_id/secret are not per-agent."),
-    notion_workspace: AgentNotionWorkspaceConfigSchema.describe("RFC docs/rfcs/notion-integration.md. Per-agent Notion access. " + "Presence opts the agent IN (launcher scaffolded, MCP entry emitted, " + "broker grants the integration token). Optional `databases:` filter " + "narrows which DBs this agent may read/write \u2014 names must resolve in " + "top-level notion_workspace.databases. Absence opts the agent OUT."),
+    notion_workspace: AgentNotionWorkspaceConfigSchema.describe("RFC reference/rfcs/notion-integration.md. Per-agent Notion access. " + "Presence opts the agent IN (launcher scaffolded, MCP entry emitted, " + "broker grants the integration token). Optional `databases:` filter " + "narrows which DBs this agent may read/write \u2014 names must resolve in " + "top-level notion_workspace.databases. Absence opts the agent OUT."),
     repos: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9-]*$/, "Repo slug must be kebab-case ASCII: start with a lowercase letter or digit, contain only lowercase letters, digits, and hyphens"), exports_external.object({
       url: exports_external.string().min(1).describe("Git remote URL for the repo (e.g. 'git@github.com:org/repo.git' or " + "'https://github.com/org/repo.git'). Used verbatim for git clone."),
       branch_default: exports_external.string().optional().describe("Default branch to track (defaults to the remote's HEAD, typically 'main'). " + "The per-agent branch 'agent/<agentName>/main' fast-forwards to this branch " + "when the worktree is clean on session start.")
@@ -24398,9 +24398,9 @@ var init_schema = __esm(() => {
     drive: GoogleWorkspaceConfigSchema.describe("RFC D legacy key \u2014 use `google_workspace:` instead. Optional Google " + "Workspace onboarding configuration. When set, supplies Google OAuth " + "client credentials, the approver allowlist for `switchroom drive " + "connect`, and the optional tier knob. Env vars " + "(SWITCHROOM_GOOGLE_CLIENT_ID, SWITCHROOM_GOOGLE_CLIENT_SECRET, " + "SWITCHROOM_APPROVER_USER_ID) take precedence over this block when " + "set, preserving back-compat with the env-only flow shipped in #766."),
     google_workspace: GoogleWorkspaceConfigSchema.describe("RFC G canonical key. Top-level Google Workspace configuration \u2014 " + "OAuth client credentials, approver allowlist, and tier knob (`core` " + "| `extended` | `complete`, default `core`). Mutually exclusive with " + "`drive:` at the top level (loader fails fast if both are set)."),
     microsoft_workspace: MicrosoftWorkspaceConfigSchema.describe("RFC #1873 (Microsoft 365 integration). Top-level Microsoft Workspace " + "configuration \u2014 OAuth client credentials (Entra app), authority " + "endpoint (defaults to /common for personal MSA + work), and the " + "org_mode opt-in for Teams/SharePoint surfaces. Block is optional; " + "when omitted the broker does not register the Microsoft provider."),
-    notion_workspace: NotionWorkspaceConfigSchema.describe("RFC docs/rfcs/notion-integration.md. Top-level Notion integration " + "config \u2014 vault key for the integration token, friendly-name \u2192 " + "database UUID map, optional MCP-package version pin, and optional " + "global rate-limit override (default 3 rps, Notion's documented " + "public-API limit). Block is optional; when omitted no agent gets a " + "Notion MCP entry regardless of per-agent config."),
+    notion_workspace: NotionWorkspaceConfigSchema.describe("RFC reference/rfcs/notion-integration.md. Top-level Notion integration " + "config \u2014 vault key for the integration token, friendly-name \u2192 " + "database UUID map, optional MCP-package version pin, and optional " + "global rate-limit override (default 3 rps, Notion's documented " + "public-API limit). Block is optional; when omitted no agent gets a " + "Notion MCP entry regardless of per-agent config."),
     quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
-    host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
+    host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (reference/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
     hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Scopes the opt-in flag and rate cap for the " + "`config_propose_edit` verb (disabled by default)."),
     web_service: WebServiceConfigSchema.default({}).describe("Web-service container (dashboard + GitHub-webhook receiver) config. " + "Defaults to managed=false so existing systemd-mode installs are " + "untouched. Set managed: true after cutting over to the " + "`switchroom-web` container \u2014 then `switchroom update` keeps it " + "refreshed. See `switchroom webd install`."),
     google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
@@ -24422,7 +24422,7 @@ var init_schema = __esm(() => {
     agents: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,50}$/, {
       message: "Agent name must start with a letter/digit, contain only lowercase letters/digits/hyphens/underscores, and be at most 51 characters (Telegram callback_data byte limit)"
     }), AgentSchema).describe("Map of agent name to agent configuration"),
-    cron: CronConfigSchema.optional().describe("Cheap-cron settings (docs/rfcs/cheap-cron-sessions.md). Operator-owned " + "egress allowlist + host-pinned secret bindings for Tier-0 http-diff " + "polls (\u00a76.1). Required to enable any http-diff poll; not agent-writable.")
+    cron: CronConfigSchema.optional().describe("Cheap-cron settings (reference/rfcs/cheap-cron-sessions.md). Operator-owned " + "egress allowlist + host-pinned secret bindings for Tier-0 http-diff " + "polls (\u00a76.1). Required to enable any http-diff poll; not agent-writable.")
   });
 });
 
@@ -29729,6 +29729,33 @@ function renderBucketedSkills(switchroom, agent) {
     parts.push(`Agent: ${agent.join(", ")}`);
   return parts.length === 0 ? "none resolved" : parts.join(" \u00b7 ");
 }
+async function probeConnections(agentDir, opts = {}) {
+  return withTimeout("Connections", (async () => {
+    const path = join24(agentDir, ".claude", "connection-health.json");
+    const read = opts.readFileImpl ?? ((p) => readFileSync25(p, "utf8"));
+    let issues = [];
+    try {
+      const parsed = JSON.parse(read(path));
+      issues = Array.isArray(parsed.issues) ? parsed.issues : [];
+    } catch {
+      return { status: "ok", label: "Connections", detail: "no issues" };
+    }
+    if (issues.length === 0) {
+      return { status: "ok", label: "Connections", detail: "all authed" };
+    }
+    const servers = [...new Set(issues.map((i) => i.server))];
+    const named = servers.slice(0, 4).join(", ");
+    const more = servers.length > 4 ? ` +${servers.length - 4} more` : "";
+    const first = issues[0];
+    const extra = issues.length > 1 ? ` (+${issues.length - 1} more \u2014 run \`switchroom doctor\`)` : "";
+    return {
+      status: "degraded",
+      label: "Connections",
+      detail: `${servers.length} integration(s) configured but not authed: ${named}${more}`,
+      nextStep: `${first.fix}${extra}`
+    };
+  })());
+}
 var execFile3, PROBE_TIMEOUT_MS = 2000, QUOTA_BROKER_TIMEOUT_MS = 7000, QUOTA_DIRECT_FALLBACK_TIMEOUT_MS = 5000, QUOTA_PROBE_OUTER_TIMEOUT_MS = 9000, TOKEN_EXPIRING_SOON_DAYS = 7, AGENT_RETRY_INTERVAL_MS = 1500, AGENT_RETRY_MAX_MS = 12000, AGENT_LIVE_WINDOW_MS = 45000, AGENT_LIVE_POLL_INTERVAL_MS = 2000, AGENT_LIVE_FOLLOWUP_REPOLL_MS = 30000, realProcFs, SCHEDULER_LOCK_PATH_DEFAULT = "/state/agent/scheduler.lock", SCHEDULER_JSONL_PATH_DEFAULT = "/state/agent/scheduler.jsonl", SCHEDULER_FRESH_BOOT_MS = 30000, realSchedulerFs, realSkillsFs;
 var init_boot_probes = __esm(() => {
   init_quota_cache();
@@ -30164,6 +30191,9 @@ async function runAllProbes(opts) {
     }),
     probeSkills(opts.agentDir, { agentName: opts.agentSlug ?? opts.agentName }).then((r) => {
       probes.skills = r;
+    }),
+    probeConnections(opts.agentDir).then((r) => {
+      probes.connections = r;
     })
   ]);
   return probes;
@@ -30404,7 +30434,8 @@ var init_boot_card = __esm(() => {
     scheduler: "Scheduler",
     broker: "Broker",
     kernel: "Kernel",
-    skills: "Skills"
+    skills: "Skills",
+    connections: "Connections"
   };
   PROBE_KEYS = [
     "account",
@@ -30415,7 +30446,8 @@ var init_boot_card = __esm(() => {
     "scheduler",
     "broker",
     "kernel",
-    "skills"
+    "skills",
+    "connections"
   ];
   REASON_EMOJI = {
     planned: "\u2705",
@@ -32953,6 +32985,32 @@ function parseSourceMessageId(raw) {
   return n;
 }
 
+// gateway/permission-timeout.ts
+var SIGNATURE_SEP = String.fromCharCode(0);
+function permissionSignature(toolName, inputPreview) {
+  return toolName + SIGNATURE_SEP + inputPreview;
+}
+function timeoutDenyMessage(timeoutMinutes) {
+  return `No operator responded within ${timeoutMinutes} minutes, so this request timed out. ` + `This is a TIMEOUT, not a denial \u2014 the operator is likely away. ` + `Do NOT retry this exact action automatically. Tell the user it is still ` + `awaiting their approval, then continue with other work or stop.`;
+}
+var duplicateDenyMessage = `This exact action already timed out awaiting the operator, and they have not ` + `responded since. Do NOT keep re-requesting it \u2014 tell the user it needs their ` + `approval when they are back, and move on to other work or stop.`;
+function isRecentTimeoutDuplicate(timeouts, sig, now, windowMs) {
+  const at = timeouts.get(sig);
+  return at != null && now - at <= windowMs;
+}
+
+// gateway/permission-card-origin.ts
+function pickRecoveredPermissionOrigin(recentTurns, now, maxAgeMs) {
+  let best = null;
+  for (const t of recentTurns) {
+    if (now - t.startedAt > maxAgeMs)
+      continue;
+    if (best == null || t.startedAt >= best.startedAt)
+      best = t;
+  }
+  return best == null ? null : { chatId: best.sessionChatId, threadId: best.sessionThreadId };
+}
+
 // tool-names.ts
 var TELEGRAM_TOOL_PREFIX_RE = /^mcp__[^_].*?telegram__/;
 function stripPrefix(toolName) {
@@ -46206,6 +46264,7 @@ function resolveOutboundTopic(config, event) {
     }
     case "boot":
     case "compact-watchdog":
+    case "linear-auth":
       if (!inSupergroupMode)
         return;
       return aliasToId(cfg, ALERTS_ALIAS) ?? cfg.default_topic_id;
@@ -54460,11 +54519,11 @@ function readTurnActiveMarkerAgeMs(stateDir, now) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.15.36";
-var COMMIT_SHA = "18736aec";
-var COMMIT_DATE = "2026-06-16T09:16:32Z";
-var LATEST_PR = 2395;
-var COMMITS_AHEAD_OF_TAG = 0;
+var VERSION = "0.15.38";
+var COMMIT_SHA = "d28a331f";
+var COMMIT_DATE = "2026-06-18T11:43:40+10:00";
+var LATEST_PR = null;
+var COMMITS_AHEAD_OF_TAG = 13;
 
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {
@@ -54759,7 +54818,79 @@ init_client2();
 
 // ../src/linear/oauth-refresh.ts
 var LINEAR_TOKEN_ENDPOINT = "https://api.linear.app/oauth/token";
+var LINEAR_AUTHORIZE_ENDPOINT = "https://linear.app/oauth/authorize";
+var LINEAR_AGENT_SCOPES = [
+  "read",
+  "write",
+  "app:assignable",
+  "app:mentionable"
+];
 var DEFAULT_REFRESH_SKEW_SEC = 2 * 3600;
+function buildLinearAuthorizeUrl(args) {
+  const params = new URLSearchParams({
+    client_id: args.clientId,
+    redirect_uri: args.redirectUri,
+    response_type: "code",
+    scope: (args.scopes ?? LINEAR_AGENT_SCOPES).join(","),
+    actor: "app",
+    prompt: "consent"
+  });
+  if (args.state)
+    params.set("state", args.state);
+  return `${LINEAR_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+}
+async function exchangeLinearAuthCode(args, opts = {}) {
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const nowSec = opts.nowSec ?? (() => Math.floor(Date.now() / 1000));
+  const form = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: args.code,
+    client_id: args.clientId,
+    client_secret: args.clientSecret,
+    redirect_uri: args.redirectUri
+  });
+  let resp;
+  try {
+    resp = await fetchImpl(LINEAR_TOKEN_ENDPOINT, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: form.toString()
+    });
+  } catch (err) {
+    return { ok: false, reason: "network", detail: err.message };
+  }
+  if (!resp.ok) {
+    const txt = await resp.text().catch(() => "");
+    const badCode = resp.status === 400 || /invalid_grant|invalid_request/i.test(txt);
+    return {
+      ok: false,
+      reason: badCode ? "bad_code" : "http_error",
+      detail: `HTTP ${resp.status}${txt ? ` ${txt.slice(0, 200)}` : ""}`
+    };
+  }
+  let json;
+  try {
+    json = await resp.json();
+  } catch {
+    return { ok: false, reason: "bad_response", detail: "non-JSON token response" };
+  }
+  const accessToken = json.access_token;
+  if (typeof accessToken !== "string" || accessToken.length === 0) {
+    return { ok: false, reason: "bad_response", detail: "no access_token in response" };
+  }
+  const refreshToken = json.refresh_token;
+  if (typeof refreshToken !== "string" || refreshToken.length === 0) {
+    return { ok: false, reason: "bad_response", detail: "no refresh_token in response (was actor=app + a fresh consent used?)" };
+  }
+  const expiresIn = typeof json.expires_in === "number" ? json.expires_in : 86400;
+  return {
+    ok: true,
+    accessToken,
+    refreshToken,
+    expiresAt: nowSec() + expiresIn,
+    ...typeof json.scope === "string" ? { scope: json.scope } : {}
+  };
+}
 async function refreshLinearAppToken(bundle, opts = {}) {
   const fetchImpl = opts.fetchImpl ?? fetch;
   const nowSec = opts.nowSec ?? (() => Math.floor(Date.now() / 1000));
@@ -54808,6 +54939,11 @@ async function refreshLinearAppToken(bundle, opts = {}) {
     ...typeof json.scope === "string" ? { scope: json.scope } : {}
   };
 }
+function needsRefresh(expiresAt, nowSec, skewSec = DEFAULT_REFRESH_SKEW_SEC) {
+  if (expiresAt == null)
+    return false;
+  return nowSec >= expiresAt - skewSec;
+}
 function parseBundle(raw) {
   if (raw == null || raw === "")
     return null;
@@ -54863,6 +54999,17 @@ async function performLinearRefresh(io) {
 
 // gateway/linear-activity.ts
 var LINEAR_GRAPHQL_ENDPOINT = "https://api.linear.app/graphql";
+function escapeHtmlMin(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function buildLinearAuthDeadMessage(agent, reason) {
+  const a = escapeHtmlMin(agent);
+  const why = reason === "no_bundle" ? `no refresh credentials are stored (<code>linear/${a}/oauth</code> is missing), so its daily-expiring token can't renew` : `its Linear refresh token was revoked`;
+  return `\uD83D\uDD11 <b>Linear auth needs you</b>
+` + `<b>${a}</b> can't reach Linear \u2014 ${why}. ` + `Its access token will keep failing until you re-authorize.
+
+` + `Re-auth (actor=app) then run <code>switchroom linear-agent setup --agent ${a} ` + `--token \u2026 --refresh-token \u2026 --client-id \u2026 --client-secret \u2026</code> on the host, ` + `or ask me to walk you through it.`;
+}
 async function defaultResolveLinearToken(agent) {
   const key = `linear/${agent}/token`;
   const token = readVaultTokenFile(agent) ?? undefined;
@@ -54899,7 +55046,7 @@ function brokerRefreshIO(agent, fetchImpl) {
     ...fetchImpl ? { fetchImpl } : {}
   };
 }
-async function linearPostWithRefresh(body, token, agent, fetchImpl, log, refreshIO) {
+async function linearPostWithRefresh(body, token, agent, fetchImpl, log, refreshIO, onAuthUnrecoverable) {
   const post = (t) => fetchImpl(LINEAR_GRAPHQL_ENDPOINT, {
     method: "POST",
     headers: { "Content-Type": "application/json", Authorization: t },
@@ -54914,6 +55061,11 @@ async function linearPostWithRefresh(body, token, agent, fetchImpl, log, refresh
     if (refreshed.reason === "revoked") {
       log(`telegram gateway: linear token REVOKED agent=${agent} \u2014 refresh token is dead; ` + `operator must re-authorize (linear-agent setup --refresh-token \u2026)
 `);
+      onAuthUnrecoverable?.({ agent, reason: "revoked", detail: refreshed.detail });
+    } else if (refreshed.reason === "no_bundle") {
+      log(`telegram gateway: linear token DEAD agent=${agent} \u2014 no refresh bundle stored ` + `(linear/${agent}/oauth absent); operator must re-authorize
+`);
+      onAuthUnrecoverable?.({ agent, reason: "no_bundle", detail: refreshed.detail });
     } else {
       log(`telegram gateway: linear token refresh failed agent=${agent} reason=${refreshed.reason}
 `);
@@ -54969,7 +55121,7 @@ async function emitLinearAgentActivity(args, deps = {}) {
   const fetchImpl = deps.fetchImpl ?? fetch;
   let resp;
   try {
-    ({ resp } = await linearPostWithRefresh(JSON.stringify({ query: mutation, variables }), tokenResult.token, agent, fetchImpl, log, deps.refreshIO));
+    ({ resp } = await linearPostWithRefresh(JSON.stringify({ query: mutation, variables }), tokenResult.token, agent, fetchImpl, log, deps.refreshIO, deps.onAuthUnrecoverable));
   } catch (err) {
     return {
       content: [{ type: "text", text: `linear_agent_activity failed: request error: ${err.message}` }]
@@ -55033,7 +55185,7 @@ async function createLinearIssue(args, deps = {}) {
   const gql = async (query2, variables) => {
     let resp;
     try {
-      const out = await linearPostWithRefresh(JSON.stringify({ query: query2, variables }), activeToken, agent, fetchImpl, log, deps.refreshIO);
+      const out = await linearPostWithRefresh(JSON.stringify({ query: query2, variables }), activeToken, agent, fetchImpl, log, deps.refreshIO, deps.onAuthUnrecoverable);
       resp = out.resp;
       activeToken = out.token;
     } catch (err) {
@@ -55102,6 +55254,261 @@ async function createLinearIssue(args, deps = {}) {
   return { content: [{ type: "text", text: `Filed: ${title} \u2192 ${issue.url}` }] };
 }
 
+// gateway/linear-setup.ts
+init_client2();
+var tokenKey = (agent) => `linear/${agent}/token`;
+var bundleKey = (agent) => `linear/${agent}/oauth`;
+function defaultPut(agent, key, value) {
+  const token = readVaultTokenFile(agent) ?? undefined;
+  const opt = token ? { token } : {};
+  return putViaBroker(key, { kind: "string", value }, opt).then((r) => {
+    if (r.kind === "ok")
+      return { kind: "ok" };
+    if (r.kind === "unreachable")
+      return { kind: "unreachable", msg: r.msg };
+    if (r.kind === "not_found")
+      return { kind: "not_found", msg: r.msg };
+    return { kind: "denied", msg: r.msg };
+  });
+}
+function text(s) {
+  return { content: [{ type: "text", text: s }] };
+}
+function writeGrantGuidance(agent) {
+  return `I need write access to store the Linear credentials. Call:
+` + `\u2022 vault_request_access(key: "${tokenKey(agent)}", scope: "write", reason: "store Linear app access token")
+` + `\u2022 vault_request_access(key: "${bundleKey(agent)}", scope: "write", reason: "store Linear OAuth refresh bundle")
+` + `Once the operator approves both, re-run linear_agent_setup with action "complete" (same code is single-use \u2014 if it expired, re-open the authorize URL first).`;
+}
+function durableConfigGuidance(agent) {
+  return `Stored. To make this durable (survive restarts + enable auto-refresh), propose a config edit ` + `(config_propose_edit) that, under agents.${agent}:
+` + `  \u2022 adds channels.telegram.linear_agent: { enabled: true, token: "vault:${tokenKey(agent)}" }
+` + `  \u2022 adds "${tokenKey(agent)}" and "${bundleKey(agent)}" to secrets[]
+` + `Then the operator approves it and you restart to pick up the linear_agent block.`;
+}
+async function runLinearAgentSetup(args, deps = {}) {
+  const log = deps.log ?? ((s) => process.stderr.write(s));
+  const agent = deps.agent ?? process.env.SWITCHROOM_AGENT_NAME ?? "-";
+  if (agent === "-" || !/^[a-z][a-z0-9_-]{0,63}$/.test(agent)) {
+    return text(`linear_agent_setup failed: could not resolve a valid agent name (got '${agent}').`);
+  }
+  const action = args.action;
+  if (action !== "authorize_url" && action !== "complete") {
+    return text(`linear_agent_setup failed: action must be "authorize_url" or "complete".`);
+  }
+  const clientId = args.client_id?.trim();
+  const redirectUri = args.redirect_uri?.trim();
+  if (!clientId)
+    return text("linear_agent_setup failed: client_id is required.");
+  if (!redirectUri || !/^https?:\/\//.test(redirectUri)) {
+    return text("linear_agent_setup failed: redirect_uri is required and must be an http(s) URL registered on the Linear OAuth app.");
+  }
+  if (action === "authorize_url") {
+    const url = buildLinearAuthorizeUrl({ clientId, redirectUri });
+    return text(`Open this URL in a browser to authorize <b>${agent}</b> as a Linear app actor (actor=app):
+
+${url}
+
+` + `After you approve, Linear redirects to ${redirectUri}?code=\u2026 (it may show a blank/error page \u2014 that's fine). ` + `Copy the code value from the URL bar, then run linear_agent_setup with action "complete", the same client_id + redirect_uri, ` + `your client_secret, and that code.`);
+  }
+  const clientSecret = args.client_secret?.trim();
+  const code = args.code?.trim();
+  if (!clientSecret)
+    return text('linear_agent_setup failed: client_secret is required for action "complete".');
+  if (!code)
+    return text('linear_agent_setup failed: code (from the redirect URL) is required for action "complete".');
+  const exchanged = await exchangeLinearAuthCode({ clientId, clientSecret, code, redirectUri }, deps.fetchImpl ? { fetchImpl: deps.fetchImpl } : {});
+  if (!exchanged.ok) {
+    log(`telegram gateway: linear_agent_setup exchange failed agent=${agent} reason=${exchanged.reason}
+`);
+    if (exchanged.reason === "bad_code") {
+      return text(`linear_agent_setup failed: Linear rejected the authorization code (expired, already used, or wrong redirect_uri). ` + `Re-run action "authorize_url", open the fresh URL, and copy a new code.`);
+    }
+    return text(`linear_agent_setup failed: token exchange ${exchanged.reason} \u2014 ${exchanged.detail}. Retry shortly.`);
+  }
+  const bundle = serializeBundle({
+    clientId,
+    clientSecret,
+    refreshToken: exchanged.refreshToken,
+    expiresAt: exchanged.expiresAt
+  });
+  const putBundle = deps.putBundle ?? ((a, j) => defaultPut(a, bundleKey(a), j));
+  const putToken = deps.putToken ?? ((a, t2) => defaultPut(a, tokenKey(a), t2));
+  const b = await putBundle(agent, bundle);
+  if (b.kind !== "ok") {
+    if (b.kind === "not_found" || b.kind === "denied") {
+      return text(writeGrantGuidance(agent));
+    }
+    log(`telegram gateway: linear_agent_setup bundle write ${b.kind} agent=${agent}
+`);
+    return text(`linear_agent_setup failed: couldn't store the refresh bundle (broker ${b.kind}: ${b.msg}).`);
+  }
+  const t = await putToken(agent, exchanged.accessToken);
+  if (t.kind !== "ok") {
+    if (t.kind === "not_found" || t.kind === "denied") {
+      return text(writeGrantGuidance(agent));
+    }
+    log(`telegram gateway: linear_agent_setup token write ${t.kind} agent=${agent}
+`);
+    return text(`linear_agent_setup failed: couldn't store the access token (broker ${t.kind}: ${t.msg}).`);
+  }
+  const hours = Math.max(1, Math.round((exchanged.expiresAt - Date.now() / 1000) / 3600));
+  log(`telegram gateway: linear_agent_setup stored token+bundle agent=${agent} (expires ~${hours}h)
+`);
+  return text(`\u2705 Linear app token + refresh bundle stored for ${agent} (access token expires in ~${hours}h; it now auto-renews).
+
+` + durableConfigGuidance(agent));
+}
+
+// gateway/linear-auth-watch.ts
+async function runLinearAuthCheck(deps) {
+  const log = deps.log ?? (() => {});
+  if (!deps.linearEnabled())
+    return "disabled";
+  let raw;
+  try {
+    raw = await deps.readBundle();
+  } catch (err) {
+    log(`telegram gateway: linear-auth-watch agent=${deps.agent} bundle read error: ${err.message}
+`);
+    return "refresh_failed";
+  }
+  const bundle = parseBundle(raw);
+  if (!bundle) {
+    log(`telegram gateway: linear-auth-watch agent=${deps.agent} \u2014 no refresh bundle (proactive)
+`);
+    deps.onAuthDead({ agent: deps.agent, reason: "no_bundle", detail: "proactive watch: linear/<agent>/oauth missing or invalid" });
+    return "no_bundle";
+  }
+  const now = deps.nowSec ? deps.nowSec() : Math.floor(Date.now() / 1000);
+  if (!needsRefresh(bundle.expiresAt, now)) {
+    return "fresh";
+  }
+  const res = await deps.refresh();
+  if (res.ok) {
+    log(`telegram gateway: linear-auth-watch agent=${deps.agent} proactively refreshed (was near expiry)
+`);
+    return "refreshed";
+  }
+  if (res.reason === "revoked") {
+    log(`telegram gateway: linear-auth-watch agent=${deps.agent} refresh REVOKED (proactive)
+`);
+    deps.onAuthDead({ agent: deps.agent, reason: "revoked", detail: res.detail });
+    return "revoked";
+  }
+  if (res.reason === "no_bundle") {
+    deps.onAuthDead({ agent: deps.agent, reason: "no_bundle", detail: res.detail });
+    return "no_bundle";
+  }
+  log(`telegram gateway: linear-auth-watch agent=${deps.agent} proactive refresh failed reason=${res.reason}
+`);
+  return "refresh_failed";
+}
+
+// ../src/linear/oauth-refresh.ts
+var LINEAR_TOKEN_ENDPOINT2 = "https://api.linear.app/oauth/token";
+var DEFAULT_REFRESH_SKEW_SEC2 = 2 * 3600;
+async function refreshLinearAppToken2(bundle, opts = {}) {
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const nowSec = opts.nowSec ?? (() => Math.floor(Date.now() / 1000));
+  const form = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: bundle.refreshToken,
+    client_id: bundle.clientId,
+    client_secret: bundle.clientSecret
+  });
+  let resp;
+  try {
+    resp = await fetchImpl(LINEAR_TOKEN_ENDPOINT2, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: form.toString()
+    });
+  } catch (err) {
+    return { ok: false, reason: "network", detail: err.message };
+  }
+  if (!resp.ok) {
+    const txt = await resp.text().catch(() => "");
+    const revoked = resp.status === 400 || /invalid_grant|invalid_token/i.test(txt);
+    return {
+      ok: false,
+      reason: revoked ? "revoked" : "http_error",
+      detail: `HTTP ${resp.status}${txt ? ` ${txt.slice(0, 200)}` : ""}`
+    };
+  }
+  let json;
+  try {
+    json = await resp.json();
+  } catch {
+    return { ok: false, reason: "bad_response", detail: "non-JSON token response" };
+  }
+  const accessToken = json.access_token;
+  if (typeof accessToken !== "string" || accessToken.length === 0) {
+    return { ok: false, reason: "bad_response", detail: "no access_token in response" };
+  }
+  const expiresIn = typeof json.expires_in === "number" ? json.expires_in : 86400;
+  const rotated = typeof json.refresh_token === "string" && json.refresh_token.length > 0 ? json.refresh_token : bundle.refreshToken;
+  return {
+    ok: true,
+    accessToken,
+    refreshToken: rotated,
+    expiresAt: nowSec() + expiresIn,
+    ...typeof json.scope === "string" ? { scope: json.scope } : {}
+  };
+}
+function parseBundle2(raw) {
+  if (raw == null || raw === "")
+    return null;
+  let o;
+  try {
+    o = JSON.parse(raw);
+  } catch {
+    return null;
+  }
+  if (typeof o.client_id === "string" && typeof o.client_secret === "string" && typeof o.refresh_token === "string" && o.client_id.length > 0 && o.client_secret.length > 0 && o.refresh_token.length > 0) {
+    return {
+      clientId: o.client_id,
+      clientSecret: o.client_secret,
+      refreshToken: o.refresh_token,
+      ...typeof o.expires_at === "number" ? { expiresAt: o.expires_at } : {}
+    };
+  }
+  return null;
+}
+function serializeBundle2(b) {
+  return JSON.stringify({
+    client_id: b.clientId,
+    client_secret: b.clientSecret,
+    refresh_token: b.refreshToken,
+    ...b.expiresAt != null ? { expires_at: b.expiresAt } : {}
+  });
+}
+async function performLinearRefresh2(io) {
+  const raw = await io.readBundle();
+  const bundle = parseBundle2(raw);
+  if (!bundle) {
+    return { ok: false, reason: "no_bundle", detail: "no/invalid refresh bundle" };
+  }
+  const res = await refreshLinearAppToken2(bundle, {
+    ...io.fetchImpl ? { fetchImpl: io.fetchImpl } : {},
+    ...io.nowSec ? { nowSec: io.nowSec } : {}
+  });
+  if (!res.ok)
+    return { ok: false, reason: res.reason, detail: res.detail };
+  try {
+    await io.writeBundle(serializeBundle2({
+      clientId: bundle.clientId,
+      clientSecret: bundle.clientSecret,
+      refreshToken: res.refreshToken,
+      expiresAt: res.expiresAt
+    }));
+    await io.writeToken(res.accessToken);
+  } catch (err) {
+    return { ok: false, reason: "persist_failed", detail: err.message };
+  }
+  return { ok: true, accessToken: res.accessToken, expiresAt: res.expiresAt };
+}
+
 // vault-approval-posture.ts
 function resolveVaultApprovalPosture(broker) {
   if (broker?.approvalAuth === "telegram-id") {
@@ -55637,10 +56044,10 @@ var GRAMMY_VERSION = (() => {
     return "unknown";
   }
 })();
-var sendMessageDraftFn = !DRAFT_ANSWER_LANE_RETIRED && typeof _rawSendMessageDraft === "function" ? (chatId, draftId, text, params) => _rawSendMessageDraft({
+var sendMessageDraftFn = !DRAFT_ANSWER_LANE_RETIRED && typeof _rawSendMessageDraft === "function" ? (chatId, draftId, text2, params) => _rawSendMessageDraft({
   chat_id: Number(chatId),
   draft_id: draftId,
-  text,
+  text: text2,
   ...params ?? {}
 }) : undefined;
 var _rawSendChecklist = bot.api.raw.sendChecklist;
@@ -56262,9 +56669,9 @@ function postQueuedStatus(chatId, bufferedThread, inFlightThread) {
   if (queuedStatusMsgIds.has(key))
     return;
   const otherTopic = inFlightThread != null ? `another topic` : `another conversation`;
-  const text = `\u23F3 Queued \u2014 replying in ${otherTopic} first, then I'll get to this.`;
+  const text2 = `\u23F3 Queued \u2014 replying in ${otherTopic} first, then I'll get to this.`;
   (async () => {
-    const sent = await swallowingApiCall(() => bot.api.sendMessage(chatId, text, { message_thread_id: bufferedThread }), { chat_id: chatId, verb: "queued-status.post", threadId: bufferedThread });
+    const sent = await swallowingApiCall(() => bot.api.sendMessage(chatId, text2, { message_thread_id: bufferedThread }), { chat_id: chatId, verb: "queued-status.post", threadId: bufferedThread });
     const messageId = sent?.message_id;
     if (typeof messageId !== "number")
       return;
@@ -56558,9 +56965,9 @@ async function postCompactCard(occ, cap) {
       resolvedTopic: resolveAgentOutboundTopic({ kind: "compact-watchdog" }) ?? chatThreadMap.get(chatId),
       supergroupChatId: resolveAgentSupergroupChatId()
     });
-    const text = `\uD83D\uDDDC\uFE0F <b>Context compaction</b>
+    const text2 = `\uD83D\uDDDC\uFE0F <b>Context compaction</b>
 ` + `Working context hit ~${occ.toLocaleString()} tokens (cap ${cap.toLocaleString()}) \u2014 running <code>/compact</code>. ` + `Older detail moves to Hindsight; I'll confirm here once the context has shrunk (may take a turn or two).`;
-    const sent = await swallowingApiCall(() => bot.api.sendMessage(chatId, text, {
+    const sent = await swallowingApiCall(() => bot.api.sendMessage(chatId, text2, {
       parse_mode: "HTML",
       ...threadId != null ? { message_thread_id: threadId } : {}
     }), { chat_id: chatId, verb: "proactiveCompact.start" });
@@ -56592,19 +56999,19 @@ async function resolveCompactCard(kind, occNow) {
   clearTimeout(card.timer);
   if (kind === "timeout")
     compactNotifyState = idleCompactNotifyState();
-  let text;
+  let text2;
   if (kind === "finished") {
-    text = `\u2705 <b>Context compacted</b>
+    text2 = `\u2705 <b>Context compacted</b>
 ` + `Working context reduced` + (occNow != null ? ` (~${card.occAtStart.toLocaleString()} \u2192 ` + `~${occNow.toLocaleString()} tokens)` : "") + `. Hindsight retains the detail.`;
   } else if (kind === "superseded") {
-    text = `\u21A9\uFE0F <b>Context compaction superseded</b>
+    text2 = `\u21A9\uFE0F <b>Context compaction superseded</b>
 ` + `A newer compaction started before this one confirmed.`;
   } else {
-    text = `\u26A0\uFE0F <b>Compaction issued</b>
+    text2 = `\u26A0\uFE0F <b>Compaction issued</b>
 ` + `<code>/compact</code> was requested but the context isn't confirmed reduced yet. Native compaction and Hindsight still apply.`;
   }
   try {
-    await swallowingApiCall(() => bot.api.editMessageText(card.chatId, card.messageId, text, {
+    await swallowingApiCall(() => bot.api.editMessageText(card.chatId, card.messageId, text2, {
       parse_mode: "HTML"
     }), { chat_id: card.chatId, verb: `proactiveCompact.${kind}` });
   } catch (err) {
@@ -56648,6 +57055,14 @@ function resolvePermissionCardTargets() {
   if (turn != null) {
     return [{ chatId: turn.sessionChatId, threadId: turn.sessionThreadId }];
   }
+  if (PERMISSION_CARD_ORIGIN_RECOVERY_ENABLED) {
+    const recovered = pickRecoveredPermissionOrigin(recentTurnsById.values(), Date.now(), PERMISSION_CARD_ORIGIN_MAX_AGE_MS);
+    if (recovered != null) {
+      process.stderr.write(`telegram gateway: permission-card origin recovered from recent turn chat=${recovered.chatId} thread=${recovered.threadId ?? "-"} ` + `(currentTurn was null \u2014 force-closed turn)
+`);
+      return [recovered];
+    }
+  }
   const sg = resolveAgentSupergroupChatId();
   const topic = resolveAgentOutboundTopic({
     kind: "permission",
@@ -56662,7 +57077,7 @@ function resolvePermissionCardTargets() {
 function postPermissionResumeMessage(opts) {
   if (process.env.SWITCHROOM_RESUME_MSG === "0")
     return;
-  const text = formatPermissionResumeMessage({
+  const text2 = formatPermissionResumeMessage({
     agentName: process.env.SWITCHROOM_AGENT_NAME ?? null,
     behavior: opts.behavior,
     action: opts.action,
@@ -56670,7 +57085,7 @@ function postPermissionResumeMessage(opts) {
   });
   const targets = resolvePermissionCardTargets();
   for (const { chatId, threadId } of targets) {
-    swallowingApiCall(() => bot.api.sendMessage(chatId, text, {
+    swallowingApiCall(() => bot.api.sendMessage(chatId, text2, {
       parse_mode: "HTML",
       ...threadId != null ? { message_thread_id: threadId } : {}
     }), { chat_id: chatId, verb: "permission-resume", ...threadId != null ? { threadId } : {} });
@@ -56712,11 +57127,11 @@ function probeAvailableReactions(chatId) {
   })();
 }
 var PHOTO_EXTS = new Set([".jpg", ".jpeg", ".png", ".gif", ".webp"]);
-function chunk2(text, limit, mode) {
-  if (text.length <= limit)
-    return [text];
+function chunk2(text2, limit, mode) {
+  if (text2.length <= limit)
+    return [text2];
   const out = [];
-  let rest = text;
+  let rest = text2;
   while (rest.length > limit) {
     let cut = limit;
     if (mode === "newline") {
@@ -56735,20 +57150,20 @@ function chunk2(text, limit, mode) {
     out.push(rest);
   return out;
 }
-function escapeMarkdownV2(text) {
+function escapeMarkdownV2(text2) {
   const specialChars = /[_*\[\]()~`>#+\-=|{}.!\\]/g;
   const parts = [];
   let last = 0;
   const codeRe = /(```[\s\S]*?```|`[^`\n]+`)/g;
   let m;
-  while ((m = codeRe.exec(text)) !== null) {
+  while ((m = codeRe.exec(text2)) !== null) {
     if (m.index > last)
-      parts.push(text.slice(last, m.index).replace(specialChars, "\\$&"));
+      parts.push(text2.slice(last, m.index).replace(specialChars, "\\$&"));
     parts.push(m[0]);
     last = m.index + m[0].length;
   }
-  if (last < text.length)
-    parts.push(text.slice(last).replace(specialChars, "\\$&"));
+  if (last < text2.length)
+    parts.push(text2.slice(last).replace(specialChars, "\\$&"));
   return parts.join("");
 }
 var typingIntervals = new Map;
@@ -56839,14 +57254,14 @@ function wrapBootCardApi(threadId) {
     ...threadId != null ? { threadId } : {}
   });
   return {
-    sendMessage: async (cid, text, sendOpts) => {
-      const sent = await robustApiCall(() => lockedBot.api.sendMessage(cid, text, sendOpts), opts(cid));
+    sendMessage: async (cid, text2, sendOpts) => {
+      const sent = await robustApiCall(() => lockedBot.api.sendMessage(cid, text2, sendOpts), opts(cid));
       return sent;
     },
-    editMessageText: (cid, mid, text, editOpts) => robustApiCall(() => lockedBot.api.editMessageText(cid, mid, text, editOpts), opts(cid)),
-    editMessageTextStrict: async (cid, mid, text, editOpts) => {
+    editMessageText: (cid, mid, text2, editOpts) => robustApiCall(() => lockedBot.api.editMessageText(cid, mid, text2, editOpts), opts(cid)),
+    editMessageTextStrict: async (cid, mid, text2, editOpts) => {
       try {
-        await lockedBot.api.editMessageText(cid, mid, text, editOpts);
+        await lockedBot.api.editMessageText(cid, mid, text2, editOpts);
         return "edited";
       } catch (err) {
         const desc = err instanceof import_grammy9.GrammyError ? err.description : err instanceof Error ? err.message : String(err);
@@ -56864,11 +57279,11 @@ function wrapIssuesCardApi(threadId) {
     ...threadId != null ? { threadId } : {}
   });
   return {
-    sendMessage: async (cid, text, sendOpts) => {
-      const sent = await robustApiCall(() => lockedBot.api.sendMessage(cid, text, sendOpts), opts(cid));
+    sendMessage: async (cid, text2, sendOpts) => {
+      const sent = await robustApiCall(() => lockedBot.api.sendMessage(cid, text2, sendOpts), opts(cid));
       return sent;
     },
-    editMessageText: (cid, mid, text, editOpts) => robustApiCall(() => lockedBot.api.editMessageText(cid, mid, text, editOpts), opts(cid)),
+    editMessageText: (cid, mid, text2, editOpts) => robustApiCall(() => lockedBot.api.editMessageText(cid, mid, text2, editOpts), opts(cid)),
     deleteMessage: (cid, mid) => robustApiCall(() => lockedBot.api.deleteMessage(cid, mid), opts(cid))
   };
 }
@@ -56884,6 +57299,19 @@ var STATUS_QUERY_RE = /^\s*status\??\s*$/i;
 var PERMISSION_REPLY_RE = /^\s*(y|yes|n|no)\s+([a-km-z]{5})\s*$/i;
 var pendingPermissions = new Map;
 var PERMISSION_TTL_MS = 600000;
+var PERMISSION_NO_REPEAT_ENABLED = process.env.SWITCHROOM_PERMISSION_NO_REPEAT !== "0";
+var PERMISSION_DUPLICATE_WINDOW_MS = 3600000;
+var permissionTimeoutSignatures = new Map;
+function clearPermissionTimeoutSuppression(reason) {
+  if (permissionTimeoutSignatures.size === 0)
+    return;
+  const n = permissionTimeoutSignatures.size;
+  permissionTimeoutSignatures.clear();
+  process.stderr.write(`telegram gateway: permission no-repeat suppression cleared (${n} sig(s)) \u2014 ${reason}
+`);
+}
+var PERMISSION_CARD_ORIGIN_RECOVERY_ENABLED = process.env.SWITCHROOM_PERMISSION_CARD_ORIGIN_RECOVERY !== "0";
+var PERMISSION_CARD_ORIGIN_MAX_AGE_MS = 1800000;
 var pendingAlwaysAllowCorrelations = new Map;
 var ALWAYS_ALLOW_CORRELATION_TTL_MS = 30000;
 function sweepStaleAlwaysAllowCorrelations(now = Date.now()) {
@@ -57113,18 +57541,31 @@ var pendingStateReaper = setInterval(() => {
   }
   for (const [k, v] of pendingPermissions) {
     if (now - v.startedAt > PERMISSION_TTL_MS) {
-      dispatchPermissionVerdict({ type: "permission", requestId: k, behavior: "deny" });
+      const timeoutMinutes = Math.round(PERMISSION_TTL_MS / 60000);
+      dispatchPermissionVerdict({
+        type: "permission",
+        requestId: k,
+        behavior: "deny",
+        message: timeoutDenyMessage(timeoutMinutes)
+      });
       resumeReactionAfterVerdict();
       postPermissionResumeMessage({
         behavior: "deny",
         action: naturalAction(v.tool_name, v.input_preview),
-        timeoutMinutes: Math.round(PERMISSION_TTL_MS / 60000)
+        timeoutMinutes
       });
-      process.stderr.write(`telegram gateway: permission TTL expired \u2014 auto-deny request=${k} tool=${v.tool_name} (no operator response in ${Math.round(PERMISSION_TTL_MS / 60000)}m)
+      if (PERMISSION_NO_REPEAT_ENABLED) {
+        permissionTimeoutSignatures.set(permissionSignature(v.tool_name, v.input_preview), now);
+      }
+      process.stderr.write(`telegram gateway: permission TTL expired \u2014 auto-deny request=${k} tool=${v.tool_name} (no operator response in ${timeoutMinutes}m)
 `);
       pendingPermissions.delete(k);
     }
   }
+  for (const [sig, at] of permissionTimeoutSignatures) {
+    if (now - at > PERMISSION_DUPLICATE_WINDOW_MS)
+      permissionTimeoutSignatures.delete(sig);
+  }
   for (const [k, v] of vaultPassphraseCache) {
     if (now > v.expiresAt)
       vaultPassphraseCache.delete(k);
@@ -57167,8 +57608,8 @@ var pendingStateReaper = setInterval(() => {
   }
 }, 60000);
 pendingStateReaper.unref();
-function looksLikeAuthCode(text) {
-  const trimmed = text.trim();
+function looksLikeAuthCode(text2) {
+  const trimmed = text2.trim();
   if (!trimmed || /\s/.test(trimmed))
     return false;
   if (trimmed.startsWith("session_"))
@@ -57266,10 +57707,10 @@ function emitGatewayOperatorEvent(event) {
   }
 }
 function postLegacyBanner(chatId, threadId, ackMessageId, ageSec, site) {
-  const text = `\uD83C\uDF9B\uFE0F Switchroom restarted \u2014 ready. (took ~${ageSec}s)`;
+  const text2 = `\uD83C\uDF9B\uFE0F Switchroom restarted \u2014 ready. (took ~${ageSec}s)`;
   process.stderr.write(`telegram gateway: ${site}: posting legacy banner chat_id=${chatId}
 `);
-  retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chatId, text, {
+  retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chatId, text2, {
     parse_mode: "HTML",
     link_preview_options: { is_disabled: true },
     ...tid != null ? { message_thread_id: tid } : {},
@@ -57281,7 +57722,7 @@ function postLegacyBanner(chatId, threadId, ackMessageId, ageSec, site) {
           chat_id: chatId,
           thread_id: threadId ?? null,
           message_ids: [sent.message_id],
-          texts: [text],
+          texts: [text2],
           attachment_kinds: []
         });
       } catch {}
@@ -57414,22 +57855,22 @@ startTimer({
       endTurn(ctx.key);
       return;
     }
-    let text = null;
+    let text2 = null;
     const upd = inFlightUpdate;
     if (upd != null) {
       try {
         const st = await hostdGetStatusOnce(getMyAgentName(), upd.requestId);
         if (st !== "not-configured" && st !== "unavailable") {
-          text = formatUpdateStatusLine(st, upd.startedAt, Date.now());
+          text2 = formatUpdateStatusLine(st, upd.startedAt, Date.now());
         }
       } catch {}
     }
-    if (text == null) {
+    if (text2 == null) {
       const blockedOnApproval = activeStatusReactions.get(statusKey(ctx.chatId, ctx.threadId))?.isAwaiting() ?? false;
-      text = formatFrameworkFallbackText(ctx.fallbackKind, ctx.silenceMs, ctx.inFlightTools, blockedOnApproval);
+      text2 = formatFrameworkFallbackText(ctx.fallbackKind, ctx.silenceMs, ctx.inFlightTools, blockedOnApproval);
     }
     try {
-      await robustApiCall(() => bot.api.sendMessage(ctx.chatId, text, {
+      await robustApiCall(() => bot.api.sendMessage(ctx.chatId, text2, {
         ...ctx.threadId != null ? { message_thread_id: ctx.threadId } : {},
         disable_notification: false
       }), { chat_id: ctx.chatId, ...ctx.threadId != null ? { threadId: ctx.threadId } : {} });
@@ -57915,12 +58356,26 @@ var ipcServer = createIpcServer({
       if (hit) {
         dispatchPermissionVerdict({ type: "permission", requestId, behavior: "allow" });
         process.stderr.write(`telegram gateway: scoped-approval auto-allow tool=${toolName} rule="${hit}" request=${requestId} (time-boxed window)
+`);
+        return;
+      }
+    }
+    if (PERMISSION_NO_REPEAT_ENABLED) {
+      const sig = permissionSignature(toolName, inputPreview);
+      if (isRecentTimeoutDuplicate(permissionTimeoutSignatures, sig, Date.now(), PERMISSION_DUPLICATE_WINDOW_MS)) {
+        dispatchPermissionVerdict({
+          type: "permission",
+          requestId,
+          behavior: "deny",
+          message: duplicateDenyMessage
+        });
+        process.stderr.write(`telegram gateway: permission no-repeat short-circuit \u2014 duplicate of a ` + `timed-out request tool=${toolName} request=${requestId} (no card posted)
 `);
         return;
       }
     }
     pendingPermissions.set(requestId, { tool_name: toolName, description, input_preview: inputPreview, startedAt: Date.now() });
-    const text = formatPermissionCardBody({
+    const text2 = formatPermissionCardBody({
       toolName,
       inputPreview,
       description,
@@ -57931,7 +58386,7 @@ var ipcServer = createIpcServer({
     const activeTurn = currentTurn;
     const targets = resolvePermissionCardTargets();
     for (const { chatId, threadId } of targets) {
-      retryWithThreadFallback(robustApiCall, (tid) => bot.api.sendMessage(chatId, text, {
+      retryWithThreadFallback(robustApiCall, (tid) => bot.api.sendMessage(chatId, text2, {
         parse_mode: "HTML",
         reply_markup: keyboard,
         ...tid != null ? { message_thread_id: tid } : {}
@@ -58365,7 +58820,8 @@ var ALLOWED_TOOLS = new Set([
   "vault_request_access",
   "request_secret",
   "linear_agent_activity",
-  "linear_create_issue"
+  "linear_create_issue",
+  "linear_agent_setup"
 ]);
 async function executeToolCall(tool, args) {
   if (!ALLOWED_TOOLS.has(tool)) {
@@ -58414,6 +58870,8 @@ async function executeToolCall(tool, args) {
       return executeLinearAgentActivity(args);
     case "linear_create_issue":
       return executeLinearCreateIssue(args);
+    case "linear_agent_setup":
+      return executeLinearAgentSetup(args);
     default:
       throw new Error(`unknown tool: ${tool}`);
   }
@@ -58444,11 +58902,45 @@ async function executeSendChecklist(args) {
 `);
   return { content: [{ type: "text", text: `checklist sent (id: ${sent.message_id})` }] };
 }
+var linearAuthAlertLast = new Map;
+var LINEAR_AUTH_ALERT_COOLDOWN_MS = 21600000;
+function notifyLinearAuthDead(info) {
+  if (process.env.SWITCHROOM_LINEAR_AUTH_ALERT === "0")
+    return;
+  const key = `${info.agent}:${info.reason}`;
+  const now = Date.now();
+  const last = linearAuthAlertLast.get(key);
+  if (last != null && now - last < LINEAR_AUTH_ALERT_COOLDOWN_MS)
+    return;
+  (async () => {
+    try {
+      const chatId = loadAccess().allowFrom[0];
+      if (!chatId)
+        return;
+      const threadId = topicForRecipient({
+        recipientChatId: chatId,
+        resolvedTopic: resolveAgentOutboundTopic({ kind: "linear-auth" }) ?? chatThreadMap.get(chatId),
+        supergroupChatId: resolveAgentSupergroupChatId()
+      });
+      const text2 = buildLinearAuthDeadMessage(info.agent, info.reason);
+      await swallowingApiCall(() => bot.api.sendMessage(chatId, text2, {
+        parse_mode: "HTML",
+        ...threadId != null ? { message_thread_id: threadId } : {}
+      }), { chat_id: chatId, verb: "linearAuthDead" });
+      linearAuthAlertLast.set(key, now);
+      process.stderr.write(`telegram gateway: linear auth-dead alert sent agent=${info.agent} reason=${info.reason}
+`);
+    } catch {}
+  })();
+}
 async function executeLinearAgentActivity(args) {
-  return emitLinearAgentActivity(args);
+  return emitLinearAgentActivity(args, { onAuthUnrecoverable: notifyLinearAuthDead });
 }
 async function executeLinearCreateIssue(args) {
-  return createLinearIssue(args);
+  return createLinearIssue(args, { onAuthUnrecoverable: notifyLinearAuthDead });
+}
+async function executeLinearAgentSetup(args) {
+  return runLinearAgentSetup(args);
 }
 async function executeUpdateChecklist(args) {
   const chat_id = args.chat_id;
@@ -58465,9 +58957,9 @@ async function executeUpdateChecklist(args) {
 `);
   return { content: [{ type: "text", text: `checklist updated (id: ${message_id})` }] };
 }
-function redactOutboundText(text, site) {
-  const masked = redact2(text);
-  if (masked !== text) {
+function redactOutboundText(text2, site) {
+  const masked = redact2(text2);
+  if (masked !== text2) {
     process.stderr.write(`telegram gateway: outbound secret masked site=${site}
 `);
   }
@@ -58481,12 +58973,12 @@ async function executeReply(args) {
   const rawText = args.text;
   if (rawText == null || rawText === "")
     throw new Error("reply: text is required and cannot be empty");
-  let text = repairEscapedWhitespace(rawText);
-  text = redactOutboundText(text, "reply");
+  let text2 = repairEscapedWhitespace(rawText);
+  text2 = redactOutboundText(text2, "reply");
   {
-    const scrub = scrubVoice(text);
+    const scrub = scrubVoice(text2);
     if (scrub.replaced > 0) {
-      text = scrub.scrubbed;
+      text2 = scrub.scrubbed;
       emitRuntimeMetric({
         kind: "voice_scrub_applied",
         chatKey: statusKey(chat_id, args.message_thread_id != null ? Number(args.message_thread_id) : undefined),
@@ -58495,11 +58987,11 @@ async function executeReply(args) {
       });
     }
   }
-  process.stderr.write(`telegram channel: reply: invoked chatId=${chat_id} charCount=${text.length} preview=${JSON.stringify(text.slice(0, 80))}
+  process.stderr.write(`telegram channel: reply: invoked chatId=${chat_id} charCount=${text2.length} preview=${JSON.stringify(text2.slice(0, 80))}
 `);
   {
     const replyThreadId = args.message_thread_id != null ? Number(args.message_thread_id) : undefined;
-    const dup = outboundDedup.check(chat_id, replyThreadId, text, Date.now(), currentTurn?.registryKey ?? null);
+    const dup = outboundDedup.check(chat_id, replyThreadId, text2, Date.now(), currentTurn?.registryKey ?? null);
     if (dup != null) {
       process.stderr.write(`telegram gateway: reply: deduped (#546) chatId=${chat_id} ageMs=${dup.ageMs} preview=${JSON.stringify(dup.preview)}
 `);
@@ -58543,13 +59035,13 @@ async function executeReply(args) {
   }
   const tg = access.telegraph;
   const tgThreshold = tg?.threshold ?? 3000;
-  if (tg?.enabled && files.length === 0 && text.length > tgThreshold) {
+  if (tg?.enabled && files.length === 0 && text2.length > tgThreshold) {
     const agentSlug = process.env.SWITCHROOM_AGENT_NAME ?? "switchroom-agent";
     const shortName = tg.short_name ?? agentSlug;
-    const url = await publishToTelegraph(text, shortName, tg.author_name);
+    const url = await publishToTelegraph(text2, shortName, tg.author_name);
     if (url != null) {
-      const title = deriveTelegraphTitle(text);
-      text = `<b>${title.replace(/[<>&]/g, (c) => c === "<" ? "&lt;" : c === ">" ? "&gt;" : "&amp;")}</b>
+      const title = deriveTelegraphTitle(text2);
+      text2 = `<b>${title.replace(/[<>&]/g, (c) => c === "<" ? "&lt;" : c === ">" ? "&gt;" : "&amp;")}</b>
 ${url}`;
     }
   }
@@ -58557,13 +59049,13 @@ ${url}`;
   let effectiveText;
   if (format === "html") {
     parseMode = "HTML";
-    effectiveText = markdownToHtml(text);
+    effectiveText = markdownToHtml(text2);
   } else if (format === "markdownv2") {
     parseMode = "MarkdownV2";
-    effectiveText = escapeMarkdownV2(text);
+    effectiveText = escapeMarkdownV2(text2);
   } else {
     parseMode = undefined;
-    effectiveText = text;
+    effectiveText = text2;
   }
   assertAllowedChat(chat_id);
   let replyRoutedOriginTurn = null;
@@ -58920,7 +59412,7 @@ ${url}`;
   process.stderr.write(`telegram channel: reply: finalized chatId=${chat_id} messageIds=[${sentIds.join(",")}] chunks=${chunks.length}
 `);
   if (sentIds.length > 0) {
-    outboundDedup.record(chat_id, threadId, text, Date.now(), currentTurn?.registryKey ?? null);
+    outboundDedup.record(chat_id, threadId, text2, Date.now(), currentTurn?.registryKey ?? null);
   }
   return { content: [{ type: "text", text: result }] };
 }
@@ -59105,12 +59597,12 @@ async function executeProgressUpdate(args) {
   if (!args.text)
     throw new Error("progress_update: text is required");
   const chat_id = args.chat_id;
-  let text = args.text;
+  let text2 = args.text;
   const threadId = resolveThreadId(chat_id, args.message_thread_id);
   const key = statusKey(chat_id, threadId);
   assertAllowedChat(chat_id);
-  if (text.length > 300) {
-    text = text.slice(0, 299) + "\u2026";
+  if (text2.length > 300) {
+    text2 = text2.slice(0, 299) + "\u2026";
   }
   const now = Date.now();
   const lastSent = progressUpdateLastSent.get(key);
@@ -59152,7 +59644,7 @@ async function executeProgressUpdate(args) {
     toolUseIdHint
   });
   if (subAgent != null && progressDriver != null) {
-    const cardText = text.length > 200 ? text.slice(0, 199) + "\u2026" : text;
+    const cardText = text2.length > 200 ? text2.slice(0, 199) + "\u2026" : text2;
     const result = progressDriver.recordSubAgentNarrative({
       chatId: chat_id,
       threadId: threadId != null ? String(threadId) : undefined,
@@ -59177,7 +59669,7 @@ async function executeProgressUpdate(args) {
   const access = loadAccess();
   const configParseMode = access.parseMode ?? "html";
   const parseMode = configParseMode === "html" ? "HTML" : undefined;
-  const effectiveText = configParseMode === "html" ? markdownToHtml(text) : text;
+  const effectiveText = configParseMode === "html" ? markdownToHtml(text2) : text2;
   const sendOpts = {
     ...parseMode ? { parse_mode: parseMode } : {},
     ...threadId != null ? { message_thread_id: threadId } : {}
@@ -59188,7 +59680,7 @@ async function executeProgressUpdate(args) {
       chat_id,
       thread_id: threadId ?? null,
       message_ids: [sent.message_id],
-      texts: [text]
+      texts: [text2]
     });
   }
   progressUpdateLastSent.set(key, now);
@@ -59355,7 +59847,7 @@ async function executeSendGif(rawArgs) {
     }]
   };
 }
-async function publishToTelegraph(text, shortName, authorName) {
+async function publishToTelegraph(text2, shortName, authorName) {
   const accountPath = join35(STATE_DIR, "telegraph-account.json");
   let account = null;
   try {
@@ -59386,8 +59878,8 @@ async function publishToTelegraph(text, shortName, authorName) {
 `);
     }
   }
-  const title = deriveTelegraphTitle(text);
-  const content = markdownToTelegraphNodes(text);
+  const title = deriveTelegraphTitle(text2);
+  const content = markdownToTelegraphNodes(text2);
   const page = await createTelegraphPage({
     accessToken: account.accessToken,
     title,
@@ -59399,7 +59891,7 @@ async function publishToTelegraph(text, shortName, authorName) {
 `);
     return null;
   }
-  process.stderr.write(`telegram gateway: telegraph published url=${page.value.url} title=${JSON.stringify(title)} chars=${text.length}
+  process.stderr.write(`telegram gateway: telegraph published url=${page.value.url} title=${JSON.stringify(title)} chars=${text2.length}
 `);
   return page.value.url;
 }
@@ -59461,11 +59953,11 @@ async function executeVaultRequestSave(args) {
   };
   pendingVaultRequestSaves.set(stageId, pending2);
   sweepPendingVaultRequestSaves();
-  const text = renderVaultRequestSaveCard(pending2, agentSlug);
+  const text2 = renderVaultRequestSaveCard(pending2, agentSlug);
   const threadId = args.message_thread_id != null ? Number(args.message_thread_id) : undefined;
   if (threadId != null)
     pending2.threadId = threadId;
-  const sent = await retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chat_id, text, {
+  const sent = await retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chat_id, text2, {
     parse_mode: "HTML",
     reply_markup: buildVaultRequestSaveKeyboard(stageId),
     ...tid != null && Number.isFinite(tid) ? { message_thread_id: tid } : {}
@@ -59537,11 +60029,11 @@ async function executeRequestSecret(args) {
   const pending2 = { agent: agentSlug, chat_id, key, reason, staged_at: Date.now() };
   pendingSecretRequests.set(stageId, pending2);
   sweepSecretRequests();
-  const text = renderSecretRequestCard(pending2);
+  const text2 = renderSecretRequestCard(pending2);
   const threadId = args.message_thread_id != null ? Number(args.message_thread_id) : undefined;
   if (threadId != null)
     pending2.threadId = threadId;
-  const sent = await retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chat_id, text, {
+  const sent = await retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chat_id, text2, {
     parse_mode: "HTML",
     reply_markup: buildSecretRequestKeyboard(stageId),
     ...tid != null && Number.isFinite(tid) ? { message_thread_id: tid } : {}
@@ -59782,11 +60274,11 @@ async function executeVaultRequestAccess(args) {
   };
   pendingVaultRequestAccesses.set(stageId, pending2);
   sweepPendingVaultRequestAccesses();
-  const text = renderVaultRequestAccessCard(pending2);
+  const text2 = renderVaultRequestAccessCard(pending2);
   const threadId = args.message_thread_id != null ? Number(args.message_thread_id) : undefined;
   if (threadId != null)
     pending2.threadId = threadId;
-  const sent = await retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chat_id, text, {
+  const sent = await retryWithThreadFallback(robustApiCall, (tid) => lockedBot.api.sendMessage(chat_id, text2, {
     parse_mode: "HTML",
     reply_markup: buildVaultRequestAccessKeyboard(stageId),
     ...tid != null && Number.isFinite(tid) ? { message_thread_id: tid } : {}
@@ -60344,10 +60836,10 @@ function handleSessionEvent(ev) {
             isPrivateChat: turn.isDm,
             threadId: turn.sessionThreadId,
             ...ANSWER_LANE.usesDraftTransport ? { sendMessageDraft: sendMessageDraftFn, minInitialChars: ANSWER_LANE.minInitialChars } : { minInitialChars: ANSWER_LANE.minInitialChars },
-            sendMessage: async (chatId, text, params) => {
+            sendMessage: async (chatId, text2, params) => {
               const tid = params?.message_thread_id;
               const silent = params?.purpose !== "materialize";
-              const msg = await robustApiCall(() => bot.api.sendMessage(chatId, text, {
+              const msg = await robustApiCall(() => bot.api.sendMessage(chatId, text2, {
                 parse_mode: params?.parse_mode,
                 disable_notification: silent,
                 ...tid != null ? { message_thread_id: tid } : {},
@@ -60360,9 +60852,9 @@ function handleSessionEvent(ev) {
               });
               return { message_id: msg.message_id };
             },
-            editMessageText: (chatId, messageId, text, params) => {
+            editMessageText: (chatId, messageId, text2, params) => {
               const tid = params?.message_thread_id;
-              return robustApiCall(() => bot.api.editMessageText(chatId, messageId, text, {
+              return robustApiCall(() => bot.api.editMessageText(chatId, messageId, text2, {
                 parse_mode: params?.parse_mode,
                 ...tid != null ? { message_thread_id: tid } : {},
                 ...params?.link_preview_options != null ? { link_preview_options: params.link_preview_options } : {}
@@ -60386,13 +60878,13 @@ function handleSessionEvent(ev) {
                 }
               }
             },
-            checkDedup: (text) => {
-              return outboundDedup.check(turn.sessionChatId, turn.sessionThreadId, text, Date.now(), turn.registryKey ?? null) != null;
+            checkDedup: (text2) => {
+              return outboundDedup.check(turn.sessionChatId, turn.sessionThreadId, text2, Date.now(), turn.registryKey ?? null) != null;
             },
-            recordDedup: (text) => {
-              outboundDedup.record(turn.sessionChatId, turn.sessionThreadId, text, Date.now(), turn.registryKey ?? null);
+            recordDedup: (text2) => {
+              outboundDedup.record(turn.sessionChatId, turn.sessionThreadId, text2, Date.now(), turn.registryKey ?? null);
             },
-            recordOutbound: ({ messageId, text }) => {
+            recordOutbound: ({ messageId, text: text2 }) => {
               if (!HISTORY_ENABLED)
                 return;
               try {
@@ -60400,7 +60892,7 @@ function handleSessionEvent(ev) {
                   chat_id: turn.sessionChatId,
                   thread_id: turn.sessionThreadId ?? null,
                   message_ids: [messageId],
-                  texts: [text]
+                  texts: [text2]
                 });
               } catch {}
             }
@@ -60791,7 +61283,7 @@ function handleSessionEvent(ev) {
     }
   }
 }
-function handlePtyPartial(text) {
+function handlePtyPartial(text2) {
   const turn = currentTurn;
   const state4 = {
     currentSessionChatId: turn?.sessionChatId ?? null,
@@ -60802,7 +61294,7 @@ function handlePtyPartial(text) {
     suppressPtyPreview,
     lastPtyPreviewByChat
   };
-  handlePtyPartialPure(text, state4, {
+  handlePtyPartialPure(text2, state4, {
     bot,
     retry: robustApiCall,
     renderText: markdownToHtml,
@@ -60914,10 +61406,10 @@ function gate(ctx) {
 }
 function isMentioned(ctx, extraPatterns) {
   const entities = ctx.message?.entities ?? ctx.message?.caption_entities ?? [];
-  const text = ctx.message?.text ?? ctx.message?.caption ?? "";
+  const text2 = ctx.message?.text ?? ctx.message?.caption ?? "";
   for (const e of entities) {
     if (e.type === "mention") {
-      const mentioned = text.slice(e.offset, e.offset + e.length);
+      const mentioned = text2.slice(e.offset, e.offset + e.length);
       if (mentioned.toLowerCase() === `@${botUsername}`.toLowerCase())
         return true;
     }
@@ -60928,7 +61420,7 @@ function isMentioned(ctx, extraPatterns) {
     return true;
   for (const pat of extraPatterns ?? []) {
     try {
-      if (new RegExp(pat, "i").test(text))
+      if (new RegExp(pat, "i").test(text2))
         return true;
     } catch {}
   }
@@ -60957,14 +61449,14 @@ function isAuthorizedSender(ctx) {
 function safeName(s) {
   return s?.replace(/[<>\[\]\r\n;]/g, "_");
 }
-async function handleInboundCoalesced(ctx, text, downloadImage, attachment) {
-  if (parseInterruptMarker(text).isInterrupt) {
-    return handleInbound(ctx, text, downloadImage, attachment);
+async function handleInboundCoalesced(ctx, text2, downloadImage, attachment) {
+  if (parseInterruptMarker(text2).isInterrupt) {
+    return handleInbound(ctx, text2, downloadImage, attachment);
   }
   const hasAttachment = downloadImage != null || attachment != null;
   const maxAttachments = coalesceMaxAttachments();
   if (hasAttachment && ctx.message?.media_group_id != null && maxAttachments <= 1) {
-    return handleInbound(ctx, text, downloadImage, attachment);
+    return handleInbound(ctx, text2, downloadImage, attachment);
   }
   const from = ctx.from;
   if (!from)
@@ -60972,14 +61464,14 @@ async function handleInboundCoalesced(ctx, text, downloadImage, attachment) {
   if (hasAttachment) {
     const probeKey = inboundCoalesceKey(String(ctx.chat.id), ctx.message?.message_thread_id, String(from.id));
     if ((bufferedAttachmentKeys.get(probeKey) ?? 0) >= maxAttachments) {
-      return handleInbound(ctx, text, downloadImage, attachment);
+      return handleInbound(ctx, text2, downloadImage, attachment);
     }
   }
   maybeEarlyAckReaction(ctx, from);
   const key = inboundCoalesceKey(String(ctx.chat.id), ctx.message?.message_thread_id, String(from.id));
-  const result = inboundCoalescer.enqueue(key, { text, ctx, downloadImage, attachment });
+  const result = inboundCoalescer.enqueue(key, { text: text2, ctx, downloadImage, attachment });
   if (result.bypass)
-    return handleInbound(ctx, text, downloadImage, attachment);
+    return handleInbound(ctx, text2, downloadImage, attachment);
   if (hasAttachment)
     bufferedAttachmentKeys.set(key, (bufferedAttachmentKeys.get(key) ?? 0) + 1);
 }
@@ -61002,7 +61494,7 @@ function maybeEarlyAckReaction(ctx, from) {
   ]).catch(() => {});
   bot.api.sendChatAction(chatId, "typing").catch(() => {});
 }
-async function handleInbound(ctx, text, downloadImage, attachment, extraAttachments) {
+async function handleInbound(ctx, text2, downloadImage, attachment, extraAttachments) {
   const isTopicMessage = ctx.message?.is_topic_message ?? false;
   const messageThreadId = ctx.message?.message_thread_id;
   if (TOPIC_ID != null) {
@@ -61021,6 +61513,7 @@ async function handleInbound(ctx, text, downloadImage, attachment, extraAttachme
 /telegram:access pair ${result.code}`);
     return;
   }
+  clearPermissionTimeoutSuppression("operator inbound");
   const inboundReceivedAt = Date.now();
   const _shadowKey = statusKey(ctx.chat?.id != null ? String(ctx.chat.id) : "0", ctx.message?.message_thread_id);
   const machineInTurnAtReceipt = isDeliveryCutoverEnabled() ? isMachineInTurn() : null;
@@ -61042,7 +61535,7 @@ async function handleInbound(ctx, text, downloadImage, attachment, extraAttachme
   if (messageThreadId != null)
     chatThreadMap.set(chat_id, messageThreadId);
   try {
-    const classification = classifyInbound(text);
+    const classification = classifyInbound(text2);
     if (classification.isStatusQuery) {
       const priorKey = statusKey(chat_id, messageThreadId);
       const priorTurnStartedAt2 = activeTurnStartedAt.get(priorKey);
@@ -61052,7 +61545,7 @@ async function handleInbound(ctx, text, downloadImage, attachment, extraAttachme
         chat_id,
         message_id: msgId ?? null,
         thread_id: messageThreadId ?? null,
-        text_length: text.length,
+        text_length: text2.length,
         prior_turn_in_flight: priorTurnInFlight,
         seconds_since_turn_start: priorTurnStartedAt2 != null ? Math.round((inboundReceivedAt - priorTurnStartedAt2) / 1000) : null
       });
@@ -61061,7 +61554,7 @@ async function handleInbound(ctx, text, downloadImage, attachment, extraAttachme
     process.stderr.write(`telegram gateway: inbound classifier error: ${err.message}
 `);
   }
-  const interrupt = parseInterruptMarker(text);
+  const interrupt = parseInterruptMarker(text2);
   let deferInterrupt = false;
   if (interrupt.isInterrupt) {
     const agentName3 = process.env.SWITCHROOM_AGENT_NAME;
@@ -61102,9 +61595,9 @@ async function handleInbound(ctx, text, downloadImage, attachment, extraAttachme
       });
       return;
     }
-    text = interrupt.body;
+    text2 = interrupt.body;
   }
-  if (STATUS_QUERY_RE.test(text)) {
+  if (STATUS_QUERY_RE.test(text2)) {
     try {
       const threadKey = messageThreadId != null ? String(messageThreadId) : undefined;
       const cardState = progressDriver?.peek(chat_id, threadKey);
@@ -61120,7 +61613,7 @@ async function handleInbound(ctx, text, downloadImage, attachment, extraAttachme
 `);
     }
   }
-  const permMatch = PERMISSION_REPLY_RE.exec(text);
+  const permMatch = PERMISSION_REPLY_RE.exec(text2);
   if (permMatch) {
     const behavior = permMatch[1].toLowerCase().startsWith("y") ? "allow" : "deny";
     const request_id = permMatch[2].toLowerCase();
@@ -61145,12 +61638,12 @@ async function handleInbound(ctx, text, downloadImage, attachment, extraAttachme
   }
   const interceptKey = chatKey2(chat_id, messageThreadId);
   const pendingAdd = pendingAuthAddFlows.get(interceptKey);
-  if (pendingAdd && looksLikeAuthCode(text)) {
+  if (pendingAdd && looksLikeAuthCode(text2)) {
     const elapsed = Date.now() - pendingAdd.startedAt;
     if (elapsed < REAUTH_INTERCEPT_TTL_MS) {
       pendingAuthAddFlows.delete(interceptKey);
       try {
-        const credentials = await submitAccountAuthCode(pendingAdd, text.trim());
+        const credentials = await submitAccountAuthCode(pendingAdd, text2.trim());
         try {
           await addAccountViaBroker(pendingAdd.label, credentials, { replace: false });
           cleanScratchDir(pendingAdd.scratchDir);
@@ -61170,11 +61663,11 @@ The fleet's active account hasn't changed. Send <code>/auth use ${escapeHtmlForT
     pendingAuthAddFlows.delete(interceptKey);
   }
   const pendingReauth = pendingReauthFlows.get(interceptKey);
-  if (pendingReauth && looksLikeAuthCode(text)) {
+  if (pendingReauth && looksLikeAuthCode(text2)) {
     const elapsed = Date.now() - pendingReauth.startedAt;
     if (elapsed < REAUTH_INTERCEPT_TTL_MS) {
       pendingReauthFlows.delete(interceptKey);
-      const { result: result2, errorText } = execAuthCode(pendingReauth.agent, text.trim());
+      const { result: result2, errorText } = execAuthCode(pendingReauth.agent, text2.trim());
       if (errorText) {
         await switchroomReply(ctx, `<b>auth code failed:</b>
 ${preBlock(formatSwitchroomOutput(errorText))}`, { html: true });
@@ -61202,7 +61695,7 @@ ${preBlock(formatSwitchroomOutput(errorText))}`, { html: true });
     } else {
       pendingVaultOps.delete(chat_id);
       if (pendingVault.kind === "passphrase") {
-        const passphrase = text.trim();
+        const passphrase = text2.trim();
         if (!passphrase) {
           await switchroomReply(ctx, "Passphrase cannot be empty. Try /vault again.", { html: true });
           return;
@@ -61212,7 +61705,7 @@ ${preBlock(formatSwitchroomOutput(errorText))}`, { html: true });
           await deleteSensitiveMessage(chat_id, msgId, "vault passphrase");
         await executeVaultOp(ctx, chat_id, pendingVault.op, pendingVault.key, passphrase, undefined);
       } else if (pendingVault.kind === "unlock") {
-        const passphrase = text.trim();
+        const passphrase = text2.trim();
         if (!passphrase) {
           await switchroomReply(ctx, "Passphrase cannot be empty. Try /vault unlock again.", { html: true });
           return;
@@ -61226,7 +61719,7 @@ ${preBlock(formatSwitchroomOutput(errorText))}`, { html: true });
           await switchroomReply(ctx, `<b>vault unlock failed:</b> ${escapeHtmlForTg(result2.msg ?? "unknown error")}`, { html: true });
         }
       } else if (pendingVault.kind === "passphrase-for-deferred") {
-        const passphrase = text.trim();
+        const passphrase = text2.trim();
         if (!passphrase) {
           await switchroomReply(ctx, "Passphrase cannot be empty. Tap the unlock button again.", { html: true });
           return;
@@ -61236,7 +61729,7 @@ ${preBlock(formatSwitchroomOutput(errorText))}`, { html: true });
           await deleteSensitiveMessage(chat_id, msgId, "vault passphrase");
         await executeDeferredSecretSave(ctx, pendingVault.deferKey, passphrase, pendingVault.cardMessageId);
       } else if (pendingVault.kind === "passphrase-for-access-approve") {
-        const passphrase = text.trim();
+        const passphrase = text2.trim();
         if (!passphrase) {
           await switchroomReply(ctx, "Passphrase cannot be empty. Ask the agent to re-issue the request card.", { html: true });
           return;
@@ -61253,7 +61746,7 @@ ${preBlock(formatSwitchroomOutput(errorText))}`, { html: true });
           await performVaultAccessApproval(ctx, stagedAccess, item.stageId, item.senderId, { kind: "passphrase", passphrase });
         }
       } else if (pendingVault.kind === "grant-wizard" && pendingVault.awaitingCustomDuration) {
-        const input = text.trim();
+        const input = text2.trim();
         const ttlSeconds = parseGrantDuration(input);
         if (ttlSeconds === null) {
           pendingVaultOps.set(chat_id, { ...pendingVault, startedAt: Date.now() });
@@ -61265,15 +61758,15 @@ ${preBlock(formatSwitchroomOutput(errorText))}`, { html: true });
       } else if (pendingVault.kind === "grant-wizard") {
         pendingVaultOps.set(chat_id, { ...pendingVault, startedAt: Date.now() });
       } else if (pendingVault.kind === "value") {
-        let value = text;
-        const codeBlockMatch = /^```[\w]*\n?([\s\S]*?)```$/m.exec(text);
+        let value = text2;
+        const codeBlockMatch = /^```[\w]*\n?([\s\S]*?)```$/m.exec(text2);
         if (codeBlockMatch)
           value = codeBlockMatch[1];
         if (msgId != null)
           await deleteSensitiveMessage(chat_id, msgId, "vault secret value");
         await executeVaultOp(ctx, chat_id, "set", pendingVault.key, pendingVault.passphrase, value.trim());
       } else if (pendingVault.kind === "rename-vault-save") {
-        const newKey = text.trim();
+        const newKey = text2.trim();
         const staged = pendingVaultRequestSaves.get(pendingVault.stageId);
         if (!staged) {
           await switchroomReply(ctx, "\u231B That save card expired before you renamed. Ask the agent to re-issue.", { html: true });
@@ -61294,7 +61787,7 @@ ${preBlock(formatSwitchroomOutput(errorText))}`, { html: true });
       return;
     }
   }
-  const stagedMatch = /^\s*(stash|ignore|rename|forget)\b\s*(\S+)?/i.exec(text);
+  const stagedMatch = /^\s*(stash|ignore|rename|forget)\b\s*(\S+)?/i.exec(text2);
   if (stagedMatch) {
     const staged = secretStaging.latestForChat(chat_id);
     if (staged != null) {
@@ -61340,13 +61833,13 @@ ${preBlock(write.output)}`;
     }
   }
   bot.api.sendChatAction(chat_id, "typing", messageThreadId != null ? { message_thread_id: messageThreadId } : {}).catch(() => {});
-  const parsedSteer = parseSteerPrefix(text);
+  const parsedSteer = parseSteerPrefix(text2);
   const isSteerPrefix = parsedSteer.steering;
-  const parsedQueue = isSteerPrefix ? { queued: false, body: parsedSteer.body } : parseQueuePrefix(text);
+  const parsedQueue = isSteerPrefix ? { queued: false, body: parsedSteer.body } : parseQueuePrefix(text2);
   const isQueuedPrefix = parsedQueue.queued;
-  let effectiveText = isSteerPrefix ? parsedSteer.body : isQueuedPrefix ? parsedQueue.body : text;
+  let effectiveText = isSteerPrefix ? parsedSteer.body : isQueuedPrefix ? parsedQueue.body : text2;
   if (armedSecretCaptures.has(chat_id)) {
-    const consumed = await captureProvidedSecret(ctx, chat_id, msgId ?? undefined, text);
+    const consumed = await captureProvidedSecret(ctx, chat_id, msgId ?? undefined, text2);
     if (consumed)
       return;
   }
@@ -61516,7 +62009,7 @@ ${preBlock(write.output)}`;
           chat_id,
           message_id: msgId,
           thread_id: messageThreadId ?? null,
-          inbound_classified_as_status_query: classifyInbound(text).isStatusQuery
+          inbound_classified_as_status_query: classifyInbound(text2).isStatusQuery
         });
         const agentDir = resolveAgentDirFromEnv();
         if (agentDir != null) {
@@ -61762,21 +62255,21 @@ function formatSwitchroomOutput(output, maxLen = 4000) {
   return trimmed.slice(0, maxLen - 20) + `
 ... (truncated)`;
 }
-function stripAnsi2(text) {
-  return text.replace(/\x1b\[[0-9;]*[a-zA-Z]/g, "");
+function stripAnsi2(text2) {
+  return text2.replace(/\x1b\[[0-9;]*[a-zA-Z]/g, "");
 }
-function escapeHtmlForTg(text) {
-  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+function escapeHtmlForTg(text2) {
+  return text2.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-function preBlock(text) {
-  return "<pre>" + escapeHtmlForTg(text) + "</pre>";
+function preBlock(text2) {
+  return "<pre>" + escapeHtmlForTg(text2) + "</pre>";
 }
-async function switchroomReply(ctx, text, options = {}) {
+async function switchroomReply(ctx, text2, options = {}) {
   const chatId = String(ctx.chat.id);
   const baseThreadId = resolveThreadId(chatId, ctx.message?.message_thread_id);
   const routedOpts = options.classification ? slashCommandReplyOpts(ctx, options.classification) : {};
   const threadId = routedOpts.message_thread_id ?? baseThreadId;
-  await ctx.reply(text, {
+  await ctx.reply(text2, {
     ...threadId != null ? { message_thread_id: threadId } : {},
     ...options.html ? { parse_mode: "HTML", link_preview_options: { is_disabled: true } } : {},
     ...options.reply_markup ? { reply_markup: options.reply_markup } : {}
@@ -61800,8 +62293,8 @@ function getCommandArgs(ctx) {
   const fromMatch = typeof ctx.match === "string" ? ctx.match.trim() : "";
   if (fromMatch)
     return fromMatch;
-  const text = ctx.msg?.text ?? ctx.message?.text ?? "";
-  const m = text.match(/^\/\S+\s+([\s\S]*)$/);
+  const text2 = ctx.msg?.text ?? ctx.message?.text ?? "";
+  const m = text2.match(/^\/\S+\s+([\s\S]*)$/);
   return m ? m[1].trim() : "";
 }
 function assertSafeAgentName(name) {
@@ -61927,6 +62420,40 @@ function resolveAgentSupergroupChatId() {
     return;
   }
 }
+function isSelfLinearAgentEnabled() {
+  const agentName3 = process.env.SWITCHROOM_AGENT_NAME;
+  if (!agentName3)
+    return false;
+  try {
+    const cfg = loadConfig2();
+    const rawAgent = cfg.agents?.[agentName3];
+    if (!rawAgent)
+      return false;
+    const resolved = resolveAgentConfig2(cfg.defaults, cfg.profiles, rawAgent);
+    const la = resolved.channels?.telegram?.linear_agent;
+    return la?.enabled === true;
+  } catch {
+    return false;
+  }
+}
+async function runLinearAuthWatch() {
+  const agent = process.env.SWITCHROOM_AGENT_NAME;
+  if (!agent)
+    return;
+  const io = brokerRefreshIO(agent);
+  const status = await runLinearAuthCheck({
+    agent,
+    linearEnabled: isSelfLinearAgentEnabled,
+    readBundle: io.readBundle,
+    refresh: () => performLinearRefresh2(io),
+    onAuthDead: notifyLinearAuthDead,
+    log: (s) => process.stderr.write(s)
+  });
+  if (status !== "disabled" && status !== "fresh") {
+    process.stderr.write(`telegram gateway: linear-auth-watch agent=${agent} status=${status}
+`);
+  }
+}
 function stampUserRestartReason(reason) {
   try {
     writeCleanShutdownMarker(GATEWAY_CLEAN_SHUTDOWN_MARKER_PATH, {
@@ -62039,9 +62566,9 @@ function notifyDetachedFailure(chatId, threadId, label) {
   return ({ code, tail }) => {
     clearRestartMarker();
     const snippet = tail ? tail.slice(-800) : "(no output captured)";
-    const text = `\u274C <b>${escapeHtmlForTg(label)} failed</b> (exit ${code}):
+    const text2 = `\u274C <b>${escapeHtmlForTg(label)} failed</b> (exit ${code}):
 ` + preBlock(snippet);
-    swallowingApiCall(() => lockedBot.api.sendMessage(chatId, text, {
+    swallowingApiCall(() => lockedBot.api.sendMessage(chatId, text2, {
       parse_mode: "HTML",
       link_preview_options: { is_disabled: true },
       ...threadId != null ? { message_thread_id: threadId } : {}
@@ -62475,7 +63002,8 @@ async function buildLiveProbeRows(agentName3) {
       "scheduler",
       "broker",
       "kernel",
-      "skills"
+      "skills",
+      "connections"
     ];
     for (const k of order) {
       const r = probes[k];
@@ -62550,7 +63078,7 @@ bot.command("inject", async (ctx) => {
   await handleInjectCommand(ctx, {
     isAuthorized: isAuthorizedSender,
     inject: injectSlashCommand,
-    reply: async (ctx2, text, opts) => switchroomReply(ctx2, text, { html: opts?.html }),
+    reply: async (ctx2, text2, opts) => switchroomReply(ctx2, text2, { html: opts?.html }),
     getAgentName: getMyAgentName,
     getArgs: getCommandArgs,
     escapeHtml: escapeHtmlForTg,
@@ -62603,8 +63131,8 @@ function modelMenuReplyMarkup(reply) {
 bot.command("model", async (ctx) => {
   if (!isAuthorizedSender(ctx))
     return;
-  const text = ctx.message?.text ?? ctx.channelPost?.text ?? "";
-  const parsed = parseModelCommand(text) ?? { kind: "show" };
+  const text2 = ctx.message?.text ?? ctx.channelPost?.text ?? "";
+  const parsed = parseModelCommand(text2) ?? { kind: "show" };
   const deps = buildModelDeps();
   if (parsed.kind === "show" && process.env.SWITCHROOM_MODEL_MENU !== "0") {
     const menu = await buildModelMenu(deps);
@@ -62639,8 +63167,8 @@ function effortMenuReplyMarkup(reply) {
 bot.command("effort", async (ctx) => {
   if (!isAuthorizedSender(ctx))
     return;
-  const text = ctx.message?.text ?? ctx.channelPost?.text ?? "";
-  const parsed = parseEffortCommand(text) ?? { kind: "show" };
+  const text2 = ctx.message?.text ?? ctx.channelPost?.text ?? "";
+  const parsed = parseEffortCommand(text2) ?? { kind: "show" };
   const deps = buildEffortDeps();
   if (parsed.kind === "show") {
     const menu = buildEffortMenu(deps);
@@ -63071,6 +63599,7 @@ async function handlePermissionSlash(ctx, behavior) {
     await switchroomReply(ctx, `No pending permission for id <code>${escapeHtmlForTg(request_id)}</code>. It may have already been answered or timed out.`, { html: true });
     return;
   }
+  clearPermissionTimeoutSuppression("operator answered via /approve|/deny");
   dispatchPermissionVerdict({ type: "permission", requestId: request_id, behavior });
   resumeReactionAfterVerdict();
   postPermissionResumeMessage({
@@ -63609,8 +64138,8 @@ bot.command("auth", async (ctx) => {
     }
     return;
   }
-  const text = ctx.message?.text ?? "";
-  const parsed = parseAuthCommand(text);
+  const text2 = ctx.message?.text ?? "";
+  const parsed = parseAuthCommand(text2);
   if (!parsed)
     return;
   const currentAgent = getMyAgentName();
@@ -64249,14 +64778,14 @@ async function grantWizardStep2(ctx, chatId, agent, wizardMsgId) {
   }
   const selected = new Set;
   const kb = buildGrantKeysKeyboard(keys, selected);
-  const text = `<b>Grant capability token \u2014 Step 2/3</b>
+  const text2 = `<b>Grant capability token \u2014 Step 2/3</b>
 
 Which keys for <code>${escapeHtmlForTg(agent)}</code>?
 <i>Tap to toggle; tap Continue when done.</i>`;
   if (wizardMsgId != null) {
-    await ctx.api.editMessageText(chatId, wizardMsgId, text, { parse_mode: "HTML", reply_markup: kb }).catch(() => {});
+    await ctx.api.editMessageText(chatId, wizardMsgId, text2, { parse_mode: "HTML", reply_markup: kb }).catch(() => {});
   } else {
-    const sent = await switchroomReply(ctx, text, { html: true, reply_markup: kb });
+    const sent = await switchroomReply(ctx, text2, { html: true, reply_markup: kb });
     wizardMsgId = sent?.message_id;
   }
   pendingVaultOps.set(chatId, {
@@ -64273,7 +64802,7 @@ async function grantWizardStep3(ctx, chatId, state4) {
   const kb = buildGrantDurationKeyboard();
   const keyList = state4.selectedKeys.map((k) => `\u2022 <code>${escapeHtmlForTg(k)}</code>`).join(`
 `);
-  const text = `<b>Grant capability token \u2014 Step 3/3</b>
+  const text2 = `<b>Grant capability token \u2014 Step 3/3</b>
 
 Keys for <code>${escapeHtmlForTg(state4.agent)}</code>:
 ${keyList}
@@ -64281,9 +64810,9 @@ ${keyList}
 How long should this grant be valid?`;
   const msgId = state4.wizardMsgId;
   if (msgId != null) {
-    await ctx.api.editMessageText(chatId, msgId, text, { parse_mode: "HTML", reply_markup: kb }).catch(() => {});
+    await ctx.api.editMessageText(chatId, msgId, text2, { parse_mode: "HTML", reply_markup: kb }).catch(() => {});
   } else {
-    const sent = await switchroomReply(ctx, text, { html: true, reply_markup: kb });
+    const sent = await switchroomReply(ctx, text2, { html: true, reply_markup: kb });
     state4.wizardMsgId = sent?.message_id;
   }
   pendingVaultOps.set(chatId, { ...state4, step: "duration" });
@@ -64293,7 +64822,7 @@ async function grantWizardConfirm(ctx, chatId, state4) {
   const expiresLabel = formatGrantExpiry(state4.ttlSeconds);
   const keyList = state4.selectedKeys.map((k) => `\u2022 <code>${escapeHtmlForTg(k)}</code>`).join(`
 `);
-  const text = [
+  const text2 = [
     "<b>Confirm grant</b>",
     "",
     `Agent: <code>${escapeHtmlForTg(state4.agent)}</code>`,
@@ -64306,9 +64835,9 @@ ${keyList}`,
 `);
   const msgId = state4.wizardMsgId;
   if (msgId != null) {
-    await ctx.api.editMessageText(chatId, msgId, text, { parse_mode: "HTML", reply_markup: kb }).catch(() => {});
+    await ctx.api.editMessageText(chatId, msgId, text2, { parse_mode: "HTML", reply_markup: kb }).catch(() => {});
   } else {
-    const sent = await switchroomReply(ctx, text, { html: true, reply_markup: kb });
+    const sent = await switchroomReply(ctx, text2, { html: true, reply_markup: kb });
     state4.wizardMsgId = sent?.message_id;
   }
   const kernelRequestId = await mintGrantWizardKernelRequest(state4.agent, loadAccess().allowFrom, state4.selectedKeys, state4.ttlSeconds ?? null);
@@ -64778,7 +65307,7 @@ async function handleAuthDashboardCallback(ctx) {
       const tz = process.env.SWITCHROOM_TIMEZONE ?? process.env.TZ ?? "UTC";
       const { renderAuthSnapshotFormat2: renderAuthSnapshotFormat23, buildSnapshotsFromState: buildSnapshotsFromState4, buildSnapshotKeyboard: buildSnapshotKeyboard3 } = await Promise.resolve().then(() => (init_auth_snapshot_format(), exports_auth_snapshot_format));
       const snapshots = buildSnapshotsFromState4(state4, quotas);
-      const text = renderAuthSnapshotFormat23(snapshots, {
+      const text2 = renderAuthSnapshotFormat23(snapshots, {
         tz,
         now: new Date,
         liveProbedAtMs: Date.now()
@@ -64793,7 +65322,7 @@ async function handleAuthDashboardCallback(ctx) {
       }));
       const msg = ctx.callbackQuery?.message;
       if (msg) {
-        await swallowingApiCall(() => bot.api.editMessageText(msg.chat.id, msg.message_id, text, {
+        await swallowingApiCall(() => bot.api.editMessageText(msg.chat.id, msg.message_id, text2, {
           parse_mode: "HTML",
           reply_markup: { inline_keyboard }
         }), { chat_id: String(msg.chat.id), verb: "auth:refresh:edit" });
@@ -65175,12 +65704,12 @@ bot.command("usage", async (ctx) => {
         const { renderAuthSnapshotFormat2: renderAuthSnapshotFormat23, buildSnapshotsFromState: buildSnapshotsFromState4 } = await Promise.resolve().then(() => (init_auth_snapshot_format(), exports_auth_snapshot_format));
         const tz = process.env.SWITCHROOM_TIMEZONE ?? process.env.TZ ?? "UTC";
         const snapshots = buildSnapshotsFromState4(state4, quotas);
-        const text = renderAuthSnapshotFormat23(snapshots, {
+        const text2 = renderAuthSnapshotFormat23(snapshots, {
           tz,
           now: new Date,
           liveProbedAtMs: Date.now()
         });
-        await switchroomReply(ctx, text, { html: true });
+        await switchroomReply(ctx, text2, { html: true });
         return;
       }
     }
@@ -65869,6 +66398,7 @@ ${editLabel}` : editLabel,
     });
     return;
   }
+  clearPermissionTimeoutSuppression("operator answered a permission card");
   const pd = pendingPermissions.get(request_id);
   const resumeAction = pd ? naturalAction(pd.tool_name, pd.input_preview) : "";
   const scopedTtl = scopedApprovalTtlMs();
@@ -65956,10 +66486,10 @@ bot.on("message:voice", async (ctx) => {
   if (voiceIn?.enabled && voiceIn?.provider === "openai") {
     const transcript = await maybeTranscribeVoice(voice.file_id, voice.mime_type, voiceIn.language);
     if (transcript != null) {
-      const text = ctx.message.caption ? `${ctx.message.caption}
+      const text2 = ctx.message.caption ? `${ctx.message.caption}
 
 [voice transcript] ${transcript}` : `[voice transcript] ${transcript}`;
-      await handleInboundCoalesced(ctx, text, undefined, {
+      await handleInboundCoalesced(ctx, text2, undefined, {
         kind: "voice",
         file_id: voice.file_id,
         size: voice.file_size,
@@ -66045,14 +66575,14 @@ bot.on("message:sticker", async (ctx) => {
     parts.push(sticker.emoji);
   if (sticker.set_name)
     parts.push(`from "${sticker.set_name}"`);
-  const text = parts.length > 0 ? `(sticker \u2014 ${parts.join(" ")})` : "(sticker)";
-  await handleInboundCoalesced(ctx, text, undefined, { kind: "sticker", file_id: sticker.file_id, size: sticker.file_size });
+  const text2 = parts.length > 0 ? `(sticker \u2014 ${parts.join(" ")})` : "(sticker)";
+  await handleInboundCoalesced(ctx, text2, undefined, { kind: "sticker", file_id: sticker.file_id, size: sticker.file_size });
 });
 bot.on("message:animation", async (ctx) => {
   const animation = ctx.message.animation;
   const caption = ctx.message.caption;
-  const text = caption ? `(gif) ${caption}` : "(gif)";
-  await handleInboundCoalesced(ctx, text, undefined, {
+  const text2 = caption ? `(gif) ${caption}` : "(gif)";
+  await handleInboundCoalesced(ctx, text2, undefined, {
     kind: "animation",
     file_id: animation.file_id,
     size: animation.file_size,
@@ -66127,10 +66657,10 @@ bot.on("message:contact", async (ctx) => {
     const last = safeName(c.last_name) ?? "";
     const name = [first, last].filter(Boolean).join(" ") || "?";
     const userIdPart = c.user_id != null ? ` user_id=${c.user_id}` : "";
-    const text = `(contact: name="${name}" phone="${phone}"${userIdPart})`;
+    const text2 = `(contact: name="${name}" phone="${phone}"${userIdPart})`;
     process.stderr.write(`telegram gateway: inbound contact from chat=${ctx.chat?.id ?? "?"}
 `);
-    await handleInbound(ctx, text, undefined);
+    await handleInbound(ctx, text2, undefined);
   } catch (err) {
     process.stderr.write(`telegram gateway: contact handler error: ${err.message}
 `);
@@ -66142,10 +66672,10 @@ bot.on("message:location", async (ctx) => {
     const lat = typeof loc.latitude === "number" ? loc.latitude.toFixed(6) : "?";
     const lon = typeof loc.longitude === "number" ? loc.longitude.toFixed(6) : "?";
     const live = loc.live_period != null ? ` live_period=${loc.live_period}s` : "";
-    const text = `(location: lat=${lat} lon=${lon}${live})`;
+    const text2 = `(location: lat=${lat} lon=${lon}${live})`;
     process.stderr.write(`telegram gateway: inbound location from chat=${ctx.chat?.id ?? "?"}
 `);
-    await handleInbound(ctx, text, undefined);
+    await handleInbound(ctx, text2, undefined);
   } catch (err) {
     process.stderr.write(`telegram gateway: location handler error: ${err.message}
 `);
@@ -66158,10 +66688,10 @@ bot.on("message:venue", async (ctx) => {
     const address = safeName(v.address) ?? "?";
     const lat = typeof v.location?.latitude === "number" ? v.location.latitude.toFixed(6) : "?";
     const lon = typeof v.location?.longitude === "number" ? v.location.longitude.toFixed(6) : "?";
-    const text = `(venue: title="${title}" address="${address}" lat=${lat} lon=${lon})`;
+    const text2 = `(venue: title="${title}" address="${address}" lat=${lat} lon=${lon})`;
     process.stderr.write(`telegram gateway: inbound venue from chat=${ctx.chat?.id ?? "?"}
 `);
-    await handleInbound(ctx, text, undefined);
+    await handleInbound(ctx, text2, undefined);
   } catch (err) {
     process.stderr.write(`telegram gateway: venue handler error: ${err.message}
 `);
@@ -66174,10 +66704,10 @@ bot.on("message:poll", async (ctx) => {
     const optsCount = Array.isArray(p.options) ? p.options.length : 0;
     const optsList = Array.isArray(p.options) ? p.options.slice(0, 10).map((o) => safeName(o.text) ?? "?").join(" | ") : "";
     const anon = p.is_anonymous ? " anonymous" : "";
-    const text = `(poll: question="${q}" options=${optsCount}${anon}${optsList ? ` choices=[${optsList}]` : ""})`;
+    const text2 = `(poll: question="${q}" options=${optsCount}${anon}${optsList ? ` choices=[${optsList}]` : ""})`;
     process.stderr.write(`telegram gateway: inbound poll from chat=${ctx.chat?.id ?? "?"}
 `);
-    await handleInbound(ctx, text, undefined);
+    await handleInbound(ctx, text2, undefined);
   } catch (err) {
     process.stderr.write(`telegram gateway: poll handler error: ${err.message}
 `);
@@ -66189,10 +66719,10 @@ bot.on("message:web_app_data", async (ctx) => {
     const raw = typeof w.data === "string" ? w.data : "";
     const data = raw.length > 4096 ? raw.slice(0, 4096) + "\u2026(truncated)" : raw;
     const button = safeName(w.button_text) ?? "?";
-    const text = `(web_app_data: button="${button}" data=${JSON.stringify(data)})`;
+    const text2 = `(web_app_data: button="${button}" data=${JSON.stringify(data)})`;
     process.stderr.write(`telegram gateway: inbound web_app_data from chat=${ctx.chat?.id ?? "?"} button="${button}" bytes=${raw.length}
 `);
-    await handleInbound(ctx, text, undefined);
+    await handleInbound(ctx, text2, undefined);
   } catch (err) {
     process.stderr.write(`telegram gateway: web_app_data handler error: ${err.message}
 `);
@@ -66203,10 +66733,10 @@ bot.on("message:users_shared", async (ctx) => {
     const u = ctx.message.users_shared;
     const users = Array.isArray(u.users) ? u.users : [];
     const ids = users.map((usr) => String(usr.user_id ?? "?")).join(",");
-    const text = `(users_shared: request_id=${u.request_id ?? "?"} user_ids=[${ids}] count=${users.length})`;
+    const text2 = `(users_shared: request_id=${u.request_id ?? "?"} user_ids=[${ids}] count=${users.length})`;
     process.stderr.write(`telegram gateway: inbound users_shared from chat=${ctx.chat?.id ?? "?"} count=${users.length}
 `);
-    await handleInbound(ctx, text, undefined);
+    await handleInbound(ctx, text2, undefined);
   } catch (err) {
     process.stderr.write(`telegram gateway: users_shared handler error: ${err.message}
 `);
@@ -66217,10 +66747,10 @@ bot.on("message:chat_shared", async (ctx) => {
     const c = ctx.message.chat_shared;
     const title = safeName(c.title) ?? "";
     const titlePart = title ? ` title="${title}"` : "";
-    const text = `(chat_shared: request_id=${c.request_id ?? "?"} chat_id=${c.chat_id ?? "?"}${titlePart})`;
+    const text2 = `(chat_shared: request_id=${c.request_id ?? "?"} chat_id=${c.chat_id ?? "?"}${titlePart})`;
     process.stderr.write(`telegram gateway: inbound chat_shared from chat=${ctx.chat?.id ?? "?"} shared_chat_id=${c.chat_id ?? "?"}
 `);
-    await handleInbound(ctx, text, undefined);
+    await handleInbound(ctx, text2, undefined);
   } catch (err) {
     process.stderr.write(`telegram gateway: chat_shared handler error: ${err.message}
 `);
@@ -66401,7 +66931,7 @@ function maybeDispatchReaction(args) {
 `);
     }
   }
-  const { text, meta } = buildReactionDispatchInbound({
+  const { text: text2, meta } = buildReactionDispatchInbound({
     emoji: args.emoji,
     chatId: args.chatId,
     messageId: args.messageId,
@@ -66419,7 +66949,7 @@ function maybeDispatchReaction(args) {
     user: args.user,
     userId: args.userId,
     ts,
-    text,
+    text: text2,
     meta
   };
   const delivered = ipcServer.sendToAgent(agentName3, inbound);
@@ -66439,7 +66969,7 @@ function flushReactionBatch(batch) {
     return;
   }
   const head = batch.reactions[batch.reactions.length - 1];
-  const text = buildReactionInboundText(batch);
+  const text2 = buildReactionInboundText(batch);
   const meta = buildReactionInboundMeta(batch);
   const ts = Date.now();
   const inbound = {
@@ -66450,7 +66980,7 @@ function flushReactionBatch(batch) {
     user: head.user,
     userId: head.userId,
     ts,
-    text,
+    text: text2,
     meta
   };
   const delivered = ipcServer.sendToAgent(agentName3, inbound);
@@ -66675,6 +67205,7 @@ async function shutdown(signal) {
   pendingReauthFlows.clear();
   pendingVaultOps.clear();
   pendingPermissions.clear();
+  permissionTimeoutSignatures.clear();
   try {
     await ipcServer.close();
   } catch (err) {
@@ -66988,6 +67519,21 @@ var didOneTimeSetup = false;
             });
           }, QUOTA_WATCH_POLL_MS).unref();
         }
+        const LINEAR_AUTH_WATCH_POLL_MS = Number(process.env.SWITCHROOM_LINEAR_AUTH_WATCH_POLL_MS ?? 21600000);
+        if (LINEAR_AUTH_WATCH_POLL_MS > 0) {
+          setTimeout(() => {
+            runLinearAuthWatch().catch((err) => {
+              process.stderr.write(`telegram gateway: linear-auth-watch initial run failed: ${err}
+`);
+            });
+          }, 35000);
+          setInterval(() => {
+            runLinearAuthWatch().catch((err) => {
+              process.stderr.write(`telegram gateway: linear-auth-watch scheduled run failed: ${err}
+`);
+            });
+          }, LINEAR_AUTH_WATCH_POLL_MS).unref();
+        }
         const RESTART_WATCHDOG_POLL_MS = Number(process.env.SWITCHROOM_RESTART_WATCHDOG_POLL_MS ?? 30000);
         const watchdogAgentName = process.env.SWITCHROOM_AGENT_NAME;
         const watchdogDockerMode = process.env.SWITCHROOM_RUNTIME === "docker";
@@ -67022,11 +67568,11 @@ var didOneTimeSetup = false;
             const orphanStatusEnabled = isOrphanSubagentStatusEnabled(process.env.SWITCHROOM_ORPHAN_SUBAGENT_STATUS);
             const workerActivityFeed = createWorkerActivityFeed({
               bot: {
-                sendMessage: async (cid, text, sendOpts) => {
-                  const sent = await robustApiCall(() => lockedBot.api.sendMessage(cid, text, sendOpts), { chat_id: cid, verb: "worker-feed" });
+                sendMessage: async (cid, text2, sendOpts) => {
+                  const sent = await robustApiCall(() => lockedBot.api.sendMessage(cid, text2, sendOpts), { chat_id: cid, verb: "worker-feed" });
                   return sent;
                 },
-                editMessageText: (cid, mid, text, editOpts) => robustApiCall(() => lockedBot.api.editMessageText(cid, mid, text, editOpts), { chat_id: cid, verb: "worker-feed" })
+                editMessageText: (cid, mid, text2, editOpts) => robustApiCall(() => lockedBot.api.editMessageText(cid, mid, text2, editOpts), { chat_id: cid, verb: "worker-feed" })
               },
               log: (msg) => process.stderr.write(`telegram gateway: ${msg}
 `)