switchroom 0.5.0

package/telegram-plugin/tests/secret-detect-oauth-code.test.ts

@@ -0,0 +1,308 @@
+/**
+ * Tests for the Anthropic OAuth browser-code detection added in issue #44.
+ *
+ * Channel A — anchored pattern (`anthropic_oauth_code`):
+ *   Positive: two URL-safe base64 segments (≥20 chars each) separated by `#`.
+ *   Negative: ordinary URL fragments, short anchors, markdown link targets.
+ *
+ * Channel B — context rule (`awaitingAuthCodeAt` map in gateway.ts):
+ *   Tested structurally: verify the gateway source wires the map, sets it
+ *   when emitting the "Paste the browser code here" prompt, checks it on
+ *   inbound, and clears it after one message.
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { detectSecrets } from '../secret-detect/index.js'
+import { runPipeline } from '../secret-detect/pipeline.js'
+import { setAuditSink } from '../secret-detect/audit.js'
+import type { VaultWriteFn, VaultListFn } from '../secret-detect/vault-write.js'
+
+// ─── Channel A — pattern unit tests ──────────────────────────────────────────
+
+describe('anthropic_oauth_code pattern — Channel A', () => {
+  it('detects a bare auth code (two long url-safe-b64 segments with #)', () => {
+    // Shape emitted by the claude.com/cai authorize flow
+    const code = 'tle0rmXYZabc123defGHIjkl#00EySjXYZabc123defGHIjklmno'
+    const d = detectSecrets(code)
+    expect(d.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(true)
+    const hit = d.find((h) => h.rule_id === 'anthropic_oauth_code')!
+    expect(hit.confidence).toBe('high')
+    expect(hit.matched_text).toBe(code)
+  })
+
+  it('detects a code embedded in prose (prefixed with "here is the code:")', () => {
+    const code = 'aBcDeFgHiJkLmNoPqRsTuVwX#xYz123456789abcdefghijkl'
+    const text = `here is the browser code: ${code} please use it`
+    const d = detectSecrets(text)
+    expect(d.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(true)
+    const hit = d.find((h) => h.rule_id === 'anthropic_oauth_code')!
+    expect(hit.matched_text).toBe(code)
+  })
+
+  it('does NOT match https:// URL fragments (section anchor)', () => {
+    const text = 'see https://example.com/docs#installation for more'
+    const d = detectSecrets(text)
+    expect(d.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(false)
+  })
+
+  it('does NOT match a short first segment (ordinary markdown anchor)', () => {
+    // "callback" is only 8 chars — below the 20-char minimum
+    const text = 'https://claude.ai/callback#state123456789012345'
+    const d = detectSecrets(text)
+    expect(d.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(false)
+  })
+
+  it('does NOT match a markdown link target like [link](/foo#bar)', () => {
+    // "/foo" is 4 chars — well below minimum; "bar" is 3 chars — also below
+    const text = '[see here](/features#quickstart-guide)'
+    const d = detectSecrets(text)
+    expect(d.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(false)
+  })
+
+  it('does NOT match when either segment is shorter than 20 chars', () => {
+    // First segment: 19 chars (one short)
+    const text = 'aBcDeFgHiJkLmNoPqRs#xYz123456789abcdefghijkl'
+    const d = detectSecrets(text)
+    expect(d.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(false)
+
+    // Second segment: 19 chars
+    const text2 = 'aBcDeFgHiJkLmNoPqRsT#xYz123456789abcde'
+    const d2 = detectSecrets(text2)
+    // "xYz123456789abcde" is 18 chars — below minimum
+    expect(d2.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(false)
+  })
+
+  it('flows through runPipeline and stores the code in the vault', () => {
+    const store = new Map<string, string>()
+    const write: VaultWriteFn = (slug, value) => { store.set(slug, value); return { ok: true, output: 'ok' } }
+    const list: VaultListFn = () => ({ ok: true, keys: [...store.keys()] })
+
+    const code = 'tle0rmXYZabc123defGHIjkl#00EySjXYZabc123defGHIjklmno'
+    const res = runPipeline({
+      chat_id: 'test-chat',
+      message_id: 1,
+      text: code,
+      passphrase: 'pw',
+      vaultWrite: write,
+      vaultList: list,
+    })
+
+    expect(res.stored).toHaveLength(1)
+    expect(res.stored[0]!.detection.rule_id).toBe('anthropic_oauth_code')
+    expect(res.rewritten_text).not.toContain(code)
+    expect(res.rewritten_text).toContain('[secret stored as vault:')
+    expect([...store.values()]).toContain(code)
+  })
+})
+
+// ─── Channel B — context rule structural tests ────────────────────────────────
+
+describe('auth-flow context rule — Channel B (structural wiring in gateway.ts)', () => {
+  const src = readFileSync(
+    new URL('../gateway/gateway.ts', import.meta.url),
+    'utf8',
+  )
+
+  it('declares awaitingAuthCodeAt map and AUTH_CODE_CONTEXT_TTL_MS constant', () => {
+    expect(src).toMatch(/const awaitingAuthCodeAt = new Map<string, number>/)
+    expect(src).toMatch(/AUTH_CODE_CONTEXT_TTL_MS\s*=\s*5\s*\*\s*60_000/)
+  })
+
+  it('sets awaitingAuthCodeAt near the "Paste the browser code here" prompt (before or after)', () => {
+    // awaitingAuthCodeAt.set is armed before the ForceReply attempt so that a
+    // switchroomReply throw doesn't leave Channel B unarmed. Verify it lives
+    // within 500 chars of the prompt string in either direction.
+    const promptIdx = src.indexOf("'📋 Paste the browser code here ↓'")
+    expect(promptIdx).toBeGreaterThan(0)
+    const start = Math.max(0, promptIdx - 500)
+    const window = src.slice(start, promptIdx + 500)
+    expect(window).toMatch(/awaitingAuthCodeAt\.set\(/)
+  })
+
+  it('clears awaitingAuthCodeAt (delete) in the inbound handler when the flag is active', () => {
+    // The inbound handler must call delete after reading the flag
+    expect(src).toMatch(/awaitingAuthCodeAt\.delete\(chat_id\)/)
+  })
+
+  it('checks isAuthFlowContext in the secret-detect block (passphrase path)', () => {
+    const pipelineIdx = src.indexOf('runPipeline({')
+    expect(pipelineIdx).toBeGreaterThan(0)
+    // After the pipeline call, isAuthFlowContext must gate the fallback branch
+    const tail = src.slice(pipelineIdx, pipelineIdx + 2000)
+    expect(tail).toMatch(/isAuthFlowContext/)
+  })
+
+  it('checks isAuthFlowContext in the no-passphrase path (deferred branch)', () => {
+    // The no-passphrase branch must also check isAuthFlowContext so a context
+    // hit is deferred even without a cached passphrase. (Window widened in
+    // #44's PR — the comment block above the branch grew when the legacy
+    // "/vault list + re-paste" UX got replaced with the inline-button
+    // flow; the structural invariant we're pinning is unchanged.)
+    const noPpIdx = src.indexOf('No passphrase cached — detect, but defer')
+    expect(noPpIdx).toBeGreaterThan(0)
+    const window = src.slice(noPpIdx, noPpIdx + 1200)
+    expect(window).toMatch(/isAuthFlowContext/)
+  })
+
+  it('reaps awaitingAuthCodeAt in the TTL reaper alongside other pending-state maps', () => {
+    // The pendingStateReaper interval must sweep expired auth-code-context entries
+    const reaperIdx = src.indexOf('pendingStateReaper = setInterval')
+    expect(reaperIdx).toBeGreaterThan(0)
+    const reaperBlock = src.slice(reaperIdx, reaperIdx + 800)
+    expect(reaperBlock).toMatch(/awaitingAuthCodeAt/)
+    expect(reaperBlock).toMatch(/AUTH_CODE_CONTEXT_TTL_MS/)
+  })
+
+  it('auth-flow context rule sits BEFORE recordInbound() and broadcast()', () => {
+    const contextIdx = src.indexOf('isAuthFlowContext')
+    const recordIdx = src.indexOf('recordInbound(', contextIdx)
+    const broadcastIdx = src.indexOf('ipcServer.broadcast(inboundMsg)', contextIdx)
+    expect(contextIdx).toBeGreaterThan(0)
+    expect(recordIdx).toBeGreaterThan(contextIdx)
+    expect(broadcastIdx).toBeGreaterThan(contextIdx)
+  })
+})
+
+// ─── New tests for reviewer-requested coverage ────────────────────────────────
+
+// Test 1: Negative URL test — Channel A regex must NOT match real URLs with
+// long path segments + long fragment anchors (Blocker 2 regression test).
+describe('anthropic_oauth_code pattern — URL false-positive regression', () => {
+  it('does NOT match a URL with long path segment and long fragment (inline in sentence)', () => {
+    const text = 'see https://docs.com/getting-started-tutorial#installation-and-setup-guide for details'
+    const d = detectSecrets(text)
+    expect(d.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(false)
+  })
+
+  it('does NOT match a markdown link with long path + long anchor', () => {
+    const text = '[docs](https://docs.com/getting-started-tutorial#installation-and-setup-guide)'
+    const d = detectSecrets(text)
+    expect(d.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(false)
+  })
+
+  it('does NOT match a GitHub permalink URL (long path + long heading anchor)', () => {
+    const text = 'See https://github.com/owner/repo/blob/main/README.md#installation-and-setup-guide for info.'
+    const d = detectSecrets(text)
+    expect(d.some((h) => h.rule_id === 'anthropic_oauth_code')).toBe(false)
+  })
+})
+
+// Test 2: Blocker 1 sequencing — structural check that deleteMessage is called
+// inside the pendingReauthFlows intercept path, before setMessageReaction.
+describe('pendingReauthFlows intercept — deleteMessage sequencing (Blocker 1)', () => {
+  const src = readFileSync(
+    new URL('../gateway/gateway.ts', import.meta.url),
+    'utf8',
+  )
+
+  it('redacts the OAuth code message inside the pendingReauthFlows intercept', () => {
+    // Locate the pendingReauthFlows intercept block. Was previously
+    // checked by greppinng for `bot.api.deleteMessage(...)` and
+    // `setMessageReaction(...)` literals, but #488 consolidated all 6
+    // auth-code paste paths through `redactAuthCodeMessage`. The pin
+    // is now: the intercept block must call the helper.
+    const interceptIdx = src.indexOf('// Auth-code intercept')
+    expect(interceptIdx).toBeGreaterThan(0)
+
+    // Find the end of this intercept block — the next blank line after
+    // the redaction call. Bounds the window so we don't accidentally
+    // match a downstream auth-code path's redaction.
+    const window = src.slice(interceptIdx, interceptIdx + 2000)
+    // Allow the optional 4th `log` argument added in #561 (diagnostic
+    // sink for redaction failures) — required is the first three args.
+    // `bot.api` may be cast (e.g. `bot.api as never`) for the local
+    // BotApi-vs-grammy-Api type mismatch cleanup in #623; `msgId` may
+    // be narrowed (`msgId ?? null`).
+    expect(window).toMatch(/redactAuthCodeMessage\(bot\.api(?:\s+as\s+\w+)?,\s*chat_id,\s*msgId(?:\s*\?\?\s*null)?(?:,\s*[^)]+)?\)/)
+  })
+
+  it('redaction lands AFTER the success/error reply renders', () => {
+    // Sequencing pin: the user-visible reply (success or error) must
+    // be queued before the redaction so the user sees the auth result
+    // even if their original message disappears mid-render. Same
+    // ordering the helper preserves — fire-and-forget redaction
+    // happens after `await switchroomReply(...)`.
+    const interceptIdx = src.indexOf('// Auth-code intercept')
+    const window = src.slice(interceptIdx, interceptIdx + 2000)
+    const replyIdx = window.indexOf('switchroomReply(ctx,')
+    const redactIdx = window.indexOf('redactAuthCodeMessage(')
+    expect(replyIdx).toBeGreaterThan(0)
+    expect(redactIdx).toBeGreaterThan(0)
+    expect(replyIdx).toBeLessThan(redactIdx)
+  })
+})
+
+// Test 3: Flag consumption — awaitingAuthCodeAt is NOT cleared on a non-detection
+// inbound (a stray "ok" within the 5-min window should not disarm Channel B).
+describe('awaitingAuthCodeAt flag — consumption only on actual detection', () => {
+  const src = readFileSync(
+    new URL('../gateway/gateway.ts', import.meta.url),
+    'utf8',
+  )
+
+  it('delete(chat_id) does NOT appear at the top of the isAuthFlowContext block (no early consume)', () => {
+    // The old bug: delete fired unconditionally inside `if (isAuthFlowContext)`.
+    // After the fix, there must be no `awaitingAuthCodeAt.delete` within
+    // the isAuthFlowContext guard block itself — only in the downstream branches.
+    const contextIdx = src.indexOf('const isAuthFlowContext =')
+    expect(contextIdx).toBeGreaterThan(0)
+    // Grab the isAuthFlowContext if-block (ends at the next blank line after the log line)
+    const logLineEnd = src.indexOf('\n', src.indexOf('[secret-detect] auth-flow context rule active', contextIdx))
+    const guardBlock = src.slice(contextIdx, logLineEnd + 5)
+    // Must NOT contain a delete call in the guard itself
+    expect(guardBlock).not.toMatch(/awaitingAuthCodeAt\.delete/)
+  })
+
+  it('awaitingAuthCodeAt.delete appears inside the Channel B fallback branch (pipeRes.stored === 0)', () => {
+    // Verify the consume is co-located with the actual auth-flow handling
+    const fallbackIdx = src.indexOf('Channel B fallback: pattern didn\'t fire')
+    expect(fallbackIdx).toBeGreaterThan(0)
+    // Within 400 chars after the comment, delete must appear
+    const window = src.slice(fallbackIdx, fallbackIdx + 400)
+    expect(window).toMatch(/awaitingAuthCodeAt\.delete\(chat_id\)/)
+  })
+
+  it('awaitingAuthCodeAt.delete appears inside the no-passphrase hasHigh branch', () => {
+    const noPpIdx = src.indexOf('No passphrase cached — detect, but defer')
+    expect(noPpIdx).toBeGreaterThan(0)
+    // Window widened — see the matching note on the
+    // "checks isAuthFlowContext in the no-passphrase path" test.
+    const window = src.slice(noPpIdx, noPpIdx + 1200)
+    // Conditional consume: only fires if isAuthFlowContext
+    expect(window).toMatch(/if \(isAuthFlowContext\)/)
+    expect(window).toMatch(/awaitingAuthCodeAt\.delete\(chat_id\)/)
+  })
+})
+
+// Test 4: Armer-outside-catch — awaitingAuthCodeAt.set is before the try block,
+// so if switchroomReply throws, Channel B is still armed.
+describe('awaitingAuthCodeAt.set — arming is unconditional (outside catch)', () => {
+  const src = readFileSync(
+    new URL('../gateway/gateway.ts', import.meta.url),
+    'utf8',
+  )
+
+  it('awaitingAuthCodeAt.set appears BEFORE switchroomReply inside the formatted.url block', () => {
+    const urlBlockIdx = src.indexOf('if (formatted.url)')
+    expect(urlBlockIdx).toBeGreaterThan(0)
+    const urlBlock = src.slice(urlBlockIdx, urlBlockIdx + 800)
+    const setIdx = urlBlock.indexOf('awaitingAuthCodeAt.set(')
+    const replyIdx = urlBlock.indexOf("'📋 Paste the browser code here ↓'")
+    expect(setIdx).toBeGreaterThan(0)
+    expect(replyIdx).toBeGreaterThan(0)
+    // The .set must come BEFORE the ForceReply switchroomReply call
+    expect(setIdx).toBeLessThan(replyIdx)
+  })
+
+  it('awaitingAuthCodeAt.set is NOT inside the inner try block', () => {
+    // The inner try starts with "await switchroomReply(ctx, '📋 Paste..."
+    // The .set should appear before that try keyword in the formatted.url block
+    const urlBlockIdx = src.indexOf('if (formatted.url)')
+    const urlBlock = src.slice(urlBlockIdx, urlBlockIdx + 800)
+    const setIdx = urlBlock.indexOf('awaitingAuthCodeAt.set(')
+    // Find the try block that wraps the ForceReply call
+    const innerTryIdx = urlBlock.indexOf('try {', setIdx)
+    // The inner try (ForceReply try block) must come AFTER the .set call
+    expect(innerTryIdx).toBeGreaterThan(setIdx)
+  })
+})

package/telegram-plugin/tests/secret-detect-pipeline.test.ts

@@ -0,0 +1,123 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { runPipeline } from '../secret-detect/pipeline.js'
+import { setAuditSink } from '../secret-detect/audit.js'
+import type { VaultWriteFn, VaultListFn } from '../secret-detect/vault-write.js'
+
+function mkFakeVault(): {
+  write: VaultWriteFn
+  list: VaultListFn
+  store: Map<string, string>
+} {
+  const store = new Map<string, string>()
+  const write: VaultWriteFn = (slug, value) => {
+    store.set(slug, value)
+    return { ok: true, output: 'ok' }
+  }
+  const list: VaultListFn = () => ({ ok: true, keys: [...store.keys()] })
+  return { write, list, store }
+}
+
+describe('pipeline.runPipeline', () => {
+  const captured: string[] = []
+  beforeEach(() => {
+    captured.length = 0
+    setAuditSink((line) => captured.push(line))
+  })
+  afterEach(() => setAuditSink(null))
+
+  it('stores a high-confidence hit and rewrites the prompt', () => {
+    const { write, list, store } = mkFakeVault()
+    const text = 'hey here is my key: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22 thanks'
+    const res = runPipeline({
+      chat_id: '-100',
+      message_id: 5,
+      text,
+      passphrase: 'pw',
+      vaultWrite: write,
+      vaultList: list,
+    })
+    expect(res.stored).toHaveLength(1)
+    expect(res.rewritten_text).toContain('[secret stored as vault:')
+    expect(res.rewritten_text).not.toContain('sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22')
+    // The raw secret made it to the vault under the generated slug.
+    expect([...store.values()]).toContain('sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22')
+    // Audit emitted once with action=stored.
+    const storedLogs = captured.filter((l) => l.includes('"action":"stored"'))
+    expect(storedLogs).toHaveLength(1)
+    // Raw value never in logs.
+    expect(captured.some((l) => l.includes('Apq13yqRnPzx4MxK0TfAbY98Qw22'))).toBe(false)
+  })
+
+  it('stages ambiguous hits without writing to the vault', () => {
+    const { write, list, store } = mkFakeVault()
+    const text = 'my_password=B4k9NzQ1mT5vR8wP2xY7jH3fL6cD0sA'
+    const res = runPipeline({
+      chat_id: '-100',
+      message_id: 6,
+      text,
+      passphrase: 'pw',
+      vaultWrite: write,
+      vaultList: list,
+    })
+    expect(res.stored).toHaveLength(0)
+    expect(res.ambiguous.length).toBeGreaterThan(0)
+    // Nothing stored.
+    expect(store.size).toBe(0)
+    // Text unchanged.
+    expect(res.rewritten_text).toBe(text)
+    // Audit action=ambiguous.
+    expect(captured.some((l) => l.includes('"action":"ambiguous"'))).toBe(true)
+  })
+
+  it('treats suppressed high-confidence hits as ambiguous', () => {
+    const { write, list, store } = mkFakeVault()
+    const text = 'test sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22'
+    const res = runPipeline({
+      chat_id: 'c',
+      message_id: 1,
+      text,
+      passphrase: 'pw',
+      vaultWrite: write,
+      vaultList: list,
+    })
+    expect(res.stored).toHaveLength(0)
+    expect(res.ambiguous.length).toBeGreaterThan(0)
+    expect(store.size).toBe(0)
+  })
+
+  it('avoids slug collisions when writing multiple hits', () => {
+    const { write, list, store } = mkFakeVault()
+    store.set('anthropic_api_key_20260423', 'preexisting')
+    const text =
+      'first: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22 second: sk-ant-BqZ13yqRnPzx4MxK0TfAbY98Qw22'
+    const res = runPipeline({
+      chat_id: 'c',
+      message_id: 2,
+      text,
+      passphrase: 'pw',
+      vaultWrite: write,
+      vaultList: list,
+    })
+    expect(res.stored).toHaveLength(2)
+    const slugs = res.stored.map((s) => s.actual_slug)
+    // All unique and none collide with the preexisting key.
+    expect(new Set(slugs).size).toBe(slugs.length)
+    expect(slugs).not.toContain('anthropic_api_key_20260423')
+  })
+
+  it('reports failures without crashing', () => {
+    const failingWrite: VaultWriteFn = () => ({ ok: false, output: 'vault busy' })
+    const list: VaultListFn = () => ({ ok: true, keys: [] })
+    const res = runPipeline({
+      chat_id: 'c',
+      message_id: 3,
+      text: 'key is sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
+      passphrase: 'pw',
+      vaultWrite: failingWrite,
+      vaultList: list,
+    })
+    expect(res.stored).toHaveLength(0)
+    expect(res.failed).toHaveLength(1)
+    expect(captured.some((l) => l.includes('"action":"failed"'))).toBe(true)
+  })
+})

package/telegram-plugin/tests/secret-detect-secretlint.test.ts

@@ -0,0 +1,101 @@
+import { describe, it, expect } from 'vitest'
+import {
+  detectViaSecretlint,
+  detectSecretsAsync,
+} from '../secret-detect/index.js'
+
+// All three fixtures are assembled at runtime so the source file never
+// contains a contiguous token pattern. Matches the corresponding
+// secretlint regex when evaluated; evades GitHub Push Protection's
+// static-text scan. See CLAUDE.md "Secrets in tests".
+const SLACK_FIXTURE = ['xoxb', '0000000000', '0000000000000', 'FIXTURE0NOTAREALTOKEN000'].join('-')
+const GITHUB_FIXTURE = 'ghp' + '_' + '16C7e42F292c6912E7710c838347Ae178B4a'
+const NPM_FIXTURE = 'npm' + '_' + 'AbCdEfGhIjKlMnOpQrStUvWxYz0123456789'
+
+describe('secretlint-source.detectViaSecretlint', () => {
+  it('catches a realistic-looking Slack bot token', async () => {
+    const text = 'Slack: ' + SLACK_FIXTURE
+    const hits = await detectViaSecretlint(text)
+    expect(hits.length).toBeGreaterThan(0)
+    const slack = hits.find((h) => h.rule_id.includes('slack'))
+    expect(slack).toBeDefined()
+    expect(slack!.confidence).toBe('high')
+    expect(slack!.suppressed).toBe(false)
+    // rule_id normalized from @secretlint/secretlint-rule-slack → secretlint_slack
+    expect(slack!.rule_id).toMatch(/^secretlint_/)
+    expect(slack!.rule_id).toContain('slack')
+    // Matched text should be the actual token bytes.
+    expect(slack!.matched_text.startsWith('xoxb-')).toBe(true)
+    // Slug derived from rule_id + date (rule_id fallback path).
+    expect(slack!.suggested_slug).toMatch(/^secretlint_slack_\d{8}/)
+  })
+
+  it('catches a GitHub personal access token', async () => {
+    const text = 'token=' + GITHUB_FIXTURE + ' rest of message'
+    const hits = await detectViaSecretlint(text)
+    const gh = hits.find((h) => h.rule_id.includes('github'))
+    expect(gh).toBeDefined()
+    expect(gh!.confidence).toBe('high')
+    expect(gh!.matched_text.startsWith('ghp_')).toBe(true)
+    expect(gh!.rule_id).toContain('github')
+  })
+
+  it('catches an NPM access token', async () => {
+    const text = 'NPM_TOKEN=' + NPM_FIXTURE
+    const hits = await detectViaSecretlint(text)
+    const npm = hits.find((h) => h.rule_id.includes('npm'))
+    expect(npm).toBeDefined()
+    expect(npm!.confidence).toBe('high')
+    expect(npm!.matched_text.startsWith('npm_')).toBe(true)
+  })
+
+  it('returns empty for empty input', async () => {
+    expect(await detectViaSecretlint('')).toEqual([])
+  })
+
+  it('returns empty for text with no secrets', async () => {
+    expect(await detectViaSecretlint('hello how are you today')).toEqual([])
+  })
+
+  it('marks nearby test/mock markers as suppressed', async () => {
+    const text = 'test example: ' + SLACK_FIXTURE
+    const hits = await detectViaSecretlint(text)
+    const slack = hits.find((h) => h.rule_id.includes('slack'))
+    expect(slack).toBeDefined()
+    expect(slack!.suppressed).toBe(true)
+  })
+})
+
+describe('detectSecretsAsync merge', () => {
+  it('merges Secretlint hits with vendored pattern hits, deduped by range', async () => {
+    // Slack token that matches both the vendored anchored pattern AND Secretlint.
+    const text = 'a ' + SLACK_FIXTURE + ' end'
+    const hits = await detectSecretsAsync(text)
+    // One entry for the Slack token — not two. Vendored wins on ties.
+    const slackHits = hits.filter(
+      (h) => h.matched_text.startsWith('xoxb-'),
+    )
+    expect(slackHits).toHaveLength(1)
+    // Vendored rule id wins on exact-range ties (listed first in merge).
+    expect(slackHits[0]!.rule_id).toBe('slack_token')
+  })
+
+  it('adds Secretlint-only hits for providers the vendored list misses', async () => {
+    // Shopify is covered by Secretlint preset-recommend but not by our
+    // vendored ANCHORED_PATTERNS.
+    const text = 'SHOPIFY=shpss_1234567890abcdef1234567890abcdef and go'
+    const hits = await detectSecretsAsync(text)
+    const shopify = hits.find((h) => h.matched_text.startsWith('shpss_'))
+    expect(shopify).toBeDefined()
+    expect(shopify!.rule_id).toMatch(/secretlint_shopify/)
+  })
+
+  it('produces unique slugs across the merged detection list', async () => {
+    const text =
+      'tok1=' + GITHUB_FIXTURE +
+      ' and tok2=' + SLACK_FIXTURE
+    const hits = await detectSecretsAsync(text)
+    const slugs = hits.map((h) => h.suggested_slug)
+    expect(new Set(slugs).size).toBe(slugs.length)
+  })
+})

package/telegram-plugin/tests/secret-detect-staging.test.ts

@@ -0,0 +1,45 @@
+import { describe, it, expect } from 'vitest'
+import { StagingMap } from '../secret-detect/staging.js'
+import type { Detection } from '../secret-detect/index.js'
+
+function mkDetection(slug = 'FOO'): Detection {
+  return {
+    rule_id: 'kv_entropy',
+    matched_text: 'abc',
+    start: 0,
+    end: 3,
+    confidence: 'ambiguous',
+    suppressed: false,
+    suggested_slug: slug,
+  }
+}
+
+describe('StagingMap', () => {
+  it('round-trips a set/get', () => {
+    const map = new StagingMap(5_000)
+    map.set({ chat_id: 'c', message_id: 1, detection: mkDetection(), staged_at: Date.now() })
+    const found = map.get('c', 1)
+    expect(found).toBeDefined()
+    expect(found!.detection.suggested_slug).toBe('FOO')
+  })
+  it('expires entries past the TTL', () => {
+    const map = new StagingMap(10)
+    map.set({ chat_id: 'c', message_id: 1, detection: mkDetection(), staged_at: Date.now() - 1_000 })
+    expect(map.get('c', 1)).toBeUndefined()
+  })
+  it('latestForChat returns the newest non-expired entry', () => {
+    const map = new StagingMap(60_000)
+    const now = Date.now()
+    map.set({ chat_id: 'c', message_id: 1, detection: mkDetection('A'), staged_at: now - 3000 })
+    map.set({ chat_id: 'c', message_id: 2, detection: mkDetection('B'), staged_at: now - 2000 })
+    map.set({ chat_id: 'c', message_id: 3, detection: mkDetection('C'), staged_at: now - 1000 })
+    const latest = map.latestForChat('c')
+    expect(latest?.detection.suggested_slug).toBe('C')
+  })
+  it('delete removes the entry', () => {
+    const map = new StagingMap(5_000)
+    map.set({ chat_id: 'c', message_id: 1, detection: mkDetection(), staged_at: Date.now() })
+    expect(map.delete('c', 1)).toBe(true)
+    expect(map.get('c', 1)).toBeUndefined()
+  })
+})

package/telegram-plugin/tests/secret-detect-suppressor-no-silent-allow.test.ts

@@ -0,0 +1,67 @@
+import { describe, it, expect } from 'vitest'
+import { detectSecrets } from '../secret-detect/index.js'
+import { runPipeline } from '../secret-detect/pipeline.js'
+import type { VaultWriteFn, VaultListFn } from '../secret-detect/vault-write.js'
+
+/**
+ * Regression: a suppressor hit (test/mock/example/dummy/fixture nearby)
+ * must NEVER silent-allow a structured-pattern match. The asymmetric
+ * risk model is: a false-negative leaks a real credential into the
+ * agent's session log, a false-positive just briefly redacts a fake
+ * one and the user can `ignore` / `forget` to dismiss.
+ *
+ * The contract:
+ *   1. detectSecrets() returns the detection with `suppressed: true`,
+ *      not an empty list.
+ *   2. runPipeline() routes suppressed-high hits into the `ambiguous`
+ *      bucket (NOT `stored`, NOT silently dropped).
+ *
+ * Both layers are exercised here so future refactors can't regress
+ * this without breaking a test.
+ */
+describe('suppressor: never silent-allows on structured matches', () => {
+  const phrasings = [
+    'this is a test, here is sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
+    'mock token: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
+    'example: sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
+    'dummy sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
+    'fixture sk-ant-Apq13yqRnPzx4MxK0TfAbY98Qw22',
+  ]
+
+  for (const text of phrasings) {
+    it(`detectSecrets surfaces suppressed=true for: ${text.slice(0, 32)}…`, () => {
+      const detections = detectSecrets(text)
+      expect(detections.length).toBeGreaterThan(0)
+      const hit = detections.find((d) => d.rule_id === 'anthropic_api_key')
+      expect(hit).toBeDefined()
+      expect(hit!.suppressed).toBe(true)
+      // confidence is still 'high' — suppressed is the orthogonal flag
+      // that downgrades it into the ambiguous tier.
+      expect(hit!.confidence).toBe('high')
+    })
+
+    it(`runPipeline routes the suppressed hit to ambiguous (not stored, not dropped) for: ${text.slice(0, 32)}…`, () => {
+      const store = new Map<string, string>()
+      const write: VaultWriteFn = (slug, value) => {
+        store.set(slug, value)
+        return { ok: true, output: 'ok' }
+      }
+      const list: VaultListFn = () => ({ ok: true, keys: [...store.keys()] })
+      const res = runPipeline({
+        chat_id: 'c',
+        message_id: 1,
+        text,
+        passphrase: 'pw',
+        vaultWrite: write,
+        vaultList: list,
+      })
+      // Critical: suppressed hit must NOT silent-pass.
+      expect(res.ambiguous.length).toBeGreaterThan(0)
+      // Critical: suppressed hit must NOT auto-store.
+      expect(res.stored).toHaveLength(0)
+      expect(store.size).toBe(0)
+      // Text unchanged — the user gets to decide.
+      expect(res.rewritten_text).toBe(text)
+    })
+  }
+})