switchroom 0.7.15 → 0.10.0

package/telegram-plugin/secret-detect/vault-error.test.ts

@@ -62,17 +62,57 @@ describe("parseVaultCliError", () => {
 });
 
 describe("renderVaultCliError", () => {
-  it("renders sandbox_context with a host-CLI suggestion", () => {
+  // 2026-05-12: renderer copy migrated from host-CLI suggestions to
+  // Telegram-native next-step actions (vault_request_save, /vault
+  // audit, /vault broker status). Tests below assert the new copy.
+  // The pre-fix pins are documented in
+  // tests/jtbd-talk-from-anywhere.test.ts as the closed punch-list
+  // items.
+  it("renders sandbox_context for verb=set with the vault_request_save tool, surfacing the affected key", () => {
     const out = renderVaultCliError(
       { kind: "sandbox_context", original: "x" },
       { verb: "set", key: "my_key" },
     );
     expect(out.suppressRaw).toBe(true);
-    expect(out.html).toContain("must run on the host");
-    expect(out.html).toContain("switchroom vault set my_key");
+    expect(out.html).toMatch(/vault_request_save/);
+    expect(out.html).not.toMatch(/Open a host shell/);
+    // Reviewer-flagged on #1037: pre-fix test asserted the key
+    // appeared in output (so the operator knew which key triggered
+    // the card). New copy keeps the key in <code>…</code> form via
+    // htmlEscape — assert it.
+    expect(out.html).toContain("<code>my_key</code>");
   });
 
-  it("renders needs_approval with the affected key + host hint + P1a teaser", () => {
+  it("renders sandbox_context for verb=set WITHOUT a key (defensive fallback)", () => {
+    // The gateway sometimes doesn't have the key in hand (e.g. when
+    // the agent's stderr was opaque). Renderer should still produce
+    // useful output, not crash or render an empty <code></code>.
+    const out = renderVaultCliError(
+      { kind: "sandbox_context", original: "x" },
+      { verb: "set" },
+    );
+    expect(out.html).toMatch(/vault_request_save/);
+    expect(out.html).not.toContain("<code></code>");
+  });
+
+  it("renders sandbox_context for verb=get with /vault get", () => {
+    const out = renderVaultCliError(
+      { kind: "sandbox_context", original: "x" },
+      { verb: "get", key: "my_key" },
+    );
+    expect(out.html).toMatch(/\/vault get/);
+    expect(out.html).toMatch(/my_key/);
+  });
+
+  it("renders sandbox_context for verb=init with the one-time-host-shell note", () => {
+    const out = renderVaultCliError(
+      { kind: "sandbox_context", original: "x" },
+      { verb: "init" },
+    );
+    expect(out.html).toMatch(/one-time host-shell|switchroom vault init/);
+  });
+
+  it("renders needs_approval naming the live vault_request_save tool (not a 'on the way' stub)", () => {
     const out = renderVaultCliError(
       { kind: "needs_approval", original: "x", key: "telegram_bot_token" },
       { verb: "save" },
@@ -80,35 +120,47 @@ describe("renderVaultCliError", () => {
     expect(out.suppressRaw).toBe(true);
     expect(out.html).toContain("operator approval required");
     expect(out.html).toContain("<code>telegram_bot_token</code>");
-    expect(out.html).toContain("switchroom vault set telegram_bot_token");
-    expect(out.html).toContain("P1a"); // forward-pointer to the upcoming flow
+    expect(out.html).toMatch(/vault_request_save/);
+    expect(out.html).not.toMatch(/on the way/i);
   });
 
-  it("renders broker_unreachable with the status command", () => {
+  it("renders broker_unreachable as an honest 'tracked follow-up' instead of a false in-chat promise", () => {
+    // Pre-fix (rejected by #1037 reviewer): renderer pointed at
+    // `/vault broker status` / `/vault broker restart` — neither
+    // command is registered in the gateway dispatcher. Telling the
+    // operator to type unregistered commands is worse than the
+    // host-CLI punt it was meant to replace.
+    //
+    // Post-fix: renderer names the in-Telegram follow-up as
+    // tracked + unbuilt, and points at the host CLI for now.
+    // Honest about the gap until /vault broker {status,restart}
+    // actually ships.
     const out = renderVaultCliError(
       { kind: "broker_unreachable", original: "x" },
       { verb: "set" },
     );
     expect(out.suppressRaw).toBe(true);
     expect(out.html).toContain("broker isn't reachable");
-    expect(out.html).toContain("switchroom vault broker status");
+    expect(out.html).toMatch(/tracked as a follow-up/i);
+    expect(out.html).toMatch(/switchroom vault broker status/);
   });
 
-  it("renders broker_denied with a grant command + key", () => {
+  it("renders broker_denied pointing at /vault audit one-tap allow + vault_request_access", () => {
     const out = renderVaultCliError(
       { kind: "broker_denied", original: "x", key: "shared_token" },
       { verb: "set" },
     );
     expect(out.suppressRaw).toBe(true);
     expect(out.html).toContain("refused the request");
-    expect(out.html).toContain("switchroom vault grant");
+    expect(out.html).toMatch(/\/vault audit/);
+    expect(out.html).toMatch(/vault_request_access/);
     expect(out.html).toContain("shared_token");
   });
 
-  it("prefers verbHint.key over parser-extracted key (verbHint wins for host suggestion)", () => {
+  it("prefers verbHint.key over parser-extracted key (verbHint wins for in-Telegram next-step)", () => {
     // The gateway always knows the key the user asked for; rendering
     // must use that over any heuristic extraction so a parser glitch
-    // can't surface the wrong key in the host command suggestion.
+    // can't surface the wrong key in the in-chat next-step suggestion.
     const out = renderVaultCliError(
       { kind: "broker_denied", original: "x", key: "parser-extracted" },
       { verb: "set", key: "gateway-supplied" },

package/telegram-plugin/secret-detect/vault-error.ts

@@ -154,15 +154,22 @@ export function renderVaultCliError(
   const key = verbHint.key ?? err.key;
   switch (err.kind) {
     case "sandbox_context":
+      // The agent tried direct vault file IO from inside the sandbox.
+      // Route the operator at the Telegram-native equivalent for the
+      // verb in flight — only `init` needs a one-time host shell.
+      // Closes the "leave Telegram for a verb that exists in Telegram"
+      // anti-pattern from reference/talk-to-agents-from-anywhere.md.
       return {
         suppressRaw: true,
         html:
-          `⚠️ <b>This action must run on the host.</b>\n` +
-          `The vault file isn't mounted inside the agent sandbox; only ` +
-          `the broker socket is. Open a host shell and run:\n` +
-          `<pre>switchroom vault ${verbHint.verb}${key ? ` ${htmlEscape(key)}` : ""}</pre>`,
+          renderSandboxContextSuggestion(verbHint.verb, key),
       };
     case "needs_approval":
+      // Agent tried to save a new key. The `vault_request_save` MCP
+      // tool shipped in #969 P1a renders an approval card in
+      // operator chat — no host shell, no re-paste. Telling the
+      // operator to "run switchroom vault set on the host" punts
+      // them to the desktop for a feature that exists in Telegram.
       return {
         suppressRaw: true,
         html:
@@ -172,20 +179,34 @@ export function renderVaultCliError(
             : `The agent tried to save a new key, but `) +
           `agents can only rotate existing keys via the broker; introducing ` +
           `a new key needs an operator action.\n\n` +
-          `For now, run on a host shell:\n` +
-          `<pre>switchroom vault set${key ? ` ${htmlEscape(key)}` : " &lt;key&gt;"}</pre>\n` +
-          `<i>A one-tap approval card is on the way (#969 P1a).</i>`,
+          `<b>Ask the agent</b> to call its <code>vault_request_save</code> ` +
+          `tool — it'll render an approval card in this chat with ` +
+          `[✅ Save once] [🚫 Discard] [✏️ Rename] buttons. One tap saves the ` +
+          `secret to the vault; no re-paste needed.`,
       };
     case "broker_unreachable":
+      // No Telegram-native broker control plane exists yet —
+      // `/vault broker status` and `/vault broker restart` are on
+      // the JTBD punch list but not built (the broker socket lives
+      // outside the agent container; the gateway would need a
+      // host-side daemon to drive it). Be honest about that gap
+      // rather than promising commands that don't dispatch.
       return {
         suppressRaw: true,
         html:
           `⚠️ <b>Vault broker isn't reachable.</b>\n` +
           `From inside the agent sandbox there's no fallback path. ` +
-          `Operator can check on the host:\n` +
-          `<pre>switchroom vault broker status</pre>`,
+          `Telegram-native broker recovery is tracked as a follow-up — ` +
+          `for now, on the host:\n` +
+          `<pre>switchroom vault broker status</pre>\n` +
+          `<i>Or, if the broker is wedged: <code>docker compose -p switchroom restart vault-broker</code>.</i>`,
       };
     case "broker_denied":
+      // Telegram-native grant flow shipped in #969 P2b + #1012:
+      //   - operator runs `/vault audit <agent>`, taps [🔓 Allow <key>]
+      //     for a recent denial — one tap, no shell.
+      //   - OR the agent itself calls `vault_request_access` and the
+      //     approval card with [✅ Approve] / [🚫 Deny] lands here.
       return {
         suppressRaw: true,
         html:
@@ -193,10 +214,56 @@ export function renderVaultCliError(
           (key
             ? `The agent isn't authorized to access <code>${htmlEscape(key)}</code>. `
             : `The agent isn't authorized to access this key. `) +
-          `Operator can grant access from a host shell:\n` +
-          `<pre>switchroom vault grant &lt;agent&gt; --keys ${key ? htmlEscape(key) : "&lt;key&gt;"}</pre>`,
+          `Grant access in two taps:\n` +
+          `• <code>/vault audit &lt;agent&gt;</code> in this chat → tap ` +
+          `[🔓 Allow${key ? ` ${htmlEscape(key)}` : ""}] on the recent denial, OR\n` +
+          `• ask the agent to call <code>vault_request_access</code> — ` +
+          `an approval card lands here with [✅ Approve] / [🚫 Deny].`,
       };
     case "other":
       return { suppressRaw: false, html: "" };
   }
 }
+
+/**
+ * Suggest the Telegram-native command for each sandbox-context verb.
+ * Only `init` still needs a one-time host shell (vault bootstrap is
+ * a setup step, not a steering-while-mobile workflow).
+ */
+function renderSandboxContextSuggestion(
+  verb: "set" | "get" | "list" | "init" | "remove" | "save",
+  key: string | undefined,
+): string {
+  const head = `⚠️ <b>Direct vault file IO isn't available from inside the agent sandbox.</b>\n`;
+  switch (verb) {
+    case "set":
+    case "save":
+      return (
+        head +
+        (key
+          ? `<b>Ask the agent</b> to call its <code>vault_request_save</code> ` +
+            `tool for <code>${htmlEscape(key)}</code> — an approval card ` +
+            `lands here with [✅ Save once] / [🚫 Discard] / [✏️ Rename] buttons.`
+          : `<b>Ask the agent</b> to call its <code>vault_request_save</code> ` +
+            `tool — an approval card lands here with [✅ Save once] / [🚫 Discard] / [✏️ Rename] buttons.`)
+      );
+    case "get":
+      return (
+        head +
+        `From this chat: <code>/vault get${key ? ` ${htmlEscape(key)}` : " &lt;key&gt;"}</code>`
+      );
+    case "list":
+      return head + `From this chat: <code>/vault list</code>`;
+    case "remove":
+      return (
+        head +
+        `Use the operator host CLI for now — Telegram-native delete is tracked as a follow-up. ` +
+        `<i>(Removing a vault key is a rare, irreversible operation; an in-chat confirmation card is on the punch list.)</i>`
+      );
+    case "init":
+      return (
+        head +
+        `Vault bootstrap is a one-time host-shell step: <code>switchroom vault init</code>.`
+      );
+  }
+}

package/telegram-plugin/secret-detect/vault-write.ts

@@ -25,7 +25,13 @@ export type VaultWriteFn = (
 export type VaultListFn = (passphrase: string) => { ok: boolean; keys: string[] }
 
 export const defaultVaultWrite: VaultWriteFn = (slug, value, passphrase) => {
-  const env = { ...process.env, SWITCHROOM_VAULT_PASSPHRASE: passphrase }
+  // Suppress the #969 P3 deprecation warning — the gateway forwarding
+  // the operator's passphrase per-spawn is the canonical P1a flow.
+  const env = {
+    ...process.env,
+    SWITCHROOM_VAULT_PASSPHRASE: passphrase,
+    SWITCHROOM_NO_VAULT_DEPRECATION_WARNING: '1',
+  }
   try {
     const result = execFileSync(
       process.env.SWITCHROOM_CLI_PATH ?? 'switchroom',
@@ -41,7 +47,13 @@ export const defaultVaultWrite: VaultWriteFn = (slug, value, passphrase) => {
 }
 
 export const defaultVaultList: VaultListFn = (passphrase) => {
-  const env = { ...process.env, SWITCHROOM_VAULT_PASSPHRASE: passphrase }
+  // Suppress the #969 P3 deprecation warning — the gateway forwarding
+  // the operator's passphrase per-spawn is the canonical P1a flow.
+  const env = {
+    ...process.env,
+    SWITCHROOM_VAULT_PASSPHRASE: passphrase,
+    SWITCHROOM_NO_VAULT_DEPRECATION_WARNING: '1',
+  }
   try {
     const result = execFileSync(
       process.env.SWITCHROOM_CLI_PATH ?? 'switchroom',