switchroom 0.7.15 → 0.10.0

package/telegram-plugin/tests/inbound-classifier.test.ts

@@ -0,0 +1,76 @@
+import { describe, it, expect } from 'vitest'
+import { classifyInbound } from '../inbound-classifier.js'
+
+describe('inbound-classifier — status query', () => {
+  describe('positive matches (status_query=true)', () => {
+    const positives = [
+      '?',
+      '??',
+      '???',
+      'status',
+      'Status',
+      'STATUS',
+      'status?',
+      'status ?',
+      'update',
+      'update?',
+      'any update',
+      'any update?',
+      'still there',
+      'still there?',
+      'Still There?',
+      'still working',
+      'still working?',
+      'are you there',
+      'are you there?',
+      'you there',
+      'you there?',
+      'hello?',
+      'Hello??',
+      'hey?',
+      // surrounding whitespace
+      '  status?  ',
+      '\nstill there?\n',
+    ]
+    for (const text of positives) {
+      it(`matches: ${JSON.stringify(text)}`, () => {
+        expect(classifyInbound(text).isStatusQuery).toBe(true)
+      })
+    }
+  })
+
+  describe('negative matches (status_query=false)', () => {
+    const negatives = [
+      '',
+      '   ',
+      'hello',
+      'hi',
+      'what is the status of the deploy',
+      'status of the deploy?',
+      'are you there with the report',
+      'what update did you see',
+      'i need an update on the metrics',
+      // Plausible but rejected — message too long to be a standalone ping
+      'status? also can you check the deployment script for the lint errors please',
+      // Punctuation-shaped but not a query
+      '.',
+      '!',
+      '!?',
+    ]
+    for (const text of negatives) {
+      it(`does not match: ${JSON.stringify(text)}`, () => {
+        expect(classifyInbound(text).isStatusQuery).toBe(false)
+      })
+    }
+  })
+
+  it('handles null/undefined safely', () => {
+    expect(classifyInbound(null).isStatusQuery).toBe(false)
+    expect(classifyInbound(undefined).isStatusQuery).toBe(false)
+  })
+
+  it('does not match messages over 40 chars even if they start with a status word', () => {
+    const longPretendStatusQuery = 'status? but actually i wanted to ask about deploys'
+    expect(classifyInbound(longPretendStatusQuery).isStatusQuery).toBe(false)
+  })
+})

package/telegram-plugin/tests/inbound-message-types.test.ts

@@ -0,0 +1,267 @@
+/**
+ * Structural tests for the 13 previously-silent inbound message types
+ * registered on `bot.on('message:<type>')` in the gateway (#1077).
+ *
+ * Why structural: gateway/gateway.ts wires every handler inline against
+ * the live `bot` instance — none of these closures are exported, so a
+ * functional invocation would require booting the full grammy runtime
+ * against a real or mocked Bot API. The existing gateway test suite
+ * settled on file-level grep assertions (see
+ * `gateway-secret-detect.test.ts`) for exactly this reason: cheap,
+ * deterministic, and they catch the regression we actually care about
+ * — a future hand mistakenly deleting a handler or skipping the
+ * gate/ack call that gives the user feedback.
+ *
+ * Decision matrix being enforced here (issue #1077):
+ *
+ *   forward         → contact, location, venue, poll, web_app_data,
+ *                     users_shared, chat_shared
+ *   ack-only        → dice, game, story, paid_media, successful_payment
+ *   refuse (DENY)   → passport_data
+ *
+ * The contract per-type:
+ *   - A `bot.on('message:<type>', …)` registration exists.
+ *   - Forwarding handlers call `handleInbound(`.
+ *   - Ack-only handlers call `handleAckOnly(`.
+ *   - The refusal handler calls `handleRefusal(` and does NOT call
+ *     `handleInbound(` (passport data must never reach the agent).
+ *   - Every handler logs a stderr line so operators can see the
+ *     event landed.
+ *   - Every handler is wrapped in try/catch (or delegates to a helper
+ *     that is) so a malformed payload cannot tear down the dispatcher.
+ */
+
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+
+const SRC = readFileSync(
+  new URL('../gateway/gateway.ts', import.meta.url),
+  'utf8',
+)
+
+// ─── Helpers ─────────────────────────────────────────────────────────────
+
+/**
+ * Extract the body of a `bot.on('message:<kind>', …)` handler. Returns
+ * the substring from the `bot.on(` line up to the matching closing
+ * `})` at the outer scope. Good enough for grepping — not a full
+ * AST parse.
+ */
+function handlerBody(kind: string): string {
+  const needle = `bot.on('message:${kind}'`
+  const start = SRC.indexOf(needle)
+  expect(start, `handler bot.on('message:${kind}') not found`).toBeGreaterThan(0)
+  // Find the matching close — naive depth count of {/} from the first `{`.
+  const firstBrace = SRC.indexOf('{', start)
+  let depth = 0
+  for (let i = firstBrace; i < SRC.length; i++) {
+    const c = SRC[i]
+    if (c === '{') depth++
+    else if (c === '}') {
+      depth--
+      if (depth === 0) return SRC.slice(start, i + 1)
+    }
+  }
+  throw new Error(`could not find end of handler ${kind}`)
+}
+
+// ─── Registration completeness ───────────────────────────────────────────
+
+const ALL_KINDS = [
+  'contact',
+  'location',
+  'venue',
+  'dice',
+  'poll',
+  'game',
+  'story',
+  'paid_media',
+  'successful_payment',
+  'passport_data',
+  'web_app_data',
+  'users_shared',
+  'chat_shared',
+] as const
+
+describe('inbound message-type handlers: registration', () => {
+  for (const kind of ALL_KINDS) {
+    it(`registers a bot.on('message:${kind}') handler`, () => {
+      expect(SRC).toContain(`bot.on('message:${kind}'`)
+    })
+  }
+})
+
+// ─── Forwarding handlers ─────────────────────────────────────────────────
+
+const FORWARDING = [
+  'contact',
+  'location',
+  'venue',
+  'poll',
+  'web_app_data',
+  'users_shared',
+  'chat_shared',
+] as const
+
+describe('inbound message-type handlers: forwarding decisions', () => {
+  for (const kind of FORWARDING) {
+    it(`${kind} forwards via handleInbound and logs to stderr`, () => {
+      const body = handlerBody(kind)
+      expect(body).toMatch(/handleInbound\(ctx,/)
+      expect(body).toMatch(/process\.stderr\.write/)
+      // Must not divert to the ack-only path — that would silently
+      // hide the payload from the agent.
+      expect(body).not.toMatch(/handleAckOnly\(/)
+      expect(body).not.toMatch(/handleRefusal\(/)
+    })
+  }
+
+  it('forwarding envelopes describe the payload kind in the text', () => {
+    // Each handler builds a `(<kind>: …)` text envelope so the agent
+    // sees what category of payload arrived without having to decode
+    // the meta block.
+    expect(handlerBody('contact')).toContain('(contact:')
+    expect(handlerBody('location')).toContain('(location:')
+    expect(handlerBody('venue')).toContain('(venue:')
+    expect(handlerBody('poll')).toContain('(poll:')
+    expect(handlerBody('web_app_data')).toContain('(web_app_data:')
+    expect(handlerBody('users_shared')).toContain('(users_shared:')
+    expect(handlerBody('chat_shared')).toContain('(chat_shared:')
+  })
+
+  it('web_app_data caps untrusted payload length before forwarding', () => {
+    // web_app_data.data is arbitrary mini-app output — a malicious
+    // mini-app could otherwise flood the agent. Same defence as #553
+    // applied to text coalescing.
+    const body = handlerBody('web_app_data')
+    expect(body).toMatch(/slice\(0,\s*4096\)/)
+    expect(body).toMatch(/truncated/)
+  })
+})
+
+// ─── Ack-only handlers ───────────────────────────────────────────────────
+
+const ACK_ONLY = ['dice', 'game', 'story', 'paid_media', 'successful_payment'] as const
+
+describe('inbound message-type handlers: ack-only decisions', () => {
+  for (const kind of ACK_ONLY) {
+    it(`${kind} uses handleAckOnly (no forward to agent)`, () => {
+      const body = handlerBody(kind)
+      expect(body).toMatch(/handleAckOnly\(/)
+      expect(body).toMatch(/process\.stderr\.write/)
+      // Ack-only must NOT call handleInbound — the whole point is
+      // we don't bother the agent for these.
+      expect(body).not.toMatch(/handleInbound\(/)
+      // Nor should it pretend to refuse.
+      expect(body).not.toMatch(/handleRefusal\(/)
+    })
+  }
+
+  it('dice uses a 🎲 reaction for situational feedback', () => {
+    expect(handlerBody('dice')).toContain("emoji: '🎲'")
+  })
+
+  it('paid_media and successful_payment are marked warn:true', () => {
+    expect(handlerBody('paid_media')).toMatch(/warn:\s*true/)
+    expect(handlerBody('successful_payment')).toMatch(/warn:\s*true/)
+  })
+
+  it('successful_payment logs the structured payment fields', () => {
+    // Money-flow events need a reconciliation-friendly stderr line.
+    const body = handlerBody('successful_payment')
+    expect(body).toContain('currency=')
+    expect(body).toContain('total_amount=')
+    expect(body).toContain('telegram_charge=')
+  })
+})
+
+// ─── Refusal handler ─────────────────────────────────────────────────────
+
+describe('inbound message-type handlers: passport_data refusal', () => {
+  it('passport_data uses handleRefusal and NEVER calls handleInbound', () => {
+    const body = handlerBody('passport_data')
+    expect(body).toMatch(/handleRefusal\(/)
+    // Critical: passport data is regulated identity material. Even a
+    // diagnostic forward path would leak it onto the agent's wire.
+    expect(body).not.toMatch(/handleInbound\(/)
+    expect(body).not.toMatch(/ipcServer\.broadcast/)
+  })
+
+  it('passport_data refusal text mentions Telegram Passport', () => {
+    // The user gets a polite explanation so they don't think the
+    // message was simply dropped on the floor.
+    const body = handlerBody('passport_data')
+    expect(body).toMatch(/Telegram Passport/)
+  })
+})
+
+// ─── Shared helper invariants ────────────────────────────────────────────
+
+describe('inbound message-type helpers: handleAckOnly + handleRefusal', () => {
+  it('handleAckOnly is declared and gates before reacting', () => {
+    // The function must consult gate() so non-allowlisted senders
+    // don't get a reaction (which would confirm the bot exists to
+    // a stranger).
+    expect(SRC).toMatch(/async function handleAckOnly\(/)
+    const fnStart = SRC.indexOf('async function handleAckOnly(')
+    const fnSlice = SRC.slice(fnStart, fnStart + 2000)
+    expect(fnSlice).toContain('gate(ctx)')
+    expect(fnSlice).toContain('setMessageReaction')
+  })
+
+  it('handleAckOnly drops non-allowlisted senders silently', () => {
+    const fnStart = SRC.indexOf('async function handleAckOnly(')
+    const fnSlice = SRC.slice(fnStart, fnStart + 2000)
+    expect(fnSlice).toMatch(/action === 'drop'/)
+  })
+
+  it('handleAckOnly is wrapped in try/catch', () => {
+    const fnStart = SRC.indexOf('async function handleAckOnly(')
+    const fnSlice = SRC.slice(fnStart, fnStart + 2000)
+    expect(fnSlice).toMatch(/try\s*\{/)
+    expect(fnSlice).toMatch(/catch\s*\(/)
+  })
+
+  it('handleRefusal is declared and sends a reply via sendMessage', () => {
+    expect(SRC).toMatch(/async function handleRefusal\(/)
+    const fnStart = SRC.indexOf('async function handleRefusal(')
+    const fnSlice = SRC.slice(fnStart, fnStart + 2000)
+    expect(fnSlice).toContain('gate(ctx)')
+    expect(fnSlice).toContain('sendMessage')
+    // SECURITY-tagged log line so operators see the refusal in
+    // their stderr scrape.
+    expect(fnSlice).toMatch(/SECURITY/)
+  })
+
+  it('handleRefusal sits behind the gate (no leak to strangers)', () => {
+    // Mirrors handleAckOnly — we don't even confirm the bot exists
+    // to a sender who isn't allowlisted.
+    const fnStart = SRC.indexOf('async function handleRefusal(')
+    const fnSlice = SRC.slice(fnStart, fnStart + 2000)
+    expect(fnSlice).toMatch(/action === 'drop'/)
+  })
+})
+
+// ─── Decision-matrix completeness ────────────────────────────────────────
+
+describe('inbound message-type decisions cover all 13 types from #1077', () => {
+  it('every kind in the matrix has exactly one decision', () => {
+    const forwardSet = new Set<string>(FORWARDING)
+    const ackSet = new Set<string>(ACK_ONLY)
+    const refusalSet = new Set<string>(['passport_data'])
+    for (const kind of ALL_KINDS) {
+      const inForward = forwardSet.has(kind)
+      const inAck = ackSet.has(kind)
+      const inRefusal = refusalSet.has(kind)
+      const count = Number(inForward) + Number(inAck) + Number(inRefusal)
+      expect(count, `${kind} should appear in exactly one bucket, got ${count}`).toBe(1)
+    }
+  })
+
+  it('matrix totals: 7 forward, 5 ack-only, 1 refuse', () => {
+    expect(FORWARDING.length).toBe(7)
+    expect(ACK_ONLY.length).toBe(5)
+    // All 13 covered, no extras dropped.
+    expect(FORWARDING.length + ACK_ONLY.length + 1).toBe(ALL_KINDS.length)
+  })
+})

package/telegram-plugin/tests/issues-card.test.ts

@@ -493,3 +493,52 @@ describe("createIssuesCardHandle — persistence (#472 #19)", () => {
     }
   });
 });
+
+// ─── #1075 — THREAD_NOT_FOUND propagation ───────────────────────────────────
+//
+// In production the gateway wires the issues-card's `bot` adapter through
+// `robustApiCall`, which throws a wrapped error with `message ==
+// 'THREAD_NOT_FOUND'` when the underlying GrammyError matches "thread not
+// found". The card module's job is to NOT crash — it should log and
+// re-post on the next refresh (the same path it uses for "message not
+// found" stale-edit recovery). Both shapes are tested here.
+
+describe("createIssuesCardHandle — #1075 thread-deleted resilience", () => {
+  it("re-posts the card when an edit throws THREAD_NOT_FOUND", async () => {
+    const bot = makeFakeBot();
+    const handle = createIssuesCardHandle({
+      agentName: "klanker",
+      chatId: "1",
+      bot,
+      now: () => 1_000_000,
+    });
+    await handle.refresh([makeEvent({ summary: "first" })]);
+    expect(bot.sent).toHaveLength(1);
+
+    // Mid-flight, the topic gets deleted. The wrapped adapter throws
+    // the special THREAD_NOT_FOUND error on the next edit.
+    bot.editMessageText = async () => {
+      throw Object.assign(new Error("THREAD_NOT_FOUND"), { original: null });
+    };
+    await handle.refresh([makeEvent({ summary: "after thread delete" })]);
+    // Card was forced to re-post (sent twice).
+    expect(bot.sent).toHaveLength(2);
+    // And it should NOT have crashed — handle still operates.
+    expect(handle.messageId()).not.toBeNull();
+  });
+
+  it("does not crash when sendMessage itself throws THREAD_NOT_FOUND", async () => {
+    const bot = makeFakeBot();
+    bot.sendMessage = async () => {
+      throw Object.assign(new Error("THREAD_NOT_FOUND"), { original: null });
+    };
+    const handle = createIssuesCardHandle({
+      agentName: "klanker",
+      chatId: "1",
+      bot,
+    });
+    // First refresh — should swallow the THREAD_NOT_FOUND, no crash.
+    await expect(handle.refresh([makeEvent({})])).resolves.toBeUndefined();
+    expect(handle.messageId()).toBeNull();
+  });
+});

package/telegram-plugin/tests/pending-inbound-buffer.test.ts

@@ -0,0 +1,132 @@
+/**
+ * Pin the per-agent inbound buffer that closes the #1150 root cause:
+ * if the gateway tries to deliver a synthetic inbound while the agent's
+ * bridge isn't connected (mid-reconnect, claude-session bouncing, etc),
+ * the inbound used to be silently dropped. Now it's buffered and
+ * drained on the next bridge-register.
+ */
+
+import { describe, it, expect } from 'vitest'
+import { createPendingInboundBuffer, DEFAULT_PENDING_INBOUND_CAP } from '../gateway/pending-inbound-buffer.js'
+import type { InboundMessage } from '../gateway/ipc-protocol.js'
+
+function inbound(source: string, ts = Date.now()): InboundMessage {
+  return {
+    type: 'inbound',
+    chatId: 'c1',
+    messageId: ts,
+    user: 'vault-broker',
+    userId: 0,
+    ts,
+    text: `synthetic ${source}`,
+    meta: { source },
+  }
+}
+
+describe('pending-inbound-buffer', () => {
+  it('push + drain — FIFO order per agent', () => {
+    const buf = createPendingInboundBuffer({ log: () => {} })
+    buf.push('a', inbound('vault_grant_approved', 1))
+    buf.push('a', inbound('cron', 2))
+    buf.push('a', inbound('reaction', 3))
+    const drained = buf.drain('a')
+    expect(drained.map((m) => m.meta?.source)).toEqual([
+      'vault_grant_approved',
+      'cron',
+      'reaction',
+    ])
+  })
+
+  it('drain is idempotent — second call returns empty', () => {
+    const buf = createPendingInboundBuffer({ log: () => {} })
+    buf.push('a', inbound('x'))
+    expect(buf.drain('a')).toHaveLength(1)
+    expect(buf.drain('a')).toHaveLength(0)
+  })
+
+  it('drain only affects the named agent', () => {
+    const buf = createPendingInboundBuffer({ log: () => {} })
+    buf.push('a', inbound('x'))
+    buf.push('b', inbound('y'))
+    expect(buf.drain('a').map((m) => m.meta?.source)).toEqual(['x'])
+    expect(buf.depth('b')).toBe(1)
+    expect(buf.drain('b').map((m) => m.meta?.source)).toEqual(['y'])
+  })
+
+  it('respects per-agent cap — oldest evicted when full', () => {
+    const buf = createPendingInboundBuffer({ capPerAgent: 3, log: () => {} })
+    // Push 1 .. 5; cap is 3 so 1, 2 should be evicted.
+    buf.push('a', inbound('m1', 1))
+    buf.push('a', inbound('m2', 2))
+    buf.push('a', inbound('m3', 3))
+    buf.push('a', inbound('m4', 4))
+    buf.push('a', inbound('m5', 5))
+    expect(buf.depth('a')).toBe(3)
+    const drained = buf.drain('a')
+    expect(drained.map((m) => m.meta?.source)).toEqual(['m3', 'm4', 'm5'])
+  })
+
+  it('push returns false when eviction occurred', () => {
+    const buf = createPendingInboundBuffer({ capPerAgent: 2, log: () => {} })
+    expect(buf.push('a', inbound('m1'))).toBe(true)
+    expect(buf.push('a', inbound('m2'))).toBe(true)
+    expect(buf.push('a', inbound('m3'))).toBe(false) // evicted m1
+  })
+
+  it('default cap is 32', () => {
+    expect(DEFAULT_PENDING_INBOUND_CAP).toBe(32)
+    const buf = createPendingInboundBuffer({ log: () => {} })
+    for (let i = 0; i < 32; i++) buf.push('a', inbound(`m${i}`, i))
+    expect(buf.depth('a')).toBe(32)
+    buf.push('a', inbound('m33', 33))
+    expect(buf.depth('a')).toBe(32) // still at cap
+  })
+
+  it('logs on eviction', () => {
+    const logs: string[] = []
+    const buf = createPendingInboundBuffer({ capPerAgent: 1, log: (l) => logs.push(l) })
+    buf.push('a', inbound('m1', 1))
+    buf.push('a', inbound('m2', 2)) // evicts m1
+    expect(logs.some((l) => l.includes('cap=1') && l.includes('dropped oldest'))).toBe(true)
+    expect(logs.some((l) => l.includes('m1'))).toBe(true)
+  })
+
+  it('logs on push (depth tracking visibility)', () => {
+    const logs: string[] = []
+    const buf = createPendingInboundBuffer({ log: (l) => logs.push(l) })
+    buf.push('a', inbound('vault_grant_approved'))
+    expect(logs.some((l) => l.includes('agent=a buffered source=vault_grant_approved depth_after=1'))).toBe(true)
+  })
+
+  it('logs on drain with source listing', () => {
+    const logs: string[] = []
+    const buf = createPendingInboundBuffer({ log: (l) => logs.push(l) })
+    buf.push('a', inbound('vault_grant_approved'))
+    buf.push('a', inbound('cron'))
+    logs.length = 0
+    buf.drain('a')
+    expect(logs.some((l) => l.includes('drained agent=a count=2'))).toBe(true)
+    expect(logs.some((l) => l.includes('sources=[vault_grant_approved,cron]'))).toBe(true)
+  })
+
+  it('drain on empty agent does not log', () => {
+    const logs: string[] = []
+    const buf = createPendingInboundBuffer({ log: (l) => logs.push(l) })
+    expect(buf.drain('never-pushed')).toEqual([])
+    expect(logs).toEqual([])
+  })
+
+  it('depth and totalDepth track correctly across agents', () => {
+    const buf = createPendingInboundBuffer({ log: () => {} })
+    expect(buf.totalDepth()).toBe(0)
+    buf.push('a', inbound('x'))
+    buf.push('a', inbound('y'))
+    buf.push('b', inbound('z'))
+    expect(buf.depth('a')).toBe(2)
+    expect(buf.depth('b')).toBe(1)
+    expect(buf.depth('c')).toBe(0)
+    expect(buf.totalDepth()).toBe(3)
+    buf.drain('a')
+    expect(buf.totalDepth()).toBe(1)
+  })
+})

package/telegram-plugin/tests/permission-rule.test.ts

@@ -12,7 +12,7 @@
  */
 
 import { describe, it, expect } from 'vitest'
-import { resolveAlwaysAllowRule } from '../permission-rule.js'
+import { resolveAlwaysAllowRule, matchesAllowRule } from '../permission-rule.js'
 
 describe('resolveAlwaysAllowRule — Skill', () => {
   it('returns Skill(name) for a typical skill input', () => {
@@ -119,3 +119,82 @@ describe('resolveAlwaysAllowRule — fallback', () => {
     expect(resolveAlwaysAllowRule('', undefined)).toBeNull()
   })
 })
+
+describe('matchesAllowRule — bare tool names', () => {
+  // The whole point of #1138: a cached `Edit` rule covers every Edit
+  // call from the parent claude AND from sub-agents dispatched via the
+  // Task tool, no matter the file path.
+  it('matches any invocation of the same tool', () => {
+    expect(matchesAllowRule('Edit', 'Edit', undefined)).toBe(true)
+    expect(matchesAllowRule('Edit', 'Edit', JSON.stringify({ file_path: '/tmp/a' }))).toBe(true)
+    expect(matchesAllowRule('Edit', 'Edit', JSON.stringify({ file_path: '/etc/passwd' }))).toBe(true)
+  })
+
+  it('does not bleed into other tools', () => {
+    expect(matchesAllowRule('Edit', 'Write', undefined)).toBe(false)
+    expect(matchesAllowRule('Read', 'Edit', undefined)).toBe(false)
+    expect(matchesAllowRule('Bash', 'BashOutput', undefined)).toBe(false)
+  })
+
+  it.each(['Bash', 'Read', 'Write', 'MultiEdit', 'Glob', 'Grep', 'WebFetch', 'TodoWrite'])(
+    'roundtrips through resolve → match for %s',
+    (tool) => {
+      const resolved = resolveAlwaysAllowRule(tool, undefined)
+      expect(resolved).not.toBeNull()
+      expect(matchesAllowRule(resolved!.rule, tool, undefined)).toBe(true)
+    },
+  )
+})
+
+describe('matchesAllowRule — Skill(name)', () => {
+  it('matches only the specific skill', () => {
+    expect(matchesAllowRule('Skill(mail)', 'Skill', JSON.stringify({ skill: 'mail' }))).toBe(true)
+    expect(matchesAllowRule('Skill(mail)', 'Skill', JSON.stringify({ skill: 'calendar' }))).toBe(false)
+  })
+
+  it('uses the same field fallback chain as the resolver', () => {
+    expect(matchesAllowRule('Skill(mail)', 'Skill', JSON.stringify({ skill_name: 'mail' }))).toBe(true)
+    expect(matchesAllowRule('Skill(mail)', 'Skill', JSON.stringify({ skillName: 'mail' }))).toBe(true)
+    expect(matchesAllowRule('Skill(mail)', 'Skill', JSON.stringify({ name: 'mail' }))).toBe(true)
+    expect(matchesAllowRule(
+      'Skill(coolify)',
+      'Skill',
+      JSON.stringify({ path: 'skills/coolify/SKILL.md' }),
+    )).toBe(true)
+  })
+
+  it('does not match a different tool with the same arg', () => {
+    expect(matchesAllowRule('Skill(mail)', 'Bash', JSON.stringify({ skill: 'mail' }))).toBe(false)
+  })
+
+  it('returns false on malformed Skill input', () => {
+    expect(matchesAllowRule('Skill(mail)', 'Skill', undefined)).toBe(false)
+    expect(matchesAllowRule('Skill(mail)', 'Skill', 'not-json')).toBe(false)
+    expect(matchesAllowRule('Skill(mail)', 'Skill', JSON.stringify({ unrelated: 'x' }))).toBe(false)
+  })
+})
+
+describe('matchesAllowRule — MCP tools', () => {
+  it('matches the exact namespaced tool', () => {
+    expect(matchesAllowRule(
+      'mcp__switchroom-telegram__reply',
+      'mcp__switchroom-telegram__reply',
+      undefined,
+    )).toBe(true)
+  })
+
+  it('does not match a different MCP tool on the same server', () => {
+    expect(matchesAllowRule(
+      'mcp__switchroom-telegram__reply',
+      'mcp__switchroom-telegram__stream_reply',
+      undefined,
+    )).toBe(false)
+  })
+})
+
+describe('matchesAllowRule — defensive', () => {
+  it('returns false for empty inputs', () => {
+    expect(matchesAllowRule('', 'Edit', undefined)).toBe(false)
+    expect(matchesAllowRule('Edit', '', undefined)).toBe(false)
+  })
+})

package/telegram-plugin/tests/permission-title.test.ts

@@ -103,4 +103,35 @@ describe('summarizeToolForTitle (#186)', () => {
     const input = JSON.stringify({ skill: 'mail', name: 'wrong' })
     expect(summarizeToolForTitle('Skill', input)).toBe('Skill (mail)')
   })
+
+  test('MCP curated: agent-config tools render as human verb-phrases (#1215)', () => {
+    expect(summarizeToolForTitle('mcp__agent-config__skill_list', undefined)).toBe(
+      'List its own installed skills',
+    )
+    expect(summarizeToolForTitle('mcp__agent-config__cron_list', undefined)).toBe(
+      'List its own scheduled tasks',
+    )
+    expect(summarizeToolForTitle('mcp__agent-config__peers_list', undefined)).toBe(
+      'List the other agents on this instance',
+    )
+  })
+
+  test('MCP curated: hostd tools render as human verb-phrases (#1215)', () => {
+    expect(summarizeToolForTitle('mcp__hostd__agent_logs', undefined)).toBe(
+      "Read another agent's container logs",
+    )
+    expect(summarizeToolForTitle('mcp__hostd__agent_exec', undefined)).toBe(
+      'Run a read-only inspection inside another agent',
+    )
+  })
+
+  test('MCP fallback: unknown mcp tool renders as `<server>: <verb with spaces>`', () => {
+    expect(summarizeToolForTitle('mcp__some-server__do_thing', undefined)).toBe(
+      'some-server: do thing',
+    )
+  })
+
+  test('MCP malformed: bare mcp__ prefix without __<server>__<verb> shape is left alone', () => {
+    expect(summarizeToolForTitle('mcp__bad', undefined)).toBe('mcp__bad')
+  })
 })