switchroom 0.7.15 → 0.10.0

package/telegram-plugin/tests/vault-approval-posture.test.ts

@@ -0,0 +1,256 @@
+/**
+ * Contract pins for the `vault.broker.approvalAuth` posture toggle and
+ * its #1115 follow-up — broker-mediated attestation.
+ *
+ * Posture summary:
+ *   - `passphrase` (default): Approve on a grant card prompts the
+ *     operator for the vault passphrase. Two-factor (Telegram ID +
+ *     passphrase). Gateway holds the passphrase only briefly after
+ *     operator typing.
+ *   - `telegram-id` (opt-in): Approve mints immediately. The gateway
+ *     signals operator-tap intent to the broker via
+ *     `attest_via_posture: true` on the mint_grant call; the broker
+ *     uses its OWN retained passphrase internally. Single-factor;
+ *     passphrase never leaves the broker process.
+ *
+ * Load-bearing invariants pinned here:
+ *   1. The resolver returns the posture mode and nothing else — the
+ *      gateway no longer holds the passphrase in memory under
+ *      telegram-id (the #1115 first-cut and #1115-follow-up-v1
+ *      designs did, and the reviewer flagged it as a bypass).
+ *   2. The allowlist check is the FIRST gate in every vault callback
+ *      handler — no posture branching, no mint, no
+ *      `pendingVaultOps.set` runs before it.
+ *   3. handleVaultDeferCallback and handleVaultRequestSaveCallback
+ *      under telegram-id NO LONGER short-circuit on an in-memory
+ *      passphrase — they fall through to the standard
+ *      cached-passphrase path (#1115 follow-up cleanup; the original
+ *      shortcut was the same bypass class as the access-approve
+ *      one).
+ *   4. handleVaultRequestAccessCallback under telegram-id calls
+ *      `performVaultAccessApproval` with `{ kind: 'posture' }` — the
+ *      attestation type that drives `attest_via_posture: true` on
+ *      mint_grant.
+ *   5. `handleVaultGrantCallback` (operator-initiated wizard) NEVER
+ *      references `VAULT_APPROVAL_AUTH_MODE` — flipping posture
+ *      cannot change wizard behaviour.
+ */
+
+import { describe, expect, it } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import { resolveVaultApprovalPosture } from '../vault-approval-posture.js'
+
+const gatewaySrc = readFileSync(
+  resolve(__dirname, '..', 'gateway', 'gateway.ts'),
+  'utf-8',
+)
+
+function sliceAccessApproveBlock(): string {
+  const fn =
+    gatewaySrc.split('async function handleVaultRequestAccessCallback')[1]?.split('async function')[0] ?? ''
+  return fn.split("if (action === 'approve')")[1]?.split("await ctx.answerCallbackQuery({ text: 'Unknown action'")[0] ?? ''
+}
+
+describe('vault grant approval posture — module-level wiring', () => {
+  it('declares the posture mode holder; does NOT hold the passphrase in memory', () => {
+    expect(gatewaySrc).toMatch(/let VAULT_APPROVAL_AUTH_MODE:\s*['"]passphrase['"]\s*\|\s*['"]telegram-id['"]/)
+    // Regression guard: post-#1115-follow-up the gateway must NOT
+    // declare AUTO_UNLOCK_PASSPHRASE — the passphrase stays in the
+    // broker. If a future change reintroduces this variable, the
+    // reviewer's "agent can self-mint" bypass returns.
+    expect(gatewaySrc).not.toMatch(/let AUTO_UNLOCK_PASSPHRASE/)
+    expect(gatewaySrc).not.toMatch(/AUTO_UNLOCK_PASSPHRASE\s*=/)
+  })
+
+  it('initialises posture from switchroom config at startup', () => {
+    expect(gatewaySrc).toMatch(/function initVaultApprovalPosture/)
+    expect(gatewaySrc).toMatch(/initVaultApprovalPosture\(\)/)
+    expect(gatewaySrc).toMatch(/resolveVaultApprovalPosture\(/)
+  })
+})
+
+describe('handleVaultRequestAccessCallback — posture branch', () => {
+  it('mints via posture attestation (NOT in-memory passphrase) when posture is telegram-id', () => {
+    const approveBlock = sliceAccessApproveBlock()
+    expect(approveBlock).toMatch(/VAULT_APPROVAL_AUTH_MODE === ['"]telegram-id['"]/)
+    // Pinned: the call shape MUST be `{ kind: 'posture' }`. If the
+    // gateway ever reverts to passing a real passphrase here, the
+    // bypass surface returns.
+    expect(approveBlock).toMatch(/performVaultAccessApproval\(ctx, pending, stageId, senderId, \{ kind: ['"]posture['"] \}\)/)
+    expect(approveBlock).toMatch(/Approved by @/)
+  })
+
+  it('preserves the allowlist guard regardless of posture', () => {
+    const handlerBlock =
+      gatewaySrc.split('async function handleVaultRequestAccessCallback')[1]?.split('async function')[0] ?? ''
+    expect(handlerBlock).toMatch(/if \(!access\.allowFrom\.includes\(senderId\)\)/)
+    expect(handlerBlock).toMatch(/Not authorized/)
+  })
+
+  it('passphrase-mode branch unchanged: cache lookup + prompt still present', () => {
+    const approveBlock = sliceAccessApproveBlock()
+    expect(approveBlock).toMatch(/vaultPassphraseCache\.get\(pending\.chat_id\)/)
+    expect(approveBlock).toMatch(/Reply with your passphrase/i)
+    expect(approveBlock).toMatch(/passphrase-for-access-approve/)
+    // Pinned: the queued-drain path passes the typed passphrase via
+    // the new attestation shape `{ kind: 'passphrase', passphrase }`.
+    expect(gatewaySrc).toMatch(/performVaultAccessApproval\(ctx, stagedAccess, item\.stageId, item\.senderId, \{ kind: ['"]passphrase['"], passphrase \}\)/)
+  })
+})
+
+describe('performVaultAccessApproval — broker-mediated attestation', () => {
+  it('builds brokerAuthOpts from the AccessApprovalAttestation discriminator', () => {
+    const fnBlock =
+      gatewaySrc
+        .split('async function performVaultAccessApproval')[1]
+        ?.split('async function handleVaultRequestAccessCallback')[0] ?? ''
+    // Pinned: the passphrase variant feeds the broker passphrase
+    // attestation; the posture variant feeds `attest_via_posture:
+    // true`. NOT a free-form union — the discriminator is what
+    // makes the call shapes type-safe.
+    expect(fnBlock).toMatch(/attestation\.kind === ['"]passphrase['"]/)
+    expect(fnBlock).toMatch(/attest_via_posture: true/)
+    expect(fnBlock).toMatch(/passphrase: attestation\.passphrase/)
+    // Pinned: the same brokerAuthOpts threads both
+    // listGrantsViaBroker (for #1051 grant-union) AND
+    // mintGrantViaBroker. If only one is wired, the union path
+    // silently re-strands the prior token under telegram-id.
+    expect(fnBlock).toMatch(/listGrantsViaBroker\(pending\.agent, brokerAuthOpts\)/)
+    expect(fnBlock).toMatch(/\.\.\.brokerAuthOpts/)
+  })
+})
+
+describe('handleVaultRequestSaveCallback — telegram-id silent path withdrawn', () => {
+  it('NO LONGER reads an in-memory passphrase for telegram-id; falls through to cached-passphrase path', () => {
+    const fnBlock =
+      gatewaySrc
+        .split('async function handleVaultRequestSaveCallback')[1]
+        ?.split('async function handleVaultDeferCallback')[0] ?? ''
+    // Regression guard: the original PR added a
+    // `VAULT_APPROVAL_AUTH_MODE === 'telegram-id'` shortcut that
+    // pulled an in-memory passphrase. That was a bypass surface.
+    // The save handler must NOT branch on the posture for an
+    // in-memory passphrase any more.
+    expect(fnBlock).not.toMatch(/AUTO_UNLOCK_PASSPHRASE/)
+    // Standard cache lookup still present.
+    expect(fnBlock).toMatch(/vaultPassphraseCache\.get\(pending\.chat_id\)/)
+  })
+})
+
+describe('handleVaultDeferCallback — telegram-id silent path withdrawn', () => {
+  it('NO LONGER reads an in-memory passphrase for telegram-id; falls through to cached-passphrase path', () => {
+    const fnBlock =
+      gatewaySrc
+        .split('async function handleVaultDeferCallback')[1]
+        ?.split('\nasync function ')[0] ?? ''
+    expect(fnBlock).not.toMatch(/AUTO_UNLOCK_PASSPHRASE/)
+    // Cached-passphrase path still present.
+    const unlockBranch = fnBlock.split("if (action === 'unlock')")[1] ?? ''
+    expect(unlockBranch).toMatch(/vaultPassphraseCache\.get\(/)
+  })
+})
+
+describe('handleVaultGrantCallback (wizard) — posture cannot affect wizard', () => {
+  it('wizard handler never references VAULT_APPROVAL_AUTH_MODE — posture flips are inert here', () => {
+    const fnBlock =
+      gatewaySrc
+        .split('async function handleVaultGrantCallback')[1]
+        ?.split('\nasync function ')[0] ?? ''
+    expect(fnBlock).not.toMatch(/VAULT_APPROVAL_AUTH_MODE/)
+    expect(fnBlock).not.toMatch(/AUTO_UNLOCK_PASSPHRASE/)
+    expect(fnBlock).not.toMatch(/attest_via_posture/)
+  })
+})
+
+describe('allowlist is the first gate in every vault callback handler', () => {
+  function handlerBody(name: string): string {
+    const after = gatewaySrc.split(`async function ${name}(`)[1] ?? ''
+    return after.split('\nasync function ')[0] ?? ''
+  }
+  for (const handler of [
+    'handleVaultRequestAccessCallback',
+    'handleVaultRequestSaveCallback',
+    'handleVaultDeferCallback',
+    'handleVaultGrantCallback',
+  ]) {
+    it(`${handler}: allowlist check fires before any other branching`, () => {
+      const body = handlerBody(handler)
+      expect(body).not.toBe('')
+      const idx = body.indexOf('if (')
+      const firstGuard = body.slice(idx, body.indexOf('\n', body.indexOf('\n', idx) + 1))
+      expect(firstGuard).toMatch(/access\.allowFrom\.includes\(senderId\)/)
+    })
+
+    it(`${handler}: no callback side-effect appears before the allowlist check`, () => {
+      const body = handlerBody(handler)
+      const beforeAllowlist = body.split('access.allowFrom.includes(senderId)')[0] ?? body
+      for (const sentinel of [
+        'mintGrantViaBroker',
+        'performVaultAccessApproval',
+        'pendingVaultOps.set',
+        "VAULT_APPROVAL_AUTH_MODE === 'telegram-id'",
+        'attest_via_posture',
+      ]) {
+        expect(
+          beforeAllowlist.includes(sentinel),
+          `${handler}: sentinel "${sentinel}" must NOT appear before the allowlist check`,
+        ).toBe(false)
+      }
+    })
+  }
+})
+
+describe('resolveVaultApprovalPosture — runtime behaviour', () => {
+  it('passphrase posture when approvalAuth is absent', () => {
+    expect(resolveVaultApprovalPosture(undefined)).toEqual({ mode: 'passphrase' })
+    expect(resolveVaultApprovalPosture({})).toEqual({ mode: 'passphrase' })
+  })
+
+  it('passphrase posture when approvalAuth is explicitly passphrase', () => {
+    expect(resolveVaultApprovalPosture({ approvalAuth: 'passphrase' })).toEqual({ mode: 'passphrase' })
+  })
+
+  it('telegram-id posture when approvalAuth is telegram-id', () => {
+    expect(resolveVaultApprovalPosture({ approvalAuth: 'telegram-id' })).toEqual({ mode: 'telegram-id' })
+  })
+
+  it('defence-in-depth: unknown approvalAuth values fall back to passphrase (schema rejects them, but trust nothing)', () => {
+    expect(resolveVaultApprovalPosture({ approvalAuth: 'TELEGRAM-ID' })).toEqual({ mode: 'passphrase' })
+    expect(resolveVaultApprovalPosture({ approvalAuth: 'telegram_id' })).toEqual({ mode: 'passphrase' })
+    expect(resolveVaultApprovalPosture({ approvalAuth: '' })).toEqual({ mode: 'passphrase' })
+    expect(resolveVaultApprovalPosture({ approvalAuth: 'nonsense' })).toEqual({ mode: 'passphrase' })
+  })
+
+  it('adversarial fuzz: 200 random inputs never return a non-passphrase, non-telegram-id mode and never throw', () => {
+    const rand = mulberry32(0xdeadbeef)
+    const choices: any[] = [
+      undefined,
+      'passphrase',
+      'telegram-id',
+      'PASSPHRASE',
+      '',
+      'nonsense',
+      null,
+      0,
+      false,
+      { nested: 'telegram-id' },
+    ]
+    for (let i = 0; i < 200; i++) {
+      const broker = { approvalAuth: choices[Math.floor(rand() * choices.length)] }
+      const result = resolveVaultApprovalPosture(broker as never)
+      expect(result.mode === 'passphrase' || result.mode === 'telegram-id', `iter ${i}: mode must be one of the two literals`).toBe(true)
+    }
+  })
+})
+
+function mulberry32(seed: number): () => number {
+  let a = seed >>> 0
+  return () => {
+    a = (a + 0x6D2B79F5) >>> 0
+    let t = a
+    t = Math.imul(t ^ (t >>> 15), t | 1)
+    t ^= t + Math.imul(t ^ (t >>> 7), t | 61)
+    return ((t ^ (t >>> 14)) >>> 0) / 4294967296
+  }
+}

package/telegram-plugin/tests/vault-grant-auto-resume.test.ts

@@ -0,0 +1,73 @@
+/**
+ * Contract pin for #1052 — agent auto-resumes after operator approves
+ * a vault_request_access card.
+ *
+ * Pre-fix: agent called vault_request_access → tool returned ack →
+ * agent's turn ended ("waiting for approval"). Operator approved later
+ * → grant minted → BUT the agent did nothing because its turn was
+ * already over. Operator had to send a fresh message to kick the
+ * agent back into action.
+ *
+ * Fix: after successful mint (via passphrase-attestation broker call
+ * + token-write), the gateway injects a synthetic InboundMessage into
+ * the agent's bridge via `ipcServer.sendToAgent`. The bridge sees it
+ * as a normal channel event (with meta.source="vault_grant_approved"
+ * for distinct rendering) and starts a new turn. Re-uses the existing
+ * inject_inbound primitive that cron has used since #890+.
+ *
+ * This file pins the call site so a future refactor can't quietly
+ * drop the injection.
+ */
+
+import { describe, it, expect } from "vitest";
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
+
+const gatewaySrc = readFileSync(
+  resolve(__dirname, "..", "gateway", "gateway.ts"),
+  "utf-8",
+);
+
+function extractPerformBlock(): string {
+  const start = gatewaySrc.indexOf("async function performVaultAccessApproval");
+  if (start < 0) throw new Error("performVaultAccessApproval not found");
+  const restAfter = gatewaySrc.slice(start + 1);
+  const endRel = restAfter.indexOf("\nasync function ");
+  return gatewaySrc.slice(start, start + 1 + (endRel >= 0 ? endRel : restAfter.length));
+}
+
+describe("performVaultAccessApproval injects a synthetic inbound on success (#1052)", () => {
+  const block = extractPerformBlock();
+
+  it("calls ipcServer.sendToAgent AFTER successful mint + token-write", () => {
+    // fails when: the auto-resume injection gets dropped. Pre-fix
+    // operator had to message the agent again to resume the task —
+    // the injection is the load-bearing wiring.
+    expect(block, "missing ipcServer.sendToAgent call").toMatch(/ipcServer\.sendToAgent\(/);
+    // Must run AFTER the mint-success path (i.e., after the
+    // `result.kind === 'error'` early-return guard).
+    const errorReturn = block.indexOf("result.kind === 'error'");
+    const sendIdx = block.indexOf("ipcServer.sendToAgent(");
+    expect(errorReturn).toBeGreaterThan(0);
+    expect(sendIdx, "sendToAgent must come AFTER the error-return early exit").toBeGreaterThan(errorReturn);
+  });
+
+  it("delegates inbound construction to buildVaultGrantApprovedInbound", () => {
+    // PR #1168 extracted the InboundMessage literals (meta.source,
+    // user, userId, meta.{agent,key,scope,grant_id,stage_id,operator_id})
+    // into `gateway/vault-grant-inbound-builders.ts`. The shape itself
+    // is now pinned by `vault-grant-inbound-builders.test.ts` against
+    // the builder directly. What this test still pins is the call-site
+    // contract: `performVaultAccessApproval` must keep wiring to the
+    // builder — a regression that inlines or replaces the builder
+    // would silently drop the meta fields downstream filters rely on.
+    expect(block).toMatch(/buildVaultGrantApprovedInbound\(/);
+  });
+
+  it("logs delivery outcome to stderr for forensics", () => {
+    // Mirrors the cron inject_inbound logging at gateway.ts:2470 so
+    // ops can confirm an injection actually delivered (vs the agent's
+    // bridge being down).
+    expect(block).toMatch(/vault_grant_approved injection[\s\S]*delivered/);
+  });
+});

package/telegram-plugin/tests/vault-grant-inbound-builders.test.ts

@@ -0,0 +1,226 @@
+/**
+ * Pin the InboundMessage shapes the gateway synthesizes when the
+ * operator taps Approve / Deny on a `vault_request_access` card
+ * (#1052 / #1150). A regression that drops a `meta.source` field, or
+ * changes the source string, would silently break the agent's wake-
+ * up — the bridge wouldn't recognize the source, the message would
+ * render as a generic channel event, and the model wouldn't know it
+ * was an approval response.
+ *
+ * These tests are the cheap regression guard. The wire shape is
+ * load-bearing — downstream filters / dashboards / future replay
+ * tooling may anchor on individual meta fields.
+ */
+
+import { describe, it, expect } from 'vitest'
+import {
+  buildVaultGrantApprovedInbound,
+  buildVaultGrantDeniedInbound,
+  type VaultGrantInboundContext,
+} from '../gateway/vault-grant-inbound-builders.js'
+
+const FIXED_NOW = 1_700_000_000_000
+
+const CTX_READ: VaultGrantInboundContext = {
+  agent: 'gymbro',
+  key: 'fatsecret/credentials',
+  scope: 'read',
+  chat_id: '8248703757',
+  ttl_seconds: 30 * 86400,
+}
+
+const CTX_WRITE: VaultGrantInboundContext = {
+  ...CTX_READ,
+  key: 'analytics/api-token',
+  scope: 'write',
+  ttl_seconds: 7 * 86400,
+}
+
+describe('buildVaultGrantApprovedInbound', () => {
+  it('emits the canonical envelope (type, chat_id, user, userId, ts, messageId)', () => {
+    const msg = buildVaultGrantApprovedInbound({
+      ctx: CTX_READ,
+      grantId: 'vg_a1b2c3',
+      stageId: 'stage-001',
+      operatorId: '8248703757',
+      nowMs: FIXED_NOW,
+    })
+    expect(msg.type).toBe('inbound')
+    expect(msg.chatId).toBe('8248703757')
+    expect(msg.user).toBe('vault-broker')
+    expect(msg.userId).toBe(0)
+    expect(msg.ts).toBe(FIXED_NOW)
+    // messageId is synthetic — pin that it equals ts so the gateway
+    // can produce a stable id under fake-clock tests without colliding
+    // with real Telegram messageIds.
+    expect(msg.messageId).toBe(FIXED_NOW)
+  })
+
+  it('pins meta.source = "vault_grant_approved" — load-bearing for the bridge', () => {
+    const msg = buildVaultGrantApprovedInbound({
+      ctx: CTX_READ,
+      grantId: 'vg_x',
+      stageId: 's',
+      operatorId: '1',
+    })
+    expect(msg.meta?.source).toBe('vault_grant_approved')
+  })
+
+  it('carries all forensic fields in meta', () => {
+    const msg = buildVaultGrantApprovedInbound({
+      ctx: CTX_READ,
+      grantId: 'vg_a1b2c3',
+      stageId: 'stage-001',
+      operatorId: '8248703757',
+    })
+    expect(msg.meta).toEqual({
+      source: 'vault_grant_approved',
+      agent: 'gymbro',
+      key: 'fatsecret/credentials',
+      scope: 'read',
+      grant_id: 'vg_a1b2c3',
+      stage_id: 'stage-001',
+      operator_id: '8248703757',
+    })
+  })
+
+  it('text names the key, scope, ttl-in-days, and grant id', () => {
+    const msg = buildVaultGrantApprovedInbound({
+      ctx: CTX_READ,
+      grantId: 'vg_a1b2c3',
+      stageId: 's',
+      operatorId: '1',
+    })
+    expect(msg.text).toContain('approved')
+    expect(msg.text).toContain('`fatsecret/credentials`')
+    expect(msg.text).toContain('scope=read')
+    expect(msg.text).toContain('30d')
+    expect(msg.text).toContain('grant=vg_a1b2c3')
+    // Instructional: tells the agent how to recover the value.
+    expect(msg.text).toContain('switchroom vault get')
+  })
+
+  it('rounds ttl_seconds to days', () => {
+    const ctx7d: VaultGrantInboundContext = { ...CTX_READ, ttl_seconds: 7 * 86400 }
+    const msg = buildVaultGrantApprovedInbound({
+      ctx: ctx7d,
+      grantId: 'vg_x',
+      stageId: 's',
+      operatorId: '1',
+    })
+    expect(msg.text).toContain('7d')
+  })
+
+  it('honors write scope in text + meta', () => {
+    const msg = buildVaultGrantApprovedInbound({
+      ctx: CTX_WRITE,
+      grantId: 'vg_x',
+      stageId: 's',
+      operatorId: '1',
+    })
+    expect(msg.text).toContain('scope=write')
+    expect(msg.meta?.scope).toBe('write')
+  })
+
+  it('defaults nowMs to Date.now() when omitted', () => {
+    const before = Date.now()
+    const msg = buildVaultGrantApprovedInbound({
+      ctx: CTX_READ,
+      grantId: 'vg_x',
+      stageId: 's',
+      operatorId: '1',
+    })
+    const after = Date.now()
+    expect(msg.ts).toBeGreaterThanOrEqual(before)
+    expect(msg.ts).toBeLessThanOrEqual(after)
+    expect(msg.messageId).toBe(msg.ts)
+  })
+})
+
+describe('buildVaultGrantDeniedInbound', () => {
+  it('pins meta.source = "vault_grant_denied" — the deny-side wake-up was added in #1156', () => {
+    const msg = buildVaultGrantDeniedInbound({
+      ctx: CTX_READ,
+      stageId: 's',
+      operatorId: '1',
+    })
+    expect(msg.meta?.source).toBe('vault_grant_denied')
+  })
+
+  it('omits grant_id (denial never mints a grant)', () => {
+    const msg = buildVaultGrantDeniedInbound({
+      ctx: CTX_READ,
+      stageId: 'stage-001',
+      operatorId: '8248703757',
+    })
+    expect(msg.meta).toEqual({
+      source: 'vault_grant_denied',
+      agent: 'gymbro',
+      key: 'fatsecret/credentials',
+      scope: 'read',
+      stage_id: 'stage-001',
+      operator_id: '8248703757',
+    })
+    expect((msg.meta as { grant_id?: string }).grant_id).toBeUndefined()
+  })
+
+  it('text steers toward a fallback path', () => {
+    const msg = buildVaultGrantDeniedInbound({
+      ctx: CTX_READ,
+      stageId: 's',
+      operatorId: '1',
+    })
+    expect(msg.text).toContain('denied')
+    expect(msg.text).toContain('`fatsecret/credentials`')
+    expect(msg.text).toContain('fallback')
+    // The "DO NOT re-request" line is load-bearing UX — prevents the
+    // model from spam-tapping a fresh request immediately after a
+    // deny. Pin it.
+    expect(msg.text).toMatch(/Do NOT re-request/)
+  })
+
+  it('shares envelope shape with the approve builder (type, user, chat)', () => {
+    const denied = buildVaultGrantDeniedInbound({
+      ctx: CTX_READ,
+      stageId: 's',
+      operatorId: '1',
+      nowMs: FIXED_NOW,
+    })
+    expect(denied.type).toBe('inbound')
+    expect(denied.user).toBe('vault-broker')
+    expect(denied.userId).toBe(0)
+    expect(denied.chatId).toBe('8248703757')
+    expect(denied.ts).toBe(FIXED_NOW)
+    expect(denied.messageId).toBe(FIXED_NOW)
+  })
+})
+
+describe('approve vs deny shape invariants', () => {
+  it('both emit type=inbound, user=vault-broker — bridge anchors on these', () => {
+    const approve = buildVaultGrantApprovedInbound({
+      ctx: CTX_READ, grantId: 'g', stageId: 's', operatorId: '1',
+    })
+    const deny = buildVaultGrantDeniedInbound({
+      ctx: CTX_READ, stageId: 's', operatorId: '1',
+    })
+    for (const m of [approve, deny]) {
+      expect(m.type).toBe('inbound')
+      expect(m.user).toBe('vault-broker')
+      expect(m.userId).toBe(0)
+    }
+  })
+
+  it('source strings are disjoint — no shared substring that could route both to the same handler', () => {
+    const approve = buildVaultGrantApprovedInbound({
+      ctx: CTX_READ, grantId: 'g', stageId: 's', operatorId: '1',
+    })
+    const deny = buildVaultGrantDeniedInbound({
+      ctx: CTX_READ, stageId: 's', operatorId: '1',
+    })
+    expect(approve.meta?.source).not.toBe(deny.meta?.source)
+    // Defensive: a fuzzy match like `meta.source.includes('approve')`
+    // shouldn't accidentally fire on the deny side. Pin the prefixes.
+    expect(String(approve.meta?.source)).toMatch(/^vault_grant_approved$/)
+    expect(String(deny.meta?.source)).toMatch(/^vault_grant_denied$/)
+  })
+})