CVE-2026-35637

@@ -8,45 +8,47 @@ Docs: https://docs.openclaw.ai
 
 ### Changes
 
-- ModelStudio/Qwen: add standard (pay-as-you-go) DashScope endpoints for China and global Qwen API keys alongside the existing Coding Plan endpoints, and relabel the provider group to `Qwen (Alibaba Cloud Model Studio)`. (#43878)
-- UI/clarity: consolidate button primitives (`btn--icon`, `btn--ghost`, `btn--xs`), refine the Knot theme to a black-and-red palette with WCAG 2.1 AA contrast, add config icons for Diagnostics/CLI/Secrets/ACP/MCP sections, replace the roundness slider with discrete stops, and improve accessibility with aria-labels across usage filters. (#53272) Thanks @BunsDev.
-- CSP/Control UI: compute SHA-256 hashes for inline `<script>` blocks in the served `index.html` and include them in the `script-src` CSP directive, keeping inline scripts blocked by default while allowing explicitly hashed bootstrap code. (#53307) Thanks @BunsDev.
-
 ### Fixes
 
-- Plugins/ClawHub: resolve plugin API compatibility against the active runtime version at install time, and add regression coverage for current `>=2026.3.22` ClawHub package checks so installs no longer fail behind the stale `1.2.0` constant. (#53157) Thanks @futhgar.
-- CLI/channel auth: auto-select the single login-capable configured channel for `channels login`/`logout` instead of relying on the outbound message-channel resolver, so env-only or non-auth channels no longer cause false ambiguity errors. (#53254) Thanks @BunsDev.
-- Control UI/auth: preserve operator scopes through the device-auth bypass path, ignore cached under-scoped operator tokens, and show a clear `operator.read` fallback message when a connection really lacks read scope, so operator sessions stop failing or blanking on read-backed pages. (#53110) Thanks @BunsDev.
-- Plugins/uninstall: accept installed `clawhub:` specs and versionless ClawHub package names as uninstall targets, so `openclaw plugins uninstall clawhub:<package>` works again even when the recorded install was pinned to a version.
-- Auth/OpenAI tokens: stop live gateway auth-profile writes from reverting freshly saved credentials back to stale in-memory values, and make `models auth paste-token` write to the resolved agent store, so Configure, Onboard, and token-paste flows stop snapping back to expired OpenAI tokens. Fixes #53207. Related to #45516.
-- Agents/failover: classify generic `api_error` payloads as retryable only when they include transient failure signals, so MiniMax-style backend failures still trigger model fallback without misclassifying billing, auth, or format/context errors. (#49611) Thanks @ayushozha.
-- Diagnostics/cache trace: strip credential fields from cache-trace JSONL output while preserving non-sensitive diagnostic fields and image redaction metadata.
-- Docs/Feishu: replace `botName` with `name` in the channel config examples so the docs match the strict account schema for per-account display names. (#52753) Thanks @haroldfabla2-hue.
-- Doctor/plugins: make `openclaw doctor --fix` remove stale `plugins.allow` and `plugins.entries` refs left behind after plugin removal. Thanks @sallyom
-- Agents/replay: canonicalize malformed assistant transcript content before session-history sanitization so legacy or corrupted assistant turns stop crashing Pi replay and subagent recovery paths.
-- ClawHub/skills: keep updating already-tracked legacy Unicode slugs after the ASCII-only slug hardening, so older installs do not get stuck behind `Invalid skill slug` errors during `openclaw skills update`. (#53206) Thanks @drobison00.
-- Infra/exec trust: preserve shell-multiplexer wrapper binaries for policy checks without breaking approved-command reconstruction, so BusyBox/ToyBox allowlist and audit flows bind to the real wrapper while execution plans stay coherent. (#53134) Thanks @vincentkoc.
-- LINE/runtime-api: pre-export overlapping runtime symbols before the `line-runtime` star export so jiti no longer throws `TypeError: Cannot redefine property` on startup. (#53221) Thanks @Drickon.
-- CLI/cron: make `openclaw cron add|edit --at ... --tz <iana>` honor the requested local wall-clock time for offset-less one-shot datetimes, including DST boundaries, and keep `--tz` rejected for `--every`. (#53224) Thanks @RolfHegr.
-- Commands/auth: stop slash-command authorization from crashing or dropping valid allowlists when channel `allowFrom` resolution hits unresolved SecretRef-backed accounts, and fail closed only for the affected provider inference path. (#52791) Thanks @Lukavyi.
-
 ## 2026.3.23
 
 ### Breaking
 
 ### Changes
 
+- ModelStudio/Qwen: add standard (pay-as-you-go) DashScope endpoints for China and global Qwen API keys alongside the existing Coding Plan endpoints, and relabel the provider group to `Qwen (Alibaba Cloud Model Studio)`. (#43878)
+- UI/clarity: consolidate button primitives (`btn--icon`, `btn--ghost`, `btn--xs`), refine the Knot theme to a black-and-red palette with WCAG 2.1 AA contrast, add config icons for Diagnostics/CLI/Secrets/ACP/MCP sections, replace the roundness slider with discrete stops, and improve accessibility with aria-labels across usage filters. (#53272) Thanks @BunsDev.
+- CSP/Control UI: compute SHA-256 hashes for inline `<script>` blocks in the served `index.html` and include them in the `script-src` CSP directive, keeping inline scripts blocked by default while allowing explicitly hashed bootstrap code. (#53307) Thanks @BunsDev.
+
 ### Fixes
 
+- Plugins/bundled runtimes: ship bundled plugin runtime sidecars like WhatsApp `light-runtime-api.js`, Matrix `runtime-api.js`, and other plugin runtime entry files in the npm package again, so global installs stop failing on missing bundled plugin runtime surfaces.
+- CLI/channel auth: auto-select the single configured login-capable channel for `channels login`/`logout`, harden channel ids against prototype-chain and control-character abuse, and fall back cleanly to catalog-backed channel installs, so channel auth works again for single-channel setups and on-demand channel installs. (#53254) Thanks @BunsDev.
+- Auth/OpenAI tokens: stop live gateway auth-profile writes from reverting freshly saved credentials back to stale in-memory values, and make `models auth paste-token` write to the resolved agent store, so Configure, Onboard, and token-paste flows stop snapping back to expired OpenAI tokens. Fixes #53207. Related to #45516.
+- Control UI/auth: preserve operator scopes through the device-auth bypass path, ignore cached under-scoped operator tokens, and show a clear `operator.read` fallback message when a connection really lacks read scope, so operator sessions stop failing or blanking on read-backed pages. (#53110) Thanks @BunsDev.
+- Plugins/ClawHub: resolve plugin API compatibility against the active runtime version at install time, and add regression coverage for current `>=2026.3.22` ClawHub package checks so installs no longer fail behind the stale `1.2.0` constant. (#53157) Thanks @futhgar.
+- Plugins/uninstall: accept installed `clawhub:` specs and versionless ClawHub package names as uninstall targets, so `openclaw plugins uninstall clawhub:<package>` works again even when the recorded install was pinned to a version.
 - Browser/Chrome MCP: wait for existing-session browser tabs to become usable after attach instead of treating the initial Chrome MCP handshake as ready, which reduces user-profile timeouts and repeated consent churn on macOS Chrome attach flows. Fixes #52930. Thanks @vincentkoc.
 - Browser/CDP: reuse an already-running loopback browser after a short initial reachability miss instead of immediately falling back to relaunch detection, which fixes second-run browser start/open regressions on slower headless Linux setups. Fixes #53004. Thanks @vincentkoc.
+- Agents/web_search: use the active runtime `web_search` provider instead of stale/default selection, so agent turns keep hitting the provider you actually configured. Fixes #53020. Thanks @jzakirov.
+- Mistral/models: lower bundled Mistral max-token defaults to safe output budgets and teach `openclaw doctor --fix` to repair old persisted Mistral provider configs that still carry context-sized output limits, avoiding deterministic Mistral 422 rejects on fresh and existing setups. Fixes #52599. Thanks @vincentkoc.
 - ClawHub/macOS auth: honor macOS auth config and XDG auth paths for saved ClawHub credentials, so `openclaw skills ...` and gateway skill browsing keep using the signed-in auth state instead of silently falling back to unauthenticated mode. Fixes #53034.
 - ClawHub/macOS: read the local ClawHub login from the macOS Application Support path and still honor XDG config on macOS, so skill browsing uses the logged-in token on both default and XDG-style setups. Fixes #52949. Thanks @scoootscooob.
 - ClawHub/skills: resolve the local ClawHub auth token for gateway skill browsing and switch browse-all requests to search so ClawControl stops falling into unauthenticated 429s and empty authenticated skill lists. Fixes #52949. Thanks @vincentkoc.
+- Config/warnings: suppress the confusing “newer OpenClaw” warning when a config written by a same-base correction release like `2026.3.23-2` is read by `2026.3.23`, while still warning for truly newer or incompatible versions.
+- CLI/cron: make `openclaw cron add|edit --at ... --tz <iana>` honor the requested local wall-clock time for offset-less one-shot datetimes, including DST boundaries, and keep `--tz` rejected for `--every`. (#53224) Thanks @RolfHegr.
+- Commands/auth: stop slash-command authorization from crashing or dropping valid allowlists when channel `allowFrom` resolution hits unresolved SecretRef-backed accounts, and fail closed only for the affected provider inference path. (#52791) Thanks @Lukavyi.
+- Agents/failover: classify generic `api_error` payloads as retryable only when they include transient failure signals, so MiniMax-style backend failures still trigger model fallback without misclassifying billing, auth, or format/context errors. (#49611) Thanks @ayushozha.
+- LINE/runtime-api: pre-export overlapping runtime symbols before the `line-runtime` star export so jiti no longer throws `TypeError: Cannot redefine property` on startup. (#53221) Thanks @Drickon.
+- Telegram/threading: populate `currentThreadTs` in the threading tool-context fallback for Telegram DM topics so thread-aware tools still receive the active topic context when the main thread metadata is missing. (#52217)
+- Diagnostics/cache trace: strip credential fields from cache-trace JSONL output while preserving non-sensitive diagnostic fields and image redaction metadata.
+- Docs/Feishu: replace `botName` with `name` in the channel config examples so the docs match the strict account schema for per-account display names. (#52753) Thanks @haroldfabla2-hue.
+- Doctor/plugins: make `openclaw doctor --fix` remove stale `plugins.allow` and `plugins.entries` refs left behind after plugin removal. Thanks @sallyom
+- Agents/replay: canonicalize malformed assistant transcript content before session-history sanitization so legacy or corrupted assistant turns stop crashing Pi replay and subagent recovery paths.
+- ClawHub/skills: keep updating already-tracked legacy Unicode slugs after the ASCII-only slug hardening, so older installs do not get stuck behind `Invalid skill slug` errors during `openclaw skills update`. (#53206) Thanks @drobison00.
+- Infra/exec trust: preserve shell-multiplexer wrapper binaries for policy checks without breaking approved-command reconstruction, so BusyBox/ToyBox allowlist and audit flows bind to the real wrapper while execution plans stay coherent. (#53134) Thanks @vincentkoc.
 - Plugins/message tool: make Discord `components` and Slack `blocks` optional again, and route Feishu `message(..., media=...)` sends through the outbound media path, so pin/unpin/react flows stop failing schema validation and Feishu file/image attachments actually send. Fixes #52970 and #52962. Thanks @vincentkoc.
 - Gateway/model pricing: stop `openrouter/auto` pricing refresh from recursing indefinitely during bootstrap, so OpenRouter auto routes can populate cached pricing and `usage.cost` again. Fixes #53035. Thanks @vincentkoc.
-- Mistral/models: lower bundled Mistral max-token defaults to safe output budgets and teach `openclaw doctor --fix` to repair old persisted Mistral provider configs that still carry context-sized output limits, avoiding deterministic Mistral 422 rejects on fresh and existing setups. Fixes #52599. Thanks @vincentkoc.
-- Agents/web_search: use the active runtime `web_search` provider instead of stale/default selection, so agent turns keep hitting the provider you actually configured. Fixes #53020. Thanks @jzakirov.
 - Models/OpenAI Codex OAuth: bootstrap the env-configured HTTP/HTTPS proxy dispatcher on the stored-credential refresh path before token renewal runs, so expired Codex OAuth profiles can refresh successfully in proxy-required environments instead of locking users out after the first token expiry.
 - Models/OpenAI Codex OAuth and Plugins/MiniMax OAuth: ensure env-configured HTTP/HTTPS proxy dispatchers are initialized before OAuth preflight and token exchange requests so proxy-required environments can complete MiniMax and OpenAI Codex sign-in flows again. (#52228; fixes #51619, #51569) Thanks @openperf.
 - Plugins/memory-lancedb: bootstrap LanceDB into plugin runtime state on first use when the bundled npm install does not already have it, so `plugins.slots.memory="memory-lancedb"` works again after global npm installs without moving LanceDB into OpenClaw core dependencies. Fixes #26100.

@@ -2620,7 +2620,7 @@
           "exportName": "resolveCommandAuthorization",
           "kind": "function",
           "source": {
-            "line": 303,
+            "line": 440,
             "path": "src/auto-reply/command-auth.ts"
           }
         },

@@ -287,7 +287,7 @@
 {"declaration":"export function parseCommandArgs(command: ChatCommandDefinition, raw?: string | undefined): CommandArgs | undefined;","entrypoint":"command-auth","exportName":"parseCommandArgs","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":254,"sourcePath":"src/auto-reply/commands-registry.ts"}
 {"declaration":"export function resolveCommandArgChoices(params: { command: ChatCommandDefinition; arg: CommandArgDefinition; cfg?: OpenClawConfig | undefined; provider?: string | undefined; model?: string | undefined; }): ResolvedCommandArgChoice[];","entrypoint":"command-auth","exportName":"resolveCommandArgChoices","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":316,"sourcePath":"src/auto-reply/commands-registry.ts"}
 {"declaration":"export function resolveCommandArgMenu(params: { command: ChatCommandDefinition; args?: CommandArgs | undefined; cfg?: OpenClawConfig | undefined; }): { arg: CommandArgDefinition; choices: ResolvedCommandArgChoice[]; title?: string | undefined; } | null;","entrypoint":"command-auth","exportName":"resolveCommandArgMenu","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":346,"sourcePath":"src/auto-reply/commands-registry.ts"}
-{"declaration":"export function resolveCommandAuthorization(params: { ctx: MsgContext; cfg: OpenClawConfig; commandAuthorized: boolean; }): CommandAuthorization;","entrypoint":"command-auth","exportName":"resolveCommandAuthorization","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":303,"sourcePath":"src/auto-reply/command-auth.ts"}
+{"declaration":"export function resolveCommandAuthorization(params: { ctx: MsgContext; cfg: OpenClawConfig; commandAuthorized: boolean; }): CommandAuthorization;","entrypoint":"command-auth","exportName":"resolveCommandAuthorization","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":440,"sourcePath":"src/auto-reply/command-auth.ts"}
 {"declaration":"export function resolveCommandAuthorizedFromAuthorizers(params: { useAccessGroups: boolean; authorizers: CommandAuthorizer[]; modeWhenAccessGroupsOff?: CommandGatingModeWhenAccessGroupsOff | undefined; }): boolean;","entrypoint":"command-auth","exportName":"resolveCommandAuthorizedFromAuthorizers","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":8,"sourcePath":"src/channels/command-gating.ts"}
 {"declaration":"export function resolveControlCommandGate(params: { useAccessGroups: boolean; authorizers: CommandAuthorizer[]; allowTextCommands: boolean; hasControlCommand: boolean; modeWhenAccessGroupsOff?: CommandGatingModeWhenAccessGroupsOff | undefined; }): { ...; };","entrypoint":"command-auth","exportName":"resolveControlCommandGate","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":31,"sourcePath":"src/channels/command-gating.ts"}
 {"declaration":"export function resolveDirectDmAuthorizationOutcome(params: { isGroup: boolean; dmPolicy: string; senderAllowedForCommands: boolean; }): \"disabled\" | \"unauthorized\" | \"allowed\";","entrypoint":"command-auth","exportName":"resolveDirectDmAuthorizationOutcome","importSpecifier":"openclaw/plugin-sdk/command-auth","kind":"function","recordType":"export","sourceLine":120,"sourcePath":"src/plugin-sdk/command-auth.ts"}

@@ -101,6 +101,7 @@ Docs: https://docs.openclaw.ai
 - Docs/Mintlify: fix MDX marker syntax on Perplexity, Model Providers, Moonshot, and exec approvals pages so local docs preview no longer breaks rendering or leaves stale pages unpublished. (#46695) Thanks @velvet-shark.
 - Gateway/config validation: stop treating the implicit default memory slot as a required explicit plugin config, so startup no longer fails with `plugins.slots.memory: plugin not found: memory-core` when `memory-core` was only inferred. (#47494) Thanks @ngutman.
 - Tlon: honor explicit empty allowlists and defer cite expansion. (#46788) Thanks @zpbrent and @vincentkoc.
+- Tlon/DM auth: defer cited-message expansion until after DM authorization and owner command handling, so unauthorized DMs and owner approval/admin commands no longer trigger cross-channel cite fetches before the deny or command path.
 - Nodes/pending actions: re-check queued foreground actions against the current node command policy before returning them to the node. (#46815) Thanks @zpbrent and @vincentkoc.
 - Node/startup: remove leftover debug `console.log("node host PATH: ...")` that printed the resolved PATH on every `openclaw node run` invocation. (#46515) Fixes #46411. Thanks @ademczuk.
 - CLI/completion: reduce recursive completion-script string churn and fix nested PowerShell command-path matching so generated nested completions resolve on PowerShell too. (#45537) Thanks @yiShanXin and @vincentkoc.

@@ -36,6 +36,7 @@ import {
   stripBotMention,
   isDmAllowed,
   isSummarizationRequest,
+  resolveAuthorizedMessageText,
   type ParsedCite,
 } from "./utils.js";
 
@@ -1245,9 +1246,12 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
         }
       }
 
-      // Resolve quoted content only after the sender passed channel authorization.
-      const citedContent = await resolveAllCites(content.content);
-      const messageText = citedContent + rawText;
+      const messageText = await resolveAuthorizedMessageText({
+        rawText,
+        content: content.content,
+        authorizedForCites: true,
+        resolveAllCites,
+      });
 
       const parsed = parseChannelNest(nest);
       await processMessage({
@@ -1370,8 +1374,6 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
       if (!rawText.trim()) {
         return;
       }
-      const citedContent = await resolveAllCites(essay.content);
-      const resolvedMessageText = citedContent + rawText;
 
       // Check if this is the owner sending an approval response
       const messageText = rawText;
@@ -1394,6 +1396,12 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
 
       // Owner is always allowed to DM (bypass allowlist)
       if (isOwner(senderShip)) {
+        const resolvedMessageText = await resolveAuthorizedMessageText({
+          rawText,
+          content: essay.content,
+          authorizedForCites: true,
+          resolveAllCites,
+        });
         runtime.log?.(`[tlon] Processing DM from owner ${senderShip}`);
         await processMessage({
           messageId: messageId ?? "",
@@ -1429,9 +1437,14 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
       }
 
       await processMessage({
+        messageText: await resolveAuthorizedMessageText({
+          rawText,
+          content: essay.content,
+          authorizedForCites: true,
+          resolveAllCites,
+        }),
         messageId: messageId ?? "",
         senderShip,
-        messageText: resolvedMessageText,
         messageContent: essay.content, // Pass raw content for media extraction
         isGroup: false,
         timestamp: essay.sent || Date.now(),

@@ -161,6 +161,24 @@ export function isGroupInviteAllowed(
   return allowlist.map((ship) => normalizeShip(ship)).some((ship) => ship === normalizedInviter);
 }
 
+/**
+ * Resolve quoted/cited content only after the caller has passed authorization.
+ * Unauthorized paths must keep raw text and must not trigger cross-channel cite fetches.
+ */
+export async function resolveAuthorizedMessageText(params: {
+  rawText: string;
+  content: unknown;
+  authorizedForCites: boolean;
+  resolveAllCites: (content: unknown) => Promise<string>;
+}): Promise<string> {
+  const { rawText, content, authorizedForCites, resolveAllCites } = params;
+  if (!authorizedForCites) {
+    return rawText;
+  }
+  const citedContent = await resolveAllCites(content);
+  return citedContent + rawText;
+}
+
 // Helper to recursively extract text from inline content
 function renderInlineItem(
   item: any,

@@ -8,12 +8,14 @@
  * - Bot mention detection boundaries
  */
 
-import { describe, expect, it } from "vitest";
+import { describe, expect, it, vi } from "vitest";
 import {
+  extractCites,
   isDmAllowed,
   isGroupInviteAllowed,
   isBotMentioned,
   extractMessageText,
+  resolveAuthorizedMessageText,
 } from "./monitor/utils.js";
 import { normalizeShip } from "./targets.js";
 
@@ -340,6 +342,186 @@ describe("Security: Authorization Edge Cases", () => {
   });
 });
 
+describe("Security: Cite Resolution Authorization Ordering", () => {
+  async function resolveAllCitesForPoC(
+    content: unknown,
+    api: { scry: (path: string) => Promise<unknown> },
+  ): Promise<string> {
+    const cites = extractCites(content);
+    if (cites.length === 0) {
+      return "";
+    }
+
+    const resolved: string[] = [];
+    for (const cite of cites) {
+      if (cite.type !== "chan" || !cite.nest || !cite.postId) {
+        continue;
+      }
+      const data = (await api.scry(`/channels/v4/${cite.nest}/posts/post/${cite.postId}.json`)) as {
+        essay?: { content?: unknown };
+      };
+      const text = data?.essay?.content ? extractMessageText(data.essay.content) : "";
+      if (text) {
+        resolved.push(`> ${cite.author || "unknown"} wrote: ${text}`);
+      }
+    }
+
+    return resolved.length > 0 ? resolved.join("\n") + "\n\n" : "";
+  }
+
+  function buildCitedMessage(
+    secretNest = "chat/~private-ship/ops",
+    postId = "1701411845077995094",
+  ) {
+    return [
+      {
+        block: {
+          cite: {
+            chan: {
+              nest: secretNest,
+              where: `/msg/~victim-ship/${postId}`,
+            },
+          },
+        },
+      },
+      { inline: ["~bot-ship please summarize this"] },
+    ];
+  }
+
+  it("does not resolve channel cites for unauthorized senders", async () => {
+    const content = buildCitedMessage();
+    const rawText = extractMessageText(content);
+    const api = {
+      scry: vi.fn(async () => ({
+        essay: { content: [{ inline: ["TOP-SECRET"] }] },
+      })),
+    };
+
+    const messageText = await resolveAuthorizedMessageText({
+      rawText,
+      content,
+      authorizedForCites: false,
+      resolveAllCites: (nextContent) => resolveAllCitesForPoC(nextContent, api),
+    });
+
+    expect(messageText).toBe(rawText);
+    expect(api.scry).not.toHaveBeenCalled();
+  });
+
+  it("resolves channel cites after sender authorization passes", async () => {
+    const secretNest = "chat/~private-ship/ops";
+    const postId = "170141184507799509469114119040828178432";
+    const content = buildCitedMessage(secretNest, postId);
+    const rawText = extractMessageText(content);
+    const api = {
+      scry: vi.fn(async (path: string) => {
+        expect(path).toBe(`/channels/v4/${secretNest}/posts/post/${postId}.json`);
+        return {
+          essay: { content: [{ inline: ["TOP-SECRET: migration key is rotate-me"] }] },
+        };
+      }),
+    };
+
+    const messageText = await resolveAuthorizedMessageText({
+      rawText,
+      content,
+      authorizedForCites: true,
+      resolveAllCites: (nextContent) => resolveAllCitesForPoC(nextContent, api),
+    });
+
+    expect(api.scry).toHaveBeenCalledTimes(1);
+    expect(messageText).toContain("TOP-SECRET: migration key is rotate-me");
+    expect(messageText).toContain("> ~victim-ship wrote: TOP-SECRET: migration key is rotate-me");
+  });
+
+  it("does not resolve DM cites before a deny path", async () => {
+    const content = buildCitedMessage("chat/~secret-dm/ops", "1701411845077995095");
+    const rawText = extractMessageText(content);
+    const senderShip = "~attacker-ship";
+    const allowlist = ["~trusted-ship"];
+    const api = {
+      scry: vi.fn(async () => ({
+        essay: { content: [{ inline: ["DM-SECRET"] }] },
+      })),
+    };
+
+    const senderAllowed = allowlist
+      .map((ship) => normalizeShip(ship))
+      .includes(normalizeShip(senderShip));
+    expect(senderAllowed).toBe(false);
+
+    const messageText = await resolveAuthorizedMessageText({
+      rawText,
+      content,
+      authorizedForCites: senderAllowed,
+      resolveAllCites: (nextContent) => resolveAllCitesForPoC(nextContent, api),
+    });
+
+    expect(messageText).toBe(rawText);
+    expect(api.scry).not.toHaveBeenCalled();
+  });
+
+  it("does not resolve DM cites before owner approval command handling", async () => {
+    const content = [
+      {
+        block: {
+          cite: {
+            chan: {
+              nest: "chat/~private-ship/admin",
+              where: "/msg/~victim-ship/1701411845077995096",
+            },
+          },
+        },
+      },
+      { inline: ["/approve 1"] },
+    ];
+    const rawText = extractMessageText(content);
+    const api = {
+      scry: vi.fn(async () => ({
+        essay: { content: [{ inline: ["ADMIN-SECRET"] }] },
+      })),
+    };
+
+    const messageText = await resolveAuthorizedMessageText({
+      rawText,
+      content,
+      authorizedForCites: false,
+      resolveAllCites: (nextContent) => resolveAllCitesForPoC(nextContent, api),
+    });
+
+    expect(rawText).toContain("/approve 1");
+    expect(messageText).toBe(rawText);
+    expect(messageText).not.toContain("ADMIN-SECRET");
+    expect(api.scry).not.toHaveBeenCalled();
+  });
+
+  it("resolves DM cites for allowed senders after authorization passes", async () => {
+    const secretNest = "chat/~private-ship/dm";
+    const postId = "1701411845077995097";
+    const content = buildCitedMessage(secretNest, postId);
+    const rawText = extractMessageText(content);
+    const api = {
+      scry: vi.fn(async (path: string) => {
+        expect(path).toBe(`/channels/v4/${secretNest}/posts/post/${postId}.json`);
+        return {
+          essay: { content: [{ inline: ["ALLOWED-DM-SECRET"] }] },
+        };
+      }),
+    };
+
+    const messageText = await resolveAuthorizedMessageText({
+      rawText,
+      content,
+      authorizedForCites: true,
+      resolveAllCites: (nextContent) => resolveAllCitesForPoC(nextContent, api),
+    });
+
+    expect(api.scry).toHaveBeenCalledTimes(1);
+    expect(messageText).toContain("ALLOWED-DM-SECRET");
+    expect(messageText).toContain("> ~victim-ship wrote: ALLOWED-DM-SECRET");
+  });
+});
+
 describe("Security: Sender Role Identification", () => {
   /**
    * Tests for sender role identification (owner vs user).

@@ -301,7 +301,7 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
         `[tlon] Using autoDiscoverChannels from settings store: ${effectiveAutoDiscoverChannels}`,
       );
     }
-    if (currentSettings.dmAllowlist?.length) {
+    if (currentSettings.dmAllowlist !== undefined) {
       effectiveDmAllowlist = currentSettings.dmAllowlist;
       runtime.log?.(
         `[tlon] Using dmAllowlist from settings store: ${effectiveDmAllowlist.join(", ")}`,
@@ -322,7 +322,7 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
         `[tlon] Using autoAcceptGroupInvites from settings store: ${effectiveAutoAcceptGroupInvites}`,
       );
     }
-    if (currentSettings.groupInviteAllowlist?.length) {
+    if (currentSettings.groupInviteAllowlist !== undefined) {
       effectiveGroupInviteAllowlist = currentSettings.groupInviteAllowlist;
       runtime.log?.(
         `[tlon] Using groupInviteAllowlist from settings store: ${effectiveGroupInviteAllowlist.join(", ")}`,
@@ -1176,17 +1176,14 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
         return;
       }
 
-      // Resolve any cited/quoted messages first
-      const citedContent = await resolveAllCites(content.content);
       const rawText = extractMessageText(content.content);
-      const messageText = citedContent + rawText;
-      if (!messageText.trim()) {
+      if (!rawText.trim()) {
         return;
       }
 
       cacheMessage(nest, {
         author: senderShip,
-        content: messageText,
+        content: rawText,
         timestamp: content.sent || Date.now(),
         id: messageId,
       });
@@ -1200,7 +1197,7 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
       // Check if we should respond:
       // 1. Direct mention always triggers response
       // 2. Thread replies where we've participated - respond if relevant (let agent decide)
-      const mentioned = isBotMentioned(messageText, botShipName, botNickname ?? undefined);
+      const mentioned = isBotMentioned(rawText, botShipName, botNickname ?? undefined);
       const inParticipatedThread =
         isThreadReply && parentId && participatedThreads.has(String(parentId));
 
@@ -1227,10 +1224,10 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
                 type: "channel",
                 requestingShip: senderShip,
                 channelNest: nest,
-                messagePreview: messageText.substring(0, 100),
+                messagePreview: rawText.substring(0, 100),
                 originalMessage: {
                   messageId: messageId ?? "",
-                  messageText,
+                  messageText: rawText,
                   messageContent: content.content,
                   timestamp: content.sent || Date.now(),
                   parentId: parentId ?? undefined,
@@ -1248,6 +1245,10 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
         }
       }
 
+      // Resolve quoted content only after the sender passed channel authorization.
+      const citedContent = await resolveAllCites(content.content);
+      const messageText = citedContent + rawText;
+
       const parsed = parseChannelNest(nest);
       await processMessage({
         messageId: messageId ?? "",
@@ -1365,15 +1366,15 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
         );
       }
 
-      // Resolve any cited/quoted messages first
-      const citedContent = await resolveAllCites(essay.content);
       const rawText = extractMessageText(essay.content);
-      const messageText = citedContent + rawText;
-      if (!messageText.trim()) {
+      if (!rawText.trim()) {
         return;
       }
+      const citedContent = await resolveAllCites(essay.content);
+      const resolvedMessageText = citedContent + rawText;
 
       // Check if this is the owner sending an approval response
+      const messageText = rawText;
       if (isOwner(senderShip) && isApprovalResponse(messageText)) {
         const handled = await handleApprovalResponse(messageText);
         if (handled) {
@@ -1397,7 +1398,7 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
         await processMessage({
           messageId: messageId ?? "",
           senderShip,
-          messageText,
+          messageText: resolvedMessageText,
           messageContent: essay.content,
           isGroup: false,
           timestamp: essay.sent || Date.now(),
@@ -1430,7 +1431,7 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
       await processMessage({
         messageId: messageId ?? "",
         senderShip,
-        messageText,
+        messageText: resolvedMessageText,
         messageContent: essay.content, // Pass raw content for media extraction
         isGroup: false,
         timestamp: essay.sent || Date.now(),
@@ -1524,8 +1525,7 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
 
       // Update DM allowlist
       if (newSettings.dmAllowlist !== undefined) {
-        effectiveDmAllowlist =
-          newSettings.dmAllowlist.length > 0 ? newSettings.dmAllowlist : account.dmAllowlist;
+        effectiveDmAllowlist = newSettings.dmAllowlist;
         runtime.log?.(`[tlon] Settings: dmAllowlist updated to ${effectiveDmAllowlist.join(", ")}`);
       }
 
@@ -1551,10 +1551,7 @@ export async function monitorTlonProvider(opts: MonitorTlonOpts = {}): Promise<v
 
       // Update group invite allowlist
       if (newSettings.groupInviteAllowlist !== undefined) {
-        effectiveGroupInviteAllowlist =
-          newSettings.groupInviteAllowlist.length > 0
-            ? newSettings.groupInviteAllowlist
-            : account.groupInviteAllowlist;
+        effectiveGroupInviteAllowlist = newSettings.groupInviteAllowlist;
         runtime.log?.(
           `[tlon] Settings: groupInviteAllowlist updated to ${effectiveGroupInviteAllowlist.join(", ")}`,
         );