
#23656: fix(routing): trust binding agentId even when not in agents.list

by SleuthCo open 2026-02-22 15:11
size: XS
## Summary

When a channel binding explicitly specifies an `agentId`, the routing layer should trust it even if that agent is not registered in `agents.list`. The current fallback to `resolveDefaultAgentId()` causes silent misdirection in multi-agent setups — messages intended for one agent are delivered to a different agent with no indication. This is security-relevant: cross-agent information leakage occurs when messages containing sensitive context for agent A are silently routed to agent B.

Supersedes #13780 (rebased against current HEAD after upstream refactored binding matching logic).

Fixes #13423

## Changes

- **resolve-route.ts**: Change `pickFirstExistingAgentId()` final fallback from `resolveDefaultAgentId(cfg)` to `trimmed` (the binding's explicit agentId).
- **resolve-route.test.ts**: New test case verifying binding agentId is trusted when not in agents.list.

## Test plan

- [ ] All 35 routing tests pass (`npx vitest run src/routing/resolve-route.test.ts`)
- [ ] Multi-agent Telegram setup: binding with `agentId: "main"` routes to main even when only "specialist" is in agents.list
- [ ] Default routing (no bindings) still works — falls through to default agent

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

<h3>Greptile Summary</h3>

Changed `pickFirstExistingAgentId()` to trust explicit `agentId` from bindings even when not in `agents.list`, fixing silent message misdirection in multi-agent setups.

- Previously fell back to default agent when binding's `agentId` wasn't in `agents.list`, causing cross-agent information leakage
- Now returns the binding's explicit `agentId` (still sanitized) to honor routing configuration
- Test validates that binding to "main" routes correctly even when only "specialist" is in `agents.list`
- Security fix: prevents messages for agent A from leaking to agent B

<h3>Confidence Score: 5/5</h3>

- Safe to merge - fixes a security issue with minimal risk
- The change is a focused 4-line fix with clear intent, comprehensive test coverage, and addresses a documented security issue (cross-agent information leakage). The agentId is still sanitized, preventing injection issues. The test explicitly validates both the fix and that existing behavior remains intact.
- No files require special attention

<sub>Last reviewed commit: 9281474</sub>
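
The fallback behaviour this PR describes, modeled as an added TypeScript example that is not the project's `resolve-route.ts`, together with a config check that reports bindings pointing at unlisted agents. The config shape, the `defaultId` field, `normalizeId` and all function names below are assumptions made for illustration.

```typescript
// Added illustration: a simplified model, not the project's routing code.
// Assumed shape: agents.list entries have an `id`; each binding has an `agentId`.
interface Cfg {
  agents: { list: { id: string }[]; defaultId: string };
  bindings: { channel: string; agentId: string }[];
}

// Hypothetical stand-in for the project's sanitisation of agent ids.
function normalizeId(raw: string): string {
  return raw.trim().toLowerCase();
}

// Returns the registered id matching agentId, or undefined when unlisted.
function listedId(cfg: Cfg, agentId: string): string | undefined {
  const wanted = normalizeId(agentId);
  return cfg.agents.list
    .map((a) => a.id)
    .filter((id) => normalizeId(id) === wanted)[0];
}

// "Before": an unlisted binding agentId silently becomes the default agent.
function pickWithDefaultFallback(cfg: Cfg, agentId: string): string {
  return listedId(cfg, agentId) ?? cfg.agents.defaultId;
}

// "After": the binding's explicit (normalized) agentId is returned as-is.
function pickTrustingBinding(cfg: Cfg, agentId: string): string {
  return listedId(cfg, agentId) ?? normalizeId(agentId);
}

// Config check: list bindings whose agentId has no entry in agents.list,
// so the mismatch is visible to the operator instead of being resolved silently.
function findUnlistedBindings(cfg: Cfg): string[] {
  return cfg.bindings
    .filter((b) => listedId(cfg, b.agentId) === undefined)
    .map((b) => `${b.channel} -> ${normalizeId(b.agentId)}`);
}

// Constructed sample config mirroring the PR's test plan:
// a binding to "main" while only "specialist" is registered.
const sampleCfg: Cfg = {
  agents: { list: [{ id: "specialist" }], defaultId: "specialist" },
  bindings: [
    { channel: "telegram", agentId: "main" },
    { channel: "slack", agentId: "specialist" },
  ],
};
```

Running `findUnlistedBindings` at config load surfaces the mismatch under either routing behaviour, which matters because the trusted id may have no registered agent behind it.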
