diff --git a/install.sh b/install.sh index c041796..db4913c 100755 --- a/install.sh +++ b/install.sh @@ -704,6 +704,12 @@ while [[ $# -gt 0 ]]; do exit 1 fi KIRO_FROM_SECRET="$2"; shift 2 ;; + --telegram-bot-token) + if [[ $# -lt 2 || "$2" == --* ]]; then + echo -e "\033[0;31m✗\033[0m --telegram-bot-token requires a token value" >&2 + exit 1 + fi + TELEGRAM_BOT_TOKEN_RAW="$2"; shift 2 ;; --telegram-bot-token-secret) if [[ $# -lt 2 || "$2" == --* ]]; then echo -e "\033[0;31m✗\033[0m --telegram-bot-token-secret requires a Secrets Manager id or arn" >&2 @@ -738,9 +744,11 @@ Options: --method Deploy method (default: cfn) --kiro-from-secret Secrets Manager id/arn for Kiro API key (kiro-cli headless mode) + --telegram-bot-token Telegram bot token (roundhouse pack; + saved to Secrets Manager automatically) --telegram-bot-token-secret Secrets Manager id/arn for Telegram bot token - (roundhouse pack) + (roundhouse pack, advanced/pre-created) --telegram-user Telegram username for bot pairing (roundhouse pack, without @) --debug-in-repo Dev-only: run installer from cwd @@ -909,6 +917,17 @@ prompt() { printf -v "$var" '%s' "${value:-$default}" } +prompt_secret() { + local text="$1" var="$2" default="${3:-}" + if [[ "$AUTO_YES" == true && -n "$default" ]]; then + printf -v "$var" '%s' "$default" + return + fi + local value + _gum_or_die value $GUM input --password --header "$text" --placeholder "$text" || value="$default" + printf -v "$var" '%s' "${value:-$default}" +} + confirm() { local text="$1" default="${2:-default_no}" if [[ "$AUTO_YES" == true ]]; then return 0; fi 
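Review bot: `--telegram-bot-token` takes the secret as a command-line argument, so for the life of the installer the token is readable by every local user via `ps` / `/proc/*/cmdline`, and it is usually retained in shell history and CI job logs as well; the interactive path added in the same commit already avoids this with `gum input --password`, which makes the argv form the weaker one. Accept `-` to read the token from stdin instead, e.g. `if [[ "$2" == "-" ]]; then IFS= read -r TELEGRAM_BOT_TOKEN_RAW || true; else TELEGRAM_BOT_TOKEN_RAW="$2"; fi` (the existing `"$2" == --*` guard does not reject a lone `-`), and state in the usage line that `printf '%s' "$TOKEN" | ./install.sh --telegram-bot-token -` is the recommended non-interactive form. The option-parsing loop and the usage text both continue outside this hunk.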
@@ -2985,14 +3004,24 @@ run_config_and_review() { # Pack-specific parameter collection (after build_deploy_params so we can amend) if [[ "${PACK_NAME:-}" == "roundhouse" ]]; then if [[ -z "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]]; then - echo "" - echo -e " ${BOLD}Roundhouse requires a Telegram bot token.${NC}" - echo -e " Store it in AWS Secrets Manager and provide the secret id/arn." - echo "" - prompt "Secrets Manager id for Telegram bot token" TELEGRAM_BOT_TOKEN_SECRET "" - if [[ -z "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]]; then - fail "Telegram bot token secret is required for roundhouse pack" + _RH_BOT_TOKEN="${TELEGRAM_BOT_TOKEN_RAW:-}" + if [[ -z "$_RH_BOT_TOKEN" ]]; then + echo "" + echo -e " ${BOLD}Roundhouse connects to Telegram.${NC}" + echo -e " Create a bot via @BotFather and paste the token below." + echo "" + prompt_secret "Telegram bot token" _RH_BOT_TOKEN "" + fi + if [[ -z "$_RH_BOT_TOKEN" ]]; then + fail "Telegram bot token is required for roundhouse pack" fi + # Validate token format + if [[ ! "$_RH_BOT_TOKEN" =~ ^[0-9]+:[A-Za-z0-9_-]+$ ]]; then + fail "Invalid Telegram bot token format (expected: 123456:ABC-DEF...)" + fi + # Secret name determined now; actual write deferred until after user confirms + _RH_SECRET_NAME="/lowkey/${ENV_NAME}/telegram-bot-token" + TELEGRAM_BOT_TOKEN_SECRET="$_RH_SECRET_NAME" fi if [[ -z "${TELEGRAM_USER:-}" ]]; then prompt "Telegram username (without @)" TELEGRAM_USER "" 
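Review bot: When both `--telegram-bot-token` and `--telegram-bot-token-secret` are supplied, the `-z "${TELEGRAM_BOT_TOKEN_SECRET:-}"` guard at the top of this block skips the raw-token path entirely, so the token the operator just typed is silently discarded and the deploy proceeds with whatever the pre-created secret holds, with no warning that the new value was never stored. Fail fast on the conflict before that guard: `if [[ -n "${TELEGRAM_BOT_TOKEN_RAW:-}" && -n "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]]; then fail "--telegram-bot-token and --telegram-bot-token-secret are mutually exclusive"; fi`. The same branch builds `_RH_SECRET_NAME` from `ENV_NAME` without any character check; if `ENV_NAME` is not validated elsewhere in the script, characters outside the Secrets Manager name alphabet will only surface later as a create-secret failure. run_config_and_review continues outside the hunk on both sides.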
@@ -3041,6 +3070,35 @@ main() { _telem_pack_selected 2>/dev/null || true _telem_method_selected 2>/dev/null || true + # Roundhouse: save bot token to Secrets Manager (deferred until after user confirmation) + if [[ -n "${_RH_BOT_TOKEN:-}" && -n "${_RH_SECRET_NAME:-}" ]]; then + info "Storing bot token in Secrets Manager: ${_RH_SECRET_NAME}" + local token_file + token_file=$(mktemp /tmp/lowkey-rh-token.XXXXXX) + chmod 600 "$token_file" + printf '%s' "$_RH_BOT_TOKEN" > "$token_file" + # Restore if in pending-deletion state + aws secretsmanager restore-secret --secret-id "$_RH_SECRET_NAME" --region "$DEPLOY_REGION" >/dev/null 2>&1 || true + local sm_err="" + if sm_err=$(aws secretsmanager create-secret \ + --name "$_RH_SECRET_NAME" \ + --secret-string "file://${token_file}" \ + --description "Telegram bot token for roundhouse pack (${ENV_NAME})" \ + --region "$DEPLOY_REGION" 2>&1); then + ok "Token saved to Secrets Manager" + elif sm_err=$(aws secretsmanager put-secret-value \ + --secret-id "$_RH_SECRET_NAME" \ + --secret-string "file://${token_file}" \ + --region "$DEPLOY_REGION" 2>&1); then + ok "Token updated in Secrets Manager" + else + rm -f "$token_file" + fail "Failed to save bot token to Secrets Manager: ${sm_err}" + fi + rm -f "$token_file" + unset _RH_BOT_TOKEN + fi + # Console deploy exits early (no clone, no bootstrap wait) if [[ "$DEPLOY_METHOD" == "$DEPLOY_CFN_CONSOLE" ]]; then TOTAL_STEPS=5
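Review bot: The plaintext token written to `$token_file` is removed only on the success and `fail` paths; a Ctrl-C, a lost network connection or a `set -e` abort during either `aws secretsmanager` call leaves `/tmp/lowkey-rh-token.*` on disk with the secret inside, because nothing in this hunk installs a `trap` for the file. A second issue is the `elif`: every create-secret failure, including AccessDenied or an invalid name derived from `ENV_NAME`, falls through to put-secret-value, whose error then overwrites the real cause in `sm_err`. Register a cleanup trap immediately after `mktemp` (fold it into the script's existing EXIT trap if one exists, which this hunk does not show) and only retry with put-secret-value when the create error is `ResourceExistsException`. main continues past the end of this hunk.

```shell
    token_file=$(mktemp /tmp/lowkey-rh-token.XXXXXX) || fail "mktemp failed"
    # Remove the plaintext copy on every exit path, including an interrupted upload
    trap 'rm -f -- "$token_file"' EXIT
    chmod 600 "$token_file"
    printf '%s' "$_RH_BOT_TOKEN" > "$token_file"
    # … unchanged: restore-secret, create-secret attempt into sm_err …
    elif [[ "$sm_err" == *ResourceExistsException* ]] && sm_err=$(aws secretsmanager put-secret-value \
        --secret-id "$_RH_SECRET_NAME" \
        --secret-string "file://${token_file}" \
        --region "$DEPLOY_REGION" 2>&1); then
      ok "Token updated in Secrets Manager"
    else
      # sm_err still holds the create-secret error when the secret did not already exist
      fail "Failed to save bot token to Secrets Manager: ${sm_err}"
    fi
    rm -f -- "$token_file"
    unset _RH_BOT_TOKEN
```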