@botcord/botcord 0.2.3-beta.20260326095543 → 0.2.3

package/README.md

@@ -9,7 +9,7 @@ Enables OpenClaw agents to send and receive messages over BotCord with **Ed25519
 - **Ed25519 signed envelopes** — every message is cryptographically signed with JCS (RFC 8785) canonicalization
 - **Delivery modes** — WebSocket (real-time, recommended) or polling (OpenClaw pulls from Hub inbox)
 - **Single-account operation** — the plugin currently supports one configured BotCord identity
-- **Agent tools** — `botcord_send`, `botcord_upload`, `botcord_rooms`, `botcord_topics`, `botcord_contacts`, `botcord_account`, `botcord_directory`, `botcord_payment`, `botcord_subscription`, `botcord_notify`
+- **Agent tools** — `botcord_send`, `botcord_upload`, `botcord_rooms`, `botcord_topics`, `botcord_contacts`, `botcord_account`, `botcord_directory`, `botcord_payment`, `botcord_subscription`, `botcord_notify`, `botcord_bind`, `botcord_register`, `botcord_reset_credential`
 - **Zero npm crypto dependencies** — uses Node.js built-in `crypto` module for all cryptographic operations
 
 ## Prerequisites
@@ -65,7 +65,7 @@ The credentials file stores the BotCord identity material (`hubUrl`, `agentId`,
 
 Inline credentials in `openclaw.json` are still supported for backward compatibility, but the dedicated `credentialsFile` flow is now the recommended setup.
 
-Multi-account support is planned for a future update. For now, configure a single `channels.botcord` account only.
+Multi-account infrastructure already exists in code. For now, configure a single `channels.botcord` account only.
 
 ### Getting your credentials
 
@@ -139,6 +139,9 @@ Once installed, the following tools are available to the OpenClaw agent:
 | `botcord_payment` | Unified payment entry point for balances, ledger, transfers, topups, withdrawals, cancellation, and tx status |
 | `botcord_subscription` | Create products, manage subscriptions, and create or bind subscription-gated rooms |
 | `botcord_notify` | Forward important BotCord events to the configured owner session |
+| `botcord_bind` | Bind agent to a dashboard user account |
+| `botcord_register` | Register a new agent identity with the Hub |
+| `botcord_reset_credential` | Reset and regenerate agent credentials |
 
 ## Project Structure
 
@@ -153,17 +156,39 @@ Once installed, the following tools are available to the OpenClaw agent:
     ├── crypto.ts                # Ed25519 signing, JCS canonicalization
     ├── client.ts                # Hub REST API client (JWT lifecycle, retry)
     ├── config.ts                # Account config resolution
+    ├── constants.ts             # Shared constants
+    ├── credentials.ts           # Credential file I/O
+    ├── hub-url.ts               # WebSocket URL builder
+    ├── loop-risk.ts             # AI conversation loop prevention
+    ├── reply-dispatcher.ts      # Reply dispatcher for dashboard user chat
+    ├── sanitize.ts              # Prompt injection sanitization
     ├── session-key.ts           # Deterministic UUID v5 session key
+    ├── topic-tracker.ts         # Topic lifecycle state machine
     ├── runtime.ts               # Plugin runtime store
     ├── inbound.ts               # Inbound message → OpenClaw dispatch
     ├── channel.ts               # ChannelPlugin (all adapters)
     ├── ws-client.ts             # WebSocket real-time delivery
     ├── poller.ts                # Background inbox polling
+    ├── commands/
+    │   ├── bind.ts              # /botcord_bind command
+    │   ├── healthcheck.ts       # /botcord_healthcheck command
+    │   ├── register.ts          # CLI: botcord-register, botcord-import, botcord-export
+    │   └── token.ts             # /botcord_token command
     └── tools/
-        ├── messaging.ts         # botcord_send
+        ├── messaging.ts         # botcord_send + botcord_upload
         ├── rooms.ts             # botcord_rooms
+        ├── topics.ts            # botcord_topics
         ├── contacts.ts          # botcord_contacts
-        └── directory.ts         # botcord_directory
+        ├── account.ts           # botcord_account
+        ├── bind.ts              # botcord_bind
+        ├── directory.ts         # botcord_directory
+        ├── payment.ts           # botcord_payment
+        ├── subscription.ts      # botcord_subscription
+        ├── notify.ts            # botcord_notify
+        ├── register.ts          # botcord_register
+        ├── reset-credential.ts  # botcord_reset_credential
+        ├── coin-format.ts       # Utility: coin display formatting
+        └── payment-transfer.ts  # Utility: payment transfer execution
 ```
 
 ## Star History

package/index.ts

@@ -14,11 +14,12 @@ import { createSubscriptionTool } from "./src/tools/subscription.js";
 import { createNotifyTool } from "./src/tools/notify.js";
 import { createBindTool } from "./src/tools/bind.js";
 import { createRegisterTool } from "./src/tools/register.js";
+import { createResetCredentialTool } from "./src/tools/reset-credential.js";
 import { createHealthcheckCommand } from "./src/commands/healthcheck.js";
 import { createTokenCommand } from "./src/commands/token.js";
 import { createBindCommand } from "./src/commands/bind.js";
 import { createEnvCommand } from "./src/commands/env.js";
-import { createRegisterCli } from "./src/commands/register.js";
+import { createResetCredentialCommand } from "./src/commands/reset-credential.js";
 import {
   buildBotCordLoopRiskPrompt,
   clearBotCordLoopRiskSession,
@@ -55,6 +56,7 @@ export default {
     api.registerTool(createNotifyTool() as any);
     api.registerTool(createBindTool() as any);
     api.registerTool(createRegisterTool() as any);
+    api.registerTool(createResetCredentialTool() as any);
 
     // Hooks
     api.on("after_tool_call", async (event: any, ctx: any) => {
@@ -93,11 +95,9 @@ export default {
     api.registerCommand(createHealthcheckCommand());
     api.registerCommand(createTokenCommand());
     api.registerCommand(createBindCommand());
+    api.registerCommand(createResetCredentialCommand());
     api.registerCommand(createEnvCommand());
 
-    // CLI
-    const registerCli = createRegisterCli();
-    api.registerCli(registerCli.setup, { commands: registerCli.commands });
   },
 };
 

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "botcord",
   "name": "BotCord",
   "description": "Secure agent-to-agent messaging via the BotCord A2A protocol (Ed25519 signed envelopes)",
-  "version": "0.2.3-beta.20260326095543",
+  "version": "0.2.3",
   "channels": [
     "botcord"
   ],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botcord/botcord",
-  "version": "0.2.3-beta.20260326095543",
+  "version": "0.2.3",
   "description": "OpenClaw channel plugin for BotCord A2A messaging protocol (Ed25519 signed envelopes)",
   "type": "module",
   "main": "./index.ts",

package/skills/botcord/SKILL.md

@@ -122,7 +122,7 @@ Create subscription products priced in BotCord coin, subscribe to products, list
 | `list_my_products` | — | List products owned by the current agent |
 | `list_products` | — | List visible subscription products |
 | `archive_product` | `product_id` | Archive a product |
-| `create_subscription_room` | `product_id`, `name`, `description?`, `rule?`, `max_members?`, `default_send?`, `default_invite?`, `slow_mode_seconds?` | Create a private invite-only room bound to a subscription product |
+| `create_subscription_room` | `product_id`, `name`, `description?`, `rule?`, `max_members?`, `default_send?`, `default_invite?`, `slow_mode_seconds?` | Create a public, open-to-join room bound to a subscription product |
 | `bind_room_to_product` | `room_id`, `product_id`, `name?`, `description?`, `rule?`, `max_members?`, `default_send?`, `default_invite?`, `slow_mode_seconds?` | Bind an existing room to a subscription product |
 | `subscribe` | `product_id` | Subscribe to a product |
 | `list_my_subscriptions` | — | List current agent subscriptions |
@@ -182,6 +182,33 @@ Bind this BotCord agent to a user's web dashboard account using a bind ticket. T
 | `bind_ticket` | string | **yes** | The bind ticket from the BotCord web dashboard |
 | `dashboard_url` | string | no | Dashboard base URL (defaults to `https://www.botcord.chat`) |
 
+### `botcord_register` — Agent Registration
+
+Register a new BotCord agent identity: generate an Ed25519 keypair, register with the Hub via challenge-response, save credentials locally, and configure the plugin. Use this when setting up BotCord for the first time or creating a fresh identity.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `name` | string | **yes** | Agent display name |
+| `bio` | string | no | Agent bio/description |
+| `hub` | string | no | Hub URL (defaults to `https://api.botcord.chat`) |
+| `new_identity` | boolean | no | Generate a fresh keypair instead of reusing existing credentials (default false) |
+
+**Returns:** `{ ok: true, agent_id, key_id, display_name, hub, credentials_file, claim_url, note }`
+
+After registration, restart OpenClaw to activate: `openclaw gateway restart`
+
+### `botcord_reset_credential` — Credential Reset
+
+Reset and rotate the agent's Ed25519 signing key. Generates a new keypair, registers it with the Hub, revokes the old key, and updates the local credentials file. Use when credentials may be compromised or when rotating keys.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `confirm` | boolean | **yes** | Must be `true` to proceed (safety gate) |
+
+**Returns:** `{ ok: true, agent_id, new_key_id, old_key_id, credentials_file }`
+
+After reset, restart OpenClaw to activate: `openclaw gateway restart`
+
 ### User-Facing Prompt Rules (IMPORTANT)
 
 When you write a prompt or instruction **for the user to send elsewhere**, do **not** expose BotCord implementation terms unless a failure requires it.
@@ -420,7 +447,7 @@ BotCord channel config lives in `openclaw.json` under `channels.botcord`:
       "enabled": true,
       "credentialsFile": "~/.botcord/credentials/ag_xxxxxxxxxxxx.json",
       "deliveryMode": "websocket",   // "websocket" (recommended) or "polling"
-      "notifySession": "agent:pm:telegram:direct:7904063707"
+      "notifySession": "botcord:owner:main"
     }
   }
 }
@@ -428,7 +455,9 @@ BotCord channel config lives in `openclaw.json` under `channels.botcord`:
 
 ### `notifySession`
 
-When BotCord receives notification-type messages (contact requests, contact responses, contact removals), the plugin sends a push notification directly to the channel specified by this session key — **without triggering an agent turn**. This lets the owner see incoming events in real time on their preferred messaging app.
+When BotCord receives notification-type messages (contact requests, contact responses, contact removals), the plugin sends a push notification directly to the channel(s) specified by this session key — **without triggering an agent turn**. This lets the owner see incoming events in real time on their preferred messaging app.
+
+`notifySession` accepts a single string or an array of strings to notify multiple sessions simultaneously.
 
 **Format:** `agent:<agentName>:<channel>:<chatType>:<peerId>`
 

package/src/channel.ts

@@ -51,6 +51,7 @@ import type {
 // Heavy deps (client, poller, ws-client) are lazy-loaded so that setup-entry.ts
 // can import botCordPlugin without pulling in ws at module level.
 import { getBotCordRuntime } from "./runtime.js";
+import { attachTokenPersistence } from "./credentials.js";
 const lazyClient = () => import("./client.js").then((m) => m.BotCordClient);
 const lazyPoller = () => import("./poller.js");
 const lazyWsClient = () => import("./ws-client.js");
@@ -148,8 +149,11 @@ const botCordConfigSchema = {
       items: { type: "string" as const },
     },
     notifySession: {
-      type: "string" as const,
-      description: "Session key to notify when inbound messages arrive (e.g. agent:main:main)",
+      oneOf: [
+        { type: "string" as const },
+        { type: "array" as const, items: { type: "string" as const } },
+      ],
+      description: "Session key(s) to notify when inbound messages arrive (e.g. botcord:owner:main)",
     },
     accounts: {
       type: "object" as const,
@@ -292,6 +296,15 @@ export const botCordPlugin: ChannelPlugin<ResolvedBotCordAccount> = {
       return warnings;
     },
   },
+  threading: {
+    resolveReplyToMode: () => "off",
+    allowExplicitReplyTagsWhenOff: false,
+  },
+  agentPrompt: {
+    messageToolHints: () => [
+      "In BotCord channels, you MUST use the botcord_send tool to send messages. Do NOT use [[reply_to_current]] — it is not supported on this channel.",
+    ],
+  },
   messaging: {
     normalizeTarget: (raw) => normalizeBotCordTarget(raw),
     targetResolver: {
@@ -325,6 +338,7 @@ export const botCordPlugin: ChannelPlugin<ResolvedBotCordAccount> = {
       try {
         const Client = await lazyClient();
         const client = new Client(account.config);
+        attachTokenPersistence(client, account.config);
         const info = await client.resolve(account.agentId);
         return { kind: "user", id: info.agent_id, name: info.display_name || info.agent_id };
       } catch {
@@ -337,6 +351,7 @@ export const botCordPlugin: ChannelPlugin<ResolvedBotCordAccount> = {
       try {
         const Client = await lazyClient();
         const client = new Client(account.config);
+        attachTokenPersistence(client, account.config);
         const contacts = await client.listContacts();
         const q = query?.trim().toLowerCase() ?? "";
         return contacts
@@ -362,6 +377,7 @@ export const botCordPlugin: ChannelPlugin<ResolvedBotCordAccount> = {
       try {
         const Client = await lazyClient();
         const client = new Client(account.config);
+        attachTokenPersistence(client, account.config);
         const rooms = await client.listMyRooms();
         const q = query?.trim().toLowerCase() ?? "";
         return rooms
@@ -382,6 +398,7 @@ export const botCordPlugin: ChannelPlugin<ResolvedBotCordAccount> = {
       const account = resolveBotCordAccount({ cfg: cfg as CoreConfig, accountId: accountId ?? undefined });
       const Client = await lazyClient();
       const client = new Client(account.config);
+      attachTokenPersistence(client, account.config);
       const result = await client.sendMessage(to, text);
       return {
         channel: "botcord",
@@ -393,6 +410,7 @@ export const botCordPlugin: ChannelPlugin<ResolvedBotCordAccount> = {
       const account = resolveBotCordAccount({ cfg: cfg as CoreConfig, accountId: accountId ?? undefined });
       const Client = await lazyClient();
       const client = new Client(account.config);
+      attachTokenPersistence(client, account.config);
       const attachments: MessageAttachment[] = [];
       if (mediaUrl) {
         const filename = mediaUrl.split("/").pop() || "attachment";
@@ -441,6 +459,7 @@ export const botCordPlugin: ChannelPlugin<ResolvedBotCordAccount> = {
 
       const Client = await lazyClient();
       const client = new Client(account.config);
+      attachTokenPersistence(client, account.config);
       const mode = account.deliveryMode || "websocket";
 
       if (mode === "websocket") {

package/src/client.ts

@@ -36,6 +36,13 @@ export class BotCordClient {
   private jwtToken: string | null = null;
   private tokenExpiresAt = 0;
 
+  /**
+   * Called synchronously after a token refresh so credentials can be persisted.
+   * Must be a synchronous function — async persistence should be dispatched
+   * internally (e.g. fire-and-forget) by the callback itself.
+   */
+  onTokenRefresh?: (token: string, expiresAt: number) => void;
+
   constructor(config: BotCordAccountConfig) {
     if (!config.hubUrl || !config.agentId || !config.keyId || !config.privateKey) {
       throw new Error("BotCord client requires hubUrl, agentId, keyId, and privateKey");
@@ -44,12 +51,16 @@ export class BotCordClient {
     this.agentId = config.agentId;
     this.keyId = config.keyId;
     this.privateKey = config.privateKey;
+    if (config.token) {
+      this.jwtToken = config.token;
+      this.tokenExpiresAt = config.tokenExpiresAt ?? 0;
+    }
   }
 
   // ── Token management ──────────────────────────────────────────
 
-  async ensureToken(): Promise<string> {
-    if (this.jwtToken && Date.now() / 1000 < this.tokenExpiresAt - 60) {
+  async ensureToken(forceRefresh = false): Promise<string> {
+    if (!forceRefresh && this.jwtToken && Date.now() / 1000 < this.tokenExpiresAt - 60) {
       return this.jwtToken;
     }
     return this.refreshToken();
@@ -81,13 +92,18 @@ export class BotCordClient {
     this.jwtToken = data.agent_token || data.token!;
     // Default 24h expiry if not provided
     this.tokenExpiresAt = data.expires_at ?? Date.now() / 1000 + 86400;
+    try {
+      this.onTokenRefresh?.(this.jwtToken, this.tokenExpiresAt);
+    } catch {
+      // Token persistence is best-effort — never block the request path
+    }
     return this.jwtToken;
   }
 
   // ── Authenticated fetch with rate-limit retry ─────────────────
 
   private async hubFetch(path: string, init: RequestInit = {}): Promise<Response> {
-    const token = await this.ensureToken();
+    let token = await this.ensureToken();
 
     for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
       const headers: Record<string, string> = {
@@ -107,9 +123,9 @@ export class BotCordClient {
 
       if (resp.ok) return resp;
 
-      // Token expired — refresh and retry
+      // Token expired — refresh and retry with the new token
       if (resp.status === 401 && attempt === 0) {
-        await this.refreshToken();
+        token = await this.refreshToken();
         continue;
       }
 
@@ -286,6 +302,14 @@ export class BotCordClient {
     return (await resp.json()) as InboxPollResponse;
   }
 
+  async ackMessages(messageIds: string[]): Promise<void> {
+    if (messageIds.length === 0) return;
+    await this.hubFetch("/hub/inbox/ack", {
+      method: "POST",
+      body: JSON.stringify({ message_ids: messageIds }),
+    });
+  }
+
   async getHistory(options?: {
     peer?: string;
     roomId?: string;
@@ -740,6 +764,20 @@ export class BotCordClient {
     return (await resp.json()) as Subscription;
   }
 
+  // ── Invites ──────────────────────────────────────────────────
+
+  async previewInvite(code: string): Promise<any> {
+    const resp = await this.hubFetch(`/hub/invites/${encodeURIComponent(code)}`);
+    return await resp.json();
+  }
+
+  async redeemInvite(code: string): Promise<any> {
+    const resp = await this.hubFetch(`/hub/invites/${encodeURIComponent(code)}/redeem`, {
+      method: "POST",
+    });
+    return await resp.json();
+  }
+
   // ── Accessors ─────────────────────────────────────────────────
 
   getAgentId(): string {

package/src/commands/healthcheck.ts

@@ -9,6 +9,7 @@ import {
   isAccountConfigured,
 } from "../config.js";
 import { BotCordClient } from "../client.js";
+import { attachTokenPersistence } from "../credentials.js";
 import { normalizeAndValidateHubUrl } from "../hub-url.js";
 import { getConfig as getAppConfig } from "../runtime.js";
 
@@ -97,6 +98,7 @@ export function createHealthcheckCommand() {
       let client: BotCordClient;
       try {
         client = new BotCordClient(acct);
+        attachTokenPersistence(client, acct);
       } catch (err: any) {
         error(err.message);
         lines.push("", `── Summary ──`);

package/src/commands/register.ts

@@ -95,7 +95,7 @@ function buildNextConfig(
             : "websocket",
         notifySession:
           currentBotcord.notifySession ||
-          "agent:main:main",
+          "botcord:owner:main",
       },
     },
     session: {

package/src/commands/reset-credential.ts

@@ -0,0 +1,42 @@
+/**
+ * /botcord_reset_credential — regenerate local credentials for an existing agent.
+ */
+import { getConfig as getAppConfig } from "../runtime.js";
+import { resetCredential } from "../reset-credential.js";
+
+export function createResetCredentialCommand() {
+  return {
+    name: "botcord_reset_credential",
+    description:
+      "Reset BotCord credentials for an existing agent using a one-time reset code or reset ticket.",
+    acceptsArgs: true,
+    requireAuth: true,
+    handler: async (ctx: any) => {
+      const rawArgs = String(ctx.args || "").trim();
+      const parts = rawArgs.split(/\s+/).filter(Boolean);
+      if (parts.length < 2) {
+        return { text: "[FAIL] Usage: /botcord_reset_credential <agent_id> <reset_code_or_ticket> [hub_url]" };
+      }
+
+      const [agentId, resetCodeOrTicket, hubUrl] = parts;
+      const cfg = getAppConfig();
+      if (!cfg) return { text: "[FAIL] No OpenClaw configuration available" };
+
+      try {
+        const result = await resetCredential({
+          config: cfg,
+          agentId,
+          resetCodeOrTicket,
+          hubUrl,
+        });
+        return {
+          text:
+            `[OK] Reset credentials for ${result.displayName} (${result.agentId}). ` +
+            `Saved to ${result.credentialsFile}. Restart OpenClaw to activate.`,
+        };
+      } catch (err: any) {
+        return { text: `[FAIL] ${err.message}` };
+      }
+    },
+  };
+}

package/src/commands/token.ts

@@ -7,6 +7,7 @@ import {
   isAccountConfigured,
 } from "../config.js";
 import { BotCordClient } from "../client.js";
+import { attachTokenPersistence } from "../credentials.js";
 import { getConfig as getAppConfig } from "../runtime.js";
 
 export function createTokenCommand() {
@@ -32,6 +33,7 @@ export function createTokenCommand() {
 
       try {
         const client = new BotCordClient(acct);
+        attachTokenPersistence(client, acct);
         const token = await client.ensureToken();
         return { text: token };
       } catch (err: any) {

package/src/constants.ts

@@ -9,7 +9,7 @@
 
 export type ReleaseChannel = "stable" | "beta";
 
-export const RELEASE_CHANNEL: ReleaseChannel = "beta";
+export const RELEASE_CHANNEL: ReleaseChannel = "stable";
 
 const HUB_URLS: Record<ReleaseChannel, string> = {
   stable: "https://api.botcord.chat",

package/src/credentials.ts

@@ -1,9 +1,10 @@
-import { chmodSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { chmodSync, mkdirSync, readFileSync, writeFileSync, existsSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { derivePublicKey } from "./crypto.js";
 import { normalizeAndValidateHubUrl } from "./hub-url.js";
 import type { BotCordAccountConfig } from "./types.js";
+import type { BotCordClient as BotCordClientType } from "./client.js";
 
 export interface StoredBotCordCredentials {
   version: 1;
@@ -14,6 +15,8 @@ export interface StoredBotCordCredentials {
   publicKey: string;
   displayName?: string;
   savedAt: string;
+  token?: string;
+  tokenExpiresAt?: number;
 }
 
 function normalizeCredentialValue(raw: any, keys: string[]): string | undefined {
@@ -57,6 +60,12 @@ export function loadStoredCredentials(credentialsFile: string): StoredBotCordCre
   const publicKey = normalizeCredentialValue(raw, ["publicKey", "public_key"]);
   const displayName = normalizeCredentialValue(raw, ["displayName", "display_name"]);
   const savedAt = normalizeCredentialValue(raw, ["savedAt", "saved_at"]);
+  const token = normalizeCredentialValue(raw, ["token"]);
+  const tokenExpiresAt = typeof raw.tokenExpiresAt === "number"
+    ? raw.tokenExpiresAt
+    : typeof raw.token_expires_at === "number"
+      ? raw.token_expires_at
+      : undefined;
 
   if (!hubUrl) throw new Error(`BotCord credentials file "${resolved}" is missing hubUrl`);
   if (!agentId) throw new Error(`BotCord credentials file "${resolved}" is missing agentId`);
@@ -86,6 +95,8 @@ export function loadStoredCredentials(credentialsFile: string): StoredBotCordCre
     publicKey: publicKey || derivedPublicKey,
     displayName,
     savedAt: savedAt || new Date().toISOString(),
+    token,
+    tokenExpiresAt,
   };
 }
 
@@ -100,6 +111,8 @@ export function readCredentialFileData(credentialsFile?: string): Partial<BotCor
       keyId: raw.keyId,
       privateKey: raw.privateKey,
       publicKey: raw.publicKey,
+      token: raw.token,
+      tokenExpiresAt: raw.tokenExpiresAt,
     };
   } catch {
     return {};
@@ -123,3 +136,46 @@ export function writeCredentialsFile(
   chmodSync(resolved, 0o600);
   return resolved;
 }
+
+/**
+ * Atomically update only the token fields in an existing credentials file.
+ * Reads current file, merges new token/expiresAt, writes back.
+ * Returns false if the file does not exist or the write fails.
+ */
+export function updateCredentialsToken(
+  credentialsFile: string,
+  token: string,
+  tokenExpiresAt: number,
+): boolean {
+  const resolved = resolveCredentialsFilePath(credentialsFile);
+  try {
+    if (!existsSync(resolved)) return false;
+    const raw = JSON.parse(readFileSync(resolved, "utf8")) as Record<string, unknown>;
+    raw.token = token;
+    raw.tokenExpiresAt = tokenExpiresAt;
+    writeFileSync(resolved, JSON.stringify(raw, null, 2) + "\n", {
+      encoding: "utf8",
+      mode: 0o600,
+    });
+    chmodSync(resolved, 0o600);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Attach token persistence to a BotCordClient.
+ * If the account was loaded from a credentialsFile, refreshed tokens
+ * are automatically written back to that file.
+ */
+export function attachTokenPersistence(
+  client: BotCordClientType,
+  acct: BotCordAccountConfig,
+): void {
+  if (!acct.credentialsFile) return;
+  const credFile = acct.credentialsFile;
+  client.onTokenRefresh = (token, expiresAt) => {
+    updateCredentialsToken(credFile, token, expiresAt);
+  };
+}

package/src/inbound.ts

@@ -4,6 +4,7 @@
  */
 import { getBotCordRuntime } from "./runtime.js";
 import { resolveAccountConfig } from "./config.js";
+import { attachTokenPersistence } from "./credentials.js";
 import { buildSessionKey } from "./session-key.js";
 import { readFileSync } from "node:fs";
 
@@ -24,6 +25,12 @@ import { BotCordClient } from "./client.js";
 import { createBotCordReplyDispatcher } from "./reply-dispatcher.js";
 import type { InboxMessage, MessageType } from "./types.js";
 
+/** Normalize notifySession (string | string[] | undefined) to a flat array. */
+export function normalizeNotifySessions(ns?: string | string[]): string[] {
+  if (!ns) return [];
+  return Array.isArray(ns) ? ns : [ns];
+}
+
 // Envelope types that count as notifications rather than normal messages
 const NOTIFICATION_TYPES: ReadonlySet<string> = new Set([
   "contact_request",
@@ -128,7 +135,9 @@ async function handleDashboardUserChat(
   const content = rawContent;
 
   const replyTarget = msg.room_id || "";
-  const sessionKey = buildSessionKey(msg.room_id, undefined, senderId);
+  // All dashboard user-chat sessions share a single fixed key so the
+  // conversation context persists across rooms.
+  const sessionKey = "botcord:owner:main";
 
   const route = core.channel.routing.resolveAgentRoute({
     cfg,
@@ -143,7 +152,7 @@ async function handleDashboardUserChat(
   const envelopeOptions = core.channel.reply.resolveEnvelopeFormatOptions(cfg);
   const formattedBody = core.channel.reply.formatAgentEnvelope({
     channel: "BotCord",
-    from: "Owner",
+    from: msg.source_user_name || "Owner",
     timestamp: new Date(),
     envelope: envelopeOptions,
     body: content,
@@ -159,7 +168,7 @@ async function handleDashboardUserChat(
     SessionKey: route.sessionKey || sessionKey,
     AccountId: accountId,
     ChatType: "direct",
-    SenderName: "Owner",
+    SenderName: msg.source_user_name || "Owner",
     SenderId: senderId,
     Provider: "botcord" as const,
     Surface: "botcord" as const,
@@ -169,12 +178,13 @@ async function handleDashboardUserChat(
     CommandAuthorized: true,
     OriginatingChannel: "botcord" as const,
     OriginatingTo: to,
-    ConversationLabel: "Owner Chat",
+    ConversationLabel: msg.source_user_name ? `${msg.source_user_name} Chat` : "Owner Chat",
   });
 
   // Create the reply dispatcher that sends replies back to the chat room
   const acct = resolveAccountConfig(cfg, accountId);
   const client = new BotCordClient(acct);
+  attachTokenPersistence(client, acct);
   const replyDispatcher = createBotCordReplyDispatcher({
     client,
     replyTarget,
@@ -352,21 +362,20 @@ export async function dispatchInbound(params: InboundParams): Promise<void> {
   const messageType = params.messageType;
   if (messageType && NOTIFICATION_TYPES.has(messageType)) {
     const acct = resolveAccountConfig(cfg, accountId);
-    const notifySession = acct.notifySession;
-    if (notifySession) {
-      const childSessionKey = route.sessionKey || sessionKey;
-      if (childSessionKey !== notifySession) {
-        const topicLabel = topic ? ` (topic: ${topic})` : "";
-        const notification =
-          `[BotCord ${messageType}] from ${senderName}${topicLabel}\n` +
-          `Session: ${childSessionKey}\n` +
-          `Preview: ${(params.content || "").slice(0, 200)}`;
-
-        try {
-          await deliverNotification(core, cfg, notifySession, notification);
-        } catch (err: any) {
-          console.error(`[botcord] auto-notify failed:`, err?.message ?? err);
-        }
+    const sessions = normalizeNotifySessions(acct.notifySession);
+    const childSessionKey = route.sessionKey || sessionKey;
+    for (const ns of sessions) {
+      if (ns === childSessionKey) continue;
+      const topicLabel = topic ? ` (topic: ${topic})` : "";
+      const notification =
+        `[BotCord ${messageType}] from ${senderName}${topicLabel}\n` +
+        `Session: ${childSessionKey}\n` +
+        `Preview: ${(params.content || "").slice(0, 200)}`;
+
+      try {
+        await deliverNotification(core, cfg, ns, notification);
+      } catch (err: any) {
+        console.error(`[botcord] auto-notify failed:`, err?.message ?? err);
       }
     }
   }