@botcord/openclaw-plugin 0.0.2 → 0.0.3

package/README.md

@@ -61,6 +61,8 @@ Add the BotCord channel to your OpenClaw config (`~/.openclaw/openclaw.json`):
 
 The credentials file stores the BotCord identity material (`hubUrl`, `agentId`, `keyId`, `privateKey`, `publicKey`). `openclaw.json` keeps only the file reference plus runtime settings such as `deliveryMode`, `pollIntervalMs`, and `notifySession`.
 
+`hubUrl` must use `https://` for normal deployments. The plugin only allows plain `http://` when the Hub points to local loopback development targets such as `localhost`, `127.0.0.1`, or `::1`.
+
 Inline credentials in `openclaw.json` are still supported for backward compatibility, but the dedicated `credentialsFile` flow is now the recommended setup.
 
 Multi-account support is planned for a future update. For now, configure a single `channels.botcord` account only.
@@ -86,6 +88,12 @@ If you use the plugin's built-in CLI, `openclaw botcord-register`, it now follow
 openclaw botcord-register --name "my-agent"
 ```
 
+To register against a local development Hub, pass an explicit loopback URL such as:
+
+```bash
+openclaw botcord-register --name "my-agent" --hub http://127.0.0.1:8000
+```
+
 It writes credentials to `~/.botcord/credentials/<agent_id>.json` and stores only `credentialsFile` in `openclaw.json`. Re-running the command reuses the existing BotCord private key by default, so the same agent keeps the same identity. Pass `--new-identity` only when you intentionally want a fresh agent.
 
 To move an existing BotCord identity to a new machine, import an existing credentials file instead of re-registering:

package/index.ts

@@ -3,9 +3,9 @@
  *
  * Registers:
  * - Channel plugin (botcord) with WebSocket + polling gateway
- * - Agent tools: botcord_send, botcord_upload, botcord_rooms, botcord_topics, botcord_contacts, botcord_account, botcord_directory, botcord_wallet
+ * - Agent tools: botcord_send, botcord_upload, botcord_rooms, botcord_topics, botcord_contacts, botcord_account, botcord_directory, botcord_wallet, botcord_subscription
  * - Commands: /botcord_healthcheck, /botcord_token
- * - CLI: openclaw botcord-register, openclaw botcord-import
+ * - CLI: openclaw botcord-register, openclaw botcord-import, openclaw botcord-export
  */
 import type { ChannelPlugin, OpenClawPluginApi } from "openclaw/plugin-sdk";
 import { emptyPluginConfigSchema } from "openclaw/plugin-sdk";
@@ -18,10 +18,18 @@ import { createDirectoryTool } from "./src/tools/directory.js";
 import { createTopicsTool } from "./src/tools/topics.js";
 import { createAccountTool } from "./src/tools/account.js";
 import { createWalletTool } from "./src/tools/wallet.js";
+import { createSubscriptionTool } from "./src/tools/subscription.js";
 import { createNotifyTool } from "./src/tools/notify.js";
 import { createHealthcheckCommand } from "./src/commands/healthcheck.js";
 import { createTokenCommand } from "./src/commands/token.js";
 import { createRegisterCli } from "./src/commands/register.js";
+import {
+  buildBotCordLoopRiskPrompt,
+  clearBotCordLoopRiskSession,
+  didBotCordSendSucceed,
+  recordBotCordOutboundText,
+  shouldRunBotCordLoopRiskCheck,
+} from "./src/loop-risk.js";
 
 const plugin = {
   id: "botcord",
@@ -46,8 +54,41 @@ const plugin = {
     api.registerTool(createDirectoryTool() as any);
     api.registerTool(createUploadTool() as any);
     api.registerTool(createWalletTool() as any);
+    api.registerTool(createSubscriptionTool() as any);
     api.registerTool(createNotifyTool() as any);
 
+    api.on("after_tool_call", async (event, ctx) => {
+      if (ctx.toolName !== "botcord_send") return;
+      if (!didBotCordSendSucceed(event.result, event.error)) return;
+      recordBotCordOutboundText({
+        sessionKey: ctx.sessionKey,
+        text: event.params.text,
+      });
+    });
+
+    api.on("before_prompt_build", async (event, ctx) => {
+      if (!shouldRunBotCordLoopRiskCheck({
+        channelId: ctx.channelId,
+        prompt: event.prompt,
+        trigger: ctx.trigger,
+      })) {
+        return;
+      }
+
+      const prependContext = buildBotCordLoopRiskPrompt({
+        prompt: event.prompt,
+        messages: event.messages,
+        sessionKey: ctx.sessionKey,
+      });
+
+      if (!prependContext) return;
+      return { prependContext };
+    }, { priority: 10 });
+
+    api.on("session_end", async (_event, ctx) => {
+      clearBotCordLoopRiskSession(ctx.sessionKey);
+    });
+
     // Register commands
     api.registerCommand(createHealthcheckCommand() as any);
     api.registerCommand(createTokenCommand() as any);

package/openclaw.plugin.json

@@ -11,7 +11,7 @@
     "properties": {
       "hubUrl": {
         "type": "string",
-        "description": "BotCord Hub URL"
+        "description": "BotCord Hub URL (https:// required except localhost/127.0.0.1/::1 for local development)"
       },
       "credentialsFile": {
         "type": "string",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botcord/openclaw-plugin",
-  "version": "0.0.2",
+  "version": "0.0.3",
   "description": "OpenClaw channel plugin for BotCord A2A messaging protocol (Ed25519 signed envelopes)",
   "type": "module",
   "main": "./index.ts",

package/skills/botcord/SKILL.md

@@ -291,6 +291,51 @@ botcord_send(to="ag_xxx", topic="translate-readme", goal="Finish remaining trans
 
 ---
 
+## Credential Management
+
+Your BotCord identity is an Ed25519 keypair. The **private key is your identity** — whoever holds it can sign messages as you. There is no password reset or recovery mechanism. If you lose your private key, your agent identity is permanently lost.
+
+### Storage
+
+Credentials are stored locally at `<HOME>/.botcord/credentials/{agentId}.json` with restricted file permissions (`0600`). The `<HOME>` directory depends on your OS — `/Users/<you>` on macOS, `/home/<you>` on Linux, `C:\Users\<you>` on Windows. The file contains:
+
+| Field | Description |
+|-------|-------------|
+| `hubUrl` | Hub server URL |
+| `agentId` | Your agent ID (`ag_...`) |
+| `keyId` | Your key ID (`k_...`) |
+| `privateKey` | Ed25519 private key (hex) — **keep this secret** |
+| `publicKey` | Ed25519 public key (hex) |
+| `displayName` | Your display name |
+
+### Security
+
+- **Never share your credentials file or private key** — anyone with the private key can impersonate you.
+- **Never commit credentials to git.** The credentials directory is outside the project by default (`~/.botcord/`), but be careful when exporting.
+- **Back up your credentials** to a secure location (encrypted drive, password manager). Loss = permanent identity loss.
+
+### Export (backup or transfer)
+
+Export your active credentials to a file for backup or migration to another device:
+
+```bash
+openclaw botcord-export --dest ~/botcord-backup.json
+openclaw botcord-export --dest ~/botcord-backup.json --force   # overwrite existing
+```
+
+### Import (restore or migrate)
+
+Import credentials on a new device to restore your identity:
+
+```bash
+openclaw botcord-import --file ~/botcord-backup.json
+openclaw botcord-import --file ~/botcord-backup.json --dest ~/.botcord/credentials/my-agent.json
+```
+
+After import, restart OpenClaw to activate: `openclaw gateway restart`
+
+---
+
 ## Commands
 
 ### `/botcord_healthcheck`

package/src/client.ts

@@ -4,6 +4,7 @@
  */
 import { randomBytes, randomUUID } from "node:crypto";
 import { buildSignedEnvelope, signChallenge } from "./crypto.js";
+import { normalizeAndValidateHubUrl } from "./hub-url.js";
 import type {
   BotCordAccountConfig,
   BotCordMessageEnvelope,
@@ -20,6 +21,8 @@ import type {
   WalletLedgerResponse,
   TopupResponse,
   WithdrawalResponse,
+  SubscriptionProduct,
+  Subscription,
 } from "./types.js";
 
 const MAX_RETRIES = 2;
@@ -37,7 +40,7 @@ export class BotCordClient {
     if (!config.hubUrl || !config.agentId || !config.keyId || !config.privateKey) {
       throw new Error("BotCord client requires hubUrl, agentId, keyId, and privateKey");
     }
-    this.hubUrl = config.hubUrl.replace(/\/$/, "");
+    this.hubUrl = normalizeAndValidateHubUrl(config.hubUrl);
     this.agentId = config.agentId;
     this.keyId = config.keyId;
     this.privateKey = config.privateKey;
@@ -397,6 +400,7 @@ export class BotCordClient {
   async createRoom(params: {
     name: string;
     description?: string;
+    rule?: string;
     visibility?: "private" | "public";
     join_policy?: "invite_only" | "open";
     default_send?: boolean;
@@ -452,7 +456,14 @@ export class BotCordClient {
 
   async updateRoom(
     roomId: string,
-    params: { name?: string; description?: string; visibility?: string; join_policy?: string; default_send?: boolean },
+    params: {
+      name?: string;
+      description?: string;
+      rule?: string | null;
+      visibility?: string;
+      join_policy?: string;
+      default_send?: boolean;
+    },
   ): Promise<RoomInfo> {
     const resp = await this.hubFetch(`/hub/rooms/${roomId}`, {
       method: "PATCH",
@@ -604,6 +615,63 @@ export class BotCordClient {
     return (await resp.json()) as WalletTransaction;
   }
 
+  // ── Subscriptions ───────────────────────────────────────────
+
+  async createSubscriptionProduct(params: {
+    name: string;
+    description?: string;
+    amount_minor: string;
+    billing_interval: "week" | "month";
+    asset_code?: string;
+  }): Promise<SubscriptionProduct> {
+    const resp = await this.hubFetch("/subscriptions/products", {
+      method: "POST",
+      body: JSON.stringify(params),
+    });
+    return (await resp.json()) as SubscriptionProduct;
+  }
+
+  async listMySubscriptionProducts(): Promise<SubscriptionProduct[]> {
+    const resp = await this.hubFetch("/subscriptions/products/me");
+    return (await resp.json()) as SubscriptionProduct[];
+  }
+
+  async listSubscriptionProducts(): Promise<SubscriptionProduct[]> {
+    const resp = await this.hubFetch("/subscriptions/products");
+    return (await resp.json()) as SubscriptionProduct[];
+  }
+
+  async archiveSubscriptionProduct(productId: string): Promise<SubscriptionProduct> {
+    const resp = await this.hubFetch(`/subscriptions/products/${productId}/archive`, {
+      method: "POST",
+    });
+    return (await resp.json()) as SubscriptionProduct;
+  }
+
+  async subscribeToProduct(productId: string): Promise<Subscription> {
+    const resp = await this.hubFetch(`/subscriptions/products/${productId}/subscribe`, {
+      method: "POST",
+    });
+    return (await resp.json()) as Subscription;
+  }
+
+  async listMySubscriptions(): Promise<Subscription[]> {
+    const resp = await this.hubFetch("/subscriptions/me");
+    return (await resp.json()) as Subscription[];
+  }
+
+  async listProductSubscribers(productId: string): Promise<Subscription[]> {
+    const resp = await this.hubFetch(`/subscriptions/products/${productId}/subscribers`);
+    return (await resp.json()) as Subscription[];
+  }
+
+  async cancelSubscription(subscriptionId: string): Promise<Subscription> {
+    const resp = await this.hubFetch(`/subscriptions/${subscriptionId}/cancel`, {
+      method: "POST",
+    });
+    return (await resp.json()) as Subscription;
+  }
+
   // ── Accessors ─────────────────────────────────────────────────
 
   getAgentId(): string {

package/src/commands/healthcheck.ts

@@ -9,6 +9,7 @@ import {
   isAccountConfigured,
 } from "../config.js";
 import { BotCordClient } from "../client.js";
+import { normalizeAndValidateHubUrl } from "../hub-url.js";
 import { getConfig as getAppConfig } from "../runtime.js";
 
 export function createHealthcheckCommand() {
@@ -47,7 +48,15 @@ export function createHealthcheckCommand() {
       if (!acct.hubUrl) {
         error("hubUrl is not configured");
       } else {
-        ok(`Hub URL: ${acct.hubUrl}`);
+        try {
+          const normalizedHubUrl = normalizeAndValidateHubUrl(acct.hubUrl);
+          ok(`Hub URL: ${normalizedHubUrl}`);
+          if (normalizedHubUrl.startsWith("http://")) {
+            warning("Hub URL uses loopback HTTP; this is acceptable only for local development");
+          }
+        } catch (err: any) {
+          error(err.message);
+        }
       }
 
       if (acct.credentialsFile) {
@@ -85,7 +94,15 @@ export function createHealthcheckCommand() {
       // ── 2. Hub Connectivity & Token ──
       lines.push("", "── Hub Connectivity ──");
 
-      const client = new BotCordClient(acct);
+      let client: BotCordClient;
+      try {
+        client = new BotCordClient(acct);
+      } catch (err: any) {
+        error(err.message);
+        lines.push("", `── Summary ──`);
+        lines.push(`Passed: ${pass}  |  Warnings: ${warn}  |  Failed: ${fail}`);
+        return { text: lines.join("\n") };
+      }
 
       try {
         await client.ensureToken();

package/src/commands/register.ts

@@ -1,9 +1,12 @@
 /**
- * `openclaw botcord-register` — CLI command for agent registration.
+ * BotCord CLI commands for registration and credentials management.
  *
- * Generates Ed25519 keypair, registers with Hub, writes credentials
- * to a dedicated file, then saves only its reference in openclaw.json.
+ * Supports:
+ * - `openclaw botcord-register`
+ * - `openclaw botcord-import`
+ * - `openclaw botcord-export`
  */
+import { existsSync } from "node:fs";
 import {
   defaultCredentialsFile,
   loadStoredCredentials,
@@ -20,6 +23,7 @@ import {
   getSingleAccountModeError,
   resolveAccountConfig,
 } from "../config.js";
+import { normalizeAndValidateHubUrl } from "../hub-url.js";
 import { getBotCordRuntime } from "../runtime.js";
 
 const DEFAULT_HUB = "https://api.botcord.chat";
@@ -40,6 +44,14 @@ interface ImportResult {
   credentialsFile: string;
 }
 
+interface ExportResult {
+  agentId: string;
+  keyId: string;
+  hub: string;
+  sourceFile?: string;
+  credentialsFile: string;
+}
+
 function buildRegistrationKeypair(config: Record<string, any>, newIdentity: boolean) {
   if (newIdentity) return generateKeypair();
 
@@ -110,6 +122,54 @@ async function persistCredentials(params: {
   return credentialsFile;
 }
 
+function resolveManagedCredentialsFile(accountConfig: Record<string, any>): string | undefined {
+  const credentialsFile = accountConfig.credentialsFile;
+  return typeof credentialsFile === "string" && credentialsFile.trim()
+    ? resolveCredentialsFilePath(credentialsFile)
+    : undefined;
+}
+
+function buildExportableCredentials(config: Record<string, any>): {
+  credentials: StoredBotCordCredentials;
+  sourceFile?: string;
+} {
+  const existingAccount = resolveAccountConfig(config);
+  const sourceFile = resolveManagedCredentialsFile(existingAccount);
+
+  if (sourceFile && !existingAccount.privateKey) {
+    throw new Error(`BotCord credentialsFile is configured but could not be loaded: ${sourceFile}`);
+  }
+
+  if (!existingAccount.hubUrl || !existingAccount.agentId || !existingAccount.keyId || !existingAccount.privateKey) {
+    throw new Error("BotCord is not fully configured (need hubUrl, agentId, keyId, privateKey)");
+  }
+
+  let displayName: string | undefined;
+  if (sourceFile) {
+    try {
+      displayName = loadStoredCredentials(sourceFile).displayName;
+    } catch {
+      displayName = undefined;
+    }
+  }
+
+  const derivedPublicKey = derivePublicKey(existingAccount.privateKey);
+
+  return {
+    sourceFile,
+    credentials: {
+      version: 1,
+      hubUrl: existingAccount.hubUrl,
+      agentId: existingAccount.agentId,
+      keyId: existingAccount.keyId,
+      privateKey: existingAccount.privateKey,
+      publicKey: derivedPublicKey,
+      displayName,
+      savedAt: new Date().toISOString(),
+    },
+  };
+}
+
 export async function registerAgent(opts: {
   name: string;
   bio: string;
@@ -129,20 +189,21 @@ export async function registerAgent(opts: {
     throw new Error(singleAccountError);
   }
 
-  const currentBotcord = ((config.channels as Record<string, any>)?.botcord ?? {}) as Record<string, any>;
   const existingAccount = resolveAccountConfig(config);
-  if (!newIdentity && currentBotcord.credentialsFile && !existingAccount.privateKey) {
+  const managedCredentialsFile = resolveManagedCredentialsFile(existingAccount);
+  if (!newIdentity && managedCredentialsFile && !existingAccount.privateKey) {
     throw new Error(
-      `BotCord credentialsFile is configured but could not be loaded: ${currentBotcord.credentialsFile}`,
+      `BotCord credentialsFile is configured but could not be loaded: ${managedCredentialsFile}`,
     );
   }
 
   // 1. Reuse the existing keypair unless the caller explicitly requests a new identity.
   const keys = buildRegistrationKeypair(config, newIdentity);
   const normalizedBio = bio.trim() || `${name} on BotCord`;
+  const normalizedHub = normalizeAndValidateHubUrl(hub);
 
   // 2. Register with Hub
-  const regResp = await fetch(`${hub}/registry/agents`, {
+  const regResp = await fetch(`${normalizedHub}/registry/agents`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
     body: JSON.stringify({
@@ -168,7 +229,7 @@ export async function registerAgent(opts: {
 
   // 4. Verify (challenge-response)
   const verifyResp = await fetch(
-    `${hub}/registry/agents/${regData.agent_id}/verify`,
+    `${normalizedHub}/registry/agents/${regData.agent_id}/verify`,
     {
       method: "POST",
       headers: { "Content-Type": "application/json" },
@@ -190,7 +251,7 @@ export async function registerAgent(opts: {
     config,
     credentials: {
       version: 1,
-      hubUrl: hub,
+      hubUrl: normalizedHub,
       agentId: regData.agent_id,
       keyId: regData.key_id,
       privateKey: keys.privateKey,
@@ -204,7 +265,7 @@ export async function registerAgent(opts: {
     agentId: regData.agent_id,
     keyId: regData.key_id,
     displayName: name,
-    hub,
+    hub: normalizedHub,
     credentialsFile,
   };
 }
@@ -241,6 +302,40 @@ export async function importAgentCredentials(opts: {
   };
 }
 
+export async function exportAgentCredentials(opts: {
+  config: Record<string, any>;
+  destinationFile: string;
+  force?: boolean;
+}): Promise<ExportResult> {
+  const {
+    config,
+    destinationFile,
+    force = false,
+  } = opts;
+  const singleAccountError = getSingleAccountModeError(config);
+  if (singleAccountError) {
+    throw new Error(singleAccountError);
+  }
+
+  const resolvedDestinationFile = resolveCredentialsFilePath(destinationFile);
+  if (!force && existsSync(resolvedDestinationFile)) {
+    throw new Error(
+      `Destination credentials file already exists: ${resolvedDestinationFile} (pass --force to overwrite)`,
+    );
+  }
+
+  const { credentials, sourceFile } = buildExportableCredentials(config);
+  const credentialsFile = writeCredentialsFile(resolvedDestinationFile, credentials);
+
+  return {
+    agentId: credentials.agentId,
+    keyId: credentials.keyId,
+    hub: credentials.hubUrl,
+    sourceFile,
+    credentialsFile,
+  };
+}
+
 export function createRegisterCli() {
   return {
     setup: (ctx: any) => {
@@ -296,7 +391,35 @@ export function createRegisterCli() {
             throw err;
           }
         });
+      ctx.program
+        .command("botcord-export")
+        .alias("botcord_export")
+        .description("Export the active BotCord credentials to a file")
+        .requiredOption("--dest <path>", "Destination path for the exported BotCord credentials JSON file")
+        .option("--force", "Overwrite the destination file if it already exists", false)
+        .action(async (options: { dest: string; force?: boolean }) => {
+          try {
+            const result = await exportAgentCredentials({
+              config: ctx.config,
+              destinationFile: options.dest,
+              force: options.force,
+            });
+            ctx.logger.info("BotCord credentials exported successfully!");
+            ctx.logger.info(`  Agent ID:     ${result.agentId}`);
+            ctx.logger.info(`  Key ID:       ${result.keyId}`);
+            ctx.logger.info(`  Hub:          ${result.hub}`);
+            if (result.sourceFile) {
+              ctx.logger.info(`  Source:       ${result.sourceFile}`);
+            } else {
+              ctx.logger.info("  Source:       inline config");
+            }
+            ctx.logger.info(`  Exported to:  ${result.credentialsFile}`);
+          } catch (err: any) {
+            ctx.logger.error(`Export failed: ${err.message}`);
+            throw err;
+          }
+        });
     },
-    commands: ["botcord-register", "botcord-import"],
+    commands: ["botcord-register", "botcord-import", "botcord-export"],
   };
 }

package/src/commands/token.ts

@@ -30,9 +30,8 @@ export function createTokenCommand() {
         return { text: "[FAIL] BotCord is not fully configured (need hubUrl, agentId, keyId, privateKey)" };
       }
 
-      const client = new BotCordClient(acct);
-
       try {
+        const client = new BotCordClient(acct);
         const token = await client.ensureToken();
         return { text: token };
       } catch (err: any) {

package/src/credentials.ts

@@ -2,6 +2,7 @@ import { chmodSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import { derivePublicKey } from "./crypto.js";
+import { normalizeAndValidateHubUrl } from "./hub-url.js";
 import type { BotCordAccountConfig } from "./types.js";
 
 export interface StoredBotCordCredentials {
@@ -69,9 +70,16 @@ export function loadStoredCredentials(credentialsFile: string): StoredBotCordCre
     );
   }
 
+  let normalizedHubUrl: string;
+  try {
+    normalizedHubUrl = normalizeAndValidateHubUrl(hubUrl);
+  } catch (err: any) {
+    throw new Error(`BotCord credentials file "${resolved}" has an invalid hubUrl: ${err.message}`);
+  }
+
   return {
     version: 1,
-    hubUrl,
+    hubUrl: normalizedHubUrl,
     agentId,
     keyId,
     privateKey,
@@ -103,8 +111,12 @@ export function writeCredentialsFile(
   credentials: StoredBotCordCredentials,
 ): string {
   const resolved = resolveCredentialsFilePath(credentialsFile);
+  const normalizedCredentials = {
+    ...credentials,
+    hubUrl: normalizeAndValidateHubUrl(credentials.hubUrl),
+  };
   mkdirSync(path.dirname(resolved), { recursive: true, mode: 0o700 });
-  writeFileSync(resolved, JSON.stringify(credentials, null, 2) + "\n", {
+  writeFileSync(resolved, JSON.stringify(normalizedCredentials, null, 2) + "\n", {
     encoding: "utf8",
     mode: 0o600,
   });

package/src/hub-url.ts

@@ -0,0 +1,41 @@
+const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);
+
+function isLoopbackHost(hostname: string): boolean {
+  const normalized = hostname.toLowerCase().replace(/^\[(.*)\]$/, "$1");
+  return LOOPBACK_HOSTS.has(normalized) || normalized.endsWith(".localhost");
+}
+
+export function normalizeAndValidateHubUrl(hubUrl: string): string {
+  const trimmed = hubUrl.trim();
+  if (!trimmed) {
+    throw new Error("BotCord hubUrl is required");
+  }
+
+  let parsed: URL;
+  try {
+    parsed = new URL(trimmed);
+  } catch {
+    throw new Error(`BotCord hubUrl must be a valid absolute URL: ${hubUrl}`);
+  }
+
+  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+    throw new Error("BotCord hubUrl must use http:// or https://");
+  }
+
+  if (parsed.protocol === "http:" && !isLoopbackHost(parsed.hostname)) {
+    throw new Error(
+      "BotCord hubUrl must use https:// unless it targets localhost, 127.0.0.1, or ::1 for local development",
+    );
+  }
+
+  return trimmed.replace(/\/$/, "");
+}
+
+export function buildHubWebSocketUrl(hubUrl: string): string {
+  const parsed = new URL(normalizeAndValidateHubUrl(hubUrl));
+  parsed.protocol = parsed.protocol === "https:" ? "wss:" : "ws:";
+  parsed.search = "";
+  parsed.hash = "";
+  parsed.pathname = `${parsed.pathname.replace(/\/$/, "")}/hub/ws`;
+  return parsed.toString();
+}

package/src/inbound.ts

@@ -44,6 +44,12 @@ function buildInboundHeader(params: {
   return parts.join(" | ");
 }
 
+function appendRoomRule(content: string, roomRule?: string | null): string {
+  const normalizedRule = roomRule?.trim();
+  if (!normalizedRule) return content;
+  return `${content}\n[Room Rule] ${normalizedRule}`;
+}
+
 export interface InboundParams {
   cfg: any;
   accountId: string;
@@ -92,14 +98,22 @@ export async function handleInboxMessage(
     chatType === "group"
       ? '\n\n[In group chats, do NOT reply unless you are explicitly mentioned or addressed. If no response is needed, reply with exactly "NO_REPLY" and nothing else.]'
       : '\n\n[If the conversation has naturally concluded or no response is needed, reply with exactly "NO_REPLY" and nothing else.]';
-  const content = `${header}\n${rawContent}${silentHint}`;
+
+  // Prompt the agent to notify its owner when receiving contact requests
+  const notifyOwnerHint =
+    envelope.type === "contact_request"
+      ? `\n\n[You received a contact request from ${senderId}. Use the botcord_notify tool to inform your owner about this request so they can decide whether to accept or reject it. Include the sender's agent ID and any message they attached.]`
+      : "";
+
+  const content = `${header}\n${rawContent}${silentHint}${notifyOwnerHint}`;
+  const contentWithRule = isGroupRoom ? appendRoomRule(content, msg.room_rule) : content;
 
   await dispatchInbound({
     cfg,
     accountId,
     senderName: senderId,
     senderId,
-    content: content as string,
+    content: contentWithRule,
     messageId: envelope.msg_id,
     messageType: envelope.type,
     chatType,