@cfio/cohort-sync 0.8.0 → 0.9.1

package/dist/index.js

@@ -16,9 +16,9 @@ __export(keychain_exports, {
   setCredential: () => setCredential
 });
 import { execFile } from "node:child_process";
-import os3 from "node:os";
+import os4 from "node:os";
 function assertMacOS(operation) {
-  if (os3.platform() !== "darwin") {
+  if (os4.platform() !== "darwin") {
     throw new Error(
       `cohort-sync: ${operation} requires macOS Keychain. On Linux/Windows, set your API key in OpenClaw config: plugins.entries.cohort-sync.config.apiKey`
     );
@@ -44,20 +44,20 @@ function isNotFoundError(err) {
   }
   return false;
 }
-async function setCredential(apiUrl, apiKey) {
+async function setCredential(apiUrl2, apiKey2) {
   assertMacOS("storing credentials");
   await securityCmd([
     "add-generic-password",
     "-s",
     SERVICE,
     "-a",
-    apiUrl,
+    apiUrl2,
     "-w",
-    apiKey,
+    apiKey2,
     "-U"
   ]);
 }
-async function getCredential(apiUrl) {
+async function getCredential(apiUrl2) {
   assertMacOS("reading credentials");
   try {
     const { stdout } = await securityCmd([
@@ -65,7 +65,7 @@ async function getCredential(apiUrl) {
       "-s",
       SERVICE,
       "-a",
-      apiUrl,
+      apiUrl2,
       "-w"
     ]);
     return stdout.trim();
@@ -74,7 +74,7 @@ async function getCredential(apiUrl) {
     throw err;
   }
 }
-async function deleteCredential(apiUrl) {
+async function deleteCredential(apiUrl2) {
   assertMacOS("deleting credentials");
   try {
     await securityCmd([
@@ -82,7 +82,7 @@ async function deleteCredential(apiUrl) {
       "-s",
       SERVICE,
       "-a",
-      apiUrl
+      apiUrl2
     ]);
     return true;
   } catch (err) {
@@ -98,10 +98,6 @@ var init_keychain = __esm({
   }
 });
 
-// src/hooks.ts
-import fs3 from "node:fs";
-import path3 from "node:path";
-
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.48/node_modules/@sinclair/typebox/build/esm/type/guard/value.mjs
 var value_exports = {};
 __export(value_exports, {
@@ -2708,17 +2704,43 @@ __export(type_exports2, {
 // ../../node_modules/.pnpm/@sinclair+typebox@0.34.48/node_modules/@sinclair/typebox/build/esm/type/type/index.mjs
 var Type = type_exports2;
 
+// src/hooks.ts
+import fs3 from "node:fs";
+import os3 from "node:os";
+import path3 from "node:path";
+
 // src/sync.ts
 import { execSync } from "node:child_process";
 function extractJson(raw) {
   const jsonStart = raw.search(/[\[{]/);
-  const jsonEndBracket = raw.lastIndexOf("]");
-  const jsonEndBrace = raw.lastIndexOf("}");
-  const jsonEnd = Math.max(jsonEndBracket, jsonEndBrace);
-  if (jsonStart === -1 || jsonEnd === -1 || jsonEnd < jsonStart) {
-    throw new Error("No JSON found in output");
+  if (jsonStart === -1) throw new Error("No JSON found in output");
+  const openChar = raw[jsonStart];
+  const closeChar = openChar === "[" ? "]" : "}";
+  let depth = 0;
+  let inString = false;
+  let escape = false;
+  for (let i = jsonStart; i < raw.length; i++) {
+    const ch = raw[i];
+    if (escape) {
+      escape = false;
+      continue;
+    }
+    if (ch === "\\") {
+      escape = true;
+      continue;
+    }
+    if (ch === '"') {
+      inString = !inString;
+      continue;
+    }
+    if (inString) continue;
+    if (ch === openChar) depth++;
+    else if (ch === closeChar) {
+      depth--;
+      if (depth === 0) return raw.slice(jsonStart, i + 1);
+    }
   }
-  return raw.slice(jsonStart, jsonEnd + 1);
+  throw new Error("No complete JSON found in output");
 }
 function fetchSkills(logger) {
   try {
@@ -2745,32 +2767,45 @@ var VALID_STATUSES = /* @__PURE__ */ new Set(["idle", "working", "waiting"]);
 function normalizeStatus(status) {
   return VALID_STATUSES.has(status) ? status : "idle";
 }
-async function v1Get(apiUrl, apiKey, path4) {
-  const res = await fetch(`${apiUrl.replace(/\/+$/, "")}${path4}`, {
-    headers: { Authorization: `Bearer ${apiKey}` },
+async function v1Get(apiUrl2, apiKey2, path4) {
+  const res = await fetch(`${apiUrl2.replace(/\/+$/, "")}${path4}`, {
+    headers: { Authorization: `Bearer ${apiKey2}` },
     signal: AbortSignal.timeout(1e4)
   });
   if (!res.ok) throw new Error(`GET ${path4} \u2192 ${res.status}`);
   return res.json();
 }
-async function v1Patch(apiUrl, apiKey, path4, body) {
-  const res = await fetch(`${apiUrl.replace(/\/+$/, "")}${path4}`, {
+async function v1Patch(apiUrl2, apiKey2, path4, body) {
+  const res = await fetch(`${apiUrl2.replace(/\/+$/, "")}${path4}`, {
     method: "PATCH",
-    headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
+    headers: { Authorization: `Bearer ${apiKey2}`, "Content-Type": "application/json" },
     body: JSON.stringify(body),
     signal: AbortSignal.timeout(1e4)
   });
   if (!res.ok) throw new Error(`PATCH ${path4} \u2192 ${res.status}`);
 }
-async function v1Post(apiUrl, apiKey, path4, body) {
-  const res = await fetch(`${apiUrl.replace(/\/+$/, "")}${path4}`, {
+async function v1Post(apiUrl2, apiKey2, path4, body) {
+  const res = await fetch(`${apiUrl2.replace(/\/+$/, "")}${path4}`, {
     method: "POST",
-    headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
+    headers: { Authorization: `Bearer ${apiKey2}`, "Content-Type": "application/json" },
     body: JSON.stringify(body),
     signal: AbortSignal.timeout(1e4)
   });
   if (!res.ok) throw new Error(`POST ${path4} \u2192 ${res.status}`);
 }
+function isNewerVersion(a, b) {
+  const strip = (v2) => v2.replace(/-.*$/, "");
+  const pa = strip(a).split(".").map(Number);
+  const pb = strip(b).split(".").map(Number);
+  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
+    const na = pa[i] ?? 0;
+    const nb = pb[i] ?? 0;
+    if (isNaN(na) || isNaN(nb)) return false;
+    if (na > nb) return true;
+    if (na < nb) return false;
+  }
+  return false;
+}
 async function checkForUpdate(currentVersion, logger) {
   try {
     const res = await fetch("https://registry.npmjs.org/@cfio/cohort-sync/latest", {
@@ -2779,9 +2814,9 @@ async function checkForUpdate(currentVersion, logger) {
     if (!res.ok) return;
     const data = await res.json();
     const latest = data.version;
-    if (latest && latest !== currentVersion) {
+    if (latest && latest !== currentVersion && isNewerVersion(latest, currentVersion)) {
       logger.warn(
-        `cohort-sync: update available (${currentVersion} \u2192 ${latest}) \u2014 run "npm install -g @cfio/cohort-sync" to update`
+        `cohort-sync: update available (${currentVersion} \u2192 ${latest}) \u2014 run "openclaw plugins install @cfio/cohort-sync" to update`
       );
     }
   } catch {
@@ -2811,16 +2846,20 @@ async function syncAgentStatus(agentName, status, model, cfg, logger) {
   }
 }
 async function syncSkillsToV1(skills, cfg, logger) {
+  let synced = 0;
   for (const skill of skills) {
     try {
       await v1Post(cfg.apiUrl, cfg.apiKey, "/api/v1/skills", {
         name: skill.name,
         description: skill.description
       });
+      synced++;
+      if (synced % 5 === 0) await new Promise((r) => setTimeout(r, 500));
     } catch (err) {
       logger.warn(`cohort-sync: failed to sync skill "${skill.name}": ${String(err)}`);
     }
   }
+  if (synced > 0) logger.info(`cohort-sync: synced ${synced}/${skills.length} skills`);
 }
 var lastKnownRoster = [];
 function getLastKnownRoster() {
@@ -2930,6 +2969,9 @@ async function fullSync(agentName, model, cfg, logger, openClawAgents) {
   logger.info("cohort-sync: full sync complete");
 }
 
+// src/convex-bridge.ts
+import { createHash } from "crypto";
+
 // ../../node_modules/.pnpm/convex@1.33.0_patch_hash=l43bztwr6e2lbmpd6ao6hmcg24_react@19.2.1/node_modules/convex/dist/esm/index.js
 var version = "1.33.0";
 
@@ -7860,14 +7902,14 @@ var require_node_gyp_build = __commonJS({
   "../common/temp/node_modules/.pnpm/node-gyp-build@4.8.4/node_modules/node-gyp-build/node-gyp-build.js"(exports, module) {
     var fs4 = __require("fs");
     var path4 = __require("path");
-    var os4 = __require("os");
+    var os5 = __require("os");
     var runtimeRequire = typeof __webpack_require__ === "function" ? __non_webpack_require__ : __require;
     var vars = process.config && process.config.variables || {};
     var prebuildsOnly = !!process.env.PREBUILDS_ONLY;
     var abi = process.versions.modules;
     var runtime = isElectron() ? "electron" : isNwjs() ? "node-webkit" : "node";
-    var arch = process.env.npm_config_arch || os4.arch();
-    var platform = process.env.npm_config_platform || os4.platform();
+    var arch = process.env.npm_config_arch || os5.arch();
+    var platform = process.env.npm_config_platform || os5.platform();
     var libc = process.env.LIBC || (isAlpine(platform) ? "musl" : "glibc");
     var armv = process.env.ARM_VERSION || (arch === "arm64" ? "8" : vars.arm_version) || "";
     var uv = (process.versions.uv || "").split(".")[0];
@@ -10219,7 +10261,7 @@ var require_websocket = __commonJS({
     var http = __require("http");
     var net = __require("net");
     var tls = __require("tls");
-    var { randomBytes, createHash } = __require("crypto");
+    var { randomBytes, createHash: createHash2 } = __require("crypto");
     var { Duplex, Readable } = __require("stream");
     var { URL: URL2 } = __require("url");
     var PerMessageDeflate = require_permessage_deflate();
@@ -10876,7 +10918,7 @@ var require_websocket = __commonJS({
           abortHandshake(websocket, socket, "Invalid Upgrade header");
           return;
         }
-        const digest = createHash("sha1").update(key + GUID).digest("base64");
+        const digest = createHash2("sha1").update(key + GUID).digest("base64");
         if (res.headers["sec-websocket-accept"] !== digest) {
           abortHandshake(websocket, socket, "Invalid Sec-WebSocket-Accept header");
           return;
@@ -11141,7 +11183,7 @@ var require_websocket_server = __commonJS({
     var EventEmitter = __require("events");
     var http = __require("http");
     var { Duplex } = __require("stream");
-    var { createHash } = __require("crypto");
+    var { createHash: createHash2 } = __require("crypto");
     var extension = require_extension();
     var PerMessageDeflate = require_permessage_deflate();
     var subprotocol = require_subprotocol();
@@ -11436,7 +11478,7 @@ var require_websocket_server = __commonJS({
           );
         }
         if (this._state > RUNNING) return abortHandshake(socket, 503);
-        const digest = createHash("sha1").update(key + GUID).digest("base64");
+        const digest = createHash2("sha1").update(key + GUID).digest("base64");
         const headers = [
           "HTTP/1.1 101 Switching Protocols",
           "Upgrade: websocket",
@@ -11773,12 +11815,40 @@ function reverseResolveAgentName(cohortName, forwardMap) {
 }
 
 // src/commands.ts
-var cronRunNowPoll = null;
+var RATE_LIMIT_WINDOW_MS = 6e4;
+var RATE_LIMIT_MAX = 10;
+var commandTimestamps = [];
+function checkRateLimit() {
+  const now = Date.now();
+  while (commandTimestamps.length > 0 && commandTimestamps[0] < now - RATE_LIMIT_WINDOW_MS) {
+    commandTimestamps.shift();
+  }
+  if (commandTimestamps.length >= RATE_LIMIT_MAX) {
+    return false;
+  }
+  commandTimestamps.push(now);
+  return true;
+}
+var MAX_CRON_MESSAGE_LENGTH = 1e3;
 async function executeCommand(cmd, gwClient, cfg, resolveAgentName, logger) {
+  logger.info(`cohort-sync: executing command type=${cmd.type} id=${cmd._id}`);
+  if (!checkRateLimit()) {
+    logger.warn(`cohort-sync: rate limit exceeded (>${RATE_LIMIT_MAX} commands/min), rejecting command ${cmd._id}`);
+    throw new Error(`Rate limit exceeded: more than ${RATE_LIMIT_MAX} commands per minute`);
+  }
+  if (cmd.payload?.message && cmd.payload.message.length > MAX_CRON_MESSAGE_LENGTH) {
+    logger.warn(`cohort-sync: cron message too long (${cmd.payload.message.length} chars, max ${MAX_CRON_MESSAGE_LENGTH}), rejecting command ${cmd._id}`);
+    throw new Error(`Cron message exceeds maximum length of ${MAX_CRON_MESSAGE_LENGTH} characters`);
+  }
   if (cmd.type === "restart") {
-    logger.info("cohort-sync: restart command, terminating in 500ms");
-    await new Promise((r) => setTimeout(r, 500));
-    process.kill(process.pid, "SIGTERM");
+    if (gwClient && gwClient.isAlive()) {
+      logger.warn(`cohort-sync: RESTART command received (id=${cmd._id}), issuing graceful gateway restart`);
+      await gwClient.request("gateway.restart", { reason: "Cohort restart command" });
+    } else {
+      logger.warn(`cohort-sync: RESTART command received (id=${cmd._id}), no gateway client \u2014 falling back to SIGTERM`);
+      await new Promise((r) => setTimeout(r, 500));
+      process.kill(process.pid, "SIGTERM");
+    }
     return;
   }
   if (cmd.type.startsWith("cron")) {
@@ -11806,41 +11876,7 @@ async function executeCommand(cmd, gwClient, cfg, resolveAgentName, logger) {
         });
         break;
       case "cronRunNow": {
-        const runResult = await gwClient.request(
-          "cron.run",
-          { jobId: cmd.payload?.jobId }
-        );
-        if (runResult?.ok && runResult?.ran) {
-          const jobId = cmd.payload?.jobId;
-          let polls = 0;
-          if (cronRunNowPoll) clearInterval(cronRunNowPoll);
-          const pollInterval = setInterval(async () => {
-            polls++;
-            if (polls >= 15) {
-              clearInterval(pollInterval);
-              cronRunNowPoll = null;
-              return;
-            }
-            try {
-              if (!gwClient || !gwClient.isAlive()) {
-                clearInterval(pollInterval);
-                cronRunNowPoll = null;
-                return;
-              }
-              const pollResult = await gwClient.request("cron.list");
-              const freshJobs = Array.isArray(pollResult) ? pollResult : pollResult?.jobs ?? [];
-              const job = freshJobs.find((j) => j.id === jobId);
-              if (job && !job.state?.runningAtMs) {
-                clearInterval(pollInterval);
-                cronRunNowPoll = null;
-                const mapped = freshJobs.map((j) => mapCronJob(j, resolveAgentName));
-                await pushCronSnapshot(cfg.apiKey, mapped);
-              }
-            } catch {
-            }
-          }, 2e3);
-          cronRunNowPoll = pollInterval;
-        }
+        await gwClient.request("cron.run", { jobId: cmd.payload?.jobId });
         break;
       }
       case "cronCreate": {
@@ -11875,7 +11911,7 @@ async function executeCommand(cmd, gwClient, cfg, resolveAgentName, logger) {
     }
     if (gwClient.isAlive()) {
       try {
-        const snapResult = await gwClient.request("cron.list");
+        const snapResult = await gwClient.request("cron.list", { includeDisabled: true });
         const freshJobs = Array.isArray(snapResult) ? snapResult : snapResult?.jobs ?? [];
         const mapped = freshJobs.map((j) => mapCronJob(j, resolveAgentName));
         await pushCronSnapshot(cfg.apiKey, mapped);
@@ -11889,8 +11925,15 @@ async function executeCommand(cmd, gwClient, cfg, resolveAgentName, logger) {
 }
 
 // src/convex-bridge.ts
-function deriveConvexUrl(apiUrl) {
-  return apiUrl.replace(/\.convex\.site\/?$/, ".convex.cloud");
+function hashApiKey(key) {
+  return createHash("sha256").update(key).digest("hex");
+}
+function deriveConvexUrl(apiUrl2) {
+  const normalized = apiUrl2.replace(/\/+$/, "");
+  if (/^https?:\/\/api\.cohort\.bot$/i.test(normalized)) {
+    return normalized.replace(/api\.cohort\.bot$/i, "ws.cohort.bot");
+  }
+  return apiUrl2.replace(/\.convex\.site\/?$/, ".convex.cloud");
 }
 var savedLogger = null;
 function setLogger(logger) {
@@ -11911,6 +11954,7 @@ function createClient(convexUrl) {
     client.close();
   }
   savedConvexUrl = convexUrl;
+  authCircuitOpen = false;
   client = new ConvexClient(convexUrl);
   return client;
 }
@@ -11938,6 +11982,17 @@ function closeBridge() {
   }
   savedConvexUrl = null;
 }
+var authCircuitOpen = false;
+function isUnauthorizedError(err) {
+  return String(err).includes("Unauthorized");
+}
+function tripAuthCircuit() {
+  if (authCircuitOpen) return;
+  authCircuitOpen = true;
+  getLogger().error(
+    "cohort-sync: API key rejected \u2014 all outbound mutations disabled until gateway restart. Re-run `openclaw cohort auth` to issue a new key, then restart the gateway."
+  );
+}
 var commandUnsubscriber = null;
 var upsertTelemetryFromPlugin = makeFunctionReference("telemetryPlugin:upsertTelemetryFromPlugin");
 var upsertSessionsFromPlugin = makeFunctionReference("telemetryPlugin:upsertSessionsFromPlugin");
@@ -11949,62 +12004,101 @@ var getPendingCommandsForPlugin = makeFunctionReference("gatewayCommands:getPend
 var acknowledgeCommandRef = makeFunctionReference("gatewayCommands:acknowledgeCommand");
 var failCommandRef = makeFunctionReference("gatewayCommands:failCommand");
 var addCommentFromPluginRef = makeFunctionReference("comments:addCommentFromPlugin");
-async function pushTelemetry(apiKey, data) {
+async function pushTelemetry(apiKey2, data) {
+  if (authCircuitOpen) return;
   const c = getClient();
   if (!c) return;
   try {
-    await c.mutation(upsertTelemetryFromPlugin, { apiKey, ...data });
+    await c.mutation(upsertTelemetryFromPlugin, { apiKeyHash: hashApiKey(apiKey2), ...data });
   } catch (err) {
+    if (isUnauthorizedError(err)) {
+      tripAuthCircuit();
+      return;
+    }
     getLogger().error(`cohort-sync: pushTelemetry failed: ${err}`);
   }
 }
-async function pushSessions(apiKey, agentName, sessions) {
+async function pushSessions(apiKey2, agentName, sessions) {
+  if (authCircuitOpen) return;
   const c = getClient();
   if (!c) return;
   try {
-    await c.mutation(upsertSessionsFromPlugin, { apiKey, agentName, sessions });
+    await c.mutation(upsertSessionsFromPlugin, { apiKeyHash: hashApiKey(apiKey2), agentName, sessions });
   } catch (err) {
+    if (isUnauthorizedError(err)) {
+      tripAuthCircuit();
+      return;
+    }
     getLogger().error(`cohort-sync: pushSessions failed: ${err}`);
   }
 }
-async function pushActivity(apiKey, entries) {
-  if (entries.length === 0) return;
+async function pushActivity(apiKey2, entries) {
+  if (authCircuitOpen || entries.length === 0) return;
   const c = getClient();
   if (!c) return;
   try {
-    await c.mutation(pushActivityFromPluginRef, { apiKey, entries });
+    await c.mutation(pushActivityFromPluginRef, { apiKeyHash: hashApiKey(apiKey2), entries });
   } catch (err) {
+    if (isUnauthorizedError(err)) {
+      tripAuthCircuit();
+      return;
+    }
     getLogger().error(`cohort-sync: pushActivity failed: ${err}`);
   }
 }
-async function pushCronSnapshot(apiKey, jobs) {
+async function pushCronSnapshot(apiKey2, jobs) {
+  if (authCircuitOpen) return false;
   const c = getClient();
   if (!c) return false;
   try {
-    await c.mutation(upsertCronSnapshotFromPluginRef, { apiKey, jobs });
+    await c.mutation(upsertCronSnapshotFromPluginRef, { apiKeyHash: hashApiKey(apiKey2), jobs });
     return true;
   } catch (err) {
+    if (isUnauthorizedError(err)) {
+      tripAuthCircuit();
+      return false;
+    }
     getLogger().error(`cohort-sync: pushCronSnapshot failed: ${err}`);
     return false;
   }
 }
-async function callAddCommentFromPlugin(apiKey, args) {
+async function callAddCommentFromPlugin(apiKey2, args) {
+  if (authCircuitOpen) {
+    throw new Error("API key rejected \u2014 re-run `openclaw cohort auth` and restart the gateway");
+  }
   const c = getClient();
   if (!c) {
     throw new Error("Convex client not initialized \u2014 subscription may not be active");
   }
-  return await c.mutation(addCommentFromPluginRef, {
-    apiKey,
-    taskNumber: args.taskNumber,
-    agentName: args.agentName,
-    content: args.content,
-    noReply: args.noReply
-  });
+  try {
+    return await c.mutation(addCommentFromPluginRef, {
+      apiKeyHash: hashApiKey(apiKey2),
+      taskNumber: args.taskNumber,
+      agentName: args.agentName,
+      content: args.content,
+      noReply: args.noReply
+    });
+  } catch (err) {
+    if (isUnauthorizedError(err)) {
+      tripAuthCircuit();
+    }
+    throw err;
+  }
 }
 var DEFAULT_BEHAVIORAL_PROMPT = `BEFORE RESPONDING:
 - Does your planned response address the task's stated scope? If not, do not comment.
 - Do not post acknowledgment-only responses ("got it", "sounds good", "confirmed"). If you have no new information to add, do not comment.
 - If the work is complete, transition the task to "waiting" and set noReply=true on your final comment, then stop working on this task.`;
+var TOOLS_REFERENCE = `
+TOOLS: Use these \u2014 do NOT call the REST API directly.
+- cohort_comment(task_number, comment) \u2014 post a comment
+- cohort_task(task_number) \u2014 fetch full task details + comments
+- cohort_transition(task_number, status) \u2014 change status
+- cohort_assign(task_number, assignee) \u2014 assign/unassign
+- cohort_context() \u2014 get your session briefing`;
+function sanitizePreview(raw) {
+  return raw.replace(/<\/?user_comment>/gi, "");
+}
 function buildNotificationMessage(n) {
   let header;
   let cta;
@@ -12013,11 +12107,11 @@ function buildNotificationMessage(n) {
       if (n.isMentioned) {
         header = `You were @mentioned on task #${n.taskNumber} "${n.taskTitle}"
 By: ${n.actorName}`;
-        cta = "You were directly mentioned. Read the comment and respond using the cohort_comment tool.";
+        cta = `You were directly mentioned. Read the comment and respond using the cohort_comment tool (taskNumber: ${n.taskNumber}).`;
       } else {
         header = `New comment on task #${n.taskNumber} "${n.taskTitle}"
 From: ${n.actorName}`;
-        cta = "Read the comment thread and respond using the cohort_comment tool if appropriate.";
+        cta = `You were NOT @mentioned \u2014 you are receiving this because you are subscribed to this task. Do not respond unless you see something incorrect, urgent, or directly relevant to your expertise that others have missed.`;
       }
       break;
     case "assignment":
@@ -12035,8 +12129,19 @@ By: ${n.actorName}`;
 From: ${n.actorName}`;
       cta = "Check the task and respond if needed.";
   }
-  const body = n.preview ? `
-Comment: "${n.preview}"` : "";
+  let body = "";
+  if (n.preview) {
+    if (n.type === "comment") {
+      const safe = sanitizePreview(n.preview);
+      body = `
+<user_comment>
+${safe}
+</user_comment>`;
+    } else {
+      body = `
+Comment: "${n.preview}"`;
+    }
+  }
   let scope = "";
   if (n.taskDescription && n.type === "comment") {
     const truncated = n.taskDescription.length > 500 ? n.taskDescription.slice(0, 500) + "..." : n.taskDescription;
@@ -12053,7 +12158,7 @@ ${DEFAULT_BEHAVIORAL_PROMPT}` : DEFAULT_BEHAVIORAL_PROMPT;
 ${prompt}` : "";
   return `${header}${scope}${body}
 
-${cta}${promptBlock}`;
+${cta}${promptBlock}${TOOLS_REFERENCE}`;
 }
 async function injectNotification(port, hooksToken, n, agentId = "main") {
   const response = await fetch(`http://localhost:${port}/hooks/agent`, {
@@ -12068,13 +12173,16 @@ async function injectNotification(port, hooksToken, n, agentId = "main") {
       agentId,
       deliver: false,
       sessionKey: `hook:cohort:task-${n.taskNumber}`
-    })
+    }),
+    signal: AbortSignal.timeout(1e4)
   });
   if (!response.ok) {
     throw new Error(`/hooks/agent returned ${response.status} ${response.statusText}`);
   }
 }
-async function startNotificationSubscription(port, cfg, hooksToken, logger) {
+var deliveryFailures = /* @__PURE__ */ new Map();
+var MAX_DELIVERY_ATTEMPTS = 3;
+async function startNotificationSubscription(port, cfg, hooksToken, logger, gwClient) {
   const c = getClient();
   if (!c) {
     logger.warn("cohort-sync: no ConvexClient \u2014 notification subscription skipped");
@@ -12084,7 +12192,6 @@ async function startNotificationSubscription(port, cfg, hooksToken, logger) {
     logger.warn(
       `cohort-sync: hooks.token not configured \u2014 real-time notifications disabled (telemetry will still be pushed).`
     );
-    return;
   }
   const agentNames = cfg.agentNameMap ? Object.values(cfg.agentNameMap) : ["main"];
   const reverseNameMap = {};
@@ -12097,23 +12204,54 @@ async function startNotificationSubscription(port, cfg, hooksToken, logger) {
     const openclawAgentId = reverseNameMap[agentName] ?? agentName;
     logger.info(`cohort-sync: subscribing to notifications for agent "${agentName}" (openclawId: "${openclawAgentId}")`);
     let processing = false;
+    const apiKeyHash = hashApiKey(cfg.apiKey);
     const unsubscribe = c.onUpdate(
       getUndeliveredForPlugin,
-      { agent: agentName, apiKey: cfg.apiKey },
+      { agent: agentName, apiKeyHash },
       async (notifications) => {
-        if (processing) return;
+        if (authCircuitOpen || processing) return;
         processing = true;
         try {
           for (const n of notifications) {
+            const failCount = deliveryFailures.get(n._id) ?? 0;
+            if (failCount >= MAX_DELIVERY_ATTEMPTS) {
+              continue;
+            }
             try {
-              await injectNotification(port, hooksToken, n, openclawAgentId);
-              logger.info(`cohort-sync: injected notification for task #${n.taskNumber} (${agentName})`);
+              if (hooksToken) {
+                await injectNotification(port, hooksToken, n, openclawAgentId);
+                logger.info(`cohort-sync: injected notification for task #${n.taskNumber} (${agentName})`);
+              } else {
+                throw new Error(
+                  `no transport available for notification ${n._id} (gwClient alive: ${gwClient?.isAlive() ?? "null"}, hooksToken: ${!!hooksToken})`
+                );
+              }
               await c.mutation(markDeliveredByPlugin, {
                 notificationId: n._id,
-                apiKey: cfg.apiKey
+                apiKeyHash
               });
+              deliveryFailures.delete(n._id);
             } catch (err) {
-              logger.warn(`cohort-sync: failed to inject notification ${n._id}: ${String(err)}`);
+              const newFailCount = failCount + 1;
+              deliveryFailures.set(n._id, newFailCount);
+              if (newFailCount >= MAX_DELIVERY_ATTEMPTS) {
+                logger.error(
+                  `cohort-sync: dead-letter notification ${n._id} for task #${n.taskNumber} (${n.type} from ${n.actorName}) after ${MAX_DELIVERY_ATTEMPTS} failed delivery attempts: ${String(err)}`
+                );
+                try {
+                  await c.mutation(markDeliveredByPlugin, {
+                    notificationId: n._id,
+                    apiKeyHash
+                  });
+                  deliveryFailures.delete(n._id);
+                } catch (markErr) {
+                  logger.error(`cohort-sync: failed to dead-letter ${n._id}: ${String(markErr)}`);
+                }
+              } else {
+                logger.warn(
+                  `cohort-sync: failed to inject notification ${n._id} (attempt ${newFailCount}/${MAX_DELIVERY_ATTEMPTS}): ${String(err)}`
+                );
+              }
             }
           }
         } finally {
@@ -12121,6 +12259,10 @@ async function startNotificationSubscription(port, cfg, hooksToken, logger) {
         }
       },
       (err) => {
+        if (isUnauthorizedError(err)) {
+          tripAuthCircuit();
+          return;
+        }
         logger.error(`cohort-sync: subscription error for "${agentName}": ${String(err)}`);
       }
     );
@@ -12134,11 +12276,12 @@ function startCommandSubscription(cfg, logger, resolveAgentName, gwClient) {
     return null;
   }
   let processing = false;
+  const apiKeyHash = hashApiKey(cfg.apiKey);
   const unsubscribe = c.onUpdate(
     getPendingCommandsForPlugin,
-    { apiKey: cfg.apiKey },
+    { apiKeyHash },
     async (commands) => {
-      if (processing) return;
+      if (authCircuitOpen || processing) return;
       if (commands.length === 0) return;
       processing = true;
       try {
@@ -12147,19 +12290,27 @@ function startCommandSubscription(cfg, logger, resolveAgentName, gwClient) {
           try {
             await c.mutation(acknowledgeCommandRef, {
               commandId: cmd._id,
-              apiKey: cfg.apiKey
+              apiKeyHash
             });
             await executeCommand(cmd, gwClient, cfg, resolveAgentName, logger);
             if (cmd.type === "restart") return;
           } catch (err) {
+            if (isUnauthorizedError(err)) {
+              tripAuthCircuit();
+              return;
+            }
             logger.error(`cohort-sync: failed to process command ${cmd._id}: ${String(err)}`);
             try {
               await c.mutation(failCommandRef, {
                 commandId: cmd._id,
-                apiKey: cfg.apiKey,
+                apiKeyHash,
                 reason: String(err).slice(0, 500)
               });
             } catch (failErr) {
+              if (isUnauthorizedError(failErr)) {
+                tripAuthCircuit();
+                return;
+              }
               logger.error(`cohort-sync: failed to mark command ${cmd._id} as failed: ${String(failErr)}`);
             }
           }
@@ -12169,6 +12320,10 @@ function startCommandSubscription(cfg, logger, resolveAgentName, gwClient) {
       }
     },
     (err) => {
+      if (isUnauthorizedError(err)) {
+        tripAuthCircuit();
+        return;
+      }
       logger.error(`cohort-sync: command subscription error: ${String(err)}`);
     }
   );
@@ -12293,7 +12448,8 @@ var ALLOWED_METHODS = /* @__PURE__ */ new Set([
   "sessions.preview",
   "agent",
   "snapshot",
-  "system.presence"
+  "system.presence",
+  "gateway.restart"
 ]);
 function buildConnectFrame(id, token, pluginVersion, identity, nonce) {
   const signedAtMs = Date.now();
@@ -12302,7 +12458,7 @@ function buildConnectFrame(id, token, pluginVersion, identity, nonce) {
     clientId: "gateway-client",
     clientMode: "backend",
     role: "operator",
-    scopes: ["operator.read", "operator.write"],
+    scopes: ["operator.read", "operator.write", "operator.admin"],
     signedAtMs,
     token,
     nonce,
@@ -12324,7 +12480,7 @@ function buildConnectFrame(id, token, pluginVersion, identity, nonce) {
         mode: "backend"
       },
       role: "operator",
-      scopes: ["operator.read", "operator.write"],
+      scopes: ["operator.read", "operator.write", "operator.admin"],
       auth: { token },
       device: {
         id: identity.deviceId,
@@ -12352,8 +12508,9 @@ function parseHelloOk(response) {
     throw new Error(`Unexpected payload type: ${String(payload?.type ?? "missing")}`);
   }
   const policy = payload.policy ?? {};
-  const methods = payload.methods ?? [];
-  const events = payload.events ?? [];
+  const features = payload.features;
+  const methods = features?.methods ?? payload.methods ?? [];
+  const events = features?.events ?? payload.events ?? [];
   return {
     methods: new Set(methods),
     events: new Set(events),
@@ -12825,6 +12982,15 @@ function parseSessionKey(key) {
     if (rest[0] === "main") {
       return { kind: "direct", channel: "signal" };
     }
+    if (rest[0] === "cron") {
+      return { kind: "cron", channel: "cron", identifier: rest.slice(1).join(":") };
+    }
+    if (rest[0] === "subagent") {
+      return { kind: "subagent", channel: "subagent", identifier: rest.slice(1).join(":") };
+    }
+    if (rest[0] === "acp") {
+      return { kind: "acp", channel: "acp", identifier: rest.slice(1).join(":") };
+    }
     if (rest[0] === "signal") {
       if (rest[1] === "group") {
         return { kind: "group", channel: "signal", identifier: rest.slice(2).join(":") };
@@ -12838,6 +13004,14 @@ function parseSessionKey(key) {
     if (rest[0] === "slack" && rest[1] === "channel") {
       return { kind: "group", channel: "slack", identifier: rest[2] };
     }
+    const channel = rest[0];
+    if (rest.includes("group") || rest.includes("channel")) {
+      return { kind: "group", channel, identifier: rest.slice(1).join(":") };
+    }
+    if (rest.includes("dm") || rest.includes("direct")) {
+      return { kind: "direct", channel, identifier: rest.slice(1).join(":") };
+    }
+    return { kind: "direct", channel, identifier: rest.slice(1).join(":") || void 0 };
   }
   return { kind: "cli", channel: "cli" };
 }
@@ -13315,6 +13489,30 @@ var POCKET_GUIDE = `# Cohort Agent Guide (Pocket Version)
 - Don't ignore workspace-specific overrides from your context response.
 `;
 
+// src/types.ts
+var DEFAULT_API_URL = "https://api.cohort.bot";
+
+// src/tool-runtime.ts
+var apiKey = null;
+var apiUrl = DEFAULT_API_URL;
+var resolveAgentNameFn = null;
+var loggerRef = null;
+function setToolRuntime(state) {
+  apiKey = state.apiKey;
+  apiUrl = state.apiUrl;
+  resolveAgentNameFn = state.resolveAgentName;
+  loggerRef = state.logger;
+}
+function getToolRuntime() {
+  return {
+    apiKey,
+    apiUrl,
+    resolveAgentName: resolveAgentNameFn,
+    logger: loggerRef,
+    isReady: apiKey !== null && resolveAgentNameFn !== null
+  };
+}
+
 // src/hooks.ts
 var REDACT_KEYS = /* @__PURE__ */ new Set([
   "token",
@@ -13362,6 +13560,12 @@ try {
 } catch {
 }
 diag("MODULE_LOADED", { PLUGIN_VERSION });
+var _gatewayStartHandler = null;
+async function handleGatewayStart(event) {
+  if (_gatewayStartHandler) {
+    await _gatewayStartHandler(event);
+  }
+}
 function resolveGatewayToken(api) {
   const rawToken = api.config?.gateway?.auth?.token;
   if (typeof rawToken === "string") return rawToken;
@@ -13447,7 +13651,7 @@ function saveSessionsToDisk(tracker2) {
         data.sessions.push({ agentName: name, key });
       }
     }
-    fs3.writeFileSync(STATE_FILE_PATH, JSON.stringify(data));
+    fs3.writeFileSync(STATE_FILE_PATH, JSON.stringify(data), { mode: 384 });
   } catch {
   }
 }
@@ -13478,54 +13682,35 @@ function loadSessionsFromDisk(tracker2, logger) {
   } catch {
   }
 }
-async function fetchAgentContext(apiKey, apiUrl, logger) {
-  try {
-    const response = await fetch(`${apiUrl}/api/v1/context`, {
-      method: "GET",
-      headers: { "Authorization": `Bearer ${apiKey}` }
-    });
-    if (!response.ok) {
-      logger.warn(`cohort-sync: /context returned ${response.status}, using pocket guide`);
-      return POCKET_GUIDE;
-    }
-    const data = await response.json();
-    return data.briefing || POCKET_GUIDE;
-  } catch (err) {
-    logger.warn(`cohort-sync: /context fetch failed: ${String(err)}, using pocket guide`);
-    return POCKET_GUIDE;
-  }
-}
-async function initGatewayClient(port, token, cfg, resolveAgentName, logger) {
+function initGatewayClient(port, token, cfg, resolveAgentName, logger) {
   const client2 = new GatewayClient(port, token, logger, PLUGIN_VERSION);
-  await client2.connect();
   persistentGwClient = client2;
   gwClientInitialized = true;
-  registerCronEventHandlers(client2, cfg, resolveAgentName);
-  if (client2.availableEvents.has("shutdown")) {
-    client2.on("shutdown", () => {
-      diag("GW_CLIENT_SHUTDOWN_EVENT", {});
-      logger.info("cohort-sync: gateway shutdown event received");
-    });
-  }
-  client2.onReconnect = async () => {
-    diag("GW_CLIENT_RECONNECTED_RESUBSCRIBE", {});
+  const onConnected = async () => {
+    diag("GW_CLIENT_CONNECTED", { methods: client2.availableMethods.size, events: client2.availableEvents.size });
+    logger.info(`cohort-sync: gateway client connected (methods=${client2.availableMethods.size}, events=${client2.availableEvents.size})`);
     registerCronEventHandlers(client2, cfg, resolveAgentName);
+    if (client2.availableEvents.has("shutdown")) {
+      client2.on("shutdown", () => {
+        diag("GW_CLIENT_SHUTDOWN_EVENT", {});
+        logger.info("cohort-sync: gateway shutdown event received");
+      });
+    }
     try {
-      const cronResult2 = await client2.request("cron.list", { includeDisabled: true });
-      const jobs2 = Array.isArray(cronResult2) ? cronResult2 : cronResult2?.jobs ?? [];
-      const mapped2 = jobs2.map((j) => mapCronJob(j, resolveAgentName));
-      await pushCronSnapshot(cfg.apiKey, mapped2);
-      diag("GW_CLIENT_RECONNECT_CRON_PUSH", { count: mapped2.length });
+      const cronResult = await client2.request("cron.list", { includeDisabled: true });
+      const jobs = Array.isArray(cronResult) ? cronResult : cronResult?.jobs ?? [];
+      const mapped = jobs.map((j) => mapCronJob(j, resolveAgentName));
+      await pushCronSnapshot(cfg.apiKey, mapped);
+      diag("GW_CLIENT_CRON_PUSH", { count: mapped.length });
     } catch (err) {
-      diag("GW_CLIENT_RECONNECT_CRON_FAILED", { error: String(err) });
+      diag("GW_CLIENT_CRON_PUSH_FAILED", { error: String(err) });
     }
   };
-  diag("GW_CLIENT_CONNECTED", { methods: client2.availableMethods.size, events: client2.availableEvents.size });
-  const cronResult = await client2.request("cron.list", { includeDisabled: true });
-  const jobs = Array.isArray(cronResult) ? cronResult : cronResult?.jobs ?? [];
-  const mapped = jobs.map((j) => mapCronJob(j, resolveAgentName));
-  await pushCronSnapshot(cfg.apiKey, mapped);
-  diag("GW_CLIENT_INITIAL_CRON_PUSH", { count: mapped.length });
+  client2.onReconnect = onConnected;
+  client2.connect().then(() => onConnected()).catch((err) => {
+    diag("GW_CLIENT_INITIAL_CONNECT_DEFERRED", { error: String(err) });
+    logger.warn(`cohort-sync: GW connect will retry: ${String(err)}`);
+  });
 }
 function registerHooks(api, cfg) {
   STATE_FILE_PATH = path3.join(cfg.stateDir, "session-state.json");
@@ -13535,6 +13720,12 @@ function registerHooks(api, cfg) {
   const convexUrl = cfg.convexUrl ?? deriveConvexUrl(cfg.apiUrl);
   createClient(convexUrl);
   setLogger(logger);
+  gatewayPort = api.config?.gateway?.port ?? null;
+  gatewayToken = resolveGatewayToken(api);
+  if (gatewayPort && gatewayToken) {
+    initGatewayClient(gatewayPort, gatewayToken, cfg, resolveAgentName, logger);
+  }
+  const cronStorePath = api.config?.cron?.store ?? path3.join(os3.homedir(), ".openclaw", "cron", "jobs.json");
   logger.info(`cohort-sync: registerHooks v${PLUGIN_VERSION}`);
   diag("REGISTER_HOOKS", {
     PLUGIN_VERSION,
@@ -13575,6 +13766,12 @@ function registerHooks(api, cfg) {
   function resolveAgentName(agentId) {
     return (nameMap?.[agentId] ?? identityNameMap[agentId] ?? agentId).toLowerCase();
   }
+  setToolRuntime({
+    apiKey: cfg.apiKey,
+    apiUrl: cfg.apiUrl,
+    resolveAgentName,
+    logger
+  });
   function resolveAgentFromContext(ctx) {
     const allCtxKeys = Object.keys(ctx);
     diag("RESOLVE_AGENT_FROM_CTX_START", {
@@ -13656,101 +13853,6 @@ function registerHooks(api, cfg) {
     const unsub = startCommandSubscription(cfg, logger, resolveAgentName, persistentGwClient);
     commandUnsubscriber2 = unsub;
   }
-  api.registerTool((toolCtx) => {
-    const agentId = toolCtx.agentId ?? "main";
-    const agentName = resolveAgentName(agentId);
-    return {
-      name: "cohort_comment",
-      label: "cohort_comment",
-      description: "Post a comment on a Cohort task. Use this to respond to @mentions or collaborate on tasks.",
-      parameters: Type.Object({
-        task_number: Type.Number({ description: "Task number (e.g. 312)" }),
-        comment: Type.String({ description: "Comment text to post" }),
-        no_reply: Type.Optional(Type.Boolean({
-          description: "If true, no notifications will be sent for this comment. Use for final/closing comments."
-        }))
-      }),
-      async execute(_toolCallId, params) {
-        try {
-          const result = await callAddCommentFromPlugin(cfg.apiKey, {
-            taskNumber: params.task_number,
-            agentName,
-            content: params.comment,
-            noReply: params.no_reply ?? false
-          });
-          const lines = [`Comment posted on task #${params.task_number}.`];
-          if (result.stats) {
-            lines.push("");
-            lines.push(`This task has ${result.stats.totalComments} comments. ${result.stats.myRecentCount}/${result.stats.threshold} hourly limit used on this task.`);
-          }
-          if (result.budget) {
-            lines.push(`Daily budget: ${result.budget.used}/${result.budget.limit}`);
-          }
-          return {
-            content: [{ type: "text", text: lines.join("\n") }],
-            details: result
-          };
-        } catch (err) {
-          const msg = err instanceof Error ? err.message : String(err);
-          if (msg.includes("AGENT_COMMENTS_LOCKED")) {
-            return {
-              content: [{
-                type: "text",
-                text: `Cannot comment on task #${params.task_number}.
-Reason: Agent comments are locked on this task.
-Do not re-attempt to comment on this task.`
-              }],
-              details: { error: "AGENT_COMMENTS_LOCKED", taskNumber: params.task_number }
-            };
-          }
-          if (msg.includes("TASK_HOUR_LIMIT_REACHED")) {
-            const parts = msg.split("|");
-            const count = parts[1] ?? "?";
-            const limit = parts[2] ?? "?";
-            return {
-              content: [{
-                type: "text",
-                text: `Cannot comment on task #${params.task_number}.
-Reason: You have posted ${count} comments on this task in the last hour (limit: ${limit}).
-Step back from this task. Do not comment again until the next hour.`
-              }],
-              details: { error: "TASK_HOUR_LIMIT_REACHED", count, limit, taskNumber: params.task_number }
-            };
-          }
-          if (msg.includes("DAILY_LIMIT_REACHED")) {
-            const parts = msg.split("|");
-            const used = parts[1] ?? "?";
-            const max = parts[2] ?? "?";
-            const resetAt = parts[3] ?? "tomorrow";
-            return {
-              content: [{
-                type: "text",
-                text: `Cannot comment on task #${params.task_number}.
-Reason: Daily comment limit reached (${used}/${max}).
-Do not attempt to make more comments until ${resetAt}.`
-              }],
-              details: { error: "DAILY_LIMIT_REACHED", used, max, resetAt, taskNumber: params.task_number }
-            };
-          }
-          throw err;
-        }
-      }
-    };
-  });
-  api.registerTool(() => {
-    return {
-      name: "cohort_context",
-      label: "cohort_context",
-      description: "Get your Cohort session briefing. Call this at the start of every work session to receive your guidelines, current assignments, active projects, and recent team activity.",
-      parameters: Type.Object({}),
-      async execute() {
-        const briefing = await fetchAgentContext(cfg.apiKey, cfg.apiUrl, logger);
-        return {
-          content: [{ type: "text", text: briefing }]
-        };
-      }
-    };
-  });
   function resolveModel(agentId) {
     const agent = config?.agents?.list?.find((a) => a.id === agentId);
     const m = agent?.model;
@@ -13770,7 +13872,7 @@ Do not attempt to make more comments until ${resetAt}.`
     if (m.includes("deepseek")) return 128e3;
     return 2e5;
   }
-  api.on("gateway_start", async (event) => {
+  _gatewayStartHandler = async (event) => {
     diag("HOOK_gateway_start", { port: event.port, eventKeys: Object.keys(event) });
     try {
       checkForUpdate(PLUGIN_VERSION, logger).catch(() => {
@@ -13821,7 +13923,8 @@ Do not attempt to make more comments until ${resetAt}.`
       event.port,
       cfg,
       api.config.hooks?.token,
-      logger
+      logger,
+      persistentGwClient
     ).catch((err) => {
       logger.error(`cohort-sync: subscription init failed: ${String(err)}`);
     });
@@ -13858,7 +13961,7 @@ Do not attempt to make more comments until ${resetAt}.`
       saveSessionsToDisk(tracker2);
     }, KEEPALIVE_INTERVAL_MS);
     logger.info(`cohort-sync: keepalive interval started (${KEEPALIVE_INTERVAL_MS / 1e3}s)`);
-  });
+  };
   api.on("agent_end", async (event, ctx) => {
     diag("HOOK_agent_end", { ctx: dumpCtx(ctx), success: event.success, error: event.error, durationMs: event.durationMs });
     const agentId = ctx.agentId ?? "main";
@@ -13873,6 +13976,19 @@ Do not attempt to make more comments until ${resetAt}.`
           tracker2.markTelemetryPushed(agentName);
         }
       }
+      const sessionKey = ctx.sessionKey;
+      if (sessionKey && sessionKey.includes(":cron:")) {
+        try {
+          const raw = fs3.readFileSync(cronStorePath, "utf8");
+          const store = JSON.parse(raw);
+          const jobs = store.jobs ?? [];
+          const mapped = jobs.map((j) => mapCronJob(j, resolveAgentName));
+          await pushCronSnapshot(cfg.apiKey, mapped);
+          diag("CRON_AGENT_END_PUSH", { count: mapped.length, sessionKey });
+        } catch (err) {
+          diag("CRON_AGENT_END_PUSH_FAILED", { error: String(err) });
+        }
+      }
       if (event.success === false) {
         const entry = buildActivityEntry(agentName, "agent_end", {
           success: false,
@@ -14195,11 +14311,11 @@ Do not attempt to make more comments until ${resetAt}.`
 import { execFile as execFile2 } from "node:child_process";
 
 // src/device-auth.ts
-function baseUrl(apiUrl) {
-  return apiUrl.replace(/\/+$/, "");
+function baseUrl(apiUrl2) {
+  return apiUrl2.replace(/\/+$/, "");
 }
-async function startDeviceAuth(apiUrl, manifest) {
-  const url = `${baseUrl(apiUrl)}/api/v1/device-auth/start`;
+async function startDeviceAuth(apiUrl2, manifest) {
+  const url = `${baseUrl(apiUrl2)}/api/v1/device-auth/start`;
   const res = await fetch(url, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
@@ -14214,8 +14330,8 @@ async function startDeviceAuth(apiUrl, manifest) {
   }
   return res.json();
 }
-async function pollDeviceAuth(apiUrl, deviceCode) {
-  const url = `${baseUrl(apiUrl)}/api/v1/device-auth/poll`;
+async function pollDeviceAuth(apiUrl2, deviceCode) {
+  const url = `${baseUrl(apiUrl2)}/api/v1/device-auth/poll`;
   const res = await fetch(url, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
@@ -14230,7 +14346,7 @@ async function pollDeviceAuth(apiUrl, deviceCode) {
   }
   return res.json();
 }
-async function waitForApproval(apiUrl, deviceCode, opts) {
+async function waitForApproval(apiUrl2, deviceCode, opts) {
   const intervalMs = opts?.intervalMs ?? 5e3;
   const timeoutMs = opts?.timeoutMs ?? 9e5;
   const onPoll = opts?.onPoll;
@@ -14241,7 +14357,7 @@ async function waitForApproval(apiUrl, deviceCode, opts) {
       return { status: "timeout" };
     }
     try {
-      const result = await pollDeviceAuth(apiUrl, deviceCode);
+      const result = await pollDeviceAuth(apiUrl2, deviceCode);
       onPoll?.(result.status);
       if (result.status === "approved") {
         return { status: "approved", apiKey: result.apiKey };
@@ -14352,46 +14468,298 @@ function registerCohortCli(ctx, cfg) {
 
 // index.ts
 init_keychain();
-var DEFAULT_API_URL = "https://fortunate-chipmunk-286.convex.site";
 var plugin = {
   id: "cohort-sync",
   name: "Cohort Sync",
   description: "Syncs agent status and skills to Cohort dashboard",
   register(api) {
     const cfg = api.pluginConfig;
-    const apiUrl = cfg?.apiUrl ?? DEFAULT_API_URL;
+    const apiUrl2 = cfg?.apiUrl || DEFAULT_API_URL;
+    if (!apiUrl2.startsWith("https://") && !apiUrl2.startsWith("http://localhost") && !apiUrl2.startsWith("http://127.0.0.1")) {
+      api.logger.error(
+        "cohort-sync: apiUrl must use HTTPS for security. Got: " + apiUrl2.replace(/\/\/.*@/, "//***@")
+      );
+      return;
+    }
     api.registerCli(
       (ctx) => registerCohortCli(ctx, {
-        apiUrl,
+        apiUrl: apiUrl2,
         apiKey: cfg?.apiKey,
         agentNameMap: cfg?.agentNameMap
       }),
       { commands: ["cohort"] }
     );
+    const gatewayPort2 = api.config?.gateway?.port ?? 18789;
+    api.registerHook(
+      "gateway:startup",
+      async (...args) => {
+        const event = args[0] ?? {};
+        const port = event?.port ?? gatewayPort2;
+        api.logger.info(`cohort-sync: gateway:startup hook fired (port=${port})`);
+        await handleGatewayStart({ ...event, port });
+      },
+      {
+        name: "cohort-sync.gateway-startup",
+        description: "Sync agents and start notification subscription on gateway startup"
+      }
+    );
+    api.registerTool((toolCtx) => {
+      const agentId = toolCtx.agentId ?? "main";
+      return {
+        name: "cohort_comment",
+        label: "cohort_comment",
+        description: "Post a comment on a Cohort task. Use this to respond to @mentions or collaborate on tasks.",
+        parameters: Type.Object({
+          task_number: Type.Number({ description: "Task number (e.g. 312)" }),
+          comment: Type.String({ description: "Comment text to post" }),
+          no_reply: Type.Optional(Type.Boolean({
+            description: "If true, no notifications will be sent for this comment. Use for final/closing comments."
+          }))
+        }),
+        async execute(_toolCallId, params) {
+          const rt = getToolRuntime();
+          if (!rt.isReady) {
+            return {
+              content: [{ type: "text", text: "cohort_comment is not ready yet \u2014 the plugin is still starting up. Try again in a few seconds." }]
+            };
+          }
+          const agentName = rt.resolveAgentName(agentId);
+          try {
+            const result = await callAddCommentFromPlugin(rt.apiKey, {
+              taskNumber: params.task_number,
+              agentName,
+              content: params.comment,
+              noReply: params.no_reply ?? false
+            });
+            const lines = [`Comment posted on task #${params.task_number}.`];
+            if (result.stats) {
+              lines.push("");
+              lines.push(`This task has ${result.stats.totalComments} comments. ${result.stats.myRecentCount}/${result.stats.threshold} hourly limit used on this task.`);
+            }
+            if (result.budget) {
+              lines.push(`Daily budget: ${result.budget.used}/${result.budget.limit}`);
+            }
+            return {
+              content: [{ type: "text", text: lines.join("\n") }],
+              details: result
+            };
+          } catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (msg.includes("AGENT_COMMENTS_LOCKED")) {
+              return { content: [{ type: "text", text: `Cannot comment on task #${params.task_number}.
+Reason: Agent comments are locked on this task.
+Do not re-attempt.` }] };
+            }
+            if (msg.includes("TASK_HOUR_LIMIT_REACHED")) {
+              return { content: [{ type: "text", text: `Cannot comment on task #${params.task_number}.
+Reason: Per-task hourly limit reached.
+Step back from this task.` }] };
+            }
+            if (msg.includes("DAILY_LIMIT_REACHED")) {
+              return { content: [{ type: "text", text: `Cannot comment on task #${params.task_number}.
+Reason: Daily comment limit reached.
+Do not attempt more comments until tomorrow.` }] };
+            }
+            throw err;
+          }
+        }
+      };
+    });
+    api.registerTool(() => {
+      return {
+        name: "cohort_context",
+        label: "cohort_context",
+        description: "Get your Cohort session briefing. Call this at the start of every work session to receive your guidelines, current assignments, active projects, and recent team activity.",
+        parameters: Type.Object({}),
+        async execute() {
+          const rt = getToolRuntime();
+          if (!rt.isReady) {
+            return { content: [{ type: "text", text: POCKET_GUIDE }] };
+          }
+          try {
+            const response = await fetch(`${rt.apiUrl}/api/v1/context`, {
+              method: "GET",
+              headers: { "Authorization": `Bearer ${rt.apiKey}` },
+              signal: AbortSignal.timeout(1e4)
+            });
+            if (!response.ok) return { content: [{ type: "text", text: POCKET_GUIDE }] };
+            const data = await response.json();
+            return { content: [{ type: "text", text: data.briefing || POCKET_GUIDE }] };
+          } catch {
+            return { content: [{ type: "text", text: POCKET_GUIDE }] };
+          }
+        }
+      };
+    });
+    api.registerTool(() => {
+      return {
+        name: "cohort_task",
+        label: "cohort_task",
+        description: "Fetch full details for a Cohort task by number, including description and recent comments. Use this before responding to a notification if you need more context about the task.",
+        parameters: Type.Object({
+          task_number: Type.Number({ description: "Task number (e.g. 370)" }),
+          include_comments: Type.Optional(Type.Boolean({ description: "Include recent comments (default: true)" })),
+          comment_limit: Type.Optional(Type.Number({ description: "Max comments to return (default: 10)" }))
+        }),
+        async execute(_toolCallId, params) {
+          const rt = getToolRuntime();
+          if (!rt.isReady) {
+            return { content: [{ type: "text", text: "cohort_task is not ready yet \u2014 the plugin is still starting up." }] };
+          }
+          try {
+            const taskRes = await fetch(`${rt.apiUrl}/api/v1/tasks/${params.task_number}`, {
+              headers: { "Authorization": `Bearer ${rt.apiKey}` },
+              signal: AbortSignal.timeout(1e4)
+            });
+            if (!taskRes.ok) {
+              return { content: [{ type: "text", text: `Task #${params.task_number} not found (${taskRes.status}).` }] };
+            }
+            const task = await taskRes.json();
+            const lines = [
+              `# Task #${task.taskNumber}: ${task.title}`,
+              `**Status:** ${task.status} | **Priority:** ${task.priority ?? "none"} | **Effort:** ${task.effort ?? "none"}`,
+              `**Assigned to:** ${task.assignedTo ?? "unassigned"}`,
+              `**Created:** ${task.createdAt}`,
+              "",
+              "## Description",
+              task.description || "(no description)"
+            ];
+            if (params.include_comments !== false) {
+              const limit = params.comment_limit ?? 10;
+              const commentsRes = await fetch(
+                `${rt.apiUrl}/api/v1/tasks/${params.task_number}/comments?limit=${limit}`,
+                {
+                  headers: { "Authorization": `Bearer ${rt.apiKey}` },
+                  signal: AbortSignal.timeout(1e4)
+                }
+              );
+              if (commentsRes.ok) {
+                const commentsData = await commentsRes.json();
+                const comments = commentsData.data ?? [];
+                if (comments.length > 0) {
+                  lines.push("", "## Recent Comments");
+                  for (const c of comments) {
+                    lines.push(`**${c.authorName}** (${c.authorType}, ${c.createdAt.slice(0, 16)}): ${c.body.slice(0, 300)}`);
+                  }
+                  if (comments.length >= limit) {
+                    lines.push(`(showing ${limit} most recent \u2014 there may be more)`);
+                  }
+                }
+              }
+            }
+            return { content: [{ type: "text", text: lines.join("\n") }] };
+          } catch (err) {
+            return { content: [{ type: "text", text: `Failed to fetch task #${params.task_number}: ${err instanceof Error ? err.message : String(err)}` }] };
+          }
+        }
+      };
+    });
+    api.registerTool(() => {
+      return {
+        name: "cohort_transition",
+        label: "cohort_transition",
+        description: "Change the status of a Cohort task. Valid statuses: backlog, todo, in_progress, waiting, done. Always leave a comment explaining the transition before calling this.",
+        parameters: Type.Object({
+          task_number: Type.Number({ description: "Task number (e.g. 370)" }),
+          status: Type.String({ description: "Target status: backlog, todo, in_progress, waiting, or done" })
+        }),
+        async execute(_toolCallId, params) {
+          const rt = getToolRuntime();
+          if (!rt.isReady) {
+            return { content: [{ type: "text", text: "cohort_transition is not ready yet \u2014 the plugin is still starting up." }] };
+          }
+          const validStatuses = ["backlog", "todo", "in_progress", "waiting", "done"];
+          if (!validStatuses.includes(params.status)) {
+            return { content: [{ type: "text", text: `Invalid status "${params.status}". Valid statuses: ${validStatuses.join(", ")}` }] };
+          }
+          try {
+            const res = await fetch(`${rt.apiUrl}/api/v1/tasks/${params.task_number}/transition`, {
+              method: "POST",
+              headers: {
+                "Authorization": `Bearer ${rt.apiKey}`,
+                "Content-Type": "application/json"
+              },
+              body: JSON.stringify({ to: params.status }),
+              signal: AbortSignal.timeout(1e4)
+            });
+            if (!res.ok) {
+              const body = await res.text();
+              return { content: [{ type: "text", text: `Failed to transition task #${params.task_number} to "${params.status}": ${res.status} ${body.slice(0, 200)}` }] };
+            }
+            const task = await res.json();
+            return { content: [{ type: "text", text: `Task #${params.task_number} transitioned to "${params.status}".` }] };
+          } catch (err) {
+            return { content: [{ type: "text", text: `Failed to transition task #${params.task_number}: ${err instanceof Error ? err.message : String(err)}` }] };
+          }
+        }
+      };
+    });
+    api.registerTool((toolCtx) => {
+      const agentId = toolCtx.agentId ?? "main";
+      return {
+        name: "cohort_assign",
+        label: "cohort_assign",
+        description: "Assign a Cohort task to a team member (agent or human) by name. Use your own name to self-assign. Set assignee to null or empty string to unassign.",
+        parameters: Type.Object({
+          task_number: Type.Number({ description: "Task number (e.g. 370)" }),
+          assignee: Type.Union([
+            Type.String({ description: "Name of the assignee (e.g. 'tosh', 'dave')" }),
+            Type.Null({ description: "Set to null to unassign" })
+          ])
+        }),
+        async execute(_toolCallId, params) {
+          const rt = getToolRuntime();
+          if (!rt.isReady) {
+            return { content: [{ type: "text", text: "cohort_assign is not ready yet \u2014 the plugin is still starting up." }] };
+          }
+          try {
+            const assignee = params.assignee?.trim() || null;
+            const res = await fetch(`${rt.apiUrl}/api/v1/tasks/${params.task_number}`, {
+              method: "PATCH",
+              headers: {
+                "Authorization": `Bearer ${rt.apiKey}`,
+                "Content-Type": "application/json"
+              },
+              body: JSON.stringify({ assignedTo: assignee }),
+              signal: AbortSignal.timeout(1e4)
+            });
+            if (!res.ok) {
+              const body = await res.text();
+              return { content: [{ type: "text", text: `Failed to assign task #${params.task_number}: ${res.status} ${body.slice(0, 200)}` }] };
+            }
+            const task = await res.json();
+            const msg = assignee ? `Task #${params.task_number} assigned to ${assignee}.` : `Task #${params.task_number} unassigned.`;
+            return { content: [{ type: "text", text: msg }] };
+          } catch (err) {
+            return { content: [{ type: "text", text: `Failed to assign task #${params.task_number}: ${err instanceof Error ? err.message : String(err)}` }] };
+          }
+        }
+      };
+    });
     api.registerService({
       id: "cohort-sync-core",
       async start(svcCtx) {
-        api.logger.info(`cohort-sync: service starting (api: ${apiUrl})`);
-        let apiKey = cfg?.apiKey;
-        if (!apiKey) {
+        api.logger.info(`cohort-sync: service starting (api: ${apiUrl2})`);
+        let apiKey2 = cfg?.apiKey;
+        if (!apiKey2) {
           try {
-            apiKey = await getCredential(apiUrl) ?? void 0;
+            apiKey2 = await getCredential(apiUrl2) ?? void 0;
           } catch (err) {
             api.logger.error(
               `cohort-sync: keychain lookup failed: ${err instanceof Error ? err.message : String(err)}`
             );
           }
         }
-        if (!apiKey) {
+        if (!apiKey2) {
           api.logger.warn(
             "cohort-sync: no API key found \u2014 run 'openclaw cohort auth' to authenticate"
           );
           return;
         }
-        api.logger.info(`cohort-sync: activated (api: ${apiUrl})`);
+        api.logger.info(`cohort-sync: activated (api: ${apiUrl2})`);
         registerHooks(api, {
-          apiUrl,
-          apiKey,
+          apiUrl: apiUrl2,
+          apiKey: apiKey2,
           stateDir: svcCtx.stateDir,
           agentNameMap: cfg?.agentNameMap
         });