@gajae-code/coding-agent 0.7.3 → 0.7.5

package/src/notifications/index.ts

@@ -12,7 +12,7 @@
  * - `ask` (unattended/RPC): observes emitted workflow gates and resolves the real
  *   gate on a remote reply via `ctx.workflowGate`.
  * - `turn_end` -> `action_needed` (kind `idle`, deduped per turn).
- * - `session_shutdown` -> stop the server + deregister the answer source.
+ * - `session_shutdown` -> `session_closed` frame, stop server, deregister answer source.
  *
  * Enable with Settings notifications config, `GJC_NOTIFICATIONS=1` (a token is
  * generated), or `GJC_NOTIFICATIONS_TOKEN`.
@@ -41,6 +41,193 @@ import {
 import { imageAttachmentsFromMessage, notificationActionPayload, summaryFromMessage } from "./helpers";
 import { ensureTelegramDaemonRunning } from "./telegram-daemon";
 
+// ===========================================================================
+// Session lifecycle control protocol (TypeScript mirror of the Rust wire
+// contract in `crates/gjc-notifications/src/lifecycle.rs`).
+//
+// These describe the frames exchanged over the daemon-owned, session-independent
+// control endpoint for remote session create / close / resume. Field names are
+// camelCase on the wire; `type`/`kind` discriminators are snake_case. The Rust
+// ingress authenticates and forwards; the daemon (TypeScript) owns all policy,
+// spawn orchestration, idempotency, rate limiting, audit, and UX.
+// ===========================================================================
+
+/** Where a `session_create` should run. Discriminated by `kind`. */
+export type SessionCreateTarget =
+	| { kind: "existing_path"; path: string }
+	| { kind: "worktree"; repo: string; branch: string }
+	| { kind: "plain_dir"; path: string };
+
+/** Identifies the session a `session_close` targets. */
+export interface SessionCloseTarget {
+	sessionId: string;
+	/** Expected GJC-managed tmux session name (defense-in-depth match). */
+	tmuxSession?: string;
+	/** Expected `@gjc-session-state-file` tag (defense-in-depth match). */
+	sessionStateFile?: string;
+}
+
+/** Identifies the session a `session_resume` targets. */
+export interface SessionResumeTarget {
+	sessionIdOrPrefix: string;
+	/** Optional repo/working-dir hint to disambiguate matches. */
+	path?: string;
+}
+
+/** Create a new session. */
+export interface SessionCreateFrame {
+	type: "session_create";
+	requestId: string;
+	/** Deterministic lifecycle marker preallocated by the daemon before spawn. */
+	lifecycleRequestId: string;
+	/** Session id the daemon preallocated and propagates to the child. */
+	intendedSessionId: string;
+	/** Telegram update id (idempotency key on the daemon side). */
+	updateId: number;
+	chatId: string;
+	/** Control-endpoint token authorizing this frame. */
+	token: string;
+	target: SessionCreateTarget;
+	/** Reference to the daemon-written, once-consumed startup-prompt file. */
+	startupPromptRef?: string;
+}
+
+/** Close (hard-kill, history preserved) a session. */
+export interface SessionCloseFrame {
+	type: "session_close";
+	requestId: string;
+	updateId: number;
+	chatId: string;
+	token: string;
+	target: SessionCloseTarget;
+	/** Hard-kill even if a live pane is attached (GJC-managed only). */
+	force?: boolean;
+}
+
+/** Resume a session (reattach if alive, else cold-restart from history). */
+export interface SessionResumeFrame {
+	type: "session_resume";
+	requestId: string;
+	updateId: number;
+	chatId: string;
+	token: string;
+	target: SessionResumeTarget;
+	startupPromptRef?: string;
+}
+
+/** Any client -> ingress lifecycle request frame. */
+export type SessionLifecycleRequest = SessionCreateFrame | SessionCloseFrame | SessionResumeFrame;
+
+/** Terminal status of a lifecycle request. */
+export type LifecycleStatus = "ok" | "error";
+
+/** A connected session's per-session endpoint, returned to the control client. */
+export interface LifecycleEndpoint {
+	url: string;
+	token: string;
+}
+
+/** The Telegram topic/thread a session is surfaced in. */
+export interface LifecycleTopic {
+	chatId: string;
+	threadId: string;
+}
+
+/** How a create request was correlated to its spawned session. */
+export type MatchedBy = "spawn_marker" | "session_ready";
+
+/** Response to a successful `session_create`. */
+export interface SessionCreateResponseFrame {
+	type: "session_create_response";
+	requestId: string;
+	status: LifecycleStatus;
+	lifecycleRequestId: string;
+	sessionId: string;
+	matchedBy: MatchedBy;
+	endpoint: LifecycleEndpoint;
+	topic: LifecycleTopic;
+	target: SessionCreateTarget;
+}
+
+/** Response to a successful `session_close`. */
+export interface SessionCloseResponseFrame {
+	type: "session_close_response";
+	requestId: string;
+	status: LifecycleStatus;
+	sessionId: string;
+	processGone: boolean;
+	historyPreserved: boolean;
+	endpointStale: boolean;
+}
+
+/** Whether a resume reattached to a live session or cold-restarted a dead one. */
+export type ResumeMode = "reattached" | "cold_restarted";
+
+/** Response to a successful `session_resume`. */
+export interface SessionResumeResponseFrame {
+	type: "session_resume_response";
+	requestId: string;
+	status: LifecycleStatus;
+	sessionId: string;
+	mode: ResumeMode;
+	endpoint: LifecycleEndpoint;
+	topic: LifecycleTopic;
+}
+
+/** Machine-readable reason a lifecycle request failed. */
+export type LifecycleErrorReason =
+	| "unauthorized"
+	| "rate_limited"
+	| "duplicate_conflict"
+	| "invalid_target"
+	| "ambiguous_target"
+	| "spawn_failed"
+	| "discovery_timeout"
+	| "readiness_timeout"
+	| "close_refused"
+	| "not_found"
+	| "terminal_uncertain";
+
+/** A candidate returned with an `ambiguous_target` resume error. */
+export interface ResumeCandidate {
+	sessionId: string;
+	path?: string;
+	/** Last-activity epoch-millis (session history file mtime), if known. */
+	mtimeMs?: number;
+}
+
+/** A structured lifecycle error frame. */
+export interface SessionLifecycleErrorFrame {
+	type: "session_lifecycle_error";
+	requestId: string;
+	status: LifecycleStatus;
+	reason: LifecycleErrorReason;
+	message: string;
+	candidates?: ResumeCandidate[];
+}
+
+/** Any ingress -> client lifecycle response frame. */
+export type SessionLifecycleResponse =
+	| SessionCreateResponseFrame
+	| SessionCloseResponseFrame
+	| SessionResumeResponseFrame
+	| SessionLifecycleErrorFrame;
+
+/**
+ * Replayable per-session readiness signal (mirror of the Rust `session_ready`
+ * frame). Buffered and replayed to late clients so WS-open alone never implies
+ * the session is live and surfaced.
+ */
+export interface SessionReadyFrame {
+	type: "session_ready";
+	sessionId: string;
+	lifecycleRequestId?: string;
+	startupPromptRef?: string;
+	repo?: string;
+	branch?: string;
+	title?: string;
+}
+
 /** Resolve the git dir for `cwd`, handling worktrees where `.git` is a file. */
 function gitDir(cwd: string): string | undefined {
 	const dot = path.join(cwd, ".git");
@@ -141,6 +328,7 @@ interface SessionRuntime {
 	/** Deregisters this session's Telegram file sink. */
 	disposeFileSink: () => void;
 	redact: boolean;
+	verbosity: "lean" | "verbose";
 	sessionTag: string;
 	/** Whether the agent loop is currently running (drives the typing indicator). */
 	busy: boolean;
@@ -248,7 +436,7 @@ function registerInteractiveAnswerSource(
 	id: string,
 	server: NotificationServer,
 	pendingInteractive: Map<string, PendingInteractiveAsk>,
-	redact: boolean,
+	getRedact: () => boolean,
 	tag: string,
 ): () => void {
 	return registerAskAnswerSource(id, {
@@ -260,7 +448,7 @@ function registerInteractiveAnswerSource(
 					JSON.stringify(
 						notificationActionPayload(
 							{ id: askId, kind: "ask", sessionId: id, question, options },
-							{ redact, sessionTag: tag },
+							{ redact: getRedact(), sessionTag: tag },
 						),
 					),
 					true,
@@ -296,8 +484,9 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 	const runtimes = new Map<string, SessionRuntime>();
 	const disabledSessions = new Set<string>();
 	const sessionId = (ctx: ExtensionContext): string => ctx.sessionManager.getSessionId();
+	const sleep = (ms: number): Promise<void> => new Promise(resolve => setTimeout(resolve, ms));
 
-	function stopSession(id: string): boolean {
+	async function stopSession(id: string): Promise<boolean> {
 		const rt = runtimes.get(id);
 		if (!rt) return false;
 		runtimes.delete(id);
@@ -308,6 +497,14 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 		// Resolve any still-pending interactive asks so the ask tool is not left hanging.
 		for (const pending of rt.pendingInteractive.values()) pending.resolve(undefined);
 		rt.pendingInteractive.clear();
+		let closeFrameSent = false;
+		try {
+			rt.server.pushFrame(JSON.stringify({ type: "session_closed", sessionId: id }));
+			closeFrameSent = true;
+		} catch (e) {
+			logger.warn(`notifications: session_closed failed: ${String(e)}`);
+		}
+		if (closeFrameSent) await sleep(100);
 		try {
 			rt.server.stop();
 		} catch (e) {
@@ -336,6 +533,7 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 		const pendingInteractive = new Map<string, PendingInteractiveAsk>();
 		const tag = sessionTag(id);
 		const redact = cfg.redact;
+		const verbosity = cfg.verbosity;
 		let runtime: SessionRuntime | undefined;
 
 		// The SDK can always answer now (interactive via the answer source, or the
@@ -410,7 +608,31 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 				return;
 			}
 			if (inbound.kind === "config_command") {
-				if (runtime && typeof inbound.redact === "boolean") runtime.redact = inbound.redact;
+				if (!runtime) return;
+				const update: {
+					type: "config_update";
+					sessionId: string;
+					verbosity?: "lean" | "verbose";
+					redact?: boolean;
+				} = {
+					type: "config_update",
+					sessionId: id,
+				};
+				if (inbound.verbosity === "lean" || inbound.verbosity === "verbose") {
+					runtime.verbosity = inbound.verbosity;
+					update.verbosity = inbound.verbosity;
+				}
+				if (typeof inbound.redact === "boolean") {
+					runtime.redact = inbound.redact;
+					update.redact = inbound.redact;
+				}
+				if (update.verbosity !== undefined || update.redact !== undefined) {
+					try {
+						runtime.server.pushFrame(JSON.stringify(update));
+					} catch (e) {
+						logger.warn(`notifications: config_update failed: ${String(e)}`);
+					}
+				}
 			}
 		});
 
@@ -418,7 +640,13 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 			const endpoint = await server.start();
 
 			// Interactive answer source: the ask tool races the local UI against this.
-			const disposeAnswerSource = registerInteractiveAnswerSource(id, server, pendingInteractive, redact, tag);
+			const disposeAnswerSource = registerInteractiveAnswerSource(
+				id,
+				server,
+				pendingInteractive,
+				() => runtime?.redact ?? redact,
+				tag,
+			);
 			const disposeFileSink = registerTelegramFileSink(id, async file => {
 				try {
 					const data = await fs.promises.readFile(file.path);
@@ -444,6 +672,7 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 				disposeAnswerSource,
 				disposeFileSink,
 				redact,
+				verbosity,
 				sessionTag: tag,
 				busy: false,
 				pendingInbound: new Set<number>(),
@@ -519,7 +748,7 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 
 			if (command === "off") {
 				disabledSessions.add(id);
-				const stopped = stopSession(id);
+				const stopped = await stopSession(id);
 				ctx.ui.notify(
 					stopped
 						? "Notifications disabled for this session."
@@ -567,8 +796,9 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 			const running = runtimes.has(id);
 			const locallyDisabled = disabledSessions.has(id);
 			const enabled = isEnabledForSession(id, resolved.cfg);
+			const runtime = runtimes.get(id);
 			ctx.ui.notify(
-				`Notifications ${running ? "running" : enabled ? "enabled" : "disabled"} for this session; redaction ${resolved.cfg.redact ? "on" : "off"}${locallyDisabled ? "; locally off" : ""}.`,
+				`Notifications ${running ? "running" : enabled ? "enabled" : "disabled"} for this session; redaction ${(runtime?.redact ?? resolved.cfg.redact) ? "on" : "off"}; verbosity ${runtime?.verbosity ?? resolved.cfg.verbosity}${locallyDisabled ? "; locally off" : ""}.`,
 				"info",
 			);
 		},
@@ -616,7 +846,7 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 			newId,
 			rt.server,
 			rt.pendingInteractive,
-			rt.redact,
+			() => rt.redact,
 			rt.sessionTag,
 		);
 		rt.disposeFileSink = registerTelegramFileSink(newId, async file => {
@@ -735,7 +965,7 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 		// On idle, stream a context update with metadata (token/model usage +
 		// working-tree diff) unless redaction is on. The agent's last message is
 		// NOT repeated here — it is already streamed once via `turn_stream`.
-		if (!rt.redact) {
+		if (!rt.redact && rt.verbosity === "verbose") {
 			const usage = (
 				ctx as { getContextUsage?: () => { tokens: number | null; contextWindow: number } | undefined }
 			).getContextUsage?.();
@@ -836,7 +1066,7 @@ export const createNotificationsExtension: ExtensionFactory = api => {
 		}
 	});
 
-	api.on("session_shutdown", (_event, ctx) => {
-		stopSession(sessionId(ctx));
+	api.on("session_shutdown", async (_event, ctx) => {
+		await stopSession(sessionId(ctx));
 	});
 };

package/src/notifications/lifecycle-commands.ts

@@ -0,0 +1,228 @@
+/**
+ * Paired-chat /session_* command grammar (G009).
+ *
+ * Pure parser + shared target validator for the Telegram session-lifecycle
+ * commands. The daemon parses an inbound paired-chat message here, then attaches
+ * transport identity (chatId/updateId/token/requestId) and routes the resulting
+ * frame to the orchestrator. Keeping this pure makes the grammar, the MVP
+ * prompt-rejection, and target validation unit-testable without the daemon.
+ *
+ * MVP scope: an initial prompt (`-- <prompt>`) is REJECTED with usage text — no
+ * prompt text ever enters a frame, audit, log, or response until daemon-owned
+ * 0600 prompt refs are designed.
+ */
+import type { SessionCloseTarget, SessionCreateTarget, SessionLifecycleResponse, SessionResumeTarget } from "./index";
+
+export type LifecycleCommandVerb = "session_create" | "session_close" | "session_resume";
+
+/** A parsed, validated lifecycle command (transport identity added by caller). */
+export type ParsedLifecycleCommand =
+	| { kind: "create"; target: SessionCreateTarget }
+	| { kind: "close"; target: SessionCloseTarget }
+	| { kind: "resume"; target: SessionResumeTarget }
+	| { kind: "recent"; which: "create" | "resume" | "all" }
+	| { kind: "usage"; message: string }
+	| { kind: "reject"; reason: "invalid_target" | "prompt_unsupported"; message: string }
+	| { kind: "none" };
+
+const USAGE = [
+	"Session commands:",
+	"/session_create path <dir>",
+	"/session_create worktree <repo> <branch>",
+	"/session_create dir <newdir>",
+	"/session_close <sessionId>",
+	"/session_resume <sessionId|prefix>",
+	"/session_recent [create|resume]",
+].join("\n");
+
+/** True when the text begins a /session_* command (cheap pre-gate). */
+export function isLifecycleCommandText(text: string | undefined): boolean {
+	if (!text) return false;
+	return /^\/session_(create|close|resume|recent)\b/.test(text.trim());
+}
+
+/**
+ * Parse a paired-chat message into a lifecycle command. Returns `none` for
+ * non-lifecycle text, `usage`/`reject` for malformed input (no side effect), or
+ * a validated `create`/`close`/`resume`/`recent` intent.
+ *
+ * The caller MUST have already enforced paired-chat authorization; this function
+ * performs grammar + target validation only.
+ */
+export function parseLifecycleCommand(text: string | undefined): ParsedLifecycleCommand {
+	if (!isLifecycleCommandText(text)) return { kind: "none" };
+	const raw = (text ?? "").trim();
+
+	// MVP: reject any initial-prompt separator outright (no prompt handling yet).
+	if (/\s--(\s|$)/.test(raw)) {
+		return {
+			kind: "reject",
+			reason: "prompt_unsupported",
+			message: `Initial prompts (\`-- <prompt>\`) are not supported yet. Create the session, then send a normal message in its thread.\n\n${USAGE}`,
+		};
+	}
+
+	const [command, ...args] = raw.split(/\s+/);
+
+	if (command === "/session_recent") {
+		const which = args[0];
+		if (which === undefined || which === "create" || which === "resume") {
+			return { kind: "recent", which: which ?? "all" };
+		}
+		return { kind: "usage", message: USAGE };
+	}
+
+	if (command === "/session_close") {
+		if (args.length !== 1) return { kind: "usage", message: USAGE };
+		const sessionId = args[0]!;
+		if (!isSafeIdentifier(sessionId)) {
+			return { kind: "reject", reason: "invalid_target", message: `Invalid session id.\n\n${USAGE}` };
+		}
+		return { kind: "close", target: { sessionId } };
+	}
+
+	if (command === "/session_resume") {
+		if (args.length !== 1) return { kind: "usage", message: USAGE };
+		const idOrPrefix = args[0]!;
+		if (!isSafeIdentifier(idOrPrefix)) {
+			return { kind: "reject", reason: "invalid_target", message: `Invalid session id/prefix.\n\n${USAGE}` };
+		}
+		return { kind: "resume", target: { sessionIdOrPrefix: idOrPrefix } };
+	}
+
+	// /session_create <kind> ...
+	const kind = args[0];
+	if (kind === "path") {
+		if (args.length !== 2) return { kind: "usage", message: USAGE };
+		const p = args[1]!;
+		if (!isSafePath(p)) return { kind: "reject", reason: "invalid_target", message: `Invalid path.\n\n${USAGE}` };
+		return { kind: "create", target: { kind: "existing_path", path: p } };
+	}
+	if (kind === "dir") {
+		if (args.length !== 2) return { kind: "usage", message: USAGE };
+		const p = args[1]!;
+		if (!isSafePath(p)) return { kind: "reject", reason: "invalid_target", message: `Invalid dir.\n\n${USAGE}` };
+		return { kind: "create", target: { kind: "plain_dir", path: p } };
+	}
+	if (kind === "worktree") {
+		if (args.length !== 3) return { kind: "usage", message: USAGE };
+		const repo = args[1]!;
+		const branch = args[2]!;
+		if (!isSafePath(repo))
+			return { kind: "reject", reason: "invalid_target", message: `Invalid repo path.\n\n${USAGE}` };
+		if (!isSafeBranch(branch)) {
+			return { kind: "reject", reason: "invalid_target", message: `Invalid branch name.\n\n${USAGE}` };
+		}
+		return { kind: "create", target: { kind: "worktree", repo, branch } };
+	}
+	return { kind: "usage", message: USAGE };
+}
+
+/** The canonical usage text (exported for the daemon's help replies). */
+export function lifecycleUsage(): string {
+	return USAGE;
+}
+
+/**
+ * Shared target validator reused at the policy/effect boundary (after paired-chat
+ * auth, before any side effect). Returns null when valid, or an `invalid_target`
+ * reason. The orchestrator remains authoritative; this is a defensive pre-check
+ * the parser and any other entry point share.
+ */
+export function validateLifecycleTarget(
+	verb: LifecycleCommandVerb,
+	target: SessionCreateTarget | SessionCloseTarget | SessionResumeTarget,
+): { ok: true } | { ok: false; reason: "invalid_target"; message: string } {
+	const bad = (message: string) => ({ ok: false as const, reason: "invalid_target" as const, message });
+	if (verb === "session_create") {
+		const t = target as SessionCreateTarget;
+		if (t.kind === "existing_path" || t.kind === "plain_dir") {
+			return isSafePath(t.path) ? { ok: true } : bad("invalid path");
+		}
+		if (t.kind === "worktree") {
+			if (!isSafePath(t.repo)) return bad("invalid repo path");
+			return isSafeBranch(t.branch) ? { ok: true } : bad("invalid branch");
+		}
+		return bad("unknown create target");
+	}
+	if (verb === "session_close") {
+		const t = target as SessionCloseTarget;
+		return isSafeIdentifier(t.sessionId) ? { ok: true } : bad("invalid session id");
+	}
+	const t = target as SessionResumeTarget;
+	return isSafeIdentifier(t.sessionIdOrPrefix) ? { ok: true } : bad("invalid session id/prefix");
+}
+
+// --- Safety primitives (defensive; the full-trust paired chat is accepted, but
+// we still reject obviously malformed/injection-shaped inputs early). ---
+
+function isSafeIdentifier(value: string): boolean {
+	return /^[A-Za-z0-9._-]{1,128}$/.test(value);
+}
+
+function isSafePath(value: string): boolean {
+	// Reject empty, shell-metacharacter, or newline-bearing paths. Absolute or
+	// relative are both allowed (full-trust chat), but not injection shapes.
+	if (value.length === 0 || value.length > 4096) return false;
+	if (/[\n\r\0]/.test(value)) return false;
+	return !/[;&|`$(){}<>*?!\\"']/.test(value);
+}
+
+function isSafeBranch(value: string): boolean {
+	// Defense-in-depth: also reject leading-hyphen names so a branch can never be
+	// mistaken for a CLI flag downstream.
+	return /^[A-Za-z0-9._/-]{1,255}$/.test(value) && !value.includes("..") && !value.startsWith("-");
+}
+
+/**
+ * Map a lifecycle response/error to a user-facing Telegram message (G010).
+ *
+ * Only derives text from sessionId, mode, reason, a safe message, and candidate
+ * {sessionId,path} — never a token or prompt. Each error reason gets tailored,
+ * actionable copy; an "in progress" pending response is surfaced distinctly.
+ */
+export function formatLifecycleOutcome(r: SessionLifecycleResponse): string {
+	switch (r.type) {
+		case "session_create_response":
+			return `\u{1f680} Launching session ${r.sessionId} in tmux. It will appear once ready \u2014 check /session_recent.`;
+		case "session_close_response":
+			return `\u2705 Closed session ${r.sessionId} (history preserved \u2014 you can resume it later).`;
+		case "session_resume_response":
+			return r.mode === "reattached"
+				? `\u2705 Reattached to live session ${r.sessionId}.`
+				: `\u{1f680} Cold-restarting session ${r.sessionId} from saved history in tmux \u2014 check /session_recent.`;
+		case "session_lifecycle_error":
+			break;
+		default:
+			return "Unknown lifecycle response.";
+	}
+	if (r.reason === "ambiguous_target" && r.candidates?.length) {
+		const list = r.candidates.map(c => `\u2022 ${c.sessionId}${c.path ? ` (${c.path})` : ""}`).join("\n");
+		return `\u2753 Multiple sessions match \u2014 reply with the exact id:\n${list}`;
+	}
+	switch (r.reason) {
+		case "unauthorized":
+			return "\u26d4 Not authorized for session lifecycle commands.";
+		case "rate_limited":
+			return "\u23f3 Too many create requests \u2014 please wait a bit and try again.";
+		case "duplicate_conflict":
+			return "\u26a0\ufe0f That command id was already used for a different request; send a fresh command.";
+		case "invalid_target":
+			return `\u26a0\ufe0f Invalid target. ${r.message}`;
+		case "spawn_failed":
+			return "\u26a0\ufe0f The session failed to start. Nothing was left running.";
+		case "discovery_timeout":
+		case "readiness_timeout":
+			return "\u23f3 The session did not become ready in time. It may still be starting \u2014 check /session_recent.";
+		case "close_refused":
+			return "\u26a0\ufe0f Close refused: that session is not GJC-managed or did not match.";
+		case "not_found":
+			return "\u2753 No matching session was found.";
+		case "terminal_uncertain":
+			return /in progress/i.test(r.message)
+				? "\u23f3 That request is already in progress \u2014 hold on."
+				: "\u26a0\ufe0f Outcome uncertain. Check /session_recent before retrying so you don't double-spawn.";
+		default:
+			return `\u26a0\ufe0f ${r.reason}: ${r.message}`;
+	}
+}