@leviyuan/lodestar 0.1.6 → 0.1.8

package/src/feishu.ts

@@ -8,11 +8,11 @@
 
 import * as lark from '@larksuiteoapi/node-sdk'
 import { execSync } from 'node:child_process'
-import { mkdirSync, readFileSync, realpathSync, statSync, writeFileSync } from 'node:fs'
+import { existsSync, mkdirSync, readFileSync, realpathSync, statSync, unlinkSync, writeFileSync } from 'node:fs'
 import { homedir } from 'node:os'
 import { basename, extname, join } from 'node:path'
 import { config } from './config'
-import { DATA_DIR, INBOX_DIR, SESSION_CHAT_MAP_FILE, SESSION_RESUME_MAP_FILE } from './paths'
+import { ALIVE_MARKER_FILE, DATA_DIR, INBOX_DIR, SESSION_CHAT_MAP_FILE, SESSION_RESUME_MAP_FILE } from './paths'
 import { log } from './log'
 
 const APP_ID = config.feishu.app_id
@@ -106,6 +106,36 @@ export function getSessionResume(sessionName: string): string | null {
   return lastSessionIdByName.get(sessionName) ?? null
 }
 
+// ── Alive-on-shutdown marker ──────────────────────────────────────────
+// Persists the list of session names that were still running when the
+// daemon went down. Next boot reads + unlinks the file and auto-spawns
+// (via session.restart(true)) only those — sessions that were already
+// `stop`ped before shutdown are deliberately NOT in this list, so they
+// stay stopped after restart.
+
+export function writeAliveMarker(sessionNames: string[]): void {
+  try {
+    writeFileSync(ALIVE_MARKER_FILE, JSON.stringify(sessionNames, null, 2))
+  } catch (e) { log(`feishu: write alive marker failed: ${e}`) }
+}
+
+/** Read + unlink in one shot — marker is single-use: revival should
+ * happen exactly once per boot, not re-run on every subsequent crash
+ * loop where systemd might keep re-launching us. */
+export function readAndConsumeAliveMarker(): string[] {
+  if (!existsSync(ALIVE_MARKER_FILE)) return []
+  try {
+    const raw = readFileSync(ALIVE_MARKER_FILE, 'utf8')
+    try { unlinkSync(ALIVE_MARKER_FILE) } catch {}
+    const data = JSON.parse(raw)
+    return Array.isArray(data) ? data.filter((x: unknown): x is string => typeof x === 'string') : []
+  } catch (e) {
+    log(`feishu: read alive marker failed: ${e}`)
+    try { unlinkSync(ALIVE_MARKER_FILE) } catch {}
+    return []
+  }
+}
+
 export function chatIdForSession(sessionName: string): string | null {
   const preferred = preferredChatForSession.get(sessionName)
   if (preferred && chatNameCache.get(preferred) === sessionName) return preferred
@@ -174,6 +204,50 @@ export async function addReaction(messageId: string, emojiType: string): Promise
   } catch (e) { log(`feishu: addReaction ${emojiType} on ${messageId} failed: ${e}`) }
 }
 
+// ── Urgent push ───────────────────────────────────────────────────────
+/** Fire Feishu's "加急 — 应用内" push for an already-sent message.
+ * Bypasses chat-level mute and pops a full-screen prompt on the
+ * recipient's phone. Bot must be the original sender of the message
+ * AND must still be a member of the chat.
+ *
+ * Endpoint:
+ *   PATCH /open-apis/im/v1/messages/{message_id}/urgent_app
+ *   ?user_id_type=open_id
+ *   body: { user_id_list: ["ou_..."] }
+ *
+ * Required app scope (either one):
+ *   - `im:message.urgent`            (「发送应用内加急消息」)
+ *   - `im:message.urgent:app_send`   (「…（历史版本）」)
+ *
+ * Limits: 50 QPS app-wide; per-recipient cap is 200 unread urgent
+ * messages (230023). No daily quota.
+ *
+ * Common error codes:
+ *   230012 — message not sent by this bot
+ *   230023 — recipient has 200 unread urgent already
+ *   230052 — missing scope / chat restricts urgent */
+export async function urgentApp(messageId: string, openIds: string[]): Promise<void> {
+  if (!messageId) { log(`feishu: urgentApp skip — missing messageId`); return }
+  if (openIds.length === 0) { log(`feishu: urgentApp skip — empty openIds (msg=${messageId})`); return }
+  const token = await getTenantToken()
+  const url = `https://open.feishu.cn/open-apis/im/v1/messages/${messageId}/urgent_app?user_id_type=open_id`
+  try {
+    const res = await fetch(url, {
+      method: 'PATCH',
+      headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
+      body: JSON.stringify({ user_id_list: openIds }),
+    })
+    const json = await res.json() as any
+    if (json?.code !== 0) {
+      log(`feishu: urgentApp ${messageId} code=${json?.code} msg=${json?.msg}`)
+      return
+    }
+    const invalid = json.data?.invalid_user_id_list ?? []
+    const delivered = openIds.length - invalid.length
+    log(`feishu: urgentApp ${messageId} ok — delivered=${delivered}${invalid.length ? ` invalid=${invalid.length}` : ''}`)
+  } catch (e) { log(`feishu: urgentApp ${messageId} failed: ${e}`) }
+}
+
 // ── Attachment download (image/file) ───────────────────────────────────
 export async function downloadAttachment(
   messageId: string, key: string, type: 'image' | 'file', name?: string,

package/src/paths.ts

@@ -40,4 +40,10 @@ export const PID_FILE = join(DATA_DIR, 'daemon.pid')
 export const LOG_FILE = join(DATA_DIR, 'daemon.log')
 export const SESSION_CHAT_MAP_FILE = join(DATA_DIR, 'session-chat-map.json')
 export const SESSION_RESUME_MAP_FILE = join(DATA_DIR, 'session-resume-map.json')
+/** Marker file written at shutdown listing the session names that
+ * were still alive. The next daemon boot reads it (and unlinks it)
+ * to auto-revive those sessions via `restart(true)` — bridges the
+ * gap between systemctl-restart killing every child Claude and
+ * Lodestar's "you have to send a message to re-spawn it" default. */
+export const ALIVE_MARKER_FILE = join(DATA_DIR, 'alive-on-shutdown.json')
 export const INBOX_DIR = join(DATA_DIR, 'inbox')

package/src/session.ts

@@ -16,9 +16,18 @@ import * as cards from './cards'
 import * as feishu from './feishu'
 import { log } from './log'
 import { INBOX_DIR } from './paths'
+import { readUsage } from './usage'
 
 interface TurnState {
   cardId: string
+  /** Feishu message_id of the card — needed for urgent_app push on clean
+   * turn close. Kept separate from cardId because cardkit's stream APIs
+   * operate on card_id but the urgent_app endpoint takes message_id. */
+  messageId: string
+  /** open_id of the user who started this turn. Used to scope the
+   * urgent_app push so only the initiator gets pinged (in case there
+   * are other members in the group). Empty string → skip the ping. */
+  userOpenId: string
   userText: string
   thinkingText: string
   toolCount: number
@@ -73,6 +82,14 @@ interface CumStats {
 }
 
 export class Session {
+  /** Process-wide registry of every Session ever constructed in this daemon.
+   * Used by the `hi` console panel to enumerate sibling sessions across
+   * Feishu groups. Sessions are never removed (matches the daemon's
+   * `sessions` map lifecycle — one Session per chat for the daemon's
+   * lifetime). Callers should filter on `isRunning()` when they only
+   * want currently-alive Claude processes. */
+  static readonly all: Set<Session> = new Set()
+
   private proc: ClaudeProcess | null = null
   private currentTurn: TurnState | null = null
   private pendingPermissions = new Map<string, { toolUseId: string }>()
@@ -89,12 +106,19 @@ export class Session {
     questions: cards.AskQuestion[]
     i: number
     requestId?: string
-    deferredAnswer?: {
-      questionIdx: number
-      optionIdx?: number
-      customText?: string
-      user: string
-    }
+    /** 累计答案 — key 是 question 原文 (SDK 把这条 record 格式
+     * 化进 tool_result), value 是用户选的 option label 或自定
+     * 义文字。全部 question 都答完时一并塞进 updatedInput.answers
+     * 发回 SDK。 */
+    answers: Record<string, string>
+    /** 已答详情 (按 question idx 索引)，用来给历史面板和 terminal
+     * 状态画选中态。answers 同步累计，但这里多保留 customText /
+     * optionIdx 字段以便 UI 区分两种回答路径。 */
+    answered: Map<number, cards.AskAnswered>
+    /** 当前展示的 question idx。undefined 表示全部答完 (terminal)
+     * —— 这时若 requestId 已就位则 finalize；否则等 renderPermission
+     * 一来立即 finalize。 */
+    currentIdx?: number
   }>()
   private turnCounter = 0
   // Last seen sessionId — preserved across `kill`/`stop` so a later
@@ -118,6 +142,7 @@ export class Session {
     public readonly chatId: string,
     private opts: SessionOpts = {},
   ) {
+    Session.all.add(this)
     // Restore last-known claude session_id from disk so a daemon restart
     // (systemctl, crash, watchdog) doesn't strand the user with a fresh
     // conversation when they next type `restart`.
@@ -127,6 +152,16 @@ export class Session {
     }
   }
 
+  /** Minimal cross-chat snapshot for the `hi` peer-list section.
+   * `startedAt` stays private so this is the documented read path. */
+  peerSnapshot(): { name: string; status: Status; uptimeMs?: number } {
+    return {
+      name: this.sessionName,
+      status: this.status,
+      uptimeMs: this.startedAt ? (Date.now() - this.startedAt) : undefined,
+    }
+  }
+
   get workDir(): string { return join(feishu.PROJECTS_ROOT, this.sessionName) }
   isRunning(): boolean { return !!this.proc && this.proc.isAlive() }
 
@@ -168,12 +203,21 @@ export class Session {
       await feishu.sendText(this.chatId, `⚪ session "${this.sessionName}" 当前未运行`)
       return
     }
-    this.lastSessionId = this.proc.sessionId ?? this.lastSessionId
-    await this.proc.kill()
+    // Flip lifecycle state SYNCHRONOUSLY before awaiting kill — daemon's
+    // SIGTERM cleanup snapshots `isRunning()` and if we're still mid-
+    // `proc.kill()` await it'll see proc!=null and write us into the
+    // alive marker, which makes the next boot auto-revive a session
+    // the user explicitly killed. Reordering the null-out fixes that
+    // race (bug observed 2026-05-15: `kill` immediately followed by
+    // `systemctl restart` revived the killed session on boot).
+    log(`session "${this.sessionName}": stop (${reason})`)
+    const proc = this.proc
+    this.lastSessionId = proc.sessionId ?? this.lastSessionId
     this.proc = null
     this.currentTurn = null
     this.pendingPermissions.clear()
     this.status = 'stopped'
+    await proc.kill()
     await feishu.sendText(this.chatId, `🔴 ${reason} (session: ${this.sessionName})`)
   }
 
@@ -257,6 +301,14 @@ export class Session {
       model,
       effort: 'max',
       uptimeMs,
+      peers: [...Session.all]
+        .filter(s => s.isRunning())
+        .map(s => ({ ...s.peerSnapshot(), isCurrent: s === this })),
+      // Initial paint without usage → cards.ts renders the
+      // `_加载中…_` placeholder in the consoleUsage element. We patch
+      // it in below once readUsage() resolves (ccusage cold-call is
+      // ~5s; not worth blocking the panel on it).
+      usage: undefined,
       contextTokens: this.currentContextTokens(),
       cumStats: this.cumStats,
       lastTurn: this.lastTurnDelta
@@ -269,7 +321,22 @@ export class Session {
       sessionId: this.proc?.sessionId ?? this.lastSessionId,
       hasSession: this.isRunning(),
     })
-    await feishu.sendCard(this.chatId, card)
+    const messageId = await feishu.sendCard(this.chatId, card)
+    if (!messageId) return
+    // Patch the usage element asynchronously so the rest of the panel
+    // stays responsive. We don't await; failures are logged and the
+    // placeholder stays visible (no fallback fabrication).
+    void (async () => {
+      try {
+        const cardId = await cardkit.convertMessageToCard(messageId)
+        const usage = await readUsage()
+        await cardkit.replaceElement(cardId, cards.ELEMENTS.consoleUsage, {
+          tag: 'markdown',
+          element_id: cards.ELEMENTS.consoleUsage,
+          content: cards.consoleUsageContent(usage),
+        })
+      } catch (e) { log(`session "${this.sessionName}": consoleUsage patch failed: ${e}`) }
+    })()
   }
 
   interrupt(): void {
@@ -279,7 +346,7 @@ export class Session {
   }
 
   // ── Inbound from Feishu ────────────────────────────────────────────
-  async onUserMessage(text: string, files: string[] = []): Promise<void> {
+  async onUserMessage(text: string, files: string[] = [], userOpenId = ''): Promise<void> {
     if (!this.isRunning()) {
       const ok = await this.start()
       if (!ok) return
@@ -289,7 +356,7 @@ export class Session {
       this.proc!.sendInterrupt()
       await this.closeTurnCard('🛑 用户打断')
     }
-    await this.openTurnCard(text)
+    await this.openTurnCard(text, userOpenId)
     this.proc!.sendUserText(text, files)
     this.status = 'working'
   }
@@ -340,11 +407,11 @@ export class Session {
     return this.pendingAsks.size > 0
   }
 
-  /** Funnel an arbitrary chat message into the oldest pending ask as
-   * a `customText` answer. Falls back to a normal turn if for some
-   * reason there's nothing pending (defensive — handleMessage's gate
-   * should prevent that). Picks the first entry by Map insertion
-   * order, which is the earliest unanswered ask. */
+  /** Funnel an arbitrary chat message into the *current* question
+   * of the oldest pending ask as a `customText` answer. Multi-
+   * question semantics: from the user's perspective, the chat
+   * input always answers whatever question is on screen right now
+   * (`pending.currentIdx`), and a new question slides in after. */
   async onAskMessageAnswer(text: string, user: string): Promise<void> {
     const firstEntry = this.pendingAsks.entries().next()
     if (firstEntry.done) {
@@ -352,102 +419,121 @@ export class Session {
       await this.onUserMessage(text)
       return
     }
-    const [toolUseId, _pending] = firstEntry.value
-    await this.onAskCustomAnswer(toolUseId, 0, text, user)
+    const [toolUseId, pending] = firstEntry.value
+    if (pending.currentIdx === undefined) {
+      log(`session "${this.sessionName}": pending ask ${toolUseId} already terminal — ignoring message`)
+      return
+    }
+    await this.onAskCustomAnswer(toolUseId, pending.currentIdx, text, user)
   }
 
-  /** Click handler for an AskUserQuestion option button. Dispatches
-   * to `resolveAsk` if can_use_tool has already arrived, otherwise
-   * parks the click on the pendingAsk record for renderPermission
-   * to drain. */
+  /** Click handler for an option button. The click must target the
+   * question currently on screen (`pending.currentIdx`); a stale
+   * click (e.g. user clicked an older render before it swapped in
+   * the next question) is logged and dropped — better than double-
+   * answering. */
   async onAskAnswer(toolUseId: string, questionIdx: number, optionIdx: number, user: string): Promise<void> {
     const pending = this.pendingAsks.get(toolUseId)
     if (!pending) { log(`session "${this.sessionName}": stray ask answer for ${toolUseId}`); return }
-    if (pending.requestId) {
-      this.resolveAsk(toolUseId, pending.requestId, { questionIdx, optionIdx, user })
-    } else {
-      pending.deferredAnswer = { questionIdx, optionIdx, user }
-      log(`session "${this.sessionName}": ask answer deferred for ${toolUseId} (no requestId yet)`)
+    if (questionIdx !== pending.currentIdx) {
+      log(`session "${this.sessionName}": stale ask click q=${questionIdx} current=${pending.currentIdx}`)
+      return
     }
+    this.advanceAsk(toolUseId, { optionIdx, user })
   }
 
-  /** Form-submit handler for the custom-answer input on an
-   * AskUserQuestion panel. Same dispatch pattern as `onAskAnswer`,
-   * just routes a free-form string into `resolveAsk` instead of an
-   * option index. Empty/whitespace input is ignored (no answer
-   * sent, panel stays pending). */
+  /** Custom-text branch. Same staleness rule as onAskAnswer; empty
+   * input is silently ignored (panel stays pending). */
   async onAskCustomAnswer(toolUseId: string, questionIdx: number, customText: string, user: string): Promise<void> {
     const pending = this.pendingAsks.get(toolUseId)
     if (!pending) { log(`session "${this.sessionName}": stray ask custom for ${toolUseId}`); return }
     const trimmed = (customText ?? '').trim()
     if (!trimmed) { log(`session "${this.sessionName}": empty custom answer, ignoring`); return }
-    if (pending.requestId) {
-      this.resolveAsk(toolUseId, pending.requestId, { questionIdx, customText: trimmed, user })
-    } else {
-      pending.deferredAnswer = { questionIdx, customText: trimmed, user }
-      log(`session "${this.sessionName}": ask custom deferred for ${toolUseId} (no requestId yet)`)
+    if (questionIdx !== pending.currentIdx) {
+      log(`session "${this.sessionName}": stale ask custom q=${questionIdx} current=${pending.currentIdx}`)
+      return
     }
+    this.advanceAsk(toolUseId, { customText: trimmed, user })
   }
 
-  /** Settle an AskUserQuestion: emit the permission allow with the
-   * picked option OR custom text folded into `updatedInput.answers`
-   * (this is the shape the SDK reads to synthesise the tool_result
-   * string), repaint the panel ✅, drop bookkeeping. Single source
-   * of truth — option-click, custom-submit, and the deferred drain
-   * all go through here. */
-  private resolveAsk(
+  /** Record an answer for the current question, advance the state
+   * machine, repaint. If every question is now answered, finalize
+   * (or defer the finalize until can_use_tool lands — the race is
+   * handled by renderPermission). */
+  private advanceAsk(
     toolUseId: string,
-    requestId: string,
-    answer: { questionIdx: number; optionIdx?: number; customText?: string; user: string },
+    answer: { optionIdx?: number; customText?: string; user: string },
   ): void {
     const pending = this.pendingAsks.get(toolUseId)
-    if (!pending) return
-    const q = pending.questions[answer.questionIdx]
-    if (!q) {
-      log(`session "${this.sessionName}": ask answer out of range q=${answer.questionIdx}`)
-      return
-    }
-    // Determine the literal string that will become the SDK's
-    // `answers` value for this question — custom wins if both are
-    // somehow set (shouldn't happen, but defensive).
-    let answerValue: string
-    if (answer.customText) {
-      answerValue = answer.customText
+    if (!pending || pending.currentIdx === undefined) return
+    const cur = pending.currentIdx
+    const q = pending.questions[cur]
+    if (!q) { log(`session "${this.sessionName}": advanceAsk currentIdx=${cur} out of range`); return }
+    // Resolve the literal answer value — custom text wins if both set.
+    let value: string
+    if (answer.customText !== undefined) {
+      value = answer.customText
     } else if (answer.optionIdx !== undefined) {
       const opt = q.options?.[answer.optionIdx]
-      if (!opt) {
-        log(`session "${this.sessionName}": ask option out of range o=${answer.optionIdx}`)
-        return
-      }
-      answerValue = opt.label
+      if (!opt) { log(`session "${this.sessionName}": advanceAsk option ${answer.optionIdx} out of range`); return }
+      value = opt.label
     } else {
-      log(`session "${this.sessionName}": resolveAsk called with neither optionIdx nor customText`)
+      log(`session "${this.sessionName}": advanceAsk with neither customText nor optionIdx`)
       return
     }
-    const turn = this.currentTurn
-    const meta = turn?.toolByUseId.get(toolUseId)
-    const originalInput = meta?.input ?? {}
-    // SDK keys the answer record by the question's text — confirmed
-    // by the v0.1.2 jsonl trace (empty record formatted to "User has
-    // answered your questions: .").
-    const answers: Record<string, string> = { [q.question]: answerValue }
-    this.proc?.sendPermissionResponse(requestId, 'allow', {
-      updatedInput: { ...originalInput, answers },
+    pending.answers[q.question] = value
+    pending.answered.set(cur, {
+      optionIdx: answer.optionIdx,
+      customText: answer.customText,
+      user: answer.user,
     })
-    this.pendingPermissions.delete(requestId)
-    this.pendingAsks.delete(toolUseId)
+    // Next unanswered idx — linear from cur+1. Implementation
+    // always moves forward; we don't currently let users revisit a
+    // previous question (would need richer UI affordance for that).
+    const total = pending.questions.length
+    let nextIdx: number | undefined = undefined
+    for (let i = cur + 1; i < total; i++) {
+      if (!pending.answered.has(i)) { nextIdx = i; break }
+    }
+    pending.currentIdx = nextIdx
 
+    const turn = this.currentTurn
+    const meta = turn?.toolByUseId.get(toolUseId)
     if (turn && meta) {
-      meta.output = JSON.stringify({ answers })
-      meta.isError = false
-      const el = cards.askUserQuestionElement(meta.i, toolUseId, pending.questions, '✅', {
-        optionIdx: answer.optionIdx,
-        customText: answer.customText,
-        user: answer.user || '匿名',
-      })
+      const el = cards.askUserQuestionElement(
+        meta.i, toolUseId, pending.questions,
+        nextIdx === undefined ? '✅' : '🤔',
+        { currentIdx: nextIdx, answered: pending.answered },
+      )
       void cardkit.replaceElement(turn.cardId, cards.ELEMENTS.tool(meta.i), el)
     }
 
+    if (nextIdx === undefined) {
+      // All done. Finalize iff we have the permission request id;
+      // otherwise renderPermission will pick it up when it arrives.
+      if (pending.requestId) this.finalizeAsk(toolUseId)
+      else log(`session "${this.sessionName}": ask ${toolUseId} all answered, waiting for can_use_tool`)
+    }
+  }
+
+  /** Settle a fully-answered AskUserQuestion: emit the SDK allow
+   * with the full `answers` record folded into `updatedInput`,
+   * drop bookkeeping, restore status. The terminal panel paint was
+   * already done by the final advanceAsk; this is just protocol. */
+  private finalizeAsk(toolUseId: string): void {
+    const pending = this.pendingAsks.get(toolUseId)
+    if (!pending || !pending.requestId) return
+    const meta = this.currentTurn?.toolByUseId.get(toolUseId)
+    const originalInput = meta?.input ?? {}
+    this.proc?.sendPermissionResponse(pending.requestId, 'allow', {
+      updatedInput: { ...originalInput, answers: pending.answers },
+    })
+    this.pendingPermissions.delete(pending.requestId)
+    if (meta) {
+      meta.output = JSON.stringify({ answers: pending.answers })
+      meta.isError = false
+    }
+    this.pendingAsks.delete(toolUseId)
     if (this.pendingPermissions.size === 0 && this.status === 'awaiting_permission') {
       this.status = 'working'
     }
@@ -543,7 +629,7 @@ export class Session {
     return this.lastTurnDelta?.inputTokens ?? 0
   }
 
-  private async openTurnCard(userText: string): Promise<void> {
+  private async openTurnCard(userText: string, userOpenId: string): Promise<void> {
     const turn = ++this.turnCounter
     const card = cards.mainConversationCard({
       sessionName: this.sessionName,
@@ -558,6 +644,8 @@ export class Session {
     catch (e) { log(`session "${this.sessionName}": id_convert failed: ${e}`); return }
     this.currentTurn = {
       cardId,
+      messageId,
+      userOpenId,
       userText,
       thinkingText: '',
       toolCount: 0,
@@ -594,6 +682,11 @@ export class Session {
       segId,
       this.currentTurn.currentAssistantText,
     )
+    // Chat-list preview: tail of the latest assistant text. Feishu
+    // truncates anyway; ~60 chars is what shows on a typical phone
+    // preview line. patchSummaryThrottled is rate-limited on its own.
+    const tail = this.currentTurn.currentAssistantText.slice(-60)
+    cardkit.patchSummaryThrottled(this.currentTurn.cardId, tail)
   }
 
   private appendThinking(delta: string): void {
@@ -634,12 +727,28 @@ export class Session {
     // don't match the actual N options).
     if (name === 'AskUserQuestion') {
       const questions = Array.isArray(input?.questions) ? input.questions as cards.AskQuestion[] : []
-      this.pendingAsks.set(toolUseId, { questions, i })
-      const el = cards.askUserQuestionElement(i, toolUseId, questions, '🤔')
+      const startIdx = questions.length > 0 ? 0 : undefined
+      const answered = new Map<number, cards.AskAnswered>()
+      this.pendingAsks.set(toolUseId, {
+        questions,
+        i,
+        answers: {},
+        answered,
+        currentIdx: startIdx,
+      })
+      const el = cards.askUserQuestionElement(i, toolUseId, questions, '🤔', {
+        currentIdx: startIdx,
+        answered,
+      })
       void cardkit.addElement(this.currentTurn.cardId, el, {
         type: 'insert_before',
         targetElementId: cards.ELEMENTS.footer,
       })
+      // Phone push — user has to come back and answer before Claude can
+      // continue. urgentApp no-ops when userOpenId is empty.
+      if (this.currentTurn.userOpenId && this.currentTurn.messageId) {
+        void feishu.urgentApp(this.currentTurn.messageId, [this.currentTurn.userOpenId])
+      }
       return
     }
     // Pending Task* panels still show the *pre-op* todo mirror so users
@@ -799,30 +908,26 @@ export class Session {
     if (meta.name === 'AskUserQuestion') {
       const ask = this.pendingAsks.get(toolUseId)
       if (!ask) {
-        // Defensive: addTool should have populated pendingAsks. If it
-        // didn't, fall back to a denial so Claude doesn't hang.
         log(`session "${this.sessionName}": AskUserQuestion ${toolUseId} missing pendingAsk — deny`)
         this.proc?.sendPermissionResponse(req.request_id, 'deny', { denyMessage: 'no pending ask' })
         return
       }
       ask.requestId = req.request_id
       this.pendingPermissions.set(req.request_id, { toolUseId })
-      if (ask.deferredAnswer) {
-        const d = ask.deferredAnswer
-        ask.deferredAnswer = undefined
-        this.resolveAsk(toolUseId, req.request_id, {
-          questionIdx: d.questionIdx,
-          optionIdx: d.optionIdx,
-          customText: d.customText,
-          user: d.user,
-        })
-      }
+      // Fast-clicker race: the user may have answered every question
+      // while we were still waiting for can_use_tool to arrive. If so,
+      // advanceAsk parked the all-done state and we drain it now.
+      if (ask.currentIdx === undefined) this.finalizeAsk(toolUseId)
       return
     }
     this.status = 'awaiting_permission'
     this.pendingPermissions.set(req.request_id, { toolUseId })
     const el = cards.toolCallPermissionElement(meta.i, meta.name, meta.input, req.request_id)
     void cardkit.replaceElement(turn.cardId, cards.ELEMENTS.tool(meta.i), el)
+    // Phone push — Claude is blocked until the user approves/denies.
+    if (turn.userOpenId && turn.messageId) {
+      void feishu.urgentApp(turn.messageId, [turn.userOpenId])
+    }
   }
 
   private async closeTurnCard(suffix?: string): Promise<void> {
@@ -867,9 +972,26 @@ export class Session {
     const sendNote = sendPaths.length ? ` · 📎 ${sendPaths.length}` : ''
     const footer = `⏱ ${elapsed}s${suffix ? ' · ' + suffix : ''}${sendNote} · ✅ done`
     await cardkit.streamText(cardId, cards.ELEMENTS.footer, footer)
-    await cardkit.patchSettings(cardId, cards.STREAMING_OFF_SETTINGS)
+    // Final chat-list preview: clean finish shows "⏱ Xs · NK tokens";
+    // interrupted shows the suffix instead (no usage event landed).
+    // cancelSummary kills any in-flight throttled write so a stale
+    // mid-stream tail can't clobber this terminal summary.
+    cardkit.cancelSummary(cardId)
+    await cardkit.patchSettings(cardId, cards.streamingOffSettings({
+      durationSec: elapsed,
+      tokens: suffix ? undefined : this.lastTurnDelta?.tokens,
+      suffix,
+    }))
     await cardkit.dispose(cardId)
 
+    // Phone push on clean turn close so the user knows Claude is done
+    // even with the chat backgrounded. Skip on interrupts (no real
+    // completion) and when we don't know who to ping. Fire-and-forget;
+    // urgent_app failures are non-fatal and already logged in feishu.ts.
+    if (!suffix && turn.userOpenId && turn.messageId) {
+      void feishu.urgentApp(turn.messageId, [turn.userOpenId])
+    }
+
     // Fire uploads sequentially AFTER the card is sealed so each file
     // posts as its own Feishu message below the conversation card.
     // Path gate: workDir (Claude's project sandbox), the inbox where