@link-assistant/hive-mind 1.74.6 → 1.74.8

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @link-assistant/hive-mind
 
+## 1.74.8
+
+### Patch Changes
+
+- c132ce0: Fix `/stop <issue-or-pr-url>` so it can stop tasks that started immediately
+  (empty queue) or were already dispatched to a detached isolation session. The
+  URL lookup now also consults the session-monitor registry and forwards CTRL+C
+  to the tracked start-command UUID, so all three stop modes (issue URL, PR URL,
+  and session UUID) work end-to-end (#1871).
+
+## 1.74.7
+
+### Patch Changes
+
+- 8ea7110: Document the issue #1858 case study and add an experimental private Telegram
+  `/auth` command for allowlisted chat owners to check or start GitHub, Claude,
+  and Codex auth flows.
+
 ## 1.74.6
 
 ### Patch Changes

package/README.hi.md

@@ -559,6 +559,7 @@ Shows:
 - ✅ **Screen सत्र**: कमांड डिटैच्ड screen सत्रों में चलते हैं
 - ✅ **Live Terminal Watch**: `/terminal_watch` और opt-in auto-start live session logs दिखाते हैं
 - ✅ **चैट प्रतिबंध**: अनुमत चैट ID की वैकल्पिक सफेद सूची
+- ✅ **Private Auth Check**: allowlisted chat owners के लिए experimental `/auth --status <gh|claude|codex>` और `/auth --login <gh|claude|codex>`
 - ✅ **डायग्नोस्टिक टूल**: चैट ID और कॉन्फ़िगरेशन जानकारी प्राप्त करें
 
 #### Live Terminal Watch
@@ -577,6 +578,8 @@ sessions के लिए अपने आप एक अलग live terminal wat
 
 - केवल उन ग्रुप चैट में काम करता है जहाँ बॉट एडमिन है
 - `TELEGRAM_ALLOWED_CHATS` के माध्यम से वैकल्पिक चैट ID प्रतिबंध
+- private `/auth` तब disabled रहता है जब `TELEGRAM_ALLOWED_CHATS` set नहीं है,
+  और इसे केवल listed chats के owners इस्तेमाल कर सकते हैं
 - बॉट चलाने वाले सिस्टम उपयोगकर्ता के रूप में कमांड चलते हैं
 - उचित प्रमाणीकरण सुनिश्चित करें (`gh auth login`, `claude-profiles`)
 

package/README.md

@@ -580,6 +580,7 @@ Shows:
 - ✅ **Screen Sessions**: Commands run in detached screen sessions
 - ✅ **Live Terminal Watch**: `/terminal_watch` and opt-in auto-start show live session logs
 - ✅ **Chat Restrictions**: Optional whitelist of allowed chat IDs
+- ✅ **Private Auth Check**: Experimental `/auth --status <gh|claude|codex>` and `/auth --login <gh|claude|codex>` for owners of allowlisted chats
 - ✅ **Diagnostic Tools**: Get chat ID and configuration info
 
 #### Live Terminal Watch
@@ -597,6 +598,8 @@ When enabled with `--auto-start-screen-watch-message`, the bot automatically sta
 
 - Only works in group chats where the bot is admin
 - Optional chat ID restrictions via `TELEGRAM_ALLOWED_CHATS`
+- Private `/auth` is disabled unless `TELEGRAM_ALLOWED_CHATS` is set and only
+  owners of listed chats can use it
 - Commands run as the system user running the bot
 - Ensure proper authentication (`gh auth login`, `claude-profiles`)
 

package/README.ru.md

@@ -561,6 +561,7 @@ Shows:
 - ✅ **Screen-сессии**: команды запускаются в отсоединённых screen-сессиях
 - ✅ **Live Terminal Watch**: `/terminal_watch` и opt-in auto-start показывают live session logs
 - ✅ **Ограничения по чатам**: опциональный белый список разрешённых ID чатов
+- ✅ **Приватная проверка auth**: экспериментальные `/auth --status <gh|claude|codex>` и `/auth --login <gh|claude|codex>` для владельцев разрешённых чатов
 - ✅ **Диагностические инструменты**: получение ID чата и информации о конфигурации
 
 #### Live Terminal Watch
@@ -579,6 +580,8 @@ Shows:
 
 - Работает только в групповых чатах, где бот является администратором
 - Опциональное ограничение по ID чата через `TELEGRAM_ALLOWED_CHATS`
+- Приватная `/auth` отключена, если `TELEGRAM_ALLOWED_CHATS` не задан, и
+  доступна только владельцам перечисленных чатов
 - Команды выполняются от имени системного пользователя, запустившего бота
 - Убедитесь в наличии надлежащей аутентификации (`gh auth login`, `claude-profiles`)
 

package/README.zh.md

@@ -555,6 +555,7 @@ Shows:
 - ✅ **Screen 会话**：命令在后台 Screen 会话中运行
 - ✅ **Live Terminal Watch**：`/terminal_watch` 和 opt-in auto-start 显示 live session logs
 - ✅ **聊天限制**：可选配置允许的聊天 ID 白名单
+- ✅ **私聊 Auth 检查**：为白名单聊天所有者提供实验性的 `/auth --status <gh|claude|codex>` 和 `/auth --login <gh|claude|codex>`
 - ✅ **诊断工具**：获取聊天 ID 和配置信息
 
 #### Live Terminal Watch
@@ -573,6 +574,7 @@ Shows:
 
 - 仅在机器人为管理员的群聊中有效
 - 可通过 `TELEGRAM_ALLOWED_CHATS` 配置可选的聊天 ID 限制
+- 如果未设置 `TELEGRAM_ALLOWED_CHATS`，私聊 `/auth` 会被禁用，且只有所列聊天的所有者可以使用
 - 命令以运行机器人的系统用户身份执行
 - 请确保已完成正确的身份验证（`gh auth login`、`claude-profiles`）
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-assistant/hive-mind",
-  "version": "1.74.6",
+  "version": "1.74.8",
   "description": "AI-powered issue solver and hive mind for collaborative problem solving",
   "main": "src/hive.mjs",
   "type": "module",

package/src/session-monitor.lib.mjs

@@ -150,7 +150,11 @@ function isMessageAlreadyUpdatedError(error) {
 }
 
 function normalizeSessionUrl(url) {
-  return url.replace(/\/+$/, '').replace(/#.*$/, '').toLowerCase();
+  // Strip the fragment first, then any trailing slashes, so URLs that carry a
+  // fragment after a trailing slash (e.g. `.../issues/18/#comment`) normalize to
+  // the same value as the bare `.../issues/18`. Doing it in the other order
+  // would leave a dangling trailing slash. (Issue #1871.)
+  return url.replace(/#.*$/, '').replace(/\/+$/, '').toLowerCase();
 }
 
 function isNonIsolationSessionActive(sessionName, sessionInfo, verbose = false) {
@@ -488,6 +492,73 @@ export function hasActiveSessionForUrl(url, verbose = false) {
   return { isActive: false, sessionName: null };
 }
 
+const SESSION_UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+
+/**
+ * Issue #1871: Find a tracked, still-running session for a GitHub issue/PR URL
+ * and report whether it can be stopped by forwarding CTRL+C to the
+ * start-command session UUID.
+ *
+ * The `/stop <url>` Telegram flow originally consulted only the in-memory solve
+ * queue. But a `/solve` or `/codex` that starts immediately (queue empty)
+ * dispatches straight to a detached isolation session and is removed from the
+ * queue's `processing` Map the moment it is launched. From that point on the
+ * session-monitor's in-memory registry is the only place that still knows the
+ * URL → start-command-UUID mapping, so `/stop <url>` reported "no task found"
+ * even though the task was clearly running. This helper exposes that registry
+ * so the stop flow can recover the UUID and interrupt the session.
+ *
+ * A session is stoppable when it was launched with an isolation backend and its
+ * start-command UUID is UUID-shaped (the value `$ --stop <uuid>` expects). Plain
+ * non-isolation screen sessions are reported but marked `stoppable: false`
+ * because `$ --stop` cannot interrupt them.
+ *
+ * @param {string} url - GitHub issue or PR URL (any normalization)
+ * @param {boolean} verbose - Whether to log verbose output
+ * @returns {{ sessionName: string, sessionId: string|null, sessionInfo: Object,
+ *   isolationBackend: string|null, stoppable: boolean }|null} Match or null
+ */
+export function findStoppableSessionByUrl(url, verbose = false) {
+  if (!url) return null;
+
+  const normalizedUrl = normalizeSessionUrl(url);
+
+  for (const [sessionName, sessionInfo] of activeSessions.entries()) {
+    if (!sessionInfo.url || normalizeSessionUrl(sessionInfo.url) !== normalizedUrl) {
+      continue;
+    }
+    // Issue #1586: skip expired non-isolation sessions — they are no longer running.
+    if (!sessionInfo.isolationBackend && !isNonIsolationSessionActive(sessionName, sessionInfo, verbose)) {
+      continue;
+    }
+
+    // The UUID `$ --stop` expects is the start-command session id. For
+    // isolation sessions it is tracked either as sessionInfo.sessionId or as
+    // the (UUID-shaped) session key itself.
+    const candidateId = sessionInfo.sessionId || sessionName;
+    const sessionId = SESSION_UUID_RE.test(candidateId) ? candidateId : null;
+    const stoppable = Boolean(sessionInfo.isolationBackend && sessionId);
+
+    if (verbose) {
+      const mode = sessionInfo.isolationBackend ? `isolation:${sessionInfo.isolationBackend}` : 'non-isolation';
+      console.log(`[VERBOSE] findStoppableSessionByUrl: matched ${sessionName} for ${url} (${mode}, stoppable=${stoppable})`);
+    }
+
+    return {
+      sessionName,
+      sessionId,
+      sessionInfo,
+      isolationBackend: sessionInfo.isolationBackend || null,
+      stoppable,
+    };
+  }
+
+  if (verbose) {
+    console.log(`[VERBOSE] findStoppableSessionByUrl: no tracked session for ${url}`);
+  }
+  return null;
+}
+
 /**
  * Async active-session check for command handlers.
  *

package/src/telegram-auth-command.lib.mjs

@@ -0,0 +1,298 @@
+import { spawn } from 'child_process';
+import { parseCommandArgs } from './telegram-solve-command.lib.mjs';
+
+export const AUTH_PROVIDERS = Object.freeze(['gh', 'claude', 'codex']);
+
+const AUTH_PROVIDER_SET = new Set(AUTH_PROVIDERS);
+const AUTH_USAGE = 'Usage: /auth --status <gh|claude|codex> or /auth --login <gh|claude|codex>';
+// eslint-disable-next-line no-control-regex
+const ANSI_RE = /\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])/g;
+const TOKEN_RE = /\b(?:gh[opsu]_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}|sk-proj-[A-Za-z0-9_-]{20,}|sk-[A-Za-z0-9_-]{20,}|xox[baprs]-[A-Za-z0-9-]{20,})\b/g;
+const TOKEN_FIELD_RE = /\b(token|access_token|refresh_token|api[_-]?key|authorization)\s*[:=]\s*["']?[^"'\s,}]+/gi;
+
+function trimOutput(text, max = 3500) {
+  const value = String(text || '').trim();
+  if (value.length <= max) return value;
+  return value.slice(0, max) + `\n... truncated ${value.length - max} characters`;
+}
+
+function escapeCodeFence(text) {
+  return String(text || '').replace(/```/g, '` ` `');
+}
+
+function normalizeProvider(provider) {
+  return String(provider || '')
+    .trim()
+    .toLowerCase();
+}
+
+function readActionValue(arg) {
+  if (arg === '--status') return { action: 'status', provider: null, consumesNext: true };
+  if (arg === '--login') return { action: 'login', provider: null, consumesNext: true };
+  if (arg.startsWith('--status=')) return { action: 'status', provider: arg.slice('--status='.length), consumesNext: false };
+  if (arg.startsWith('--login=')) return { action: 'login', provider: arg.slice('--login='.length), consumesNext: false };
+  return null;
+}
+
+export function parseAuthRequest(text) {
+  const args = parseCommandArgs(text || '');
+  let action = null;
+  let provider = null;
+
+  for (let i = 0; i < args.length; i++) {
+    const parsed = readActionValue(args[i]);
+    if (!parsed) {
+      return { action: null, provider: null, error: `Unsupported /auth argument: ${args[i]}\n\n${AUTH_USAGE}` };
+    }
+    if (action) {
+      return { action: null, provider: null, error: `Use exactly one of --status or --login.\n\n${AUTH_USAGE}` };
+    }
+    action = parsed.action;
+    provider = normalizeProvider(parsed.provider);
+    if (parsed.consumesNext) {
+      const next = args[i + 1];
+      if (!next || next.startsWith('--')) {
+        return { action: null, provider: null, error: AUTH_USAGE };
+      }
+      provider = normalizeProvider(next);
+      i++;
+    }
+  }
+
+  if (!action || !provider) {
+    return { action: null, provider: null, error: AUTH_USAGE };
+  }
+  if (!AUTH_PROVIDER_SET.has(provider)) {
+    return { action, provider: null, error: `Unsupported auth provider: ${provider}\n\n${AUTH_USAGE}` };
+  }
+
+  return { action, provider, error: null };
+}
+
+export function buildAuthCommand(action, provider) {
+  if (action === 'status') {
+    if (provider === 'gh') return { command: 'gh', args: ['auth', 'status', '--hostname', 'github.com'] };
+    if (provider === 'claude') return { command: 'claude', args: ['auth', 'status'] };
+    if (provider === 'codex') return { command: 'codex', args: ['login', 'status'] };
+  }
+  if (action === 'login') {
+    if (provider === 'gh') return { command: 'gh', args: ['auth', 'login', '--hostname', 'github.com', '--git-protocol', 'https', '--web'] };
+    if (provider === 'claude') return { command: 'claude', args: ['auth', 'login', '--claudeai'] };
+    if (provider === 'codex') return { command: 'codex', args: ['login', '--device-auth'] };
+  }
+  throw new Error(`Unsupported auth command: ${action} ${provider}`);
+}
+
+export function redactAuthOutput(output) {
+  return String(output || '')
+    .replace(ANSI_RE, '')
+    .replace(TOKEN_RE, '[REDACTED_TOKEN]')
+    .replace(TOKEN_FIELD_RE, (_, name) => `${name}: [REDACTED_TOKEN]`);
+}
+
+function collectAuthOutput(result) {
+  return redactAuthOutput([result?.stdout, result?.stderr].filter(Boolean).join('\n'));
+}
+
+export function extractAuthStartDetails(output) {
+  const text = redactAuthOutput(output);
+  const urls = [...new Set([...text.matchAll(/https?:\/\/[^\s<>)"']+/g)].map(match => match[0].replace(/[.,;:!?]+$/, '')))];
+
+  const codePatterns = [/\bone-time code\s*[:=]\s*([A-Z0-9][A-Z0-9-]{3,})/i, /\b(?:user code|verification code|code)\s*[:=]\s*([A-Z0-9][A-Z0-9-]{3,})/i, /\b([A-Z0-9]{4,}-[A-Z0-9-]{4,})\b/];
+  let code = null;
+  for (const pattern of codePatterns) {
+    const match = text.match(pattern);
+    if (match) {
+      code = match[1].toUpperCase();
+      break;
+    }
+  }
+
+  return { urls, code };
+}
+
+export function formatAuthStatusMessage(provider, result) {
+  const code = result?.code;
+  const ok = code === 0;
+  const output = trimOutput(collectAuthOutput(result)) || '(no output)';
+  return `${ok ? 'OK' : 'ERROR'} *${provider} auth status*\n\nExit code: ${code ?? 'unknown'}\n\n\`\`\`\n${escapeCodeFence(output)}\n\`\`\``;
+}
+
+export function formatAuthLoginMessage(provider, result) {
+  const output = collectAuthOutput(result);
+  const details = extractAuthStartDetails(output);
+  const lines = [`*${provider} auth login started*`, '', 'The local login command was cancelled locally after capturing the browser step, so this bot command did not replace existing credentials.'];
+
+  if (details.urls.length > 0) {
+    lines.push('', 'Open this URL:');
+    for (const url of details.urls) lines.push(url);
+  }
+  if (details.code) {
+    lines.push('', `Code: \`${details.code}\``);
+  }
+  if (details.urls.length === 0 && !details.code) {
+    const shownOutput = trimOutput(output) || '(no output captured)';
+    lines.push('', 'Captured output:', '', '```', escapeCodeFence(shownOutput), '```');
+  }
+  if (result?.cancelled) {
+    lines.push('', 'Status: cancelled locally after capture.');
+  } else if (typeof result?.code === 'number') {
+    lines.push('', `Status: login command exited with code ${result.code}.`);
+  }
+  lines.push('', 'Continuation by replying with a provider code is not automated yet; this is the first experimental CLI-backed /auth path.');
+  return lines.join('\n');
+}
+
+export const resolveAllowedAuthChatIds = allowedChats => {
+  if (!allowedChats) return [];
+  const raw = typeof allowedChats === 'function' ? allowedChats() : allowedChats;
+  if (!Array.isArray(raw)) return [];
+  return raw.map(value => String(value)).filter(Boolean);
+};
+
+export async function isAuthOperator({ telegram, userId, allowedChatIds }) {
+  if (!telegram || !userId || !allowedChatIds || allowedChatIds.length === 0) {
+    return false;
+  }
+  for (const chatId of allowedChatIds) {
+    if (String(chatId) === String(userId)) return true;
+    try {
+      const member = await telegram.getChatMember(chatId, userId);
+      if (member?.status === 'creator') return true;
+    } catch {
+      // Try the next configured chat. The bot may no longer be a member.
+    }
+  }
+  return false;
+}
+
+export function runAuthCommand(command, args, options = {}) {
+  const { mode = 'status', loginCaptureMs = 15000, outputLimit = 20000, env = process.env } = options;
+  return new Promise(resolve => {
+    const child = spawn(command, args, {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      env,
+    });
+    let stdout = '';
+    let stderr = '';
+    let settled = false;
+    let captureTimer = null;
+
+    const settle = result => {
+      if (settled) return;
+      settled = true;
+      if (captureTimer) clearTimeout(captureTimer);
+      resolve({
+        stdout: stdout.slice(0, outputLimit),
+        stderr: stderr.slice(0, outputLimit),
+        ...result,
+      });
+    };
+
+    const maybeCancelLogin = () => {
+      if (mode !== 'login' || settled) return;
+      const details = extractAuthStartDetails(`${stdout}\n${stderr}`);
+      if (details.urls.length === 0 && !details.code) return;
+      child.kill('SIGTERM');
+      settle({ code: null, signal: 'SIGTERM', cancelled: true });
+    };
+
+    child.stdout.on('data', data => {
+      stdout += data.toString();
+      maybeCancelLogin();
+    });
+    child.stderr.on('data', data => {
+      stderr += data.toString();
+      maybeCancelLogin();
+    });
+    child.on('error', error => {
+      settle({ code: null, error: error.message });
+    });
+    child.on('close', (code, signal) => {
+      settle({ code, signal, cancelled: false });
+    });
+
+    if (mode === 'login') {
+      captureTimer = setTimeout(() => {
+        child.kill('SIGTERM');
+        settle({ code: null, signal: 'SIGTERM', cancelled: true });
+      }, loginCaptureMs);
+    }
+  });
+}
+
+export function registerAuthCommand(bot, options = {}) {
+  const { VERBOSE = false, isOldMessage, isForwardedOrReply, allowedChats, authEnabled = true } = options;
+  const execute = options.runCommand || runAuthCommand;
+  const reply = options.safeReply || ((ctx, text, replyOptions) => ctx.reply(text, replyOptions));
+
+  async function handleAuthCommand(ctx) {
+    VERBOSE && console.log('[VERBOSE] /auth command received');
+
+    if (isOldMessage && isOldMessage(ctx)) {
+      VERBOSE && console.log('[VERBOSE] /auth ignored: old message');
+      return;
+    }
+    if (isForwardedOrReply && isForwardedOrReply(ctx)) {
+      VERBOSE && console.log('[VERBOSE] /auth ignored: forwarded or reply');
+      return;
+    }
+    if (!authEnabled) {
+      await reply(ctx, 'The /auth command is disabled on this bot instance.', { reply_to_message_id: ctx.message?.message_id });
+      return;
+    }
+    if (!ctx.chat || !ctx.from || !ctx.message) return;
+    if (ctx.chat.type !== 'private') {
+      await reply(ctx, 'The /auth command is only available in private messages.', { reply_to_message_id: ctx.message.message_id });
+      return;
+    }
+
+    const allowedChatIds = resolveAllowedAuthChatIds(allowedChats);
+    if (allowedChatIds.length === 0) {
+      await reply(ctx, 'The /auth command is disabled because TELEGRAM_ALLOWED_CHATS is not configured.', { reply_to_message_id: ctx.message.message_id });
+      return;
+    }
+
+    const authorized = await isAuthOperator({ telegram: ctx.telegram, userId: ctx.from.id, allowedChatIds });
+    if (!authorized) {
+      VERBOSE && console.log(`[VERBOSE] /auth denied: user ${ctx.from.id} is not creator of any allowed chat`);
+      await reply(ctx, 'The /auth command is only available to owners of allowlisted chats.', { reply_to_message_id: ctx.message.message_id });
+      return;
+    }
+
+    const request = parseAuthRequest(ctx.message.text || '');
+    if (request.error) {
+      await reply(ctx, request.error, { reply_to_message_id: ctx.message.message_id });
+      return;
+    }
+
+    const { command, args } = buildAuthCommand(request.action, request.provider);
+    let result;
+    try {
+      result = await execute(command, args, { mode: request.action, provider: request.provider });
+    } catch (error) {
+      await reply(ctx, `Failed to run ${request.provider} auth ${request.action}: ${error.message || String(error)}`, { reply_to_message_id: ctx.message.message_id });
+      return;
+    }
+
+    const message = request.action === 'status' ? formatAuthStatusMessage(request.provider, result) : formatAuthLoginMessage(request.provider, result);
+    await reply(ctx, message, { parse_mode: 'Markdown', reply_to_message_id: ctx.message.message_id });
+  }
+
+  bot.command('auth', handleAuthCommand);
+  return { handleAuthCommand };
+}
+
+export default {
+  AUTH_PROVIDERS,
+  buildAuthCommand,
+  extractAuthStartDetails,
+  formatAuthLoginMessage,
+  formatAuthStatusMessage,
+  isAuthOperator,
+  parseAuthRequest,
+  redactAuthOutput,
+  registerAuthCommand,
+  resolveAllowedAuthChatIds,
+  runAuthCommand,
+};

package/src/telegram-bot.mjs

@@ -43,7 +43,7 @@ const { isOldMessage: _isOldMessage, isGroupChat: _isGroupChat, isChatAuthorized
 const { installTelegramFormattingFallback, isTelegramFormattingError, isTelegramMessageTooLongError, safeEditMessageText, safeReply, TELEGRAM_TEXT_LIMIT } = await import('./telegram-safe-reply.lib.mjs');
 const { registerTerminalWatchCommand, startAutoTerminalWatchForSession } = await import('./telegram-terminal-watch-command.lib.mjs');
 const { launchBotWithRetry } = await import('./telegram-bot-launcher.lib.mjs');
-const { trackSession, startSessionMonitoring, hasActiveSessionForUrlAsync } = await import('./session-monitor.lib.mjs');
+const { trackSession, startSessionMonitoring, hasActiveSessionForUrlAsync, findStoppableSessionByUrl } = await import('./session-monitor.lib.mjs');
 const { formatExecutingWorkSessionMessage, formatStartingWorkSessionMessage } = await import('./work-session-formatting.lib.mjs');
 const { buildTelegramHelpMessage, buildTelegramInfoBlock, buildSolveQueuedMessage } = await import('./telegram-ui-messages.lib.mjs');
 
@@ -100,6 +100,11 @@ const config = yargs(hideBin(process.argv))
     description: 'Enable /task and /split commands (use --no-task to disable)',
     default: getenv('TELEGRAM_TASK', 'true') !== 'false',
   })
+  .option('auth', {
+    type: 'boolean',
+    description: 'Enable experimental private /auth command for allowlisted chat owners (use --no-auth to disable)',
+    default: getenv('TELEGRAM_AUTH', 'true') !== 'false',
+  })
   .option('dryRun', {
     type: 'boolean',
     description: 'Validate configuration and options without starting the bot',
@@ -163,6 +168,7 @@ const hiveOverrides = resolvedHiveOverrides
 const solveEnabled = config.solve;
 const hiveEnabled = config.hive;
 const taskEnabled = config.task;
+const authEnabled = config.auth;
 // Isolation mode (experimental): uses `$` from start-command with specified backend
 const ISOLATION_BACKEND = (config.isolation || getenv('TELEGRAM_ISOLATION', '')).trim().toLowerCase();
 let isolationRunner = null;
@@ -283,7 +289,7 @@ if (config.dryRun) {
   if (allowedTopics && allowedTopics.length > 0) {
     console.log('  Allowed topics:', lino.formatLinks(allowedTopics));
   }
-  console.log('  Commands enabled:', { solve: solveEnabled, hive: hiveEnabled, task: taskEnabled });
+  console.log('  Commands enabled:', { solve: solveEnabled, hive: hiveEnabled, task: taskEnabled, auth: authEnabled });
   if (solveOverrides.length > 0) {
     console.log('  Solve overrides:', lino.format(solveOverrides));
   }
@@ -606,6 +612,8 @@ const { registerSubscribeCommands } = await import('./telegram-subscribers.lib.m
 registerSubscribeCommands(bot, sharedCommandOpts);
 const { registerTaskCommands } = await import('./telegram-task-command.lib.mjs');
 const { handleTaskCommand, TASK_COMMAND_NAMES } = registerTaskCommands(bot, { ...sharedCommandOpts, taskEnabled, safeReply, executeAndUpdateMessage, resolveLocale: resolveLocaleFromTelegramCtx });
+const { registerAuthCommand } = await import('./telegram-auth-command.lib.mjs');
+const { handleAuthCommand } = registerAuthCommand(bot, { ...sharedCommandOpts, allowedChats, authEnabled, safeReply });
 
 // Named handler for /solve command - extracted for reuse by text-based fallback (issue #1207)
 async function handleSolveCommand(ctx) {
@@ -1060,7 +1068,7 @@ const { registerTopCommand } = await import('./telegram-top-command.lib.mjs');
 const { registerStartStopCommands } = await import('./telegram-start-stop-command.lib.mjs');
 const { registerLogCommand } = await import('./telegram-log-command.lib.mjs');
 registerTopCommand(bot, sharedCommandOpts);
-registerStartStopCommands(bot, { ...sharedCommandOpts, getSolveQueue });
+registerStartStopCommands(bot, { ...sharedCommandOpts, getSolveQueue, findRunningSessionByUrl: (url, verbose) => findStoppableSessionByUrl(url, verbose) });
 await registerLogCommand(bot, sharedCommandOpts);
 await registerTerminalWatchCommand(bot, sharedCommandOpts);
 
@@ -1170,7 +1178,7 @@ bot.on('message', async (ctx, next) => {
   const solveHandlers = Object.fromEntries(SOLVE_COMMAND_NAMES.map(command => [command, handleSolveCommand]));
   const taskHandlers = Object.fromEntries(TASK_COMMAND_NAMES.map(command => [command, handleTaskCommand]));
   // /queue is the short alias for /solve_queue (issue #1837)
-  const handlers = { ...solveHandlers, ...taskHandlers, hive: handleHiveCommand, solve_queue: handleSolveQueueCommand, solvequeue: handleSolveQueueCommand, queue: handleSolveQueueCommand };
+  const handlers = { ...solveHandlers, ...taskHandlers, auth: handleAuthCommand, hive: handleHiveCommand, solve_queue: handleSolveQueueCommand, solvequeue: handleSolveQueueCommand, queue: handleSolveQueueCommand };
 
   const handler = handlers[extracted.command];
   if (!handler) return next();
@@ -1279,7 +1287,7 @@ if (allowedChats && allowedChats.length > 0) {
 if (allowedTopics && allowedTopics.length > 0) {
   console.log('Allowed topics (lino):', lino.formatLinks(allowedTopics));
 }
-console.log('Commands enabled:', { solve: solveEnabled, hive: hiveEnabled, task: taskEnabled });
+console.log('Commands enabled:', { solve: solveEnabled, hive: hiveEnabled, task: taskEnabled, auth: authEnabled });
 if (solveOverrides.length > 0) console.log('Solve overrides (lino):', lino.format(solveOverrides));
 if (hiveOverrides.length > 0) console.log('Hive overrides (lino):', lino.format(hiveOverrides));
 if (VERBOSE) {

package/src/telegram-start-stop-command.lib.mjs

@@ -16,10 +16,15 @@
  * - `/stop <issue-or-pr-url>` (or reply to a message that contains one) looks
  *   the URL up in the in-memory solve queue and either cancels the queued
  *   item or forwards CTRL+C to the running isolated session (issue #1780).
+ * - `/stop <issue-or-pr-url>` also consults the session-monitor registry of
+ *   running detached sessions, so it can interrupt a task that started
+ *   immediately (queue empty) and was therefore never left in the queue's
+ *   `processing` Map — the case shown in issue #1871's screenshots.
  *
  * @see https://github.com/link-assistant/hive-mind/issues/1081
  * @see https://github.com/link-assistant/hive-mind/issues/524
  * @see https://github.com/link-assistant/hive-mind/issues/1780
+ * @see https://github.com/link-assistant/hive-mind/issues/1871
  * @see https://github.com/link-foundation/start/issues/112
  */
 
@@ -257,6 +262,12 @@ export function isStopTargetRequester({ userId, queueItem = null, sessionInfo =
  *   When omitted, the URL flow degrades gracefully to a "no queue available"
  *   message so unit tests for non-URL paths don't need to construct a queue.
  *   See https://github.com/link-assistant/hive-mind/issues/1780.
+ * @param {Function} [options.findRunningSessionByUrl] - Override for tests; looks
+ *   the URL up in the session-monitor registry of running detached sessions so
+ *   `/stop <url>` can interrupt tasks that started immediately (queue empty) and
+ *   were therefore never left in the queue's `processing` Map. When omitted, the
+ *   real `findStoppableSessionByUrl` from session-monitor is lazy-imported.
+ *   See https://github.com/link-assistant/hive-mind/issues/1871.
  */
 export function registerStartStopCommands(bot, options) {
   const { VERBOSE = false, isOldMessage, isForwardedOrReply, isGroupChat, isChatAuthorized, isTopicAuthorized, buildAuthErrorMessage, getSolveQueue } = options;
@@ -274,6 +285,26 @@ export function registerStartStopCommands(bot, options) {
     return mod.getTrackedSessionInfo(sessionId);
   }
 
+  // Issue #1871: look a URL up in the session-monitor registry of running
+  // detached sessions. A /solve or /codex that started immediately (queue
+  // empty) is dispatched straight to an isolation session and removed from the
+  // queue's `processing` Map, so the queue lookup alone reports "no task found"
+  // for a task that is clearly running. The session monitor still knows the
+  // URL → start-command-UUID mapping, which lets /stop <url> recover and
+  // interrupt the session. Test stubs can inject findRunningSessionByUrl.
+  async function lookupRunningSessionByUrl(url) {
+    try {
+      if (typeof options.findRunningSessionByUrl === 'function') {
+        return await options.findRunningSessionByUrl(url, VERBOSE);
+      }
+      const mod = await import('./session-monitor.lib.mjs');
+      return mod.findStoppableSessionByUrl(url, VERBOSE);
+    } catch (error) {
+      console.error('[ERROR] /stop: findStoppableSessionByUrl failed:', error);
+      return null;
+    }
+  }
+
   /**
    * Validate command context: checks old message, forwarded, group chat, authorized, and owner status.
    * @param {Object} ctx - Telegraf context
@@ -529,18 +560,42 @@ export function registerStartStopCommands(bot, options) {
       const url = target.value;
       VERBOSE && console.log(`[VERBOSE] /stop: detected URL ${url} (source=${target.source})`);
 
-      // Look up the queue item BEFORE auth so we can allow the original task
-      // requester to cancel their own task in a group (#1783). The lookup
-      // here does NOT mutate the queue — actual cancel happens below in
-      // resolveQueueLookupForUrl after auth has passed.
+      // Look up the queue item AND any running detached session BEFORE auth so
+      // we can allow the original task requester to cancel their own task in a
+      // group (#1783), regardless of whether the task is still queued or already
+      // dispatched to an isolation session (#1871). Neither lookup mutates
+      // state — actual cancel/stop happens below after auth has passed.
       const candidate = findQueueCandidateForUrl(url);
-      const ok = await authorizeTargetedStop(ctx, 'URL', { queueItem: candidate.item || null });
+      const runningSession = await lookupRunningSessionByUrl(url);
+      const ok = await authorizeTargetedStop(ctx, 'URL', { queueItem: candidate.item || null, sessionInfo: runningSession?.sessionInfo || null });
       if (!ok) return;
 
       const lookup = resolveQueueLookupForUrl(url);
       VERBOSE && console.log(`[VERBOSE] /stop: queue lookup for ${url} → ${lookup.action}`);
 
+      // Issue #1871: when the queue has no record of the task (it started
+      // immediately and was dispatched to a detached session) but the session
+      // monitor still tracks a running isolated session for this URL, forward
+      // CTRL+C to its start-command UUID. This is the common case for tasks
+      // that begin executing right away with `--isolation screen`.
+      const queueHasTask = lookup.action === 'cancel-queued' || lookup.action === 'stop-running';
+      if (!queueHasTask && runningSession?.stoppable && runningSession.sessionId) {
+        VERBOSE && console.log(`[VERBOSE] /stop: forwarding CTRL+C to tracked session ${runningSession.sessionId} for ${url} (queue action=${lookup.action})`);
+        await runStopIsolatedSessionFlow(ctx, runningSession.sessionId);
+        return;
+      }
+
       if (lookup.action === 'no-queue') {
+        // No solve queue in this context. If the session monitor found a
+        // running-but-non-stoppable (non-isolation) session, say so; otherwise
+        // fall back to the UUID hint.
+        if (runningSession) {
+          await ctx.reply(`⚠️ Found a running task for ${url}, but it was not started with an isolation backend, so \`/stop\` cannot forward CTRL+C to it.\n\nNext time you can run the command with \`--isolation screen\` to make this task interruptible via \`/stop\`.`, {
+            parse_mode: 'Markdown',
+            reply_to_message_id: message.message_id,
+          });
+          return;
+        }
         await ctx.reply(`ℹ️ Cannot look up tasks by URL right now (the bot has no solve queue available in this context).\n\nIf you have the session UUID, you can use \`/stop <UUID>\` instead.`, {
           parse_mode: 'Markdown',
           reply_to_message_id: message.message_id,
@@ -549,6 +604,16 @@ export function registerStartStopCommands(bot, options) {
       }
 
       if (lookup.action === 'not-found') {
+        // The session monitor also had no stoppable session (otherwise we would
+        // have forwarded CTRL+C above). If it tracked a non-isolation session,
+        // explain why it can't be stopped; otherwise report not found.
+        if (runningSession) {
+          await ctx.reply(`⚠️ Found a running task for ${url}, but it was not started with an isolation backend, so \`/stop\` cannot forward CTRL+C to it.\n\nNext time you can run the command with \`--isolation screen\` to make this task interruptible via \`/stop\`.`, {
+            parse_mode: 'Markdown',
+            reply_to_message_id: message.message_id,
+          });
+          return;
+        }
         await ctx.reply(`ℹ️ No queued or running task found for ${url}.\n\nIf the task is running with \`--isolation screen\`, try \`/stop <UUID>\` (the UUID is shown in the bot's session-id message).`, {
           parse_mode: 'Markdown',
           reply_to_message_id: message.message_id,