@nordbyte/nordrelay 0.2.1 → 0.3.1

package/dist/bot.js

@@ -7,19 +7,23 @@ import { Bot, InlineKeyboard, InputFile } from "grammy";
 import { hasTelegramPermission, permissionForCallbackData, permissionForCommand, } from "./access-control.js";
 import { buildFileInstructions, outboxPath, stageFile, } from "./attachments.js";
 import { collectArtifactReport, collectRecentWorkspaceArtifacts, createArtifactZipBundle, ensureOutDir, formatArtifactSummary, getArtifactTurnReport, isTelegramImagePreview, listRecentArtifactReports, persistWorkspaceArtifactReport, pruneConnectorTurnDirs, removeArtifactTurn, telegramArtifactFilename, totalArtifactSize, } from "./artifacts.js";
+import { listAgentAdapterDescriptors } from "./agent-adapter.js";
+import { AuditLogStore } from "./audit-log.js";
 import { formatSessionLabel, renderHelpMessage, renderWelcomeFirstTime, renderWelcomeReturning, } from "./bot-ui.js";
 import { BotPreferencesStore, formatQuietHours, isQuietNow, parseMirrorMode, parseNotifyMode, parseQuietHours, parseVoiceBackendPreference, } from "./bot-preferences.js";
+import { listChannelDescriptors } from "./channel-adapter.js";
 import { CODEX_REASONING_EFFORTS, CODEX_AGENT_CAPABILITIES, PI_THINKING_LEVELS, agentLabel, agentReasoningLabel, } from "./agent.js";
 import { enabledAgents } from "./agent-factory.js";
 import { checkAuthStatus, clearAuthCache, startLogin, startLogout } from "./codex-auth.js";
 import { findLaunchProfile, formatLaunchProfileBehavior, formatLaunchProfileLabel, } from "./codex-launch.js";
 import { getThreadActivity, getThreadActivityLog, getThreadRolloutSnapshot, } from "./codex-state.js";
-import { contextKeyFromCtx, isTopicContextKey, parseContextKey } from "./context-key.js";
+import { contextKeyFromCtx, isTelegramContextKey, isTopicContextKey, parseContextKey } from "./context-key.js";
 import { friendlyErrorText } from "./error-messages.js";
 import { escapeHTML, formatTelegramHTML } from "./format.js";
-import { getConnectorHealth, getUpdateLogPath, readConnectorState, readLogTail, spawnConnectorRestart, spawnSelfUpdate, } from "./operations.js";
+import { getConnectorHealth, getUpdateLogPath, getVersionChecks, readConnectorState, readFormattedLogTail, spawnConnectorRestart, spawnSelfUpdate, } from "./operations.js";
 import { PromptStore, toPromptEnvelope } from "./prompt-store.js";
 import { configureRedaction, redactText } from "./redaction.js";
+import { canWriteWithLock, SessionLockStore } from "./session-locks.js";
 import { formatFileSize, renderLaunchSummaryHTML, renderLaunchSummaryPlain, renderSessionInfoHTML, renderSessionInfoPlain, } from "./session-format.js";
 import { SessionRegistry } from "./session-registry.js";
 import { getAvailableBackends, transcribeAudio } from "./voice.js";
@@ -82,8 +86,10 @@ export function createBot(config, registry) {
     const pendingAgentPicks = new Map();
     const pendingMediaGroups = new Map();
     const turnProgress = new Map();
-    const promptStore = new PromptStore(config.workspace);
-    const preferencesStore = new BotPreferencesStore(config.workspace);
+    const promptStore = new PromptStore(config.workspace, config.stateBackend);
+    const preferencesStore = new BotPreferencesStore(config.workspace, config.stateBackend);
+    const auditLog = new AuditLogStore(config.workspace, config.stateBackend, config.auditMaxEvents);
+    const lockStore = new SessionLockStore(config.workspace, config.stateBackend);
     const drainingQueues = new Set();
     const externalQueueTimers = new Map();
     const externalMirrors = new Map();
@@ -259,7 +265,10 @@ export function createBot(config, registry) {
             const age = formatRelativeTime(new Date(item.createdAt));
             const attempts = item.attempts && item.attempts > 0 ? ` · attempts ${item.attempts}` : "";
             const error = item.lastError ? ` · last error: ${trimLine(item.lastError, 80)}` : "";
-            const eta = index === 0 ? "next" : `after ${index} queued item${index === 1 ? "" : "s"}`;
+            const scheduled = item.notBefore && item.notBefore > Date.now()
+                ? `scheduled ${formatLocalDateTime(new Date(item.notBefore))}`
+                : index === 0 ? "next" : `after ${index} queued item${index === 1 ? "" : "s"}`;
+            const eta = scheduled;
             return `${index + 1}. ${item.id} · ${age} · ${eta}${attempts}${error} · ${item.description}`;
         });
         const keyboard = new InlineKeyboard();
@@ -322,12 +331,15 @@ export function createBot(config, registry) {
         const contextKeys = new Set([
             ...registry.listContexts().map((context) => context.contextKey),
             ...promptStore.listContextKeys(),
-        ]);
+        ].filter(isTelegramContextKey));
         for (const contextKey of contextKeys) {
             await monitorExternalContext(contextKey);
         }
     };
     const monitorExternalContext = async (contextKey) => {
+        if (!isTelegramContextKey(contextKey)) {
+            return;
+        }
         const session = await registry.getOrCreate(contextKey, { deferThreadStart: true }).catch(() => null);
         if (!session) {
             return;
@@ -579,6 +591,42 @@ export function createBot(config, registry) {
         }
         return permissionForCommand(command);
     };
+    const audit = (event) => {
+        try {
+            auditLog.append(event);
+        }
+        catch (error) {
+            console.warn("Failed to write audit event:", error instanceof Error ? error.message : String(error));
+        }
+    };
+    const auditContext = (ctx, contextKey, session, patch) => {
+        const info = session.getInfo();
+        audit({
+            contextKey,
+            actorId: ctx.from?.id,
+            actorRole: getUserRole(ctx),
+            agentId: idOf(info),
+            threadId: info.threadId,
+            workspace: info.workspace,
+            ...patch,
+        });
+    };
+    const denyIfLocked = async (ctx, contextKey, session) => {
+        const lock = lockStore.get(contextKey);
+        const isAdmin = getUserRole(ctx) === "admin";
+        if (canWriteWithLock(lock, ctx.from?.id, isAdmin)) {
+            return false;
+        }
+        const owner = formatLockOwner(lock);
+        const text = `Session is locked by ${owner}. Use /locks to inspect or ask an admin to /unlock.`;
+        auditContext(ctx, contextKey, session, {
+            action: "prompt_started",
+            status: "denied",
+            detail: text,
+        });
+        await safeReply(ctx, escapeHTML(text), { fallbackText: text });
+        return true;
+    };
     const setReaction = async (ctx, emoji) => {
         if (!config.enableTelegramReactions) {
             return;
@@ -669,6 +717,9 @@ export function createBot(config, registry) {
         const parsed = parseContextKey(contextKey);
         const messageThreadId = parsed.messageThreadId;
         const envelope = isPromptEnvelopeLike(prompt) ? prompt : toPromptEnvelope(prompt);
+        if (!options.fromQueue && await denyIfLocked(ctx, contextKey, session)) {
+            return;
+        }
         const busy = getBusyReason(contextKey);
         if (busy.busy) {
             if (options.fromQueue) {
@@ -689,6 +740,13 @@ export function createBot(config, registry) {
                 fallbackText: queuedMessage,
                 replyMarkup: createQueuedPromptCancelKeyboard(contextKey, item.id),
             });
+            auditContext(ctx, contextKey, session, {
+                action: "prompt_queued",
+                status: "ok",
+                promptId: item.id,
+                description: item.description,
+                detail: busy.kind,
+            });
             if (busy.kind === "external") {
                 scheduleExternalQueueDrain(ctx, contextKey, chatId, session);
             }
@@ -1101,6 +1159,11 @@ export function createBot(config, registry) {
                 return;
             }
             promptStore.setLastPrompt(contextKey, envelope);
+            auditContext(ctx, contextKey, session, {
+                action: "prompt_started",
+                status: "ok",
+                description: envelope.description,
+            });
             await session.prompt(envelope.input, callbacks);
             updateSessionMetadata(contextKey, session);
             await finalizeResponse();
@@ -1115,10 +1178,21 @@ export function createBot(config, registry) {
             progress.status = "completed";
             progress.completedAt = Date.now();
             progress.updatedAt = progress.completedAt;
+            auditContext(ctx, contextKey, session, {
+                action: "prompt_completed",
+                status: "ok",
+                description: envelope.description,
+            });
         }
         catch (error) {
             progress.status = "failed";
             progress.error = friendlyErrorText(error);
+            auditContext(ctx, contextKey, session, {
+                action: "prompt_failed",
+                status: "failed",
+                description: envelope.description,
+                detail: progress.error,
+            });
             progress.completedAt = Date.now();
             progress.updatedAt = progress.completedAt;
             stopTyping();
@@ -1175,6 +1249,11 @@ export function createBot(config, registry) {
                 }
                 const next = promptStore.dequeue(contextKey);
                 if (!next) {
+                    const nextRunnableAt = promptStore.nextRunnableAt(contextKey);
+                    const queued = promptStore.list(contextKey).length;
+                    if (nextRunnableAt && queued > 0) {
+                        await updateQueueStatusMessage(contextKey, `Next queued prompt is scheduled for ${formatLocalDateTime(new Date(nextRunnableAt))}. ${queued} queued.`);
+                    }
                     return;
                 }
                 const remainingBeforeRun = promptStore.list(contextKey).length + 1;
@@ -1457,6 +1536,50 @@ export function createBot(config, registry) {
         const help = renderHelpMessage();
         await safeReply(ctx, help.html, { fallbackText: help.plain });
     });
+    bot.command("channels", async (ctx) => {
+        const descriptors = listChannelDescriptors();
+        const lines = descriptors.map((descriptor) => {
+            const status = descriptor.status === "available" ? "available" : "planned";
+            return `${descriptor.label}: ${status} · ${descriptor.capabilities.join(", ")}`;
+        });
+        const html = [
+            "<b>Channel adapters:</b>",
+            ...descriptors.map((descriptor) => {
+                const statusIcon = descriptor.status === "available" ? "✅" : "🟡";
+                const notes = descriptor.notes ? `\n  ${escapeHTML(descriptor.notes)}` : "";
+                return `${statusIcon} <b>${escapeHTML(descriptor.label)}</b> <code>${escapeHTML(descriptor.status)}</code>\n  <code>${escapeHTML(descriptor.capabilities.join(", "))}</code>${notes}`;
+            }),
+        ].join("\n");
+        await safeReply(ctx, html, { fallbackText: ["Channel adapters:", ...lines].join("\n") });
+    });
+    bot.command("agents", async (ctx) => {
+        const descriptors = listAgentAdapterDescriptors();
+        const plain = [
+            "Agent adapters:",
+            ...descriptors.map((descriptor) => {
+                const enabled = descriptor.id === "codex"
+                    ? config.codexEnabled
+                    : descriptor.id === "pi"
+                        ? config.piEnabled
+                        : false;
+                return `${descriptor.label}: ${descriptor.status}${descriptor.status === "available" ? ` · ${enabled ? "enabled" : "disabled"}` : ""}`;
+            }),
+        ].join("\n");
+        const html = [
+            "<b>Agent adapters:</b>",
+            ...descriptors.map((descriptor) => {
+                const enabled = descriptor.id === "codex"
+                    ? config.codexEnabled
+                    : descriptor.id === "pi"
+                        ? config.piEnabled
+                        : false;
+                const status = descriptor.status === "available" ? `${enabled ? "enabled" : "disabled"}` : "planned";
+                const notes = descriptor.notes ? `\n  ${escapeHTML(descriptor.notes)}` : "";
+                return `${descriptor.status === "available" ? "✅" : "🟡"} <b>${escapeHTML(descriptor.label)}</b> <code>${escapeHTML(status)}</code>${notes}`;
+            }),
+        ].join("\n");
+        await safeReply(ctx, html, { fallbackText: plain });
+    });
     bot.command("agent", async (ctx) => {
         const contextSession = await getContextSession(ctx, { deferThreadStart: true });
         if (!contextSession) {
@@ -1817,17 +1940,22 @@ export function createBot(config, registry) {
     bot.command("version", async (ctx) => {
         const health = await getConnectorHealth();
         const state = await readConnectorState();
+        const versions = await getVersionChecks({ piCliPath: config.piCliPath });
         const plain = [
-            `NordRelay ${health.version}`,
+            renderVersionCheckPlain(versions.nordrelay),
             `Runtime status: ${state.status ?? "unknown"}`,
-            `Codex CLI: ${health.codexCli}`,
-            `Pi CLI: ${health.piCli}`,
+            formatCliPathPlain("Codex CLI", health.codexCliPath, health.codexCli),
+            renderVersionCheckPlain(versions.codex),
+            formatCliPathPlain("Pi CLI", health.piCliPath, health.piCli),
+            renderVersionCheckPlain(versions.pi),
         ].join("\n");
         const html = [
-            `<b>NordRelay</b> <code>${escapeHTML(health.version)}</code>`,
+            renderVersionCheckHTML(versions.nordrelay),
             `<b>Runtime status:</b> <code>${escapeHTML(state.status ?? "unknown")}</code>`,
-            `<b>Codex CLI:</b> <code>${escapeHTML(health.codexCli)}</code>`,
-            `<b>Pi CLI:</b> <code>${escapeHTML(health.piCli)}</code>`,
+            formatCliPathHTML("Codex CLI", health.codexCliPath, health.codexCli),
+            renderVersionCheckHTML(versions.codex),
+            formatCliPathHTML("Pi CLI", health.piCliPath, health.piCli),
+            renderVersionCheckHTML(versions.pi),
         ].join("\n");
         await safeReply(ctx, html, { fallbackText: plain });
     });
@@ -1882,6 +2010,61 @@ export function createBot(config, registry) {
         }
         await safeReply(ctx, rendered.html, { fallbackText: rendered.plain });
     });
+    bot.command("audit", async (ctx) => {
+        const rawText = ctx.message?.text ?? "";
+        const limitArg = rawText.replace(/^\/audit(?:@\w+)?\s*/i, "").trim();
+        const limit = /^\d+$/.test(limitArg) ? Number(limitArg) : 20;
+        const events = auditLog.list(limit);
+        const rendered = renderAuditEvents(events);
+        await safeReply(ctx, rendered.html, { fallbackText: rendered.plain });
+    });
+    bot.command("lock", async (ctx) => {
+        const contextSession = await getContextSession(ctx, { deferThreadStart: true });
+        if (!contextSession || !ctx.from) {
+            return;
+        }
+        const { contextKey, session } = contextSession;
+        const existing = lockStore.get(contextKey);
+        if (existing && existing.ownerId !== ctx.from.id && getUserRole(ctx) !== "admin") {
+            const text = `Session is already locked by ${formatLockOwner(existing)}.`;
+            await safeReply(ctx, escapeHTML(text), { fallbackText: text });
+            return;
+        }
+        const lock = lockStore.set(contextKey, ctx.from.id, formatTelegramName(ctx), config.sessionLockTtlMs);
+        auditContext(ctx, contextKey, session, {
+            action: "lock_updated",
+            status: "ok",
+            detail: `locked by ${lock.ownerId}`,
+        });
+        const text = `Session locked by ${formatLockOwner(lock)}${lock.expiresAt ? ` until ${formatLocalDateTime(new Date(lock.expiresAt))}` : ""}.`;
+        await safeReply(ctx, escapeHTML(text), { fallbackText: text });
+    });
+    bot.command("unlock", async (ctx) => {
+        const contextSession = await getContextSession(ctx, { deferThreadStart: true });
+        if (!contextSession) {
+            return;
+        }
+        const { contextKey, session } = contextSession;
+        const lock = lockStore.get(contextKey);
+        if (lock && lock.ownerId !== ctx.from?.id && getUserRole(ctx) !== "admin") {
+            const text = `Only ${formatLockOwner(lock)} or an admin can unlock this session.`;
+            await safeReply(ctx, escapeHTML(text), { fallbackText: text });
+            return;
+        }
+        const removed = lockStore.clear(contextKey);
+        auditContext(ctx, contextKey, session, {
+            action: "lock_updated",
+            status: "ok",
+            detail: removed ? "unlocked" : "no lock",
+        });
+        const text = removed ? "Session lock released." : "No active lock for this session.";
+        await safeReply(ctx, escapeHTML(text), { fallbackText: text });
+    });
+    bot.command("locks", async (ctx) => {
+        const locks = lockStore.list();
+        const rendered = renderSessionLocks(locks);
+        await safeReply(ctx, rendered.html, { fallbackText: rendered.plain });
+    });
     bot.command("diagnostics", async (ctx) => {
         const health = await getConnectorHealth();
         const authStatus = await checkAuthStatus(config.codexApiKey);
@@ -1944,10 +2127,20 @@ export function createBot(config, registry) {
     bot.command("logs", async (ctx) => {
         const rawText = ctx.message?.text ?? "";
         const argument = rawText.replace(/^\/logs(?:@\w+)?\s*/i, "").trim();
-        const lines = Number.parseInt(argument || "80", 10);
-        const logTail = await readLogTail(Number.isNaN(lines) ? 80 : lines);
-        const plain = `Connector log tail:\n\n${logTail || "(empty)"}`;
-        const html = `<b>Connector log tail:</b>\n\n<pre>${escapeHTML(logTail || "(empty)")}</pre>`;
+        const logRequest = parseLogsCommand(argument);
+        const logs = logRequest.target === "all"
+            ? [
+                { title: "Connector", tail: await readFormattedLogTail(logRequest.lines) },
+                { title: "Update", tail: await readFormattedLogTail(logRequest.lines, getUpdateLogPath()) },
+            ]
+            : [
+                {
+                    title: logRequest.target === "update" ? "Update" : "Connector",
+                    tail: await readFormattedLogTail(logRequest.lines, logRequest.target === "update" ? getUpdateLogPath() : undefined),
+                },
+            ];
+        const plain = logs.map(({ title, tail }) => renderLogTailPlain(title, tail)).join("\n\n");
+        const html = logs.map(({ title, tail }) => renderLogTailHTML(title, tail)).join("\n\n");
         await safeReply(ctx, html, { fallbackText: plain });
     });
     bot.command("restart", async (ctx) => {
@@ -1959,18 +2152,22 @@ export function createBot(config, registry) {
         }, 300);
     });
     bot.command("update", async (ctx) => {
-        const updateLog = spawnSelfUpdate();
+        const update = spawnSelfUpdate();
         const plain = [
             "Update started.",
-            "The connector will pull main, install dependencies, run check, tests, build, and restart only if all steps pass.",
-            `Log: ${updateLog}`,
-            "Use /logs after the restart or inspect update.log on the host.",
+            `Method: ${update.method}`,
+            update.summary,
+            `Source: ${update.sourceRoot}`,
+            `Log: ${update.logPath}`,
+            "Use /logs update after the restart or inspect update.log on the host.",
         ].join("\n");
         const html = [
             "<b>Update started.</b>",
-            "The connector will pull <code>main</code>, install dependencies, run check, tests, build, and restart only if all steps pass.",
-            `<b>Log:</b> <code>${escapeHTML(updateLog)}</code>`,
-            `Use <code>/logs</code> after the restart or inspect <code>${escapeHTML(getUpdateLogPath())}</code> on the host.`,
+            `<b>Method:</b> <code>${escapeHTML(update.method)}</code>`,
+            escapeHTML(update.summary),
+            `<b>Source:</b> <code>${escapeHTML(update.sourceRoot)}</code>`,
+            `<b>Log:</b> <code>${escapeHTML(update.logPath)}</code>`,
+            `Use <code>/logs update</code> after the restart or inspect <code>${escapeHTML(getUpdateLogPath())}</code> on the host.`,
         ].join("\n");
         await safeReply(ctx, html, { fallbackText: plain });
     });
@@ -2085,6 +2282,39 @@ export function createBot(config, registry) {
         const { contextKey, session } = contextSession;
         const rawText = ctx.message?.text ?? "";
         const argument = rawText.replace(/^\/queue(?:@\w+)?\s*/i, "").trim();
+        const laterMatch = argument.match(/^later\s+(\d+)(?:m|min|minutes?)?\s+([\s\S]+)$/i);
+        if (laterMatch) {
+            const minutes = Math.min(7 * 24 * 60, Math.max(1, Number(laterMatch[1])));
+            const text = laterMatch[2].trim();
+            const notBefore = Date.now() + minutes * 60 * 1000;
+            const item = promptStore.enqueue(contextKey, toPromptEnvelope(text), { notBefore });
+            const message = `Queued prompt ${item.id} for ${formatLocalDateTime(new Date(notBefore))}.`;
+            await safeReply(ctx, escapeHTML(message), {
+                fallbackText: message,
+                replyMarkup: createQueuedPromptCancelKeyboard(contextKey, item.id),
+            });
+            auditContext(ctx, contextKey, session, {
+                action: "prompt_queued",
+                status: "ok",
+                promptId: item.id,
+                description: item.description,
+                detail: "scheduled",
+            });
+            return;
+        }
+        const inspectMatch = argument.match(/^inspect\s+([a-z0-9]+)$/i);
+        if (inspectMatch) {
+            const item = promptStore.get(contextKey, inspectMatch[1]);
+            if (!item) {
+                await safeReply(ctx, escapeHTML(`No queued prompt found with id ${inspectMatch[1]}.`), {
+                    fallbackText: `No queued prompt found with id ${inspectMatch[1]}.`,
+                });
+                return;
+            }
+            const rendered = renderQueuedPromptDetail(item);
+            await safeReply(ctx, rendered.html, { fallbackText: rendered.plain });
+            return;
+        }
         if (/^pause$/i.test(argument)) {
             promptStore.pause(contextKey);
             const message = `Queue paused. ${promptStore.list(contextKey).length} queued.`;
@@ -2151,8 +2381,8 @@ export function createBot(config, registry) {
             return;
         }
         if (argument) {
-            await safeReply(ctx, escapeHTML("Usage: /queue, /queue pause, /queue resume, /queue move <id> top|up|down, /queue run <id>"), {
-                fallbackText: "Usage: /queue, /queue pause, /queue resume, /queue move <id> top|up|down, /queue run <id>",
+            await safeReply(ctx, escapeHTML("Usage: /queue, /queue pause, /queue resume, /queue later <minutes> <prompt>, /queue inspect <id>, /queue move <id> top|up|down, /queue run <id>"), {
+                fallbackText: "Usage: /queue, /queue pause, /queue resume, /queue later <minutes> <prompt>, /queue inspect <id>, /queue move <id> top|up|down, /queue run <id>",
             });
             return;
         }
@@ -2218,6 +2448,34 @@ export function createBot(config, registry) {
         }
         if (argument) {
             const parts = argument.split(/\s+/).filter(Boolean);
+            if (parts[0]?.toLowerCase() === "delete" && parts[1]) {
+                const selected = reports.find((report) => report.turnId === parts[1] || report.turnId.startsWith(parts[1]));
+                if (!selected) {
+                    await safeReply(ctx, escapeHTML(`No artifact turn found for "${parts[1]}".`), {
+                        fallbackText: `No artifact turn found for "${parts[1]}".`,
+                    });
+                    return;
+                }
+                const removed = await removeArtifactTurn(workspace, selected.turnId);
+                const text = removed ? `Deleted artifact turn: ${selected.turnId}` : `Artifact turn not found: ${selected.turnId}`;
+                await safeReply(ctx, escapeHTML(text), { fallbackText: text });
+                return;
+            }
+            const filtered = filterArtifactReports(reports, argument);
+            if (filtered) {
+                if (filtered.length === 0) {
+                    await safeReply(ctx, escapeHTML(`No artifacts matched "${argument}".`), {
+                        fallbackText: `No artifacts matched "${argument}".`,
+                    });
+                    return;
+                }
+                const rendered = renderArtifactReports(filtered);
+                await safeReply(ctx, rendered.html, {
+                    fallbackText: rendered.plain,
+                    replyMarkup: buildArtifactActionsKeyboard(filtered),
+                });
+                return;
+            }
             const shouldZip = parts[0]?.toLowerCase() === "zip";
             const requestedTurn = shouldZip ? parts[1] : parts[0];
             const selected = !requestedTurn || requestedTurn.toLowerCase() === "latest"
@@ -3641,6 +3899,8 @@ export async function registerCommands(bot) {
     await bot.api.setMyCommands([
         { command: "start", description: "Welcome & status" },
         { command: "help", description: "Command reference" },
+        { command: "channels", description: "Messaging adapter status" },
+        { command: "agents", description: "Agent adapter status" },
         { command: "agent", description: "Select Codex or Pi" },
         { command: "new", description: "Start a new thread" },
         { command: "session", description: "Current thread details" },
@@ -3670,11 +3930,15 @@ export async function registerCommands(bot) {
         { command: "tasks", description: "Current turn progress" },
         { command: "progress", description: "Current turn progress" },
         { command: "activity", description: "Thread activity timeline" },
+        { command: "audit", description: "Admin: recent audit events" },
         { command: "status", description: "Connector runtime status" },
         { command: "health", description: "Connector health report" },
         { command: "version", description: "Connector version" },
         { command: "logs", description: "Admin: show connector logs" },
         { command: "diagnostics", description: "Admin: connector diagnostics" },
+        { command: "lock", description: "Lock session writes to you" },
+        { command: "unlock", description: "Release session write lock" },
+        { command: "locks", description: "List session write locks" },
         { command: "restart", description: "Admin: restart connector" },
         { command: "update", description: "Admin: update connector" },
         { command: "handback", description: "Hand session back to CLI" },
@@ -3688,11 +3952,210 @@ function renderArtifactReports(reports) {
         const skipped = report.skippedCount > 0 ? `, ${report.skippedCount} skipped` : "";
         return `${index + 1}. ${report.turnId} · ${formatRelativeTime(report.updatedAt)} · ${report.artifacts.length} file${report.artifacts.length === 1 ? "" : "s"} · ${size}${skipped}`;
     });
-    const usage = "Tap an action below, or use /artifacts latest, /artifacts zip latest, or /artifacts <turn-id>.";
+    const usage = "Tap an action below, or use /artifacts latest, /artifacts zip latest, /artifacts images, /artifacts docs, /artifacts search <text>, or /artifacts delete <turn-id>.";
     const plain = ["Recent artifacts:", ...lines, "", usage].join("\n");
     const html = ["<b>Recent artifacts:</b>", ...lines.map(escapeHTML), "", escapeHTML(usage)].join("\n");
     return { html, plain };
 }
+function renderVersionCheckPlain(check) {
+    const icon = versionStatusIcon(check);
+    const label = check.label === "NordRelay" ? "NordRelay" : `${check.label} version`;
+    return `${label}: ${icon} ${formatVersionCheckDetailPlain(check)}`;
+}
+function renderVersionCheckHTML(check) {
+    const icon = versionStatusIcon(check);
+    const label = check.label === "NordRelay" ? "NordRelay" : `${check.label} version`;
+    return `<b>${escapeHTML(label)}:</b> ${icon} ${formatVersionCheckDetailHTML(check)}`;
+}
+function formatCliPathPlain(label, cliPath, fallback) {
+    return cliPath ? `${label} path: ${cliPath}` : `${label}: ${fallback}`;
+}
+function formatCliPathHTML(label, cliPath, fallback) {
+    return cliPath
+        ? `<b>${escapeHTML(label)} path:</b> <code>${escapeHTML(cliPath)}</code>`
+        : `<b>${escapeHTML(label)}:</b> <code>${escapeHTML(fallback)}</code>`;
+}
+function formatVersionCheckDetailPlain(check) {
+    if (check.status === "not-installed") {
+        return "not installed";
+    }
+    if (check.status === "outdated") {
+        return `${check.installedLabel} (latest ${check.latestVersion ?? "unknown"})`;
+    }
+    if (check.status === "current") {
+        return `${check.installedLabel} (latest)`;
+    }
+    return `${check.installedLabel} (latest unknown${check.detail ? `: ${check.detail}` : ""})`;
+}
+function formatVersionCheckDetailHTML(check) {
+    if (check.status === "not-installed") {
+        return "<code>not installed</code>";
+    }
+    if (check.status === "outdated") {
+        return `<code>${escapeHTML(check.installedLabel)}</code> <i>(latest ${escapeHTML(check.latestVersion ?? "unknown")})</i>`;
+    }
+    if (check.status === "current") {
+        return `<code>${escapeHTML(check.installedLabel)}</code> <i>(latest)</i>`;
+    }
+    return `<code>${escapeHTML(check.installedLabel)}</code> <i>(latest unknown${check.detail ? `: ${escapeHTML(check.detail)}` : ""})</i>`;
+}
+function versionStatusIcon(check) {
+    return check.status === "current" ? "✅" : "⚠️";
+}
+function parseLogsCommand(argument) {
+    const tokens = argument.split(/\s+/).filter(Boolean);
+    let target = "connector";
+    let lines = 80;
+    for (const token of tokens) {
+        const normalized = token.toLowerCase();
+        if (normalized === "connector" || normalized === "main") {
+            target = "connector";
+            continue;
+        }
+        if (normalized === "update" || normalized === "updates") {
+            target = "update";
+            continue;
+        }
+        if (normalized === "all") {
+            target = "all";
+            continue;
+        }
+        const parsedLines = Number.parseInt(token, 10);
+        if (!Number.isNaN(parsedLines)) {
+            lines = parsedLines;
+        }
+    }
+    return { target, lines };
+}
+function renderLogTailPlain(title, tail) {
+    return [
+        `${title} log tail`,
+        `File: ${tail.filePath}`,
+        `Updated: ${tail.updatedAt ? formatLogDate(tail.updatedAt) : "-"}`,
+        `Lines: ${tail.lineCount}/${tail.requestedLines}`,
+        "",
+        tail.plain || "(empty)",
+    ].join("\n");
+}
+function renderLogTailHTML(title, tail) {
+    const body = tail.plain
+        ? tail.plain.split("\n").map(renderLogLineHTML).join("\n")
+        : "<code>(empty)</code>";
+    return [
+        `<b>${escapeHTML(title)} log tail</b>`,
+        `<b>File:</b> <code>${escapeHTML(tail.filePath)}</code>`,
+        `<b>Updated:</b> <code>${escapeHTML(tail.updatedAt ? formatLogDate(tail.updatedAt) : "-")}</code>`,
+        `<b>Lines:</b> <code>${tail.lineCount}/${tail.requestedLines}</code>`,
+        "",
+        body,
+    ].join("\n");
+}
+function formatLogDate(date) {
+    return [
+        `${date.getFullYear()}-${pad2(date.getMonth() + 1)}-${pad2(date.getDate())}`,
+        `${pad2(date.getHours())}:${pad2(date.getMinutes())}:${pad2(date.getSeconds())}`,
+    ].join(" ");
+}
+function renderLogLineHTML(line) {
+    const structured = line.match(/^(?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|unknown time\s*)\s+(?<level>INFO|WARN|ERROR)\s+(?<message>.*)$/);
+    if (structured?.groups) {
+        const level = structured.groups.level;
+        const levelHtml = level === "INFO" ? escapeHTML(level) : `<b>${escapeHTML(level)}</b>`;
+        return [
+            `<code>${escapeHTML(structured.groups.timestamp.trim())}</code>`,
+            levelHtml,
+            escapeHTML(structured.groups.message),
+        ].join(" ");
+    }
+    return escapeHTML(line);
+}
+function renderAuditEvents(events) {
+    if (events.length === 0) {
+        return {
+            plain: "Audit log is empty.",
+            html: escapeHTML("Audit log is empty."),
+        };
+    }
+    const lines = events.map((event) => {
+        const time = formatLocalDateTime(new Date(event.timestamp));
+        const actor = event.actorId ? `user ${event.actorId}` : "system";
+        const prompt = event.promptId ? ` · ${event.promptId}` : "";
+        const detail = event.detail ? ` · ${trimLine(event.detail, 90)}` : "";
+        const description = event.description ? ` · ${trimLine(event.description, 90)}` : "";
+        return `${time} · ${event.status.toUpperCase()} · ${event.action} · ${actor}${prompt}${description}${detail}`;
+    });
+    return {
+        plain: ["Audit:", ...lines].join("\n"),
+        html: [
+            "<b>Audit:</b>",
+            ...lines.map((line) => escapeHTML(line)),
+        ].join("\n"),
+    };
+}
+function renderSessionLocks(locks) {
+    if (locks.length === 0) {
+        return {
+            plain: "No active session locks.",
+            html: escapeHTML("No active session locks."),
+        };
+    }
+    const lines = locks.map((lock) => {
+        const expires = lock.expiresAt ? ` · expires ${formatLocalDateTime(new Date(lock.expiresAt))}` : "";
+        return `${lock.contextKey} · ${formatLockOwner(lock)}${expires}`;
+    });
+    return {
+        plain: ["Session locks:", ...lines].join("\n"),
+        html: ["<b>Session locks:</b>", ...lines.map((line) => escapeHTML(line))].join("\n"),
+    };
+}
+function renderQueuedPromptDetail(item) {
+    const lines = [
+        "Queued prompt:",
+        `ID: ${item.id}`,
+        `Created: ${formatLocalDateTime(new Date(item.createdAt))}`,
+        item.notBefore ? `Scheduled: ${formatLocalDateTime(new Date(item.notBefore))}` : undefined,
+        `Attempts: ${item.attempts ?? 0}`,
+        item.lastError ? `Last error: ${item.lastError}` : undefined,
+        `Description: ${item.description}`,
+    ].filter((line) => Boolean(line));
+    return {
+        plain: lines.join("\n"),
+        html: [
+            "<b>Queued prompt:</b>",
+            `<b>ID:</b> <code>${escapeHTML(item.id)}</code>`,
+            `<b>Created:</b> <code>${escapeHTML(formatLocalDateTime(new Date(item.createdAt)))}</code>`,
+            item.notBefore ? `<b>Scheduled:</b> <code>${escapeHTML(formatLocalDateTime(new Date(item.notBefore)))}</code>` : undefined,
+            `<b>Attempts:</b> <code>${item.attempts ?? 0}</code>`,
+            item.lastError ? `<b>Last error:</b> ${escapeHTML(item.lastError)}` : undefined,
+            `<b>Description:</b> ${escapeHTML(item.description)}`,
+        ].filter((line) => Boolean(line)).join("\n"),
+    };
+}
+function formatLockOwner(lock) {
+    if (!lock) {
+        return "nobody";
+    }
+    return lock.ownerName ? `${lock.ownerName} (${lock.ownerId})` : `user ${lock.ownerId}`;
+}
+function formatTelegramName(ctx) {
+    const firstName = ctx.from?.first_name?.trim();
+    const lastName = ctx.from?.last_name?.trim();
+    const username = ctx.from?.username?.trim();
+    const fullName = [firstName, lastName].filter(Boolean).join(" ").trim();
+    return fullName || (username ? `@${username}` : undefined);
+}
+function formatLocalDateTime(date) {
+    if (Number.isNaN(date.getTime())) {
+        return "-";
+    }
+    return [
+        `${date.getFullYear()}-${pad2(date.getMonth() + 1)}-${pad2(date.getDate())}`,
+        `${pad2(date.getHours())}:${pad2(date.getMinutes())}:${pad2(date.getSeconds())}`,
+    ].join(" ");
+}
+function pad2(value) {
+    return String(value).padStart(2, "0");
+}
 function buildArtifactActionsKeyboard(reports) {
     const keyboard = new InlineKeyboard();
     for (const [index, report] of reports.slice(0, 5).entries()) {
@@ -3705,6 +4168,35 @@ function buildArtifactActionsKeyboard(reports) {
     }
     return keyboard;
 }
+function filterArtifactReports(reports, argument) {
+    const normalized = argument.trim().toLowerCase();
+    if (!normalized) {
+        return null;
+    }
+    let predicate = null;
+    if (normalized === "images" || normalized === "image" || normalized === "photos") {
+        predicate = (artifact) => isTelegramImagePreview(artifact);
+    }
+    else if (normalized === "docs" || normalized === "documents" || normalized === "files") {
+        predicate = (artifact) => !isTelegramImagePreview(artifact);
+    }
+    else if (normalized.startsWith("search ")) {
+        const query = normalized.slice("search ".length).trim();
+        if (!query) {
+            return [];
+        }
+        predicate = (artifact) => artifact.name.toLowerCase().includes(query);
+    }
+    if (!predicate) {
+        return null;
+    }
+    return reports
+        .map((report) => ({
+        ...report,
+        artifacts: report.artifacts.filter(predicate),
+    }))
+        .filter((report) => report.artifacts.length > 0);
+}
 function renderProgressPlain(progress, queueLength, busyState, info) {
     const busyFlags = formatBusyFlags(busyState);
     if (!progress) {
@@ -3966,6 +4458,8 @@ function renderDiagnosticsPlain(config, registry, health, authenticated, role, q
         `PID: ${health.state.pid ?? "-"} (${health.pidRunning ? "running" : "not running"})`,
         `App PID: ${health.state.appPid ?? "-"} (${health.appPidRunning ? "running" : "not running"})`,
         `Workspace: ${config.workspace}`,
+        `State backend: ${config.stateBackend}`,
+        `Telegram transport: ${config.telegramTransport}`,
         `Codex CLI: ${health.codexCli}`,
         `Pi CLI: ${health.piCli}`,
         `Enabled agents/default: ${enabledAgents(config).join(", ")} / ${config.defaultAgent}`,
@@ -3986,6 +4480,8 @@ function renderDiagnosticsPlain(config, registry, health, authenticated, role, q
         `Artifact retention: ${config.artifactRetentionDays}d / ${config.artifactMaxTurnDirs} turns / ${config.artifactMaxInboxDirs} inbox dirs`,
         `Workspace allowed/warn roots: ${config.workspaceAllowedRoots.length}/${config.workspaceWarnRoots.length}`,
         `Allowed users/chats/admins/readonly: ${config.telegramAllowedUserIds.length}/${config.telegramAllowedChatIds.length}/${config.telegramAdminUserIds.length}/${config.telegramReadOnlyUserIds.length}`,
+        `Session lock TTL: ${config.sessionLockTtlMs} ms`,
+        `Audit max events: ${config.auditMaxEvents}`,
         `Loaded sessions: ${contexts.length}`,
         `Current queue: ${queueLength}`,
         `Current progress: ${progress?.status ?? "idle"}`,
@@ -4002,6 +4498,8 @@ function renderDiagnosticsHTML(config, registry, health, authenticated, role, qu
         `<b>PID:</b> <code>${escapeHTML(String(health.state.pid ?? "-"))} (${health.pidRunning ? "running" : "not running"})</code>`,
         `<b>App PID:</b> <code>${escapeHTML(String(health.state.appPid ?? "-"))} (${health.appPidRunning ? "running" : "not running"})</code>`,
         `<b>Workspace:</b> <code>${escapeHTML(config.workspace)}</code>`,
+        `<b>State backend:</b> <code>${escapeHTML(config.stateBackend)}</code>`,
+        `<b>Telegram transport:</b> <code>${escapeHTML(config.telegramTransport)}</code>`,
         `<b>Codex CLI:</b> <code>${escapeHTML(health.codexCli)}</code>`,
         `<b>Pi CLI:</b> <code>${escapeHTML(health.piCli)}</code>`,
         `<b>Enabled agents/default:</b> <code>${escapeHTML(`${enabledAgents(config).join(", ")} / ${config.defaultAgent}`)}</code>`,
@@ -4022,6 +4520,8 @@ function renderDiagnosticsHTML(config, registry, health, authenticated, role, qu
         `<b>Artifact retention:</b> <code>${config.artifactRetentionDays}d / ${config.artifactMaxTurnDirs} turns / ${config.artifactMaxInboxDirs} inbox dirs</code>`,
         `<b>Workspace allowed/warn roots:</b> <code>${config.workspaceAllowedRoots.length}/${config.workspaceWarnRoots.length}</code>`,
         `<b>Allowed users/chats/admins/readonly:</b> <code>${config.telegramAllowedUserIds.length}/${config.telegramAllowedChatIds.length}/${config.telegramAdminUserIds.length}/${config.telegramReadOnlyUserIds.length}</code>`,
+        `<b>Session lock TTL:</b> <code>${config.sessionLockTtlMs} ms</code>`,
+        `<b>Audit max events:</b> <code>${config.auditMaxEvents}</code>`,
         `<b>Loaded sessions:</b> <code>${contexts.length}</code>`,
         `<b>Current queue:</b> <code>${queueLength}</code>`,
         `<b>Current progress:</b> <code>${escapeHTML(progress?.status ?? "idle")}</code>`,