@openape/ape-agent 2.9.2 → 2.11.0

package/dist/bridge.mjs

@@ -33,15 +33,15 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 
 // ../../packages/apes/dist/chunk-OBF7IMQ2.js
-import { homedir as homedir3 } from "os";
-import { join as join3 } from "path";
-var CONFIG_DIR, AUTH_FILE, CONFIG_FILE;
+import { homedir as homedir4 } from "os";
+import { join as join4 } from "path";
+var CONFIG_DIR2, AUTH_FILE, CONFIG_FILE;
 var init_chunk_OBF7IMQ2 = __esm({
   "../../packages/apes/dist/chunk-OBF7IMQ2.js"() {
     "use strict";
-    CONFIG_DIR = join3(homedir3(), ".config", "apes");
-    AUTH_FILE = join3(CONFIG_DIR, "auth.json");
-    CONFIG_FILE = join3(CONFIG_DIR, "config.toml");
+    CONFIG_DIR2 = join4(homedir4(), ".config", "apes");
+    AUTH_FILE = join4(CONFIG_DIR2, "auth.json");
+    CONFIG_FILE = join4(CONFIG_DIR2, "config.toml");
   }
 });
 
@@ -117,9 +117,9 @@ function requirePicocolors() {
   hasRequiredPicocolors = 1;
   let p = process || {}, argv2 = p.argv || [], env2 = p.env || {};
   let isColorSupported2 = !(!!env2.NO_COLOR || argv2.includes("--no-color")) && (!!env2.FORCE_COLOR || argv2.includes("--color") || p.platform === "win32" || (p.stdout || {}).isTTY && env2.TERM !== "dumb" || !!env2.CI);
-  let formatter = (open, close, replace = open) => (input) => {
-    let string = "" + input, index = string.indexOf(close, open.length);
-    return ~index ? open + replaceClose2(string, close, replace, index) + close : open + string + close;
+  let formatter = (open2, close, replace = open2) => (input) => {
+    let string = "" + input, index = string.indexOf(close, open2.length);
+    return ~index ? open2 + replaceClose2(string, close, replace, index) + close : open2 + string + close;
   };
   let replaceClose2 = (string, close, replace, index) => {
     let result = "", cursor = 0;
@@ -802,17 +802,58 @@ ${e.cyan(d)}
   }
 });
 
-// ../../node_modules/.pnpm/shell-quote@1.8.3/node_modules/shell-quote/quote.js
+// ../../node_modules/.pnpm/shell-quote@1.8.4/node_modules/shell-quote/quote.js
 var require_quote = __commonJS({
-  "../../node_modules/.pnpm/shell-quote@1.8.3/node_modules/shell-quote/quote.js"(exports, module) {
+  "../../node_modules/.pnpm/shell-quote@1.8.4/node_modules/shell-quote/quote.js"(exports, module) {
     "use strict";
+    var OPS = [
+      "||",
+      "&&",
+      ";;",
+      "|&",
+      "<(",
+      "<<<",
+      ">>",
+      ">&",
+      "<&",
+      "&",
+      ";",
+      "(",
+      ")",
+      "|",
+      "<",
+      ">"
+    ];
+    var LINE_TERMINATORS = /[\n\r\u2028\u2029]/;
+    var GLOB_SHELL_SPECIAL = /[\s#!"$&'():;<=>@\\^`|]/g;
     module.exports = function quote(xs) {
       return xs.map(function(s2) {
         if (s2 === "") {
           return "''";
         }
         if (s2 && typeof s2 === "object") {
-          return s2.op.replace(/(.)/g, "\\$1");
+          if (s2.op === "glob") {
+            if (typeof s2.pattern !== "string") {
+              throw new TypeError("glob token requires a string `pattern`");
+            }
+            if (LINE_TERMINATORS.test(s2.pattern)) {
+              throw new TypeError("glob `pattern` must not contain line terminators");
+            }
+            return s2.pattern.replace(GLOB_SHELL_SPECIAL, "\\$&");
+          }
+          if (typeof s2.op === "string") {
+            if (OPS.indexOf(s2.op) < 0) {
+              throw new TypeError("invalid `op` value: " + JSON.stringify(s2.op));
+            }
+            return s2.op.replace(/[\s\S]/g, "\\$&");
+          }
+          if (typeof s2.comment === "string") {
+            if (LINE_TERMINATORS.test(s2.comment)) {
+              throw new TypeError("`comment` must not contain line terminators");
+            }
+            return "#" + s2.comment;
+          }
+          throw new TypeError("unrecognized object token shape");
         }
         if (/["\s\\]/.test(s2) && !/'/.test(s2)) {
           return "'" + s2.replace(/(['])/g, "\\$1") + "'";
@@ -826,9 +867,9 @@ var require_quote = __commonJS({
   }
 });
 
-// ../../node_modules/.pnpm/shell-quote@1.8.3/node_modules/shell-quote/parse.js
+// ../../node_modules/.pnpm/shell-quote@1.8.4/node_modules/shell-quote/parse.js
 var require_parse = __commonJS({
-  "../../node_modules/.pnpm/shell-quote@1.8.3/node_modules/shell-quote/parse.js"(exports, module) {
+  "../../node_modules/.pnpm/shell-quote@1.8.4/node_modules/shell-quote/parse.js"(exports, module) {
     "use strict";
     var CONTROL = "(?:" + [
       "\\|\\|",
@@ -1023,9 +1064,9 @@ var require_parse = __commonJS({
   }
 });
 
-// ../../node_modules/.pnpm/shell-quote@1.8.3/node_modules/shell-quote/index.js
+// ../../node_modules/.pnpm/shell-quote@1.8.4/node_modules/shell-quote/index.js
 var require_shell_quote = __commonJS({
-  "../../node_modules/.pnpm/shell-quote@1.8.3/node_modules/shell-quote/index.js"(exports) {
+  "../../node_modules/.pnpm/shell-quote@1.8.4/node_modules/shell-quote/index.js"(exports) {
     "use strict";
     exports.quote = require_quote();
     exports.parse = require_parse();
@@ -1033,9 +1074,9 @@ var require_shell_quote = __commonJS({
 });
 
 // src/bridge.ts
-import { existsSync as existsSync6, readFileSync as readFileSync8 } from "fs";
-import { homedir as homedir9 } from "os";
-import { join as join8 } from "path";
+import { existsSync as existsSync7, mkdirSync as mkdirSync5, readFileSync as readFileSync9, writeFileSync as writeFileSync5 } from "fs";
+import { homedir as homedir10 } from "os";
+import { dirname as dirname4, join as join10 } from "path";
 import process3 from "process";
 
 // ../../packages/cli-auth/dist/index.js
@@ -1054,22 +1095,33 @@ import { Buffer as Buffer3 } from "buffer";
 import { createPrivateKey } from "crypto";
 import { ofetch as ofetch4 } from "ofetch";
 import { ofetch as ofetch5 } from "ofetch";
-function getConfigDir() {
+function getConfigDir(authHome) {
+  if (authHome) return join(authHome, ".config", "apes");
   const override = process.env.OPENAPE_CLI_AUTH_HOME;
   if (override) return override;
   return join(homedir(), ".config", "apes");
 }
-function getAuthFile() {
-  return join(getConfigDir(), "auth.json");
+function getAuthFile(authHome) {
+  return join(getConfigDir(authHome), "auth.json");
+}
+function getSpTokensDir() {
+  return join(getConfigDir(), "sp-tokens");
+}
+function ensureConfigDir(authHome) {
+  const dir = getConfigDir(authHome);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 448 });
+  }
 }
-function ensureConfigDir() {
-  const dir = getConfigDir();
+function ensureSpTokensDir() {
+  ensureConfigDir();
+  const dir = getSpTokensDir();
   if (!existsSync(dir)) {
     mkdirSync(dir, { recursive: true, mode: 448 });
   }
 }
-function loadIdpAuth() {
-  const file = getAuthFile();
+function loadIdpAuth(authHome) {
+  const file = getAuthFile(authHome);
   if (!existsSync(file)) return null;
   try {
     const raw = readFileSync(file, "utf-8");
@@ -1079,9 +1131,9 @@ function loadIdpAuth() {
     return null;
   }
 }
-function saveIdpAuth(auth) {
-  ensureConfigDir();
-  const file = getAuthFile();
+function saveIdpAuth(auth, authHome) {
+  ensureConfigDir(authHome);
+  const file = getAuthFile(authHome);
   let extra = {};
   if (existsSync(file)) {
     try {
@@ -1101,6 +1153,27 @@ function saveIdpAuth(auth) {
   const merged = { ...extra, ...auth };
   writeFileSync(file, JSON.stringify(merged, null, 2), { mode: 384 });
 }
+function audToFilename(aud) {
+  return aud.replace(/[^\w.-]/g, "_");
+}
+function spTokenPath(aud) {
+  return join(getSpTokensDir(), `${audToFilename(aud)}.json`);
+}
+function loadSpToken(aud) {
+  const path = spTokenPath(aud);
+  if (!existsSync(path)) return null;
+  try {
+    const raw = readFileSync(path, "utf-8");
+    if (!raw.trim()) return null;
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function saveSpToken(token) {
+  ensureSpTokensDir();
+  writeFileSync(spTokenPath(token.aud), JSON.stringify(token, null, 2), { mode: 384 });
+}
 var AuthError = class extends Error {
   status;
   hint;
@@ -1122,6 +1195,39 @@ var NotLoggedInError = class extends AuthError {
     this.name = "NotLoggedInError";
   }
 };
+async function exchangeForSpToken(idpAuth, request, now = Math.floor(Date.now() / 1e3)) {
+  const url = `${request.endpoint.replace(/\/$/, "")}/api/cli/exchange`;
+  let response;
+  try {
+    response = await ofetch(url, {
+      method: "POST",
+      body: {
+        subject_token: idpAuth.access_token,
+        ...request.scopes ? { scopes: request.scopes } : {}
+      }
+    });
+  } catch (err) {
+    const status = err.status ?? err.statusCode ?? 0;
+    const data = err.data;
+    const title = data?.title ?? `Token exchange failed (HTTP ${status})`;
+    const hint = status === 401 ? `IdP token rejected at ${url}. Try \`apes login\` again \u2014 token may be expired or audience-mismatched.` : data?.detail;
+    throw new AuthError(status, title, hint);
+  }
+  if (!response.access_token) {
+    throw new AuthError(0, `Exchange response from ${url} missing access_token`);
+  }
+  const expiresAt = response.expires_at ?? (response.expires_in ? now + response.expires_in : now + 3600);
+  const token = {
+    endpoint: request.endpoint,
+    aud: response.aud ?? request.aud,
+    access_token: response.access_token,
+    expires_at: expiresAt,
+    ...request.scopes ? { scopes: request.scopes } : {},
+    issued_from_idp_iat: now
+  };
+  saveSpToken(token);
+  return token;
+}
 var OPENSSH_MAGIC = "openssh-key-v1\0";
 function loadEd25519PrivateKey(pem) {
   if (pem.includes("BEGIN OPENSSH PRIVATE KEY")) {
@@ -1277,8 +1383,8 @@ async function getTokenEndpoint(idp) {
   }
   return `${idp}/token`;
 }
-async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3)) {
-  const auth = loadIdpAuth();
+async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3), authHome) {
+  const auth = loadIdpAuth(authHome);
   if (!auth) {
     throw new NotLoggedInError();
   }
@@ -1288,7 +1394,7 @@ async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3)) {
   if (!auth.refresh_token) {
     const refreshed = await refreshAgentToken(auth, now);
     if (refreshed) {
-      saveIdpAuth(refreshed);
+      saveIdpAuth(refreshed, authHome);
       return refreshed;
     }
     throw new NotLoggedInError(
@@ -1310,7 +1416,7 @@ async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3)) {
   } catch (err) {
     const status = err.status ?? err.statusCode ?? 0;
     if (status === 400 || status === 401) {
-      saveIdpAuth({ ...auth, refresh_token: void 0 });
+      saveIdpAuth({ ...auth, refresh_token: void 0 }, authHome);
       throw new NotLoggedInError(
         `Refresh token rejected by ${auth.idp}. Run \`apes login\` again.`
       );
@@ -1330,9 +1436,26 @@ async function ensureFreshIdpAuth(now = Math.floor(Date.now() / 1e3)) {
     refresh_token: response.refresh_token ?? auth.refresh_token,
     expires_at: now + (response.expires_in ?? 3600)
   };
-  saveIdpAuth(next);
+  saveIdpAuth(next, authHome);
   return next;
 }
+var SP_TOKEN_SKEW_SECONDS = 60;
+async function getAuthorizedBearer(opts) {
+  const now = Math.floor(Date.now() / 1e3);
+  if (!opts.forceRefresh) {
+    const cached = loadSpToken(opts.aud);
+    if (cached && cached.expires_at > now + SP_TOKEN_SKEW_SECONDS) {
+      return `Bearer ${cached.access_token}`;
+    }
+  }
+  const idpAuth = await ensureFreshIdpAuth(now);
+  const sp = await exchangeForSpToken(idpAuth, {
+    endpoint: opts.endpoint,
+    aud: opts.aud,
+    ...opts.scopes ? { scopes: opts.scopes } : {}
+  }, now);
+  return `Bearer ${sp.access_token}`;
+}
 
 // ../../packages/prompt-injection-detector/dist/index.js
 var DEFAULT_THRESHOLD = 0.7;
@@ -1398,152 +1521,69 @@ function createHeuristicDetector() {
 import { decodeJwt } from "jose";
 import WebSocket from "ws";
 
-// src/troop-chat-api.ts
-import { ofetch as ofetch6 } from "ofetch";
-var MAX_BODY = 64 * 1024;
-var SYNTHETIC_THREAD_ID = "main";
-function asHistory(msg, agentEmail, ownerEmail) {
-  return {
-    id: msg.id,
-    roomId: msg.chatId,
-    threadId: SYNTHETIC_THREAD_ID,
-    senderEmail: msg.role === "agent" ? agentEmail : ownerEmail,
-    senderAct: msg.role,
-    body: msg.body,
-    replyTo: msg.replyTo,
-    createdAt: msg.createdAt
-  };
-}
-function asPosted(msg) {
-  return {
-    id: msg.id,
-    roomId: msg.chatId,
-    threadId: SYNTHETIC_THREAD_ID,
-    body: msg.body,
-    createdAt: msg.createdAt
-  };
-}
-var TroopChatApi = class {
-  constructor(endpoint, bearer) {
-    this.endpoint = endpoint;
-    this.bearer = bearer;
-  }
-  endpoint;
-  bearer;
-  bootstrap = null;
-  /** Resolve + cache the agent's chat row (lazy fetch on first use). */
-  async getBootstrap() {
-    if (this.bootstrap) return this.bootstrap;
-    this.bootstrap = await ofetch6(`${this.endpoint}/api/agents/me/chat`, {
-      method: "GET",
-      headers: { Authorization: await this.bearer() }
-    });
-    return this.bootstrap;
-  }
-  /** chat.id + (lazy-fetched) ownerEmail for the bridge's frame-translation path. */
-  async getChatContext() {
-    const b2 = await this.getBootstrap();
-    return { chatId: b2.chat.id, ownerEmail: b2.chat.ownerEmail, agentEmail: b2.chat.agentEmail };
-  }
-  async postMessage(roomId, body, opts = {}) {
-    void roomId;
-    void opts.threadId;
-    const payload = {
-      body: body.length > MAX_BODY ? `${body.slice(0, MAX_BODY - 1)}\u2026` : body
-    };
-    if (opts.replyTo) payload.reply_to = opts.replyTo;
-    if (opts.streaming) payload.streaming = true;
-    const msg = await ofetch6(`${this.endpoint}/api/agents/me/chat/messages`, {
-      method: "POST",
-      headers: { Authorization: await this.bearer() },
-      body: payload
-    });
-    return asPosted(msg);
-  }
-  async listMessages(roomId, threadId, limit = 50) {
-    void roomId;
-    void threadId;
-    void limit;
-    const fresh = await ofetch6(`${this.endpoint}/api/agents/me/chat`, {
-      method: "GET",
-      headers: { Authorization: await this.bearer() }
-    });
-    this.bootstrap = fresh;
-    return fresh.messages.map((m2) => asHistory(m2, fresh.chat.agentEmail, fresh.chat.ownerEmail));
-  }
-  async patchMessage(messageId, opts = {}) {
-    const payload = {};
-    if (opts.body !== void 0) {
-      payload.body = opts.body.length > MAX_BODY ? `${opts.body.slice(0, MAX_BODY - 1)}\u2026` : opts.body;
-    }
-    if (opts.streaming !== void 0) payload.streaming = opts.streaming;
-    if (opts.streamingStatus !== void 0) payload.streaming_status = opts.streamingStatus;
-    if (Object.keys(payload).length === 0) return;
-    await ofetch6(`${this.endpoint}/api/agents/me/chat/messages/${encodeURIComponent(messageId)}`, {
-      method: "PATCH",
-      headers: { Authorization: await this.bearer() },
-      body: payload
-    });
-  }
-  /**
-   * Troop's chat doesn't have contacts — synthesize a single
-   *  always-connected entry pointing at the owner so the bridge's
-   *  initial-contact + allowlist flows are no-ops.
-   */
-  async listContacts() {
-    const b2 = await this.getBootstrap();
-    return [{
-      peerEmail: b2.chat.ownerEmail,
-      myStatus: "accepted",
-      theirStatus: "accepted",
-      connected: true,
-      roomId: b2.chat.id
-    }];
-  }
-  async requestContact(peerEmail) {
-    void peerEmail;
-    return (await this.listContacts())[0];
-  }
-  async acceptContact(peerEmail) {
-    void peerEmail;
-    return (await this.listContacts())[0];
-  }
-  /**
-   * Troop has no threads — return a synthetic one. The bridge's
-   *  cron-runner falls back to the main thread on createThread
-   *  failure already, so a stable "main" stand-in is the right shape.
-   */
-  async createThread(roomId, name) {
-    void roomId;
-    return { id: SYNTHETIC_THREAD_ID, name: name.slice(0, 100) };
-  }
-};
-
-// src/cron-runner.ts
-import { existsSync as existsSync3, mkdirSync as mkdirSync3, readdirSync as readdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "fs";
-import { homedir as homedir6 } from "os";
-import { join as join4 } from "path";
-
-// ../../packages/apes/dist/chunk-BA2V3BBO.js
-init_chunk_OBF7IMQ2();
-
-// ../../node_modules/.pnpm/citty@0.2.2/node_modules/citty/dist/index.mjs
-import { parseArgs as parseArgs$1 } from "util";
-function defineCommand(def) {
-  return def;
-}
-
-// ../../packages/shapes/dist/index.js
-import { createHash } from "crypto";
-import { existsSync as existsSync22, readdirSync as readdirSync2, readFileSync as readFileSync3 } from "fs";
-import { homedir as homedir22 } from "os";
-import { basename, join as join22 } from "path";
+// ../../packages/apes/dist/chunk-3LH4FT4R.js
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readdirSync as readdirSync2, readFileSync as readFileSync3, statSync, watch, writeFileSync as writeFileSync2 } from "fs";
+import { homedir as homedir3 } from "os";
+import { dirname, join as join3 } from "path";
 
 // ../../packages/core/dist/index.js
 import * as jose from "jose";
+import {
+  createCipheriv,
+  createDecipheriv,
+  createPrivateKey as createPrivateKey2,
+  createPublicKey,
+  diffieHellman,
+  generateKeyPairSync,
+  hkdfSync,
+  randomBytes
+} from "crypto";
 import { lookup } from "dns/promises";
 import { isIP } from "net";
 var HKDF_INFO = new TextEncoder().encode("openape-sealed-box-v1");
+var IV_LEN = 12;
+var TAG_LEN = 16;
+var RAW_KEY_LEN = 32;
+function b64u(data) {
+  return Buffer.from(data).toString("base64url");
+}
+function unb64u(s2) {
+  return Buffer.from(s2, "base64url");
+}
+function rawPub(key) {
+  const pub = key.type === "private" ? createPublicKey(key) : key;
+  const jwk = pub.export({ format: "jwk" });
+  return unb64u(jwk.x);
+}
+function ephPublicFromRaw(raw) {
+  return createPublicKey({
+    key: { kty: "OKP", crv: "X25519", x: b64u(raw) },
+    format: "jwk"
+  });
+}
+function deriveKey(shared, ephPubRaw, recipPubRaw) {
+  const salt = Buffer.concat([ephPubRaw, recipPubRaw]);
+  return Buffer.from(hkdfSync("sha256", shared, salt, HKDF_INFO, 32));
+}
+function open(box2, recipientPrivateKey) {
+  if (box2.v !== 1) throw new Error(`unsupported sealed-box version: ${box2.v}`);
+  const epkRaw = unb64u(box2.epk);
+  if (epkRaw.length !== RAW_KEY_LEN) throw new Error("invalid ephemeral public key length");
+  const iv = unb64u(box2.iv);
+  if (iv.length !== IV_LEN) throw new Error("invalid IV length");
+  const tag = unb64u(box2.tag);
+  if (tag.length !== TAG_LEN) throw new Error("invalid auth tag length");
+  const recipPriv = createPrivateKey2({ key: unb64u(recipientPrivateKey), format: "der", type: "pkcs8" });
+  const ephPub = ephPublicFromRaw(epkRaw);
+  const shared = diffieHellman({ privateKey: recipPriv, publicKey: ephPub });
+  const key = deriveKey(shared, epkRaw, rawPub(recipPriv));
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(unb64u(box2.ct)), decipher.final()]);
+}
+function openString(box2, recipientPrivateKey) {
+  return Buffer.from(open(box2, recipientPrivateKey)).toString("utf8");
+}
 function isBlockedAddress(ip) {
   const fam = isIP(ip);
   if (fam === 4) {
@@ -1598,6 +1638,100 @@ async function assertPublicUrl(rawUrl, opts = {}) {
   return url;
 }
 
+// ../../packages/apes/dist/chunk-3LH4FT4R.js
+var CONFIG_DIR = join3(homedir3(), ".config", "openape");
+var SECRETS_DIR = join3(CONFIG_DIR, "secrets.d");
+var X25519_KEY_PATH = join3(CONFIG_DIR, "agent-x25519.key");
+var X25519_PUBKEY_PATH = `${X25519_KEY_PATH}.pub`;
+function envNameFromFile(file) {
+  if (!file.endsWith(".blob")) return null;
+  const env2 = file.slice(0, -".blob".length);
+  return /^[A-Z][A-Z0-9_]*$/.test(env2) ? env2 : null;
+}
+function readAgentEncryptionKey(keyPath = X25519_KEY_PATH) {
+  if (!existsSync3(keyPath)) return null;
+  const k2 = readFileSync3(keyPath, "utf8").trim();
+  return k2.length > 0 ? k2 : null;
+}
+function materializeSecrets(opts = {}) {
+  const dir = opts.dir ?? SECRETS_DIR;
+  const env2 = opts.env ?? process.env;
+  const log2 = opts.log ?? (() => {
+  });
+  const applied = [];
+  const failed = [];
+  const key = readAgentEncryptionKey(opts.keyPath);
+  const files = key && existsSync3(dir) ? readdirSync2(dir) : [];
+  for (const file of files) {
+    const name = envNameFromFile(file);
+    if (!name) continue;
+    try {
+      const box2 = JSON.parse(readFileSync3(join3(dir, file), "utf8"));
+      const plaintext = openString(box2, key);
+      const target = typeof box2.materializeTo === "string" ? box2.materializeTo : null;
+      if (target) {
+        const blobMtime = statSync(join3(dir, file)).mtimeMs;
+        if (!existsSync3(target) || statSync(target).mtimeMs < blobMtime) {
+          mkdirSync2(dirname(target), { recursive: true });
+          writeFileSync2(target, plaintext, { mode: 384 });
+        }
+      } else {
+        env2[name] = plaintext;
+      }
+      applied.push(name);
+    } catch (e2) {
+      failed.push(file);
+      log2(`secrets: failed to open ${file}: ${e2.message}`);
+    }
+  }
+  const live = new Set(applied);
+  for (const prev of opts.previouslyApplied ?? []) {
+    if (!live.has(prev)) {
+      delete env2[prev];
+      log2(`secrets: revoked ${prev}`);
+    }
+  }
+  return { applied, failed };
+}
+function startSecretsWatcher(opts = {}) {
+  const dir = opts.dir ?? SECRETS_DIR;
+  const log2 = opts.log ?? (() => {
+  });
+  let appliedNames = /* @__PURE__ */ new Set();
+  const run = () => {
+    const r3 = materializeSecrets({ ...opts, previouslyApplied: appliedNames });
+    appliedNames = new Set(r3.applied);
+  };
+  run();
+  if (!existsSync3(dir)) return () => {
+  };
+  let timer = null;
+  const watcher = watch(dir, () => {
+    if (timer) clearTimeout(timer);
+    timer = setTimeout(run, 150);
+  });
+  watcher.on("error", (err) => log2(`secrets: watcher error: ${err.message}`));
+  return () => {
+    if (timer) clearTimeout(timer);
+    watcher.close();
+  };
+}
+
+// ../../packages/apes/dist/chunk-BA2V3BBO.js
+init_chunk_OBF7IMQ2();
+
+// ../../node_modules/.pnpm/citty@0.2.2/node_modules/citty/dist/index.mjs
+import { parseArgs as parseArgs$1 } from "util";
+function defineCommand(def) {
+  return def;
+}
+
+// ../../packages/shapes/dist/index.js
+import { createHash } from "crypto";
+import { existsSync as existsSync22, readdirSync as readdirSync3, readFileSync as readFileSync4 } from "fs";
+import { homedir as homedir22 } from "os";
+import { basename, join as join22 } from "path";
+
 // ../../packages/grants/dist/index.js
 function normalizeSelector(selector) {
   if (!selector)
@@ -2366,20 +2500,20 @@ var isColorSupported = !isDisabled && (isForced || isWindows && !isDumbTerminal
 function replaceClose(index, string, close, replace, head = string.slice(0, Math.max(0, index)) + replace, tail = string.slice(Math.max(0, index + close.length)), next = tail.indexOf(close)) {
   return head + (next < 0 ? tail : replaceClose(next, tail, close, replace));
 }
-function clearBleed(index, string, open, close, replace) {
-  return index < 0 ? open + string + close : open + replaceClose(index, string, close, replace) + close;
+function clearBleed(index, string, open2, close, replace) {
+  return index < 0 ? open2 + string + close : open2 + replaceClose(index, string, close, replace) + close;
 }
-function filterEmpty(open, close, replace = open, at = open.length + 1) {
+function filterEmpty(open2, close, replace = open2, at = open2.length + 1) {
   return (string) => string || !(string === "" || string === void 0) ? clearBleed(
     ("" + string).indexOf(close, at),
     string,
-    open,
+    open2,
     close,
     replace
   ) : "";
 }
-function init(open, close, replace) {
-  return filterEmpty(`\x1B[${open}m`, `\x1B[${close}m`, replace);
+function init(open2, close, replace) {
+  return filterEmpty(`\x1B[${open2}m`, `\x1B[${close}m`, replace);
 }
 var colorDefs = {
   reset: init(0, 0),
@@ -2999,10 +3133,10 @@ function findByExecutable(executable) {
     if (!existsSync22(dir))
       continue;
     try {
-      const files = readdirSync2(dir).filter((f3) => f3.endsWith(".toml"));
+      const files = readdirSync3(dir).filter((f3) => f3.endsWith(".toml"));
       for (const file of files) {
         const path = join22(dir, file);
-        const content = readFileSync3(path, "utf-8");
+        const content = readFileSync4(path, "utf-8");
         const match = content.match(/^\s*executable\s*=\s*"([^"]+)"/m);
         if (match && match[1] === executable)
           return path;
@@ -3029,7 +3163,7 @@ function resolveAdapterPath(cliId, explicitPath) {
 }
 function loadAdapter(cliId, explicitPath) {
   const source = resolveAdapterPath(cliId, explicitPath);
-  const content = readFileSync3(source, "utf-8");
+  const content = readFileSync4(source, "utf-8");
   const adapter = parseAdapterToml(content);
   const idMatch = adapter.cli.id === cliId;
   const fileMatch = basename(source) === `${cliId}.toml`;
@@ -3130,7 +3264,7 @@ function extractOption(args, name) {
   return void 0;
 }
 
-// ../../packages/apes/dist/chunk-NYJSBFLG.js
+// ../../packages/apes/dist/chunk-MMBFV5WN.js
 init_chunk_OBF7IMQ2();
 var debug = process.argv.includes("--debug");
 
@@ -3139,13 +3273,16 @@ init_chunk_OBF7IMQ2();
 
 // ../../packages/agent-runtime/dist/index.js
 import { spawn } from "child_process";
-import { mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
-import { homedir as homedir4 } from "os";
-import { dirname, normalize, resolve } from "path";
+import { mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "fs";
+import { homedir as homedir6 } from "os";
+import { dirname as dirname2, normalize, resolve } from "path";
 import { homedir as homedir23 } from "os";
 import { resolve as resolve2 } from "path";
 import process2 from "process";
 import { execFileSync } from "child_process";
+import { readFileSync as readFileSync22 } from "fs";
+import { homedir as homedir32 } from "os";
+import { join as join6 } from "path";
 import { execFileSync as execFileSync2 } from "child_process";
 var DEFAULT_TIMEOUT_MS = 5 * 60 * 1e3;
 var MAX_STDIO_BYTES = 64 * 1024;
@@ -3156,13 +3293,14 @@ function capStdio(s2) {
   return `${buf.subarray(0, MAX_STDIO_BYTES).toString("utf8")}
 [truncated to ${MAX_STDIO_BYTES} bytes]`;
 }
-function runApeShell(cmd, timeoutMs = DEFAULT_TIMEOUT_MS) {
+function runApeShell(cmd, timeoutMs = DEFAULT_TIMEOUT_MS, cwd) {
   const bypass = process.env.OPENAPE_BYPASS_APE_SHELL === "1";
   const [execBin, execArgs] = bypass ? ["/bin/bash", ["-c", cmd]] : [BIN, ["-c", cmd]];
   return new Promise((resolveResult) => {
     const child = spawn(execBin, execArgs, {
       env: { ...process.env, APE_WAIT: "1" },
-      stdio: ["ignore", "pipe", "pipe"]
+      stdio: ["ignore", "pipe", "pipe"],
+      ...cwd ? { cwd } : {}
     });
     let stdout2 = "";
     let stderr = "";
@@ -3238,21 +3376,31 @@ var bashTools = [
   }
 ];
 var MAX_BYTES = 1024 * 1024;
-function jailPath(input) {
+var extraReadRoots = /* @__PURE__ */ new Set();
+function addReadRoot(absPath) {
+  if (typeof absPath === "string" && absPath.startsWith("/")) extraReadRoots.add(normalize(absPath));
+}
+function isUnder(candidate, root) {
+  return candidate === root || candidate.startsWith(`${root}/`);
+}
+function jailPath(input, opts = {}) {
   if (typeof input !== "string" || input === "") {
     throw new Error("path must be a non-empty string");
   }
-  const home = homedir4();
+  const home = homedir6();
   const candidate = input.startsWith("~/") ? resolve(home, input.slice(2)) : input.startsWith("/") ? normalize(input) : resolve(home, input);
-  if (candidate !== home && !candidate.startsWith(`${home}/`)) {
-    throw new Error(`path "${input}" resolves outside the agent's home`);
+  if (isUnder(candidate, home)) return candidate;
+  if (opts.allowReadRoots) {
+    for (const root of extraReadRoots) {
+      if (isUnder(candidate, root)) return candidate;
+    }
   }
-  return candidate;
+  throw new Error(`path "${input}" resolves outside the agent's home`);
 }
 var fileTools = [
   {
     name: "file.read",
-    description: "Read a UTF-8 file from the agent's home directory ($HOME). Capped at 1MB. Path traversal blocked.",
+    description: "Read a UTF-8 file from the agent's home directory ($HOME) or a bundled skill directory (e.g. a skill's SKILL.md). Capped at 1MB. Path traversal blocked.",
     parameters: {
       type: "object",
       properties: {
@@ -3262,8 +3410,8 @@ var fileTools = [
     },
     execute: async (args) => {
       const a2 = args;
-      const p = jailPath(a2.path);
-      const content = readFileSync4(p, "utf8");
+      const p = jailPath(a2.path, { allowReadRoots: true });
+      const content = readFileSync5(p, "utf8");
       if (Buffer.byteLength(content, "utf8") > MAX_BYTES) {
         return { path: p, truncated: true, content: content.slice(0, MAX_BYTES) };
       }
@@ -3288,8 +3436,8 @@ var fileTools = [
         throw new Error(`content exceeds ${MAX_BYTES} byte cap`);
       }
       const p = jailPath(a2.path);
-      mkdirSync2(dirname(p), { recursive: true });
-      writeFileSync2(p, a2.content, { encoding: "utf8" });
+      mkdirSync3(dirname2(p), { recursive: true });
+      writeFileSync3(p, a2.content, { encoding: "utf8" });
       return { path: p, bytes: Buffer.byteLength(a2.content, "utf8") };
     }
   },
@@ -3319,7 +3467,7 @@ var fileTools = [
       }
       const replaceAll = a2.replace_all === true;
       const p = jailPath(a2.path);
-      const before = readFileSync4(p, "utf8");
+      const before = readFileSync5(p, "utf8");
       const occurrences = before.split(a2.old_string).length - 1;
       if (occurrences === 0) {
         throw new Error("old_string not found in file");
@@ -3331,7 +3479,7 @@ var fileTools = [
       if (Buffer.byteLength(after, "utf8") > MAX_BYTES) {
         throw new Error(`result exceeds ${MAX_BYTES} byte cap`);
       }
-      writeFileSync2(p, after, { encoding: "utf8" });
+      writeFileSync3(p, after, { encoding: "utf8" });
       return { path: p, replacements: replaceAll ? occurrences : 1 };
     }
   }
@@ -3804,50 +3952,146 @@ var mailTools = [
     }
   }
 ];
-function ape(args) {
-  try {
-    return execFileSync2("ape-tasks", args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
-  } catch (err) {
-    const e2 = err;
-    const stderr = typeof e2.stderr === "string" ? e2.stderr : e2.stderr?.toString("utf8");
-    throw new Error(`ape-tasks failed: ${stderr ?? e2.message ?? err}`);
+function troopBase() {
+  return (process.env.OPENAPE_TROOP_URL ?? "https://troop.openape.ai").replace(/\/+$/, "");
+}
+function readAgentToken() {
+  const path = process.env.OPENAPE_CLI_AUTH_HOME ? join6(process.env.OPENAPE_CLI_AUTH_HOME, "auth.json") : join6(homedir32(), ".config", "apes", "auth.json");
+  const auth = JSON.parse(readFileSync22(path, "utf8"));
+  if (!auth.access_token) throw new Error(`no access_token in ${path}`);
+  return auth.access_token;
+}
+async function exchangeBearer(base, scope) {
+  const res = await fetch(`${base}/api/cli/exchange`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ subject_token: readAgentToken(), scopes: [scope] })
+  });
+  if (!res.ok) {
+    throw new Error(`token exchange ${res.status} \u2014 ${(await res.text().catch(() => "")).slice(0, 200)} (does this agent hold the ${scope} scope?)`);
   }
+  return (await res.json()).access_token;
 }
-var tasksTools = [
+var spawnTools = [
   {
-    name: "tasks.list",
-    description: "List the owner's open ape-tasks (the user's personal task list at tasks.openape.ai).",
+    name: "agent.spawn",
+    description: "Spawn a worker agent on the nest via troop, tiering its compute by task difficulty: pick `model` (gpt-5.4-mini | gpt-5.4 | gpt-5.5) and `reasoning_effort` (minimal | low | medium | high) \u2014 quick-win = cheap+low, research/architecture = gpt-5.5+high. Optionally attach a `recipe_ref` so the worker runs a known persona. Returns the spawn intent id. Use multiple calls to fan out several workers in parallel.",
     parameters: {
       type: "object",
       properties: {
-        status: { type: "string", enum: ["open", "doing", "done", "archived"] },
-        team_id: { type: "string" }
+        name: { type: "string", description: "unique worker name, /^[a-z][a-z0-9-]{0,23}$/" },
+        model: { type: "string", description: "gpt-5.4-mini | gpt-5.4 | gpt-5.5" },
+        reasoning_effort: { type: "string", description: "minimal | low | medium | high" },
+        recipe_ref: { type: "string", description: "optional recipe, e.g. github.com/openape-ai/agent-catalog/backend-engineer@v0.2.0" },
+        system_prompt: { type: "string", description: "optional system prompt / task brief" }
       },
-      required: []
+      required: ["name"]
     },
     execute: async (args) => {
-      const a2 = args ?? {};
-      const argv2 = ["list", "--json"];
-      if (a2.status) argv2.push("--status", a2.status);
-      if (a2.team_id) argv2.push("--team", a2.team_id);
-      const out = ape(argv2);
+      const a2 = args;
+      const base = troopBase();
+      let bearer;
       try {
-        return JSON.parse(out);
-      } catch {
-        return { raw: out };
+        bearer = await exchangeBearer(base, "troop:spawn-agent");
+      } catch (err) {
+        return `spawn failed: ${err instanceof Error ? err.message : String(err)}`;
+      }
+      const body = { name: a2.name };
+      if (a2.model) body.bridge_model = a2.model;
+      if (a2.reasoning_effort) body.bridge_reasoning_effort = a2.reasoning_effort;
+      if (a2.system_prompt) body.system_prompt = a2.system_prompt;
+      if (a2.recipe_ref) body.recipe = { repo_ref: a2.recipe_ref, params: {} };
+      const spRes = await fetch(`${base}/api/agents/spawn-intent`, {
+        method: "POST",
+        headers: { "content-type": "application/json", authorization: `Bearer ${bearer}` },
+        body: JSON.stringify(body)
+      });
+      if (!spRes.ok) {
+        return `spawn failed: spawn-intent ${spRes.status} \u2014 ${(await spRes.text().catch(() => "")).slice(0, 200)}`;
+      }
+      const sp = await spRes.json();
+      return `spawned worker "${a2.name}" (model=${a2.model ?? "default"}, reasoning=${a2.reasoning_effort ?? "default"}); intent=${sp.intent_id ?? "?"}`;
+    }
+  },
+  {
+    name: "agent.destroy",
+    description: "Destroy a worker agent on the nest (full teardown: OS user, IdP, bridge). The PM calls this after collecting an ephemeral worker's result, so workers do not linger idle. Requires the troop:destroy-agent scope.",
+    parameters: {
+      type: "object",
+      properties: {
+        name: { type: "string", description: "the worker agent name to destroy" }
+      },
+      required: ["name"]
+    },
+    execute: async (args) => {
+      const a2 = args;
+      const base = troopBase();
+      let bearer;
+      try {
+        bearer = await exchangeBearer(base, "troop:destroy-agent");
+      } catch (err) {
+        return `destroy failed: ${err instanceof Error ? err.message : String(err)}`;
+      }
+      const res = await fetch(`${base}/api/agents/destroy-intent`, {
+        method: "POST",
+        headers: { "content-type": "application/json", authorization: `Bearer ${bearer}` },
+        body: JSON.stringify({ name: a2.name })
+      });
+      if (!res.ok) {
+        return `destroy failed: destroy-intent ${res.status} \u2014 ${(await res.text().catch(() => "")).slice(0, 200)}`;
+      }
+      const d2 = await res.json();
+      return `destroying worker "${a2.name}"; intent=${d2.intent_id ?? "?"}`;
+    }
+  }
+];
+function ape(args) {
+  try {
+    return execFileSync2("ape-tasks", args, { encoding: "utf8", stdio: ["ignore", "pipe", "pipe"] });
+  } catch (err) {
+    const e2 = err;
+    const stderr = typeof e2.stderr === "string" ? e2.stderr : e2.stderr?.toString("utf8");
+    throw new Error(`ape-tasks failed: ${stderr ?? e2.message ?? err}`);
+  }
+}
+var tasksTools = [
+  {
+    name: "tasks.list",
+    description: "List the owner's open ape-tasks (the user's personal task list at tasks.openape.ai).",
+    parameters: {
+      type: "object",
+      properties: {
+        status: { type: "string", enum: ["open", "doing", "done", "archived"] },
+        team_id: { type: "string" }
+      },
+      required: []
+    },
+    execute: async (args) => {
+      const a2 = args ?? {};
+      const argv2 = ["list", "--json"];
+      if (a2.status) argv2.push("--status", a2.status);
+      if (a2.team_id) argv2.push("--team", a2.team_id);
+      const out = ape(argv2);
+      try {
+        return JSON.parse(out);
+      } catch {
+        return { raw: out };
       }
     }
   },
   {
     name: "tasks.create",
-    description: "Create a new ape-task on the owner's task list at tasks.openape.ai.",
+    description: "Create a new ape-task at tasks.openape.ai. Pass `team` (the team id) to file it on a shared team board, and `assignee` (an email) to delegate it to a teammate.",
     parameters: {
       type: "object",
       properties: {
         title: { type: "string" },
         notes: { type: "string" },
         priority: { type: "string", enum: ["low", "med", "high"] },
-        due_at: { type: "string", description: "ISO date or +Nh/+Nd shorthand." }
+        due_at: { type: "string", description: "ISO date or +Nh/+Nd shorthand." },
+        team: { type: "string", description: "Team id to file the task on (required when you belong to a team)." },
+        assignee: { type: "string", description: "Email of the teammate to assign the task to." },
+        dedup_key: { type: "string", description: "Stable id for the source (e.g. a mail Message-ID). If an open task with this key already exists, no duplicate is created \u2014 pass it for recurring triage so the same item is not filed twice." }
       },
       required: ["title"]
     },
@@ -3857,6 +4101,9 @@ var tasksTools = [
       if (a2.notes) argv2.push("--notes", a2.notes);
       if (a2.priority) argv2.push("--priority", a2.priority);
       if (a2.due_at) argv2.push("--due", a2.due_at);
+      if (a2.team) argv2.push("--team", a2.team);
+      if (a2.assignee) argv2.push("--assignee", a2.assignee);
+      if (a2.dedup_key) argv2.push("--dedup-key", a2.dedup_key);
       const out = ape(argv2);
       try {
         return JSON.parse(out);
@@ -3881,6 +4128,83 @@ var timeTools = [
     }
   }
 ];
+var TROOP = "https://troop.openape.ai";
+var RESOURCES = ["objectives", "reports", "members", "cost-snapshots", "overview"];
+function pathFor(resource, orgId) {
+  const id = encodeURIComponent(orgId);
+  return resource === "overview" ? `/api/orgs/${id}` : `/api/orgs/${id}/${resource}`;
+}
+var OBJECTIVE_STATUS = ["planned", "in_progress", "done", "abandoned"];
+var troopTools = [
+  {
+    name: "troop.company.read",
+    description: "Read your troop company data on troop.openape.ai. resource: objectives | reports | members | cost-snapshots | overview (vision+budget). Read-only.",
+    parameters: {
+      type: "object",
+      properties: {
+        resource: { type: "string", enum: [...RESOURCES], description: "Which company resource to read." },
+        org_id: { type: "string", description: "Your company (org) id." }
+      },
+      required: ["resource", "org_id"]
+    },
+    execute: async (args) => {
+      const { resource, org_id } = args ?? {};
+      if (!resource || !RESOURCES.includes(resource)) {
+        throw new Error(`troop.company.read: unknown resource '${resource}' (expected ${RESOURCES.join(" | ")})`);
+      }
+      if (!org_id) throw new Error("troop.company.read: org_id is required");
+      const bearer = await getAuthorizedBearer({ endpoint: TROOP, aud: "troop.openape.ai" });
+      const res = await fetch(`${TROOP}${pathFor(resource, org_id)}`, {
+        headers: { authorization: bearer }
+      });
+      if (!res.ok) {
+        throw new Error(`troop.company.read ${resource} \u2192 ${res.status}: ${(await res.text()).slice(0, 200)}`);
+      }
+      return JSON.stringify(await res.json());
+    }
+  },
+  {
+    name: "troop.objective.upsert",
+    description: "Create or update a company objective on troop.openape.ai. Pass objective_id to update an existing one; omit it to create. Authenticated as the agent (acting for the owner).",
+    parameters: {
+      type: "object",
+      properties: {
+        org_id: { type: "string", description: "Your company (org) id." },
+        objective_id: { type: "string", description: "Omit to create; pass to update an existing objective." },
+        title: { type: "string" },
+        description: { type: "string" },
+        status: { type: "string", enum: [...OBJECTIVE_STATUS] },
+        target_date: { type: "number", description: "Unix seconds, or null to clear." }
+      },
+      required: ["org_id"]
+    },
+    execute: async (args) => {
+      const a2 = args ?? {};
+      if (!a2.org_id) throw new Error("troop.objective.upsert: org_id is required");
+      if (a2.status && !OBJECTIVE_STATUS.includes(a2.status)) {
+        throw new Error(`troop.objective.upsert: bad status '${a2.status}'`);
+      }
+      if (!a2.objective_id && !a2.title) throw new Error("troop.objective.upsert: title is required to create an objective");
+      const bearer = await getAuthorizedBearer({ endpoint: TROOP, aud: "troop.openape.ai" });
+      const id = encodeURIComponent(a2.org_id);
+      const body = {};
+      if (a2.title !== void 0) body.title = a2.title;
+      if (a2.description !== void 0) body.description = a2.description;
+      if (a2.status !== void 0) body.status = a2.status;
+      if (a2.target_date !== void 0) body.target_date = a2.target_date;
+      const url = a2.objective_id ? `${TROOP}/api/orgs/${id}/objectives/${encodeURIComponent(a2.objective_id)}` : `${TROOP}/api/orgs/${id}/objectives`;
+      const res = await fetch(url, {
+        method: a2.objective_id ? "PATCH" : "POST",
+        headers: { authorization: bearer, "content-type": "application/json" },
+        body: JSON.stringify(body)
+      });
+      if (!res.ok) {
+        throw new Error(`troop.objective.upsert \u2192 ${res.status}: ${(await res.text()).slice(0, 200)}`);
+      }
+      return JSON.stringify(await res.json());
+    }
+  }
+];
 var CWD_RE = /^[\w./-]{1,256}$/;
 async function runVerify(cwd, command, timeoutMs) {
   if (typeof cwd !== "string" || !CWD_RE.test(cwd)) {
@@ -3927,7 +4251,9 @@ var ALL_TOOLS = [
   ...bashTools,
   ...gitWorktreeTools,
   ...verifyTools,
-  ...forgeTools
+  ...forgeTools,
+  ...spawnTools,
+  ...troopTools
 ];
 var TOOLS = Object.fromEntries(
   ALL_TOOLS.map((t2) => [t2.name, t2])
@@ -4028,6 +4354,7 @@ async function runLoop(opts) {
     const requestBody = {
       model: opts.config.model,
       messages,
+      ...opts.config.reasoningEffort ? { reasoning_effort: opts.config.reasoningEffort } : {},
       ...tools.length > 0 ? { tools, tool_choice: "auto" } : {},
       ...opts.streamAggregate ? { stream: true } : {}
     };
@@ -4138,10 +4465,180 @@ var REVIEW_SYSTEM = [
   'Respond ONLY as JSON: {"approved": boolean, "reason": string}.'
 ].join(" ");
 
+// src/bridge-config.ts
+var DEFAULT_ENDPOINT = "https://troop.openape.ai";
+var DEFAULT_APES_BIN = "apes";
+var DEFAULT_MAX_STEPS = 10;
+var DEFAULT_SYSTEM_PROMPT = `You are a helpful assistant in a 1:1 chat. Be concise and friendly. When asked for facts, say "I don't know" rather than guess.`;
+var REASONING_EFFORTS = ["minimal", "low", "medium", "high"];
+function readTelegramConfig(env2) {
+  const botToken = env2.TELEGRAM_BOT_TOKEN;
+  if (!botToken) return void 0;
+  const raw = env2.TELEGRAM_OWNER_USER_ID;
+  if (raw === void 0 || raw === "") return { botToken };
+  const ownerUserId = Number.parseInt(raw, 10);
+  if (!Number.isInteger(ownerUserId)) {
+    throw new TypeError(`TELEGRAM_OWNER_USER_ID is set but not a number: ${JSON.stringify(raw)}`);
+  }
+  return { botToken, ownerUserId };
+}
+function readConfig(env2 = process.env) {
+  const toolsRaw = env2.APE_CHAT_BRIDGE_TOOLS ?? "";
+  const tools = toolsRaw.split(",").map((s2) => s2.trim()).filter(Boolean);
+  const maxStepsRaw = env2.APE_CHAT_BRIDGE_MAX_STEPS;
+  const maxSteps = maxStepsRaw ? Number.parseInt(maxStepsRaw, 10) : DEFAULT_MAX_STEPS;
+  const model = env2.APE_CHAT_BRIDGE_MODEL;
+  if (!model) {
+    throw new Error(
+      "APE_CHAT_BRIDGE_MODEL is not set. Set it in the container env (compose environment: block) or globally in `~/litellm/.env`. Common values: `gpt-5.4` (ChatGPT-only LiteLLM proxy), `claude-haiku-4-5` (Anthropic-only)."
+    );
+  }
+  const effortRaw = env2.APE_CHAT_BRIDGE_REASONING_EFFORT;
+  const reasoningEffort = REASONING_EFFORTS.includes(effortRaw) ? effortRaw : void 0;
+  return {
+    endpoint: (env2.OPENAPE_TROOP_URL ?? DEFAULT_ENDPOINT).replace(/\/$/, ""),
+    apesBin: env2.APE_CHAT_BRIDGE_APES_BIN ?? DEFAULT_APES_BIN,
+    model,
+    reasoningEffort,
+    systemPrompt: env2.APE_CHAT_BRIDGE_SYSTEM_PROMPT ?? DEFAULT_SYSTEM_PROMPT,
+    tools,
+    maxSteps: Number.isFinite(maxSteps) && maxSteps > 0 ? maxSteps : DEFAULT_MAX_STEPS,
+    roomFilter: env2.APE_CHAT_BRIDGE_ROOM,
+    telegram: readTelegramConfig(env2)
+  };
+}
+
+// src/troop-chat-api.ts
+import { ofetch as ofetch6 } from "ofetch";
+var MAX_BODY = 64 * 1024;
+var SYNTHETIC_THREAD_ID = "main";
+function asHistory(msg, agentEmail, ownerEmail) {
+  return {
+    id: msg.id,
+    roomId: msg.chatId,
+    threadId: SYNTHETIC_THREAD_ID,
+    senderEmail: msg.role === "agent" ? agentEmail : ownerEmail,
+    senderAct: msg.role,
+    body: msg.body,
+    replyTo: msg.replyTo,
+    createdAt: msg.createdAt
+  };
+}
+function asPosted(msg) {
+  return {
+    id: msg.id,
+    roomId: msg.chatId,
+    threadId: SYNTHETIC_THREAD_ID,
+    body: msg.body,
+    createdAt: msg.createdAt
+  };
+}
+var TroopChatApi = class {
+  constructor(endpoint, bearer) {
+    this.endpoint = endpoint;
+    this.bearer = bearer;
+  }
+  endpoint;
+  bearer;
+  bootstrap = null;
+  /** Resolve + cache the agent's chat row (lazy fetch on first use). */
+  async getBootstrap() {
+    if (this.bootstrap) return this.bootstrap;
+    this.bootstrap = await ofetch6(`${this.endpoint}/api/agents/me/chat`, {
+      method: "GET",
+      headers: { Authorization: await this.bearer() }
+    });
+    return this.bootstrap;
+  }
+  /** chat.id + (lazy-fetched) ownerEmail for the bridge's frame-translation path. */
+  async getChatContext() {
+    const b2 = await this.getBootstrap();
+    return { chatId: b2.chat.id, ownerEmail: b2.chat.ownerEmail, agentEmail: b2.chat.agentEmail };
+  }
+  async postMessage(roomId, body, opts = {}) {
+    void roomId;
+    void opts.threadId;
+    const payload = {
+      body: body.length > MAX_BODY ? `${body.slice(0, MAX_BODY - 1)}\u2026` : body
+    };
+    if (opts.replyTo) payload.reply_to = opts.replyTo;
+    if (opts.streaming) payload.streaming = true;
+    const msg = await ofetch6(`${this.endpoint}/api/agents/me/chat/messages`, {
+      method: "POST",
+      headers: { Authorization: await this.bearer() },
+      body: payload
+    });
+    return asPosted(msg);
+  }
+  async listMessages(roomId, threadId, limit = 50) {
+    void roomId;
+    void threadId;
+    void limit;
+    const fresh = await ofetch6(`${this.endpoint}/api/agents/me/chat`, {
+      method: "GET",
+      headers: { Authorization: await this.bearer() }
+    });
+    this.bootstrap = fresh;
+    return fresh.messages.map((m2) => asHistory(m2, fresh.chat.agentEmail, fresh.chat.ownerEmail));
+  }
+  async patchMessage(messageId, opts = {}) {
+    const payload = {};
+    if (opts.body !== void 0) {
+      payload.body = opts.body.length > MAX_BODY ? `${opts.body.slice(0, MAX_BODY - 1)}\u2026` : opts.body;
+    }
+    if (opts.streaming !== void 0) payload.streaming = opts.streaming;
+    if (opts.streamingStatus !== void 0) payload.streaming_status = opts.streamingStatus;
+    if (Object.keys(payload).length === 0) return;
+    await ofetch6(`${this.endpoint}/api/agents/me/chat/messages/${encodeURIComponent(messageId)}`, {
+      method: "PATCH",
+      headers: { Authorization: await this.bearer() },
+      body: payload
+    });
+  }
+  /**
+   * Troop's chat doesn't have contacts — synthesize a single
+   *  always-connected entry pointing at the owner so the bridge's
+   *  initial-contact + allowlist flows are no-ops.
+   */
+  async listContacts() {
+    const b2 = await this.getBootstrap();
+    return [{
+      peerEmail: b2.chat.ownerEmail,
+      myStatus: "accepted",
+      theirStatus: "accepted",
+      connected: true,
+      roomId: b2.chat.id
+    }];
+  }
+  async requestContact(peerEmail) {
+    void peerEmail;
+    return (await this.listContacts())[0];
+  }
+  async acceptContact(peerEmail) {
+    void peerEmail;
+    return (await this.listContacts())[0];
+  }
+  /**
+   * Troop has no threads — return a synthetic one. The bridge's
+   *  cron-runner falls back to the main thread on createThread
+   *  failure already, so a stable "main" stand-in is the right shape.
+   */
+  async createThread(roomId, name) {
+    void roomId;
+    return { id: SYNTHETIC_THREAD_ID, name: name.slice(0, 100) };
+  }
+};
+
 // src/cron-runner.ts
-var TASK_CACHE_DIR = join4(homedir6(), ".openape", "agent", "tasks");
-var AGENT_CONFIG_PATH = join4(homedir6(), ".openape", "agent", "agent.json");
-var TASK_THREADS_PATH = join4(homedir6(), ".openape", "agent", "task-threads.json");
+import { existsSync as existsSync4, mkdirSync as mkdirSync4, readdirSync as readdirSync4, readFileSync as readFileSync6, writeFileSync as writeFileSync4 } from "fs";
+import { homedir as homedir7 } from "os";
+import { join as join7 } from "path";
+var TASK_CACHE_DIR = join7(homedir7(), ".openape", "agent", "tasks");
+var AGENT_CONFIG_PATH = join7(homedir7(), ".openape", "agent", "agent.json");
+function resolveRecipeDir() {
+  return process.env.OPENAPE_RECIPE_DEV_DIR || join7(homedir7(), "recipe");
+}
+var TASK_THREADS_PATH = join7(homedir7(), ".openape", "agent", "task-threads.json");
 var TICK_INTERVAL_MS = 6e4;
 function parseField(token, range, allowStep) {
   if (token === "*") return { type: "any" };
@@ -4183,13 +4680,13 @@ function cronMatches(expr, now) {
   return fieldMatches(expr.minute, now.getMinutes()) && fieldMatches(expr.hour, now.getHours()) && fieldMatches(expr.dom, now.getDate()) && fieldMatches(expr.month, now.getMonth() + 1) && (fieldMatches(expr.dow, dow) || expr.dow.type === "fixed" && expr.dow.value === 7 && dow === 0);
 }
 function readTaskSpecs() {
-  if (!existsSync3(TASK_CACHE_DIR)) return [];
+  if (!existsSync4(TASK_CACHE_DIR)) return [];
   const out = [];
-  for (const entry of readdirSync3(TASK_CACHE_DIR)) {
+  for (const entry of readdirSync4(TASK_CACHE_DIR)) {
     if (!entry.endsWith(".json")) continue;
-    const path = join4(TASK_CACHE_DIR, entry);
+    const path = join7(TASK_CACHE_DIR, entry);
     try {
-      const t2 = JSON.parse(readFileSync5(path, "utf8"));
+      const t2 = JSON.parse(readFileSync6(path, "utf8"));
       if (t2.taskId && t2.cron && t2.enabled !== false) out.push(t2);
     } catch {
     }
@@ -4207,10 +4704,13 @@ ${tail(out, 2500)}`);
 ${tail(err, 2500)}`);
   return parts.join("\n\n");
 }
+function shouldReportCommandRun(exitCode, stdout2, stderr) {
+  return exitCode !== 0 || `${stdout2}${stderr}`.trim() !== "";
+}
 function readSystemPrompt() {
-  if (!existsSync3(AGENT_CONFIG_PATH)) return "";
+  if (!existsSync4(AGENT_CONFIG_PATH)) return "";
   try {
-    const parsed = JSON.parse(readFileSync5(AGENT_CONFIG_PATH, "utf8"));
+    const parsed = JSON.parse(readFileSync6(AGENT_CONFIG_PATH, "utf8"));
     return typeof parsed.systemPrompt === "string" ? parsed.systemPrompt : "";
   } catch {
     return "";
@@ -4237,9 +4737,9 @@ var CronRunner = class {
    */
   taskThreads = /* @__PURE__ */ new Map();
   loadTaskThreads() {
-    if (!existsSync3(TASK_THREADS_PATH)) return;
+    if (!existsSync4(TASK_THREADS_PATH)) return;
     try {
-      const parsed = JSON.parse(readFileSync5(TASK_THREADS_PATH, "utf8"));
+      const parsed = JSON.parse(readFileSync6(TASK_THREADS_PATH, "utf8"));
       for (const [k2, v2] of Object.entries(parsed)) {
         if (typeof v2 === "string") this.taskThreads.set(k2, v2);
       }
@@ -4248,9 +4748,9 @@ var CronRunner = class {
   }
   persistTaskThreads() {
     try {
-      const dir = join4(homedir6(), ".openape", "agent");
-      mkdirSync3(dir, { recursive: true });
-      writeFileSync3(
+      const dir = join7(homedir7(), ".openape", "agent");
+      mkdirSync4(dir, { recursive: true });
+      writeFileSync4(
         TASK_THREADS_PATH,
         `${JSON.stringify(Object.fromEntries(this.taskThreads), null, 2)}
 `,
@@ -4327,13 +4827,15 @@ var CronRunner = class {
   async runTask(sessionId, systemPrompt, spec) {
     if (spec.command) {
       try {
-        const res = await runApeShell(spec.command, 30 * 60 * 1e3);
+        const recipeDir = resolveRecipeDir();
+        const res = await runApeShell(spec.command, 30 * 60 * 1e3, existsSync4(recipeDir) ? recipeDir : void 0);
         const turn = this.pending.get(sessionId);
         if (!turn) return;
         turn.status = res.exit_code === 0 ? "ok" : "error";
         turn.accumulated = composeTaskOutput(spec.command, res.exit_code, res.stdout, res.stderr);
         await this.finaliseRun(turn, 1);
-        await this.postResult(sessionId, turn);
+        if (shouldReportCommandRun(res.exit_code, res.stdout, res.stderr))
+          await this.postResult(sessionId, turn);
         this.pending.delete(sessionId);
       } catch (err) {
         const turn = this.pending.get(sessionId);
@@ -4347,8 +4849,9 @@ var CronRunner = class {
       return;
     }
     try {
+      const apiKey = this.deps.refreshApiKey ? await this.deps.refreshApiKey() : this.deps.runtimeConfig.apiKey;
       const result = await runLoop({
-        config: this.deps.runtimeConfig,
+        config: { ...this.deps.runtimeConfig, apiKey },
         systemPrompt,
         userMessage: spec.userPrompt,
         tools: taskTools(spec.tools),
@@ -4428,22 +4931,36 @@ ${text}`.slice(0, 9e3);
   }
 };
 
+// src/llm-gateway-key.ts
+async function resolveLlmGatewayKey(base, fallback, log2, exchange = getAuthorizedBearer) {
+  if (!base.includes("llms.openape.ai"))
+    return fallback;
+  try {
+    const u3 = new URL(base);
+    const bearer = await exchange({ endpoint: u3.origin, aud: u3.host });
+    return bearer.replace(/^Bearer\s+/i, "");
+  } catch (err) {
+    log2(`llm gateway token exchange failed (keeping current key): ${err instanceof Error ? err.message : String(err)}`);
+    return fallback;
+  }
+}
+
 // src/identity.ts
-import { existsSync as existsSync4, readFileSync as readFileSync6 } from "fs";
-import { homedir as homedir7 } from "os";
-import { join as join6 } from "path";
-function authPath() {
-  return join6(homedir7(), ".config", "apes", "auth.json");
+import { existsSync as existsSync5, readFileSync as readFileSync7 } from "fs";
+import { homedir as homedir8 } from "os";
+import { join as join8 } from "path";
+function authPath(home) {
+  return join8(home, ".config", "apes", "auth.json");
 }
 function allowlistPath() {
-  return join6(homedir7(), ".config", "openape", "bridge-allowlist.json");
+  return join8(homedir8(), ".config", "openape", "bridge-allowlist.json");
 }
-function readAgentIdentity() {
-  const path = authPath();
-  if (!existsSync4(path)) {
+function readAgentIdentity(home = homedir8()) {
+  const path = authPath(home);
+  if (!existsSync5(path)) {
     throw new Error(`agent identity not found at ${path}`);
   }
-  const raw = readFileSync6(path, "utf8");
+  const raw = readFileSync7(path, "utf8");
   const parsed = JSON.parse(raw);
   if (!parsed.email) throw new Error(`auth.json at ${path} missing 'email'`);
   if (!parsed.idp) throw new Error(`auth.json at ${path} missing 'idp'`);
@@ -4457,9 +4974,9 @@ function readAgentIdentity() {
 }
 function readAllowlist() {
   const path = allowlistPath();
-  if (!existsSync4(path)) return /* @__PURE__ */ new Set();
+  if (!existsSync5(path)) return /* @__PURE__ */ new Set();
   try {
-    const parsed = JSON.parse(readFileSync6(path, "utf8"));
+    const parsed = JSON.parse(readFileSync7(path, "utf8"));
     if (!Array.isArray(parsed.emails)) return /* @__PURE__ */ new Set();
     return new Set(parsed.emails.map((e2) => e2.toLowerCase()));
   } catch {
@@ -4474,24 +4991,24 @@ function shouldAutoAccept(peerEmail, identity, allowlist) {
 
 // src/skills.ts
 import { execFileSync as execFileSync3 } from "child_process";
-import { existsSync as existsSync5, readdirSync as readdirSync4, readFileSync as readFileSync7, statSync } from "fs";
-import { homedir as homedir8 } from "os";
-import { dirname as dirname2, join as join7, resolve as resolve3 } from "path";
+import { existsSync as existsSync6, readdirSync as readdirSync5, readFileSync as readFileSync8, statSync as statSync2 } from "fs";
+import { homedir as homedir9 } from "os";
+import { dirname as dirname3, join as join9, resolve as resolve3 } from "path";
 import { fileURLToPath } from "url";
 import { parse as parseYaml } from "yaml";
 var SKILLS_SUBDIR = [".openape", "agent", "skills"];
 var SOUL_PATH_PARTS = [".openape", "agent", "SOUL.md"];
-function soulPath(home = homedir8()) {
-  return join7(home, ...SOUL_PATH_PARTS);
+function soulPath(home = homedir9()) {
+  return join9(home, ...SOUL_PATH_PARTS);
 }
-function skillsDir(home = homedir8()) {
-  return join7(home, ...SKILLS_SUBDIR);
+function skillsDir(home = homedir9()) {
+  return join9(home, ...SKILLS_SUBDIR);
 }
-function readSoul(home = homedir8()) {
+function readSoul(home = homedir9()) {
   const path = soulPath(home);
-  if (!existsSync5(path)) return null;
+  if (!existsSync6(path)) return null;
   try {
-    const body = readFileSync7(path, "utf8").trim();
+    const body = readFileSync8(path, "utf8").trim();
     return body.length > 0 ? body : null;
   } catch {
     return null;
@@ -4547,27 +5064,27 @@ function hasBinaryOnPath(bin) {
   return found;
 }
 function scanSkillsDir(dir) {
-  if (!existsSync5(dir)) return [];
+  if (!existsSync6(dir)) return [];
   let entries;
   try {
-    entries = readdirSync4(dir);
+    entries = readdirSync5(dir);
   } catch {
     return [];
   }
   const out = [];
   for (const entry of entries) {
-    const skillPath = join7(dir, entry, "SKILL.md");
-    if (!existsSync5(skillPath)) continue;
+    const skillPath = join9(dir, entry, "SKILL.md");
+    if (!existsSync6(skillPath)) continue;
     let st;
     try {
-      st = statSync(skillPath);
+      st = statSync2(skillPath);
     } catch {
       continue;
     }
     if (!st.isFile()) continue;
     let body;
     try {
-      body = readFileSync7(skillPath, "utf8");
+      body = readFileSync8(skillPath, "utf8");
     } catch {
       continue;
     }
@@ -4584,7 +5101,7 @@ function scanSkillsDir(dir) {
   return out;
 }
 function defaultSkillsDir() {
-  const here = dirname2(fileURLToPath(import.meta.url));
+  const here = dirname3(fileURLToPath(import.meta.url));
   return resolve3(here, "..", "default-skills");
 }
 function composeSkills(home, enabledTools) {
@@ -4631,7 +5148,7 @@ function formatSkillsBlock(skills) {
   return lines.join("\n");
 }
 function composeSystemPrompt(input) {
-  const home = input.home ?? homedir8();
+  const home = input.home ?? homedir9();
   const parts = [];
   const defaultPersona = readDefaultPersona();
   if (defaultPersona) parts.push(defaultPersona);
@@ -4648,13 +5165,13 @@ var _defaultPersonaCache;
 function readDefaultPersona() {
   if (_defaultPersonaCache !== void 0) return _defaultPersonaCache;
   try {
-    const here = dirname2(fileURLToPath(import.meta.url));
+    const here = dirname3(fileURLToPath(import.meta.url));
     const path = resolve3(here, "..", "default-persona.md");
-    if (!existsSync5(path)) {
+    if (!existsSync6(path)) {
       _defaultPersonaCache = null;
       return null;
     }
-    const raw = readFileSync7(path, "utf8").trim();
+    const raw = readFileSync8(path, "utf8").trim();
     _defaultPersonaCache = raw.length > 0 ? raw : null;
     return _defaultPersonaCache;
   } catch {
@@ -4773,6 +5290,7 @@ var ThreadSession = class {
       }
     };
     const { systemPrompt, tools } = this.deps.resolveConfig();
+    const runtimeConfig = this.deps.refreshRuntimeConfig ? await this.deps.refreshRuntimeConfig() : this.deps.runtimeConfig;
     await this.backfillHistoryOnce(replyToMessageId, body);
     let sawActivity = false;
     let turnSettled = false;
@@ -4788,7 +5306,7 @@ var ThreadSession = class {
     }, NO_ACTIVITY_TIMEOUT_MS);
     try {
       const result = await runLoop({
-        config: this.deps.runtimeConfig,
+        config: runtimeConfig,
         systemPrompt,
         userMessage: body,
         tools: taskTools(tools),
@@ -4911,21 +5429,392 @@ var ThreadSession = class {
   }
 };
 
+// src/agent-session.ts
+var AgentSession = class {
+  constructor(email, ownerEmail, config) {
+    this.email = email;
+    this.ownerEmail = ownerEmail;
+    this.config = config;
+  }
+  email;
+  ownerEmail;
+  config;
+  /**
+   * Lazily-created prompt-injection detector, shared across this session's
+   * messages. Matches the per-agent bridge, which holds one
+   * `createHeuristicDetector()` for its lifetime.
+   */
+  injectionDetector;
+  describe() {
+    return `${this.email} (owner ${this.ownerEmail})`;
+  }
+  /**
+   * Build this agent's troop chat WebSocket URL from its resolved endpoint and
+   * a bearer token. Ports the exact derivation the per-agent bridge uses in
+   * `pumpOnce` (http→ws, token carried as a query param, a leading `Bearer `
+   * prefix stripped, the value URL-encoded) so the nest's in-process WS-open
+   * increment connects to the same socket the bridge process opens today — with
+   * no second copy of the URL rule once the nest drives the connection.
+   */
+  chatSocketUrl(bearer) {
+    const base = this.config.endpoint.replace(/^http/, "ws");
+    const token = encodeURIComponent(bearer.replace(/^Bearer\s+/i, ""));
+    return `${base}/_ws/chat?token=${token}`;
+  }
+  /**
+   * Decode one raw troop chat-socket frame into a {@link TroopChatFrame}, or
+   * `null` for frames the agent ignores. Ports the exact decode + filter the
+   * per-agent bridge applies in `pumpOnce`: tolerate string or `Buffer` data,
+   * skip anything that is not valid JSON, and keep only `{type:'message'}`
+   * frames that carry a payload. This is the canonical home for the framing
+   * rule once the nest drives the connection — the WS-message increment routes
+   * accepted frames into the agent loop with no second copy of the rule.
+   */
+  parseChatFrame(data) {
+    const text = typeof data === "string" ? data : Buffer.isBuffer(data) ? data.toString("utf8") : "";
+    if (!text)
+      return null;
+    let frame;
+    try {
+      frame = JSON.parse(text);
+    } catch {
+      return null;
+    }
+    if (frame.type !== "message" || !frame.payload)
+      return null;
+    return { chatId: frame.chat_id ?? "", payload: frame.payload };
+  }
+  /**
+   * Translate an accepted {@link TroopChatFrame} into the {@link TroopMessage}
+   * the agent loop runs on. Ports the bridge's `translateTroopPayload`: troop's
+   * payload carries `role` (human|agent) but no sender email, so the email is
+   * synthesized from role (agent → this session's own email, human → the owner)
+   * — the bridge skips its own echoes via `senderEmail === selfEmail`, so this
+   * mapping must match. `threadId` is the synthetic `'main'` because troop has
+   * no threads. This is the canonical home for the payload→message rule once the
+   * nest drives the connection: the runLoop-dispatch increment feeds this
+   * message straight into the loop with no second copy of the translation.
+   */
+  toMessage(frame) {
+    const { chatId, payload } = frame;
+    const role = payload.role === "agent" ? "agent" : "human";
+    return {
+      id: String(payload.id ?? ""),
+      roomId: chatId || String(payload.chatId ?? ""),
+      threadId: "main",
+      senderEmail: role === "agent" ? this.email : this.ownerEmail,
+      senderAct: role,
+      body: typeof payload.body === "string" ? payload.body : "",
+      replyTo: typeof payload.replyTo === "string" ? payload.replyTo : null,
+      createdAt: typeof payload.createdAt === "number" ? payload.createdAt : Math.floor(Date.now() / 1e3),
+      editedAt: typeof payload.editedAt === "number" ? payload.editedAt : null
+    };
+  }
+  /**
+   * Whether a translated {@link TroopMessage} is this agent's own echo. troop
+   * fans every chat message back to the socket that sent it, so the agent sees
+   * its own replies; feeding those into the loop would be an infinite feedback
+   * cycle. Ports the bridge's `handleInbound` guard (`senderEmail === selfEmail`)
+   * — the canonical home for the self-echo rule once the nest drives the
+   * connection: the runLoop-dispatch increment skips own echoes before it runs
+   * the loop, with no second copy of the comparison.
+   */
+  isOwnEcho(message) {
+    return message.senderEmail === this.email;
+  }
+  /**
+   * Whether a translated, non-echo {@link TroopMessage} should reach the agent
+   * loop. Ports the bridge's remaining pre-loop guards in `handleInbound`: an
+   * empty or whitespace-only body carries nothing to act on, and a configured
+   * `roomFilter` scopes the agent to a single chat. (The bridge's `threadId`
+   * guard is moot here — {@link toMessage} always synthesizes `'main'`.) The
+   * own-echo guard stays {@link isOwnEcho}, applied first by the caller. This is
+   * the canonical home for the dispatch-filter rule once the nest drives the
+   * connection: the runLoop-dispatch increment runs the loop only for messages
+   * this accepts, with no second copy of the guards.
+   */
+  shouldDispatch(message) {
+    if (!message.body.trim())
+      return false;
+    if (this.config.roomFilter && message.roomId !== this.config.roomFilter)
+      return false;
+    return true;
+  }
+  /**
+   * Screen an accepted, non-echo {@link TroopMessage} for prompt injection
+   * before it reaches the agent loop. Ports the bridge's `handleInbound`
+   * choke-point: the bridge runs every inbound message through a heuristic
+   * detector and refuses to forward it when the score crosses the threshold,
+   * because once the text is in the loop's history a refusal is harder and
+   * inconsistent. The owner gets a higher bar (legitimate "run shell, do X"
+   * instructions aren't refused) — handled by `decide` keying the threshold off
+   * `sender.isOwner`. This is the canonical home for the screening rule once the
+   * nest drives the connection: the runLoop-dispatch increment refuses blocked
+   * messages with no second copy of the detector setup or the sender mapping.
+   */
+  async screenInjection(message) {
+    this.injectionDetector ??= createHeuristicDetector();
+    return decide(this.injectionDetector, {
+      text: message.body,
+      sender: {
+        email: message.senderEmail,
+        isOwner: message.senderEmail === this.ownerEmail
+      }
+    });
+  }
+  /**
+   * The short, neutral refusal the agent posts back when {@link screenInjection}
+   * blocks a message. Ports the bridge's `refusalText`: the matched reason is
+   * appended so the owner sees in their chat history + audit log why a specific
+   * message was blocked, but the phrasing deliberately avoids language an
+   * attacker could copy back ("ignore previous instructions and …") to
+   * re-trigger the detector. This is the canonical home for the refusal-message
+   * rule once the nest drives the connection: the runLoop-dispatch increment
+   * posts this text on a block with no second copy of the wording.
+   */
+  refusalText(reason) {
+    const base = "I won't process this message \u2014 it looks like a prompt-injection attempt.";
+    return reason ? `${base}
+
+(matched: ${reason})` : base;
+  }
+};
+
+// src/telegram-api.ts
+import { ofetch as ofetch7 } from "ofetch";
+function createTelegramTransport(botToken) {
+  const base = `https://api.telegram.org/bot${botToken}`;
+  return async (method, params) => {
+    return await ofetch7(`${base}/${method}`, {
+      method: "POST",
+      body: params,
+      ignoreResponseError: true
+    });
+  };
+}
+function chatIdParam(roomId) {
+  return /^-?\d+$/.test(roomId) ? Number(roomId) : roomId;
+}
+
+// src/telegram-chat-api.ts
+var PLACEHOLDER_TEXT = "\u2026";
+var SYNTHETIC_THREAD_ID2 = "main";
+function encodeId(roomId, messageId) {
+  return `${roomId}|${messageId}`;
+}
+function decodeId(id) {
+  const i2 = id.lastIndexOf("|");
+  return { chatId: chatIdParam(id.slice(0, i2)), messageId: Number(id.slice(i2 + 1)) };
+}
+var TelegramChatApi = class {
+  constructor(call) {
+    this.call = call;
+  }
+  call;
+  async postMessage(roomId, body, opts = {}) {
+    const text = body.length > 0 ? body : PLACEHOLDER_TEXT;
+    const params = { chat_id: chatIdParam(roomId), text };
+    if (opts.threadId && opts.threadId !== SYNTHETIC_THREAD_ID2) {
+      params.message_thread_id = Number(opts.threadId);
+    }
+    if (opts.replyTo && /^\d+$/.test(opts.replyTo)) {
+      params.reply_parameters = { message_id: Number(opts.replyTo), allow_sending_without_reply: true };
+    }
+    const res = await this.call("sendMessage", params);
+    if (!res.ok || !res.result) {
+      throw new Error(`telegram sendMessage failed: ${res.description ?? "unknown error"}`);
+    }
+    const sent = res.result;
+    return {
+      id: encodeId(roomId, sent.message_id),
+      roomId,
+      threadId: opts.threadId ?? SYNTHETIC_THREAD_ID2,
+      body: text,
+      createdAt: sent.date ?? Math.floor(Date.now() / 1e3)
+    };
+  }
+  async patchMessage(messageId, opts = {}) {
+    if (opts.streaming !== false || opts.body === void 0) return;
+    const { chatId, messageId: msgId } = decodeId(messageId);
+    const res = await this.call("editMessageText", {
+      chat_id: chatId,
+      message_id: msgId,
+      text: opts.body.length > 0 ? opts.body : PLACEHOLDER_TEXT
+    });
+    if (!res.ok && !/not modified/i.test(res.description ?? "")) {
+      throw new Error(`telegram editMessageText failed: ${res.description ?? "unknown error"}`);
+    }
+  }
+  // Telegram exposes no history-fetch API. A live ThreadSession keeps its own
+  // in-process history across turns; only a bridge restart loses Telegram
+  // context (acceptable for M0 — persisted backfill is later work).
+  async listMessages() {
+    return [];
+  }
+  // Contacts are a troop concept; the Telegram inbound path never invokes the
+  // bridge's contact handshake, so these are inert stand-ins for the interface.
+  async listContacts() {
+    return [];
+  }
+  async requestContact(peerEmail) {
+    return { peerEmail, myStatus: "accepted", theirStatus: "accepted", connected: true, roomId: null };
+  }
+  async acceptContact(peerEmail) {
+    return { peerEmail, myStatus: "accepted", theirStatus: "accepted", connected: true, roomId: null };
+  }
+  // M0 has no Telegram threads; forum-topic creation is M1.
+  async createThread(roomId, name) {
+    void roomId;
+    return { id: SYNTHETIC_THREAD_ID2, name: name.slice(0, 100) };
+  }
+};
+
+// src/telegram-channel.ts
+var LONG_POLL_SECONDS = 30;
+var POLL_ERROR_BACKOFF_MS = 3e3;
+function sleep(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
+}
+var TelegramChannel = class {
+  constructor(deps) {
+    this.deps = deps;
+    this.owner = deps.ownerUserId ?? deps.loadOwnerPin?.();
+  }
+  deps;
+  name = "telegram";
+  offset = 0;
+  // Chats we've already told "not authorized" — one hint per chat, not per message.
+  warned = /* @__PURE__ */ new Set();
+  // The locked owner: explicit id, else a previously-pinned one, else undefined
+  // until the first message pins it (TOFU).
+  owner;
+  async start(onInbound) {
+    await this.skipBacklog();
+    this.deps.log("telegram channel up");
+    while (true) {
+      let updates = [];
+      try {
+        updates = await this.poll();
+      } catch (err) {
+        this.deps.log(`telegram poll error: ${err instanceof Error ? err.message : String(err)}`);
+        await sleep(POLL_ERROR_BACKOFF_MS);
+        continue;
+      }
+      for (const u3 of updates) {
+        this.offset = Math.max(this.offset, u3.update_id + 1);
+        await this.dispatch(u3, onInbound);
+      }
+    }
+  }
+  /**
+   * On boot, advance the offset past any messages Telegram buffered while the
+   * bridge was down (it holds updates ~24h) so a restart doesn't replay a
+   * day of old messages as fresh turns.
+   */
+  async skipBacklog() {
+    const res = await this.deps.call("getUpdates", { timeout: 0, offset: -1 });
+    if (res.ok && Array.isArray(res.result) && res.result.length > 0) {
+      const updates = res.result;
+      const last = updates.at(-1);
+      this.offset = last.update_id + 1;
+      this.deps.log(`telegram: skipped ${updates.length} backlog update(s) on boot`);
+    }
+  }
+  async poll() {
+    const res = await this.deps.call("getUpdates", { timeout: LONG_POLL_SECONDS, offset: this.offset });
+    if (!res.ok) {
+      throw new Error(res.description ?? "getUpdates failed");
+    }
+    return Array.isArray(res.result) ? res.result : [];
+  }
+  async dispatch(u3, onInbound) {
+    const m2 = u3.message;
+    if (!m2 || typeof m2.text !== "string" || m2.text.length === 0) return;
+    const from = m2.from?.id;
+    if (from === void 0) return;
+    if (this.owner === void 0) {
+      this.owner = from;
+      this.deps.saveOwnerPin?.(from);
+      this.deps.log(`telegram: owner pinned to user ${from} on first contact`);
+    } else if (from !== this.owner) {
+      await this.refuseStranger(m2);
+      return;
+    }
+    if (m2.text === "/start" || m2.text.startsWith("/start ")) {
+      await this.reply(m2.chat.id, "Hi \u{1F44B} \u2014 schreib mir einfach, ich bin dein Agent und antworte direkt hier.", m2.message_thread_id);
+      return;
+    }
+    const msg = {
+      id: String(m2.message_id),
+      roomId: String(m2.chat.id),
+      threadId: m2.message_thread_id ? String(m2.message_thread_id) : "main",
+      senderEmail: this.deps.ownerEmail,
+      senderAct: "human",
+      body: m2.text,
+      replyTo: null,
+      createdAt: m2.date ?? Math.floor(Date.now() / 1e3),
+      editedAt: null
+    };
+    await onInbound(msg, this.deps.backend);
+  }
+  async refuseStranger(m2) {
+    if (this.warned.has(m2.chat.id)) return;
+    this.warned.add(m2.chat.id);
+    this.deps.log(`telegram: ignoring message from non-owner user ${m2.from?.id ?? "unknown"}`);
+    await this.reply(m2.chat.id, "Dieser Bot ist privat und nur f\xFCr seinen Owner.", m2.message_thread_id);
+  }
+  async reply(chatId, text, threadId) {
+    const params = { chat_id: chatIdParam(String(chatId)), text };
+    if (threadId) params.message_thread_id = threadId;
+    try {
+      await this.deps.call("sendMessage", params);
+    } catch (err) {
+      this.deps.log(`telegram reply failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+};
+
 // src/bridge.ts
-var AGENT_CONFIG_PATH2 = join8(homedir9(), ".openape", "agent", "agent.json");
+var AGENT_CONFIG_PATH2 = join10(homedir10(), ".openape", "agent", "agent.json");
+var TELEGRAM_OWNER_PIN_PATH = join10(homedir10(), ".openape", "agent", "telegram-owner.json");
+var MEMORY_PATH = join10(homedir10(), ".openape", "agent", "MEMORY.md");
+function ensureMemoryFile() {
+  if (existsSync7(MEMORY_PATH)) return;
+  try {
+    mkdirSync5(dirname4(MEMORY_PATH), { recursive: true });
+    writeFileSync5(MEMORY_PATH, "", { flag: "wx" });
+    log("seeded empty MEMORY.md");
+  } catch {
+  }
+}
+function readTelegramOwnerPin() {
+  try {
+    const parsed = JSON.parse(readFileSync9(TELEGRAM_OWNER_PIN_PATH, "utf8"));
+    return typeof parsed.ownerUserId === "number" ? parsed.ownerUserId : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function writeTelegramOwnerPin(id) {
+  try {
+    writeFileSync5(TELEGRAM_OWNER_PIN_PATH, JSON.stringify({ ownerUserId: id }));
+  } catch (err) {
+    log(`failed to persist telegram owner pin: ${err instanceof Error ? err.message : String(err)}`);
+  }
+}
 function resolveSystemPrompt(envFallback) {
-  if (!existsSync6(AGENT_CONFIG_PATH2)) return envFallback;
+  if (!existsSync7(AGENT_CONFIG_PATH2)) return envFallback;
   try {
-    const parsed = JSON.parse(readFileSync8(AGENT_CONFIG_PATH2, "utf8"));
+    const parsed = JSON.parse(readFileSync9(AGENT_CONFIG_PATH2, "utf8"));
     return typeof parsed.systemPrompt === "string" ? parsed.systemPrompt : envFallback;
   } catch {
     return envFallback;
   }
 }
 function resolveTools(envFallback) {
-  if (existsSync6(AGENT_CONFIG_PATH2)) {
+  if (existsSync7(AGENT_CONFIG_PATH2)) {
     try {
-      const parsed = JSON.parse(readFileSync8(AGENT_CONFIG_PATH2, "utf8"));
+      const parsed = JSON.parse(readFileSync9(AGENT_CONFIG_PATH2, "utf8"));
       if (Array.isArray(parsed.tools)) {
         return parsed.tools.filter((t2) => typeof t2 === "string");
       }
@@ -4934,35 +5823,10 @@ function resolveTools(envFallback) {
   }
   return envFallback;
 }
-var DEFAULT_ENDPOINT = "https://troop.openape.ai";
-var DEFAULT_APES_BIN = "apes";
-var DEFAULT_MAX_STEPS = 10;
-var DEFAULT_SYSTEM_PROMPT = `You are a helpful assistant in a 1:1 chat. Be concise and friendly. When asked for facts, say "I don't know" rather than guess.`;
 var PING_INTERVAL_MS = 3e4;
 var RECONNECT_BASE_MS = 1e3;
 var RECONNECT_MAX_MS = 3e4;
 var ALLOWLIST_POLL_INTERVAL_MS = 3e4;
-function readConfig() {
-  const toolsRaw = process3.env.APE_CHAT_BRIDGE_TOOLS ?? "";
-  const tools = toolsRaw.split(",").map((s2) => s2.trim()).filter(Boolean);
-  const maxStepsRaw = process3.env.APE_CHAT_BRIDGE_MAX_STEPS;
-  const maxSteps = maxStepsRaw ? Number.parseInt(maxStepsRaw, 10) : DEFAULT_MAX_STEPS;
-  const model = process3.env.APE_CHAT_BRIDGE_MODEL;
-  if (!model) {
-    throw new Error(
-      "APE_CHAT_BRIDGE_MODEL is not set. Set it in the container env (compose environment: block) or globally in `~/litellm/.env`. Common values: `gpt-5.4` (ChatGPT-only LiteLLM proxy), `claude-haiku-4-5` (Anthropic-only)."
-    );
-  }
-  return {
-    endpoint: (process3.env.OPENAPE_TROOP_URL ?? DEFAULT_ENDPOINT).replace(/\/$/, ""),
-    apesBin: process3.env.APE_CHAT_BRIDGE_APES_BIN ?? DEFAULT_APES_BIN,
-    model,
-    systemPrompt: process3.env.APE_CHAT_BRIDGE_SYSTEM_PROMPT ?? DEFAULT_SYSTEM_PROMPT,
-    tools,
-    maxSteps: Number.isFinite(maxSteps) && maxSteps > 0 ? maxSteps : DEFAULT_MAX_STEPS,
-    roomFilter: process3.env.APE_CHAT_BRIDGE_ROOM
-  };
-}
 async function getIdentity() {
   const idp = await ensureFreshIdpAuth();
   const claims = decodeJwt(idp.access_token);
@@ -4975,23 +5839,18 @@ function log(line) {
   process3.stderr.write(`${(/* @__PURE__ */ new Date()).toISOString()}  ${line}
 `);
 }
-function sleep(ms) {
+function sleep2(ms) {
   return new Promise((resolve4) => setTimeout(resolve4, ms));
 }
 function truncate(s2, n2) {
   return s2.length <= n2 ? s2 : `${s2.slice(0, n2 - 1)}\u2026`;
 }
-function refusalText(reason) {
-  const base = "I won't process this message \u2014 it looks like a prompt-injection attempt.";
-  return reason ? `${base}
-
-(matched: ${reason})` : base;
-}
 var Bridge = class {
-  constructor(cfg, selfEmail, ownerEmail) {
+  constructor(cfg, selfEmail, ownerEmail, session) {
     this.cfg = cfg;
     this.selfEmail = selfEmail;
     this.ownerEmail = ownerEmail;
+    this.session = session;
     this.bearer = async () => {
       const idp = await ensureFreshIdpAuth();
       return `Bearer ${idp.access_token}`;
@@ -4999,6 +5858,10 @@ var Bridge = class {
     this.chat = new TroopChatApi(this.cfg.endpoint, this.bearer);
     this.cron = new CronRunner({
       runtimeConfig: this.runtimeConfig(),
+      // Cron fires off-thread, so it can't ride freshRuntimeConfig() like chat
+      // turns do — give it the same DDISA exchange directly so cron stops
+      // leaning on the boot master key (Todo 1).
+      refreshApiKey: () => resolveLlmGatewayKey(process3.env.LITELLM_BASE_URL ?? "", this.llmKey, log),
       chat: this.chat,
       ownerEmail: this.ownerEmail,
       log,
@@ -5006,10 +5869,13 @@ var Bridge = class {
       bearer: this.bearer
     });
     this.cron.start();
+    void this.refreshLlmGatewayKey();
+    setInterval(() => void this.refreshLlmGatewayKey(), 40 * 60 * 1e3);
   }
   cfg;
   selfEmail;
   ownerEmail;
+  session;
   // Sessions keyed by `${roomId}:${threadId}`. Each ThreadSession holds
   // its own message history and calls @openape/apes' runLoop directly
   // (no stdio JSON-RPC subprocess — see thread-session.ts).
@@ -5021,6 +5887,25 @@ var Bridge = class {
   // backend later. The bridge is the choke-point for every chat message
   // before it reaches the agent runtime, so this is the right place.
   injectionDetector = createHeuristicDetector();
+  // LLM gateway key. Starts as the env key (master_key — the rollout fallback);
+  // upgraded to this agent's own DDISA-exchanged token by refreshLlmGatewayKey()
+  // when the gateway is llms.openape.ai. ponytail: cron keeps the boot key,
+  // chat threads pick up the refreshed token — drop master_key + cron-DDISA later.
+  llmKey = process3.env.LITELLM_API_KEY ?? process3.env.LITELLM_MASTER_KEY ?? "";
+  async refreshLlmGatewayKey() {
+    const base = process3.env.LITELLM_BASE_URL ?? "";
+    this.llmKey = await resolveLlmGatewayKey(base, this.llmKey, log);
+  }
+  /**
+   * Re-exchange the gateway token (if stale) and return a fresh runtimeConfig.
+   * Thread sessions call this per turn so a long-lived thread never presents an
+   * expired DDISA token. getAuthorizedBearer is cheap when the cached SP-token
+   * is still valid and re-mints only when it's within the expiry skew.
+   */
+  async freshRuntimeConfig() {
+    await this.refreshLlmGatewayKey();
+    return this.runtimeConfig();
+  }
   /**
    * RuntimeConfig is shared across thread sessions and the cron runner.
    * The bridge resolves it from its own env at boot and reuses for the
@@ -5028,11 +5913,38 @@ var Bridge = class {
    */
   runtimeConfig() {
     const apiBase = (process3.env.LITELLM_BASE_URL ?? "http://127.0.0.1:4000/v1").replace(/\/$/, "");
-    const apiKey = process3.env.LITELLM_API_KEY ?? process3.env.LITELLM_MASTER_KEY ?? "";
+    const apiKey = this.llmKey;
     if (!apiKey) {
       throw new Error("LITELLM_API_KEY (or LITELLM_MASTER_KEY) must be set in the bridge env.");
     }
-    return { apiBase, apiKey, model: this.cfg.model };
+    return { apiBase, apiKey, model: this.cfg.model, reasoningEffort: this.cfg.reasoningEffort };
+  }
+  /**
+   * Start the per-agent chat adapters configured via sealed secrets (today:
+   * Telegram). Each runs its own long-lived inbound loop concurrently with
+   * the troop WebSocket and feeds messages through the same handleInbound
+   * choke-point, but with its own backend so replies go back to that channel.
+   * Fire-and-forget: a channel crash is logged, never takes the bridge down.
+   */
+  startExtraChannels() {
+    const tg = this.cfg.telegram;
+    if (!tg) return;
+    const call = createTelegramTransport(tg.botToken);
+    const backend = new TelegramChatApi(call);
+    const channel = new TelegramChannel({
+      call,
+      ownerUserId: tg.ownerUserId,
+      // Persist the trust-on-first-use owner pin next to agent.json so a bridge
+      // restart keeps the lock instead of re-learning (and re-opening the window).
+      loadOwnerPin: readTelegramOwnerPin,
+      saveOwnerPin: writeTelegramOwnerPin,
+      ownerEmail: this.ownerEmail,
+      backend,
+      log
+    });
+    void channel.start((msg, b2) => this.handleInbound(msg, b2)).catch((err) => {
+      log(`telegram channel crashed: ${err instanceof Error ? err.message : String(err)}`);
+    });
   }
   async sendInitialOwnerRequestIfNeeded() {
     const contacts = await this.chat.listContacts();
@@ -5094,7 +6006,13 @@ var Bridge = class {
       editedAt: typeof payload.editedAt === "number" ? payload.editedAt : null
     };
   }
-  async handleInbound(msg) {
+  /**
+   * Handle one inbound message from any channel. `backend` is the channel's
+   * own outbound surface (troop or telegram) — refusals and the agent's reply
+   * go back out through it, so the agent communicates on the same channel it
+   * was reached on.
+   */
+  async handleInbound(msg, backend) {
     if (msg.senderEmail === this.selfEmail) return;
     if (!msg.body.trim()) return;
     if (this.cfg.roomFilter && msg.roomId !== this.cfg.roomFilter) return;
@@ -5113,7 +6031,7 @@ var Bridge = class {
     if (decision.blocked) {
       log(`[${msg.roomId}/${msg.threadId.slice(0, 8)}] BLOCKED prompt-injection (score=${decision.score.toFixed(2)}, reason=${decision.reason ?? "n/a"})`);
       try {
-        await this.chat.postMessage(msg.roomId, refusalText(decision.reason), {
+        await backend.postMessage(msg.roomId, this.session.refusalText(decision.reason), {
           replyTo: msg.id,
           threadId: msg.threadId
         });
@@ -5123,18 +6041,21 @@ var Bridge = class {
       }
       return;
     }
-    const session = this.getOrCreateThread(msg.roomId, msg.threadId);
+    const session = this.getOrCreateThread(msg.roomId, msg.threadId, backend);
     session.enqueue(msg.body, msg.id);
   }
-  getOrCreateThread(roomId, threadId) {
+  getOrCreateThread(roomId, threadId, backend) {
     const key = `${roomId}:${threadId}`;
     let s2 = this.threads.get(key);
     if (s2) return s2;
     s2 = new ThreadSession({
       roomId,
       threadId,
-      chat: this.chat,
+      chat: backend,
       runtimeConfig: this.runtimeConfig(),
+      // Re-resolve the gateway token per turn (short-lived DDISA token would
+      // otherwise expire on a long-lived thread -> 401).
+      refreshRuntimeConfig: () => this.freshRuntimeConfig(),
       // Resolve tools + systemPrompt on every turn from agent.json
       // (latest sync from troop). Owner edits in the troop UI thus
       // take effect on the very next message in an existing thread —
@@ -5190,7 +6111,7 @@ var Bridge = class {
         }
         if (frame.type !== "message" || !frame.payload) return;
         const msg = this.translateTroopPayload(frame.chat_id ?? "", frame.payload);
-        void this.handleInbound(msg);
+        void this.handleInbound(msg, this.chat);
       });
       ws.on("close", () => {
         if (pingTimer) clearInterval(pingTimer);
@@ -5206,7 +6127,14 @@ var Bridge = class {
   }
 };
 async function main() {
+  try {
+    startSecretsWatcher({ log: (m2) => log(m2) });
+  } catch (err) {
+    log(`secrets watcher failed to start: ${err instanceof Error ? err.message : String(err)}`);
+  }
   const cfg = readConfig();
+  addReadRoot(defaultSkillsDir());
+  ensureMemoryFile();
   const idpId = await getIdentity();
   const onDisk = readAgentIdentity();
   if (onDisk.email.toLowerCase() !== idpId.email.toLowerCase()) {
@@ -5214,10 +6142,12 @@ async function main() {
       `auth.json email (${onDisk.email}) doesn't match IdP token sub (${idpId.email}) \u2014 refusing to start`
     );
   }
+  const session = new AgentSession(onDisk.email, onDisk.ownerEmail, cfg);
   log(
-    `bridge starting \u2014 agent=${onDisk.email} owner=${onDisk.ownerEmail} apes=${cfg.apesBin} model=${cfg.model} tools=[${cfg.tools.join(",") || "none"}] max_steps=${cfg.maxSteps} room=${cfg.roomFilter ?? "*"}`
+    `bridge starting \u2014 agent=${session.describe()} apes=${cfg.apesBin} model=${cfg.model} tools=[${cfg.tools.join(",") || "none"}] max_steps=${cfg.maxSteps} room=${cfg.roomFilter ?? "*"}`
   );
-  const bridge = new Bridge(cfg, onDisk.email, onDisk.ownerEmail);
+  const bridge = new Bridge(cfg, onDisk.email, onDisk.ownerEmail, session);
+  bridge.startExtraChannels();
   let attempt = 0;
   while (true) {
     try {
@@ -5228,7 +6158,7 @@ async function main() {
       attempt++;
       const msg = err instanceof Error ? err.message : String(err);
       log(`disconnected (${msg}) \u2014 reconnecting in ${Math.round(delay / 1e3)}s`);
-      await sleep(delay);
+      await sleep2(delay);
     }
   }
 }