@ouro.bot/cli 0.1.0-alpha.483 → 0.1.0-alpha.485

package/changelog.json

@@ -1,6 +1,20 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.485",
+      "changes": [
+        "Session JSON storage no longer accumulates duplicate event ids when two writers race for the same session — `parseSessionEnvelope` now dedupes on read (last-occurrence-wins) so existing corrupted sessions self-heal on the next save, `buildCanonicalSessionEnvelope` assigns the next sequence as `max(existing) + 1` instead of `events.length + 1` so pruning gaps cannot collide, and `deferPostTurnPersist` serializes per-`sessPath` through an in-process queue so concurrent BlueBubbles webhooks for the same chat (or CLI postTurn racing the inner-dialog turn for the same MCP session) cannot interleave their writes.",
+        "Auto-created BlueBubbles group friends are now marked with a `notes.autoCreatedGroup` flag at resolver time, and the trust gate's family-member bypass surfaces a one-time inner-pending notice the first time messages route through an unacknowledged stranger-trust group so the agent can label, rename, or dismiss the relationship before activity accumulates invisibly.",
+        "Inner-dialog worker now caps consecutive `instinct` follow-on turns at `MAX_CONSECUTIVE_INSTINCT_TURNS = 3` to break self-sustaining loops where a tool that writes to the inner-dialog pending dir during a turn would otherwise re-fire the worker indefinitely; externally-queued messages reset the counter so legitimate cascading follow-ups still run, and a new `senses.inner_dialog_worker_instinct_loop_capped` event surfaces when the cap fires."
+      ]
+    },
+    {
+      "version": "0.1.0-alpha.484",
+      "changes": [
+        "Agent-driven failover (the `switch to <provider>` reply path) now re-pings the candidate provider before mutating provider state. If credentials are missing or the ping fails, the active lane is left untouched, a `senses.failover_switch_refused` event is emitted, and the agent receives an operational refusal context message naming the lane it is still standing on plus the verified alternatives that remain so the next turn does not re-enter discovery mode."
+      ]
+    },
     {
       "version": "0.1.0-alpha.483",
       "changes": [

package/dist/heart/provider-failover.js

@@ -5,6 +5,7 @@ exports.formatReadyProviderLabel = formatReadyProviderLabel;
 exports.buildFailoverContext = buildFailoverContext;
 exports.handleFailoverReply = handleFailoverReply;
 exports.runMachineProviderFailoverInventory = runMachineProviderFailoverInventory;
+exports.validateFailoverSwitchCandidate = validateFailoverSwitchCandidate;
 const identity_1 = require("./identity");
 const provider_ping_1 = require("./provider-ping");
 const provider_models_1 = require("./provider-models");
@@ -170,6 +171,7 @@ function buildFailoverContext(errorMessage, classification, currentProvider, cur
         errorSummary,
         classification,
         currentProvider,
+        currentModel,
         currentLane,
         agentName,
         workingProviders,
@@ -264,3 +266,36 @@ async function runMachineProviderFailoverInventory(agentName, currentProvider, o
     });
     return inventory;
 }
+/**
+ * Re-verify a failover candidate is actually reachable right before we mutate
+ * provider state. The inventory ping that produced the candidate may be stale
+ * (creds revoked between inventory and reply); without this preflight, an
+ * agent-driven "switch to <provider>" can move the lane onto an unreachable
+ * provider and brick the next turn.
+ */
+async function validateFailoverSwitchCandidate(agentName, candidate, options = {}) {
+    const ping = options.ping ?? provider_ping_1.pingProvider;
+    const refreshPool = options.refreshPool ?? provider_credentials_1.refreshProviderCredentialPool;
+    const poolResult = await refreshPool(agentName);
+    if (!poolResult.ok) {
+        return {
+            ok: false,
+            classification: "auth-failure",
+            message: `provider credential pool unavailable (${poolResult.reason}): ${poolResult.error}`,
+        };
+    }
+    const record = poolResult.pool.providers[candidate.provider];
+    if (!record) {
+        return {
+            ok: false,
+            classification: "auth-failure",
+            message: `no credentials configured for ${candidate.provider}`,
+        };
+    }
+    const config = { ...record.credentials, ...record.config };
+    const result = await ping(candidate.provider, config, { model: candidate.model });
+    if (!result.ok) {
+        return { ok: false, classification: result.classification, message: result.message };
+    }
+    return { ok: true };
+}

package/dist/heart/session-events.js

@@ -254,6 +254,35 @@ function messageFingerprint(message) {
 function makeEventId(sequence) {
     return `evt-${String(sequence).padStart(6, "0")}`;
 }
+/**
+ * Collapse duplicate event ids to a single entry, last-occurrence-wins.
+ *
+ * Concurrent writers in older versions of postTurnPersist could each load the
+ * envelope, compute `events.length + 1` for the next sequence, and both write
+ * an event with the same id. The duplicates would persist in the saved JSON
+ * and confuse downstream replay (the same outbound message could appear to
+ * have been sent twice from the agent's perspective without the agent knowing
+ * it sent it). We dedupe defensively on every load so corrupted sessions
+ * self-heal on the next save and so any future race produces a consistent
+ * view.
+ */
+function dedupeEventsByIdLastWins(events) {
+    // Index id → last position so we can preserve original order while
+    // collapsing duplicates to their final occurrence.
+    const lastIndexById = new Map();
+    for (let i = 0; i < events.length; i++) {
+        lastIndexById.set(events[i].id, i);
+    }
+    return events.filter((event, index) => lastIndexById.get(event.id) === index);
+}
+/**
+ * The next sequence to assign for a freshly-built event. Uses max(existing
+ * sequences) + 1 rather than `events.length + 1` so that gaps from earlier
+ * pruning, archive replay, or self-heal dedup never produce a colliding id.
+ */
+function nextEventSequence(existing) {
+    return existing.reduce((max, event) => Math.max(max, event.sequence), 0) + 1;
+}
 function validateSessionMessages(messages) {
     const violations = [];
     let prevNonToolRole = null;
@@ -665,7 +694,7 @@ function parseSessionEnvelope(raw, options = {}) {
     if (record.version !== 2 || !Array.isArray(record.events) || !record.projection || typeof record.projection !== "object") {
         return null;
     }
-    const events = record.events
+    const rawEvents = record.events
         .filter((event) => event != null && typeof event === "object")
         .map((event, index) => {
         const role = normalizeRole(event.role);
@@ -705,6 +734,12 @@ function parseSessionEnvelope(raw, options = {}) {
             },
         };
     });
+    // Self-heal duplicate event ids that may have been written by concurrent
+    // writers in older harness versions. Last-occurrence-wins by id (later
+    // entries in the persisted file are the more recent state for that id).
+    // We preserve the original document order otherwise, so projection.eventIds
+    // still resolves predictably.
+    const events = dedupeEventsByIdLastWins(rawEvents);
     const projection = record.projection;
     return {
         version: 2,
@@ -821,8 +856,10 @@ function buildCanonicalSessionEnvelope(options) {
         else {
             if (!isSystem)
                 nonSystemSeen++;
-            // Create a new event
-            const event = buildEventFromMessage(currentMessages[i], events.length + 1, options.recordedAt, "live", null, null, currentIngressTimes[i]);
+            // Create a new event. Use nextEventSequence(events) instead of
+            // `events.length + 1` so that any gap (from pruning, archive replay,
+            // or self-heal dedup) cannot collide with an existing id.
+            const event = buildEventFromMessage(currentMessages[i], nextEventSequence(events), options.recordedAt, "live", null, null, currentIngressTimes[i]);
             events.push(event);
             currentEventIds.push(event.id);
         }

package/dist/mind/context.js

@@ -315,11 +315,43 @@ function postTurnPersist(sessPath, prepared, usage, state) {
     return envelope.events;
 }
 /**
- * Deferred persist: same as postTurnPersist but runs on the next event loop tick.
- * Returns a promise that resolves when the persist completes.
+ * Per-sessPath serialization queue. Without this, two concurrent
+ * `deferPostTurnPersist` calls (e.g. two BlueBubbles webhooks for the same
+ * chat firing back-to-back, or a CLI postTurn racing the inner-dialog turn
+ * for the same MCP session) would each load the envelope, both compute the
+ * same "next sequence", and write events with colliding ids. The session
+ * file would silently accumulate duplicates and replay would diverge from
+ * what was actually sent on the wire.
+ *
+ * The queue is in-process only — it does not protect against multiple Node
+ * processes writing to the same file. The dedup-on-load behaviour in
+ * parseSessionEnvelope keeps cross-process races from leaving permanent
+ * corruption; this serializer just keeps the common (single-process) case
+ * race-free in the first place.
+ */
+const sessionPersistQueues = new Map();
+function enqueueSessionPersist(sessPath, fn) {
+    const previous = sessionPersistQueues.get(sessPath) ?? Promise.resolve();
+    // Chain on the previous tail. fn runs whether previous resolved or rejected,
+    // so one failed turn cannot block subsequent turns on the same session.
+    const next = previous.then(fn, fn);
+    // Save a swallowed-rejection sentinel as the new tail so the next caller's
+    // `previous.then(fn, fn)` sees a clean resolution; the original `next` still
+    // propagates rejection to its own caller as expected.
+    /* v8 ignore start -- the swallow only matters when fn rejects, which is the failure path covered separately */
+    const sentinel = next.then(() => undefined, () => undefined);
+    /* v8 ignore stop */
+    sessionPersistQueues.set(sessPath, sentinel);
+    return next;
+}
+/**
+ * Deferred persist: same as postTurnPersist but runs on the next event loop
+ * tick AND serializes against any other deferred persist for the same
+ * sessPath, so concurrent turns cannot race and produce duplicate event ids
+ * in the saved session.
  */
 function deferPostTurnPersist(sessPath, prepared, usage, state) {
-    return new Promise((resolve) => {
+    return enqueueSessionPersist(sessPath, () => new Promise((resolve) => {
         setImmediate(() => {
             try {
                 const events = postTurnPersist(sessPath, prepared, usage, state);
@@ -336,7 +368,7 @@ function deferPostTurnPersist(sessPath, prepared, usage, state) {
                 resolve([]);
             }
         });
-    });
+    }));
 }
 function deleteSession(filePath) {
     try {

package/dist/mind/friends/resolver.js

@@ -87,6 +87,21 @@ class FriendResolver {
             hasAnyFriends = false;
         }
         const isFirstImprint = !hasAnyFriends;
+        // BlueBubbles group chats route through here as `imessage-handle` with an
+        // externalId of the form `group:any;+;<chatHash>`. When the harness auto-
+        // creates the group friend at stranger trust, we mark the record so that
+        // the trust gate can surface the relationship for explicit acknowledgment
+        // later instead of letting messages accumulate silently.
+        const isImessageGroup = this.params.provider === "imessage-handle" &&
+            typeof this.params.externalId === "string" &&
+            this.params.externalId.startsWith("group:");
+        const notes = {};
+        if (this.params.displayName !== "Unknown") {
+            notes.name = { value: this.params.displayName, savedAt: now };
+        }
+        if (isImessageGroup && !isFirstImprint) {
+            notes.autoCreatedGroup = { value: "true", savedAt: now };
+        }
         const friend = {
             id: (0, crypto_1.randomUUID)(),
             name: this.params.displayName,
@@ -96,7 +111,7 @@ class FriendResolver {
             externalIds: [externalId],
             tenantMemberships,
             toolPreferences: {},
-            notes: this.params.displayName !== "Unknown" ? { name: { value: this.params.displayName, savedAt: now } } : {},
+            notes,
             totalTokens: 0,
             createdAt: now,
             updatedAt: now,

package/dist/senses/inner-dialog-worker.js

@@ -33,6 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.MAX_CONSECUTIVE_INSTINCT_TURNS = void 0;
 exports.createInnerDialogWorker = createInnerDialogWorker;
 exports.startInnerDialogWorker = startInnerDialogWorker;
 const path = __importStar(require("path"));
@@ -41,6 +42,20 @@ const runtime_1 = require("../nerves/runtime");
 const identity_1 = require("../heart/identity");
 const pending_1 = require("../mind/pending");
 const habit_runtime_state_1 = require("../heart/habits/habit-runtime-state");
+/**
+ * Cap on consecutive `instinct` follow-on turns triggered by `hasPendingWork()`
+ * with no externally-queued work in between. Without this cap, a turn that
+ * writes anything back into the inner-dialog pending dir as a side effect of
+ * processing (e.g. a surface tool routing a response) puts the worker into
+ * a self-sustaining loop where the next turn's drain produces another write,
+ * and so on. Real workflows rarely chain more than 2–3 instinct turns; an
+ * external trigger (habit, poke, chat) resets the counter so legitimate
+ * follow-on work is unaffected.
+ *
+ * Three feels right: legitimate cascading follow-ups (e.g. processing a
+ * batch of delegated returns) get through; a true self-loop caps fast.
+ */
+exports.MAX_CONSECUTIVE_INSTINCT_TURNS = 3;
 function createInnerDialogWorker(runTurn = (options) => (0, inner_dialog_1.runInnerDialogTurn)(options), hasPendingWork = () => (0, pending_1.hasPendingMessages)((0, pending_1.getInnerDialogPendingDir)((0, identity_1.getAgentName)()))) {
     let running = false;
     const queue = [];
@@ -54,6 +69,7 @@ function createInnerDialogWorker(runTurn = (options) => (0, inner_dialog_1.runIn
             let nextReason = reason;
             let nextTaskId = taskId;
             let nextHabitName = habitName;
+            let consecutiveInstinctTurns = reason === "instinct" ? 1 : 0;
             do {
                 try {
                     await runTurn({ reason: nextReason, taskId: nextTaskId, habitName: nextHabitName });
@@ -82,16 +98,36 @@ function createInnerDialogWorker(runTurn = (options) => (0, inner_dialog_1.runIn
                         // Habit file/state may be unavailable during the turn — skip gracefully
                     }
                 }
-                // Drain queue first
+                // Drain queue first. Externally-queued work resets the instinct cap
+                // because a real outside trigger arrived between turns.
                 if (queue.length > 0) {
                     const next = queue.shift();
                     nextReason = next.reason;
                     nextTaskId = next.taskId;
                     nextHabitName = next.habitName;
+                    consecutiveInstinctTurns = nextReason === "instinct" ? consecutiveInstinctTurns + 1 : 0;
                     continue;
                 }
-                // Then check hasPendingWork fallback
+                // Then check hasPendingWork fallback. This is the loop site: any
+                // tool that writes to the inner-dialog pending dir during a turn
+                // would cause hasPendingWork() to be true here, producing a
+                // self-sustaining "instinct" loop with no external input. Cap it.
                 if (hasPendingWork()) {
+                    if (consecutiveInstinctTurns >= exports.MAX_CONSECUTIVE_INSTINCT_TURNS) {
+                        (0, runtime_1.emitNervesEvent)({
+                            level: "warn",
+                            component: "senses",
+                            event: "senses.inner_dialog_worker_instinct_loop_capped",
+                            message: "inner dialog worker stopped chaining instinct turns; pending work remains for next external trigger",
+                            meta: {
+                                consecutiveInstinctTurns,
+                                cap: exports.MAX_CONSECUTIVE_INSTINCT_TURNS,
+                                lastReason: nextReason,
+                            },
+                        });
+                        break;
+                    }
+                    consecutiveInstinctTurns += 1;
                     nextReason = "instinct";
                     nextTaskId = undefined;
                     nextHabitName = undefined;

package/dist/senses/pipeline.js

@@ -97,7 +97,23 @@ function resolveCurrentFailoverBinding(agentName, lane) {
     const fallback = lane === "inner" ? agentConfig.agentFacing : agentConfig.humanFacing;
     return { provider: fallback.provider, model: fallback.model };
 }
-function writeFailoverProviderStateSwitch(agentName, action) {
+/**
+ * Apply an agent-driven failover switch to provider state, but only after
+ * re-pinging the candidate. The inventory ping that produced the candidate
+ * may be stale by the time the agent replies — without this preflight, a
+ * "switch to <provider>" reply can move the lane onto an unreachable provider.
+ *
+ * Returns:
+ *   { ok: true }              — preflight passed, state mutated
+ *   { ok: false, refused }    — preflight failed, state untouched, caller should
+ *                                surface the refusal to the agent
+ * Throws on disk errors only (caught by caller as before).
+ */
+async function writeFailoverProviderStateSwitch(agentName, action) {
+    const validation = await (0, provider_failover_1.validateFailoverSwitchCandidate)(agentName, { provider: action.provider, model: action.model });
+    if (!validation.ok) {
+        return { ok: false, refused: true, classification: validation.classification, message: validation.message };
+    }
     const agentRoot = (0, identity_1.getAgentRoot)(agentName);
     const stateResult = (0, provider_state_1.readProviderState)(agentRoot);
     if (!stateResult.ok) {
@@ -125,11 +141,36 @@ function writeFailoverProviderStateSwitch(agentName, action) {
         lanes,
         readiness,
     });
+    return { ok: true };
 }
 function formatFailoverSwitchLabel(action) {
     const provenance = (0, provider_failover_1.formatCredentialProvenanceLabel)(action);
     return `${action.provider} (${action.model}${provenance ? `; ${provenance}` : ""})`;
 }
+/**
+ * Build the operational refusal context message handed back to the agent when
+ * a failover switch is rejected by the preflight ping. Slugger-tested format:
+ * lead with the refusal + reason, restate the lane that's still standing, then
+ * list remaining ready alternatives so the next turn doesn't have to re-enter
+ * discovery mode.
+ */
+function buildFailoverSwitchRefusedMessage(pendingContext, refusedAction, refusal) {
+    const refusedLabel = formatFailoverSwitchLabel(refusedAction);
+    const remaining = pendingContext.readyProviders.filter((candidate) => candidate.provider !== refusedAction.provider);
+    const alternativesLine = remaining.length > 0
+        ? `available verified alternatives right now: ${remaining.map((c) => `${c.provider} (${c.model})`).join(", ")}.`
+        : "no other verified alternatives are ready right now.";
+    const nextMove = remaining.length > 0
+        ? `next move: reply "switch to <provider>" picking one of the alternatives above, or tell the user you cannot continue and why.`
+        : `next move: ask the operator to repair credentials for ${refusedAction.provider} (or another provider), or tell the user you cannot continue and why.`;
+    return [
+        `[provider switch refused: tried to switch ${refusedAction.lane} lane to ${refusedLabel}.`,
+        `reason: preflight ping failed (${refusal.classification}: ${refusal.message}).`,
+        `current lane unchanged: ${pendingContext.currentProvider} / ${pendingContext.currentModel} on the ${pendingContext.currentLane} lane.`,
+        alternativesLine,
+        nextMove + "]",
+    ].join(" ");
+}
 function prependTurnSections(message, sections) {
     /* v8 ignore next -- defensive: only user messages with non-empty sections reach here @preserve */
     if (message.role !== "user" || sections.length === 0)
@@ -176,10 +217,9 @@ async function handleInboundTurn(input) {
         const failoverAgentName = pendingContext.agentName;
         input.failoverState.pending = null; // always clear before acting
         if (failoverAction.action === "switch") {
-            let switchSucceeded = false;
+            let switchOutcome = null;
             try {
-                writeFailoverProviderStateSwitch(failoverAgentName, failoverAction);
-                switchSucceeded = true;
+                switchOutcome = await writeFailoverProviderStateSwitch(failoverAgentName, failoverAction);
                 /* v8 ignore start -- defensive: write failure during provider switch @preserve */
             }
             catch (switchError) {
@@ -192,8 +232,7 @@ async function handleInboundTurn(input) {
                 });
             }
             /* v8 ignore stop */
-            /* v8 ignore next -- false branch: write-failure fallthrough @preserve */
-            if (switchSucceeded) {
+            if (switchOutcome?.ok) {
                 (0, runtime_1.emitNervesEvent)({
                     component: "senses",
                     event: "senses.failover_switch",
@@ -217,6 +256,29 @@ async function handleInboundTurn(input) {
                     }];
                 input.switchedProvider = failoverAction.provider;
             }
+            else if (switchOutcome && !switchOutcome.ok) {
+                // Preflight refused the switch — the candidate provider is not actually
+                // reachable right now. Keep the existing lane intact and tell the agent
+                // what happened so it can pick something else next turn.
+                (0, runtime_1.emitNervesEvent)({
+                    level: "warn",
+                    component: "senses",
+                    event: "senses.failover_switch_refused",
+                    message: `refused failover switch of ${failoverAction.lane} lane to ${failoverAction.provider}: ${switchOutcome.message}`,
+                    meta: {
+                        agentName: failoverAgentName,
+                        lane: failoverAction.lane,
+                        provider: failoverAction.provider,
+                        model: failoverAction.model,
+                        classification: switchOutcome.classification,
+                        error: switchOutcome.message,
+                    },
+                });
+                input.messages = [{
+                        role: "user",
+                        content: buildFailoverSwitchRefusedMessage(pendingContext, failoverAction, switchOutcome),
+                    }];
+            }
             // Switch failed OR succeeded — either way, fall through to normal processing.
         }
     }

package/dist/senses/trust-gate.js

@@ -93,6 +93,91 @@ function writeInnerPendingNotice(bundleRoot, noticeContent, nowIso) {
     fs.mkdirSync(innerPendingDir, { recursive: true });
     fs.writeFileSync(filePath, JSON.stringify(payload), "utf-8");
 }
+const ACKNOWLEDGED_GROUPS_FILENAME = "acknowledged-auto-groups.json";
+function acknowledgedGroupsPath(bundleRoot) {
+    return path.join(bundleRoot, "state", ACKNOWLEDGED_GROUPS_FILENAME);
+}
+function loadAcknowledgedGroupsState(bundleRoot) {
+    try {
+        const raw = fs.readFileSync(acknowledgedGroupsPath(bundleRoot), "utf-8");
+        if (!raw.trim())
+            return {};
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+            return {};
+        return parsed;
+    }
+    catch {
+        return {};
+    }
+}
+function persistAcknowledgedGroupsState(bundleRoot, state) {
+    const target = acknowledgedGroupsPath(bundleRoot);
+    fs.mkdirSync(path.dirname(target), { recursive: true });
+    fs.writeFileSync(target, `${JSON.stringify(state, null, 2)}\n`, "utf-8");
+}
+/**
+ * For BlueBubbles group chats that were auto-created at stranger trust (no
+ * explicit operator/agent action ever bound the harness to this group), the
+ * gate's family-member bypass would otherwise let messages flow through
+ * silently and the agent would accumulate a session it has no mental model
+ * for. Surface the relationship as an inner-pending notice exactly once so
+ * the agent can categorize / rename / dismiss the group on its next turn.
+ *
+ * Returns true if a notice was written so callers can emit a telemetry event.
+ */
+function maybeSurfaceAutoCreatedGroup(input, bundleRoot, nowIso) {
+    // Caller guarantees isGroupChat = true (only invoked from the family-member
+    // bypass branch); skip a redundant guard here.
+    if (input.friend.trustLevel !== "stranger")
+        return false;
+    if (!input.friend.notes?.["autoCreatedGroup"])
+        return false;
+    // loadAcknowledgedGroupsState is defensive (its own try/catch returns {})
+    // so we don't wrap it in another try here.
+    const state = loadAcknowledgedGroupsState(bundleRoot);
+    if (state[input.friend.id])
+        return false;
+    const noticeContent = `New BlueBubbles group "${input.friend.name}" became active without explicit acknowledgment. ` +
+        `It was auto-created at stranger trust the first time a message routed through it. ` +
+        `If you recognize the group, label or rename it (and consider promoting trust); if not, you can leave it as a stranger group or rename it for clarity. ` +
+        `external id: ${input.externalId}; friend id: ${input.friend.id}.`;
+    try {
+        writeInnerPendingNotice(bundleRoot, noticeContent, nowIso);
+        persistAcknowledgedGroupsState(bundleRoot, {
+            ...state,
+            [input.friend.id]: { surfacedAt: nowIso },
+        });
+        (0, runtime_1.emitNervesEvent)({
+            level: "info",
+            component: "senses",
+            event: "senses.trust_gate_group_acknowledgment_surfaced",
+            message: "auto-created group surfaced for agent acknowledgment",
+            meta: {
+                friendId: input.friend.id,
+                friendName: input.friend.name,
+                externalId: input.externalId,
+                provider: input.provider,
+            },
+        });
+        return true;
+        /* v8 ignore start -- defensive: surfacing failure must not block the gate decision @preserve */
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            component: "senses",
+            event: "senses.trust_gate_error",
+            message: "failed to surface auto-created group for acknowledgment",
+            meta: {
+                friendId: input.friend.id,
+                reason: error instanceof Error ? error.message : String(error),
+            },
+        });
+        return false;
+    }
+    /* v8 ignore stop */
+}
 function enforceTrustGate(input) {
     const { senseType } = input;
     // Local (CLI) and internal (inner dialog) — always allow
@@ -104,8 +189,18 @@ function enforceTrustGate(input) {
         return { allowed: true };
     }
     // Open senses (BlueBubbles/iMessage) — enforce trust rules
-    // Group chat with a family member present — allow regardless of trust level
+    // Group chat with a family member present — allow regardless of trust level.
+    // BUT if this is an auto-created stranger group (the harness picked it up
+    // silently via the family-member shortcut and the agent never explicitly
+    // acknowledged it), surface a one-time inner-pending notice so the agent
+    // gets a chance to categorize / rename / dismiss the relationship instead
+    // of accumulating activity invisibly.
     if (input.isGroupChat && input.groupHasFamilyMember) {
+        /* v8 ignore start -- defaults shared with the rest of the gate; tested via the stranger-trust path */
+        const bundleRoot = input.bundleRoot ?? (0, identity_1.getAgentRoot)();
+        const nowIso = (input.now ?? (() => new Date()))().toISOString();
+        /* v8 ignore stop */
+        maybeSurfaceAutoCreatedGroup(input, bundleRoot, nowIso);
         return { allowed: true };
     }
     const trustLevel = input.friend.trustLevel ?? "friend";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ouro.bot/cli",
-  "version": "0.1.0-alpha.483",
+  "version": "0.1.0-alpha.485",
   "main": "dist/heart/daemon/ouro-entry.js",
   "bin": {
     "cli": "dist/heart/daemon/ouro-bot-entry.js",