npm - @pedrohnas/opencode-telegram - Versions diffs - 1.2.1 → 1.3.1 - Mend

@pedrohnas/opencode-telegram 1.2.1 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/.claude/skills/playwright-cli/data/page-2026-02-09T02-40-45-070Z.png +0 -0
package/.claude/skills/playwright-cli/data/page-2026-02-09T02-41-15-698Z.yml +168 -0
package/.claude/skills/playwright-cli/data/page-2026-02-09T02-41-25-514Z.yml +219 -0
package/.claude/skills/playwright-cli/data/page-2026-02-09T02-41-40-888Z.yml +221 -0
package/.claude/skills/playwright-cli/data/page-2026-02-09T02-41-46-079Z.yml +230 -0
package/.claude/skills/playwright-cli/data/page-2026-02-09T02-41-53-985Z.yml +235 -0
package/.claude/skills/playwright-cli/data/page-2026-02-09T02-42-03-227Z.yml +235 -0
package/.claude/skills/playwright-cli/data/page-2026-02-09T02-42-08-587Z.yml +248 -0
package/.claude/skills/playwright-cli/data/page-2026-02-09T02-42-16-524Z.yml +234 -0
package/.claude/skills/playwright-cli/data/page-2026-02-09T02-42-26-086Z.yml +196 -0
package/docs/AUDIT.md +193 -0
package/docs/PROGRESS.md +191 -0
package/docs/plans/phase-5.md +410 -0
package/docs/plans/phase-6.5.md +426 -0
package/docs/plans/phase-6.md +349 -0
package/e2e/helpers.ts +34 -0
package/e2e/phase-5.test.ts +295 -0
package/e2e/phase-6.5.test.ts +239 -0
package/e2e/phase-6.test.ts +302 -0
package/package.json +5 -2
package/src/api-server.test.ts +309 -0
package/src/api-server.ts +201 -0
package/src/bot.test.ts +354 -0
package/src/bot.ts +200 -2
package/src/config.test.ts +16 -0
package/src/config.ts +4 -0
package/src/event-bus.test.ts +337 -1
package/src/event-bus.ts +83 -3
package/src/handlers/agents.test.ts +122 -0
package/src/handlers/agents.ts +93 -0
package/src/handlers/media.test.ts +264 -0
package/src/handlers/media.ts +168 -0
package/src/handlers/models.test.ts +319 -0
package/src/handlers/models.ts +191 -0
package/src/index.ts +15 -0
package/src/send/draft-stream.test.ts +76 -0
package/src/send/draft-stream.ts +13 -1
package/src/session-manager.test.ts +46 -0
package/src/session-manager.ts +10 -1

package/.claude/skills/playwright-cli/data/page-2026-02-09T02-42-16-524Z.yml ADDED Viewed

@@ -0,0 +1,234 @@
+- generic [active] [ref=e1]:
+  - generic [ref=e3]:
+    - region "Site notifications" [ref=e4]:
+      - generic [ref=e8]:
+        - generic [ref=e9]: ⚠️
+        - alert [ref=e11]:
+          - text: "Security Update: Classic tokens have been revoked. Granular tokens are now limited to 90 days and require 2FA by default. Update your CI/CD workflows to avoid disruption."
+          - link "Learn more about npm authentication changes" [ref=e12] [cursor=pointer]:
+            - /url: https://gh.io/all-npm-classic-tokens-revoked
+            - text: Learn more
+          - text: .
+        - button "Close notification" [ref=e13] [cursor=pointer]: ×
+    - generic [ref=e14]:
+      - banner [ref=e15]:
+        - generic [ref=e16]:
+          - generic [ref=e17]:
+            - text: "skip to:"
+            - link "skip to content" [ref=e18] [cursor=pointer]:
+              - /url: "#main"
+              - text: content
+            - link "skip to package search" [ref=e19] [cursor=pointer]:
+              - /url: "#search"
+              - text: package search
+          - generic [ref=e20]:
+            - generic [ref=e21]: ❤
+            - navigation "Product Navigation" [ref=e22]:
+              - list [ref=e23]:
+                - listitem [ref=e24]:
+                  - link "Pro" [ref=e25] [cursor=pointer]:
+                    - /url: /products/pro
+                - listitem [ref=e26]:
+                  - link "Teams" [ref=e27] [cursor=pointer]:
+                    - /url: /products/teams
+                - listitem [ref=e28]:
+                  - link "Pricing" [ref=e29] [cursor=pointer]:
+                    - /url: /products
+                - listitem [ref=e30]:
+                  - link "Documentation" [ref=e31] [cursor=pointer]:
+                    - /url: https://docs.npmjs.com
+        - generic [ref=e33]:
+          - generic [ref=e34]: npm
+          - link "Npm" [ref=e36] [cursor=pointer]:
+            - /url: /
+            - img [ref=e37]
+          - generic [ref=e40]:
+            - generic [ref=e42]:
+              - img [ref=e44]
+              - combobox "Search packages" [ref=e50]
+            - button "Search" [ref=e52]
+          - navigation [ref=e54]:
+            - button "Profile menu" [ref=e55]:
+              - generic [ref=e56]: Menu
+              - img [ref=e57]
+              - img [ref=e59]
+      - main [ref=e62]:
+        - generic [ref=e63]:
+          - complementary [ref=e64]:
+            - heading "Sidebar" [level=2] [ref=e65]
+            - generic [ref=e66]:
+              - navigation "Settings navigation" [ref=e67]:
+                - list [ref=e68]:
+                  - listitem [ref=e69]:
+                    - link "Profile" [ref=e70] [cursor=pointer]:
+                      - /url: /~pedrohnas
+                      - img [ref=e71]
+                      - text: Profile
+                  - listitem [ref=e73]:
+                    - link "Packages" [ref=e74] [cursor=pointer]:
+                      - /url: /settings/pedrohnas/packages
+                      - img [ref=e75]
+                      - text: Packages
+                  - listitem [ref=e77]:
+                    - link "Account" [ref=e78] [cursor=pointer]:
+                      - /url: /settings/pedrohnas/profile
+                      - img [ref=e79]
+                      - text: Account
+                  - listitem [ref=e81]:
+                    - link "Billing Info" [ref=e82] [cursor=pointer]:
+                      - /url: /settings/pedrohnas/billing
+                      - img [ref=e83]
+                      - text: Billing Info
+                  - listitem [ref=e85]:
+                    - link "Access Tokens" [ref=e86] [cursor=pointer]:
+                      - /url: /settings/pedrohnas/tokens
+                      - img [ref=e87]
+                      - text: Access Tokens
+              - generic [ref=e89]:
+                - heading "Organizations" [level=3] [ref=e90]
+                - link "Create New Organization" [ref=e91] [cursor=pointer]:
+                  - /url: /org/create
+                  - text: +
+                  - generic [ref=e92]: Create New Organization
+              - paragraph [ref=e93]: None
+          - generic [ref=e169]:
+            - generic [ref=e170]:
+              - generic [ref=e171]:
+                - heading "New Granular Access Token" [level=1] [ref=e172]
+                - link "View token documentation" [ref=e173] [cursor=pointer]:
+                  - /url: https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-granular-access-tokens-on-the-website
+              - paragraph [ref=e176]:
+                - link "Granular access tokens" [ref=e177] [cursor=pointer]:
+                  - /url: https://docs.npmjs.com/about-access-tokens#about-granular-access-tokens
+                - text: provide the most control by allowing you to configure fine-grained, tightly scoped permissions for your packages and organizations.
+            - generic [ref=e178]:
+              - generic [ref=e179]:
+                - heading "General" [level=2] [ref=e180]
+                - generic [ref=e182]:
+                  - generic [ref=e183]: Token name *
+                  - caption [ref=e184]: Provide a unique name.
+                  - textbox "Token name" [ref=e186]: opencode-telegram-publish
+                - generic [ref=e187]:
+                  - generic [ref=e189]: Description (optional)
+                  - caption [ref=e190]: What is this token for?
+                  - textbox "Description (optional)" [ref=e192]
+                - generic [ref=e193]:
+                  - generic [ref=e195]:
+                    - checkbox "Bypass two-factor authentication (2FA) for this token" [checked] [ref=e196]
+                    - generic [ref=e197]: Bypass two-factor authentication (2FA)
+                  - paragraph [ref=e256]: There are security risks with this option. For automation or CI/CD uses, please use Trusted Publishing instead.
+                - group "Allowed IP ranges (optional) Must be valid CIDR notation." [ref=e198]:
+                  - generic [ref=e199]:
+                    - generic [ref=e200]: Allowed IP ranges (optional)
+                    - caption [ref=e201]:
+                      - text: Must be valid
+                      - link "CIDR notation" [ref=e202] [cursor=pointer]:
+                        - /url: https://docs.npmjs.com/creating-and-viewing-access-tokens/#cidr-restricted-token-errors
+                      - text: .
+                  - generic [ref=e204]:
+                    - text: Input Range 1
+                    - textbox "Input Range 1" [ref=e205]
+                  - button "Add IP Range" [ref=e206]
+              - generic [ref=e207]:
+                - heading "Packages and scopes" [level=2] [ref=e208]
+                - generic [ref=e210]:
+                  - paragraph [ref=e211]: Permissions
+                  - group [ref=e212]:
+                    - generic "Packages and scopes Permissions" [ref=e213] [cursor=pointer]:
+                      - text: Read and write
+                      - img [ref=e215]
+                - group "Select packages" [ref=e267]:
+                  - generic [ref=e269]: Select packages
+                  - generic [ref=e270]:
+                    - generic [ref=e271]:
+                      - radio "All packages" [checked] [ref=e273]
+                      - generic [ref=e274]:
+                        - text: All packages
+                        - paragraph [ref=e275]: Applies to current and future packages.
+                    - generic [ref=e276]:
+                      - radio "Only select packages and scopes" [ref=e278]
+                      - generic [ref=e279]:
+                        - text: Only select packages and scopes
+                        - paragraph [ref=e280]: Select at least one. Max 50.
+                - paragraph
+              - generic [ref=e218]:
+                - heading "Organizations" [level=2] [ref=e219]
+                - generic [ref=e221]:
+                  - paragraph [ref=e222]: Permissions
+                  - group [ref=e223]:
+                    - generic "Organizations Permissions" [ref=e224] [cursor=pointer]:
+                      - text: No access
+                      - img [ref=e226]
+                - paragraph
+              - generic [ref=e229]:
+                - heading "Expiration" [level=2] [ref=e230]
+                - generic [ref=e232]:
+                  - generic [ref=e233]: Expiration Date
+                  - group [ref=e236]:
+                    - generic "Expiration Date" [ref=e237] [cursor=pointer]:
+                      - text: 90 days
+                      - img [ref=e239]
+              - generic [ref=e242]:
+                - heading "Summary" [level=2] [ref=e243]
+                - generic [ref=e245]:
+                  - paragraph [ref=e246]: "This token will:"
+                  - list [ref=e247]:
+                    - listitem [ref=e248]: Provide read and write access to all packages
+                    - listitem [ref=e249]: Provide no access to organizations
+                    - listitem [ref=e250]: Expires on Saturday, May 9, 2026
+              - generic [ref=e252]:
+                - button "Generate token" [ref=e253]
+                - button "Cancel" [ref=e254]
+      - contentinfo [ref=e123]:
+        - heading "Footer" [level=2] [ref=e124]
+        - generic [ref=e125]:
+          - generic [ref=e126]:
+            - link "Visit npm GitHub page" [ref=e128] [cursor=pointer]:
+              - /url: https://github.com/npm
+              - img [ref=e129]
+            - link "GitHub" [ref=e133] [cursor=pointer]:
+              - /url: https://github.com
+              - img [ref=e134]
+          - generic [ref=e136]:
+            - heading "Support" [level=3] [ref=e137]
+            - list "Support" [ref=e138]:
+              - listitem [ref=e139]:
+                - link "Help" [ref=e140] [cursor=pointer]:
+                  - /url: https://docs.npmjs.com
+              - listitem [ref=e141]:
+                - link "Advisories" [ref=e142] [cursor=pointer]:
+                  - /url: https://github.com/advisories
+              - listitem [ref=e143]:
+                - link "Status" [ref=e144] [cursor=pointer]:
+                  - /url: http://status.npmjs.org/
+              - listitem [ref=e145]:
+                - link "Contact npm" [ref=e146] [cursor=pointer]:
+                  - /url: /support
+          - generic [ref=e147]:
+            - heading "Company" [level=3] [ref=e148]
+            - list "Company" [ref=e149]:
+              - listitem [ref=e150]:
+                - link "About" [ref=e151] [cursor=pointer]:
+                  - /url: /about
+              - listitem [ref=e152]:
+                - link "Blog" [ref=e153] [cursor=pointer]:
+                  - /url: https://github.blog/tag/npm/
+              - listitem [ref=e154]:
+                - link "Press" [ref=e155] [cursor=pointer]:
+                  - /url: /press
+          - generic [ref=e156]:
+            - heading "Terms & Policies" [level=3] [ref=e157]
+            - list "Terms & Policies" [ref=e158]:
+              - listitem [ref=e159]:
+                - link "Policies" [ref=e160] [cursor=pointer]:
+                  - /url: /policies/
+              - listitem [ref=e161]:
+                - link "Terms of Use" [ref=e162] [cursor=pointer]:
+                  - /url: /policies/terms
+              - listitem [ref=e163]:
+                - link "Code of Conduct" [ref=e164] [cursor=pointer]:
+                  - /url: /policies/conduct
+              - listitem [ref=e165]:
+                - link "Privacy" [ref=e166] [cursor=pointer]:
+                  - /url: /policies/privacy
+  - generic [ref=e168]: New Granular Access Token

package/.claude/skills/playwright-cli/data/page-2026-02-09T02-42-26-086Z.yml ADDED Viewed

@@ -0,0 +1,196 @@
+- generic [active] [ref=e1]:
+  - generic [ref=e3]:
+    - region "Site notifications" [ref=e4]:
+      - generic [ref=e8]:
+        - generic [ref=e9]: ⚠️
+        - alert [ref=e11]:
+          - text: "Security Update: Classic tokens have been revoked. Granular tokens are now limited to 90 days and require 2FA by default. Update your CI/CD workflows to avoid disruption."
+          - link "Learn more about npm authentication changes" [ref=e12] [cursor=pointer]:
+            - /url: https://gh.io/all-npm-classic-tokens-revoked
+            - text: Learn more
+          - text: .
+        - button "Close notification" [ref=e13] [cursor=pointer]: ×
+    - generic [ref=e14]:
+      - banner [ref=e15]:
+        - generic [ref=e16]:
+          - generic [ref=e17]:
+            - text: "skip to:"
+            - link "skip to content" [ref=e18] [cursor=pointer]:
+              - /url: "#main"
+              - text: content
+            - link "skip to package search" [ref=e19] [cursor=pointer]:
+              - /url: "#search"
+              - text: package search
+          - generic [ref=e20]:
+            - generic [ref=e21]: ❤
+            - navigation "Product Navigation" [ref=e22]:
+              - list [ref=e23]:
+                - listitem [ref=e24]:
+                  - link "Pro" [ref=e25] [cursor=pointer]:
+                    - /url: /products/pro
+                - listitem [ref=e26]:
+                  - link "Teams" [ref=e27] [cursor=pointer]:
+                    - /url: /products/teams
+                - listitem [ref=e28]:
+                  - link "Pricing" [ref=e29] [cursor=pointer]:
+                    - /url: /products
+                - listitem [ref=e30]:
+                  - link "Documentation" [ref=e31] [cursor=pointer]:
+                    - /url: https://docs.npmjs.com
+        - generic [ref=e33]:
+          - generic [ref=e34]: npm
+          - link "Npm" [ref=e36] [cursor=pointer]:
+            - /url: /
+            - img [ref=e37]
+          - generic [ref=e40]:
+            - generic [ref=e42]:
+              - img [ref=e44]
+              - combobox "Search packages" [ref=e50]
+            - button "Search" [ref=e52]
+          - navigation [ref=e54]:
+            - button "Profile menu" [ref=e55]:
+              - generic [ref=e56]: Menu
+              - img [ref=e57]
+              - img [ref=e59]
+      - main [ref=e62]:
+        - generic [ref=e63]:
+          - complementary [ref=e64]:
+            - heading "Sidebar" [level=2] [ref=e65]
+            - generic [ref=e66]:
+              - navigation "Settings navigation" [ref=e67]:
+                - list [ref=e68]:
+                  - listitem [ref=e69]:
+                    - link "Profile" [ref=e70] [cursor=pointer]:
+                      - /url: /~pedrohnas
+                      - img [ref=e71]
+                      - text: Profile
+                  - listitem [ref=e73]:
+                    - link "Packages" [ref=e74] [cursor=pointer]:
+                      - /url: /settings/pedrohnas/packages
+                      - img [ref=e75]
+                      - text: Packages
+                  - listitem [ref=e77]:
+                    - link "Account" [ref=e78] [cursor=pointer]:
+                      - /url: /settings/pedrohnas/profile
+                      - img [ref=e79]
+                      - text: Account
+                  - listitem [ref=e81]:
+                    - link "Billing Info" [ref=e82] [cursor=pointer]:
+                      - /url: /settings/pedrohnas/billing
+                      - img [ref=e83]
+                      - text: Billing Info
+                  - listitem [ref=e85]:
+                    - link "Access Tokens" [ref=e86] [cursor=pointer]:
+                      - /url: /settings/pedrohnas/tokens
+                      - img [ref=e87]
+                      - text: Access Tokens
+              - generic [ref=e89]:
+                - heading "Organizations" [level=3] [ref=e90]
+                - link "Create New Organization" [ref=e91] [cursor=pointer]:
+                  - /url: /org/create
+                  - text: +
+                  - generic [ref=e92]: Create New Organization
+              - paragraph [ref=e93]: None
+          - generic [ref=e297]:
+            - generic [ref=e298]:
+              - generic [ref=e299]:
+                - heading "Access Tokens" [level=1] [ref=e300]
+                - link "Generate New Token" [ref=e302] [cursor=pointer]:
+                  - /url: /settings/pedrohnas/tokens/granular-access-tokens/new
+                - button "Delete Selected Tokens" [ref=e304]
+              - generic [ref=e305]:
+                - alert [ref=e306]:
+                  - paragraph [ref=e307]: Token successfully generated
+                  - paragraph [ref=e308]: Make sure to copy your token. It will never be displayed again.
+                  - paragraph [ref=e309]: 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
+                - generic [ref=e310]:
+                  - textbox "Newly generated token" [ref=e311]: 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
+                  - button "Copy" [ref=e312]:
+                    - img [ref=e313]
+              - table [ref=e317]:
+                - rowgroup [ref=e318]:
+                  - row "Select all Name Bypass 2FA Created Last used Expires Delete" [ref=e319]:
+                    - columnheader "Select all" [ref=e320]:
+                      - checkbox "Select all" [ref=e321]
+                    - columnheader "Name" [ref=e322]
+                    - columnheader "Bypass 2FA" [ref=e323]
+                    - columnheader "Created" [ref=e324]
+                    - columnheader "Last used" [ref=e325]
+                    - columnheader "Expires" [ref=e326]
+                    - columnheader "Delete" [ref=e327]:
+                      - generic [ref=e328]: Delete
+                - rowgroup [ref=e329]:
+                  - row "label for npm_VAaO......wJ41 opencode-telegram-publish npm_VAaO......wJ41 Feb 8, 2026 May 9, 2026 Delete token ending in wJ41" [ref=e330]:
+                    - cell "label for npm_VAaO......wJ41" [ref=e331]:
+                      - checkbox "label for npm_VAaO......wJ41" [ref=e332]
+                    - cell "opencode-telegram-publish npm_VAaO......wJ41" [ref=e333]:
+                      - generic [ref=e334]:
+                        - link "opencode-telegram-publish" [ref=e335] [cursor=pointer]:
+                          - /url: /settings/pedrohnas/tokens/granular-access-tokens/3aeafce1-5f79-45dc-a4fb-18c79567eb7f
+                        - code [ref=e337]: npm_VAaO......wJ41
+                    - cell [ref=e338]:
+                      - img [ref=e340]
+                    - cell "Feb 8, 2026" [ref=e342]:
+                      - time [ref=e343]: Feb 8, 2026
+                    - cell [ref=e344]
+                    - cell "May 9, 2026" [ref=e345]:
+                      - time [ref=e346]: May 9, 2026
+                    - cell "Delete token ending in wJ41" [ref=e347]:
+                      - button "Delete token ending in wJ41" [ref=e349] [cursor=pointer]: ×
+              - generic [ref=e352]: Rows 1 to 1 of 1
+            - paragraph [ref=e353]:
+              - link "📋 Read the Documentation" [ref=e354] [cursor=pointer]:
+                - /url: https://docs.npmjs.com/about-authentication-tokens
+      - contentinfo [ref=e123]:
+        - heading "Footer" [level=2] [ref=e124]
+        - generic [ref=e125]:
+          - generic [ref=e126]:
+            - link "Visit npm GitHub page" [ref=e128] [cursor=pointer]:
+              - /url: https://github.com/npm
+              - img [ref=e129]
+            - link "GitHub" [ref=e133] [cursor=pointer]:
+              - /url: https://github.com
+              - img [ref=e134]
+          - generic [ref=e136]:
+            - heading "Support" [level=3] [ref=e137]
+            - list "Support" [ref=e138]:
+              - listitem [ref=e139]:
+                - link "Help" [ref=e140] [cursor=pointer]:
+                  - /url: https://docs.npmjs.com
+              - listitem [ref=e141]:
+                - link "Advisories" [ref=e142] [cursor=pointer]:
+                  - /url: https://github.com/advisories
+              - listitem [ref=e143]:
+                - link "Status" [ref=e144] [cursor=pointer]:
+                  - /url: http://status.npmjs.org/
+              - listitem [ref=e145]:
+                - link "Contact npm" [ref=e146] [cursor=pointer]:
+                  - /url: /support
+          - generic [ref=e147]:
+            - heading "Company" [level=3] [ref=e148]
+            - list "Company" [ref=e149]:
+              - listitem [ref=e150]:
+                - link "About" [ref=e151] [cursor=pointer]:
+                  - /url: /about
+              - listitem [ref=e152]:
+                - link "Blog" [ref=e153] [cursor=pointer]:
+                  - /url: https://github.blog/tag/npm/
+              - listitem [ref=e154]:
+                - link "Press" [ref=e155] [cursor=pointer]:
+                  - /url: /press
+          - generic [ref=e156]:
+            - heading "Terms & Policies" [level=3] [ref=e157]
+            - list "Terms & Policies" [ref=e158]:
+              - listitem [ref=e159]:
+                - link "Policies" [ref=e160] [cursor=pointer]:
+                  - /url: /policies/
+              - listitem [ref=e161]:
+                - link "Terms of Use" [ref=e162] [cursor=pointer]:
+                  - /url: /policies/terms
+              - listitem [ref=e163]:
+                - link "Code of Conduct" [ref=e164] [cursor=pointer]:
+                  - /url: /policies/conduct
+              - listitem [ref=e165]:
+                - link "Privacy" [ref=e166] [cursor=pointer]:
+                  - /url: /policies/privacy
+  - generic [ref=e168]: New Granular Access Token

package/docs/AUDIT.md ADDED Viewed

@@ -0,0 +1,193 @@
+# Audit Report — OpenCode Telegram Bot vs OpenClaw Reference
+**Date:** 2026-02-08
+**Scope:** Phases 0-6 complete, comparison against OpenClaw Telegram integration (~3,500 LOC, 41 files)
+---
+## 1. Project Stats
+| Metric | Our Bot | OpenClaw |
+|--------|---------|----------|
+| Source LOC | 2,580 (21 files) | ~3,500 (41 files) |
+| Unit tests | 252 | ~200+ (estimated) |
+| E2E tests | 32 | Manual |
+| Total LOC (incl tests + E2E) | ~7,000 | ~10,000+ |
+| Architecture | SDK HTTP bridge | Direct agent integration |
+| Framework | Grammy | Grammy |
+| Runtime | Bun | Node.js |
+---
+## 2. Quality Assessment by Phase
+### Phases 0-4: Excellent
+The core foundation is solid:
+- **Anti-leak architecture** consistently applied (LRU, AbortController, bounded Maps)
+- **TDD discipline** maintained — every file has colocated tests
+- **EventBus** single SSE design is clean and memory-efficient
+- **DraftStream** throttled editing works well
+- **Permission/Question** handling with PendingRequests + inline keyboards is correct
+- **Session management** with restore-on-restart is production-ready
+### Phase 5 (Model & Agent Selection): Good
+- Clean separation: `models.ts` (139 LOC) and `agents.ts` (93 LOC)
+- Callback data fits 64-byte limit using direct IDs
+- Override persistence across `/new` and session switches — properly fixed
+- 28 unit tests + 9 E2E tests
+- **Minor issue:** No pagination for providers with many models (deferred, acceptable)
+### Phase 6 (Media & Files): Good
+- Download/conversion pipeline is correct and well-tested
+- MIME map is comprehensive (43 extensions)
+- File size limit enforcement works
+- DraftStream race condition properly fixed with `sending` flag
+- 21 unit tests + 6 E2E tests (including fragmentation regression)
+- **Minor issue:** `handleMedia` in bot.ts is an inline anonymous function, not exported for direct unit testing. It works via E2E tests, but differs from the pattern of other exported handlers.
+---
+## 3. Production Gaps (vs OpenClaw)
+### Critical — Should fix before production
+| # | Gap | Impact | Effort |
+|---|-----|--------|--------|
+| **G1** | **EventBus has no auto-reconnect** | SSE stream break = bot stops receiving events silently. No exponential backoff. | Medium |
+| **G2** | **No Grammy `apiThrottler()` middleware** | Telegram API 429 rate limits not handled. Under high load, API calls fail. | Low |
+| **G3** | **No `sequentialize()` middleware** | Race conditions possible if Grammy processes concurrent updates for same chat (unlikely in polling mode, but risky with webhooks). | Low |
+### Important — Should fix for robustness
+| # | Gap | Impact | Effort |
+|---|-----|--------|--------|
+| **G4** | **No error classification** | Network errors (ECONNRESET, ETIMEDOUT) not distinguished from fatal errors. All treated the same. | Medium |
+| **G5** | **EventBus `listen()` doesn't retry** | If the SSE stream ends (server restart, network issue), the bot goes deaf. No automatic reconnection. | Medium |
+| **G6** | **No update deduplication** | Telegram can deliver duplicate updates. We process them again. | Low |
+### Nice to have — For future phases
+| # | Gap | Impact | Effort |
+|---|-----|--------|--------|
+| G7 | No text fragment assembly | Users who paste >4096 chars get each fragment processed separately | Medium |
+| G8 | No media group buffering | Multi-photo sends = N separate prompts instead of one combined | Medium |
+| G9 | No inbound debouncing | Rapid messages processed individually (can flood the AI) | Low |
+| G10 | No sent-message cache | Can't deduplicate outbound messages | Low |
+| G11 | No update offset persistence | Bot restart may re-process recent updates | Low |
+---
+## 4. Code Structure Analysis
+### Strengths
+1. **Clean module boundaries** — Each handler file is self-contained with pure functions + async handlers
+2. **Dependency injection** — `DraftStreamDeps`, `BotDeps`, SDK as params (not globals)
+3. **Testability** — Every handler can be tested without Grammy context
+4. **Anti-leak guarantees** — AbortController per turn, LRU bounded SessionManager, TTL on PendingRequests
+5. **Session restore** — Bot survives restarts by matching "Telegram {chatId}" title pattern
+### Areas for Improvement
+1. **`bot.ts` is growing** (479 LOC) — Approaching the split threshold. Consider extracting:
+   - Callback routing → `handlers/callbacks.ts`
+   - `handleMedia` → export from `handlers/media.ts` for testability
+   - `handleMessage` is already well-structured
+2. **`index.ts` does too much** (283 LOC) — Event routing and `finalizeResponse` live in the entry point. Should be in a dedicated `event-router.ts` for unit testability.
+3. **Event types are `any`** — EventBus uses `any` for event types. Type-safe event handling would catch bugs at compile time.
+4. **No structured logging** — All errors go to `console.error`. No log levels, no structured format, no error context.
+---
+## 5. What We Do Better Than OpenClaw
+| Aspect | Our Advantage |
+|--------|--------------|
+| **Architecture** | SDK bridge is thinner (~2,580 LOC vs ~3,500). Delegates AI complexity to server. |
+| **Testing** | 252 unit + 32 E2E with TDD rigor. Phase-gated with full regression at each step. |
+| **Memory safety** | Explicit anti-leak design: LRU, AbortController, bounded everything. |
+| **Deployment** | Simple env vars (4-5 vars). No YAML config, no multi-account, no pairing system. |
+| **Session management** | Server-side persistence with local LRU cache. Clean restore on restart. |
+| **Phase gating** | Clear boundaries, docs per phase, regression testing. Sustainable development. |
+---
+## 6. Feature Parity Matrix
+| Feature | Our Bot | OpenClaw | Notes |
+|---------|---------|----------|-------|
+| Text messages | ✅ | ✅ | |
+| Photo/Document/Audio/Video | ✅ | ✅ | Phase 6 |
+| Voice messages | ✅ | ✅ | |
+| Streaming (edit draft) | ✅ | ✅ | With `sending` fix |
+| Permissions (inline buttons) | ✅ | N/A | OpenClaw has no permission system |
+| Questions (inline buttons) | ✅ | N/A | OpenClaw has no question system |
+| /cancel (abort) | ✅ | ✅ | |
+| Session management | ✅ | ✅ | /list, /rename, /delete, /info, /history |
+| Session restore on restart | ✅ | ✅ | Title pattern matching |
+| Model selection | ✅ | ✅ | Phase 5 |
+| Agent selection | ✅ | N/A | OpenClaw has different agent system |
+| Allowlist | ✅ | ✅ | |
+| Markdown → HTML | ✅ | ✅ | |
+| Message chunking | ✅ | ✅ | |
+| HTML fallback | ✅ | ✅ | |
+| Typing indicator | ✅ | ✅ | |
+| Tool progress | ✅ | N/A | |
+| Auto-reconnect SSE | ❌ | ✅ | **Gap G1/G5** |
+| Rate limit middleware | ❌ | ✅ | **Gap G2** |
+| Sequentialize middleware | ❌ | ✅ | **Gap G3** |
+| Text fragment assembly | ❌ | ✅ | Gap G7 |
+| Media group buffering | ❌ | ✅ | Gap G8 |
+| Inbound debouncing | ❌ | ✅ | Gap G9 |
+| Group chat support | ❌ | ✅ | Phase 8 planned |
+| Forum topics | ❌ | ✅ | Phase 8 planned |
+| Webhook mode | ❌ | ✅ | Phase 9 planned |
+| Sticker vision cache | ❌ | ✅ | Nice to have |
+| Voice → voice bubble | ❌ | ✅ | Nice to have |
+| Multi-account | ❌ | ✅ | Not needed |
+| Audit logging | ❌ | ✅ | Not needed |
+| Update offset persistence | ❌ | ✅ | Gap G11 |
+---
+## 7. Recommendations
+### Before Production (Priority)
+1. **Fix EventBus reconnection (G1+G5)** — Add exponential backoff loop in `listen()`. When SSE stream ends or errors, wait 2s→30s (1.8x factor) and reconnect. This is the most critical gap.
+2. **Add `apiThrottler()` (G2)** — One line of Grammy middleware. Prevents 429 errors.
+3. **Add `sequentialize()` (G3)** — One line of Grammy middleware. Prevents per-chat race conditions (important if switching to webhooks later).
+### Before Phase 7 (Recommended)
+4. **Extract event routing from index.ts** — Move `onEvent` callback and `finalizeResponse` to `event-router.ts`. Enables unit testing of event logic.
+5. **Type SSE events** — Replace `any` with typed event union in EventBus.
+### For Future Phases
+6. **Text fragment assembly (G7)** — Buffer near-limit messages for 1500ms, merge.
+7. **Media group buffering (G8)** — Buffer same `media_group_id` for 200ms.
+8. **Inbound debouncing (G9)** — 300-500ms buffer for rapid messages.
+---
+## 8. Overall Assessment
+**The codebase quality is good.** Phases 5 and 6 maintained the same standards as earlier phases:
+- Clean module boundaries
+- Comprehensive test coverage
+- Anti-leak design throughout
+- Bugs found via manual testing were properly diagnosed and fixed with tests
+**The main gaps are infrastructure-level** (reconnection, rate limiting, middleware), not code quality issues. These are expected at the Phase 6 stage and should be addressed in Phase 9 (Infrastructure & Security) or as a hardening pass before production deployment.
+**LOC target from spec was ~2,000 for Phase 1.** At Phase 6 we're at 2,580 for all source — well within the expected trajectory toward the spec's full target.