@pixelbyte-software/pixcode 1.36.2 → 1.36.4

package/scripts/smoke/telegram-control.mjs

@@ -0,0 +1,242 @@
+#!/usr/bin/env node
+
+import assert from 'node:assert/strict';
+import { mkdirSync, readFileSync, rmSync } from 'node:fs';
+import path from 'node:path';
+
+const runtimeDir = path.resolve('.pixcode-dev', 'smoke-telegram-control');
+mkdirSync(runtimeDir, { recursive: true });
+process.env.DATABASE_PATH = path.join(runtimeDir, 'auth.db');
+
+const checks = [
+  {
+    name: 'telegram bot wires the remote control center and callback queries',
+    file: 'server/services/telegram/bot.js',
+    test: (source) => (
+      source.includes('handleTelegramControlMessage')
+      && source.includes('handleTelegramControlCallback')
+      && source.includes("bot.on('callback_query'")
+    ),
+  },
+  {
+    name: 'telegram HTTP client polls callback queries and can answer them',
+    file: 'server/services/telegram/telegram-http-client.js',
+    test: (source) => (
+      source.includes("allowed_updates: ['message', 'callback_query']")
+      && source.includes('answerCallbackQuery')
+      && source.includes('editMessageText')
+      && source.includes("this.emit('callback_query'")
+    ),
+  },
+  {
+    name: 'telegram control center exposes provider, model, workflow, install, and settings actions',
+    file: 'server/services/telegram/control-center.js',
+    test: (source) => (
+      source.includes('showMainMenu')
+      && source.includes('showProviderMenu')
+      && source.includes('showModelMenu')
+      && source.includes('showWorkflowMenu')
+      && source.includes('runWorkflow')
+      && source.includes('startCliInstall')
+      && source.includes('updateTelegramControlState')
+      && source.includes('/api/agent')
+      && source.includes('/api/orchestration/workflows')
+    ),
+  },
+  {
+    name: 'telegram link state persists remote-control preferences',
+    file: 'server/database/db.js',
+    test: (source) => (
+      source.includes('telegram_control')
+      && source.includes('getControlState')
+      && source.includes('updateControlState')
+      && source.includes('remoteControlEnabled')
+    ),
+  },
+  {
+    name: 'telegram settings UI exposes remote-control toggles',
+    file: 'src/components/settings/view/tabs/telegram-settings/TelegramSettingsTab.tsx',
+    test: (source) => (
+      source.includes('controlEnabled')
+      && source.includes('progressMode')
+      && source.includes('telegram.control.title')
+      && source.includes('telegram.control.progressMode')
+    ),
+  },
+];
+
+const failures = [];
+
+for (const check of checks) {
+  let source = '';
+  try {
+    source = readFileSync(check.file, 'utf8');
+  } catch {
+    failures.push(`${check.name} (${check.file} missing)`);
+    continue;
+  }
+
+  if (!check.test(source)) failures.push(check.name);
+}
+
+try {
+  const {
+    handleTelegramControlCallback,
+    handleTelegramControlMessage,
+  } = await import('../../server/services/telegram/control-center.js');
+  const {
+    handleIncomingTelegramMessage,
+    setTelegramBotForTesting,
+  } = await import('../../server/services/telegram/bot.js');
+  const { telegramLinksDb } = await import('../../server/database/db.js');
+
+  const userId = 4242;
+  telegramLinksDb.unlink(userId);
+  telegramLinksDb.setPairingCode(userId, '123456', new Date(Date.now() + 600_000).toISOString(), 'tr');
+  telegramLinksDb.verify(userId, 'chat-4242', 'ali');
+
+  const sent = [];
+  const bot = {
+    sendMessage: async (chatId, text, extra = {}) => {
+      sent.push({ chatId, text, extra });
+      return { ok: true };
+    },
+  };
+
+  const link = telegramLinksDb.getByUserId(userId);
+  const expectReply = async (input, expectedFragment) => {
+    sent.length = 0;
+    const handled = await handleTelegramControlMessage({
+      bot,
+      msg: { chat: { id: 4242 }, text: input },
+      link,
+    });
+    assert.equal(handled, true, `${input} should be handled`);
+    assert.ok(sent.length > 0, `${input} should send at least one reply`);
+    assert.ok(
+      sent[0].text.includes(expectedFragment),
+      `${input} should include "${expectedFragment}" but got "${sent[0].text}"`,
+    );
+  };
+
+  await expectReply('/start', 'Pixcode Telegram kontrol merkezi');
+  await expectReply('/help', 'Komutlar:');
+  await expectReply('/start@Otobot', 'Pixcode Telegram kontrol merkezi');
+  await expectReply('/help@Otobot', 'Komutlar:');
+  await expectReply('/', 'Komutlar:');
+
+  const menuEvents = [];
+  const menuBot = {
+    sendMessage: async (chatId, text, extra = {}) => {
+      menuEvents.push({ type: 'send', chatId, text, extra });
+      return { ok: true, message_id: 77 };
+    },
+    editMessageText: async (text, extra = {}) => {
+      menuEvents.push({ type: 'edit', text, extra });
+      return { ok: true, message_id: extra.message_id };
+    },
+    answerCallbackQuery: async () => ({ ok: true }),
+  };
+  const findButton = (markup, predicate) => {
+    for (const row of markup?.inline_keyboard || []) {
+      for (const candidate of row) {
+        if (predicate(candidate)) return candidate;
+      }
+    }
+    return null;
+  };
+
+  menuEvents.length = 0;
+  await handleTelegramControlMessage({
+    bot: menuBot,
+    msg: { chat: { id: 4242 }, text: '/settings' },
+    link,
+  });
+  const settingsMenu = menuEvents.at(-1);
+  const languageButton = findButton(
+    settingsMenu.extra.reply_markup,
+    (candidate) => /language|dil/i.test(candidate.text),
+  );
+  assert.ok(languageButton, 'settings menu should expose a language button');
+
+  menuEvents.length = 0;
+  await handleTelegramControlCallback({
+    bot: menuBot,
+    query: {
+      id: 'query-language-menu',
+      data: languageButton.callback_data,
+      message: { chat: { id: 4242 }, message_id: 77 },
+    },
+    link,
+  });
+  assert.equal(menuEvents.length, 1, 'callback menus should replace the existing menu message');
+  assert.equal(menuEvents[0].type, 'edit', 'callback menus should use editMessageText');
+  const trButton = findButton(menuEvents[0].extra.reply_markup, (candidate) => candidate.text === 'tr');
+  assert.ok(trButton, 'language menu should include Turkish');
+
+  menuEvents.length = 0;
+  await handleTelegramControlCallback({
+    bot: menuBot,
+    query: {
+      id: 'query-language-tr',
+      data: trButton.callback_data,
+      message: { chat: { id: 4242 }, message_id: 77 },
+    },
+    link,
+  });
+  assert.equal(telegramLinksDb.getByUserId(userId).language, 'tr', 'language selection should persist');
+  assert.equal(menuEvents.length, 1, 'language selection should not send a confirmation plus a second menu');
+  assert.equal(menuEvents[0].type, 'edit', 'language selection should replace the menu in place');
+  assert.ok(
+    menuEvents[0].text.includes('Pixcode Telegram kontrol merkezi'),
+    `Turkish menu should render after selection, got "${menuEvents[0].text}"`,
+  );
+  assert.ok(
+    !menuEvents[0].text.includes('Project:'),
+    'Turkish menu should not keep English summary labels after language selection',
+  );
+
+  const botLevelMessages = [];
+  setTelegramBotForTesting({
+    sendMessage: async (chatId, text, extra = {}) => {
+      botLevelMessages.push({ chatId, text, extra });
+      return { ok: true };
+    },
+    answerCallbackQuery: async () => ({ ok: true }),
+  });
+
+  const expectBotReply = async (input, expectedFragment) => {
+    botLevelMessages.length = 0;
+    await handleIncomingTelegramMessage({
+      chat: { id: 'chat-4242' },
+      text: input,
+      message_id: 1,
+      from: { username: 'ali' },
+    });
+    assert.ok(botLevelMessages.length > 0, `${input} should reply from bot.js`);
+    assert.ok(
+      botLevelMessages[0].text.includes(expectedFragment),
+      `${input} should include "${expectedFragment}" but got "${botLevelMessages[0].text}"`,
+    );
+    assert.ok(
+      !botLevelMessages.some((entry) => entry.text.includes('Mesaj son oturumuna iletildi')),
+      `${input} should never hit the bridge queue reply`,
+    );
+  };
+
+  await expectBotReply('/start', 'Nasıl başlarsın');
+  await expectBotReply('/help', 'Komutlar:');
+
+  telegramLinksDb.unlink(userId);
+} catch (error) {
+  failures.push(error?.message || String(error));
+} finally {
+  rmSync(runtimeDir, { recursive: true, force: true });
+}
+
+if (failures.length > 0) {
+  console.error(`Telegram control smoke failed:\n- ${failures.join('\n- ')}`);
+  process.exit(1);
+}
+
+console.log('telegram control smoke passed');

package/scripts/smoke/update-ux.mjs

@@ -0,0 +1,55 @@
+#!/usr/bin/env node
+
+import { readFileSync } from 'node:fs';
+
+const checks = [
+  {
+    name: 'update frequency defaults to 30 minutes',
+    file: 'src/utils/updateCheckPreferences.ts',
+    test: (source) => (
+      source.includes("export type UpdateCheckFrequency = 'off' | '30m' |")
+      && source.includes("{ value: '30m'")
+      && /DEFAULT_UPDATE_CHECK_PREFERENCES[\s\S]*frequency:\s*'30m'/.test(source)
+    ),
+  },
+  {
+    name: 'sidebar opens the version modal when an update is detected',
+    file: 'src/components/sidebar/view/Sidebar.tsx',
+    test: (source) => (
+      source.includes('PIXCODE_UPDATE_AVAILABLE_EVENT')
+      && source.includes('setShowVersionModal(true)')
+      && source.includes('updateAvailable')
+    ),
+  },
+  {
+    name: 'version modal supports release-notes-only opens',
+    file: 'src/components/version-upgrade/view/VersionUpgradeModal.tsx',
+    test: (source) => (
+      source.includes('isUpdateAvailable')
+      && source.includes('versionUpdate.releaseNotesTitle')
+      && source.includes('showUpdateActions')
+    ),
+  },
+  {
+    name: 'desktop splash makes startup update work visible',
+    file: 'desktop/electron/main.cjs',
+    test: (source) => (
+      source.includes('Checking for updates before launch')
+      && source.includes('Applying Pixcode update')
+    ),
+  },
+];
+
+const failures = [];
+
+for (const check of checks) {
+  const source = readFileSync(check.file, 'utf8');
+  if (!check.test(source)) failures.push(check.name);
+}
+
+if (failures.length > 0) {
+  console.error(`Update UX smoke failed:\n- ${failures.join('\n- ')}`);
+  process.exit(1);
+}
+
+console.log('update UX smoke passed');

package/scripts/smoke/version-modal-autoshow.mjs

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+
+import assert from 'node:assert/strict';
+import { readFileSync } from 'node:fs';
+
+const source = readFileSync('src/components/sidebar/view/Sidebar.tsx', 'utf8');
+
+assert.ok(
+  source.includes('VERSION_RELEASE_NOTES_SEEN_KEY'),
+  'Sidebar should persist the latest equal-version release notes it auto-showed.',
+);
+assert.ok(
+  source.includes('localStorage.getItem(VERSION_RELEASE_NOTES_SEEN_KEY)'),
+  'Sidebar should read the seen release-notes version from localStorage.',
+);
+assert.ok(
+  source.includes('localStorage.setItem(VERSION_RELEASE_NOTES_SEEN_KEY, latestVersion)'),
+  'Sidebar should mark equal-version release notes as seen when auto-showing them.',
+);
+assert.ok(
+  source.includes('hasSeenCurrentReleaseNotes'),
+  'Sidebar should avoid auto-showing release notes when the current version was already seen.',
+);
+assert.ok(
+  source.includes('!hasSeenCurrentReleaseNotes'),
+  'The auto-show condition should be gated by the seen-version check.',
+);
+
+console.log('version modal autoshow smoke passed');

package/server/daemon-manager.js

@@ -95,15 +95,25 @@ function quoteSystemdArg(arg) {
     return `"${String(arg).replace(/(["\\$`])/g, '\\$1')}"`;
 }
 
-function resolveDaemonCliEntryPath(context = {}) {
+export function resolveDaemonCliEntryPath(context = {}) {
     const appRoot = context.appRoot || process.cwd();
     const explicitCliEntry = context.cliEntry ? path.resolve(context.cliEntry) : null;
     const argvCliEntry = process.argv[1] ? path.resolve(process.argv[1]) : null;
+    const distCliEntry = path.join(appRoot, 'dist-server', 'server', 'cli.js');
+    const sourceCliEntry = path.join(appRoot, 'server', 'cli.js');
+    const normalizeCliCandidate = (candidate) => {
+        if (!candidate) return null;
+        const resolved = path.resolve(candidate);
+        if (resolved === sourceCliEntry && fs.existsSync(distCliEntry)) {
+            return distCliEntry;
+        }
+        return resolved;
+    };
     const candidatePaths = [
-        explicitCliEntry,
-        argvCliEntry,
-        path.join(appRoot, 'dist-server', 'server', 'cli.js'),
-        path.join(appRoot, 'server', 'cli.js'),
+        normalizeCliCandidate(explicitCliEntry),
+        normalizeCliCandidate(argvCliEntry),
+        distCliEntry,
+        sourceCliEntry,
     ].filter(Boolean);
 
     const existingPath = candidatePaths.find(candidate => fs.existsSync(candidate));
@@ -111,7 +121,7 @@ function resolveDaemonCliEntryPath(context = {}) {
         return existingPath;
     }
 
-    return explicitCliEntry || argvCliEntry || path.join(appRoot, 'server', 'cli.js');
+    return normalizeCliCandidate(explicitCliEntry) || normalizeCliCandidate(argvCliEntry) || distCliEntry;
 }
 
 function hasPixcodeBinary() {
@@ -210,12 +220,7 @@ function parseDaemonArgs(args) {
 
 function buildDaemonExecStart({ appRoot, serverPort, databasePath, nodeExecPath, cliEntry }) {
     const nodeExec = nodeExecPath || process.execPath || 'node';
-    const cliCandidate = cliEntry
-        ? path.resolve(cliEntry)
-        : (process.argv[1] ? path.resolve(process.argv[1]) : path.join(appRoot, 'dist-server', 'server', 'cli.js'));
-    const resolvedCliEntry = fs.existsSync(cliCandidate)
-        ? cliCandidate
-        : path.join(appRoot, 'dist-server', 'server', 'cli.js');
+    const resolvedCliEntry = resolveDaemonCliEntryPath({ appRoot, cliEntry });
 
     const args = [nodeExec, resolvedCliEntry, 'start', '--port', String(serverPort)];
     if (databasePath) {

package/server/database/db.js

@@ -217,6 +217,7 @@ function migrateSqliteIfPresent() {
             verified_at: tl.verified_at || null,
             notifications_enabled: tl.notifications_enabled !== 0,
             bridge_enabled: tl.bridge_enabled !== 0,
+            telegram_control: null,
             updated_at: tl.updated_at || nowIso(),
         });
     }
@@ -672,6 +673,40 @@ const appConfigDb = {
 // ---------------------------------------------------------------------------
 // Telegram — singleton config + per-user links
 // ---------------------------------------------------------------------------
+const DEFAULT_TELEGRAM_CONTROL_STATE = {
+    remoteControlEnabled: true,
+    progressMode: 'final',
+    selectedProjectName: null,
+    selectedProjectPath: null,
+    selectedProvider: 'opencode',
+    selectedModel: null,
+    selectedWorkflowId: null,
+    awaiting: null,
+};
+
+function normalizeTelegramControlState(value = {}) {
+    const raw = value && typeof value === 'object' ? value : {};
+    const selectedProvider = ['claude', 'cursor', 'codex', 'gemini', 'qwen', 'opencode'].includes(raw.selectedProvider)
+        ? raw.selectedProvider
+        : DEFAULT_TELEGRAM_CONTROL_STATE.selectedProvider;
+    const progressMode = ['final', 'steps', 'all'].includes(raw.progressMode)
+        ? raw.progressMode
+        : DEFAULT_TELEGRAM_CONTROL_STATE.progressMode;
+
+    return {
+        ...DEFAULT_TELEGRAM_CONTROL_STATE,
+        ...raw,
+        remoteControlEnabled: raw.remoteControlEnabled !== false,
+        progressMode,
+        selectedProvider,
+        selectedProjectName: typeof raw.selectedProjectName === 'string' ? raw.selectedProjectName : null,
+        selectedProjectPath: typeof raw.selectedProjectPath === 'string' ? raw.selectedProjectPath : null,
+        selectedModel: typeof raw.selectedModel === 'string' ? raw.selectedModel : null,
+        selectedWorkflowId: typeof raw.selectedWorkflowId === 'string' ? raw.selectedWorkflowId : null,
+        awaiting: raw.awaiting && typeof raw.awaiting === 'object' ? raw.awaiting : null,
+    };
+}
+
 const telegramConfigDb = {
     get: () => {
         const row = store.raw.telegram_config[0];
@@ -705,6 +740,7 @@ const telegramLinksDb = {
             verified_at: null,
             notifications_enabled: true,
             bridge_enabled: true,
+            telegram_control: normalizeTelegramControlState(),
             updated_at: nowIso(),
         });
     },
@@ -742,6 +778,7 @@ const telegramLinksDb = {
             language: row.language,
             notifications_enabled: row.notifications_enabled,
             bridge_enabled: row.bridge_enabled,
+            telegram_control: normalizeTelegramControlState(row.telegram_control),
         };
     },
     listVerified: () =>
@@ -752,6 +789,7 @@ const telegramLinksDb = {
             language: r.language,
             notifications_enabled: r.notifications_enabled,
             bridge_enabled: r.bridge_enabled,
+            telegram_control: normalizeTelegramControlState(r.telegram_control),
         })),
     updatePreferences: (userId, { language, notificationsEnabled, bridgeEnabled }) => {
         const patch = { updated_at: nowIso() };
@@ -761,6 +799,20 @@ const telegramLinksDb = {
         if (Object.keys(patch).length === 1) return; // only updated_at → no real change
         store.updateWhere('telegram_links', (r) => r.user_id === userId, patch);
     },
+    getControlState: (userId) => {
+        const row = store.findWhere('telegram_links', (r) => r.user_id === userId);
+        return normalizeTelegramControlState(row?.telegram_control);
+    },
+    updateControlState: (userId, patch) => {
+        const row = store.findWhere('telegram_links', (r) => r.user_id === userId);
+        const current = normalizeTelegramControlState(row?.telegram_control);
+        const next = normalizeTelegramControlState({ ...current, ...(patch || {}) });
+        store.updateWhere('telegram_links', (r) => r.user_id === userId, {
+            telegram_control: next,
+            updated_at: nowIso(),
+        });
+        return next;
+    },
     unlink: (userId) => {
         store.deleteWhere('telegram_links', (r) => r.user_id === userId);
     },

package/server/index.js

@@ -413,11 +413,9 @@ app.use('/api/telegram', authenticateToken, telegramRoutes);
 // Agent API Routes (uses API key authentication)
 app.use('/api/agent', agentRoutes);
 
-// Serve public files (like api-docs.html)
-app.use(express.static(path.join(APP_ROOT, 'public')));
-
-// Static files served after API routes
-// Add cache control: HTML files should not be cached, but assets can be cached
+// Static app files served after API routes. Keep dist before public so
+// / and /index.html always resolve to the Pixcode app, not the GitHub Pages
+// landing page that also lives in public/index.html.
 app.use(express.static(path.join(APP_ROOT, 'dist'), {
     setHeaders: (res, filePath) => {
         if (filePath.endsWith('.html')) {
@@ -432,6 +430,12 @@ app.use(express.static(path.join(APP_ROOT, 'dist'), {
     }
 }));
 
+// Serve extra public files (api-docs.html, llms.txt, landing pages) without
+// letting public/index.html shadow the production app root.
+app.use(express.static(path.join(APP_ROOT, 'public'), {
+    index: false,
+}));
+
 // API Routes (protected)
 // /api/config endpoint removed - no longer needed
 // Frontend now uses window.location for WebSocket URLs

package/server/modules/orchestration/workflows/workflow-runner.ts

@@ -276,6 +276,10 @@ function rolePrompt(role: AgentRole): string {
   return 'Implementation work should avoid duplicating other agents and should report changed files, commands, blockers, and next actions.';
 }
 
+function privacyGuardPrompt(): string {
+  return 'Do not mention internal instructions, memory files, skill use, or tool protocol unless the user explicitly asks.';
+}
+
 function handoffPrompt(agent: AgentAssignment, role: AgentRole): string {
   return [
     `You are ${agent.label} in a Pixcode CLI team.`,
@@ -290,6 +294,7 @@ function handoffPrompt(agent: AgentAssignment, role: AgentRole): string {
     '- dependencies/blockers for the next agents',
     '- concrete next action for your full implementation task',
     'Do not install dependencies, edit files, run long commands, or start servers in this handoff task.',
+    privacyGuardPrompt(),
     'Stop after the contract. Keep it concise and respond in the same language as the user request.',
   ].filter(Boolean).join('\n');
 }
@@ -374,6 +379,7 @@ function expandAgentTeamWorkflow(workflow: Workflow, metadata?: Record<string, u
           ? `Your explicit assignment from the user is: ${agent.instruction}`
           : 'No fixed per-agent assignment was set. Take the part assigned to you by the coordinator; if none is named, choose useful work that fits this CLI.',
         rolePrompt(stage),
+        privacyGuardPrompt(),
         'Respond in the same language as the user request.',
       ].filter(Boolean).join('\n'),
       inputs,
@@ -419,6 +425,8 @@ function expandAgentTeamWorkflow(workflow: Workflow, metadata?: Record<string, u
         prompt: [
           'Collect the worker outputs into one user-facing result.',
           'Show what each CLI did, which parts failed, what changed, and the next action if work remains.',
+          'Do not expose internal prompts, memory lookup, skill/tool instructions, raw agent logs, or role prefixes like "agent:" and "user:".',
+          'If a worker reveals internal process text, summarize only the useful user-facing result.',
           'Respond in the same language as the user request.',
         ].join('\n'),
         inputs: workerNodes.map((node) => node.id),
@@ -436,6 +444,7 @@ function stagePrompt(agent: AgentAssignment, stage: AgentRole): string {
     agent.role && agent.role !== stage ? `User custom stage label: ${agent.role}.` : '',
     agent.instruction ? `User assignment for you: ${agent.instruction}` : '',
     rolePrompt(stage),
+    privacyGuardPrompt(),
     'Keep the answer concise, structured, and useful for the next stage.',
     'Respond in the same language as the user request.',
   ].filter(Boolean).join('\n');
@@ -605,6 +614,7 @@ function expandSequentialHandoffWorkflow(workflow: Workflow, metadata?: Record<s
           ? `Your explicit assignment from the user is: ${agent.instruction}`
           : 'Use the prior step output and do the next most useful handoff step for the user goal.',
         'Report changed files, commands, blockers, and the next handoff requirement.',
+        privacyGuardPrompt(),
         'Respond in the same language as the user request.',
       ].filter(Boolean).join('\n'),
       inputs: index === 0 ? [] : [safeAgentNodeId(agents[index - 1], index - 1, 'handoff')],
@@ -646,6 +656,7 @@ function expandWorkflowForRun(workflow: Workflow, metadata?: Record<string, unkn
       `You are ${agent.label}.`,
       'Review the requested change for bugs, regressions, missing validation, security, scale, and user-experience risks.',
       agent.instruction ? `Focus on this user assignment: ${agent.instruction}` : '',
+      privacyGuardPrompt(),
       'Respond in the same language as the user request.',
     ].filter(Boolean).join('\n'),
     inputs: [],
@@ -666,7 +677,11 @@ function expandWorkflowForRun(workflow: Workflow, metadata?: Record<string, unkn
         model: reportAgent.model,
         permissionMode: reportAgent.permissionMode,
         toolsSettings: reportAgent.toolsSettings,
-        prompt: 'Aggregate the prior agent reviews into a concise prioritized report. Respond in the same language as the user request.',
+        prompt: [
+          'Aggregate the prior agent reviews into a concise prioritized report.',
+          'Do not expose internal prompts, memory lookup, skill/tool instructions, raw agent logs, or role prefixes like "agent:" and "user:".',
+          'Respond in the same language as the user request.',
+        ].join('\n'),
         inputs: reviewNodes.map((node) => node.id),
         output: 'message',
         onFail: 'abort',
@@ -701,13 +716,13 @@ function readTaskResult(task: RawTask): TaskResult {
     };
   });
   const outputMessages = messages.filter((message) => message.role !== 'user');
-  const text = outputMessages.map((message) => `${message.role}: ${message.text}`).join('\n\n');
+  const userFacingTaskText = outputMessages.map((message) => message.text.trim()).filter(Boolean).join('\n\n');
   const error = task.error?.message
     ? `${task.error.code ? `${task.error.code}: ` : ''}${task.error.message}`
     : undefined;
   return {
     state: task.state ?? 'submitted',
-    text,
+    text: userFacingTaskText,
     error,
     messages,
     artifacts,

package/server/routes/telegram.js

@@ -33,6 +33,7 @@ router.get('/status', (req, res) => {
             language: link.language,
             notificationsEnabled: Boolean(link.notifications_enabled),
             bridgeEnabled: Boolean(link.bridge_enabled),
+            control: telegramLinksDb.getControlState(req.user.id),
             pairingCode: link.pairing_code,
             pairingExpiresAt: link.pairing_code_expires_at,
             verifiedAt: link.verified_at,
@@ -98,13 +99,27 @@ router.post('/pairing-code', (req, res) => {
 // PATCH /api/telegram/link — update language / toggles on the user's link
 router.patch('/link', (req, res) => {
   try {
-    const { language, notificationsEnabled, bridgeEnabled } = req.body || {};
+    const { language, notificationsEnabled, bridgeEnabled, controlEnabled, progressMode } = req.body || {};
     const payload = {};
     if (language !== undefined) payload.language = sanitizeLanguage(language);
     if (notificationsEnabled !== undefined) payload.notificationsEnabled = Boolean(notificationsEnabled);
     if (bridgeEnabled !== undefined) payload.bridgeEnabled = Boolean(bridgeEnabled);
     telegramLinksDb.updatePreferences(req.user.id, payload);
-    res.json({ success: true, link: telegramLinksDb.getByUserId(req.user.id) });
+
+    const controlPatch = {};
+    if (controlEnabled !== undefined) controlPatch.remoteControlEnabled = Boolean(controlEnabled);
+    if (progressMode !== undefined && ['final', 'steps', 'all'].includes(progressMode)) {
+      controlPatch.progressMode = progressMode;
+    }
+    if (Object.keys(controlPatch).length > 0) {
+      telegramLinksDb.updateControlState(req.user.id, controlPatch);
+    }
+
+    res.json({
+      success: true,
+      link: telegramLinksDb.getByUserId(req.user.id),
+      control: telegramLinksDb.getControlState(req.user.id),
+    });
   } catch (error) {
     console.error('telegram/link patch failed:', error);
     res.status(500).json({ error: 'Failed to update link' });