@promus/cli 0.24.17

package/src/commands/resume.ts

@@ -0,0 +1,181 @@
+import { cancel, confirm, intro, isCancel, note, outro, spinner } from '@clack/prompts'
+import {
+  type PromusNetwork,
+  SANDBOX_PROVIDER_URL_GALILEO,
+  SandboxProviderClient,
+  iNFTAgentId,
+} from '@promus/core'
+import type { Address, Hex } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+import { loadProfileScopeKeyHex } from '../util/profile-key'
+import { loadTelegramHandoffSecrets } from '../util/telegram-secrets'
+import { loadOrPickOperatorSigner } from './init/operator-picker'
+import {
+  preflightProviderDeposit,
+  resumeArchivedSandbox,
+  unlockAgentKeystore,
+} from './init/sandbox-provision'
+
+interface ResumeOpts {
+  yes?: boolean
+}
+
+/**
+ * `promus resume`: wake a stopped/archived sandbox and re-handoff the agent
+ * privkey to the (newly restarted) harness. Use when:
+ *
+ *  - Daytona's billing daemon archived the sandbox (INSUFFICIENT_BALANCE)
+ *  - The autoArchiveInterval timer fired after a Daytona infra event stopped
+ *    the sandbox briefly
+ *  - You manually called `archive` and now want it back
+ *
+ * Same sandbox UUID + endpoint preserved. ~30s for stopped sandboxes,
+ * 2-5 min for archived (Daytona restores filesystem from object storage).
+ */
+export async function runResume(opts: ResumeOpts = {}): Promise<void> {
+  intro('promus resume')
+
+  const loaded = await findAndLoadConfig()
+  if (!loaded) {
+    cancel('No promus.config.ts found.')
+    return
+  }
+  const { config } = loaded
+  if (!config.identity.iNFT || !config.identity.agent) {
+    cancel('Config has no iNFT or agent.')
+    return
+  }
+  if (config.deployTarget !== 'sandbox' || !config.sandbox?.id || !config.sandbox.endpoint) {
+    cancel(
+      `Agent is not deployed to a sandbox. (deployTarget=${config.deployTarget ?? 'local'}). Nothing to resume.`,
+    )
+    return
+  }
+  if (!config.brain.provider) {
+    cancel('Brain provider not configured. Run `promus model` first.')
+    return
+  }
+
+  const contractAddress = config.identity.iNFT.contract as Address
+  const tokenId = BigInt(config.identity.iNFT.tokenId)
+  const agentAddress = config.identity.agent as Address
+  const sandboxId = config.sandbox.id
+
+  const operator = await loadOrPickOperatorSigner({
+    network: config.network,
+    hint: config.operator,
+  })
+  if (!operator) {
+    cancel('No operator wallet available; cannot decrypt keystore.')
+    return
+  }
+
+  // Pre-flight Galileo deposit check. The May 2 INSUFFICIENT_BALANCE incident
+  // archived enigma; refusing up-front with a clear suggestion is much better
+  // UX than letting resume run, sign the keystore unlock, then fail mid-flow.
+  if (!(await preflightProviderDeposit(operator))) {
+    await operator.close?.()
+    return
+  }
+
+  if (!opts.yes) {
+    const ok = await confirm({
+      message: `Resume sandbox ${sandboxId.slice(0, 8)}? (~30s if stopped, ~2-5min if archived)`,
+      initialValue: true,
+    })
+    if (isCancel(ok) || !ok) {
+      cancel('Aborted.')
+      await operator.close?.()
+      return
+    }
+  }
+
+  const sUnlock = spinner()
+  sUnlock.start('Fetching keystore + decrypting via operator wallet')
+  let agentPrivkey: Hex
+  try {
+    agentPrivkey = await unlockAgentKeystore({
+      operator,
+      network: config.network,
+      contractAddress,
+      tokenId,
+      agentAddress,
+    })
+    sUnlock.stop('unlocked')
+  } catch (e) {
+    sUnlock.stop(`unlock failed: ${(e as Error).message.slice(0, 160)}`)
+    await operator.close?.()
+    return
+  }
+
+  const operatorAccount = await operator.account()
+  const provider = new SandboxProviderClient({
+    endpoint: SANDBOX_PROVIDER_URL_GALILEO,
+    operator: operatorAccount,
+  })
+
+  // Ship telegram secrets via secondary envelope so the resumed harness
+  // restores its grammY listener. Without this, every pause→resume cycle
+  // silently strips the bot — gateway comes back with `plugins: ['telegram']`
+  // but no token, and `build-runtime.ts` skips listener registration.
+  const telegramSecretsPlain = await loadTelegramHandoffSecrets({
+    signer: operator,
+    agentAddress,
+    contractAddress,
+    tokenId,
+    onNotice: msg => note(`${msg}; resume continues without TG.`, 'warning'),
+  })
+  const resumeAgentId = iNFTAgentId({ contractAddress, tokenId })
+  const resumeProfileKeyHex = loadProfileScopeKeyHex(resumeAgentId)
+  if (!resumeProfileKeyHex) {
+    note('no cached PROFILE key; resumed sandbox will boot without profile-slot anchoring', 'note')
+  }
+
+  const sBox = spinner()
+  sBox.start('Resuming sandbox')
+  try {
+    const result = await resumeArchivedSandbox({
+      provider,
+      sandboxId,
+      sandboxEndpoint: config.sandbox.endpoint,
+      operatorAccount,
+      agentPrivkey,
+      agentAddress,
+      iNFTRef: { contract: contractAddress, tokenId },
+      iNFTNetwork: config.network as PromusNetwork,
+      brain: { provider: config.brain.provider as Address, model: config.brain.model ?? '' },
+      subname: config.subname,
+      plugins: config.plugins,
+      telegramSecrets: telegramSecretsPlain,
+      profileScopeKeyHex: resumeProfileKeyHex,
+      onProgress: msg => sBox.message(msg),
+    })
+    if (result.alreadyReady) {
+      sBox.stop(`sandbox ${sandboxId.slice(0, 8)} already Ready (no-op)`)
+    } else {
+      sBox.stop(`sandbox ${sandboxId.slice(0, 8)} resumed from ${result.initialState} → started`)
+    }
+    outro(
+      [
+        '',
+        `  sandbox       ${sandboxId} (unchanged)`,
+        `  endpoint      ${config.sandbox.endpoint} (unchanged)`,
+        `  state before  ${result.initialState}`,
+        '  state now     started',
+        '',
+        'Next: `promus` to chat',
+      ].join('\n'),
+    )
+  } catch (e) {
+    sBox.stop(`resume failed: ${(e as Error).message.slice(0, 200)}`)
+    note(
+      [
+        'The sandbox could not be brought back to started state.',
+        'If state is `error`, the underlying snapshot may be lost. Run `promus upgrade --reprovision` to spin a fresh container.',
+      ].join('\n'),
+      'recoverable',
+    )
+  } finally {
+    await operator.close?.()
+  }
+}

package/src/commands/status.ts

@@ -0,0 +1,119 @@
+import { existsSync, statSync } from 'node:fs'
+import {
+  NETWORK_CHAIN_ID,
+  NETWORK_RPC,
+  SANDBOX_PROVIDER_URL_GALILEO,
+  SandboxProviderClient,
+  agentPaths,
+} from '@promus/core'
+import { http, createPublicClient } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+import { SandboxClient } from '../sandbox/client'
+import { listAgentIds } from './_agents'
+import { loadOrPickOperatorSigner } from './init/operator-picker'
+
+export async function runStatus(opts?: { cwd?: string }): Promise<void> {
+  const cwd = opts?.cwd ?? process.cwd()
+  const found = await findAndLoadConfig(cwd)
+  if (!found) {
+    console.log('No promus.config.ts found. Run `promus init` first.')
+    process.exit(1)
+  }
+  const { config, path } = found
+  console.log(`config    ${path}`)
+  console.log(`network   ${config.network} (chain ${NETWORK_CHAIN_ID[config.network]})`)
+  console.log(`rpc       ${NETWORK_RPC[config.network]}`)
+  console.log(`plugins   ${config.plugins.join(', ')}`)
+  console.log(`target    ${config.deployTarget ?? 'local'}`)
+  if (config.identity.iNFT) {
+    const { contract, tokenId, network } = config.identity.iNFT
+    console.log(`iNFT      #${tokenId} at ${contract} (${network})`)
+  } else {
+    console.log('iNFT      (not minted)')
+  }
+  if (config.identity.operator) console.log(`operator  ${config.identity.operator}`)
+  if (config.identity.agent) console.log(`agent EOA ${config.identity.agent}`)
+  console.log(`brain     ${config.brain.provider ?? '(not picked)'}`)
+
+  // Phase 11 sandbox-mode status: fetch /healthz + provider record + show
+  // sandbox-side state instead of per-agent local dirs (those don't exist
+  // on the laptop in sandbox mode).
+  if (config.deployTarget === 'sandbox' && config.sandbox?.endpoint && config.sandbox.id) {
+    console.log('')
+    console.log(`sandbox   ${config.sandbox.id}`)
+    console.log(`endpoint  ${config.sandbox.endpoint}`)
+    console.log(`snapshot  ${config.sandbox.snapshotName ?? '(default)'}`)
+
+    const operator = await loadOrPickOperatorSigner({
+      network: config.network,
+      hint: config.operator,
+    }).catch(() => null)
+    if (!operator) {
+      console.log('harness   skipped (no operator wallet to sign /healthz auth)')
+      return
+    }
+    const operatorAccount = await operator.account()
+
+    const probe = new SandboxClient({
+      endpoint: config.sandbox.endpoint,
+      sandboxId: config.sandbox.id,
+      operator: operatorAccount,
+    })
+    const providerClient = new SandboxProviderClient({
+      endpoint: SANDBOX_PROVIDER_URL_GALILEO,
+      operator: operatorAccount,
+    })
+
+    // Both reads are independent network calls; run in parallel.
+    const [healthRes, sandboxRes] = await Promise.allSettled([
+      probe.health(),
+      providerClient.getSandbox(config.sandbox.id),
+    ])
+    if (healthRes.status === 'fulfilled') {
+      const h = healthRes.value
+      console.log(`harness   state=${h.state} runtimeReady=${h.runtimeReady}`)
+      console.log(`uptime    ${(h.uptimeMs / 1000 / 60).toFixed(1)} min`)
+      console.log(`pending   ${h.pendingApprovals} approvals`)
+      console.log(`subs      ${h.subscribers}`)
+      console.log(`events    seq ${h.eventsLastSeq}`)
+    } else {
+      console.log(
+        `harness   UNREACHABLE: ${healthRes.reason.message?.slice(0, 120) ?? healthRes.reason}`,
+      )
+    }
+    if (sandboxRes.status === 'fulfilled') {
+      const sb = sandboxRes.value
+      console.log(
+        `provider  state=${sb.state}${sb.cpu ? ` cpu=${sb.cpu}` : ''}${sb.mem ? ` mem=${sb.mem}` : ''}${sb.disk ? ` disk=${sb.disk}` : ''}`,
+      )
+    } else {
+      console.log(
+        `provider  UNREACHABLE: ${sandboxRes.reason.message?.slice(0, 120) ?? sandboxRes.reason}`,
+      )
+    }
+    await operator.close?.()
+    return
+  }
+
+  const ids = await listAgentIds()
+  if (ids.length === 0) {
+    console.log('\nNo agents found in ~/.promus/agents. Re-run `promus init`.')
+    return
+  }
+
+  const client = createPublicClient({
+    transport: http(NETWORK_RPC[config.network]),
+  })
+
+  for (const id of ids) {
+    console.log('')
+    console.log(`agent     ${id}`)
+    console.log(`dir       ${agentPaths.agent(id).dir}`)
+    const activityPath = agentPaths.agent(id).activityLog
+    if (existsSync(activityPath)) {
+      const sz = statSync(activityPath).size
+      console.log(`activity  ${sz} bytes`)
+    }
+    void client
+  }
+}

package/src/commands/sync.ts

@@ -0,0 +1,147 @@
+import { cancel, intro, outro, spinner } from '@clack/prompts'
+import {
+  MemorySyncManager,
+  OPERATOR_BLOB_SCOPES,
+  agentPaths,
+  deriveBlobKey,
+  explorerTxUrl,
+  fetchAndDecryptKeystore,
+  iNFTAgentId,
+} from '@promus/core'
+import type { Address, Hex } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+import { withSilencedConsole } from '../util/silence-console'
+import { loadOrPickOperatorSigner } from './init/operator-picker'
+
+/**
+ * `promus sync` — explicit memory + activity-log flush to 0G Storage and
+ * anchor on chain via iNFT updateSlots. Useful pre-transfer or as a
+ * scheduled cron. Per-turn auto-sync covers the common path; this is the
+ * "force flush now" backstop.
+ *
+ * Phase 11: in sandbox mode (`deployTarget === 'sandbox'`), proxy to the
+ * remote harness's POST /sync — agent privkey lives in the container, so
+ * the laptop never needs to decrypt the keystore.
+ */
+export async function runSync(): Promise<void> {
+  intro('promus sync')
+
+  const loaded = await findAndLoadConfig()
+  if (!loaded) {
+    cancel('No promus.config.ts found. Run `promus init` first.')
+    return
+  }
+  const { config } = loaded
+  if (!config.identity.iNFT || !config.identity.agent) {
+    cancel('Config has no iNFT or agent. Run `promus init` first.')
+    return
+  }
+
+  // Sandbox-mode proxy: POST /sync, render result. Skip keystore decrypt.
+  if (config.deployTarget === 'sandbox' && config.sandbox?.endpoint && config.sandbox.id) {
+    const operator = await loadOrPickOperatorSigner({
+      network: config.network,
+      hint: config.operator,
+    })
+    if (!operator) {
+      cancel('No operator wallet available.')
+      return
+    }
+    const { SandboxClient } = await import('../sandbox/client')
+    const operatorAccount = await operator.account()
+    const client = new SandboxClient({
+      endpoint: config.sandbox.endpoint,
+      sandboxId: config.sandbox.id,
+      operator: operatorAccount,
+    })
+    const sFlush = spinner()
+    sFlush.start('Forcing remote harness flush via POST /sync')
+    try {
+      const r = await client.sync()
+      if (r.tx) {
+        sFlush.stop(`flushed ${r.slots.length} slot(s)`)
+        outro(['', `  slots: ${r.slots.join(', ')}`, `  tx: ${r.tx}`].join('\n'))
+      } else {
+        sFlush.stop('nothing to sync (everything up to date)')
+      }
+    } catch (e) {
+      sFlush.stop(`sync failed: ${(e as Error).message.slice(0, 200)}`)
+    }
+    await operator.close?.()
+    return
+  }
+
+  const network = config.network
+  const contractAddress = config.identity.iNFT.contract as Address
+  const tokenId = BigInt(config.identity.iNFT.tokenId)
+  const agentAddress = config.identity.agent as Address
+  const finalAgentId = iNFTAgentId({ contractAddress, tokenId })
+  const paths = agentPaths.agent(finalAgentId)
+
+  const operator = await loadOrPickOperatorSigner({ network, hint: config.operator })
+  if (!operator) {
+    cancel('No operator wallet available; cannot decrypt keystore to sync.')
+    return
+  }
+
+  const sUnlock = spinner()
+  sUnlock.start('Fetching keystore + decrypting via operator')
+  let agentPrivkey: Hex
+  let profileKey: Buffer
+  try {
+    const decrypted = await withSilencedConsole(() =>
+      fetchAndDecryptKeystore({
+        network,
+        contractAddress,
+        tokenId,
+        signer: operator,
+        agentAddress,
+        cachePath: paths.keystore,
+      }),
+    )
+    agentPrivkey = decrypted.privkeyHex
+    // v0.23.0: derive PROFILE scope key alongside the keystore decrypt so the
+    // /sync flush can re-encrypt and anchor user/profile.md in the same batched
+    // updateSlots tx. One EIP-712 sign per scope; cheap because the operator
+    // is already on the live signing surface.
+    profileKey = await deriveBlobKey(operator, agentAddress, OPERATOR_BLOB_SCOPES.PROFILE)
+    sUnlock.stop(`unlocked (source: ${decrypted.source})`)
+  } catch (e) {
+    sUnlock.stop(`unlock failed: ${(e as Error).message.slice(0, 160)}`)
+    await operator.close?.()
+    return
+  }
+  await operator.close?.()
+
+  const sFlush = spinner()
+  sFlush.start('Diffing memory + activity, uploading changed blobs, anchoring on chain')
+  try {
+    const res = await withSilencedConsole(async () => {
+      const sync = new MemorySyncManager({
+        network,
+        agentId: finalAgentId,
+        agentPrivkey,
+        agentAddress,
+        contractAddress,
+        tokenId,
+        profileKey,
+      })
+      await sync.init()
+      return await sync.flushAll()
+    })
+    if (res.txHash) {
+      sFlush.stop(`anchored ${res.changedSlots.length} slot(s)`)
+      outro(
+        [
+          '',
+          `  slots updated: ${res.changedSlots.join(', ')}`,
+          `  tx: ${explorerTxUrl(network, res.txHash)}`,
+        ].join('\n'),
+      )
+    } else {
+      sFlush.stop('nothing to sync (everything up to date)')
+    }
+  } catch (e) {
+    sFlush.stop(`sync failed: ${(e as Error).message.slice(0, 200)}`)
+  }
+}

package/src/commands/telegram-remove.ts

@@ -0,0 +1,65 @@
+import { cancel, confirm, intro, isCancel, note, outro } from '@clack/prompts'
+import { iNFTAgentId } from '@promus/core'
+import { getAddress } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+import { writeConfigTs } from '../config/render'
+import {
+  removeTelegramSecrets,
+  telegramSecretsExist,
+  telegramSecretsPath,
+} from '../util/telegram-secrets'
+
+export interface TelegramRemoveOpts {
+  yes?: boolean
+}
+
+export async function runTelegramRemove(opts: TelegramRemoveOpts = {}): Promise<void> {
+  intro('promus telegram remove')
+
+  const loaded = await findAndLoadConfig()
+  if (!loaded) {
+    cancel('No promus.config.ts found. Run `promus init` first.')
+    return
+  }
+  const { config, path: configPath } = loaded
+  if (!config.identity.iNFT || !config.identity.agent) {
+    cancel('Config has no iNFT or agent. Run `promus init` first.')
+    return
+  }
+
+  const inftContract = getAddress(config.identity.iNFT.contract)
+  const tokenId = BigInt(config.identity.iNFT.tokenId)
+  const agentId = iNFTAgentId({ contractAddress: inftContract, tokenId })
+
+  if (!telegramSecretsExist(agentId)) {
+    note('Nothing to remove.')
+    outro('not configured')
+    return
+  }
+
+  if (!opts.yes) {
+    const ok = (await confirm({
+      message: `Delete encrypted telegram-secrets for ${agentId}?`,
+      initialValue: false,
+    })) as boolean | symbol
+    if (isCancel(ok) || !ok) {
+      cancel('Aborted.')
+      return
+    }
+  }
+
+  await removeTelegramSecrets(agentId)
+
+  const plugins = (config.plugins ?? []).filter(p => p !== 'telegram')
+  if (plugins.length !== (config.plugins ?? []).length) {
+    const updated = { ...config, plugins }
+    await writeConfigTs(configPath, updated, { subname: config.subname })
+  }
+
+  note(
+    `Local blob deleted: ${telegramSecretsPath(agentId)}\nThe bot token at @BotFather is STILL VALID. To fully revoke, run /token in\n@BotFather and pick "Revoke" for this bot.`,
+    'reminder',
+  )
+
+  outro('telegram removed')
+}

package/src/commands/telegram-setup.ts

@@ -0,0 +1,74 @@
+import { cancel, intro, note, outro } from '@clack/prompts'
+import { iNFTAgentId } from '@promus/core'
+import { type Address, getAddress } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+import { loadOrPickOperatorSigner } from './init/operator-picker'
+import { runTelegramStep } from './init/telegram-step'
+
+/**
+ * `promus telegram setup` — standalone entry. Loads the operator wallet, then
+ * delegates to `runTelegramStep` (the same helper bundled into `promus init`'s
+ * Phase E). Owns its own intro/outro framing.
+ */
+export async function runTelegramSetup(): Promise<void> {
+  intro('promus telegram setup')
+
+  const loaded = await findAndLoadConfig()
+  if (!loaded) {
+    cancel('No promus.config.ts found. Run `promus init` first.')
+    return
+  }
+  const { config, path: configPath } = loaded
+  if (!config.identity.iNFT || !config.identity.agent) {
+    cancel('Config has no iNFT or agent. Run `promus init` first.')
+    return
+  }
+
+  const agentAddress = getAddress(config.identity.agent) as Address
+  const inftContract = getAddress(config.identity.iNFT.contract) as Address
+  const tokenId = BigInt(config.identity.iNFT.tokenId)
+  const agentId = iNFTAgentId({ contractAddress: inftContract, tokenId })
+
+  const operator = await loadOrPickOperatorSigner({
+    network: config.network,
+    hint: config.operator,
+  })
+  if (!operator) {
+    cancel('No operator wallet available; cannot encrypt secrets.')
+    return
+  }
+
+  let result: Awaited<ReturnType<typeof runTelegramStep>>
+  try {
+    result = await runTelegramStep({
+      signer: operator,
+      agentId,
+      agentAddress,
+      configPath,
+      config,
+      network: config.network,
+    })
+  } finally {
+    await operator.close?.()
+  }
+
+  if (!result.configured) {
+    cancel(result.cancelled ? 'Aborted.' : 'Setup failed.')
+    return
+  }
+
+  const isSandbox = config.deployTarget === 'sandbox' && config.sandbox?.endpoint
+  if (isSandbox) {
+    note(
+      'Sandbox-mode agent: secrets are stored locally now, but the harness inside\nthe Daytona container needs them too. Run `promus upgrade` to ship them across\nthe handoff envelope.',
+      'sandbox handoff pending',
+    )
+  } else {
+    note(
+      `Open https://t.me/${result.botUsername} in Telegram and send any message.\nThen run \`promus\` (or \`promus gateway start\`) to bring the agent online.`,
+      'next step',
+    )
+  }
+
+  outro(`telegram setup complete (@${result.botUsername}, mode: ${result.modeUsed})`)
+}

package/src/commands/telegram-status.ts

@@ -0,0 +1,89 @@
+import { cancel, intro, log, outro, spinner } from '@clack/prompts'
+import { iNFTAgentId } from '@promus/core'
+import { type Address, getAddress } from 'viem'
+import { findAndLoadConfig } from '../config/load'
+import {
+  fetchBotInfo,
+  loadTelegramSecrets,
+  telegramSecretsExist,
+  telegramSecretsPath,
+} from '../util/telegram-secrets'
+import { loadOrPickOperatorSigner } from './init/operator-picker'
+
+export async function runTelegramStatus(): Promise<void> {
+  intro('promus telegram status')
+
+  const loaded = await findAndLoadConfig()
+  if (!loaded) {
+    cancel('No promus.config.ts found. Run `promus init` first.')
+    return
+  }
+  const { config } = loaded
+  if (!config.identity.iNFT || !config.identity.agent) {
+    cancel('Config has no iNFT or agent. Run `promus init` first.')
+    return
+  }
+
+  const agentAddress = getAddress(config.identity.agent) as Address
+  const inftContract = getAddress(config.identity.iNFT.contract) as Address
+  const tokenId = BigInt(config.identity.iNFT.tokenId)
+  const agentId = iNFTAgentId({ contractAddress: inftContract, tokenId })
+  const path = telegramSecretsPath(agentId)
+
+  if (!telegramSecretsExist(agentId)) {
+    log.warn(`No telegram secrets stored for ${agentId}.`)
+    log.info(`Expected at: ${path}\nRun \`promus telegram setup\` to configure.`)
+    outro('not configured')
+    return
+  }
+
+  const operator = await loadOrPickOperatorSigner({
+    network: config.network,
+    hint: config.operator,
+  })
+  if (!operator) {
+    cancel('No operator wallet available; cannot decrypt secrets.')
+    return
+  }
+
+  const sLoad = spinner()
+  sLoad.start('Decrypting telegram secrets via operator wallet')
+  let secrets: Awaited<ReturnType<typeof loadTelegramSecrets>>
+  try {
+    secrets = await loadTelegramSecrets({ signer: operator, agentAddress, agentId })
+    sLoad.stop('decrypted')
+  } catch (e) {
+    sLoad.stop(`decrypt failed: ${(e as Error).message.slice(0, 200)}`)
+    await operator.close?.()
+    return
+  } finally {
+    await operator.close?.()
+  }
+  if (!secrets) {
+    cancel('Empty telegram-secrets blob.')
+    return
+  }
+
+  const sPing = spinner()
+  sPing.start('Pinging Telegram getMe')
+  try {
+    const info = await fetchBotInfo(secrets.botToken)
+    sPing.stop(`bot ok: @${info.username} (id ${info.id})`)
+  } catch (e) {
+    sPing.stop(`getMe failed: ${(e as Error).message.slice(0, 200)}`)
+    log.warn('Token may have been revoked at @BotFather. Re-run `promus telegram setup`.')
+    return
+  }
+
+  log.info(
+    [
+      `path             ${path}`,
+      `bot username     @${secrets.botUsername ?? '(unknown)'}`,
+      `bot id           ${secrets.botId ?? '(unknown)'}`,
+      `allowed user ids ${secrets.allowedUserIds.length === 0 ? '(open access)' : secrets.allowedUserIds.join(', ')}`,
+      `plugin enabled   ${(config.plugins ?? []).includes('telegram') ? 'yes' : 'no — add `telegram` to plugins'}`,
+    ].join('\n'),
+  )
+
+  outro(`telegram configured for ${agentId}`)
+}