@rubytech/taskmaster 1.11.2 → 1.12.0

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Taskmaster Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" type="image/png" href="./favicon.png" />
-    <script type="module" crossorigin src="./assets/index-s8s_YKvR.js"></script>
+    <script type="module" crossorigin src="./assets/index-DpMaqt-b.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-CpaEIgQy.css">
   </head>
   <body>

package/dist/gateway/control-ui.js

@@ -5,7 +5,7 @@ import { resolveAgentWorkspaceRoot } from "../agents/agent-scope.js";
 import { buildAgentSummaries } from "../commands/agents.config.js";
 import { DEFAULT_ASSISTANT_IDENTITY, resolveAssistantIdentity } from "./assistant-identity.js";
 import { resolveAgentBoundAccountId } from "../routing/bindings.js";
-import { detectOtpChannels } from "./public-chat/deliver-otp.js";
+import { detectOtpChannels, normalizeVerifyMethods } from "./public-chat/deliver-otp.js";
 import { resolvePublicAgentId } from "./public-chat/session.js";
 import { findBrandLogo } from "./server-methods/brand.js";
 import { buildControlUiAvatarUrl, CONTROL_UI_AVATAR_PREFIX, normalizeControlUiBasePath, resolveAssistantAvatarUrl, } from "./control-ui-shared.js";
@@ -570,7 +570,7 @@ export function handlePublicChatHttpRequest(req, res, opts) {
     // Inject public-chat globals before </head>
     const publicScript = `<script>` +
         `window.__TASKMASTER_PUBLIC_CHAT__=true;` +
-        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ accountId, auth: authMode, cookieTtlDays, otpChannels, verifyMethods: config.publicChat?.verifyMethods ?? ["phone"], greeting: config.publicChat?.greetings?.[accountId] || undefined })};` +
+        `window.__TASKMASTER_PUBLIC_CHAT_CONFIG__=${JSON.stringify({ accountId, auth: authMode, cookieTtlDays, otpChannels, verifyMethods: normalizeVerifyMethods(config.publicChat?.verifyMethods ?? ["whatsapp", "sms"]), greeting: config.publicChat?.greetings?.[accountId] || undefined })};` +
         `</script>`;
     const headClose = baseInjected.indexOf("</head>");
     const withPublic = headClose !== -1

package/dist/gateway/public-chat/deliver-otp.js

@@ -1,6 +1,9 @@
 /**
- * Deliver OTP verification codes via WhatsApp (primary), SMS (fallback), or email (Brevo).
+ * Deliver OTP verification codes via WhatsApp, SMS (Brevo), or email (Brevo).
  * Both SMS and email use the same Brevo API key — SMS requires prepaid credits.
+ *
+ * The admin controls which channels are enabled via `verifyMethods` config:
+ * "whatsapp", "sms", "email". The delivery logic only tries enabled channels.
  */
 import { getActiveWebListener } from "../../web/active-listener.js";
 import { sendMessageWhatsApp } from "../../web/outbound.js";
@@ -10,6 +13,27 @@ import { hasEmailApiKey, resolveEmailCredentials, sendEmail } from "./deliver-em
 function isEmail(identifier) {
     return identifier.includes("@");
 }
+/**
+ * Normalize verify methods — expand deprecated "phone" into ["whatsapp", "sms"].
+ * Returns a deduplicated array of canonical method names.
+ */
+export function normalizeVerifyMethods(methods) {
+    const result = new Set();
+    for (const m of methods) {
+        if (m === "phone") {
+            result.add("whatsapp");
+            result.add("sms");
+        }
+        else {
+            result.add(m);
+        }
+    }
+    return [...result];
+}
+/** Check whether any phone-based verify method is enabled. */
+export function hasPhoneMethod(methods) {
+    return methods.includes("whatsapp") || methods.includes("sms");
+}
 /**
  * Detect which OTP delivery channels are currently available.
  * Does not attempt delivery — used by the capabilities endpoint.
@@ -28,11 +52,12 @@ export function detectOtpChannels(whatsappAccountId) {
  * Deliver a verification code to the given identifier.
  *
  * Email identifiers (containing @) are sent via Brevo email API.
- * Phone identifiers use the existing WhatsApp -> SMS fallback chain.
- * Both SMS and email share the same Brevo API key.
+ * Phone identifiers try WhatsApp then SMS, but only channels that
+ * are enabled in `enabledMethods` are attempted.
  */
-export async function deliverOtp(identifier, code, accountId) {
+export async function deliverOtp(identifier, code, accountId, enabledMethods) {
     const message = `Your verification code is: ${code}`;
+    const methods = enabledMethods ?? ["whatsapp", "sms", "email"];
     // Email identifiers — deliver via Brevo email API
     if (isEmail(identifier)) {
         const emailCreds = await resolveEmailCredentials();
@@ -42,24 +67,33 @@ export async function deliverOtp(identifier, code, accountId) {
         await sendEmail(identifier, "Your verification code", message, emailCreds);
         return { channel: "email" };
     }
-    // Phone identifiers — WhatsApp first, SMS fallback
-    const hasWhatsApp = !!getActiveWebListener(accountId);
-    const smsCreds = await resolveSmsCredentials();
-    if (hasWhatsApp) {
+    // Phone identifiers — try enabled channels in order: WhatsApp, then SMS
+    const tryWhatsApp = methods.includes("whatsapp") && !!getActiveWebListener(accountId);
+    const trySms = methods.includes("sms");
+    if (tryWhatsApp) {
         try {
             await sendMessageWhatsApp(identifier, message, { verbose: false, accountId });
             return { channel: "whatsapp" };
         }
         catch {
-            // WhatsApp failed — fall through to SMS
+            // WhatsApp failed — fall through to SMS if enabled
         }
     }
-    if (smsCreds) {
-        await sendSms(identifier, message, smsCreds);
-        return { channel: "sms" };
+    if (trySms) {
+        const smsCreds = await resolveSmsCredentials();
+        if (smsCreds) {
+            await sendSms(identifier, message, smsCreds);
+            return { channel: "sms" };
+        }
     }
-    if (hasWhatsApp) {
-        throw new Error("Failed to send verification code via WhatsApp and SMS is not configured.");
+    // Build a specific error message based on what was tried
+    const tried = [];
+    if (methods.includes("whatsapp"))
+        tried.push("WhatsApp");
+    if (methods.includes("sms"))
+        tried.push("SMS");
+    if (tried.length === 0) {
+        throw new Error("No phone verification channel is enabled. Enable WhatsApp or SMS in Public Chat settings.");
     }
-    throw new Error("No verification channel available. Connect WhatsApp or add a Brevo API key with SMS credits.");
+    throw new Error(`Failed to send verification code via ${tried.join(" and ")}. Check that the channel is connected and configured.`);
 }

package/dist/gateway/public-chat/deliver-sms.js

@@ -1,18 +1,37 @@
 /**
  * Lightweight Brevo SMS sender — single HTTP POST, no SDK dependency.
  *
- * Uses the same Brevo API key as email delivery. The sender name is
- * auto-detected from the verified email sender's display name.
+ * Uses the same Brevo API key as email delivery. The SMS sender name comes
+ * from the same Brevo verified sender that email uses — matched by email
+ * address, so both channels present consistent branding.
  * SMS requires prepaid credits in the Brevo account.
  */
 import { loadConfig } from "../../config/config.js";
-/** Cached sender name — avoids hitting the API on every SMS. */
+import { resolveEmailCredentials } from "./deliver-email.js";
+/** Cached sender name (already truncated to ≤11 chars). */
 let cachedSenderName = null;
 /**
- * Query Brevo for the first active sender's display name.
- * Returns the sender name or "Verify" as a safe fallback.
+ * Truncate a sender name to fit the GSM alphanumeric sender limit (11 chars).
+ * Tries to break at a word boundary to avoid ugly truncations.
  */
-async function fetchSenderName(apiKey) {
+function truncateSender(name) {
+    if (name.length <= 11)
+        return name;
+    // Try the first word — often the business name
+    const firstWord = name.split(/\s/)[0];
+    if (firstWord.length <= 11)
+        return firstWord;
+    // Last resort: hard truncate
+    return name.slice(0, 11);
+}
+/**
+ * Resolve the SMS sender name from Brevo's verified senders.
+ *
+ * If an email address is provided (from config), finds the matching sender
+ * and uses its display name — this ensures SMS and email use the same identity.
+ * Falls back to the first active sender, then "Verify" as a safe default.
+ */
+async function fetchSenderName(apiKey, matchEmail) {
     try {
         const res = await fetch("https://api.brevo.com/v3/senders", {
             headers: { "api-key": apiKey, Accept: "application/json" },
@@ -20,8 +39,17 @@ async function fetchSenderName(apiKey) {
         if (!res.ok)
             return "Verify";
         const json = (await res.json());
-        const active = json.senders?.find((s) => s.active && s.name);
-        return active?.name ?? json.senders?.[0]?.name ?? "Verify";
+        const senders = json.senders ?? [];
+        // Match the sender whose email matches the one configured for email delivery
+        if (matchEmail) {
+            const match = senders.find((s) => s.email?.toLowerCase() === matchEmail.toLowerCase() && s.name);
+            if (match?.name)
+                return truncateSender(match.name);
+        }
+        // Fallback: first active sender with a name
+        const active = senders.find((s) => s.active && s.name);
+        const raw = active?.name ?? senders[0]?.name ?? "Verify";
+        return truncateSender(raw);
     }
     catch {
         return "Verify";
@@ -38,8 +66,10 @@ export function hasSmsApiKey() {
 /**
  * Resolve SMS credentials from config.
  *
- * Uses the same Brevo API key as email. The sender name is resolved
- * from the cached value or fetched from the Brevo senders API.
+ * Uses the same Brevo API key as email. The sender name is resolved by asking
+ * the email delivery module which sender it uses, then finding that sender's
+ * display name in Brevo. This ensures both email and SMS present the same
+ * brand identity. The name is truncated to 11 characters (GSM limit).
  * Returns null if no API key is configured.
  */
 export async function resolveSmsCredentials() {
@@ -47,10 +77,15 @@ export async function resolveSmsCredentials() {
     const apiKey = cfg.publicChat?.email?.apiKey;
     if (!apiKey)
         return null;
-    if (cachedSenderName && cachedSenderName.apiKey === apiKey) {
+    if (cachedSenderName &&
+        cachedSenderName.apiKey === apiKey &&
+        cachedSenderName.name.length <= 11) {
         return { apiKey, sender: cachedSenderName.name };
     }
-    const name = await fetchSenderName(apiKey);
+    // Resolve the email address that email delivery uses — ensures SMS matches
+    // the same Brevo sender regardless of whether `from` is set in config.
+    const emailCreds = await resolveEmailCredentials();
+    const name = await fetchSenderName(apiKey, emailCreds?.from);
     cachedSenderName = { apiKey, name };
     return { apiKey, sender: name };
 }
@@ -74,7 +109,7 @@ export async function sendSms(to, body, creds) {
     });
     if (!res.ok) {
         const text = await res.text().catch(() => "");
-        throw new Error(`Brevo SMS failed (${res.status}): ${text}`);
+        throw new Error(`Brevo SMS failed (${res.status}): ${text} [sender=${JSON.stringify(creds.sender)}, recipient=${to}]`);
     }
     const json = (await res.json());
     return { id: String(json.messageId ?? "unknown") };

package/dist/gateway/public-chat-api.js

@@ -36,7 +36,7 @@ import { createInternalHookEvent, triggerInternalHook } from "../hooks/internal-
 import { emitAgentEvent, onAgentEvent } from "../infra/agent-events.js";
 import { INTERNAL_MESSAGE_CHANNEL } from "../utils/message-channel.js";
 import { requestOtp, verifyOtp } from "./public-chat/otp.js";
-import { deliverOtp, detectOtpChannels } from "./public-chat/deliver-otp.js";
+import { deliverOtp, detectOtpChannels, hasPhoneMethod, normalizeVerifyMethods, } from "./public-chat/deliver-otp.js";
 import { buildPublicSessionKey, resolvePublicAgentId } from "./public-chat/session.js";
 import { loadSessionEntry, readSessionMessages } from "./session-utils.js";
 import { extractFileAttachments, sanitizeMediaForChat, stripEnvelopeFromMessages, } from "./chat-sanitize.js";
@@ -228,10 +228,10 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
         : typeof payload.phone === "string"
             ? payload.phone.trim()
             : "";
-    const isEmail = rawIdentifier.includes("@");
-    const verifyMethods = cfg.publicChat?.verifyMethods ?? ["phone"];
+    const isEmailId = rawIdentifier.includes("@");
+    const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
     let identifier;
-    if (isEmail) {
+    if (isEmailId) {
         if (!verifyMethods.includes("email")) {
             sendForbidden(res, "email verification is not enabled for this account");
             return;
@@ -243,7 +243,7 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
         }
     }
     else {
-        if (!verifyMethods.includes("phone")) {
+        if (!hasPhoneMethod(verifyMethods)) {
             sendForbidden(res, "phone verification is not enabled for this account");
             return;
         }
@@ -265,8 +265,13 @@ async function handleOtpRequest(req, res, accountId, cfg, maxBodyBytes) {
     // OTP code is sent from the correct number (not the first active account).
     const agentId = resolvePublicAgentId(cfg, accountId);
     const whatsappAccountId = resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined;
+    // Narrow delivery to visitor's preferred channel if specified and admin-enabled
+    const preferredChannel = typeof payload.channel === "string" ? payload.channel : undefined;
+    const deliveryMethods = preferredChannel && verifyMethods.includes(preferredChannel)
+        ? [preferredChannel]
+        : verifyMethods;
     try {
-        const delivery = await deliverOtp(identifier, result.code, whatsappAccountId);
+        const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods);
         sendJson(res, 200, { ok: true, channel: delivery.channel });
     }
     catch (err) {
@@ -751,7 +756,7 @@ async function handleCapabilities(req, res, accountId, cfg) {
         return;
     }
     const authMode = cfg.publicChat?.auth ?? "anonymous";
-    const verifyMethods = cfg.publicChat?.verifyMethods ?? ["phone"];
+    const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
     const agentId = resolvePublicAgentId(cfg, accountId);
     const whatsappAccountId = resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined;
     const channels = detectOtpChannels(whatsappAccountId);

package/dist/gateway/server-methods/public-chat.js

@@ -6,7 +6,7 @@ import { resolveAgentBoundAccountId } from "../../routing/bindings.js";
 import { generateGreeting } from "../../suggestions/greeting.js";
 import { ErrorCodes, errorShape } from "../protocol/index.js";
 import { requestOtp, verifyOtp } from "../public-chat/otp.js";
-import { deliverOtp } from "../public-chat/deliver-otp.js";
+import { deliverOtp, hasPhoneMethod, normalizeVerifyMethods } from "../public-chat/deliver-otp.js";
 import { buildPublicSessionKey, resolvePublicAgentId } from "../public-chat/session.js";
 /** Strip spaces, dashes, and parentheses from a phone number. */
 function normalizePhone(raw) {
@@ -46,10 +46,10 @@ export const publicChatHandlers = {
             respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "public chat disabled"));
             return;
         }
-        const isEmail = rawIdentifier.includes("@");
-        const verifyMethods = cfg.publicChat?.verifyMethods ?? ["phone"];
+        const isEmailId = rawIdentifier.includes("@");
+        const verifyMethods = normalizeVerifyMethods(cfg.publicChat?.verifyMethods ?? ["whatsapp", "sms"]);
         let identifier;
-        if (isEmail) {
+        if (isEmailId) {
             if (!verifyMethods.includes("email")) {
                 respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "email verification is not enabled"));
                 return;
@@ -61,7 +61,7 @@ export const publicChatHandlers = {
             }
         }
         else {
-            if (!verifyMethods.includes("phone")) {
+            if (!hasPhoneMethod(verifyMethods)) {
                 respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "phone verification is not enabled"));
                 return;
             }
@@ -82,8 +82,13 @@ export const publicChatHandlers = {
         const whatsappAccountId = agentId
             ? (resolveAgentBoundAccountId(cfg, agentId, "whatsapp") ?? undefined)
             : undefined;
+        // Narrow delivery to visitor's preferred channel if specified and admin-enabled
+        const preferredChannel = typeof params.channel === "string" ? params.channel : undefined;
+        const deliveryMethods = preferredChannel && verifyMethods.includes(preferredChannel)
+            ? [preferredChannel]
+            : verifyMethods;
         try {
-            const delivery = await deliverOtp(identifier, result.code, whatsappAccountId);
+            const delivery = await deliverOtp(identifier, result.code, whatsappAccountId, deliveryMethods);
             respond(true, { ok: true, channel: delivery.channel });
         }
         catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/taskmaster",
-  "version": "1.11.2",
+  "version": "1.12.0",
   "description": "AI-powered business assistant for small businesses",
   "publishConfig": {
     "access": "public"

package/skills/brevo/references/sms-credits.md

@@ -2,7 +2,9 @@
 
 Walk the user through purchasing SMS credits in Brevo. SMS verification uses the same Brevo API key as email — no additional configuration in Taskmaster. The user just needs credits in their Brevo account.
 
-**Important:** SMS credits are prepaid and never expire. Pricing varies by country (see below). The SMS sender name is auto-detected from the user's verified email sender in Brevo — no manual configuration needed.
+**Important:** SMS credits are prepaid and never expire. The cost depends on the destination country and number of messages.
+
+**SMS sender name:** The name that appears on the SMS (e.g. "Taskmaster") is taken from the same Brevo verified sender used for email — matched by email address. If you have multiple senders in Brevo, the one whose email matches the configured sender is used. The name is truncated to 11 characters (GSM limit) — if longer, the first word is used (e.g. "Rubytech LLC" becomes "Rubytech"). To control the SMS sender name, edit the sender's display name in Brevo under **Senders, Domains & Dedicated IPs → Senders**.
 
 ---
 
@@ -21,38 +23,43 @@ Walk the user through purchasing SMS credits in Brevo. SMS verification uses the
 
 ## Step 2: Purchase SMS credits
 
-> "1. Go to **brevo.com** and log in
-> 2. In the **top-right toolbar**, click the **gear icon** (⚙️) to open **Settings**
-> 3. In the left sidebar, look for **Your plan** or **Billing** under your account settings
-> 4. Find the **SMS credits** section and click **Buy credits**
-> 5. Choose how many credits you need:
->    - **100 credits** is a good starting amount for verification codes
->    - Each SMS uses 1 credit
->    - Credits never expire
-> 6. Complete the purchase
+**Navigation: Dashboard home → lightning icon (top-right toolbar) → "Campaign usage and plan" popup → SMS section → "Get more credits".**
+
+> "1. Go to **app.brevo.com** and log in — you should see the main dashboard ('Hello [name]')
+> 2. In the **top-right toolbar**, click the **lightning bolt icon** (⚡) — it's to the left of the help (?) and gear (⚙️) icons
+> 3. A **'Campaign usage and plan'** popup appears showing your plan, email credits, and SMS credits
+> 4. Under the **SMS** section (shows '0 credits left' if you haven't bought any), click **'Get more credits'**
+> 5. On the **'Add messages credits'** page:
+>    - **Type of message** — select **SMS**
+>    - **Number of messages** — enter **100** (a good starting amount for verification codes)
+>    - **Message destination** — select your country (e.g. **United Kingdom**)
+>    - The **Purchase summary** on the right shows the total cost
+> 6. Click **'Proceed to checkout'** and complete the purchase
 >
 > Let me know when that's done."
 
+If the user can't find the lightning icon:
+
+> "In the top-right toolbar of the Brevo dashboard, there are several small icons. The lightning bolt (⚡) is the first one on the left, before the help (?), gear (⚙️), bell (🔔), and chart icons. Click that — it opens a popup showing your plan and credits."
+
 Wait for the user to confirm.
 
 ## Step 3: Confirm
 
-> "SMS verification is now enabled. When a visitor verifies their phone number and WhatsApp is unavailable, the verification code will be sent by text message instead. No restart or configuration change needed — it works automatically with your existing Brevo API key."
+> "SMS credits are ready. To enable SMS verification, go to the **Setup** page → **Public Chat** settings → check the **SMS** checkbox under verification methods. You can enable SMS alongside WhatsApp, or on its own. When a visitor chooses SMS on the public chat page, the code is sent by text message. No restart needed — it uses your existing Brevo API key."
 
 ---
 
 ## Pricing reference
 
-Approximate SMS credit costs (varies by country):
+Pricing depends on the destination country and volume. The exact cost is shown on the checkout page when you select a country and message count. As a rough guide:
 
-| Region | Cost per 100 credits |
-|--------|---------------------|
+| Destination | 100 messages |
+|-------------|-------------|
+| UK | ~£2.82 |
 | US / Canada | ~$1.09 |
-| UK | ~$3.45 |
-| Australia | ~$5.50 |
-| EU (varies) | ~$3.00–$7.00 |
 
-Exact pricing is shown during purchase in the Brevo dashboard.
+Credits are called "message credits" and can be used for SMS. On the free plan, WhatsApp messages via Brevo require a Professional plan upgrade — but we don't use Brevo for WhatsApp, so this doesn't apply.
 
 ---
 
@@ -61,8 +68,9 @@ Exact pricing is shown during purchase in the Brevo dashboard.
 | Question | Answer |
 |----------|--------|
 | "Do credits expire?" | No — prepaid SMS credits never expire. |
-| "How many credits per SMS?" | One credit per message. Each verification code is one SMS. |
+| "How many credits per SMS?" | Depends on the destination country. The purchase page shows the exact conversion (e.g. 316.5 credits = 100 UK messages). |
 | "What phone number do SMS come from?" | Brevo assigns a sender automatically based on the destination country. You don't need to buy or manage a phone number. |
-| "What name appears on the SMS?" | The sender name from your verified email sender in Brevo (e.g. your business name). Taskmaster detects this automatically. |
+| "What name appears on the SMS?" | The display name from the same Brevo verified sender used for email (matched by email address). Must be 11 characters or fewer — if longer, the first word is used. Edit sender names under **Senders, Domains & Dedicated IPs → Senders** in Brevo. |
 | "Do I need to change anything in Taskmaster?" | No. If your Brevo API key is already configured, SMS works automatically when you have credits. |
 | "Can I use SMS without email?" | The Brevo API key is configured through the email setup, but once configured it serves both email and SMS. You need at least one verified sender. |
+| "Where do I check my remaining credits?" | Click the lightning bolt icon (⚡) in the top-right toolbar. The popup shows your SMS credits remaining. |

package/taskmaster-docs/USER-GUIDE.md

@@ -557,6 +557,31 @@ Your assistant can manage who has admin access — the same as using the Admins
 - "Who are my current admins?"
 - "Remove the old number ending in 789 from admins"
 
+### System Administration
+
+Your assistant can check and manage many system settings directly through chat — the same things you'd normally check in the Setup page on the control panel. Think of it as a shortcut: instead of opening the control panel and navigating to the right setting, just ask.
+
+| Capability | Description |
+|------------|-------------|
+| System status | Check gateway health, WhatsApp/iMessage connections, Claude authentication, license, software version |
+| Usage and cost | See how many tokens you've used and what it's costing, broken down by provider |
+| Channel settings | Change the AI model, thinking level, DM policy, or group chat policy for your WhatsApp accounts |
+| Branding | Update your accent or background colour |
+| Public chat | Enable or disable the public chat widget, change the greeting, set visitor verification |
+| Skills | List, create, delete, or toggle skills |
+| Logs | Review system and session logs for troubleshooting |
+
+**Try asking:**
+- "How's the system doing?"
+- "What's my usage this month?"
+- "Is WhatsApp connected?"
+- "Switch WhatsApp to a cheaper model"
+- "Change the accent colour to blue"
+- "Enable public chat"
+- "Show me the recent logs"
+
+> **Note:** Some things still need the control panel: scanning WhatsApp QR codes, uploading logos, WiFi setup, Tailscale remote access, and PIN management. Your assistant will tell you when to open the control panel and where to go.
+
 ### Web Browsing
 
 Your assistant can open and interact with websites in a built-in browser — filling in forms, clicking buttons, and navigating pages. You can watch what it's doing on the **Browser** page in real time, and take over if it needs help (for example, to complete a CAPTCHA or log in to a site).
@@ -1001,6 +1026,21 @@ If the Pi checks pass but the control panel still doesn't load from another devi
 2. **Check you're on the same subnet** — mDNS only works between devices on the same network subnet. It won't work across separate subnets, VLANs, or guest networks. A common cause: the Pi is on Ethernet while your device is on WiFi, and your router assigns them to different subnets. Check by comparing the first three groups of your IP addresses (e.g. if the Pi is `192.168.88.4` and your laptop is `192.168.10.172`, they're on different subnets).
 3. **Contact support** with: what you changed (port/hostname), the output of `hostname`, `grep 127.0.1.1 /etc/hosts`, and `taskmaster daemon status`.
 
+#### Hostname changed to `taskmaster-2.local` (or similar)
+
+If your control panel URL suddenly stops working and you notice the hostname has a `-2` (or `-3`) suffix, the Pi detected a name conflict on the network and renamed itself.
+
+**When this happens:** If you unplug the Ethernet cable while the Pi is already running on WiFi, the Pi briefly had two network connections active at the same time. Its hostname detection saw its own name coming from the Ethernet side and treated it as a conflict, adding a `-2` suffix.
+
+**Fix:**
+
+1. Power the Pi off completely (not just restart — fully power off)
+2. Wait at least 2 minutes (this lets the mDNS name cache clear on all devices on the network)
+3. Power the Pi back on
+4. Access the control panel using your normal URL
+
+**To avoid this in future:** Connect via WiFi first, then remove the Ethernet cable — don't unplug Ethernet while the Pi is running with both cables connected.
+
 ### Static IP Address
 
 You don't need to assign a static IP address — Taskmaster uses a `.local` hostname that resolves automatically via mDNS, even if the IP changes after a reboot or DHCP renewal. You'll always find your control panel at the same `.local` address.
@@ -1467,16 +1507,19 @@ By default, anyone who opens the public chat can start a conversation immediatel
 1. Go to the **Setup** page
 2. Find the **Public Chat** status card
 3. Click the settings icon to open the verification settings modal
-4. Choose a verification method:
+4. Choose an auth mode: **Anonymous** (no verification), **Verified** (must verify before chatting), or **Visitor chooses** (can chat immediately or verify for cross-device continuity)
+5. Select which verification channels to enable — three independent checkboxes:
+
+| Channel | How it works | What you need |
+|---------|-------------|---------------|
+| **WhatsApp** | Verification code sent via WhatsApp | A connected WhatsApp account |
+| **SMS** | Verification code sent by text message | Same [Brevo](https://brevo.com) API key as email, plus prepaid SMS credits in your Brevo account |
+| **Email** | Verification code sent by email | A [Brevo](https://brevo.com) API key and a verified sender (free, no credit card) |
 
-| Method | How it works | What you need |
-|--------|-------------|---------------|
-| **Anonymous** | No verification — visitors chat immediately | Nothing (default) |
-| **Email OTP** | Visitors enter their email, receive a one-time code | A [Brevo](https://brevo.com) API key and a verified sender (free, no credit card). The sender address is configured in Brevo, not in Taskmaster. |
-| **SMS OTP** | Visitors enter their phone number, receive a one-time code | Same [Brevo](https://brevo.com) API key as email, plus prepaid SMS credits in your Brevo account |
+   When both WhatsApp and SMS are enabled, phone verification tries WhatsApp first and falls back to SMS. To use SMS only, uncheck WhatsApp.
 
-5. Enter your provider credentials — add the Brevo API key in the **API Keys** section on the Setup page. The same key serves both email and SMS verification. For SMS, purchase SMS credits in your Brevo dashboard.
-6. Settings auto-save when you leave each field
+6. Enter your provider credentials — add the Brevo API key in the **API Keys** section on the Setup page. The same key serves both email and SMS verification. For SMS, purchase SMS credits in your Brevo dashboard.
+7. Settings auto-save when you change a checkbox or leave a field
 
 Once enabled, visitors must authenticate before they can send their first message. Verified contact details are stored and available to the agent via the `verify_contact` tool, so your assistant knows who it's talking to.