bloby-bot 0.60.1 → 0.62.0

package/supervisor/index.ts

@@ -551,6 +551,14 @@ export async function startSupervisor() {
     'POST /api/channels/whatsapp/react',
     'POST /api/channels/send',
     'POST /api/channels/alexa/handle',
+    // NOTE: 'POST /api/channels/telegram/connect' is NOT public — it sets the bot token, so it is
+    // gated in-handler (first run open, portal token required once a password is set), like /api/onboard.
+    'GET /api/channels/telegram/pair-page',
+    'GET /api/channels/telegram/status',
+    'POST /api/channels/telegram/configure',
+    'POST /api/channels/telegram/disconnect',
+    'POST /api/channels/telegram/reconnect',
+    'POST /api/channels/telegram/logout',
   ];
   // Method-specific public PREFIXES — onboarding namespaces with sub-paths / params that carry no
   // private chat data: provider OAuth setup/status (all of /api/auth/*), and handle availability
@@ -677,6 +685,11 @@ export async function startSupervisor() {
         'POST /api/channels/whatsapp/logout',
         'POST /api/channels/whatsapp/pairing-code',
         'POST /api/channels/send',
+        // Telegram mutation endpoints that seize/alter the agent — agent-driven over loopback only.
+        'POST /api/channels/telegram/configure',
+        'POST /api/channels/telegram/disconnect',
+        'POST /api/channels/telegram/reconnect',
+        'POST /api/channels/telegram/logout',
       ]);
       if (WA_MUTATION_ROUTES.has(`${req.method} ${channelPath}`)) {
         const remoteIp = req.socket.remoteAddress || '';
@@ -1348,6 +1361,388 @@ mint();
         return;
       }
 
+      // ── Telegram (BYO bot — the user pastes a @BotFather token; we validate it and
+      //    long-poll Telegram DIRECTLY. NO relay anywhere in the pairing or message path) ──
+
+      // POST /api/channels/telegram/connect — { botToken }. Sets the agent's bot token, so it is
+      // GATED like /api/onboard: open only on genuine first run (no portal_pass yet); once a portal
+      // password is set it requires a valid Bearer token (the pair-page sends the dashboard's
+      // bloby_token). Without this gate, any unauthenticated caller over the tunnel could inject
+      // their own bot token and hijack the channel (and, via trust-on-first-use, the agent).
+      if (req.method === 'POST' && channelPath === '/api/channels/telegram/connect') {
+        let body = '';
+        let tooLarge = false;
+        req.on('data', (chunk: Buffer) => {
+          body += chunk.toString();
+          if (body.length > 8_000) { tooLarge = true; req.destroy(); }
+        });
+        req.on('error', () => {
+          if (res.headersSent) return;
+          res.writeHead(400);
+          res.end(JSON.stringify({ ok: false, error: 'read-error' }));
+        });
+        req.on('end', () => {
+          (async () => {
+            try {
+              if (tooLarge) {
+                res.writeHead(413);
+                res.end(JSON.stringify({ ok: false, error: 'body-too-large' }));
+                return;
+              }
+              // Auth gate (matches /api/onboard): internal calls bypass; otherwise require a valid
+              // portal token whenever a password is set. First run (no password) stays open.
+              if (req.headers['x-internal'] !== internalSecret && await isAuthRequired()) {
+                const auth = req.headers.authorization;
+                const tok = auth?.startsWith('Bearer ') ? auth.slice(7) : null;
+                if (!tok || !(await validateToken(tok))) {
+                  res.writeHead(401);
+                  res.end(JSON.stringify({ ok: false, error: 'auth-required' }));
+                  return;
+                }
+              }
+
+              const data = JSON.parse(body || '{}');
+              const botToken = typeof data.botToken === 'string' ? data.botToken.trim() : '';
+              if (!botToken || !/^\d{6,}:[A-Za-z0-9_-]{30,}$/.test(botToken)) {
+                res.writeHead(400);
+                res.end(JSON.stringify({ ok: false, error: 'invalid-token-format' }));
+                return;
+              }
+              // Authoritative validation: ask Telegram who this token belongs to (with a timeout
+              // so a hung TLS connection can't wedge the request / the pair modal).
+              let me: any;
+              try {
+                const r = await fetch(`https://api.telegram.org/bot${encodeURIComponent(botToken)}/getMe`, { signal: AbortSignal.timeout(8000) });
+                me = await r.json().catch(() => ({}));
+              } catch {
+                res.writeHead(502);
+                res.end(JSON.stringify({ ok: false, error: 'telegram-unreachable' }));
+                return;
+              }
+              if (!me || me.ok !== true || !me.result || me.result.is_bot !== true) {
+                res.writeHead(400);
+                res.end(JSON.stringify({ ok: false, error: 'invalid-bot-token' }));
+                return;
+              }
+              const botUsername = me.result.username || undefined;
+              const cfg = loadConfig();
+              if (!cfg.channels) cfg.channels = {};
+              // On a token CHANGE (not a same-token reconnect), drop identity-bound fields so
+              // trust-on-first-use re-adopts the owner against the NEW bot — otherwise a stale
+              // ownerUserId/admins would silently lock out the new operator.
+              const prev = cfg.channels.telegram;
+              const tokenChanged = !!prev?.botToken && prev.botToken !== botToken;
+              cfg.channels.telegram = {
+                ...(prev || {}),
+                enabled: true,
+                mode: prev?.mode || 'channel',
+                botToken,
+                botUsername,
+                ...(tokenChanged ? { ownerUserId: undefined, admins: undefined } : {}),
+              };
+              saveConfig(cfg);
+              // Re-connecting with a new token: tear down any existing provider so init()
+              // reconnects with the new token (init() is a no-op when a provider already exists).
+              await channelManager.disconnectChannel('telegram').catch(() => {});
+              await channelManager.init().catch(() => {});
+              res.writeHead(200);
+              res.end(JSON.stringify({ ok: true, botUsername }));
+            } catch (err: any) {
+              log.warn(`[telegram/connect] ${err.message}`);
+              if (!res.headersSent) {
+                res.writeHead(500);
+                res.end(JSON.stringify({ ok: false, error: err.message }));
+              }
+            }
+          })();
+        });
+        return;
+      }
+
+      // POST /api/channels/telegram/configure — set mode + admins + skill (loopback-only).
+      if (req.method === 'POST' && channelPath === '/api/channels/telegram/configure') {
+        let body = '';
+        req.on('data', (chunk: Buffer) => { body += chunk.toString(); });
+        req.on('end', () => {
+          try {
+            const data = JSON.parse(body || '{}');
+            const cfg = loadConfig();
+            if (!cfg.channels) cfg.channels = {};
+            if (!cfg.channels.telegram) cfg.channels.telegram = { enabled: false, mode: 'channel' };
+            if (data.mode) cfg.channels.telegram.mode = data.mode;
+            if (data.admins !== undefined) cfg.channels.telegram.admins = data.admins;
+            if (data.skill !== undefined) cfg.channels.telegram.skill = data.skill;
+            if (data.allowGroups !== undefined) cfg.channels.telegram.allowGroups = !!data.allowGroups;
+            if (data.allowOthersToTrigger !== undefined) cfg.channels.telegram.allowOthersToTrigger = !!data.allowOthersToTrigger;
+            saveConfig(cfg);
+            res.writeHead(200);
+            res.end(JSON.stringify({ ok: true, config: { ...cfg.channels.telegram, botToken: cfg.channels.telegram.botToken ? '***' : undefined } }));
+          } catch (err: any) {
+            res.writeHead(400);
+            res.end(JSON.stringify({ error: err.message }));
+          }
+        });
+        return;
+      }
+
+      // POST /api/channels/telegram/disconnect — stop polling, KEEP the token (loopback-only).
+      if (req.method === 'POST' && channelPath === '/api/channels/telegram/disconnect') {
+        (async () => {
+          try {
+            await channelManager.disconnectChannel('telegram');
+            res.writeHead(200);
+            res.end(JSON.stringify({ ok: true }));
+          } catch (err: any) {
+            res.writeHead(500);
+            res.end(JSON.stringify({ ok: false, error: err.message }));
+          }
+        })();
+        return;
+      }
+
+      // POST /api/channels/telegram/logout — stop polling + forget the token (loopback-only).
+      if (req.method === 'POST' && channelPath === '/api/channels/telegram/logout') {
+        (async () => {
+          try {
+            await channelManager.disconnectChannel('telegram');
+            const cfg = loadConfig();
+            if (cfg.channels?.telegram) {
+              // "Forget the token" also forgets the identity bound to it, so a future bot re-adopts
+              // its owner cleanly via trust-on-first-use.
+              delete cfg.channels.telegram.botToken;
+              delete cfg.channels.telegram.ownerUserId;
+              delete cfg.channels.telegram.admins;
+              cfg.channels.telegram.enabled = false;
+              saveConfig(cfg);
+            }
+            res.writeHead(200);
+            res.end(JSON.stringify({ ok: true }));
+          } catch (err: any) {
+            res.writeHead(500);
+            res.end(JSON.stringify({ ok: false, error: err.message }));
+          }
+        })();
+        return;
+      }
+
+      // POST /api/channels/telegram/reconnect — resume polling an already-connected bot
+      // after a disconnect, without re-pairing (loopback-only).
+      if (req.method === 'POST' && channelPath === '/api/channels/telegram/reconnect') {
+        (async () => {
+          try {
+            const cfg = loadConfig();
+            if (!cfg.channels?.telegram?.botToken) {
+              res.writeHead(400);
+              res.end(JSON.stringify({ ok: false, error: 'no-bot-token' }));
+              return;
+            }
+            if (cfg.channels.telegram.enabled !== true) {
+              cfg.channels.telegram.enabled = true;
+              saveConfig(cfg);
+            }
+            await channelManager.init().catch(() => {});
+            res.writeHead(200);
+            res.end(JSON.stringify({ ok: true }));
+          } catch (err: any) {
+            res.writeHead(500);
+            res.end(JSON.stringify({ ok: false, error: err.message }));
+          }
+        })();
+        return;
+      }
+
+      // GET /api/channels/telegram/status — current telegram channel status
+      if (req.method === 'GET' && channelPath === '/api/channels/telegram/status') {
+        const status = channelManager.getStatus('telegram');
+        res.writeHead(200);
+        res.end(JSON.stringify(status || { channel: 'telegram', connected: false }));
+        return;
+      }
+
+      // GET /api/channels/telegram/pair-page — BYO BotFather token flow: button opens a modal explaining
+      // how to mint a token in @BotFather, takes the pasted token, POSTs {botToken} to /connect.
+      if (req.method === 'GET' && channelPath === '/api/channels/telegram/pair-page') {
+        res.setHeader('Content-Type', 'text/html');
+        const tgStatus = channelManager.getStatus('telegram');
+        const alreadyLinked = !!(tgStatus?.info as any)?.linked;
+        const linkedUsername = (tgStatus?.info as any)?.botUsername || '';
+        const confettiHTML = Array.from({ length: 30 }, (_, i) => {
+          const colors = ['#0166FF', '#009AFE', '#4AEEFF', '#4ade80', '#facc15', '#818cf8'];
+          const color = colors[Math.floor(Math.random() * colors.length)];
+          const left = Math.random() * 100;
+          const delay = i * 0.04;
+          const drift = (Math.random() - 0.5) * 120;
+          const duration = 1.8 + Math.random() * 0.8;
+          return `<div class="confetti-dot" style="left:${left}%;background:${color};animation-delay:${delay}s;animation-duration:${duration}s;--drift:${drift}px"></div>`;
+        }).join('');
+        res.writeHead(200);
+        res.end(`<!DOCTYPE html><html><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Connect Telegram</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&family=Space+Grotesk:wght@600;700&display=swap" rel="stylesheet">
+<style>
+  *{margin:0;padding:0;box-sizing:border-box}
+  body{background:#212121;color:#f5f5f5;font-family:'Inter',system-ui,-apple-system,sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100dvh;margin:0;overflow-x:hidden}
+  .container{display:flex;flex-direction:column;align-items:center;max-width:380px;width:100%;padding:20px}
+  .card{background:#2a2a2a;border:1px solid rgba(255,255,255,0.08);border-radius:20px;padding:28px 24px;width:100%;box-shadow:0 0 0 1px rgba(0,105,254,0.1),0 0 20px -5px rgba(0,105,254,0.15);animation:fade-up .5s ease-out both;text-align:center}
+  .header{display:flex;flex-direction:column;align-items:center;gap:6px;margin-bottom:18px}
+  .badge{display:inline-flex;align-items:center;gap:6px;background:#1a1a1a;border:1px solid rgba(255,255,255,0.08);border-radius:9999px;padding:4px 10px;font-size:11px;color:#888;text-transform:uppercase;letter-spacing:0.6px}
+  .badge::before{content:'';width:8px;height:8px;border-radius:50%;background:#229ED9;box-shadow:0 0 8px rgba(34,158,217,0.6)}
+  .title{font-family:'Space Grotesk',sans-serif;font-size:22px;font-weight:700;background:linear-gradient(135deg,#0166FF,#009AFE,#4AEEFF);-webkit-background-clip:text;-webkit-text-fill-color:transparent;background-clip:text;margin-top:6px}
+  .sub{font-size:13px;color:#999;line-height:1.6;margin-top:6px}
+  .btn{display:inline-flex;align-items:center;justify-content:center;width:100%;border:none;border-radius:10px;padding:13px 16px;font-size:14px;font-weight:600;cursor:pointer;font-family:inherit;transition:all .2s;text-decoration:none}
+  .btn-tg{background:linear-gradient(135deg,#229ED9,#2AABEE);color:#fff;box-shadow:0 4px 14px -4px rgba(34,158,217,0.5)}
+  .btn-tg:hover{opacity:.92}
+  .btn-tg:disabled{opacity:.5;cursor:not-allowed}
+  .btn-ghost{background:#1a1a1a;border:1px solid rgba(255,255,255,0.1);color:#999}
+  .btn-ghost:hover{border-color:rgba(34,158,217,0.4);color:#f5f5f5}
+  .cta-row{margin-top:8px;animation:fade-up .5s ease-out .15s both}
+  .hint{font-size:12px;color:#666;margin-top:14px;line-height:1.6}
+
+  /* modal */
+  .overlay{position:fixed;inset:0;background:rgba(10,10,10,0.72);backdrop-filter:blur(4px);display:none;align-items:center;justify-content:center;padding:20px;z-index:50}
+  .overlay.open{display:flex;animation:fade-in .2s ease-out both}
+  .modal{background:#2a2a2a;border:1px solid rgba(255,255,255,0.1);border-radius:20px;padding:24px 22px;width:100%;max-width:380px;max-height:90dvh;overflow-y:auto;box-shadow:0 24px 60px -12px rgba(0,0,0,0.6);animation:pop-up .28s cubic-bezier(.34,1.56,.64,1) both}
+  .modal-head{display:flex;align-items:flex-start;justify-content:space-between;gap:12px;margin-bottom:6px}
+  .modal-title{font-family:'Space Grotesk',sans-serif;font-size:18px;font-weight:700;color:#f5f5f5}
+  .modal-x{flex-shrink:0;width:28px;height:28px;border-radius:8px;background:#1a1a1a;border:1px solid rgba(255,255,255,0.08);color:#999;font-size:16px;line-height:1;cursor:pointer;display:flex;align-items:center;justify-content:center;transition:all .2s}
+  .modal-x:hover{color:#f5f5f5;border-color:rgba(34,158,217,0.4)}
+  .modal-sub{font-size:12px;color:#999;line-height:1.6;margin-bottom:16px}
+  .steps{text-align:left;margin:0 0 16px}
+  .step{display:flex;gap:12px;font-size:13px;color:#bbb;line-height:1.5;padding:6px 0}
+  .step-num{flex-shrink:0;width:22px;height:22px;border-radius:50%;background:#1a1a1a;border:1px solid rgba(255,255,255,0.08);display:flex;align-items:center;justify-content:center;font-size:11px;font-weight:600;color:#888}
+  .step b{color:#f5f5f5;font-weight:600}
+  .step code{font-family:'Space Grotesk',monospace;color:#2AABEE;background:#1a1a1a;border:1px solid rgba(255,255,255,0.06);border-radius:5px;padding:1px 6px;font-size:12px}
+  .bf-link{display:inline-flex;align-items:center;justify-content:center;gap:7px;width:100%;border:1px solid rgba(34,158,217,0.35);background:#1a1a1a;color:#2AABEE;border-radius:10px;padding:10px 14px;font-size:13px;font-weight:600;text-decoration:none;transition:all .2s;margin-bottom:16px}
+  .bf-link:hover{background:rgba(34,158,217,0.08)}
+  .field-label{font-size:11px;color:#666;text-transform:uppercase;letter-spacing:0.6px;margin-bottom:8px;display:block}
+  .token-input{width:100%;background:#1a1a1a;border:1px solid rgba(255,255,255,0.1);border-radius:10px;padding:12px 14px;color:#f5f5f5;font-family:'Space Grotesk',monospace;font-size:14px;outline:none;transition:border-color .2s}
+  .token-input:focus{border-color:#229ED9}
+  .token-input::placeholder{color:#555;font-family:'Inter',sans-serif}
+  .modal-actions{margin-top:18px}
+  .err{color:#FB4072;font-size:13px;margin-top:12px;min-height:1.2em;text-align:left}
+
+  .confetti-wrap{position:fixed;top:0;left:0;width:100%;height:100%;pointer-events:none;overflow:hidden;z-index:0}
+  .confetti-dot{position:absolute;width:8px;height:8px;border-radius:50%;top:-10px;animation:confetti-fall 2s ease-out forwards}
+  @keyframes confetti-fall{0%{opacity:1;transform:translateY(0) translateX(0) rotate(0) scale(1)}100%{opacity:0;transform:translateY(100vh) translateX(var(--drift)) rotate(360deg) scale(.5)}}
+  .video-wrap{margin-bottom:8px;animation:pop-in .5s cubic-bezier(.34,1.56,.64,1) forwards}
+  .video-wrap video{width:200px;object-fit:contain;pointer-events:none}
+  @keyframes pop-in{0%{transform:scale(0);opacity:0}100%{transform:scale(1);opacity:1}}
+  @keyframes pop-up{0%{transform:translateY(12px) scale(.96);opacity:0}100%{transform:translateY(0) scale(1);opacity:1}}
+  @keyframes fade-in{0%{opacity:0}100%{opacity:1}}
+  .text-wrap{text-align:center;animation:fade-up .5s ease-out .3s both}
+  .success-sub{font-size:14px;color:#999;line-height:1.5;margin-top:6px}
+  @keyframes pulse{0%,100%{opacity:1;transform:scale(1)}50%{opacity:.4;transform:scale(.8)}}
+  @keyframes fade-up{0%{opacity:0;transform:translateY(10px)}100%{opacity:1;transform:translateY(0)}}
+</style></head><body>
+<div class="container" id="root">
+${alreadyLinked
+  ? `<div class="confetti-wrap">${confettiHTML}</div>
+<div class="video-wrap"><video autoplay muted playsinline><source src="/bloby_happy_reappearing.mov" type='video/mp4; codecs="hvc1"'><source src="/bloby_happy_reappearing.webm" type="video/webm"></video></div>
+<div class="text-wrap">
+  <div class="title">Connected!</div>
+  <p class="success-sub">Telegram is linked${linkedUsername ? ` to <b style="color:#f5f5f5">@${linkedUsername}</b>` : ''}. Open Telegram and message your bot to start chatting.</p>
+  <p class="success-sub" style="margin-top:14px;font-size:12px;color:#666">You can close this page.</p>
+</div>`
+  : `<div class="card">
+  <div class="header">
+    <span class="badge">Telegram</span>
+    <div class="title">Connect Telegram</div>
+    <p class="sub">Bring your own bot. Create one for free in @BotFather, paste its token, and you're live.</p>
+  </div>
+  <div class="cta-row">
+    <button class="btn btn-tg" id="openModal">Connect Telegram</button>
+  </div>
+  <p class="hint">It takes about a minute and keeps your bot fully private to you.</p>
+</div>`}
+</div>
+
+${alreadyLinked ? '' : `<div class="overlay" id="overlay">
+  <div class="modal" role="dialog" aria-modal="true" aria-labelledby="mTitle">
+    <div class="modal-head">
+      <div class="modal-title" id="mTitle">Get your bot token</div>
+      <button class="modal-x" id="closeModal" aria-label="Close">&times;</button>
+    </div>
+    <p class="modal-sub">Telegram bots are created by a bot called <b style="color:#f5f5f5">@BotFather</b>. Follow these steps, then paste the token below.</p>
+    <div class="steps">
+      <div class="step"><div class="step-num">1</div><div>Open <b>@BotFather</b> in Telegram (button below)</div></div>
+      <div class="step"><div class="step-num">2</div><div>Send <code>/newbot</code></div></div>
+      <div class="step"><div class="step-num">3</div><div>Choose a <b>name</b> and a <b>username</b> ending in <code>bot</code></div></div>
+      <div class="step"><div class="step-num">4</div><div>BotFather replies with a <b>token</b> like <code>1234:AbCdEf…</code> — copy it</div></div>
+    </div>
+    <a class="bf-link" href="https://t.me/BotFather" target="_blank" rel="noopener">Open @BotFather in Telegram &rarr;</a>
+    <label class="field-label" for="token">Paste your bot token</label>
+    <input class="token-input" id="token" type="text" autocomplete="off" autocapitalize="off" autocorrect="off" spellcheck="false" placeholder="1234567890:ABCdefGhIJKlmNoPQRstuVwxyz">
+    <div class="modal-actions">
+      <button class="btn btn-tg" id="connectBtn">Connect</button>
+    </div>
+    <p class="err" id="err"></p>
+  </div>
+</div>`}
+
+<script>
+${alreadyLinked ? '' : `
+(function(){
+  var overlay=document.getElementById('overlay');
+  var input=document.getElementById('token');
+  var btn=document.getElementById('connectBtn');
+  var err=document.getElementById('err');
+  function open(){overlay.classList.add('open');setTimeout(function(){input.focus()},150)}
+  function close(){overlay.classList.remove('open')}
+  document.getElementById('openModal').addEventListener('click',open);
+  document.getElementById('closeModal').addEventListener('click',close);
+  overlay.addEventListener('click',function(e){if(e.target===overlay)close()});
+  document.addEventListener('keydown',function(e){if(e.key==='Escape')close()});
+  input.addEventListener('input',function(){err.textContent='';input.style.borderColor=''});
+  input.addEventListener('keydown',function(e){if(e.key==='Enter')connect()});
+  btn.addEventListener('click',connect);
+
+  function setLoading(on){
+    btn.disabled=on;
+    btn.textContent=on?'Connecting…':'Connect';
+  }
+
+  async function connect(){
+    var token=(input.value||'').trim();
+    err.textContent='';
+    if(!/^\\d{6,}:[A-Za-z0-9_-]{30,}$/.test(token)){
+      err.textContent="That doesn't look like a bot token. Copy the full line BotFather sent you.";
+      input.style.borderColor='#FB4072';
+      return;
+    }
+    setLoading(true);
+    try{
+      var headers={'Content-Type':'application/json'};
+      // Send the dashboard's portal token so the (password-gated) connect endpoint authorizes us.
+      try{var t=localStorage.getItem('bloby_token');if(t)headers['Authorization']='Bearer '+t;}catch(e){}
+      var r=await fetch('/api/channels/telegram/connect',{method:'POST',headers:headers,body:JSON.stringify({botToken:token})});
+      var d=await r.json().catch(function(){return {}});
+      if(!r.ok||!d.ok){
+        err.textContent=friendly(d.error,r.status)||'Could not connect. Check the token and try again.';
+        setLoading(false);
+        return;
+      }
+      btn.textContent='Connected ✓';
+      location.reload();
+    }catch(e){
+      err.textContent='Network error. Try again.';
+      setLoading(false);
+    }
+  }
+
+  function friendly(code,status){
+    if(status===401||/auth-required/i.test(code||''))return 'Please sign in to your Bloby dashboard first, then try again.';
+    if(/invalid.*token|getMe|invalid-bot-token/i.test(code||''))return 'Telegram rejected that token. Make sure you copied the whole line from BotFather.';
+    if(/unreachable|network|502|timeout/i.test(code||''))return 'Could not reach Telegram. Check your connection and try again.';
+    return code||'';
+  }
+})();
+`}
+</script>
+</body></html>`);
+        return;
+      }
+
       // Fallback for unknown channel routes
       res.writeHead(404);
       res.end(JSON.stringify({ error: 'Not found' }));

package/supervisor/workspace-guard.js

@@ -60,9 +60,9 @@
             '<source src="/what-happened.webm" type="video/webm"><source src="/what-happened.mp4" type="video/mp4">' +
           '</video>' +
         '</div>' +
-        '<h1 style="font-size:1.5rem;font-weight:700;margin:0 0 .6rem;background:linear-gradient(135deg,#0166FF,#009AFE,#4AEEFF);-webkit-background-clip:text;-webkit-text-fill-color:transparent;background-clip:text">A screen in your app has an error</h1>' +
-        '<p style="color:#e4e4e7;font-size:1rem;line-height:1.6;margin:0 0 .4rem">Your latest change didn\'t compile.</p>' +
-        '<p style="color:#a1a1aa;font-size:.93rem;line-height:1.6;margin:0 0 1.2rem">Ask your agent to fix it — the chat is in the bottom corner. Copy the error so it can debug faster.</p>' +
+        '<h1 style="font-size:1.5rem;font-weight:700;margin:0 0 .6rem;background:linear-gradient(135deg,#0166FF,#009AFE,#4AEEFF);-webkit-background-clip:text;-webkit-text-fill-color:transparent;background-clip:text">Workspace error</h1>' +
+        '<p style="color:#e4e4e7;font-size:1rem;line-height:1.6;margin:0 0 .4rem">Your latest frontend change didn’t compile. If your Bloby is currently building or editing something, this is usually normal while the work is still in progress.</p>' +
+        '<p style="color:#a1a1aa;font-size:.93rem;line-height:1.6;margin:0 0 1.2rem">When your agent finishes, this may fix itself. If it doesn’t, ask your Bloby to fix it and copy the error so it can debug faster.</p>' +
         '<div><button id="__bloby_fe_copy" style="font:inherit;cursor:pointer;border:none;border-radius:10px;padding:.65rem 1.2rem;font-size:.9rem;font-weight:600;background:linear-gradient(135deg,#0166FF,#0069FE);color:#fff">Copy error for your agent</button> ' +
         '<button id="__bloby_fe_dismiss" style="font:inherit;cursor:pointer;border-radius:10px;padding:.65rem 1.1rem;font-size:.9rem;font-weight:600;border:1px solid #27272a;background:#18181b;color:#e4e4e7">Dismiss</button></div>' +
       '</div>';

package/workspace/skills/telegram/.claude-plugin/plugin.json

@@ -0,0 +1,6 @@
+{
+  "name": "telegram",
+  "version": "1.0.0",
+  "description": "Telegram channel via your own @BotFather bot token. Paste-token connect, direct long-poll, voice/photo, channel/business/assistant modes.",
+  "skills": "./"
+}