npm - clisbot - Versions diffs - 0.1.19 → 0.1.21 - Mend

clisbot 0.1.19 → 0.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -64,8 +64,11 @@ If you want to try first without persisting the token yet, just remove `--persis
 Current auth note:
 - DMs currently start in pairing mode by default.
-- The config shape already includes `ownerClaimWindowMinutes`, but automatic first-owner claim from the first DM is not implemented in the runtime yet.
-- Today, if you want an owner or app admin, grant that principal explicitly with `clisbot auth add-user app --role owner --user <principal>` or `clisbot auth add-user app --role admin --user <principal>`.
+- If no app owner is configured yet, the first DM user during the first `ownerClaimWindowMinutes` becomes app `owner` automatically and does not need pairing approval.
+- Today, if you want an owner or app admin, grant that principal explicitly with the platform prefix plus the channel-native user id, for example `telegram:1276408333` or `slack:U123ABC456`.
+- Example commands:
+  - `clisbot auth add-user app --role owner --user telegram:1276408333`
+  - `clisbot auth add-user app --role admin --user slack:U123ABC456`
 - `clisbot auth --help` now covers role scopes, permission sets, and add/remove flows for users and permissions.
 - App-level auth and owner-claim semantics in [Authorization And Roles](docs/user-guide/auth-and-roles.md) describe both the current runtime reality and the remaining target-model gaps.

package/dist/main.js CHANGED Viewed

@@ -54487,6 +54487,9 @@ function renderPairingSetupHelpLines(prefix = "", options = {}) {
     lines.push(`${prefix}  - Approve the returned Slack code with: \`clisbot pairing approve slack <code>\``);
   }
   lines.push(`${prefix}  - Configured app owner/admin principals bypass pairing in DMs.`);
+  if (options.ownerConfigured === false) {
+    lines.push(`${prefix}  - If no owner is configured yet, the first DM user during the first ${options.ownerClaimWindowMinutes ?? 30} minutes becomes app owner automatically.`);
+  }
   return lines;
 }
 function renderTmuxDebugHelpLines(prefix = "") {
@@ -61890,6 +61893,8 @@ function getExecutableNames(command) {
 // src/runners/tmux/client.ts
 var MAIN_WINDOW_NAME = "main";
 var TMUX_NOT_FOUND_CODE = "ENOENT";
+var TMUX_SERVER_BOOTSTRAP_TIMEOUT_MS = 1000;
+var TMUX_SERVER_BOOTSTRAP_POLL_MS = 25;
 var TMUX_SERVER_DEFAULTS = [
   ["exit-empty", "off"],
   ["destroy-unattached", "off"]
@@ -61900,6 +61905,9 @@ class TmuxClient {
   constructor(socketPath) {
     this.socketPath = socketPath;
   }
+  isServerUnavailableOutput(output) {
+    return /no server running|No such file or directory|failed to connect to server|error connecting to/i.test(output);
+  }
   async exec(args, options = {}) {
     if (!commandExists("tmux")) {
       throw new Error("tmux is not installed or not available on PATH. Install tmux and restart clisbot.");
@@ -61951,7 +61959,10 @@ class TmuxClient {
     }
     const output = `${result.stderr}
 ${result.stdout}`.trim();
-    return !output.includes("no server running");
+    if (this.isServerUnavailableOutput(output)) {
+      return false;
+    }
+    return false;
   }
   async ensureServerDefaults() {
     if (!await this.isServerRunning()) {
@@ -61961,6 +61972,35 @@ ${result.stdout}`.trim();
       await this.execOrThrow(["set-option", "-g", name, value]);
     }
   }
+  isBootstrapRetryableError(error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return this.isServerUnavailableOutput(message);
+  }
+  async withServerBootstrapRetry(task) {
+    const deadline = Date.now() + TMUX_SERVER_BOOTSTRAP_TIMEOUT_MS;
+    while (true) {
+      try {
+        return await task();
+      } catch (error) {
+        if (!this.isBootstrapRetryableError(error) || Date.now() >= deadline) {
+          throw error;
+        }
+        await sleep(TMUX_SERVER_BOOTSTRAP_POLL_MS);
+      }
+    }
+  }
+  async waitForSessionBootstrap(sessionName) {
+    const deadline = Date.now() + TMUX_SERVER_BOOTSTRAP_TIMEOUT_MS;
+    while (true) {
+      if (await this.hasSession(sessionName)) {
+        return;
+      }
+      if (Date.now() >= deadline) {
+        throw new Error(`tmux session "${sessionName}" did not become reachable on socket ${this.socketPath} within ${TMUX_SERVER_BOOTSTRAP_TIMEOUT_MS}ms.`);
+      }
+      await sleep(TMUX_SERVER_BOOTSTRAP_POLL_MS);
+    }
+  }
   async newSession(params) {
     await this.execOrThrow([
       "new-session",
@@ -61973,8 +62013,13 @@ ${result.stdout}`.trim();
       params.cwd,
       params.command
     ]);
-    await this.ensureServerDefaults();
-    await this.freezeWindowName(`${params.sessionName}:${MAIN_WINDOW_NAME}`);
+    await this.waitForSessionBootstrap(params.sessionName);
+    await this.withServerBootstrapRetry(async () => {
+      await this.ensureServerDefaults();
+    });
+    await this.withServerBootstrapRetry(async () => {
+      await this.freezeWindowName(`${params.sessionName}:${MAIN_WINDOW_NAME}`);
+    });
   }
   async newWindow(params) {
     const paneId = await this.execOrThrow([
@@ -66481,6 +66526,7 @@ async function monitorTmuxRun(params) {
       promptSubmitDelayMs: params.promptSubmitDelayMs,
       timingContext: params.timingContext
     });
+    await params.onPromptSubmitted?.();
     logLatencyDebug("tmux-submit-complete", params.timingContext, {
       sessionName: params.sessionName,
       promptSubmitDelayMs: params.promptSubmitDelayMs,
@@ -66655,7 +66701,8 @@ class ActiveRunManager {
         observers: new Map,
         observerFailures: new Map,
         initialResult,
-        latestUpdate: update
+        latestUpdate: update,
+        steeringReady: true
       });
       this.startRunMonitor(resolved.sessionKey, {
         prompt: undefined,
@@ -66700,7 +66747,8 @@ class ActiveRunManager {
         fullSnapshot: "",
         initialSnapshot: "",
         note: "Starting runner session..."
-      })
+      }),
+      steeringReady: false
     });
     try {
       const { resolved, initialSnapshot } = await this.runnerSessions.preparePromptSession(target, {
@@ -66794,6 +66842,9 @@ class ActiveRunManager {
   hasActiveRun(target) {
     return this.activeRuns.has(target.sessionKey);
   }
+  canSteerActiveRun(target) {
+    return this.activeRuns.get(target.sessionKey)?.steeringReady ?? false;
+  }
   async stop() {
     this.stopping = true;
     const activeRuns = [...this.activeRuns.values()];
@@ -66898,6 +66949,9 @@ class ActiveRunManager {
     }
     (async () => {
       try {
+        if (!params.prompt) {
+          run.steeringReady = true;
+        }
         await monitorTmuxRun({
           tmux: this.tmux,
           sessionName: run.resolved.sessionName,
@@ -66912,6 +66966,13 @@ class ActiveRunManager {
           initialSnapshot: params.initialSnapshot,
           detachedAlready: params.detachedAlready,
           timingContext: params.timingContext,
+          onPromptSubmitted: async () => {
+            const currentRun = this.activeRuns.get(sessionKey);
+            if (!currentRun) {
+              return;
+            }
+            currentRun.steeringReady = true;
+          },
           onRunning: async (update) => {
             const currentRun = this.activeRuns.get(sessionKey);
             if (!currentRun) {
@@ -67094,6 +67155,9 @@ class AgentService {
   hasActiveRun(target) {
     return this.activeRuns.hasActiveRun(target);
   }
+  canSteerActiveRun(target) {
+    return this.activeRuns.canSteerActiveRun(target);
+  }
   async submitSessionInput(target, text) {
     return this.runnerSessions.submitSessionInput(target, text);
   }
@@ -68207,6 +68271,28 @@ function renderTranscriptDisabledMessage() {
   ].join(`
 `);
 }
+function renderStartupSteeringUnavailableMessage() {
+  return [
+    "The active run is still starting and cannot accept steering input yet.",
+    "Send a normal follow-up message to keep it ordered behind the first prompt, or wait until startup finishes before using `/steer`."
+  ].join(`
+`);
+}
+function renderPrincipalFormat(identity) {
+  if (identity.platform === "slack") {
+    return "slack:<nativeUserId>";
+  }
+  return "telegram:<nativeUserId>";
+}
+function renderPrincipalExample(identity) {
+  if (identity.senderId) {
+    return `${identity.platform}:${identity.senderId}`;
+  }
+  if (identity.platform === "slack") {
+    return "slack:U123ABC456";
+  }
+  return "telegram:1276408333";
+}
 function renderWhoAmIMessage(params) {
   const lines = [
     "Who am I",
@@ -68231,7 +68317,7 @@ function renderWhoAmIMessage(params) {
   if (params.identity.topicId) {
     lines.push(`topicId: \`${params.identity.topicId}\``);
   }
-  lines.push(`principal: \`${params.auth.principal ?? "(none)"}\``, `appRole: \`${params.auth.appRole}\``, `agentRole: \`${params.auth.agentRole}\``, `mayBypassPairing: \`${params.auth.mayBypassPairing}\``, `mayManageProtectedResources: \`${params.auth.mayManageProtectedResources}\``, `canUseShell: \`${params.auth.canUseShell}\``, `verbose: \`${params.route.verbose}\``);
+  lines.push(`principal: \`${params.auth.principal ?? "(none)"}\``, `principalFormat: \`${renderPrincipalFormat(params.identity)}\``, `principalExample: \`${renderPrincipalExample(params.identity)}\``, `appRole: \`${params.auth.appRole}\``, `agentRole: \`${params.auth.agentRole}\``, `mayBypassPairing: \`${params.auth.mayBypassPairing}\``, `mayManageProtectedResources: \`${params.auth.mayManageProtectedResources}\``, `canUseShell: \`${params.auth.canUseShell}\``, `verbose: \`${params.route.verbose}\``);
   return lines.join(`
 `);
 }
@@ -68259,7 +68345,7 @@ function renderRouteStatusMessage(params) {
   if (params.identity.topicId) {
     lines.push(`topicId: \`${params.identity.topicId}\``);
   }
-  lines.push(`streaming: \`${params.route.streaming}\``, `response: \`${params.route.response}\``, `responseMode: \`${params.route.responseMode}\``, `additionalMessageMode: \`${params.route.additionalMessageMode}\``, `surfaceNotifications.queueStart: \`${params.route.surfaceNotifications.queueStart}\``, `surfaceNotifications.loopStart: \`${params.route.surfaceNotifications.loopStart}\``, `verbose: \`${params.route.verbose}\``, `principal: \`${params.auth.principal ?? "(none)"}\``, `appRole: \`${params.auth.appRole}\``, `agentRole: \`${params.auth.agentRole}\``, `mayManageProtectedResources: \`${params.auth.mayManageProtectedResources}\``, `canUseShell: \`${params.auth.canUseShell}\``, `timezone: \`${params.route.timezone ?? "(inherit host/app)"}\``, `followUp.mode: \`${params.followUpState.overrideMode ?? params.route.followUp.mode}\``, `followUp.windowMinutes: \`${formatFollowUpTtlMinutes(params.route.followUp.participationTtlMs)}\``, `run.state: \`${params.runtimeState.state}\``);
+  lines.push(`principal: \`${params.auth.principal ?? "(none)"}\``, `principalFormat: \`${renderPrincipalFormat(params.identity)}\``, `principalExample: \`${renderPrincipalExample(params.identity)}\``, `streaming: \`${params.route.streaming}\``, `response: \`${params.route.response}\``, `responseMode: \`${params.route.responseMode}\``, `additionalMessageMode: \`${params.route.additionalMessageMode}\``, `surfaceNotifications.queueStart: \`${params.route.surfaceNotifications.queueStart}\``, `surfaceNotifications.loopStart: \`${params.route.surfaceNotifications.loopStart}\``, `verbose: \`${params.route.verbose}\``, `appRole: \`${params.auth.appRole}\``, `agentRole: \`${params.auth.agentRole}\``, `mayManageProtectedResources: \`${params.auth.mayManageProtectedResources}\``, `canUseShell: \`${params.auth.canUseShell}\``, `timezone: \`${params.route.timezone ?? "(inherit host/app)"}\``, `followUp.mode: \`${params.followUpState.overrideMode ?? params.route.followUp.mode}\``, `followUp.windowMinutes: \`${formatFollowUpTtlMinutes(params.route.followUp.participationTtlMs)}\``, `run.state: \`${params.runtimeState.state}\``);
   if (params.runtimeState.startedAt) {
     lines.push(`run.startedAt: \`${new Date(params.runtimeState.startedAt).toISOString()}\``);
   }
@@ -68921,6 +69007,7 @@ async function processChannelInteraction(params) {
   const explicitQueueMessage = slashCommand?.type === "queue" ? slashCommand.text.trim() : undefined;
   const explicitSteerMessage = slashCommand?.type === "steer" ? slashCommand.text.trim() : undefined;
   const sessionBusy = await (params.agentService.isAwaitingFollowUpRouting?.(params.sessionTarget) ?? params.agentService.isSessionBusy?.(params.sessionTarget) ?? false);
+  const canSteerActiveRun = params.agentService.canSteerActiveRun?.(params.sessionTarget) ?? !sessionBusy;
   const queueByMode = !explicitQueueMessage && params.route.additionalMessageMode === "queue" && sessionBusy;
   const forceQueuedDelivery = typeof explicitQueueMessage === "string" || queueByMode;
   const delayedPromptText = explicitQueueMessage ? params.agentPromptBuilder ? params.agentPromptBuilder(explicitQueueMessage) : explicitQueueMessage : params.agentPromptText ?? params.text;
@@ -69342,6 +69429,11 @@ ${escapeCodeFence(shellResult.output)}
       await params.agentService.recordConversationReply(params.sessionTarget);
       return interactionResult;
     }
+    if (!canSteerActiveRun) {
+      await params.postText(renderStartupSteeringUnavailableMessage());
+      await params.agentService.recordConversationReply(params.sessionTarget);
+      return interactionResult;
+    }
     await params.agentService.submitSessionInput(params.sessionTarget, buildSteeringMessage(explicitSteerMessage, params.protectedControlMutationRule));
     await params.postText("Steered.");
     await params.agentService.recordConversationReply(params.sessionTarget);
@@ -69350,7 +69442,7 @@ ${escapeCodeFence(shellResult.output)}
     };
   }
   if (!forceQueuedDelivery && params.route.additionalMessageMode === "steer") {
-    if (sessionBusy) {
+    if (sessionBusy && canSteerActiveRun) {
       await params.agentService.submitSessionInput(params.sessionTarget, buildSteeringMessage(params.text, params.protectedControlMutationRule));
       return {
         processingIndicatorLifecycle: "active-run"
@@ -69443,7 +69535,7 @@ function mergeRoleRecord2(defaults, overrides) {
   }
   return merged;
 }
-function normalizePrincipal(principal) {
+function normalizeAuthPrincipal(principal) {
   const trimmed = principal.trim();
   if (!trimmed) {
     return "";
@@ -69461,17 +69553,17 @@ function normalizePrincipal(principal) {
   return `${platform}:${userId.trim()}`;
 }
 function normalizeRoleUsers(users) {
-  return (users ?? []).map(normalizePrincipal).filter(Boolean);
+  return (users ?? []).map(normalizeAuthPrincipal).filter(Boolean);
 }
-function resolvePrincipal(identity) {
+function resolveAuthPrincipal(identity) {
   const senderId = identity.senderId?.trim();
   if (!senderId) {
     return;
   }
   if (identity.platform === "slack") {
-    return normalizePrincipal(`slack:${senderId}`);
+    return normalizeAuthPrincipal(`slack:${senderId}`);
   }
-  return normalizePrincipal(`telegram:${senderId}`);
+  return normalizeAuthPrincipal(`telegram:${senderId}`);
 }
 function findExplicitRole(roles, principal) {
   if (!principal || !roles) {
@@ -69503,7 +69595,7 @@ function hasAppPermission(config, appRole, permission) {
   return getAllowedPermissions(config.app.auth.roles, appRole).has(permission);
 }
 function resolveChannelAuth(params) {
-  const principal = resolvePrincipal(params.identity);
+  const principal = resolveAuthPrincipal(params.identity);
   const appAuth = params.config.app.auth;
   const explicitAppRole = findExplicitRole(appAuth.roles, principal);
   const appRole = explicitAppRole ?? appAuth.defaultRole;
@@ -69523,6 +69615,128 @@ function resolveChannelAuth(params) {
   };
 }
+// src/auth/owner-claim.ts
+var import_proper_lockfile2 = __toESM(require_proper_lockfile(), 1);
+var OWNER_CLAIM_RUNTIME_STARTED_AT_MS = Date.now();
+var CONFIG_LOCK_OPTIONS = {
+  retries: {
+    retries: 10,
+    factor: 2,
+    minTimeout: 50,
+    maxTimeout: 2000,
+    randomize: true
+  },
+  stale: 30000
+};
+var ownerClaimRuntimeState = {
+  initialized: false,
+  armed: false,
+  closed: false,
+  openedAtMs: OWNER_CLAIM_RUNTIME_STARTED_AT_MS,
+  windowMs: 0
+};
+function getOwnerUsers(config) {
+  return config.app.auth.roles.owner?.users ?? [];
+}
+function hasConfiguredOwner(config) {
+  return getOwnerUsers(config).some((entry) => entry.trim().length > 0);
+}
+function syncRuntimeStateWithConfig(config) {
+  if (hasConfiguredOwner(config)) {
+    ownerClaimRuntimeState.closed = true;
+  }
+}
+function primeOwnerClaimRuntime(config, nowMs = OWNER_CLAIM_RUNTIME_STARTED_AT_MS) {
+  if (!ownerClaimRuntimeState.initialized) {
+    ownerClaimRuntimeState.initialized = true;
+    ownerClaimRuntimeState.armed = !hasConfiguredOwner(config);
+    ownerClaimRuntimeState.closed = !ownerClaimRuntimeState.armed;
+    ownerClaimRuntimeState.openedAtMs = nowMs;
+    ownerClaimRuntimeState.windowMs = Math.max(0, config.app.auth.ownerClaimWindowMinutes * 60000);
+  }
+  syncRuntimeStateWithConfig(config);
+  return { ...ownerClaimRuntimeState };
+}
+function isOwnerClaimOpen(config, nowMs = Date.now()) {
+  primeOwnerClaimRuntime(config);
+  syncRuntimeStateWithConfig(config);
+  if (ownerClaimRuntimeState.closed || !ownerClaimRuntimeState.armed) {
+    return false;
+  }
+  return nowMs - ownerClaimRuntimeState.openedAtMs <= ownerClaimRuntimeState.windowMs;
+}
+function syncOwnerUsers(target, source) {
+  target.app.auth.roles.owner = {
+    ...target.app.auth.roles.owner,
+    allow: [...source.app.auth.roles.owner?.allow ?? target.app.auth.roles.owner?.allow ?? []],
+    users: [...source.app.auth.roles.owner?.users ?? []]
+  };
+}
+async function withConfigLock(configPath, fn) {
+  const expandedPath = await ensureEditableConfigFile(configPath);
+  let release;
+  try {
+    release = await import_proper_lockfile2.default.lock(expandedPath, CONFIG_LOCK_OPTIONS);
+    return await fn(expandedPath);
+  } finally {
+    if (release) {
+      try {
+        await release();
+      } catch {}
+    }
+  }
+}
+async function claimFirstOwnerFromDirectMessage(params) {
+  const nowMs = params.nowMs ?? Date.now();
+  primeOwnerClaimRuntime(params.config);
+  if (params.identity.conversationKind !== "dm") {
+    return { claimed: false, principal: undefined };
+  }
+  const principal = resolveAuthPrincipal(params.identity);
+  if (!principal || !isOwnerClaimOpen(params.config, nowMs)) {
+    return { claimed: false, principal };
+  }
+  const result = await withConfigLock(params.configPath, async (expandedPath) => {
+    const { config: freshConfig } = await readEditableConfig(expandedPath);
+    primeOwnerClaimRuntime(freshConfig);
+    syncRuntimeStateWithConfig(freshConfig);
+    if (!isOwnerClaimOpen(freshConfig, nowMs)) {
+      syncOwnerUsers(params.config, freshConfig);
+      return { claimed: false, principal, configPath: expandedPath };
+    }
+    const currentOwners = getOwnerUsers(freshConfig).map((entry) => entry.trim()).filter(Boolean);
+    if (currentOwners.includes(principal)) {
+      syncOwnerUsers(params.config, freshConfig);
+      ownerClaimRuntimeState.closed = true;
+      return { claimed: false, principal, configPath: expandedPath };
+    }
+    freshConfig.app.auth.roles.owner.users = [...currentOwners, principal];
+    await writeEditableConfig(expandedPath, freshConfig);
+    syncOwnerUsers(params.config, freshConfig);
+    ownerClaimRuntimeState.closed = true;
+    console.log(`clisbot auto-claimed first owner ${principal}`);
+    return { claimed: true, principal, configPath: expandedPath };
+  });
+  return result;
+}
+function renderFirstOwnerClaimMessage(params) {
+  return [
+    "First owner claim complete.",
+    "",
+    `principal: \`${params.principal}\``,
+    "role: `owner`",
+    `reason: no owner was configured, and this was the first direct message received during the first ${params.ownerClaimWindowMinutes} minutes after runtime start`,
+    "pairing: not required for you anymore because app owners bypass DM pairing",
+    "",
+    "You can now:",
+    "- chat without pairing approval",
+    "- use full app-level control",
+    "- manage auth, channels, and agent settings",
+    "- use admin-level actions across all agents and routed surfaces"
+  ].join(`
+`);
+}
 // src/channels/slack/session-routing.ts
 function resolveSlackConversationTarget(params) {
   const sessionConfig = params.loadedConfig.raw.session;
@@ -70731,21 +70945,48 @@ class SlackSocketService {
     if (params.conversationKind === "dm") {
       const directUserId = typeof event.user === "string" ? event.user.trim() : "";
       const dmConfig = this.loadedConfig.raw.channels.slack.directMessages;
-      const auth2 = resolveChannelAuth({
-        config: this.loadedConfig.raw,
-        agentId: params.route.agentId,
-        identity: {
-          platform: "slack",
-          conversationKind: params.conversationKind,
-          senderId: directUserId || undefined,
-          channelId
-        }
-      });
+      const dmIdentity = {
+        platform: "slack",
+        conversationKind: params.conversationKind,
+        senderId: directUserId || undefined,
+        channelId
+      };
       if (!directUserId || dmConfig.policy === "disabled") {
         debugSlackEvent("drop-dm-disabled", { eventId, directUserId });
         await this.processedEventsStore.markCompleted(eventId);
         return;
       }
+      let ownerClaimed = false;
+      let ownerPrincipal;
+      try {
+        const claimResult = await claimFirstOwnerFromDirectMessage({
+          config: this.loadedConfig.raw,
+          configPath: this.loadedConfig.configPath,
+          identity: dmIdentity
+        });
+        ownerClaimed = claimResult.claimed;
+        ownerPrincipal = claimResult.principal;
+      } catch (error) {
+        console.error("slack first-owner claim failed", error);
+      }
+      if (ownerClaimed && ownerPrincipal) {
+        try {
+          await postSlackText(this.app.client, {
+            channel: channelId,
+            text: renderFirstOwnerClaimMessage({
+              principal: ownerPrincipal,
+              ownerClaimWindowMinutes: this.loadedConfig.raw.app.auth.ownerClaimWindowMinutes
+            })
+          });
+        } catch (error) {
+          console.error("slack first-owner claim reply failed", error);
+        }
+      }
+      const auth2 = resolveChannelAuth({
+        config: this.loadedConfig.raw,
+        agentId: params.route.agentId,
+        identity: dmIdentity
+      });
       if (dmConfig.policy !== "open" && !auth2.mayBypassPairing) {
         const storedAllowFrom = await readChannelAllowFromStore("slack");
         const allowed = isSlackSenderAllowed({
@@ -72256,20 +72497,47 @@ class TelegramPollingService {
       const directMessages = this.loadedConfig.raw.channels.telegram.directMessages;
       const senderId = message.from?.id != null ? String(message.from.id) : "";
       const senderUsername = message.from?.username;
-      const auth = resolveChannelAuth({
-        config: this.loadedConfig.raw,
-        agentId: routeInfo.route.agentId,
-        identity: {
-          platform: "telegram",
-          conversationKind: routeInfo.conversationKind,
-          senderId: senderId || undefined,
-          chatId: String(message.chat.id)
-        }
-      });
+      const dmIdentity = {
+        platform: "telegram",
+        conversationKind: routeInfo.conversationKind,
+        senderId: senderId || undefined,
+        chatId: String(message.chat.id)
+      };
       if (!senderId || directMessages.policy === "disabled") {
         await this.processedEventsStore.markCompleted(eventId);
         return;
       }
+      let ownerClaimed = false;
+      let ownerPrincipal;
+      try {
+        const claimResult = await claimFirstOwnerFromDirectMessage({
+          config: this.loadedConfig.raw,
+          configPath: this.loadedConfig.configPath,
+          identity: dmIdentity
+        });
+        ownerClaimed = claimResult.claimed;
+        ownerPrincipal = claimResult.principal;
+      } catch (error) {
+        console.error("telegram first-owner claim failed", error);
+      }
+      if (ownerClaimed && ownerPrincipal) {
+        try {
+          await callTelegramApi(this.accountConfig.botToken, "sendMessage", {
+            chat_id: message.chat.id,
+            text: renderFirstOwnerClaimMessage({
+              principal: ownerPrincipal,
+              ownerClaimWindowMinutes: this.loadedConfig.raw.app.auth.ownerClaimWindowMinutes
+            })
+          });
+        } catch (error) {
+          console.error("telegram first-owner claim reply failed", error);
+        }
+      }
+      const auth = resolveChannelAuth({
+        config: this.loadedConfig.raw,
+        agentId: routeInfo.route.agentId,
+        identity: dmIdentity
+      });
       if (directMessages.policy !== "open" && !auth.mayBypassPairing) {
         const storedAllowFrom = await readChannelAllowFromStore("telegram");
         const allowed = isTelegramSenderAllowed({
@@ -73293,6 +73561,7 @@ class RuntimeSupervisor {
   }
   async createRuntime(loadedConfig) {
     const runtimeId = this.nextRuntimeId++;
+    primeOwnerClaimRuntime(loadedConfig.raw);
     const agentService = this.dependencies.createAgentService(loadedConfig);
     const processedEventsStore = this.dependencies.createProcessedEventsStore(loadedConfig.processedEventsPath);
     const activityStore = this.dependencies.createActivityStore();
@@ -73753,7 +74022,8 @@ function appendAuthOnboardingLines(lines, summary, prefix = "") {
   lines.push(`${prefix}Auth onboarding:`);
   if (!hasConfiguredPrivilegedPrincipal(summary)) {
     lines.push(`${prefix}  - get the principal from a surface the bot can already see; Telegram groups or topics can use \`/whoami\` before routing, while DMs with pairing must pair first`);
-    lines.push(`${prefix}  - set the first owner with: \`clisbot auth add-user app --role owner --user <principal>\``);
+    lines.push(`${prefix}  - if no owner exists yet, the first DM user during the first ${summary.ownerSummary.ownerClaimWindowMinutes} minutes becomes app owner automatically`);
+    lines.push(`${prefix}  - after the first owner exists, add more principals with: \`clisbot auth add-user app --role <owner|admin> --user <principal>\``);
   } else {
     lines.push(`${prefix}  - inspect current app roles with: \`clisbot auth show app\``);
   }
@@ -73874,6 +74144,8 @@ function renderStartSummary(summary) {
     lines.push(...renderPairingSetupHelpLines("  ", {
       slackEnabled: summary.channelSummaries.some((channel) => channel.channel === "slack" && channel.enabled),
       telegramEnabled: summary.channelSummaries.some((channel) => channel.channel === "telegram" && channel.enabled),
+      ownerConfigured: hasConfiguredPrivilegedPrincipal(summary),
+      ownerClaimWindowMinutes: summary.ownerSummary.ownerClaimWindowMinutes,
       slackDirectMessagesPolicy: summary.channelSummaries.find((channel) => channel.channel === "slack")?.directMessagesPolicy,
       telegramDirectMessagesPolicy: summary.channelSummaries.find((channel) => channel.channel === "telegram")?.directMessagesPolicy,
       conditionalOnly: true
@@ -73896,6 +74168,8 @@ function renderStartSummary(summary) {
   lines.push(...renderPairingSetupHelpLines("", {
     slackEnabled: summary.channelSummaries.some((channel) => channel.channel === "slack" && channel.enabled),
     telegramEnabled: summary.channelSummaries.some((channel) => channel.channel === "telegram" && channel.enabled),
+    ownerConfigured: hasConfiguredPrivilegedPrincipal(summary),
+    ownerClaimWindowMinutes: summary.ownerSummary.ownerClaimWindowMinutes,
     slackDirectMessagesPolicy: summary.channelSummaries.find((channel) => channel.channel === "slack")?.directMessagesPolicy,
     telegramDirectMessagesPolicy: summary.channelSummaries.find((channel) => channel.channel === "telegram")?.directMessagesPolicy,
     conditionalOnly: true

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clisbot",
-  "version": "0.1.19",
+  "version": "0.1.21",
   "private": false,
   "description": "Chat surfaces for durable AI coding agents running in tmux",
   "license": "MIT",