clisbot 0.1.20 → 0.1.21

package/README.md

@@ -64,8 +64,11 @@ If you want to try first without persisting the token yet, just remove `--persis
 Current auth note:
 
 - DMs currently start in pairing mode by default.
-- The config shape already includes `ownerClaimWindowMinutes`, but automatic first-owner claim from the first DM is not implemented in the runtime yet.
-- Today, if you want an owner or app admin, grant that principal explicitly with `clisbot auth add-user app --role owner --user <principal>` or `clisbot auth add-user app --role admin --user <principal>`.
+- If no app owner is configured yet, the first DM user during the first `ownerClaimWindowMinutes` becomes app `owner` automatically and does not need pairing approval.
+- Today, if you want an owner or app admin, grant that principal explicitly with the platform prefix plus the channel-native user id, for example `telegram:1276408333` or `slack:U123ABC456`.
+- Example commands:
+  - `clisbot auth add-user app --role owner --user telegram:1276408333`
+  - `clisbot auth add-user app --role admin --user slack:U123ABC456`
 - `clisbot auth --help` now covers role scopes, permission sets, and add/remove flows for users and permissions.
 - App-level auth and owner-claim semantics in [Authorization And Roles](docs/user-guide/auth-and-roles.md) describe both the current runtime reality and the remaining target-model gaps.
 

package/dist/main.js

@@ -54487,6 +54487,9 @@ function renderPairingSetupHelpLines(prefix = "", options = {}) {
     lines.push(`${prefix}  - Approve the returned Slack code with: \`clisbot pairing approve slack <code>\``);
   }
   lines.push(`${prefix}  - Configured app owner/admin principals bypass pairing in DMs.`);
+  if (options.ownerConfigured === false) {
+    lines.push(`${prefix}  - If no owner is configured yet, the first DM user during the first ${options.ownerClaimWindowMinutes ?? 30} minutes becomes app owner automatically.`);
+  }
   return lines;
 }
 function renderTmuxDebugHelpLines(prefix = "") {
@@ -66523,6 +66526,7 @@ async function monitorTmuxRun(params) {
       promptSubmitDelayMs: params.promptSubmitDelayMs,
       timingContext: params.timingContext
     });
+    await params.onPromptSubmitted?.();
     logLatencyDebug("tmux-submit-complete", params.timingContext, {
       sessionName: params.sessionName,
       promptSubmitDelayMs: params.promptSubmitDelayMs,
@@ -66697,7 +66701,8 @@ class ActiveRunManager {
         observers: new Map,
         observerFailures: new Map,
         initialResult,
-        latestUpdate: update
+        latestUpdate: update,
+        steeringReady: true
       });
       this.startRunMonitor(resolved.sessionKey, {
         prompt: undefined,
@@ -66742,7 +66747,8 @@ class ActiveRunManager {
         fullSnapshot: "",
         initialSnapshot: "",
         note: "Starting runner session..."
-      })
+      }),
+      steeringReady: false
     });
     try {
       const { resolved, initialSnapshot } = await this.runnerSessions.preparePromptSession(target, {
@@ -66836,6 +66842,9 @@ class ActiveRunManager {
   hasActiveRun(target) {
     return this.activeRuns.has(target.sessionKey);
   }
+  canSteerActiveRun(target) {
+    return this.activeRuns.get(target.sessionKey)?.steeringReady ?? false;
+  }
   async stop() {
     this.stopping = true;
     const activeRuns = [...this.activeRuns.values()];
@@ -66940,6 +66949,9 @@ class ActiveRunManager {
     }
     (async () => {
       try {
+        if (!params.prompt) {
+          run.steeringReady = true;
+        }
         await monitorTmuxRun({
           tmux: this.tmux,
           sessionName: run.resolved.sessionName,
@@ -66954,6 +66966,13 @@ class ActiveRunManager {
           initialSnapshot: params.initialSnapshot,
           detachedAlready: params.detachedAlready,
           timingContext: params.timingContext,
+          onPromptSubmitted: async () => {
+            const currentRun = this.activeRuns.get(sessionKey);
+            if (!currentRun) {
+              return;
+            }
+            currentRun.steeringReady = true;
+          },
           onRunning: async (update) => {
             const currentRun = this.activeRuns.get(sessionKey);
             if (!currentRun) {
@@ -67136,6 +67155,9 @@ class AgentService {
   hasActiveRun(target) {
     return this.activeRuns.hasActiveRun(target);
   }
+  canSteerActiveRun(target) {
+    return this.activeRuns.canSteerActiveRun(target);
+  }
   async submitSessionInput(target, text) {
     return this.runnerSessions.submitSessionInput(target, text);
   }
@@ -68249,6 +68271,28 @@ function renderTranscriptDisabledMessage() {
   ].join(`
 `);
 }
+function renderStartupSteeringUnavailableMessage() {
+  return [
+    "The active run is still starting and cannot accept steering input yet.",
+    "Send a normal follow-up message to keep it ordered behind the first prompt, or wait until startup finishes before using `/steer`."
+  ].join(`
+`);
+}
+function renderPrincipalFormat(identity) {
+  if (identity.platform === "slack") {
+    return "slack:<nativeUserId>";
+  }
+  return "telegram:<nativeUserId>";
+}
+function renderPrincipalExample(identity) {
+  if (identity.senderId) {
+    return `${identity.platform}:${identity.senderId}`;
+  }
+  if (identity.platform === "slack") {
+    return "slack:U123ABC456";
+  }
+  return "telegram:1276408333";
+}
 function renderWhoAmIMessage(params) {
   const lines = [
     "Who am I",
@@ -68273,7 +68317,7 @@ function renderWhoAmIMessage(params) {
   if (params.identity.topicId) {
     lines.push(`topicId: \`${params.identity.topicId}\``);
   }
-  lines.push(`principal: \`${params.auth.principal ?? "(none)"}\``, `appRole: \`${params.auth.appRole}\``, `agentRole: \`${params.auth.agentRole}\``, `mayBypassPairing: \`${params.auth.mayBypassPairing}\``, `mayManageProtectedResources: \`${params.auth.mayManageProtectedResources}\``, `canUseShell: \`${params.auth.canUseShell}\``, `verbose: \`${params.route.verbose}\``);
+  lines.push(`principal: \`${params.auth.principal ?? "(none)"}\``, `principalFormat: \`${renderPrincipalFormat(params.identity)}\``, `principalExample: \`${renderPrincipalExample(params.identity)}\``, `appRole: \`${params.auth.appRole}\``, `agentRole: \`${params.auth.agentRole}\``, `mayBypassPairing: \`${params.auth.mayBypassPairing}\``, `mayManageProtectedResources: \`${params.auth.mayManageProtectedResources}\``, `canUseShell: \`${params.auth.canUseShell}\``, `verbose: \`${params.route.verbose}\``);
   return lines.join(`
 `);
 }
@@ -68301,7 +68345,7 @@ function renderRouteStatusMessage(params) {
   if (params.identity.topicId) {
     lines.push(`topicId: \`${params.identity.topicId}\``);
   }
-  lines.push(`streaming: \`${params.route.streaming}\``, `response: \`${params.route.response}\``, `responseMode: \`${params.route.responseMode}\``, `additionalMessageMode: \`${params.route.additionalMessageMode}\``, `surfaceNotifications.queueStart: \`${params.route.surfaceNotifications.queueStart}\``, `surfaceNotifications.loopStart: \`${params.route.surfaceNotifications.loopStart}\``, `verbose: \`${params.route.verbose}\``, `principal: \`${params.auth.principal ?? "(none)"}\``, `appRole: \`${params.auth.appRole}\``, `agentRole: \`${params.auth.agentRole}\``, `mayManageProtectedResources: \`${params.auth.mayManageProtectedResources}\``, `canUseShell: \`${params.auth.canUseShell}\``, `timezone: \`${params.route.timezone ?? "(inherit host/app)"}\``, `followUp.mode: \`${params.followUpState.overrideMode ?? params.route.followUp.mode}\``, `followUp.windowMinutes: \`${formatFollowUpTtlMinutes(params.route.followUp.participationTtlMs)}\``, `run.state: \`${params.runtimeState.state}\``);
+  lines.push(`principal: \`${params.auth.principal ?? "(none)"}\``, `principalFormat: \`${renderPrincipalFormat(params.identity)}\``, `principalExample: \`${renderPrincipalExample(params.identity)}\``, `streaming: \`${params.route.streaming}\``, `response: \`${params.route.response}\``, `responseMode: \`${params.route.responseMode}\``, `additionalMessageMode: \`${params.route.additionalMessageMode}\``, `surfaceNotifications.queueStart: \`${params.route.surfaceNotifications.queueStart}\``, `surfaceNotifications.loopStart: \`${params.route.surfaceNotifications.loopStart}\``, `verbose: \`${params.route.verbose}\``, `appRole: \`${params.auth.appRole}\``, `agentRole: \`${params.auth.agentRole}\``, `mayManageProtectedResources: \`${params.auth.mayManageProtectedResources}\``, `canUseShell: \`${params.auth.canUseShell}\``, `timezone: \`${params.route.timezone ?? "(inherit host/app)"}\``, `followUp.mode: \`${params.followUpState.overrideMode ?? params.route.followUp.mode}\``, `followUp.windowMinutes: \`${formatFollowUpTtlMinutes(params.route.followUp.participationTtlMs)}\``, `run.state: \`${params.runtimeState.state}\``);
   if (params.runtimeState.startedAt) {
     lines.push(`run.startedAt: \`${new Date(params.runtimeState.startedAt).toISOString()}\``);
   }
@@ -68963,6 +69007,7 @@ async function processChannelInteraction(params) {
   const explicitQueueMessage = slashCommand?.type === "queue" ? slashCommand.text.trim() : undefined;
   const explicitSteerMessage = slashCommand?.type === "steer" ? slashCommand.text.trim() : undefined;
   const sessionBusy = await (params.agentService.isAwaitingFollowUpRouting?.(params.sessionTarget) ?? params.agentService.isSessionBusy?.(params.sessionTarget) ?? false);
+  const canSteerActiveRun = params.agentService.canSteerActiveRun?.(params.sessionTarget) ?? !sessionBusy;
   const queueByMode = !explicitQueueMessage && params.route.additionalMessageMode === "queue" && sessionBusy;
   const forceQueuedDelivery = typeof explicitQueueMessage === "string" || queueByMode;
   const delayedPromptText = explicitQueueMessage ? params.agentPromptBuilder ? params.agentPromptBuilder(explicitQueueMessage) : explicitQueueMessage : params.agentPromptText ?? params.text;
@@ -69384,6 +69429,11 @@ ${escapeCodeFence(shellResult.output)}
       await params.agentService.recordConversationReply(params.sessionTarget);
       return interactionResult;
     }
+    if (!canSteerActiveRun) {
+      await params.postText(renderStartupSteeringUnavailableMessage());
+      await params.agentService.recordConversationReply(params.sessionTarget);
+      return interactionResult;
+    }
     await params.agentService.submitSessionInput(params.sessionTarget, buildSteeringMessage(explicitSteerMessage, params.protectedControlMutationRule));
     await params.postText("Steered.");
     await params.agentService.recordConversationReply(params.sessionTarget);
@@ -69392,7 +69442,7 @@ ${escapeCodeFence(shellResult.output)}
     };
   }
   if (!forceQueuedDelivery && params.route.additionalMessageMode === "steer") {
-    if (sessionBusy) {
+    if (sessionBusy && canSteerActiveRun) {
       await params.agentService.submitSessionInput(params.sessionTarget, buildSteeringMessage(params.text, params.protectedControlMutationRule));
       return {
         processingIndicatorLifecycle: "active-run"
@@ -69485,7 +69535,7 @@ function mergeRoleRecord2(defaults, overrides) {
   }
   return merged;
 }
-function normalizePrincipal(principal) {
+function normalizeAuthPrincipal(principal) {
   const trimmed = principal.trim();
   if (!trimmed) {
     return "";
@@ -69503,17 +69553,17 @@ function normalizePrincipal(principal) {
   return `${platform}:${userId.trim()}`;
 }
 function normalizeRoleUsers(users) {
-  return (users ?? []).map(normalizePrincipal).filter(Boolean);
+  return (users ?? []).map(normalizeAuthPrincipal).filter(Boolean);
 }
-function resolvePrincipal(identity) {
+function resolveAuthPrincipal(identity) {
   const senderId = identity.senderId?.trim();
   if (!senderId) {
     return;
   }
   if (identity.platform === "slack") {
-    return normalizePrincipal(`slack:${senderId}`);
+    return normalizeAuthPrincipal(`slack:${senderId}`);
   }
-  return normalizePrincipal(`telegram:${senderId}`);
+  return normalizeAuthPrincipal(`telegram:${senderId}`);
 }
 function findExplicitRole(roles, principal) {
   if (!principal || !roles) {
@@ -69545,7 +69595,7 @@ function hasAppPermission(config, appRole, permission) {
   return getAllowedPermissions(config.app.auth.roles, appRole).has(permission);
 }
 function resolveChannelAuth(params) {
-  const principal = resolvePrincipal(params.identity);
+  const principal = resolveAuthPrincipal(params.identity);
   const appAuth = params.config.app.auth;
   const explicitAppRole = findExplicitRole(appAuth.roles, principal);
   const appRole = explicitAppRole ?? appAuth.defaultRole;
@@ -69565,6 +69615,128 @@ function resolveChannelAuth(params) {
   };
 }
 
+// src/auth/owner-claim.ts
+var import_proper_lockfile2 = __toESM(require_proper_lockfile(), 1);
+var OWNER_CLAIM_RUNTIME_STARTED_AT_MS = Date.now();
+var CONFIG_LOCK_OPTIONS = {
+  retries: {
+    retries: 10,
+    factor: 2,
+    minTimeout: 50,
+    maxTimeout: 2000,
+    randomize: true
+  },
+  stale: 30000
+};
+var ownerClaimRuntimeState = {
+  initialized: false,
+  armed: false,
+  closed: false,
+  openedAtMs: OWNER_CLAIM_RUNTIME_STARTED_AT_MS,
+  windowMs: 0
+};
+function getOwnerUsers(config) {
+  return config.app.auth.roles.owner?.users ?? [];
+}
+function hasConfiguredOwner(config) {
+  return getOwnerUsers(config).some((entry) => entry.trim().length > 0);
+}
+function syncRuntimeStateWithConfig(config) {
+  if (hasConfiguredOwner(config)) {
+    ownerClaimRuntimeState.closed = true;
+  }
+}
+function primeOwnerClaimRuntime(config, nowMs = OWNER_CLAIM_RUNTIME_STARTED_AT_MS) {
+  if (!ownerClaimRuntimeState.initialized) {
+    ownerClaimRuntimeState.initialized = true;
+    ownerClaimRuntimeState.armed = !hasConfiguredOwner(config);
+    ownerClaimRuntimeState.closed = !ownerClaimRuntimeState.armed;
+    ownerClaimRuntimeState.openedAtMs = nowMs;
+    ownerClaimRuntimeState.windowMs = Math.max(0, config.app.auth.ownerClaimWindowMinutes * 60000);
+  }
+  syncRuntimeStateWithConfig(config);
+  return { ...ownerClaimRuntimeState };
+}
+function isOwnerClaimOpen(config, nowMs = Date.now()) {
+  primeOwnerClaimRuntime(config);
+  syncRuntimeStateWithConfig(config);
+  if (ownerClaimRuntimeState.closed || !ownerClaimRuntimeState.armed) {
+    return false;
+  }
+  return nowMs - ownerClaimRuntimeState.openedAtMs <= ownerClaimRuntimeState.windowMs;
+}
+function syncOwnerUsers(target, source) {
+  target.app.auth.roles.owner = {
+    ...target.app.auth.roles.owner,
+    allow: [...source.app.auth.roles.owner?.allow ?? target.app.auth.roles.owner?.allow ?? []],
+    users: [...source.app.auth.roles.owner?.users ?? []]
+  };
+}
+async function withConfigLock(configPath, fn) {
+  const expandedPath = await ensureEditableConfigFile(configPath);
+  let release;
+  try {
+    release = await import_proper_lockfile2.default.lock(expandedPath, CONFIG_LOCK_OPTIONS);
+    return await fn(expandedPath);
+  } finally {
+    if (release) {
+      try {
+        await release();
+      } catch {}
+    }
+  }
+}
+async function claimFirstOwnerFromDirectMessage(params) {
+  const nowMs = params.nowMs ?? Date.now();
+  primeOwnerClaimRuntime(params.config);
+  if (params.identity.conversationKind !== "dm") {
+    return { claimed: false, principal: undefined };
+  }
+  const principal = resolveAuthPrincipal(params.identity);
+  if (!principal || !isOwnerClaimOpen(params.config, nowMs)) {
+    return { claimed: false, principal };
+  }
+  const result = await withConfigLock(params.configPath, async (expandedPath) => {
+    const { config: freshConfig } = await readEditableConfig(expandedPath);
+    primeOwnerClaimRuntime(freshConfig);
+    syncRuntimeStateWithConfig(freshConfig);
+    if (!isOwnerClaimOpen(freshConfig, nowMs)) {
+      syncOwnerUsers(params.config, freshConfig);
+      return { claimed: false, principal, configPath: expandedPath };
+    }
+    const currentOwners = getOwnerUsers(freshConfig).map((entry) => entry.trim()).filter(Boolean);
+    if (currentOwners.includes(principal)) {
+      syncOwnerUsers(params.config, freshConfig);
+      ownerClaimRuntimeState.closed = true;
+      return { claimed: false, principal, configPath: expandedPath };
+    }
+    freshConfig.app.auth.roles.owner.users = [...currentOwners, principal];
+    await writeEditableConfig(expandedPath, freshConfig);
+    syncOwnerUsers(params.config, freshConfig);
+    ownerClaimRuntimeState.closed = true;
+    console.log(`clisbot auto-claimed first owner ${principal}`);
+    return { claimed: true, principal, configPath: expandedPath };
+  });
+  return result;
+}
+function renderFirstOwnerClaimMessage(params) {
+  return [
+    "First owner claim complete.",
+    "",
+    `principal: \`${params.principal}\``,
+    "role: `owner`",
+    `reason: no owner was configured, and this was the first direct message received during the first ${params.ownerClaimWindowMinutes} minutes after runtime start`,
+    "pairing: not required for you anymore because app owners bypass DM pairing",
+    "",
+    "You can now:",
+    "- chat without pairing approval",
+    "- use full app-level control",
+    "- manage auth, channels, and agent settings",
+    "- use admin-level actions across all agents and routed surfaces"
+  ].join(`
+`);
+}
+
 // src/channels/slack/session-routing.ts
 function resolveSlackConversationTarget(params) {
   const sessionConfig = params.loadedConfig.raw.session;
@@ -70773,21 +70945,48 @@ class SlackSocketService {
     if (params.conversationKind === "dm") {
       const directUserId = typeof event.user === "string" ? event.user.trim() : "";
       const dmConfig = this.loadedConfig.raw.channels.slack.directMessages;
-      const auth2 = resolveChannelAuth({
-        config: this.loadedConfig.raw,
-        agentId: params.route.agentId,
-        identity: {
-          platform: "slack",
-          conversationKind: params.conversationKind,
-          senderId: directUserId || undefined,
-          channelId
-        }
-      });
+      const dmIdentity = {
+        platform: "slack",
+        conversationKind: params.conversationKind,
+        senderId: directUserId || undefined,
+        channelId
+      };
       if (!directUserId || dmConfig.policy === "disabled") {
         debugSlackEvent("drop-dm-disabled", { eventId, directUserId });
         await this.processedEventsStore.markCompleted(eventId);
         return;
       }
+      let ownerClaimed = false;
+      let ownerPrincipal;
+      try {
+        const claimResult = await claimFirstOwnerFromDirectMessage({
+          config: this.loadedConfig.raw,
+          configPath: this.loadedConfig.configPath,
+          identity: dmIdentity
+        });
+        ownerClaimed = claimResult.claimed;
+        ownerPrincipal = claimResult.principal;
+      } catch (error) {
+        console.error("slack first-owner claim failed", error);
+      }
+      if (ownerClaimed && ownerPrincipal) {
+        try {
+          await postSlackText(this.app.client, {
+            channel: channelId,
+            text: renderFirstOwnerClaimMessage({
+              principal: ownerPrincipal,
+              ownerClaimWindowMinutes: this.loadedConfig.raw.app.auth.ownerClaimWindowMinutes
+            })
+          });
+        } catch (error) {
+          console.error("slack first-owner claim reply failed", error);
+        }
+      }
+      const auth2 = resolveChannelAuth({
+        config: this.loadedConfig.raw,
+        agentId: params.route.agentId,
+        identity: dmIdentity
+      });
       if (dmConfig.policy !== "open" && !auth2.mayBypassPairing) {
         const storedAllowFrom = await readChannelAllowFromStore("slack");
         const allowed = isSlackSenderAllowed({
@@ -72298,20 +72497,47 @@ class TelegramPollingService {
       const directMessages = this.loadedConfig.raw.channels.telegram.directMessages;
       const senderId = message.from?.id != null ? String(message.from.id) : "";
       const senderUsername = message.from?.username;
-      const auth = resolveChannelAuth({
-        config: this.loadedConfig.raw,
-        agentId: routeInfo.route.agentId,
-        identity: {
-          platform: "telegram",
-          conversationKind: routeInfo.conversationKind,
-          senderId: senderId || undefined,
-          chatId: String(message.chat.id)
-        }
-      });
+      const dmIdentity = {
+        platform: "telegram",
+        conversationKind: routeInfo.conversationKind,
+        senderId: senderId || undefined,
+        chatId: String(message.chat.id)
+      };
       if (!senderId || directMessages.policy === "disabled") {
         await this.processedEventsStore.markCompleted(eventId);
         return;
       }
+      let ownerClaimed = false;
+      let ownerPrincipal;
+      try {
+        const claimResult = await claimFirstOwnerFromDirectMessage({
+          config: this.loadedConfig.raw,
+          configPath: this.loadedConfig.configPath,
+          identity: dmIdentity
+        });
+        ownerClaimed = claimResult.claimed;
+        ownerPrincipal = claimResult.principal;
+      } catch (error) {
+        console.error("telegram first-owner claim failed", error);
+      }
+      if (ownerClaimed && ownerPrincipal) {
+        try {
+          await callTelegramApi(this.accountConfig.botToken, "sendMessage", {
+            chat_id: message.chat.id,
+            text: renderFirstOwnerClaimMessage({
+              principal: ownerPrincipal,
+              ownerClaimWindowMinutes: this.loadedConfig.raw.app.auth.ownerClaimWindowMinutes
+            })
+          });
+        } catch (error) {
+          console.error("telegram first-owner claim reply failed", error);
+        }
+      }
+      const auth = resolveChannelAuth({
+        config: this.loadedConfig.raw,
+        agentId: routeInfo.route.agentId,
+        identity: dmIdentity
+      });
       if (directMessages.policy !== "open" && !auth.mayBypassPairing) {
         const storedAllowFrom = await readChannelAllowFromStore("telegram");
         const allowed = isTelegramSenderAllowed({
@@ -73335,6 +73561,7 @@ class RuntimeSupervisor {
   }
   async createRuntime(loadedConfig) {
     const runtimeId = this.nextRuntimeId++;
+    primeOwnerClaimRuntime(loadedConfig.raw);
     const agentService = this.dependencies.createAgentService(loadedConfig);
     const processedEventsStore = this.dependencies.createProcessedEventsStore(loadedConfig.processedEventsPath);
     const activityStore = this.dependencies.createActivityStore();
@@ -73795,7 +74022,8 @@ function appendAuthOnboardingLines(lines, summary, prefix = "") {
   lines.push(`${prefix}Auth onboarding:`);
   if (!hasConfiguredPrivilegedPrincipal(summary)) {
     lines.push(`${prefix}  - get the principal from a surface the bot can already see; Telegram groups or topics can use \`/whoami\` before routing, while DMs with pairing must pair first`);
-    lines.push(`${prefix}  - set the first owner with: \`clisbot auth add-user app --role owner --user <principal>\``);
+    lines.push(`${prefix}  - if no owner exists yet, the first DM user during the first ${summary.ownerSummary.ownerClaimWindowMinutes} minutes becomes app owner automatically`);
+    lines.push(`${prefix}  - after the first owner exists, add more principals with: \`clisbot auth add-user app --role <owner|admin> --user <principal>\``);
   } else {
     lines.push(`${prefix}  - inspect current app roles with: \`clisbot auth show app\``);
   }
@@ -73916,6 +74144,8 @@ function renderStartSummary(summary) {
     lines.push(...renderPairingSetupHelpLines("  ", {
       slackEnabled: summary.channelSummaries.some((channel) => channel.channel === "slack" && channel.enabled),
       telegramEnabled: summary.channelSummaries.some((channel) => channel.channel === "telegram" && channel.enabled),
+      ownerConfigured: hasConfiguredPrivilegedPrincipal(summary),
+      ownerClaimWindowMinutes: summary.ownerSummary.ownerClaimWindowMinutes,
       slackDirectMessagesPolicy: summary.channelSummaries.find((channel) => channel.channel === "slack")?.directMessagesPolicy,
       telegramDirectMessagesPolicy: summary.channelSummaries.find((channel) => channel.channel === "telegram")?.directMessagesPolicy,
       conditionalOnly: true
@@ -73938,6 +74168,8 @@ function renderStartSummary(summary) {
   lines.push(...renderPairingSetupHelpLines("", {
     slackEnabled: summary.channelSummaries.some((channel) => channel.channel === "slack" && channel.enabled),
     telegramEnabled: summary.channelSummaries.some((channel) => channel.channel === "telegram" && channel.enabled),
+    ownerConfigured: hasConfiguredPrivilegedPrincipal(summary),
+    ownerClaimWindowMinutes: summary.ownerSummary.ownerClaimWindowMinutes,
     slackDirectMessagesPolicy: summary.channelSummaries.find((channel) => channel.channel === "slack")?.directMessagesPolicy,
     telegramDirectMessagesPolicy: summary.channelSummaries.find((channel) => channel.channel === "telegram")?.directMessagesPolicy,
     conditionalOnly: true

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clisbot",
-  "version": "0.1.20",
+  "version": "0.1.21",
   "private": false,
   "description": "Chat surfaces for durable AI coding agents running in tmux",
   "license": "MIT",