discoclaw 0.8.2 → 0.9.0

package/.context/README.md

@@ -19,6 +19,7 @@ Core instructions live in `CLAUDE.md` at the repo root.
 | **Architecture / system overview** | `architecture.md` |
 | **Tool capabilities / browser automation** | `tools.md` |
 | **Voice system (STT/TTS, audio pipeline, actions)** | `voice.md` |
+| **Automations / cron / scheduled tasks** | `automations.md` |
 | **Forge/plan standing constraints** | `project.md` *(auto-loaded by forge)* |
 | **Plan & Forge commands** | `plan-and-forge.md` *(in docs/, not .context/)* |
 | **Engineering lessons / compound learnings** | `docs/compound-lessons.md` *(single checked-in durable artifact; lives in `docs/`, not `.context/`; human/developer reference, not auto-loaded into agent context)* |
@@ -41,6 +42,7 @@ Core instructions live in `CLAUDE.md` at the repo root.
 - **bot-setup.md** — One-time bot creation and invite guide
 - **tools.md** — Available tools: browser automation (agent-browser), escalation ladder, CDP connect, security guardrails
 - **voice.md** — Voice subsystem: module map, audio data flow, key patterns (barge-in, allowlist gating), wiring sequence, dependencies, config reference
+- **automations.md** — Cron & scheduled tasks: job lifecycle, trigger types, primitives (state, silent, routing, chaining), safety rails, config reference
 - **project.md** — Standing constraints auto-loaded by forge drafter and auditor
 - **docs/plan-and-forge.md** — Canonical reference for `!plan` and `!forge` commands (lives in `docs/`, not `.context/` — human/developer reference, not auto-loaded into agent context)
 - **docs/compound-lessons.md** — Single checked-in durable artifact for distilled engineering lessons from audits, forge runs, and repeated workflow failures

package/.context/automations.md

@@ -0,0 +1,87 @@
+# automations.md — Cron & Scheduled Tasks
+
+Quick-reference for automation behavior. For full primitive docs see
+[docs/cron.md](../docs/cron.md); for worked examples and copy-pasteable recipes
+see [docs/cron-patterns.md](../docs/cron-patterns.md).
+
+## System Overview
+
+Cron jobs are defined as forum threads in a dedicated Discord forum channel.
+The scheduler registers in-process timers (via `croner`); on each tick the
+executor assembles a prompt, invokes the AI runtime, and posts output to a
+target channel.
+
+Source: `src/cron/` — scheduler, executor, parser, forum sync, run stats,
+job lock, chain, tag map.
+
+## Job Lifecycle
+
+| Thread state | Job state |
+|--------------|-----------|
+| Active | Registered and running |
+| Archived | Paused (unregistered) |
+| Unarchived | Resumed (re-registered) |
+| Deleted | Removed; stats cleaned on next startup |
+
+Jobs must be created through the bot (`cronCreate` action), not by manually
+creating forum threads.
+
+## Trigger Types
+
+- **`schedule`** — standard 5-field cron expression
+- **`webhook`** — external HTTP POST (requires `DISCOCLAW_WEBHOOK_ENABLED=true`)
+- **`manual`** — explicit `cronTrigger` action only
+
+## Key Primitives
+
+| Primitive | Purpose |
+|-----------|---------|
+| `{{state}}` / `<cron-state>` | Persistent per-job key-value state across runs |
+| `silent` mode | Suppress posting when output is a sentinel (`HEARTBEAT_OK` or `[]`) |
+| `routingMode: "json"` | Multi-channel dispatch via JSON array of `{channel, content}` |
+| `allowedActions` | Restrict which Discord action types a job may emit |
+| `chain` | Fire downstream jobs on success, forwarding state via `__upstream` |
+| `model` | Per-job model tier override (`fast` / `capable` / `deep`) |
+
+## Safety Rails
+
+- Cron jobs **cannot emit cron actions** — hard-coded, not configurable.
+- Overlap guard: one execution per job at a time; concurrent ticks are skipped.
+- Chain depth limit: **10** (prevents runaway cascades).
+- Cycle detection at write time (BFS reachability check).
+- `allowedActions` narrows only — cannot grant permissions the global config denies.
+
+## State Essentials
+
+- `<cron-state>` **replaces** the full state object (not a merge).
+- `{{state}}` expands to `{}` on first run or after a reset.
+- Reset state: `cronUpdate` with `state: "{}"`.
+- The executor injects a "Persistent State" section capped at 4 000 chars.
+
+## Configuration
+
+| Variable | Default | Purpose |
+|----------|---------|---------|
+| `DISCOCLAW_CRON_ENABLED` | `true` | Enable the cron subsystem |
+| `DISCOCLAW_CRON_FORUM` | — | Forum channel ID (auto-created if unset) |
+| `DISCOCLAW_CRON_EXEC_MODEL` | `capable` | Default model tier for execution |
+| `DISCOCLAW_CRON_MODEL` | `fast` | Model tier for definition parsing |
+| `DISCOCLAW_CRON_AUTO_TAG` | `true` | Auto-tag cron forum threads |
+| `DISCOCLAW_CRON_STATS_DIR` | — | Override stats storage directory |
+| `DISCOCLAW_CRON_TAG_MAP` | — | Override tag map file path |
+| `DISCOCLAW_WEBHOOK_ENABLED` | `false` | Enable the webhook server |
+| `DISCOCLAW_WEBHOOK_CONFIG` | — | Path to webhook config JSON |
+
+## Common Patterns (cheat sheet)
+
+| Pattern | Key technique |
+|---------|---------------|
+| Stateful polling | `{{state}}` cursor + `<cron-state>` update |
+| Silent monitoring | `silent: true` + `HEARTBEAT_OK` sentinel |
+| Multi-channel fan-out | `routingMode: "json"` |
+| Chained pipelines | `chain` field + `__upstream.state` handoff |
+| Accumulation / rollup | State counter resets on cadence boundary |
+| Webhook-triggered | Config file + HMAC-SHA256 verification |
+| Gated actions | `allowedActions` for least-privilege |
+
+See [docs/cron-patterns.md](../docs/cron-patterns.md) for full examples of each.

package/.context/runtime.md

@@ -80,46 +80,7 @@ Shutdown: `killAllSubprocesses()` from `cli-adapter.ts` kills all tracked subpro
 ## Codex CLI Runtime
 
 - Adapter: `src/runtime/codex-cli.ts` (thin wrapper around `cli-adapter.ts` + `strategies/codex-strategy.ts`)
-- Default transport:
-  - The default Codex path is `codex exec` / `codex exec resume`.
-  - DiscoClaw currently prefers the CLI route for reliability, especially in forge flows.
-- Optional native transport:
-  - When explicitly enabled, DiscoClaw can use the Codex app-server websocket for `thread/start`, `turn/start`, streaming output, `turn/steer`, and `turn/interrupt`.
-  - The native path still uses Codex's local app-server auth/session state, so no public API key is required.
-- Activation and fallback:
-  - Native invoke is opt-in via `CODEX_APP_SERVER_NATIVE=1`.
-  - Native invoke also requires `CODEX_APP_SERVER_URL` to point at a reachable websocket endpoint.
-  - If the native flag is off, the URL is unset, or the turn hits an images / non-default `cwd` bypass gate, DiscoClaw uses the `codex exec` / `codex exec resume` transport instead.
-  - If native invoke is selected but the websocket connection cannot be established, DiscoClaw falls back to `codex exec` for that turn rather than failing closed.
-- Env vars:
-  | Var | Default | Purpose |
-  |-----|---------|---------|
-  | `CODEX_APP_SERVER_NATIVE` | `0` | Enables the app-server-native invoke path for eligible turns. |
-  | `CODEX_APP_SERVER_URL` | *(unset)* | Codex app-server websocket URL (for example `ws://127.0.0.1:4321`) used by the native path. |
-- Native bypass gates:
-  - **Images:** turns with `images` bypass native invoke and stay on `codex exec`, because image parity is not guaranteed on the app-server path.
-  - **Non-default `cwd`:** turns whose `cwd` differs from the process working directory bypass native invoke and stay on `codex exec`, which is the only path that can shape the subprocess working directory per turn.
-  - **`addDirs`:** native invoke passes extra readable roots through to the app-server sandbox as additional `readableRoots`, so standard Discord turns can still stay on the websocket path.
-  - **Connection failure:** if the runtime cannot connect/initialize against the app-server websocket, it immediately drops back to `codex exec` for that invocation.
-- Capability declaration:
-  - When native invoke is enabled and the app-server is configured, the runtime adds `mid_turn_steering` and exposes `RuntimeAdapter.steer()` + `RuntimeAdapter.interrupt()`.
-  - When native invoke is inactive, the Codex adapter behaves like the legacy CLI runtime: no control methods and no extra capability.
-- Lifecycle and streaming:
-  - For native turns, the runtime creates or reuses a thread with `thread/start`, starts the turn with `turn/start`, and tracks the active turn directly from the app-server response/notifications.
-  - Streaming reply text comes from agent-message delta/completed notifications; tool progress comes from item start/completion notifications; terminal turn notifications clear the active turn and finish the stream.
-  - Because the runtime receives the live `turnId` from the app-server itself, steering and interrupt can target the active turn reliably instead of depending on `codex exec --json` to surface it mid-turn.
-- Session semantics:
-  - Reusing the same `sessionKey` reuses the same native `threadId`, so repeated turns continue the same Codex thread.
-  - Omitting `sessionKey` creates an ephemeral native thread for that invocation only.
-  - `disableSessions` strips `sessionKey` before dispatch, so native turns become ephemeral and never reuse a prior thread.
-- Steering / interrupt semantics:
-  - `steer(sessionKey, message)` is best-effort and returns `false` instead of throwing when there is no tracked active turn or the app-server request fails.
-  - Successful steering sends `turn/steer` with `threadId` plus `expectedTurnId`; if the server returns a replacement `turnId`, the runtime updates its active-turn pointer.
-  - `interrupt(sessionKey)` is also best-effort and sends `turn/interrupt` with the active `threadId` + `turnId`, then clears local active-turn state.
-- Tradeoffs vs `codex exec`:
-  - Native invoke is useful when live control matters: it owns thread/turn lifecycle directly, exposes the active `turnId`, and supports steer/interrupt semantics.
-  - `codex exec` remains the default and preferred path for general reliability, plus any turns that need unsupported invocation shapes or when the app-server is unavailable.
-  - Keeping both paths preserves local Codex auth and session behavior without forcing the app-server path on day-to-day usage.
+- Transport: `codex exec` / `codex exec resume` exclusively.
 
 ## Gemini CLI Runtime
 

package/.env.example

@@ -131,7 +131,7 @@ DISCORD_GUILD_ID=
 # --- OpenRouter adapter ---
 #OPENROUTER_API_KEY=
 #OPENROUTER_BASE_URL=https://openrouter.ai/api/v1
-#OPENROUTER_MODEL=anthropic/claude-sonnet-4
+#OPENROUTER_MODEL=anthropic/claude-sonnet-4-20250514
 
 # Log level: trace | debug | info | warn | error | fatal
 #LOG_LEVEL=info

package/.env.example.full

@@ -526,13 +526,9 @@ DISCOCLAW_DISCORD_ACTIONS_DEFER=1
 # ----------------------------------------------------------
 # Route the forge drafter to a non-Claude runtime.
 # Valid values: "codex" (Codex CLI), "openai" (OpenAI-compatible HTTP API), "openrouter" (OpenRouter).
-# Note: forge currently forces Codex phases onto codex exec by default instead of
-# the native app-server path.
 #FORGE_DRAFTER_RUNTIME=
 # Route the forge auditor to a non-Claude runtime.
 # Valid values: "codex" (Codex CLI), "openai" (OpenAI-compatible HTTP API), "openrouter" (OpenRouter).
-# Note: forge currently forces Codex phases onto codex exec by default instead of
-# the native app-server path.
 #FORGE_AUDITOR_RUNTIME=
 
 # --- Codex CLI adapter ---
@@ -540,20 +536,6 @@ DISCOCLAW_DISCORD_ACTIONS_DEFER=1
 #CODEX_BIN=codex
 # Optional: isolate Codex state/sessions from ~/.codex (helps avoid stale rollout DB issues).
 #CODEX_HOME=/absolute/path/to/.codex-home-discoclaw
-# Optional: Codex app-server websocket URL for the native app-server invoke path.
-# When combined with CODEX_APP_SERVER_NATIVE=1, DiscoClaw uses the websocket for
-# thread/turn lifecycle, streaming output, steering, and interrupts. Unset keeps
-# the native path dormant.
-#CODEX_APP_SERVER_URL=ws://127.0.0.1:4321
-# Enable the optional native Codex app-server transport.
-# Set to 1 to allow eligible Codex turns to use the websocket path. The CLI route
-# remains the recommended default for normal ops because it has been more reliable.
-# Image turns, non-default cwd turns, and websocket bootstrap failures fall back
-# to codex exec automatically. Forge currently disables the native app-server
-# route for Codex phases by default and uses codex exec instead; CODEX_APP_SERVER_NATIVE=1
-# still applies to other eligible Codex turns. Extra readable roots from addDirs
-# are passed through to the app-server sandbox.
-#CODEX_APP_SERVER_NATIVE=0
 # Default model for the Codex CLI adapter. Used when FORGE_AUDITOR_MODEL is not set.
 #CODEX_MODEL=gpt-5.4
 # WARNING: disables Codex approval prompts and sandbox protections (full-access mode).
@@ -583,7 +565,7 @@ DISCOCLAW_DISCORD_ACTIONS_DEFER=1
 # Base URL (default: OpenRouter API endpoint).
 #OPENROUTER_BASE_URL=https://openrouter.ai/api/v1
 # Default model for the OpenRouter adapter.
-#OPENROUTER_MODEL=anthropic/claude-sonnet-4
+#OPENROUTER_MODEL=anthropic/claude-sonnet-4-20250514
 
 # ----------------------------------------------------------
 # Webhooks — inbound HTTP triggers from external services

package/dist/cli/init-wizard.js

@@ -334,7 +334,7 @@ export async function runInitWizard() {
         values.PRIMARY_RUNTIME = 'openrouter';
         console.log('  Note: the OpenRouter adapter is HTTP-only.');
         values.OPENROUTER_API_KEY = await askValidated('OpenRouter API key: ', (val) => (val ? null : 'API key is required'));
-        values.OPENROUTER_MODEL = 'anthropic/claude-sonnet-4';
+        values.OPENROUTER_MODEL = 'anthropic/claude-sonnet-4-20250514';
     }
     values.DISCOCLAW_DISCORD_ACTIONS = '1';
     // ── Voice setup ───────────────────────────────────────────────────────────

package/dist/cli/init-wizard.test.js

@@ -96,12 +96,12 @@ describe('init wizard helpers', () => {
             PRIMARY_RUNTIME: 'openrouter',
             OPENROUTER_API_KEY: 'sk-or-test-key',
             OPENROUTER_BASE_URL: 'https://openrouter.ai/api/v1',
-            OPENROUTER_MODEL: 'anthropic/claude-sonnet-4',
+            OPENROUTER_MODEL: 'anthropic/claude-sonnet-4-20250514',
         }, new Date('2026-02-22T00:00:00.000Z'));
         expect(content).toContain('PRIMARY_RUNTIME=openrouter');
         expect(content).toContain('OPENROUTER_API_KEY=sk-or-test-key');
         expect(content).toContain('OPENROUTER_BASE_URL=https://openrouter.ai/api/v1');
-        expect(content).toContain('OPENROUTER_MODEL=anthropic/claude-sonnet-4');
+        expect(content).toContain('OPENROUTER_MODEL=anthropic/claude-sonnet-4-20250514');
         expect(content).toContain('# AUTO-DETECTED');
         expect(content).toContain('DISCOCLAW_TASKS_FORUM=1000000000000000002');
         expect(content).toContain('DISCOCLAW_CRON_FORUM=1000000000000000003');
@@ -269,7 +269,7 @@ describe('runInitWizard', () => {
         const newEnv = fs.readFileSync(path.join(tmpDir, '.env'), 'utf8');
         expect(newEnv).toContain('PRIMARY_RUNTIME=openrouter');
         expect(newEnv).toContain('OPENROUTER_API_KEY=sk-or-test-key');
-        expect(newEnv).toContain('OPENROUTER_MODEL=anthropic/claude-sonnet-4');
+        expect(newEnv).toContain('OPENROUTER_MODEL=anthropic/claude-sonnet-4-20250514');
         expect(newEnv).toContain('DISCOCLAW_DISCORD_ACTIONS=1');
         expect(newEnv).toContain(`DISCOCLAW_DATA_DIR=${path.join(tmpDir, 'data')}`);
     });

package/dist/config/safe-key.js

@@ -0,0 +1,38 @@
+/**
+ * Guards against prototype-pollution via dynamic property names.
+ *
+ * Any code path that uses an external string (route param, JSON key, etc.)
+ * as a plain-object property name should reject these values first.
+ */
+const PROTO_POLLUTION_KEYS = new Set([
+    '__proto__',
+    'constructor',
+    'prototype',
+]);
+/** Returns `true` when `key` is a prototype-pollution property name. */
+export function isUnsafeKey(key) {
+    return PROTO_POLLUTION_KEYS.has(key);
+}
+/**
+ * Look up `key` on `obj` only when the key is safe and is an own property.
+ * Returns `undefined` for unsafe keys or missing properties — never walks
+ * the prototype chain.
+ */
+export function safeGet(obj, key) {
+    if (isUnsafeKey(key))
+        return undefined;
+    return Object.hasOwn(obj, key) ? obj[key] : undefined;
+}
+/**
+ * Return a shallow copy of `obj` with any prototype-pollution keys removed.
+ * Useful for sanitising parsed JSON before it becomes a lookup table.
+ */
+export function stripUnsafeKeys(obj) {
+    const clean = Object.create(null);
+    for (const key of Object.keys(obj)) {
+        if (!isUnsafeKey(key)) {
+            clean[key] = obj[key];
+        }
+    }
+    return clean;
+}

package/dist/config/safe-key.test.js

@@ -0,0 +1,60 @@
+import { describe, expect, it } from 'vitest';
+import { isUnsafeKey, safeGet, stripUnsafeKeys } from './safe-key.js';
+describe('isUnsafeKey', () => {
+    it.each(['__proto__', 'constructor', 'prototype'])('returns true for %s', (key) => {
+        expect(isUnsafeKey(key)).toBe(true);
+    });
+    it.each(['github', 'alerts', '', 'proto', '__proto', 'CONSTRUCTOR'])('returns false for %s', (key) => {
+        expect(isUnsafeKey(key)).toBe(false);
+    });
+});
+describe('safeGet', () => {
+    const obj = { a: 1, b: 2 };
+    it('returns the value for a safe, present key', () => {
+        expect(safeGet(obj, 'a')).toBe(1);
+    });
+    it('returns undefined for a safe but missing key', () => {
+        expect(safeGet(obj, 'z')).toBeUndefined();
+    });
+    it('returns undefined for __proto__ even when set as own property', () => {
+        const withProto = Object.create(null);
+        withProto['__proto__'] = 42;
+        expect(safeGet(withProto, '__proto__')).toBeUndefined();
+    });
+    it('returns undefined for constructor', () => {
+        expect(safeGet(obj, 'constructor')).toBeUndefined();
+    });
+    it('returns undefined for prototype', () => {
+        expect(safeGet(obj, 'prototype')).toBeUndefined();
+    });
+    it('does not walk the prototype chain', () => {
+        const parent = { inherited: 99 };
+        const child = Object.create(parent);
+        expect(safeGet(child, 'inherited')).toBeUndefined();
+    });
+});
+describe('stripUnsafeKeys', () => {
+    it('removes __proto__, constructor, and prototype keys', () => {
+        const input = {
+            github: 'ok',
+            __proto__: 'bad',
+            constructor: 'bad',
+            prototype: 'bad',
+            alerts: 'ok',
+        };
+        // JSON.parse puts __proto__ as own property; replicate with Object.defineProperty
+        Object.defineProperty(input, '__proto__', { value: 'bad', enumerable: true, configurable: true });
+        const result = stripUnsafeKeys(input);
+        expect(Object.keys(result)).toEqual(['github', 'alerts']);
+        expect(result['github']).toBe('ok');
+        expect(result['alerts']).toBe('ok');
+    });
+    it('returns a null-prototype object', () => {
+        const result = stripUnsafeKeys({ a: 1 });
+        expect(Object.getPrototypeOf(result)).toBeNull();
+    });
+    it('handles an empty object', () => {
+        const result = stripUnsafeKeys({});
+        expect(Object.keys(result)).toEqual([]);
+    });
+});

package/dist/config.js

@@ -1,4 +1,4 @@
-import { parseAllowBotIds, parseAllowChannelIds, parseAllowUserIds } from './discord/allowlist.js';
+import { isAllowlisted, parseAllowBotIds, parseAllowChannelIds, parseAllowUserIds } from './discord/allowlist.js';
 import { parseDashboardTrustedHosts } from './dashboard/options.js';
 export const KNOWN_TOOLS = new Set([
     'Bash', 'Read', 'Write', 'Edit', 'Glob', 'Grep', 'WebSearch', 'WebFetch', 'Pipeline', 'Step',
@@ -9,6 +9,14 @@ export const DEFAULT_DISCORD_ACTIONS_DEFER_MAX_DEPTH = 4;
 export const DEFAULT_DISCORD_ACTIONS_LOOP_MIN_INTERVAL_SECONDS = 60;
 export const DEFAULT_DISCORD_ACTIONS_LOOP_MAX_INTERVAL_SECONDS = 86400;
 export const DEFAULT_DISCORD_ACTIONS_LOOP_MAX_CONCURRENT = 5;
+/**
+ * Check whether a Discord user is authorized for config-mutating actions.
+ * Uses the DISCORD_ALLOW_USER_IDS allowlist as the sole authorization source.
+ * Fails closed: returns false when the allowlist is empty.
+ */
+export function isAuthorizedUser(config, userId) {
+    return isAllowlisted(config.allowUserIds, userId);
+}
 function parseBoolean(env, name, defaultValue) {
     const raw = env[name];
     if (raw == null || raw.trim() === '')
@@ -184,6 +192,7 @@ export function parseConfig(env) {
     const discordActionsImagegen = parseBoolean(env, 'DISCOCLAW_DISCORD_ACTIONS_IMAGEGEN', false);
     const discordActionsVoice = parseBoolean(env, 'DISCOCLAW_DISCORD_ACTIONS_VOICE', false);
     const discordActionsSpawn = parseBoolean(env, 'DISCOCLAW_DISCORD_ACTIONS_SPAWN', true);
+    const discordActionsArchive = parseBoolean(env, 'DISCOCLAW_DISCORD_ACTIONS_ARCHIVE', false);
     const spawnMaxConcurrent = parsePositiveInt(env, 'DISCOCLAW_DISCORD_ACTIONS_SPAWN_MAX_CONCURRENT', 4);
     const deferMaxDelaySeconds = parsePositiveNumber(env, 'DISCOCLAW_DISCORD_ACTIONS_DEFER_MAX_DELAY_SECONDS', DEFAULT_DISCORD_ACTIONS_DEFER_MAX_DELAY_SECONDS);
     const deferMaxConcurrent = parsePositiveInt(env, 'DISCOCLAW_DISCORD_ACTIONS_DEFER_MAX_CONCURRENT', DEFAULT_DISCORD_ACTIONS_DEFER_MAX_CONCURRENT);
@@ -350,7 +359,7 @@ export function parseConfig(env) {
     }
     const openrouterApiKey = parseTrimmedString(env, 'OPENROUTER_API_KEY');
     const openrouterBaseUrl = parseTrimmedString(env, 'OPENROUTER_BASE_URL');
-    const openrouterModel = parseTrimmedString(env, 'OPENROUTER_MODEL') ?? 'anthropic/claude-sonnet-4';
+    const openrouterModel = parseTrimmedString(env, 'OPENROUTER_MODEL') ?? 'anthropic/claude-sonnet-4-20250514';
     if (primaryRuntime === 'openrouter' && !openrouterApiKey) {
         warnings.push('PRIMARY_RUNTIME=openrouter but OPENROUTER_API_KEY is not set; startup will fail unless another runtime is selected.');
     }
@@ -442,6 +451,7 @@ export function parseConfig(env) {
             discordActionsImagegen,
             discordActionsVoice,
             discordActionsSpawn,
+            discordActionsArchive,
             deferMaxDelaySeconds,
             deferMaxDepth,
             deferMaxConcurrent,

package/dist/config.test.js

@@ -403,9 +403,9 @@ describe('parseConfig', () => {
         const { config } = parseConfig(env({ OPENROUTER_API_KEY: 'sk-or-test' }));
         expect(config.openrouterApiKey).toBe('sk-or-test');
     });
-    it('defaults openrouterModel to "anthropic/claude-sonnet-4"', () => {
+    it('defaults openrouterModel to "anthropic/claude-sonnet-4-20250514"', () => {
         const { config } = parseConfig(env());
-        expect(config.openrouterModel).toBe('anthropic/claude-sonnet-4');
+        expect(config.openrouterModel).toBe('anthropic/claude-sonnet-4-20250514');
     });
     it('warns when PRIMARY_RUNTIME=openrouter without OPENROUTER_API_KEY', () => {
         const { warnings } = parseConfig(env({ PRIMARY_RUNTIME: 'openrouter', OPENROUTER_API_KEY: undefined }));

package/dist/cron/executor.js

@@ -432,7 +432,7 @@ export async function executeCronJob(job, ctx) {
         // Suppress sentinel outputs (e.g. crons whose prompts say "output nothing if idle").
         // Mirrors the reaction handler's logic at reaction-handler.ts:662-674.
         const strippedText = processedText.replace(/\s+/g, ' ').trim();
-        const isSuppressible = strippedText === 'HEARTBEAT_OK' || strippedText === '(no output)';
+        const isSuppressible = /^heartbeat(_ok)?$/i.test(strippedText) || strippedText === 'HEART' || strippedText === '(no output)' || /^[\u2764\uFE0F]+$/.test(strippedText);
         if (isSuppressible && collectedImages.length === 0) {
             ctx.log?.info({ jobId: job.id, name: job.name, sentinel: strippedText }, 'cron:exec sentinel output suppressed');
             if (ctx.statsStore && job.cronId) {

package/dist/cron/executor.test.js

@@ -436,6 +436,26 @@ describe('executeCronJob', () => {
         expect(channel.send).not.toHaveBeenCalled();
         expect(ctx.log?.info).toHaveBeenCalledWith(expect.objectContaining({ jobId: job.id, sentinel: 'HEARTBEAT_OK' }), 'cron:exec sentinel output suppressed');
     });
+    it('suppresses heart emoji output (model interprets HEARTBEAT_OK as emoji)', async () => {
+        for (const variant of ['\u2764\uFE0F', '\u2764', '\u2764\uFE0F\u2764\uFE0F']) {
+            const ctx = makeCtx({ runtime: makeMockRuntime(variant) });
+            const job = makeJob();
+            await executeCronJob(job, ctx);
+            const guild = ctx.client.guilds.cache.get('guild-1');
+            const channel = guild.channels.cache.get('general');
+            expect(channel.send).not.toHaveBeenCalled();
+        }
+    });
+    it('suppresses truncated HEARTBEAT variants (e.g. HEART)', async () => {
+        for (const variant of ['HEART', 'HEARTBEAT', 'Heartbeat_ok', 'heartbeat_ok']) {
+            const ctx = makeCtx({ runtime: makeMockRuntime(variant) });
+            const job = makeJob();
+            await executeCronJob(job, ctx);
+            const guild = ctx.client.guilds.cache.get('guild-1');
+            const channel = guild.channels.cache.get('general');
+            expect(channel.send).not.toHaveBeenCalled();
+        }
+    });
     it('suppresses (no output) output', async () => {
         const ctx = makeCtx({ runtime: makeMockRuntime('(no output)') });
         const job = makeJob();

package/dist/dashboard/page.js

@@ -434,6 +434,30 @@ export function renderDashboardPage() {
       padding: 8px 0;
     }
 
+    .findings-collapsible {
+      border-radius: 14px;
+      border: 1px solid rgba(255, 255, 255, 0.06);
+      background: var(--bg-soft);
+    }
+
+    .findings-collapsible summary {
+      cursor: pointer;
+      padding: 12px 14px;
+      color: var(--muted);
+      font-size: 13px;
+      letter-spacing: 0.06em;
+    }
+
+    .findings-collapsible[open] summary {
+      border-bottom: 1px solid rgba(255, 255, 255, 0.06);
+    }
+
+    .findings-collapsible-inner {
+      padding: 10px;
+      display: grid;
+      gap: 10px;
+    }
+
     @media (max-width: 980px) {
       .span-4,
       .span-5,
@@ -938,22 +962,24 @@ export function renderDashboardPage() {
     function renderDoctor(report, summary) {
       const findings = Array.isArray(report.findings) ? report.findings : [];
       const autoFixableCount = findings.filter((finding) => finding.autoFixable).length;
-      const attentionFindings = findings.filter((finding) => finding.severity !== 'info');
+      const criticalFindings = findings.filter((finding) => finding.severity === 'error');
+      const warnFindings = findings.filter((finding) => finding.severity === 'warn');
       const cleanupFindings = findings.filter((finding) => finding.severity === 'info');
+      const nonCriticalFindings = findings.filter((finding) => finding.severity !== 'error');
 
       doctorFixButton.disabled = autoFixableCount === 0;
       doctorFixButton.dataset.autoFixableCount = String(autoFixableCount);
 
       if (findings.length === 0) {
         doctorHelper.textContent = 'Nothing needs attention. Config looks clean.';
-      } else if (autoFixableCount > 0) {
+      } else if (criticalFindings.length > 0 && autoFixableCount > 0) {
         doctorHelper.textContent = autoFixableCount + ' safe auto-fix'
           + (autoFixableCount === 1 ? ' is' : 'es are')
-          + ' available. Review-only items will stay listed below.';
-      } else if (attentionFindings.length === 0) {
-        doctorHelper.textContent = 'These are cleanup suggestions only. Nothing here can be changed automatically.';
+          + ' available.';
+      } else if (criticalFindings.length > 0) {
+        doctorHelper.textContent = 'Review the critical items below.';
       } else {
-        doctorHelper.textContent = 'Review the items below. None of them can be changed automatically.';
+        doctorHelper.textContent = 'No critical issues. Expand below for details.';
       }
 
       clearNode(doctorFindings);
@@ -963,18 +989,7 @@ export function renderDashboardPage() {
         empty.textContent = 'No doctor findings.';
         doctorFindings.append(empty);
       } else {
-        const renderSection = (title, sectionFindings) => {
-          if (!sectionFindings.length) return;
-
-          const section = document.createElement('div');
-          section.className = 'finding-section';
-
-          const heading = document.createElement('div');
-          heading.className = 'finding-section-title';
-          heading.textContent = title;
-          section.append(heading);
-
-          sectionFindings.forEach((finding) => {
+        const renderFinding = (parent, finding) => {
           const wrapper = document.createElement('div');
           wrapper.className = 'finding';
 
@@ -1022,14 +1037,45 @@ export function renderDashboardPage() {
 
           wrapper.append(header, message);
           if (finding.recommendation) wrapper.append(recommendation);
-          section.append(wrapper);
-          });
+          parent.append(wrapper);
+        };
+
+        const renderSection = (parent, title, sectionFindings) => {
+          if (!sectionFindings.length) return;
+
+          const section = document.createElement('div');
+          section.className = 'finding-section';
+
+          const heading = document.createElement('div');
+          heading.className = 'finding-section-title';
+          heading.textContent = title;
+          section.append(heading);
 
-          doctorFindings.append(section);
+          sectionFindings.forEach((finding) => renderFinding(section, finding));
+          parent.append(section);
         };
 
-        renderSection('Needs attention', attentionFindings);
-        renderSection('Cleanup suggestions', cleanupFindings);
+        renderSection(doctorFindings, 'Needs attention', criticalFindings);
+
+        if (nonCriticalFindings.length > 0) {
+          const details = document.createElement('details');
+          details.className = 'findings-collapsible';
+
+          const summaryEl = document.createElement('summary');
+          const parts = [];
+          if (warnFindings.length > 0) parts.push(warnFindings.length + ' warning' + (warnFindings.length === 1 ? '' : 's'));
+          if (cleanupFindings.length > 0) parts.push(cleanupFindings.length + ' suggestion' + (cleanupFindings.length === 1 ? '' : 's'));
+          summaryEl.textContent = parts.join(', ');
+          details.append(summaryEl);
+
+          const inner = document.createElement('div');
+          inner.className = 'findings-collapsible-inner';
+          renderSection(inner, 'Warnings', warnFindings);
+          renderSection(inner, 'Cleanup suggestions', cleanupFindings);
+          details.append(inner);
+
+          doctorFindings.append(details);
+        }
       }
 
       const tone = findings.some((finding) => finding.severity === 'error')

package/dist/discord/abort-registry.js

@@ -4,6 +4,43 @@
 const COOLDOWN_MS = 15_000;
 const active = new Map();
 const cooldown = new Set();
+const metaStore = new Map();
+/** Attach metadata to an active abort entry for stop summary generation. */
+export function setAbortMeta(messageId, m) {
+    metaStore.set(messageId, m);
+}
+/** Remove metadata for a message (called alongside dispose). */
+export function clearAbortMeta(messageId) {
+    metaStore.delete(messageId);
+}
+/** Snapshot the metadata for a single active stream. Returns null if not found. */
+export function snapshotAbort(messageId) {
+    const m = metaStore.get(messageId);
+    if (!m)
+        return null;
+    return {
+        messageId,
+        channelId: m.channelId,
+        userMessage: m.userMessage,
+        partialResponse: m.getPartialResponse(),
+        activityLabel: m.getActivityLabel(),
+        sessionKey: m.sessionKey,
+        elapsedMs: Date.now() - m.startedAt,
+    };
+}
+/** Snapshot metadata for all actively streaming entries. */
+export function snapshotAllAborts() {
+    const snapshots = [];
+    for (const messageId of active.keys()) {
+        const snap = snapshotAbort(messageId);
+        if (snap)
+            snapshots.push(snap);
+    }
+    return snapshots;
+}
+// ---------------------------------------------------------------------------
+// Core abort registry
+// ---------------------------------------------------------------------------
 /**
  * Register an AbortController for a message that is about to start streaming.
  *
@@ -17,6 +54,7 @@ export function registerAbort(messageId) {
     active.set(messageId, controller);
     function dispose() {
         active.delete(messageId);
+        metaStore.delete(messageId);
         cooldown.add(messageId);
         setTimeout(() => cooldown.delete(messageId), COOLDOWN_MS);
     }
@@ -67,4 +105,5 @@ export function tryAbortAll() {
 export function _resetForTest() {
     active.clear();
     cooldown.clear();
+    metaStore.clear();
 }

package/dist/discord/action-categories.js

@@ -39,6 +39,8 @@ export const QUERY_ACTION_TYPES = new Set([
     'loopList',
     // Spawn
     'spawnAgent',
+    // Archive
+    'archiveList',
 ]);
 export function hasQueryAction(actionTypes) {
     return actionTypes.some((t) => QUERY_ACTION_TYPES.has(t));