limbo-ai 1.19.0 → 1.20.0

package/cli.js

@@ -1566,6 +1566,11 @@ async function cmdStart() {
     fs.writeFileSync(ENV_FILE, minimalContent, { mode: 0o600 });
     // Keep gateway token secret intact
     ensureGatewayToken(existingEnv);
+    // Clean config inside the Docker volume so entrypoint re-enters setup mode
+    try {
+      runDockerCompose(['run', '--rm', '--no-deps', '--entrypoint', 'sh', 'limbo',
+        '-c', 'rm -f /data/config/.env /home/limbo/.zeroclaw/config.toml'], { stdio: 'pipe' });
+    } catch {}
   }
 
   // ── Route: Wizard (default for fresh install or wizard reconfigure) ───────
@@ -1578,7 +1583,8 @@ async function cmdStart() {
   ensureVolumePermissions();
 
   header('Starting Limbo...');
-  const upResult = runDockerCompose(['up', '-d', '--remove-orphans'], { stdio: 'pipe' });
+  // Force recreate so the container picks up the clean .env (enters setup mode)
+  const upResult = runDockerCompose(['up', '-d', '--remove-orphans', '--force-recreate'], { stdio: 'pipe' });
   if (upResult.status !== 0) {
     process.stderr.write(upResult.stderr || '');
     die('Container failed to start. Run `limbo logs` to investigate.');

package/config.toml.template

@@ -1,52 +1,23 @@
-provider = "${MODEL_PROVIDER}"
-default_model = "${MODEL_NAME}"
+# ZeroClaw config template for Limbo.
+# Rendered by entrypoint.sh via envsubst. Telegram section is appended
+# conditionally — see entrypoint.sh for details.
+
+default_provider = "${MODEL_PROVIDER}"
+default_model = "${MODEL_PROVIDER}/${MODEL_NAME}"
 
 [gateway]
 host = "127.0.0.1"
 port = ${LIMBO_PORT}
+require_pairing = false
 allow_public_bind = false
 
-[gateway.auth]
-mode = "token"
-token_file = "/run/secrets/gateway_token"
-
-[memory]
-backend = "none"
-
-[security]
-sandbox = true
-command_allowlist = []
-
-[tools]
-profile = "messaging"
-allow = ["web_search", "web_fetch"]
-deny = ["exec", "browser", "canvas", "nodes", "cron", "gateway", "sessions_spawn", "sessions_send", "process", "image", "group:automation", "group:runtime", "group:fs"]
-
-[tools.fs]
-workspace_only = true
-
-[tools.exec]
-security = "deny"
-ask = "always"
-
-[tools.elevated]
-enabled = false
-
-[session]
-dm_scope = "per-channel-peer"
-
-[agents.defaults]
-workspace = "/data/workspace"
-
-[agents.defaults.model]
-primary = "${MODEL_PROVIDER}/${MODEL_NAME}"
+[autonomy]
+level = "full"
 
-[channels.telegram]
-enabled = ${TELEGRAM_ENABLED}
-bot_token = "${TELEGRAM_BOT_TOKEN}"
-dm_policy = "pairing"
+[mcp]
+enabled = true
 
-[mcp.limbo-vault]
+[[mcp.servers]]
+name = "limbo-vault"
 command = "node"
 args = ["/app/mcp-server/index.js"]
-tool_timeout_secs = 30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "limbo-ai",
-  "version": "1.19.0",
+  "version": "1.20.0",
   "description": "Your personal AI memory agent — install and manage Limbo via npx",
   "type": "commonjs",
   "bin": {

package/setup-server/public/index.html

@@ -1113,26 +1113,42 @@
           <div class="validation-msg" id="tgTokenValidation"></div>
         </div>
 
-        <div class="toggle-row" style="margin-top: 4px;">
-          <div>
-            <div class="toggle-label">
-              <span data-lang="en">Auto-pair with your account</span>
-              <span data-lang="es">Auto-vincular con tu cuenta</span>
+      </div>
+
+      <!-- Pairing panel (shown after token validation) -->
+      <div id="tgPairing" style="display: none;">
+        <div class="guide-steps">
+          <div class="guide-step">
+            <div class="guide-num">5</div>
+            <div class="guide-text">
+              <span data-lang="en">Open your bot in Telegram: <strong id="tgBotHandle"></strong></span>
+              <span data-lang="es">Abrí tu bot en Telegram: <strong id="tgBotHandleEs"></strong></span>
             </div>
-            <div class="toggle-sub">
-              <span data-lang="en">Only the first Telegram user to message the bot will be linked</span>
-              <span data-lang="es">Solo el primer usuario que le escriba al bot será vinculado</span>
+          </div>
+          <div class="guide-step">
+            <div class="guide-num">6</div>
+            <div class="guide-text">
+              <span data-lang="en">Send any message (e.g. "hello")</span>
+              <span data-lang="es">Mandá cualquier mensaje (ej: "hola")</span>
             </div>
           </div>
-          <label class="toggle">
-            <input type="checkbox" id="tgAutoPair" checked>
-            <span class="toggle-track"></span>
-            <span class="toggle-thumb"></span>
-          </label>
+        </div>
+
+        <div id="tgPairingStatus" style="display: flex; align-items: center; gap: 12px; padding: 16px; background: var(--bg-3); border-radius: var(--r-md); margin-top: 16px;">
+          <div class="spinner" style="border-color: var(--accent); border-top-color: transparent; width: 20px; height: 20px; border-width: 2px;"></div>
+          <span style="color: var(--text-sub);">
+            <span data-lang="en">Waiting for your message...</span>
+            <span data-lang="es">Esperando tu mensaje...</span>
+          </span>
+        </div>
+
+        <div id="tgPairingSuccess" style="display: none; align-items: center; gap: 12px; padding: 16px; background: var(--bg-3); border-radius: var(--r-md); margin-top: 16px;">
+          <span style="color: var(--success); font-size: 20px; font-weight: 700;">&#10003;</span>
+          <span id="tgPairingSuccessMsg" style="color: var(--success);"></span>
         </div>
       </div>
 
-      <div class="btn-row">
+      <div class="btn-row" id="tgBtnRow">
         <button class="btn-secondary" onclick="skipTelegram()">
           <span data-lang="en">Skip</span>
           <span data-lang="es">Omitir</span>
@@ -1216,7 +1232,7 @@
       authMode: null,
       apiKey: '',
       model: null,
-      telegram: { enabled: true, botToken: '', autoPair: true },
+      telegram: { enabled: true, botToken: '' },
       subscriptionDone: false,
       subscriptionEmail: '',
     };
@@ -1275,6 +1291,7 @@
       // Step-specific setup
       if (n === 4) setupApiKeyStep();
       if (n === 5) fetchModels();
+      if (n === 6) resetTelegramUI();
       if (n === 7) buildSummary();
     }
 
@@ -1714,25 +1731,116 @@
       }
     });
 
+    let pairingActive = false;
+
     function skipTelegram() {
+      pairingActive = false;
       state.telegram.enabled = false;
       state.telegram.botToken = '';
       goToStep(7);
     }
 
-    function submitTelegram() {
-      if (state.telegram.enabled) {
-        const token = document.getElementById('tgTokenInput').value.trim();
-        if (!token || !/^\d+:.{20,}$/.test(token)) {
+    function resetTelegramUI() {
+      document.getElementById('tgFields').classList.toggle('visible', state.telegram.enabled);
+      document.getElementById('tgPairing').style.display = 'none';
+      document.getElementById('tgPairingStatus').style.display = 'flex';
+      document.getElementById('tgPairingSuccess').style.display = 'none';
+      const btn = document.getElementById('btnTgContinue');
+      btn.disabled = false;
+      btn.style.display = '';
+      btn.innerHTML = `<span data-lang="en">Continue</span><span data-lang="es">Continuar</span>`;
+      document.body.className = `lang-${state.language}`;
+    }
+
+    async function submitTelegram() {
+      if (!state.telegram.enabled) {
+        goToStep(7);
+        return;
+      }
+
+      const token = document.getElementById('tgTokenInput').value.trim();
+      if (!token || !/^\d+:.{20,}$/.test(token)) {
+        const msgEl = document.getElementById('tgTokenValidation');
+        const msg = state.language === 'es' ? 'Ingresá un token válido o salteá este paso' : 'Enter a valid token or skip this step';
+        msgEl.innerHTML = `<span class="validation-msg error">${msg}</span>`;
+        return;
+      }
+
+      state.telegram.botToken = token;
+      const btn = document.getElementById('btnTgContinue');
+      btn.disabled = true;
+      btn.innerHTML = `<div class="spinner" style="width:16px;height:16px;border-width:2px;display:inline-block;vertical-align:middle;"></div>`;
+
+      try {
+        // Validate token with Telegram getMe
+        const validateRes = await fetch('/api/telegram/validate-token', {
+          method: 'POST',
+          headers: authHeaders(),
+          body: JSON.stringify({ botToken: token }),
+        });
+        const validateData = await validateRes.json();
+
+        if (!validateData.valid) {
           const msgEl = document.getElementById('tgTokenValidation');
-          const msg = state.language === 'es' ? 'Ingresá un token válido o salteá este paso' : 'Enter a valid token or skip this step';
+          const msg = state.language === 'es' ? 'Token inválido. Revisá que sea correcto.' : 'Invalid token. Please check and try again.';
           msgEl.innerHTML = `<span class="validation-msg error">${msg}</span>`;
+          btn.disabled = false;
+          btn.innerHTML = `<span data-lang="en">Continue</span><span data-lang="es">Continuar</span>`;
+          document.body.className = `lang-${state.language}`;
           return;
         }
-        state.telegram.botToken = token;
-        state.telegram.autoPair = document.getElementById('tgAutoPair').checked;
+
+        // Show pairing panel
+        const handle = `@${validateData.botUsername}`;
+        document.getElementById('tgBotHandle').textContent = handle;
+        document.getElementById('tgBotHandleEs').textContent = handle;
+        document.getElementById('tgFields').classList.remove('visible');
+        document.getElementById('tgPairing').style.display = 'block';
+        btn.style.display = 'none';
+
+        // Start long-poll pairing loop
+        pairingActive = true;
+        startTelegramPairing(token);
+      } catch (err) {
+        const msgEl = document.getElementById('tgTokenValidation');
+        msgEl.innerHTML = `<span class="validation-msg error">${err.message}</span>`;
+        btn.disabled = false;
+        btn.innerHTML = `<span data-lang="en">Continue</span><span data-lang="es">Continuar</span>`;
+        document.body.className = `lang-${state.language}`;
+      }
+    }
+
+    async function startTelegramPairing(token) {
+      while (pairingActive) {
+        try {
+          const res = await fetch('/api/telegram/pair', {
+            method: 'POST',
+            headers: authHeaders(),
+            body: JSON.stringify({ botToken: token, language: state.language }),
+          });
+          const data = await res.json();
+
+          if (!pairingActive) return;
+
+          if (data.paired) {
+            pairingActive = false;
+            document.getElementById('tgPairingStatus').style.display = 'none';
+            const successEl = document.getElementById('tgPairingSuccess');
+            successEl.style.display = 'flex';
+            const msg = state.language === 'es'
+              ? `Conectado${data.firstName ? ' con ' + data.firstName : ''}. Saludo enviado.`
+              : `Connected${data.firstName ? ' with ' + data.firstName : ''}. Greeting sent.`;
+            document.getElementById('tgPairingSuccessMsg').textContent = msg;
+
+            setTimeout(() => goToStep(7), 2000);
+            return;
+          }
+          // Not paired yet — the server already waited ~25s, loop immediately
+        } catch {
+          if (!pairingActive) return;
+          await new Promise(r => setTimeout(r, 2000));
+        }
       }
-      goToStep(7);
     }
 
     // --- Step 7: Summary ---
@@ -1808,9 +1916,10 @@
       state.model = null;
       state.subscriptionDone = false;
       state.subscriptionEmail = '';
-      state.telegram = { enabled: true, botToken: '', autoPair: true };
+      state.telegram = { enabled: true, botToken: '' };
+      pairingActive = false;
       document.getElementById('tgToggle').checked = true;
-      document.getElementById('tgFields').classList.add('visible');
+      resetTelegramUI();
       goToStep(1);
     }
 
@@ -1833,7 +1942,6 @@
         telegram: {
           enabled: state.telegram.enabled,
           botToken: state.telegram.enabled ? state.telegram.botToken : '',
-          autoPair: state.telegram.autoPair,
         },
       };
       if (state.authMode === 'api-key') {

package/setup-server/server.js

@@ -13,8 +13,9 @@ const crypto = require('crypto');
 const PORT = parseInt(process.env.LIMBO_PORT, 10) || 18789;
 const PUBLIC_DIR = path.join(__dirname, 'public');
 const DATA_DIR = process.env.LIMBO_DATA_DIR || '/data';
+const ZEROCLAW_STATE = process.env.ZEROCLAW_STATE_DIR || '/home/limbo/.zeroclaw';
 const CONFIG_DIR = path.join(DATA_DIR, 'config');
-const SECRETS_DIR = path.join(DATA_DIR, 'secrets');
+const SECRETS_DIR = path.join(ZEROCLAW_STATE, 'secrets');
 const ENV_FILE = path.join(CONFIG_DIR, '.env');
 const SETUP_TOKEN_FILE = path.join(CONFIG_DIR, 'setup_token');
 
@@ -225,52 +226,216 @@ function decodeJwtPayload(token) {
   return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
 }
 
+// ZeroClaw auth-profiles.json format:
+//   path: ~/.zeroclaw/auth-profiles.json
+//   fields: profile_name, kind, provider, access_token, refresh_token, expires_at (RFC3339)
+//   After writing, `zeroclaw auth use --provider X --profile Y` activates it.
+
 function buildCodexAuthProfile(profile) {
-  const profileId = profile.email ? `openai-codex:${profile.email}` : 'openai-codex:default';
+  const profileName = 'default';
+  const profileId = `openai-codex:${profileName}`;
   return {
     version: 1,
     profiles: {
       [profileId]: {
-        type: 'oauth',
+        profile_name: profileName,
+        kind: 'oauth',
         provider: 'openai-codex',
-        access: profile.access,
-        refresh: profile.refresh,
-        expires: profile.expires,
-        accountId: profile.accountId,
+        access_token: profile.access,
+        refresh_token: profile.refresh,
+        expires_at: new Date(profile.expires).toISOString(),
+        account_id: profile.accountId || '',
       },
     },
-    order: {},
-    lastGood: {},
+    order: { 'openai-codex': [profileId] },
+    lastGood: { 'openai-codex': profileId },
     usageStats: {},
   };
 }
 
 function buildAnthropicAuthProfile(token) {
+  const profileName = 'default';
+  const profileId = `anthropic:${profileName}`;
   return {
     version: 1,
     profiles: {
-      'anthropic:token': {
-        type: 'token',
+      [profileId]: {
+        profile_name: profileName,
+        kind: 'token',
         provider: 'anthropic',
-        token,
+        access_token: token,
       },
     },
-    order: { anthropic: ['anthropic:token'] },
-    lastGood: {},
+    order: { anthropic: [profileId] },
+    lastGood: { anthropic: profileId },
     usageStats: {},
   };
 }
 
-const ZEROCLAW_STATE = process.env.ZEROCLAW_STATE_DIR || '/home/limbo/.zeroclaw';
-const AUTH_PROFILES_DIR = path.join(ZEROCLAW_STATE, 'agents/main/agent');
-const AUTH_PROFILES_FILE = path.join(AUTH_PROFILES_DIR, 'auth-profiles.json');
+const AUTH_PROFILES_FILE = path.join(ZEROCLAW_STATE, 'auth-profiles.json');
 
 function writeAuthProfiles(store) {
-  fs.mkdirSync(AUTH_PROFILES_DIR, { recursive: true, mode: 0o700 });
+  fs.mkdirSync(ZEROCLAW_STATE, { recursive: true, mode: 0o700 });
   fs.writeFileSync(AUTH_PROFILES_FILE, JSON.stringify(store, null, 2), { mode: 0o600 });
   log('Auth profile written to ' + AUTH_PROFILES_FILE);
 }
 
+// ─── Telegram API Helpers ────────────────────────────────────────────────────
+
+const https = require('https');
+
+function telegramApiGet(token, method, params = {}) {
+  const qs = new URLSearchParams(params).toString();
+  const urlPath = `/bot${token}/${method}${qs ? '?' + qs : ''}`;
+  return new Promise((resolve, reject) => {
+    const req = https.get({
+      hostname: 'api.telegram.org',
+      path: urlPath,
+      timeout: 35000,
+    }, (r) => {
+      let data = '';
+      r.on('data', c => data += c);
+      r.on('end', () => {
+        try { resolve(JSON.parse(data)); }
+        catch { reject(new Error('Invalid JSON from Telegram API')); }
+      });
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Telegram API timeout')); });
+  });
+}
+
+function telegramApiPost(token, method, body) {
+  const jsonBody = JSON.stringify(body);
+  return new Promise((resolve, reject) => {
+    const req = https.request({
+      hostname: 'api.telegram.org',
+      path: `/bot${token}/${method}`,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(jsonBody),
+      },
+      timeout: 10000,
+    }, (r) => {
+      let data = '';
+      r.on('data', c => data += c);
+      r.on('end', () => {
+        try { resolve(JSON.parse(data)); }
+        catch { reject(new Error('Invalid JSON from Telegram API')); }
+      });
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Telegram API timeout')); });
+    req.write(jsonBody);
+    req.end();
+  });
+}
+
+// ─── Telegram Pairing Handlers ──────────────────────────────────────────────
+
+async function handleTelegramValidate(req, res) {
+  const body = await readBody(req);
+  const data = parseJSON(body);
+
+  if (!data || !data.botToken) {
+    return sendError(res, 400, 'Missing botToken');
+  }
+
+  try {
+    const result = await telegramApiGet(data.botToken, 'getMe');
+    if (result.ok) {
+      sendJSON(res, 200, {
+        valid: true,
+        botUsername: result.result.username,
+        botName: result.result.first_name,
+      });
+    } else {
+      sendJSON(res, 200, { valid: false, error: result.description });
+    }
+  } catch (err) {
+    sendError(res, 500, `Telegram API error: ${err.message}`);
+  }
+}
+
+async function handleTelegramPair(req, res) {
+  const body = await readBody(req);
+  const data = parseJSON(body);
+
+  if (!data || !data.botToken) {
+    return sendError(res, 400, 'Missing botToken');
+  }
+
+  const token = data.botToken;
+
+  try {
+    // Check for existing messages first (non-blocking)
+    let result = await telegramApiGet(token, 'getUpdates', { timeout: 0 });
+    if (!result.ok) {
+      return sendError(res, 502, `Telegram: ${result.description}`);
+    }
+
+    let updates = result.result || [];
+    let targetUpdate = null;
+
+    // Find the last message update
+    for (const u of updates) {
+      if (u.message && u.message.chat) targetUpdate = u;
+    }
+
+    if (!targetUpdate) {
+      // Long poll for a new message (25s — Telegram holds the connection)
+      const offset = updates.length > 0
+        ? updates[updates.length - 1].update_id + 1
+        : undefined;
+      const pollParams = { timeout: 25, limit: 1 };
+      if (offset !== undefined) pollParams.offset = offset;
+
+      result = await telegramApiGet(token, 'getUpdates', pollParams);
+      if (!result.ok) {
+        return sendError(res, 502, `Telegram: ${result.description}`);
+      }
+
+      for (const u of (result.result || [])) {
+        if (u.message && u.message.chat) targetUpdate = u;
+      }
+    }
+
+    if (!targetUpdate) {
+      return sendJSON(res, 200, { paired: false });
+    }
+
+    const chat = targetUpdate.message.chat;
+    const chatId = String(chat.id);
+    const firstName = chat.first_name || '';
+
+    // Acknowledge all updates up to this one
+    await telegramApiGet(token, 'getUpdates', {
+      offset: targetUpdate.update_id + 1,
+      timeout: 0,
+      limit: 1,
+    });
+
+    // Send greeting
+    const lang = data.language || 'en';
+    const greeting = lang === 'es'
+      ? `👋 ¡Hola${firstName ? ' ' + firstName : ''}! Limbo está configurado y listo. Podés hablarme por acá.`
+      : `👋 Hey${firstName ? ' ' + firstName : ''}! Limbo is set up and ready. You can talk to me here.`;
+
+    await telegramApiPost(token, 'sendMessage', { chat_id: chatId, text: greeting });
+
+    // Persist chat_id
+    writeSecretFile('telegram_chat_id', chatId);
+    log(`Telegram paired: chat_id=${chatId} name=${firstName}`);
+
+    sendJSON(res, 200, { paired: true, chatId, firstName });
+
+  } catch (err) {
+    log(`Telegram pair error: ${err.message}`);
+    sendError(res, 500, `Telegram pairing error: ${err.message}`);
+  }
+}
+
 // ─── Static File Serving ─────────────────────────────────────────────────────
 
 function serveStatic(req, res) {
@@ -352,7 +517,6 @@ function handleOAuthStart(req, res) {
 
 // Shared token exchange logic
 async function exchangeOAuthCode(code, verifier, redirectUri) {
-  const https = require('https');
   const tokenBody = new URLSearchParams({
     grant_type: 'authorization_code',
     client_id: OPENAI_OAUTH.clientId,
@@ -567,6 +731,7 @@ async function handleConfigure(req, res) {
     const telegram = data.telegram || {};
     if (telegram.botToken) {
       writeSecretFile('telegram_bot_token', telegram.botToken);
+      // chat_id is already captured by /api/telegram/pair during wizard Step 6
     }
 
     const gatewayToken = ensureGatewayToken();
@@ -580,8 +745,6 @@ async function handleConfigure(req, res) {
       MODEL_NAME:                 modelName,
       LIMBO_PORT:                 String(PORT),
       TELEGRAM_ENABLED:           telegram.enabled ? 'true' : 'false',
-      TELEGRAM_AUTO_PAIR_FIRST_DM: telegram.autoPair ? 'true' : 'false',
-      GATEWAY_TOKEN:              gatewayToken,
     };
 
     // Write .env file (quote values to handle special chars)
@@ -658,6 +821,10 @@ async function handleRequest(req, res) {
       await handleOAuthExchange(req, res);
     } else if (method === 'POST' && url === '/api/auth/anthropic/token') {
       await handleAnthropicToken(req, res);
+    } else if (method === 'POST' && url === '/api/telegram/validate-token') {
+      await handleTelegramValidate(req, res);
+    } else if (method === 'POST' && url === '/api/telegram/pair') {
+      await handleTelegramPair(req, res);
     } else if (method === 'POST' && url === '/api/configure') {
       await handleConfigure(req, res);
     } else if (method === 'GET') {

package/test/zeroclaw-migration.test.js

@@ -37,58 +37,74 @@ test('mcporter.json is deleted', () => {
   assert.ok(!exists('mcporter.json'), 'mcporter.json should not exist');
 });
 
-// ─── 2. New ZeroClaw config template exists and is valid TOML-ish ───────────
+// ─── 2. New ZeroClaw config template exists and matches ZeroClaw schema ─────
 
 test('config.toml.template exists', () => {
   assert.ok(exists('config.toml.template'));
 });
 
-test('config.toml.template contains required sections', () => {
+test('config.toml.template contains required ZeroClaw sections', () => {
   const toml = read('config.toml.template');
   const required = [
     '[gateway]',
+    '[mcp]',
+    '[[mcp.servers]]',
+  ];
+  for (const section of required) {
+    assert.ok(toml.includes(section), `Missing section: ${section}`);
+  }
+});
+
+test('config.toml.template does NOT contain unsupported sections', () => {
+  const toml = read('config.toml.template');
+  const forbidden = [
     '[gateway.auth]',
     '[memory]',
-    '[security]',
-    '[tools]',
     '[session]',
     '[agents.defaults]',
     '[channels.telegram]',
     '[mcp.limbo-vault]',
+    '[security]',
+    '[tools]',
   ];
-  for (const section of required) {
-    assert.ok(toml.includes(section), `Missing section: ${section}`);
+  for (const section of forbidden) {
+    assert.ok(!toml.includes(section), `Should not contain unsupported section: ${section}`);
   }
 });
 
 test('config.toml.template uses envsubst variables', () => {
   const toml = read('config.toml.template');
-  const vars = ['${MODEL_PROVIDER}', '${MODEL_NAME}', '${LIMBO_PORT}', '${TELEGRAM_BOT_TOKEN}', '${TELEGRAM_ENABLED}'];
+  const vars = ['${MODEL_PROVIDER}', '${MODEL_NAME}', '${LIMBO_PORT}'];
   for (const v of vars) {
     assert.ok(toml.includes(v), `Missing envsubst variable: ${v}`);
   }
 });
 
-test('config.toml.template has gateway auth with token_file', () => {
-  const toml = read('config.toml.template');
-  assert.ok(toml.includes('token_file = "/run/secrets/gateway_token"'),
-    'Gateway auth must reference /run/secrets/gateway_token');
-});
-
-test('config.toml.template has memory backend = none', () => {
+test('config.toml.template uses require_pairing for gateway auth', () => {
   const toml = read('config.toml.template');
-  assert.ok(toml.includes('backend = "none"'),
-    'Memory backend must be "none" (Limbo uses its own vault via MCP)');
+  assert.ok(toml.includes('require_pairing = false'),
+    'Gateway must use require_pairing (ZeroClaw schema)');
 });
 
-test('config.toml.template registers MCP server natively', () => {
+test('config.toml.template registers MCP server via [[mcp.servers]]', () => {
   const toml = read('config.toml.template');
-  assert.ok(toml.includes('[mcp.limbo-vault]'));
+  assert.ok(toml.includes('[[mcp.servers]]'));
+  assert.ok(toml.includes('name = "limbo-vault"'));
   assert.ok(toml.includes('command = "node"'));
   assert.ok(toml.includes('"/app/mcp-server/index.js"'));
 });
 
-// ─── 3. Dockerfile references ZeroClaw, not OpenClaw ────────────────────────
+// ─── 3. Entrypoint conditionally appends Telegram config ────────────────────
+
+test('entrypoint.sh appends channels_config.telegram conditionally', () => {
+  const ep = read('scripts/entrypoint.sh');
+  assert.ok(ep.includes('[channels_config.telegram]'),
+    'Entrypoint must append [channels_config.telegram] section');
+  assert.ok(ep.includes('allowed_users'),
+    'Telegram config must include allowed_users');
+});
+
+// ─── 4. Dockerfile references ZeroClaw, not OpenClaw ────────────────────────
 
 test('Dockerfile pulls ZeroClaw binary from official image', () => {
   const df = read('Dockerfile');
@@ -112,7 +128,7 @@ test('Dockerfile copies config.toml.template', () => {
   assert.ok(df.includes('config.toml.template'));
 });
 
-// ─── 4. docker-compose.yml uses ZeroClaw volumes and healthcheck ────────────
+// ─── 5. docker-compose.yml uses ZeroClaw volumes and healthcheck ────────────
 
 test('docker-compose.yml uses limbo-zeroclaw-state volume', () => {
   const dc = read('docker-compose.yml');
@@ -138,7 +154,7 @@ test('docker-compose.yml mounts .zeroclaw state dir', () => {
   assert.ok(dc.includes('/home/limbo/.zeroclaw'));
 });
 
-// ─── 5. Entrypoint uses ZeroClaw ────────────────────────────────────────────
+// ─── 6. Entrypoint uses ZeroClaw ────────────────────────────────────────────
 
 test('entrypoint.sh starts zeroclaw daemon', () => {
   const ep = read('scripts/entrypoint.sh');
@@ -165,7 +181,7 @@ test('entrypoint.sh renders config.toml from template via envsubst', () => {
   assert.ok(ep.includes('envsubst'));
 });
 
-// ─── 6. Migration version bumped correctly ──────────────────────────────────
+// ─── 7. Migration version bumped correctly ──────────────────────────────────
 
 test('migration index has CURRENT_DATA_VERSION = 3', () => {
   const idx = read('migrations/index.js');
@@ -185,14 +201,14 @@ test('migration 003 exports version 3 and up function', () => {
     'Migration 003 must export an up function');
 });
 
-// ─── 7. CLI filter suppresses both openclaw and zeroclaw branding ───────────
+// ─── 8. CLI filter suppresses both openclaw and zeroclaw branding ───────────
 
 test('cli-filter.test.js classify regex handles both brands', () => {
   const t = read('test/cli-filter.test.js');
   assert.ok(t.includes('openclaw|zeroclaw'), 'Filter regex must suppress both openclaw and zeroclaw branding');
 });
 
-// ─── 8. No stale OPENCLAW env vars in core config files ─────────────────────
+// ─── 9. No stale OPENCLAW env vars in core config files ─────────────────────
 
 test('.env.example does not use OPENCLAW_ prefix', () => {
   if (!exists('.env.example')) return; // optional file
@@ -205,7 +221,7 @@ test('docker-compose.yml does not use OPENCLAW_ env vars', () => {
   assert.ok(!dc.includes('OPENCLAW_'));
 });
 
-// ─── 9. Workspace docs updated ──────────────────────────────────────────────
+// ─── 10. Workspace docs updated ─────────────────────────────────────────────
 
 test('IDENTITY.md does not reference OpenClaw gateway', () => {
   const id = read('workspace/templates/IDENTITY.md');
@@ -217,14 +233,14 @@ test('TOOLS.md does not reference mcporter', () => {
   assert.ok(!tools.toLowerCase().includes('mcporter'), 'TOOLS.md should not reference mcporter');
 });
 
-// ─── 10. Package.json includes zeroclaw keyword ─────────────────────────────
+// ─── 11. Package.json includes zeroclaw keyword ─────────────────────────────
 
 test('package.json keywords include zeroclaw', () => {
   const pkg = JSON.parse(read('package.json'));
   assert.ok(pkg.keywords.includes('zeroclaw'), 'package.json keywords should include "zeroclaw"');
 });
 
-// ─── 11. Setup server uses ZeroClaw paths ───────────────────────────────────
+// ─── 12. Setup server uses ZeroClaw paths ───────────────────────────────────
 
 test('setup-server uses ZEROCLAW_STATE not OPENCLAW_STATE', () => {
   const srv = read('setup-server/server.js');
@@ -237,7 +253,7 @@ test('setup-server uses GATEWAY_TOKEN not OPENCLAW_GATEWAY_TOKEN', () => {
   assert.ok(!srv.includes('OPENCLAW_GATEWAY_TOKEN'), 'setup-server should not use OPENCLAW_GATEWAY_TOKEN');
 });
 
-// ─── 12. Security: sensitive dirs ───────────────────────────────────────────
+// ─── 13. Security: sensitive dirs ───────────────────────────────────────────
 
 test('Dockerfile does not install git in final image', () => {
   const df = read('Dockerfile');