metheus-governance-mcp-cli 0.2.71 → 0.2.73

package/README.md

@@ -231,7 +231,8 @@ Behavior:
 - For Telegram, the local env key is auto-generated from the matched server bot name or verified username, so you do not have to invent a separate local nickname first.
 - For Telegram, the CLI tries to match the verified bot identity against the server `me/bots` list first. If the server exposes one logical bot name with multiple roles such as `approval`, `worker`, `review`, and `monitor`, the CLI does not ask you to choose one UUID. It binds by server bot name and keeps the local role/AI fields empty so runtime can use the server bot role for each route.
 - When the Telegram username matches exactly one server bot role, the CLI still auto-fills the local `role_profile` and blank AI defaults from your local `bot-runner.json` `role_profiles` mapping.
-- `bot edit` without flags now uses the same sequential flow every time: provider -> bot entry -> username/token review -> AI field choices -> default choice -> save.
+- `bot edit` without flags now uses the same sequential flow every time: provider -> bot entry -> username/token review -> grouped server-role review when needed -> AI field choices -> default choice -> save.
+- if one server bot name maps to multiple server roles, `bot edit` keeps the Telegram env entry bound to the server identity and lets you review the local `role_profiles` for each detected role instead of forcing one role/profile UUID choice up front.
 - In the normal Telegram edit path, the CLI keeps or re-resolves the server bot binding automatically. It no longer asks you to pick `approval / worker / review / monitor` or a server bot UUID first.
 - `bot set-default` without flags starts a guided numbered flow: provider -> bot entry -> confirm default change.
 - `bot verify` without flags starts a guided numbered flow: provider -> bot entry -> output format.
@@ -246,8 +247,8 @@ Behavior:
   - `AI_PERMISSION_MODE`
   - `AI_REASONING_EFFORT`
 - Slack and KakaoTalk currently use a single local token entry per provider in this command flow.
-- `bot verify` checks the configured local token and prints the current AI binding summary.
-- `bot show` prints one local bot entry in detail.
+- `bot verify` checks the configured local token, cross-checks the server bot binding, and prints the effective runtime role profile summary that the runner will use.
+- `bot show` prints one local bot entry in detail, including grouped role summaries when one server bot name expands to multiple roles.
 - `bot global` edits Telegram-wide local settings such as API base URL, allowed updates, and default bot key.
 - `bot set-default` updates `TELEGRAM_DEFAULT_BOT_KEY`.
 - `bot migrate` moves legacy `TELEGRAM_BOT_TOKEN` into a named Telegram bot entry.
@@ -258,7 +259,7 @@ Non-interactive examples:
 metheus-governance-mcp-cli bot global --provider telegram --non-interactive true --api-base-url http://127.0.0.1:8999/telegram --auto-clear-webhook false --allowed-updates message,edited_message,channel_post
 metheus-governance-mcp-cli bot add --provider telegram --non-interactive true --server-bot-id <server_bot_uuid> --token <telegram_bot_token> --default true
 metheus-governance-mcp-cli bot add --provider telegram --non-interactive true --server-bot-id <server_bot_uuid> --token <telegram_bot_token> --ai-client codex --ai-model gpt-5-codex --ai-permission-mode read_only --ai-reasoning-effort low
-metheus-governance-mcp-cli bot edit --provider telegram --bot-key main --non-interactive true --ai-client claude --ai-model claude-sonnet --ai-permission-mode workspace_write --ai-reasoning-effort medium
+metheus-governance-mcp-cli bot edit --provider telegram --bot-key ryoai_bot --non-interactive true --ai-client claude --ai-model claude-sonnet-4 --ai-permission-mode danger_full_access --ai-reasoning-effort high
 metheus-governance-mcp-cli bot set-default --provider telegram --bot-key main --non-interactive true
 metheus-governance-mcp-cli bot migrate --provider telegram --bot-key main --server-bot-id <server_bot_uuid> --bot-name <telegram_username> --role-profile monitor --ai-client codex --ai-permission-mode read_only --ai-reasoning-effort low --non-interactive true
 metheus-governance-mcp-cli bot remove --provider telegram --bot-key main --non-interactive true
@@ -267,6 +268,8 @@ metheus-governance-mcp-cli bot verify --provider telegram --bot-key main --json
 
 For direct Telegram adds, the CLI can derive the local entry key from the matched server bot name. You no longer need `--bot-key` or `--username` in the normal server-bound path. Treat `--bot-key` as an advanced override only when you intentionally want a different local suffix.
 
+For direct Telegram edits, `--bot-key` still identifies which saved local entry to update. If one server bot name expands to multiple roles such as `approval / worker / review / monitor`, prefer the guided `bot edit` flow so you can keep the current grouped settings, edit one role only, or walk every role in sequence instead of forcing one entry-level AI override.
+
 Current support status:
 
 - Telegram: full local bot entry management, token verification, bot-to-AI binding, inbound runner support

package/cli.mjs

@@ -3362,6 +3362,7 @@ function buildBotCommandDeps() {
     loadProviderEnvConfig,
     verifyLocalProviderToken,
     loadBotRunnerConfig,
+    saveBotRunnerConfig,
     listServerBots: async ({ provider, baseURL, timeoutSeconds }) => {
       const authFlowDeps = buildAuthFlowDeps();
       const resolved = resolveCurrentAccessToken(authFlowDeps);

package/lib/bot-commands.mjs

@@ -595,6 +595,8 @@ function buildDerivedTelegramBotKey(parsedEnv, deps, preferredValues, { excludeK
 
 async function editTelegramBotGuided(ui, parsed, selected, current, flags, deps) {
   let serverRoleAutoResolved = "";
+  let groupedServerRoles = [];
+  let groupedServerName = "";
   if (current.serverBotID || current.__preferServerIdentity) {
     current.__preferServerIdentity = true;
     serverRoleAutoResolved = String(current.roleProfile || "").trim() || "__server_binding__";
@@ -641,9 +643,15 @@ async function editTelegramBotGuided(ui, parsed, selected, current, flags, deps)
       current.serverBotID = "";
       current.__preferServerIdentity = true;
       current.roleProfile = "";
+      current.client = "";
+      current.model = "";
+      current.permissionMode = "";
+      current.reasoningEffort = "";
       serverRoleAutoResolved = "__server_role_group__";
+      groupedServerRoles = preferredRoleSort(serverBot.roles);
+      groupedServerName = String(serverBot.name || current.username || current.key).trim();
       process.stdout.write(
-        `Using server Telegram bot "${serverBot.name || current.username || current.key}" with roles: ${ensureArray(serverBot.roles).join(", ")}. Runtime will use the server role automatically.\n`,
+        `Using server Telegram bot "${groupedServerName}" with roles: ${groupedServerRoles.join(", ")}. Runtime will use the server role automatically.\n`,
       );
     } else if (String(serverBot.botID || "").trim()) {
       current.serverBotID = String(serverBot.botID || "").trim();
@@ -672,53 +680,64 @@ async function editTelegramBotGuided(ui, parsed, selected, current, flags, deps)
     }
   }
 
-  const clientAction = await promptKeepChangeClear(ui, "AI client", {
-    allowClear: true,
-    defaultValue: current.client ? "keep" : "change",
-  });
-  if (clientAction === "change") {
-    current.client = requireDependency(deps, "normalizeLocalAIClientName")(
-      await promptAIClient(ui, deps, current.client),
-      "",
+  if (serverRoleAutoResolved === "__server_role_group__") {
+    await maybePromptGroupedServerRoleProfiles(
+      ui,
+      {
+        name: groupedServerName,
+        roles: groupedServerRoles,
+      },
+      deps,
     );
-  } else if (clientAction === "clear") {
-    current.client = "";
-  }
+  } else {
+    const clientAction = await promptKeepChangeClear(ui, "AI client", {
+      allowClear: true,
+      defaultValue: current.client ? "keep" : "change",
+    });
+    if (clientAction === "change") {
+      current.client = requireDependency(deps, "normalizeLocalAIClientName")(
+        await promptAIClient(ui, deps, current.client),
+        "",
+      );
+    } else if (clientAction === "clear") {
+      current.client = "";
+    }
 
-  const modelAction = await promptKeepChangeClear(ui, "AI model", {
-    allowClear: true,
-    defaultValue: current.model ? "keep" : "change",
-  });
-  if (modelAction === "change") {
-    current.model = await promptLine(ui, "AI model", current.model);
-  } else if (modelAction === "clear") {
-    current.model = "";
-  }
+    const modelAction = await promptKeepChangeClear(ui, "AI model", {
+      allowClear: true,
+      defaultValue: current.model ? "keep" : "change",
+    });
+    if (modelAction === "change") {
+      current.model = await promptLine(ui, "AI model", current.model);
+    } else if (modelAction === "clear") {
+      current.model = "";
+    }
 
-  const permissionAction = await promptKeepChangeClear(ui, "AI permission mode", {
-    allowClear: true,
-    defaultValue: current.permissionMode ? "keep" : "change",
-  });
-  if (permissionAction === "change") {
-    current.permissionMode = requireDependency(deps, "normalizeLocalAIPermissionMode")(
-      await promptPermissionMode(ui, current.permissionMode),
-      "",
-    );
-  } else if (permissionAction === "clear") {
-    current.permissionMode = "";
-  }
+    const permissionAction = await promptKeepChangeClear(ui, "AI permission mode", {
+      allowClear: true,
+      defaultValue: current.permissionMode ? "keep" : "change",
+    });
+    if (permissionAction === "change") {
+      current.permissionMode = requireDependency(deps, "normalizeLocalAIPermissionMode")(
+        await promptPermissionMode(ui, current.permissionMode),
+        "",
+      );
+    } else if (permissionAction === "clear") {
+      current.permissionMode = "";
+    }
 
-  const reasoningAction = await promptKeepChangeClear(ui, "AI reasoning effort", {
-    allowClear: true,
-    defaultValue: current.reasoningEffort ? "keep" : "change",
-  });
-  if (reasoningAction === "change") {
-    current.reasoningEffort = requireDependency(deps, "normalizeLocalAIReasoningEffort")(
-      await promptReasoningEffort(ui, current.reasoningEffort),
-      "",
-    );
-  } else if (reasoningAction === "clear") {
-    current.reasoningEffort = "";
+    const reasoningAction = await promptKeepChangeClear(ui, "AI reasoning effort", {
+      allowClear: true,
+      defaultValue: current.reasoningEffort ? "keep" : "change",
+    });
+    if (reasoningAction === "change") {
+      current.reasoningEffort = requireDependency(deps, "normalizeLocalAIReasoningEffort")(
+        await promptReasoningEffort(ui, current.reasoningEffort),
+        "",
+      );
+    } else if (reasoningAction === "clear") {
+      current.reasoningEffort = "";
+    }
   }
 
   const defaultChoice = await promptChoice(
@@ -790,6 +809,16 @@ function renderBotListPayload(provider, state, deps) {
   };
 }
 
+function formatRoleProfileOutputLine(profile) {
+  const current = safeObject(profile);
+  return [
+    current.client ? `client=${current.client}` : "client=(blank)",
+    current.model ? `model=${current.model}` : "model=(blank)",
+    current.permissionMode ? `permission=${current.permissionMode}` : "permission=(blank)",
+    current.reasoningEffort ? `reasoning=${current.reasoningEffort}` : "reasoning=(blank)",
+  ].join(" | ");
+}
+
 function buildBotShowPayload(provider, state, entry, deps, extras = {}) {
   if (provider === "telegram") {
     const selectedEntry = entry || null;
@@ -810,6 +839,7 @@ function buildBotShowPayload(provider, state, entry, deps, extras = {}) {
         permissionMode: selectedEntry.permissionMode,
         reasoningEffort: selectedEntry.reasoningEffort,
       } : null,
+      serverBinding: safeObject(extras.serverBinding),
       ...safeObject(extras),
     };
   }
@@ -864,6 +894,7 @@ function printBotList(provider, state, deps) {
 function printBotShow(provider, state, entry, deps, extras = {}) {
   if (provider === "telegram") {
     const selectedEntry = entry || {};
+    const serverBinding = safeObject(extras.serverBinding);
     process.stdout.write(`${providerLabel(provider, deps)} bot\n`);
     process.stdout.write(`  file: ${state.filePath}\n`);
     process.stdout.write(`  name: ${telegramEntryDisplayName(selectedEntry)}\n`);
@@ -877,8 +908,21 @@ function printBotShow(provider, state, entry, deps, extras = {}) {
     process.stdout.write(`  ai_model: ${selectedEntry.model || "-"}\n`);
     process.stdout.write(`  permission_mode: ${selectedEntry.permissionMode || "-"}\n`);
     process.stdout.write(`  reasoning_effort: ${selectedEntry.reasoningEffort || "-"}\n`);
-    if (extras.serverBinding) {
-      process.stdout.write(`  server_binding: ${extras.serverBinding.ok ? "OK" : "FAIL"}${extras.serverBinding.detail ? ` (${extras.serverBinding.detail})` : ""}\n`);
+    if (Object.keys(serverBinding).length) {
+      process.stdout.write(`  server_binding: ${serverBinding.ok ? "OK" : "FAIL"}${serverBinding.detail ? ` (${serverBinding.detail})` : ""}\n`);
+      process.stdout.write(`  server_binding_mode: ${serverBinding.mode || "-"}\n`);
+      process.stdout.write(`  server_bot_name: ${serverBinding.name || "-"}\n`);
+      process.stdout.write(`  server_bot_id: ${serverBinding.serverBotID || selectedEntry.serverBotID || "-" }\n`);
+      if (serverBinding.mode === "group") {
+        process.stdout.write(`  server_roles: ${ensureArray(serverBinding.roles).join(", ") || "-"}\n`);
+        const groupedProfiles = safeObject(serverBinding.effectiveRoleProfiles);
+        Object.keys(groupedProfiles).forEach((role) => {
+          process.stdout.write(`  runtime_role_profile[${role}]: ${formatRoleProfileOutputLine(groupedProfiles[role])}\n`);
+        });
+      } else if (serverBinding.effectiveRoleProfile) {
+        process.stdout.write(`  server_role: ${serverBinding.role || "-"}\n`);
+        process.stdout.write(`  runtime_role_profile: ${formatRoleProfileOutputLine(serverBinding.effectiveRoleProfile)}\n`);
+      }
     }
     return;
   }
@@ -1285,6 +1329,324 @@ function applyRoleProfileDefaults(entry, defaults, { overwrite = false } = {}) {
   }
 }
 
+function preferredRoleSort(roles) {
+  const order = ["monitor", "review", "worker", "approval"];
+  return ensureArray(roles).slice().sort((left, right) => {
+    const leftText = String(left || "").trim();
+    const rightText = String(right || "").trim();
+    const leftIndex = order.indexOf(leftText);
+    const rightIndex = order.indexOf(rightText);
+    if (leftIndex >= 0 && rightIndex >= 0) return leftIndex - rightIndex;
+    if (leftIndex >= 0) return -1;
+    if (rightIndex >= 0) return 1;
+    return leftText.localeCompare(rightText);
+  });
+}
+
+function currentRoleProfileState(roleName, deps) {
+  const normalizedRole = requireDependency(deps, "normalizeRunnerRoleProfileName")(roleName || "");
+  const defaults = resolveRoleProfileDefaults(normalizedRole, deps);
+  const config = requireDependency(deps, "loadBotRunnerConfig")({ persistIfNeeded: true });
+  const profile = safeObject(safeObject(config.roleProfiles || {})[normalizedRole]);
+  return {
+    role: normalizedRole,
+    client: requireDependency(deps, "normalizeLocalAIClientName")(profile.client || defaults.client || "", ""),
+    model: String(profile.model || defaults.model || "").trim(),
+    permissionMode: requireDependency(deps, "normalizeLocalAIPermissionMode")(
+      profile.permission_mode || profile.permissionMode || defaults.permissionMode || "",
+      "",
+    ),
+    reasoningEffort: requireDependency(deps, "normalizeLocalAIReasoningEffort")(
+      profile.reasoning_effort || profile.reasoningEffort || defaults.reasoningEffort || "",
+      "",
+    ),
+  };
+}
+
+function formatRoleProfileSummary(profile) {
+  const current = safeObject(profile);
+  return [
+    current.client ? `client:${current.client}` : "client:(blank)",
+    current.model ? `model:${current.model}` : "model:(blank)",
+    current.permissionMode ? `permission:${current.permissionMode}` : "permission:(blank)",
+    current.reasoningEffort ? `reasoning:${current.reasoningEffort}` : "reasoning:(blank)",
+  ].join(" | ");
+}
+
+function serializeRoleProfile(profile) {
+  const current = safeObject(profile);
+  return {
+    role: String(current.role || "").trim(),
+    client: String(current.client || "").trim(),
+    model: String(current.model || "").trim(),
+    permissionMode: String(current.permissionMode || "").trim(),
+    reasoningEffort: String(current.reasoningEffort || "").trim(),
+  };
+}
+
+function buildRoleProfileOutput(roleName, deps) {
+  return serializeRoleProfile(currentRoleProfileState(roleName, deps));
+}
+
+function buildGroupedRoleProfileOutput(roles, deps) {
+  const output = {};
+  preferredRoleSort(roles).forEach((role) => {
+    const normalizedRole = String(role || "").trim();
+    if (!normalizedRole) return;
+    output[normalizedRole] = buildRoleProfileOutput(normalizedRole, deps);
+  });
+  return output;
+}
+
+function persistRoleProfileState(profile, deps) {
+  const current = safeObject(profile);
+  const role = requireDependency(deps, "normalizeRunnerRoleProfileName")(current.role || "");
+  if (!role) return null;
+  const config = requireDependency(deps, "loadBotRunnerConfig")({ persistIfNeeded: true });
+  const nextRoleProfiles = {
+    ...safeObject(config.roleProfiles || {}),
+    [role]: {
+      client: String(current.client || "").trim(),
+      model: String(current.model || "").trim(),
+      permission_mode: String(current.permissionMode || "").trim(),
+      reasoning_effort: String(current.reasoningEffort || "").trim(),
+    },
+  };
+  const nextConfig = {
+    ...config,
+    roleProfiles: nextRoleProfiles,
+  };
+  return requireDependency(deps, "saveBotRunnerConfig")(nextConfig, config.filePath);
+}
+
+async function promptRoleExecutionProfile(ui, roleName, deps) {
+  const current = currentRoleProfileState(roleName, deps);
+  const action = await promptChoice(
+    ui,
+    `Role "${current.role}" local execution profile`,
+    [
+      {
+        value: "keep",
+        label: "Keep current settings",
+        description: formatRoleProfileSummary(current),
+      },
+      {
+        value: "edit",
+        label: "Edit settings",
+        description: "change AI client, model, permission, and reasoning",
+      },
+    ],
+    { defaultIndex: 0 },
+  );
+  if (action?.value !== "edit") {
+    return { changed: false, filePath: "" };
+  }
+  current.client = requireDependency(deps, "normalizeLocalAIClientName")(
+    await promptAIClient(ui, deps, current.client),
+    "",
+  );
+  current.model = await promptLine(ui, `AI model for role "${current.role}"`, current.model);
+  current.permissionMode = requireDependency(deps, "normalizeLocalAIPermissionMode")(
+    await promptPermissionMode(ui, current.permissionMode),
+    "",
+  );
+  current.reasoningEffort = requireDependency(deps, "normalizeLocalAIReasoningEffort")(
+    await promptReasoningEffort(ui, current.reasoningEffort),
+    "",
+  );
+  const filePath = persistRoleProfileState(current, deps);
+  if (filePath) {
+    process.stdout.write(`Saved local execution profile for role "${current.role}" to ${filePath}\n`);
+  }
+  return { changed: true, filePath };
+}
+
+async function maybePromptGroupedServerRoleProfiles(ui, serverBot, deps) {
+  const roles = preferredRoleSort(ensureArray(serverBot?.roles).filter(Boolean));
+  if (roles.length <= 1) {
+    return false;
+  }
+  process.stdout.write(`Current grouped role execution profiles for "${String(serverBot?.name || "").trim() || "telegram"}":\n`);
+  roles.forEach((role) => {
+    process.stdout.write(`  - ${role}: ${formatRoleProfileSummary(currentRoleProfileState(role, deps))}\n`);
+  });
+  const editChoice = await promptChoice(
+    ui,
+    "Grouped role settings",
+    [
+      {
+        value: "keep",
+        label: "Keep current role settings",
+        description: "use the existing role_profiles defaults as-is",
+      },
+      {
+        value: "one",
+        label: "Edit one role",
+        description: "change only the role that needs an update",
+      },
+      {
+        value: "all",
+        label: "Edit all roles",
+        description: "review each role in sequence",
+      },
+    ],
+    { defaultIndex: 0 },
+  );
+  if (editChoice?.value === "keep") {
+    return false;
+  }
+  if (editChoice?.value === "all") {
+    for (const role of roles) {
+      await promptRoleExecutionProfile(ui, role, deps);
+    }
+    return true;
+  }
+  const remaining = new Set(roles);
+  while (remaining.size) {
+    const roleChoice = await promptChoice(
+      ui,
+      "Select role to edit",
+      [
+        ...Array.from(remaining).map((role) => ({
+          value: role,
+          label: role,
+          description: formatRoleProfileSummary(currentRoleProfileState(role, deps)),
+        })),
+        {
+          value: "__done__",
+          label: "Done",
+          description: "finish grouped role editing",
+        },
+      ],
+      { defaultIndex: 0 },
+    );
+    if (!roleChoice || roleChoice.value === "__done__") {
+      break;
+    }
+    await promptRoleExecutionProfile(ui, roleChoice.value, deps);
+    remaining.delete(roleChoice.value);
+    if (!remaining.size) {
+      break;
+    }
+    if (!await promptYesNo(ui, "Edit another role?", false)) {
+      break;
+    }
+  }
+  return true;
+}
+
+async function resolveTelegramServerBindingDetails(envConfig, flags, deps) {
+  const current = safeObject(envConfig);
+  if (!String(current.serverBotID || "").trim() && !String(current.botUsername || "").trim() && !String(current.botKey || "").trim()) {
+    return null;
+  }
+  const lookup = await requireDependency(deps, "listServerBots")({
+    provider: "telegram",
+    baseURL: flags["base-url"] || deps.defaultSiteURL,
+    timeoutSeconds: intFromRaw(flags["timeout-seconds"], 15) || 15,
+  });
+  if (!lookup?.ok) {
+    return {
+      ok: false,
+      mode: "lookup_error",
+      matchedBy: "",
+      name: "",
+      role: "",
+      roles: [],
+      effectiveRoleProfile: null,
+      effectiveRoleProfiles: {},
+      detail: `server bot lookup unavailable: ${lookup?.error || "unknown error"}`,
+    };
+  }
+  const bots = ensureArray(lookup.bots).map((bot) => ({
+    id: String(bot?.id || "").trim(),
+    role: String(bot?.role || bot?.bot_role || "").trim(),
+    name: String(bot?.name || "").trim(),
+  })).filter((bot) => bot.id);
+  const resolveGroupedPayload = (matches, matchedBy) => {
+    const roles = preferredRoleSort(summarizeServerBotRoles(matches));
+    return {
+      ok: true,
+      mode: "group",
+      matchedBy,
+      name: String(matches[0]?.name || "").trim(),
+      role: "",
+      roles,
+      serverBotID: String(current.serverBotID || "").trim(),
+      effectiveRoleProfile: null,
+      effectiveRoleProfiles: buildGroupedRoleProfileOutput(roles, deps),
+      detail: `${String(matches[0]?.name || "").trim() || "(unnamed)"} roles: ${roles.join(", ") || "-"}`,
+    };
+  };
+  if (String(current.serverBotID || "").trim()) {
+    const match = bots.find((bot) => bot.id === String(current.serverBotID || "").trim());
+    if (!match) {
+      return {
+        ok: false,
+        mode: "missing",
+        matchedBy: "server_bot_id",
+        name: "",
+        role: "",
+        roles: [],
+        serverBotID: String(current.serverBotID || "").trim(),
+        effectiveRoleProfile: null,
+        effectiveRoleProfiles: {},
+        detail: `server bot ${current.serverBotID} not found`,
+      };
+    }
+    const sameNameMatches = bots.filter((bot) => normalizeServerBotIdentityText(bot.name) === normalizeServerBotIdentityText(match.name));
+    if (sameNameMatches.length > 1) {
+      return resolveGroupedPayload(sameNameMatches, "server_bot_id");
+    }
+    const effectiveRoleProfile = buildRoleProfileOutput(match.role || current.roleProfile || "", deps);
+    return {
+      ok: true,
+      mode: "single",
+      matchedBy: "server_bot_id",
+      name: match.name,
+      role: match.role,
+      roles: summarizeServerBotRoles([match]),
+      serverBotID: match.id,
+      effectiveRoleProfile,
+      effectiveRoleProfiles: {},
+      detail: `${String(match.name || "").trim() || "(unnamed)"} [${String(match.role || "").trim() || "-"}]`,
+    };
+  }
+  const normalizedServerIdentity = normalizeServerBotIdentityText(current.botUsername || current.botKey);
+  const matches = bots.filter((bot) => normalizeServerBotIdentityText(bot.name) === normalizedServerIdentity);
+  if (!matches.length) {
+    return {
+      ok: false,
+      mode: "missing",
+      matchedBy: "server_bot_name",
+      name: "",
+      role: "",
+      roles: [],
+      serverBotID: "",
+      effectiveRoleProfile: null,
+      effectiveRoleProfiles: {},
+      detail: `no server bot matched ${current.botUsername ? `@${current.botUsername}` : current.botKey}`,
+    };
+  }
+  if (matches.length > 1) {
+    return resolveGroupedPayload(matches, "server_bot_name");
+  }
+  const match = matches[0] || {};
+  const effectiveRoleProfile = buildRoleProfileOutput(match.role || current.roleProfile || "", deps);
+  return {
+    ok: true,
+    mode: "single",
+    matchedBy: "server_bot_name",
+    name: String(match.name || "").trim(),
+    role: String(match.role || "").trim(),
+    roles: summarizeServerBotRoles([match]),
+    serverBotID: String(match.id || "").trim(),
+    effectiveRoleProfile,
+    effectiveRoleProfiles: {},
+    detail: `${String(match.name || "").trim() || "(unnamed)"} [${String(match.role || "").trim() || "-"}]`,
+  };
+}
+
 function buildTemporaryTelegramEnvConfig({ token, apiBaseURL }) {
   return {
     ok: true,
@@ -1300,8 +1662,11 @@ async function verifyTelegramTokenCandidate(provider, token, apiBaseURL, timeout
 
 async function autoResolveTelegramServerBot(current, flags, deps) {
   const existingBotID = String(current?.serverBotID || "").trim();
-  const preferredUsername = String(current?.username || "").trim();
-  if (!preferredUsername) {
+  const preferredIdentity = firstNonEmptyString([
+    current?.username,
+    current?.key,
+  ]);
+  if (!preferredIdentity) {
     return {
       botID: existingBotID,
       role: String(current?.roleProfile || "").trim(),
@@ -1314,14 +1679,14 @@ async function autoResolveTelegramServerBot(current, flags, deps) {
     return await resolveServerBotForNonInteractive(
       "telegram",
       {
-        "bot-name": preferredUsername,
+        "bot-name": preferredIdentity,
         "base-url": flags["base-url"] || deps.defaultSiteURL,
         "timeout-seconds": intFromRaw(flags["timeout-seconds"], 15) || 15,
       },
       deps,
       {
-        preferredUsername,
-        preferredName: preferredUsername,
+        preferredUsername: preferredIdentity,
+        preferredName: preferredIdentity,
       },
     );
   } catch {
@@ -1680,53 +2045,12 @@ async function verifyProviderEntry(ui, provider, flags, deps) {
     envConfig,
     intFromRaw(flags["timeout-seconds"], 15) || 15,
   );
-  let serverBinding = null;
   let overallOK = Boolean(result.ok);
-  if (provider === "telegram" && (String(envConfig.serverBotID || "").trim() || String(envConfig.botUsername || "").trim() || String(envConfig.botKey || "").trim())) {
-    const lookup = await requireDependency(deps, "listServerBots")({
-      provider,
-      baseURL: flags["base-url"] || deps.defaultSiteURL,
-      timeoutSeconds: intFromRaw(flags["timeout-seconds"], 15) || 15,
-    });
-    if (!lookup?.ok) {
-      serverBinding = {
-        ok: false,
-        detail: `server bot lookup unavailable: ${lookup?.error || "unknown error"}`,
-      };
+  let serverBinding = null;
+  if (provider === "telegram") {
+    serverBinding = await resolveTelegramServerBindingDetails(envConfig, flags, deps);
+    if (serverBinding && !serverBinding.ok) {
       overallOK = false;
-    } else {
-      const normalizedServerIdentity = normalizeServerBotIdentityText(envConfig.botUsername || envConfig.botKey);
-      if (String(envConfig.serverBotID || "").trim()) {
-        const match = ensureArray(lookup.bots).find((bot) => String(bot.id || "").trim() === String(envConfig.serverBotID || "").trim());
-        if (!match) {
-          serverBinding = {
-            ok: false,
-            detail: `server bot ${envConfig.serverBotID} not found`,
-          };
-          overallOK = false;
-        } else {
-          serverBinding = {
-            ok: true,
-            detail: `${String(match.name || "").trim() || "(unnamed)"} [${String(match.role || "").trim() || "-"}]`,
-          };
-        }
-      } else {
-        const matches = ensureArray(lookup.bots).filter(
-          (bot) => normalizeServerBotIdentityText(bot?.name) === normalizedServerIdentity,
-        );
-        if (!matches.length) {
-          serverBinding = {
-            ok: false,
-            detail: `no server bot matched ${envConfig.botUsername ? `@${envConfig.botUsername}` : envConfig.botKey}`,
-          };
-          overallOK = false;
-        } else {
-          serverBinding = {
-            ok: true,
-            detail: `${String(matches[0]?.name || "").trim() || "(unnamed)"} roles: ${summarizeServerBotRoles(matches).join(", ") || "-"}`,
-          };
-        }
-      }
     }
   }
   const interactiveJsonChoice = (
@@ -1763,21 +2087,33 @@ async function verifyProviderEntry(ui, provider, flags, deps) {
       }, null, 2)}\n`,
     );
   } else {
-    process.stdout.write(
-      [
-        `${providerLabel(provider, deps)} verify: ${overallOK ? "OK" : "FAIL"}`,
-        `file: ${envConfig.filePath}`,
-        provider === "telegram" ? `bot_key: ${envConfig.botKey || "-"}` : "",
-        provider === "telegram" ? `server_bot_id: ${envConfig.serverBotID || "-"}` : "",
-        provider === "telegram" ? `role_profile: ${envConfig.roleProfile || "-"}` : "",
-        provider === "telegram" ? `ai_client: ${envConfig.client || "-"}` : "",
-        provider === "telegram" ? `ai_model: ${envConfig.model || "-"}` : "",
-        provider === "telegram" ? `permission_mode: ${envConfig.permissionMode || "-"}` : "",
-        provider === "telegram" ? `reasoning_effort: ${envConfig.reasoningEffort || "-"}` : "",
-        `detail: ${result.detail || "-"}`,
-        serverBinding ? `server_binding: ${serverBinding.ok ? "OK" : "FAIL"}${serverBinding.detail ? ` (${serverBinding.detail})` : ""}` : "",
-      ].filter(Boolean).join("\n") + "\n",
-    );
+    const lines = [
+      `${providerLabel(provider, deps)} verify: ${overallOK ? "OK" : "FAIL"}`,
+      `file: ${envConfig.filePath}`,
+      provider === "telegram" ? `bot_key: ${envConfig.botKey || "-"}` : "",
+      provider === "telegram" ? `server_bot_id: ${envConfig.serverBotID || "-"}` : "",
+      provider === "telegram" ? `role_profile: ${envConfig.roleProfile || "-"}` : "",
+      provider === "telegram" ? `ai_client: ${envConfig.client || "-"}` : "",
+      provider === "telegram" ? `ai_model: ${envConfig.model || "-"}` : "",
+      provider === "telegram" ? `permission_mode: ${envConfig.permissionMode || "-"}` : "",
+      provider === "telegram" ? `reasoning_effort: ${envConfig.reasoningEffort || "-"}` : "",
+      `detail: ${result.detail || "-"}`,
+      serverBinding ? `server_binding: ${serverBinding.ok ? "OK" : "FAIL"}${serverBinding.detail ? ` (${serverBinding.detail})` : ""}` : "",
+    ].filter(Boolean);
+    if (provider === "telegram" && serverBinding) {
+      lines.push(`server_binding_mode: ${serverBinding.mode || "-"}`);
+      lines.push(`server_bot_name: ${serverBinding.name || "-"}`);
+      lines.push(`server_roles: ${ensureArray(serverBinding.roles).join(", ") || "-"}`);
+      if (serverBinding.mode === "group") {
+        const groupedProfiles = safeObject(serverBinding.effectiveRoleProfiles);
+        Object.keys(groupedProfiles).forEach((role) => {
+          lines.push(`runtime_role_profile[${role}]: ${formatRoleProfileOutputLine(groupedProfiles[role])}`);
+        });
+      } else if (serverBinding.effectiveRoleProfile) {
+        lines.push(`runtime_role_profile: ${formatRoleProfileOutputLine(serverBinding.effectiveRoleProfile)}`);
+      }
+    }
+    process.stdout.write(`${lines.join("\n")}\n`);
   }
   if (!overallOK) {
     process.exitCode = 1;
@@ -1936,12 +2272,21 @@ async function runBotShow(ui, flags, deps, explicitProvider = "") {
   const state = loadProviderEnvState(provider, deps);
   if (provider === "telegram") {
     const entry = await resolveTelegramEntryForShow(ui, state.parsed, flags, deps);
-    const payload = buildBotShowPayload(provider, state, entry, deps);
+    const serverBinding = await resolveTelegramServerBindingDetails(
+      requireDependency(deps, "loadProviderEnvConfig")(provider, {
+        botKey: entry.key,
+        botID: entry.serverBotID,
+        botName: entry.username || entry.key,
+      }),
+      flags,
+      deps,
+    );
+    const payload = buildBotShowPayload(provider, state, entry, deps, { serverBinding });
     if (boolFromRaw(flags.json, false)) {
       process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
       return;
     }
-    printBotShow(provider, state, entry, deps);
+    printBotShow(provider, state, entry, deps, { serverBinding });
     return;
   }
   const payload = buildBotShowPayload(provider, state, null, deps);

package/lib/selftest-bot-commands.mjs

@@ -341,6 +341,73 @@ export async function runSelftestBotCommands(push, deps) {
           && String(groupedState.TELEGRAM_BOT_RYOAI_BOT_AI_PERMISSION_MODE || "") === "",
         `username=${String(groupedState.TELEGRAM_BOT_RYOAI_BOT_USERNAME || "")} server_bot_id=${String(groupedState.TELEGRAM_BOT_RYOAI_BOT_SERVER_BOT_ID || "")} role=${String(groupedState.TELEGRAM_BOT_RYOAI_BOT_ROLE_PROFILE || "")}`,
       );
+
+      await runCLI({
+        cliPath,
+        args: [
+          "bot", "edit",
+          "--base-url", `http://127.0.0.1:${groupedMock.port}`,
+          "--timeout-seconds", "5",
+        ],
+        env: {
+          ...env,
+          METHEUS_SCRIPTED_PROMPT_ANSWERS: JSON.stringify([
+            "1", // provider: telegram
+            "2", // bot entry: ryoai_bot
+            "1", // keep username
+            "1", // keep token
+            "2", // grouped role settings: edit one role
+            "3", // select role to edit: worker
+            "2", // worker: edit settings
+            "3", // worker AI client: claude
+            "worker-sonnet-4",
+            "4", // worker permission: danger_full_access
+            "4", // worker reasoning: high
+            "y", // edit another role
+            "3", // select role to edit: approval
+            "2", // approval: edit settings
+            "4", // approval AI client: gemini
+            "approval-pro-2",
+            "4", // approval permission: danger_full_access
+            "4", // approval reasoning: high
+            "n", // stop editing roles
+            "1", // keep current default setting
+            "y", // save
+          ]),
+        },
+      });
+      const groupedRunnerConfigPath = path.join(tempHome, ".metheus", "bot-runner.json");
+      const groupedRunnerConfig = readJSON(fs.readFileSync(groupedRunnerConfigPath, "utf8"));
+      push(
+        "bot_edit_grouped_server_roles_updates_role_profiles",
+        String(safeObject(safeObject(groupedRunnerConfig.role_profiles || {}).worker).client || "") === "claude"
+          && String(safeObject(safeObject(groupedRunnerConfig.role_profiles || {}).worker).model || "") === "worker-sonnet-4"
+          && String(safeObject(safeObject(groupedRunnerConfig.role_profiles || {}).worker).permission_mode || "") === "danger_full_access"
+          && String(safeObject(safeObject(groupedRunnerConfig.role_profiles || {}).worker).reasoning_effort || "") === "high"
+          && String(safeObject(safeObject(groupedRunnerConfig.role_profiles || {}).approval).client || "") === "gemini"
+          && String(safeObject(safeObject(groupedRunnerConfig.role_profiles || {}).approval).model || "") === "approval-pro-2",
+        `worker=${JSON.stringify(safeObject(safeObject(groupedRunnerConfig.role_profiles || {}).worker))} approval=${JSON.stringify(safeObject(safeObject(groupedRunnerConfig.role_profiles || {}).approval))}`,
+      );
+
+      const groupedShowResult = await runCLI({
+        cliPath,
+        args: [
+          "bot", "show",
+          "--provider", "telegram",
+          "--bot-key", "ryoai_bot",
+          "--base-url", `http://127.0.0.1:${groupedMock.port}`,
+          "--json", "true",
+        ],
+        env,
+      });
+      const groupedShowPayload = readJSON(groupedShowResult.stdout);
+      push(
+        "bot_show_reports_grouped_server_roles",
+        safeObject(groupedShowPayload.serverBinding).mode === "group"
+          && safeObject(safeObject(groupedShowPayload.serverBinding).effectiveRoleProfiles).worker?.client === "claude"
+          && safeObject(safeObject(groupedShowPayload.serverBinding).effectiveRoleProfiles).approval?.client === "gemini",
+        `mode=${String(safeObject(groupedShowPayload.serverBinding).mode || "")} worker=${String(safeObject(safeObject(groupedShowPayload.serverBinding).effectiveRoleProfiles).worker?.client || "")} approval=${String(safeObject(safeObject(groupedShowPayload.serverBinding).effectiveRoleProfiles).approval?.client || "")}`,
+      );
     } finally {
       await groupedMock.close();
       await runCLI({
@@ -361,6 +428,7 @@ export async function runSelftestBotCommands(push, deps) {
         "bot", "show",
         "--provider", "telegram",
         "--bot-key", "monitorselftestbot",
+        "--base-url", baseURL,
         "--json", "true",
       ],
       env,
@@ -369,8 +437,9 @@ export async function runSelftestBotCommands(push, deps) {
     push(
       "bot_show_returns_selected_telegram_entry",
       safeObject(showPayload.entry).key === "monitorselftestbot"
-        && safeObject(showPayload.entry).client === "codex",
-      `key=${String(safeObject(showPayload.entry).key || "")} client=${String(safeObject(showPayload.entry).client || "")}`,
+        && safeObject(showPayload.entry).client === "codex"
+        && safeObject(showPayload.serverBinding).mode === "single",
+      `key=${String(safeObject(showPayload.entry).key || "")} client=${String(safeObject(showPayload.entry).client || "")} mode=${String(safeObject(showPayload.serverBinding).mode || "")}`,
     );
 
     await runCLI({
@@ -391,7 +460,6 @@ export async function runSelftestBotCommands(push, deps) {
         "3", // workspace_write
         "2", // change reasoning effort
         "3", // medium
-        "1", // keep bot key
         "1", // keep default setting
         "y", // save
         ]),
@@ -473,8 +541,9 @@ export async function runSelftestBotCommands(push, deps) {
       "bot_verify_guided_can_emit_json",
       guidedVerifyPayload.ok === true
         && safeObject(guidedVerifyPayload.serverBinding).ok === true
+        && safeObject(guidedVerifyPayload.serverBinding).mode === "single"
         && String(guidedVerifyPayload.client || "") === "claude",
-      `verify=${String(guidedVerifyPayload.ok)} server=${String(safeObject(guidedVerifyPayload.serverBinding).detail || "")}`,
+      `verify=${String(guidedVerifyPayload.ok)} mode=${String(safeObject(guidedVerifyPayload.serverBinding).mode || "")} server=${String(safeObject(guidedVerifyPayload.serverBinding).detail || "")}`,
     );
 
     await runCLI({
@@ -511,8 +580,9 @@ export async function runSelftestBotCommands(push, deps) {
       "bot_verify_cross_checks_server_bot_binding",
       verifyPayload.ok === true
         && safeObject(verifyPayload.serverBinding).ok === true
+        && safeObject(verifyPayload.serverBinding).mode === "single"
         && String(verifyPayload.client || "") === "claude",
-      `verify=${String(verifyPayload.ok)} server=${String(safeObject(verifyPayload.serverBinding).detail || "")}`,
+      `verify=${String(verifyPayload.ok)} mode=${String(safeObject(verifyPayload.serverBinding).mode || "")} server=${String(safeObject(verifyPayload.serverBinding).detail || "")}`,
     );
 
     await runCLI({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "metheus-governance-mcp-cli",
-  "version": "0.2.71",
+  "version": "0.2.73",
   "description": "Metheus Governance MCP CLI (setup + stdio proxy)",
   "type": "module",
   "files": [