polygram 0.12.0-rc.30 → 0.12.0-rc.32

package/lib/history-preload.js

@@ -69,6 +69,7 @@ function makeSessionStartHook({
   db,
   chatId,
   threadId = null,
+  isolateTopics = false,
   allowedChatIds = null,
   limit = DEFAULT_PRELOAD_LIMIT,
   since = DEFAULT_PRELOAD_SINCE,
@@ -93,6 +94,7 @@ function makeSessionStartHook({
         rows = history.recent(db, {
           chatId: String(chatId),
           threadId: threadId ?? null,
+          scopeThread: isolateTopics === true,   // cross-topic bleed fix (null = General only)
           limit,
           since,
           includeOutbound: true,
@@ -170,6 +172,7 @@ function buildHistoryBlock({
   db,
   chatId,
   threadId = null,
+  isolateTopics = false,
   excludeMsgId = null,
   limit = DEFAULT_PRELOAD_LIMIT,
   since = DEFAULT_PRELOAD_SINCE,
@@ -181,6 +184,9 @@ function buildHistoryBlock({
     rows = history.recent(db, {
       chatId: String(chatId),
       threadId: threadId ?? null,
+      // isolateTopics → scope to THIS thread (null = General only); else the
+      // chat-wide session legitimately spans all topics. (cross-topic bleed fix)
+      scopeThread: isolateTopics === true,
       limit,
       since,
       includeOutbound: true,

package/lib/history.js

@@ -56,11 +56,17 @@ function fts5Escape(query) {
     .join(' ');
 }
 
-function recent(db, { chatId, threadId = null, limit = 20, since = null, includeOutbound = true, allowedChatIds = null } = {}) {
+function recent(db, { chatId, threadId = null, scopeThread = false, limit = 20, since = null, includeOutbound = true, allowedChatIds = null } = {}) {
   const clamped = clampLimit(limit);
   let sql = 'SELECT * FROM messages WHERE chat_id = ?';
   const params = [String(chatId)];
   if (threadId) { sql += ' AND thread_id = ?'; params.push(String(threadId)); }
+  // scopeThread: a per-topic (isolateTopics) session must see ONLY its own thread —
+  // and a null thread means the General topic, i.e. thread_id IS NULL, NOT "all
+  // threads". Without this the General topic preloads the whole chat and bleeds
+  // other topics' context (2026-06-09 cross-topic incident). The history-skill CLI
+  // keeps the old "null threadId = all threads" default (scopeThread=false).
+  else if (scopeThread) { sql += ' AND thread_id IS NULL'; }
   if (!includeOutbound) sql += ` AND direction = 'in'`;
   const sinceMs = parseSinceMs(since);
   if (sinceMs) { sql += ' AND ts >= ?'; params.push(Date.now() - sinceMs); }

package/lib/process/channels-bridge-protocol.js

@@ -121,6 +121,10 @@ const ToolAckMessageSchema = z.object({
   tool_call_id: ToolCallId,
   ok: z.boolean(),
   error: z.string().optional(),
+  // 0.13: the delivered Telegram message_id, surfaced back to claude so it can
+  // `edit_message` that bubble for progressive status. Present on a successful
+  // `reply`/`edit_message` ack; absent on errors / re-acks.
+  message_id: z.union([z.number(), z.string()]).nullish(),
 }).passthrough();
 
 // 0.12 interactive questions: carries the user's answer back for an `ask` tool

package/lib/process/channels-bridge.mjs

@@ -108,19 +108,22 @@ function awaitToolAck(toolCallId) {
   })
 }
 
-function resolveToolAck(toolCallId, ok, error) {
+function resolveToolAck(toolCallId, ok, error, messageId) {
   const p = pendingToolCalls.get(toolCallId)
   if (!p) return
   pendingToolCalls.delete(toolCallId)
   clearTimeout(p.timer)
-  ok ? p.resolve() : p.reject(new Error(error || 'daemon rejected delivery'))
+  // 0.13: resolve with the delivered message_id so the CallTool handler can hand
+  // it back to claude (for edit_message). null when the daemon didn't carry one.
+  ok ? p.resolve({ message_id: messageId ?? null }) : p.reject(new Error(error || 'daemon rejected delivery'))
 }
 
 // ─── 0.12 interactive questions: `ask` blocks for the user's answer ──
-// Separate from tool_ack: a question can take MINUTES (the daemon-side 8-min
-// question timeout resolves it with {timedout} well before this hard ceiling).
+// Separate from tool_ack: a question can take MINUTES (the daemon-side 30-min
+// question timeout — aligned to the turn absolute cap — resolves it with {timedout}
+// before this hard ceiling, which sits just above as the last-resort backstop).
 const pendingQuestions = new Map() // tool_call_id → { resolve, timer }
-const QUESTION_ANSWER_TIMEOUT_MS = 20 * 60 * 1000
+const QUESTION_ANSWER_TIMEOUT_MS = 32 * 60 * 1000
 
 function awaitQuestionAnswer(toolCallId) {
   return new Promise((resolve) => {
@@ -235,7 +238,7 @@ function handleDaemonMessage(msg) {
       break
 
     case 'tool_ack':
-      resolveToolAck(msg.tool_call_id, msg.ok, msg.error)
+      resolveToolAck(msg.tool_call_id, msg.ok, msg.error, msg.message_id)
       break
 
     case 'question_answer':
@@ -301,7 +304,9 @@ mcp.setRequestHandler(ListToolsRequestSchema, async () => {
     description: 'Send a message back to the originating Telegram chat. ' +
                  'chat_id MUST match the chat_id from the inbound <channel> tag. ' +
                  'turn_id MUST echo the turn_id from the inbound <channel> tag (when present) ' +
-                 'so concurrent turns route their replies correctly.',
+                 'so concurrent turns route their replies correctly. ' +
+                 'Returns {ok, message_id}: keep the message_id to update that bubble in place ' +
+                 'with `edit_message` (progressive status on long tasks).',
     inputSchema: {
       type: 'object',
       properties: {
@@ -312,6 +317,25 @@ mcp.setRequestHandler(ListToolsRequestSchema, async () => {
       },
       required: ['chat_id', 'text'],
     },
+  }, {
+    // 0.13: edit a message already sent via `reply`, in place — the progressive-
+    // status primitive. Update one bubble instead of sending several.
+    name: 'edit_message',
+    description: 'Edit a message you previously sent via `reply`, in place. Use this for ' +
+                 'progressive status on a long task: send a short status with `reply`, take the ' +
+                 'returned message_id, then `edit_message` it as you make progress (ending with ' +
+                 'the final answer). Keep status in PLAIN LANGUAGE — never tool names like Bash/Edit. ' +
+                 'One bubble only (no chunking); for long content use `reply` instead.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        chat_id:    { type: 'string', description: 'Echo of chat_id from inbound channel meta.' },
+        turn_id:    { type: 'string', description: 'Echo of turn_id from inbound channel meta.' },
+        message_id: { type: 'number', description: 'The message_id returned by the `reply` tool call you want to update.' },
+        text:       { type: 'string', description: 'New full message body (markdown ok) — replaces the old text.' },
+      },
+      required: ['chat_id', 'message_id', 'text'],
+    },
   }, {
     // 0.12 interactive questions: ask the Telegram user a multiple-choice question
     // as tap-to-answer inline buttons. USE THIS instead of any interactive menu —
@@ -355,7 +379,7 @@ mcp.setRequestHandler(ListToolsRequestSchema, async () => {
 })
 
 mcp.setRequestHandler(CallToolRequestSchema, async req => {
-  if (req.params.name !== 'reply' && req.params.name !== 'ask') {
+  if (req.params.name !== 'reply' && req.params.name !== 'ask' && req.params.name !== 'edit_message') {
     return { content: [{ type: 'text', text: `unknown tool: ${req.params.name}` }], isError: true }
   }
   const toolCallId = randomUUID()
@@ -385,8 +409,11 @@ mcp.setRequestHandler(CallToolRequestSchema, async req => {
     args: req.params.arguments,
   }) + '\n')
   try {
-    await ackP
-    return { content: [{ type: 'text', text: 'sent' }] }
+    const ack = await ackP
+    // Return {ok, message_id} as JSON so claude can read the delivered bubble's
+    // id and `edit_message` it later (progressive status). For a plain reply with
+    // no id (solo sticker/reaction) message_id is null.
+    return { content: [{ type: 'text', text: JSON.stringify({ ok: true, message_id: ack?.message_id ?? null }) }] }
   } catch (err) {
     return { content: [{ type: 'text', text: `delivery failed: ${err.message}` }], isError: true }
   }

package/lib/process/channels-tool-dispatcher.js

@@ -9,9 +9,10 @@
  *   - lib/telegram/deliver.js   for the actual sendMessage loop
  *   - bot.api.sendPhoto/Document for file attachments
  *
- * The dispatcher returns `{ok: boolean, error?: string}` — CliProcess
- * relays this to the bridge as tool_ack, which surfaces to Claude as the
- * tool's return value (`'sent'` on ok, error message on failure).
+ * The dispatcher returns `{ok: boolean, error?: string, message_id?: number}` —
+ * CliProcess relays this to the bridge as tool_ack, which surfaces to Claude as
+ * the tool's return value (`{ok:true, message_id}` on success so claude can
+ * `edit_message` that bubble; error message on failure).
  *
  * Decoupled from polygram.js: factory takes {bot, send, chunkText, logger}
  * — same shape SDK callbacks already use — so it can be tested with fakes
@@ -125,11 +126,43 @@ function createChannelsToolDispatcher({
     || require('../telegram/process-agent-reply').processAndDeliverAgentText;
 
   return async function channelsToolDispatcher(call) {
-    const { sessionKey, chatId, threadId, toolName, text, files, sourceMsgId, maxOutboundFileBytes } = call;
+    const { sessionKey, chatId, threadId, toolName, text, files, sourceMsgId, maxOutboundFileBytes, messageId } = call;
+
+    // 0.13: `edit_message` edits a previously-sent bubble in place — the
+    // progressive-status primitive. claude gets the message_id from the
+    // `reply` tool's result (returned below) and edits it as work proceeds.
+    // A single edit is one bubble (no chunking); the `send` wrapper already
+    // does markdown→HTML and tolerates "message is not modified".
+    if (toolName === 'edit_message') {
+      if (!chatId) return { ok: false, error: 'edit_message.chat_id missing' };
+      if (messageId == null) return { ok: false, error: 'edit_message.message_id missing' };
+      if (typeof text !== 'string' || text.length === 0) {
+        return { ok: false, error: 'edit_message.text missing or empty' };
+      }
+      // Same agent-text hygiene as reply, minus chunking/delivery: strip inline
+      // [sticker:…]/[react:…] markers and intercept canned strings so neither
+      // leaks as literal text into the edited bubble.
+      let clean = text;
+      try { const p = parseResponse(text); if (p && typeof p.text === 'string') clean = p.text; } catch { /* keep raw */ }
+      try { const s = sanitizeAssistantReply(clean); if (s && typeof s.text === 'string') clean = s.text; } catch { /* keep */ }
+      if (clean.length === 0) return { ok: false, error: 'edit_message.text empty after sanitize' };
+      if (clean.length > maxChunkLen) {
+        return { ok: false, error: `edit text too long (${clean.length} > ${maxChunkLen}); a message edit is a single bubble — use reply for long content` };
+      }
+      try {
+        const params = { chat_id: chatId, message_id: messageId, text: clean };
+        if (threadId) params.message_thread_id = threadId;
+        await send(bot, 'editMessageText', params, { source: 'channels-tool-dispatcher', sessionKey, toolName });
+        return { ok: true, message_id: messageId };
+      } catch (err) {
+        logger.error?.(`[channels-tool-dispatcher] ${sessionKey} edit_message failed: ${err.message}`);
+        return { ok: false, error: err.message };
+      }
+    }
 
     if (toolName !== 'reply') {
-      // 0.11.0 Phase 1 ships `reply` only — react and edit_message are
-      // deferred (Decision #10). Future tools route through here too.
+      // `reply` + `edit_message` route here. `react` (and any future tool)
+      // is not yet implemented (Decision #10 / 0.13 follow-on).
       return { ok: false, error: `unsupported tool: ${toolName}` };
     }
 
@@ -171,6 +204,12 @@ function createChannelsToolDispatcher({
         return { ok: false, error: `delivered ${dr.sent?.length || 0} of ${totalChunks} chunks; failed: ${failedDetail}` };
       }
 
+      // 0.13: surface the FIRST delivered bubble's message_id so claude can
+      // edit_message it for progressive status. deliver.js pushes numeric ids;
+      // tolerate the {message_id} object shape too. null for solo sticker/reaction.
+      const firstSent = dr && Array.isArray(dr.sent) ? dr.sent.find(x => x != null) : null;
+      const replyMessageId = (firstSent && typeof firstSent === 'object') ? firstSent.message_id : firstSent;
+
       // File attachments — sent as separate messages AFTER the text.
       // Photos for image MIMEs, Documents for everything else (matches
       // the official Telegram channels plugin behavior).
@@ -241,7 +280,7 @@ function createChannelsToolDispatcher({
                  failedAttachments.map(f => `${f.path} (${f.error})`).join('; '),
         };
       }
-      return { ok: true };
+      return { ok: true, message_id: replyMessageId ?? null };
     } catch (err) {
       logger.error?.(`[channels-tool-dispatcher] ${sessionKey} dispatch failed: ${err.message}`);
       return { ok: false, error: err.message };

package/lib/process/cli-process.js

@@ -281,6 +281,7 @@ class CliProcess extends Process {
     // doesn't re-invoke the dispatcher → duplicate TG send. Set is bounded
     // to RECENT_TOOL_CALL_LIMIT entries via FIFO eviction.
     this.recentToolCallIds = new Set();
+    this.recentToolCallResults = new Map();   // tool_call_id → message_id (0.13: replay on re-ACK)
     this.recentToolCallOrder = [];   // FIFO bound
     // Review F#17: per-pattern last-fired timestamp for the mid-turn dialog
     // watchdog. Dedups within MID_TURN_DEDUP_WINDOW_MS so a lingering dialog
@@ -695,6 +696,20 @@ class CliProcess extends Process {
       'as normal — only the FINAL user-visible message needs to go through',
       'the reply tool.',
       '',
+      '### Staying responsive on a long task',
+      '',
+      'The user cannot see you working — no live typing reaches them. For any task',
+      'that takes more than a few seconds, send a SHORT status first via `reply`',
+      '(it returns a `message_id`), then call `mcp__polygram-bridge__edit_message`',
+      'with that `message_id` to update the SAME bubble as you make progress,',
+      'finishing with the result. One evolving message beats silence or a flood of',
+      'new ones.',
+      '',
+      'Write status in PLAIN, friendly language about what you are doing FOR THE',
+      'USER — never tool names or mechanics. Say "Checking your config now…", not',
+      '"Running Bash" or "Calling Read". If the final answer is long, send it as a',
+      'fresh `reply` rather than an edit (an edit is one single message bubble).',
+      '',
       // TEMPORARY mitigation (2026-06-08 Shumabit@UMI wedge): AskUserQuestion opens
       // a blocking TUI selection widget the channel can't answer → the session
       // parks until manually Esc'd. REMOVE this whole rule when the rich
@@ -1007,7 +1022,9 @@ class CliProcess extends Process {
       this.logger.warn?.(
         `[${this.label}] channels: duplicate tool_call_id=${msg.tool_call_id} — re-ACKing without dispatch`,
       );
-      this._writeToBridge({ kind: 'tool_ack', tool_call_id: msg.tool_call_id, ok: true });
+      // 0.13: replay the cached message_id so a retried reply keeps its edit handle
+      // (re-ACKing without it would null the handle → progressive status silently breaks).
+      this._writeToBridge({ kind: 'tool_ack', tool_call_id: msg.tool_call_id, ok: true, message_id: this.recentToolCallResults.get(msg.tool_call_id) ?? null });
       return;
     }
 
@@ -1041,15 +1058,15 @@ class CliProcess extends Process {
     // an isError ack). Window-based so legit repeat sends eventually pass.
     if (msg.name === 'reply' && typeof args.text === 'string' && args.chat_id != null) {
       const dedupKey = this._buildContentDedupKey(args.chat_id, args.text);
-      const expiry = this.recentContentHashes.get(dedupKey);
+      const entry = this.recentContentHashes.get(dedupKey);   // { expiry, message_id }
       const nowDedup = Date.now();
       // Evict stale entries opportunistically (avoids unbounded growth).
       if (this.recentContentHashes.size > 64) {
-        for (const [k, ts] of this.recentContentHashes) {
-          if (ts < nowDedup) this.recentContentHashes.delete(k);
+        for (const [k, e] of this.recentContentHashes) {
+          if (e.expiry < nowDedup) this.recentContentHashes.delete(k);
         }
       }
-      if (expiry && expiry > nowDedup) {
+      if (entry && entry.expiry > nowDedup) {
         this.logger.warn?.(
           `[${this.label}] channels: duplicate content within ${this.contentDedupWindowMs}ms ` +
           `(new tool_call_id=${msg.tool_call_id}, hash=${dedupKey.slice(-12)}) — re-ACKing without dispatch`,
@@ -1059,7 +1076,9 @@ class CliProcess extends Process {
           chat_id: args.chat_id,
           window_ms: this.contentDedupWindowMs,
         });
-        this._writeToBridge({ kind: 'tool_ack', tool_call_id: msg.tool_call_id, ok: true });
+        // 0.13: replay the ORIGINAL bubble's message_id so a retried identical reply
+        // keeps its edit handle (the slow-ack-retry case progressive status targets).
+        this._writeToBridge({ kind: 'tool_ack', tool_call_id: msg.tool_call_id, ok: true, message_id: entry.message_id ?? null });
         return;
       }
     }
@@ -1111,6 +1130,7 @@ class CliProcess extends Process {
         toolName: msg.name,
         text: args.text,
         files: args.files,
+        messageId: args.message_id,         // 0.13: edit_message target bubble
         sessionCwd: this.sessionCwd,        // P0 #2: dispatcher uses this to allowlist file roots
         maxOutboundFileBytes: this.maxOutboundFileBytes, // backend/chat-derived upload cap
       });
@@ -1119,18 +1139,22 @@ class CliProcess extends Process {
       return;
     }
 
-    this._writeToBridge({ kind: 'tool_ack', tool_call_id: msg.tool_call_id, ok: !!result?.ok, error: result?.error });
+    // 0.13: carry the delivered message_id back so the bridge hands it to claude
+    // (reply → edit_message progressive status).
+    this._writeToBridge({ kind: 'tool_ack', tool_call_id: msg.tool_call_id, ok: !!result?.ok, error: result?.error, message_id: result?.message_id });
 
     // P1 #7: remember the tool_call_id so duplicates re-ACK without dispatch.
     // Only cache on SUCCESS — failed calls should be retryable (transient TG
     // outage etc).
     if (result?.ok && msg.tool_call_id) {
       this.recentToolCallIds.add(msg.tool_call_id);
+      this.recentToolCallResults.set(msg.tool_call_id, result.message_id ?? null);   // 0.13: for re-ACK replay
       this.recentToolCallOrder.push(msg.tool_call_id);
       // FIFO eviction at cap
       while (this.recentToolCallOrder.length > RECENT_TOOL_CALL_LIMIT) {
         const evicted = this.recentToolCallOrder.shift();
         this.recentToolCallIds.delete(evicted);
+        this.recentToolCallResults.delete(evicted);
       }
     }
 
@@ -1138,7 +1162,9 @@ class CliProcess extends Process {
     // NEW tool_call_id still dedups. TTL-based via expiry timestamp.
     if (result?.ok && msg.name === 'reply' && typeof args.text === 'string' && args.chat_id != null) {
       const dedupKey = this._buildContentDedupKey(args.chat_id, args.text);
-      this.recentContentHashes.set(dedupKey, Date.now() + this.contentDedupWindowMs);
+      // 0.13: store the delivered message_id alongside the expiry so a deduped retry
+      // can replay it (keeps claude's edit handle for progressive status).
+      this.recentContentHashes.set(dedupKey, { expiry: Date.now() + this.contentDedupWindowMs, message_id: result.message_id ?? null });
     }
 
     // Review #16 + C9: only record the reply for pending-turn resolution when
@@ -1706,6 +1732,18 @@ class CliProcess extends Process {
     return { live: backgroundShell, count: shellCount };
   }
 
+  /**
+   * LRU eviction pin (0.12.0 spec). Cached read of `_bgWorkSince` — the idle bg-work
+   * watchdog state maintained by `_pollBackgroundWork` on the ≤5s pong tick. Non-null ⟺ a
+   * detached background shell has been observed while idle. No time cap: a job that runs for
+   * hours stays pinned (elapsed time can't tell "slow-but-progressing" from "stuck"). Cheap,
+   * sync — safe to call from `_evictLRU`.
+   * @returns {boolean}
+   */
+  hasActiveBackgroundWork() {
+    return this._bgWorkSince !== null;
+  }
+
   /**
    * Stall-watchdog for detached background work (0.12.0 background-work
    * lifecycle, shumorobot Music 7h frozen-Chrome download). Runs on the

package/lib/process/process.js

@@ -160,6 +160,19 @@ class Process extends EventEmitter {
     return false;
   }
 
+  /**
+   * Does this session have a DETACHED background job running (a `run_in_background`
+   * shell that outlives the dispatch turn)? Used by ProcessManager._evictLRU to PIN
+   * the session — skip it for eviction the same way `inFlight` is skipped — so a live
+   * job isn't silently killed under budget pressure. Default: no signal → false.
+   * Backends that can detect detached shells (cli) override this. Must be cheap + sync.
+   *
+   * @returns {boolean}
+   */
+  hasActiveBackgroundWork() {
+    return false;
+  }
+
   /**
    * Push priority='now' style steer (rare; legacy of OpenClaw shape).
    * Hot-path-safe.

package/lib/process-guard.js

@@ -193,7 +193,60 @@ function _makeUnhandledRejectionHandler(opts) {
 }
 
 /**
- * Convenience: install both handlers in one call.
+ * Swallow EPIPE/EIO on the process's own stdout/stderr so a broken pipe during
+ * shutdown can't become an uncaughtException.
+ *
+ * rc.50 stopped the re-entrant LOOP (the handler no longer re-throws), but the
+ * write errors themselves still surface: when `launchctl kickstart` destroys the
+ * tmux pane, in-flight `console.log`/`console.error` calls hit a now-dead pty.
+ * Because stdout/stderr are TTYs, those writes throw EIO **synchronously** — each
+ * unguarded throw becomes an uncaughtException. Observed live on the rc.29→rc.30
+ * restart (2026-06-08): 100 `write EIO` rows then a circuit-breaker panic-exit on
+ * every deploy, interrupting the graceful drain.
+ *
+ * This guards BOTH delivery paths:
+ *   (a) sync: wraps `write()` to drop EPIPE/EIO throws (TTY case — the real one);
+ *   (b) async: attaches an `error` listener for the pipe case (errors arrive as
+ *       events). Genuine, non-EPIPE/EIO errors still surface unchanged.
+ *
+ * @returns {{ uninstall: function() }}
+ */
+function guardStdio({ streams = [process.stdout, process.stderr] } = {}) {
+  const guarded = streams.filter(Boolean);
+  const isBrokenPipe = (err) => err && (err.code === 'EPIPE' || err.code === 'EIO');
+  const onError = (err) => { if (isBrokenPipe(err)) return; throw err; };
+  const restores = [];
+
+  for (const s of guarded) {
+    s.on?.('error', onError);
+    restores.push(() => s.off?.('error', onError));
+
+    if (typeof s.write === 'function' && !s.__polygramStdioGuarded) {
+      const origWrite = s.write;
+      s.write = function guardedWrite(...args) {
+        try {
+          return origWrite.apply(this, args);
+        } catch (err) {
+          if (!isBrokenPipe(err)) throw err;
+          // Pane is gone — nothing to write to. Invoke the write callback (the
+          // last arg, if any) so callers awaiting it don't hang, and report
+          // backpressure (false) instead of throwing to uncaughtException.
+          const cb = args[args.length - 1];
+          if (typeof cb === 'function') { try { cb(err); } catch { /* ignore */ } }
+          return false;
+        }
+      };
+      s.__polygramStdioGuarded = true;
+      restores.push(() => { s.write = origWrite; delete s.__polygramStdioGuarded; });
+    }
+  }
+
+  return { uninstall() { for (const r of restores) r(); } };
+}
+
+/**
+ * Convenience: install both handlers in one call (plus the stdio guard, so the
+ * shutdown broken-pipe writes never reach the uncaughtException handler).
  * @returns {{ uninstall: function() }}
  */
 function installSafetyHandlers(opts) {
@@ -201,10 +254,12 @@ function installSafetyHandlers(opts) {
   const onRejection = _makeUnhandledRejectionHandler(opts);
   process.on('uncaughtException', onException);
   process.on('unhandledRejection', onRejection);
+  const stdio = guardStdio();
   return {
     uninstall() {
       process.off('uncaughtException', onException);
       process.off('unhandledRejection', onRejection);
+      stdio.uninstall();
     },
   };
 }
@@ -235,6 +290,7 @@ module.exports = {
   claimPidFile,
   releasePidFile,
   installSafetyHandlers,
+  guardStdio,
   _makeUncaughtHandler,
   _makeUnhandledRejectionHandler,
 };

package/lib/process-manager.js

@@ -245,16 +245,36 @@ class ProcessManager {
     const newCost = newProc.cost;
 
     while (this.totalCost + newCost > this.budget) {
-      const evicted = this._evictLRU();
-      if (!evicted) {
-        // All entries in-flight — park.
-        await this._awaitLruSlot();
-        if (this._shuttingDown) {
-          try { await newProc.kill('shutdown'); } catch {}
-          throw new Error('shutdown');
-        }
-        // Loop again — budget may have freed up.
+      const evicted = this._evictLRU();   // skips inFlight + background-job-pinned
+      if (evicted) continue;
+      // _evictLRU freed nothing. Policy C — split by WHY:
+      if (this._hasPinnedSession()) {
+        // A DURABLE blocker (live background job) holds a slot. Don't park on it (could be
+        // ~an hour) and don't kill it. The budget caps RSS, not correctness — so treat it as
+        // SOFT: spawn over budget + warn; the operator reclaims by /reset-ing a chat.
+        const pinned = this._pinnedSessionKeys();
+        this._logEvent('lru-overflow-pinned', {
+          active: this.procs.size,
+          totalCost: this.totalCost,
+          budget: this.budget,
+          newCost,
+          pinned,
+        });
+        this.logger.warn?.(
+          `[pm] budget ${this.budget} exceeded (~${this.totalCost + newCost}): all free slots hold ` +
+          `live background jobs [${pinned.join(', ')}]. Spawning over limit — /reset one of those ` +
+          `chats to reclaim memory.`,
+        );
+        break;   // soft overflow — spawn anyway
+      }
+      // No pin — the blockers are all in-flight TURNS (transient, finish in seconds). Keep the
+      // existing behavior: park briefly for a slot rather than needlessly overflow.
+      await this._awaitLruSlot();
+      if (this._shuttingDown) {
+        try { await newProc.kill('shutdown'); } catch {}
+        throw new Error('shutdown');
       }
+      // Loop again — budget may have freed up.
     }
 
     this._wireCallbacks(newProc);
@@ -278,8 +298,12 @@ class ProcessManager {
   _evictLRU() {
     let oldest = null;
     let oldestKey = null;
+    let pinnedSkipped = 0;
     for (const [k, p] of this.procs.entries()) {
       if (p.inFlight) continue;
+      // PIN: a session with a live detached background job is NOT evictable — killing it
+      // would silently drop the job (and its report-back wakeup). Skip like inFlight.
+      if (p.hasActiveBackgroundWork()) { pinnedSkipped++; continue; }
       if (!oldest || (p.lastUsedTs || 0) < (oldest.lastUsedTs || 0)) {
         oldest = p;
         oldestKey = k;
@@ -290,6 +314,7 @@ class ProcessManager {
         active: this.procs.size,
         totalCost: this.totalCost,
         budget: this.budget,
+        pinnedSkipped,
       });
       return false;
     }
@@ -297,12 +322,33 @@ class ProcessManager {
       session_key: oldestKey,
       cost: oldest.cost,
       backend: oldest.backend,
+      pinnedSkipped,
     });
     oldest.kill('evict').catch(() => {});
     this.procs.delete(oldestKey);
     return true;
   }
 
+  /**
+   * A DURABLE eviction blocker: a non-inFlight session holding a slot because it has a live
+   * background job (vs an inFlight TURN, which is transient and frees in seconds). Used to
+   * split park-vs-overflow when _evictLRU can free nothing.
+   */
+  _hasPinnedSession() {
+    for (const p of this.procs.values()) {
+      if (!p.inFlight && p.hasActiveBackgroundWork()) return true;
+    }
+    return false;
+  }
+
+  _pinnedSessionKeys() {
+    const keys = [];
+    for (const [k, p] of this.procs.entries()) {
+      if (!p.inFlight && p.hasActiveBackgroundWork()) keys.push(k);
+    }
+    return keys;
+  }
+
   async _awaitLruSlot() {
     return new Promise((resolve, reject) => {
       const timer = setTimeout(() => {

package/lib/questions/store.js

@@ -11,7 +11,12 @@
 
 const { newToken, tokensEqual } = require('../approvals/store');
 
-const DEFAULT_TIMEOUT_MS = 8 * 60 * 1000;   // under the 10-min idle / 30-min absolute turn caps
+// Option A (2026-06-09): don't expire a question before the turn that's blocking on
+// it can. A blocking `ask` can live at most the 30-min turn ABSOLUTE cap
+// (DEFAULT_TURN_ABSOLUTE_MS) — the keep-alive resets the idle cap but not the absolute
+// — so align here. The user answers any time within the turn's life, not an arbitrary
+// 8-min window. (Truly-unbounded "answer hours later" needs the non-blocking redesign.)
+const DEFAULT_TIMEOUT_MS = 30 * 60 * 1000;
 
 function createQuestionStore(rawDb, now = () => Date.now()) {
   const insertStmt = rawDb.prepare(`

package/lib/rewind/execute.js

@@ -0,0 +1,89 @@
+'use strict';
+
+const fs = require('node:fs');
+const os = require('node:os');
+const path = require('node:path');
+const crypto = require('node:crypto');
+const { buildFork } = require('./fork');
+
+// claude's transcript path for a session: ~/.claude/projects/<cwd '/'→'-'>/<id>.jsonl.
+// CRITICAL (Finding A): mangle the RAW cwd, EXACTLY as cli-process.js's resume check does
+// (`resolvedCwd.replace(/\//g,'-')`, no realpath). The fork is written to this path and the
+// resume pre-check looks for it at this path — if the two diverge (one realpaths a symlinked
+// cwd, the other doesn't) the resume misses the fork and claude starts a fresh empty session:
+// a SILENT full-context wipe. Keeping both raw keeps them in lockstep; a genuinely symlinked
+// cwd then fails cleanly at the read step (transcript unreadable) instead of wiping.
+function transcriptPathFor(cwd, sessionId) {
+  return path.join(os.homedir(), '.claude', 'projects', String(cwd).replace(/\//g, '-'), `${sessionId}.jsonl`);
+}
+
+/**
+ * The 0.13 /rewind executor (P2/P3). Forks the live session transcript to before the target
+ * message, points the session at the fork (so the next message resumes the rewound
+ * conversation), kills the live proc, and deletes the bot's now-orphaned outbound messages.
+ * Copy-only + fail-safe: a fork failure leaves the original session fully intact.
+ *
+ * @param {object} deps { db, pm, tg, bot, botName, logEvent, logger, buildForkImpl }
+ * @returns {(req) => Promise<{ok:boolean,error?:string,droppedCount?:number}>}
+ */
+function createRewindExecutor({ db, pm, tg, bot, botName = 'bot', logEvent = () => {}, logger = console, buildForkImpl = buildFork } = {}) {
+  // P3: delete the bot's own outbound messages sent after M (it can always delete its own).
+  async function deleteBotMessagesAfter({ chatId, threadId, afterMsgId }) {
+    let rows;
+    try {
+      const sql = `SELECT msg_id FROM messages WHERE chat_id = ? AND direction = 'out' AND status = 'sent' AND msg_id > ?`
+        + (threadId ? ` AND thread_id = ?` : ` AND thread_id IS NULL`) + ` ORDER BY msg_id`;
+      const params = threadId ? [String(chatId), Number(afterMsgId), String(threadId)] : [String(chatId), Number(afterMsgId)];
+      rows = db.raw.prepare(sql).all(...params);
+    } catch (e) { logger.error?.(`[${botName}] rewind cleanup query failed: ${e.message}`); return 0; }
+    let deleted = 0;
+    for (const r of rows || []) {
+      try {
+        await tg(bot, 'deleteMessage', { chat_id: chatId, message_id: r.msg_id }, { source: 'rewind-cleanup', botName });
+        deleted++;
+      } catch { /* already gone / older than 48h — Telegram won't delete; skip */ }
+    }
+    return deleted;
+  }
+
+  return async function executeRewind(req) {
+    const row = db.getSession(req.sessionKey);
+    if (!row || !row.claude_session_id || !row.cwd) {
+      return { ok: false, error: 'no live session to rewind' };
+    }
+    const transcriptPath = transcriptPathFor(row.cwd, row.claude_session_id);
+    const newId = crypto.randomUUID();
+
+    const fork = buildForkImpl({ transcriptPath, targetMsgId: req.target.msg_id, newSessionId: newId });
+    if (!fork.ok) return { ok: false, error: fork.error };   // original untouched
+
+    // Point the session at the fork → the next message lazy-resumes the rewound conversation.
+    try {
+      db.upsertSession({ ...row, claude_session_id: newId });
+    } catch (e) {
+      try { fs.unlinkSync(fork.forkPath); } catch {}
+      logger.error?.(`[${botName}] rewind id-swap failed: ${e.message}`);
+      return { ok: false, error: 'failed to record the rewind' };
+    }
+    // Drop the live proc (it holds the OLD session); next inbound message respawns on the fork.
+    // A kill failure (Finding E) is NOT silent: the DB already points at the fork, but the old
+    // proc may survive holding the old id (a two-transcript split), so surface a warning rather
+    // than report a clean success the operator would trust blindly.
+    let warning;
+    try { await pm.kill(req.sessionKey, 'rewind'); }
+    catch (e) {
+      warning = 'the previous session may still be running — send a new message to confirm the rewind took';
+      logger.error?.(`[${botName}] rewind kill: ${e.message}`);
+      logEvent('rewind-kill-failed', { session_key: req.sessionKey, error: e.message });
+    }
+
+    let droppedCount = 0;
+    try { droppedCount = await deleteBotMessagesAfter({ chatId: req.chatId, threadId: req.threadId, afterMsgId: req.target.msg_id }); }
+    catch (e) { logger.error?.(`[${botName}] rewind cleanup failed: ${e.message}`); }
+
+    logEvent('rewind-executed', { session_key: req.sessionKey, new_id: newId, target_msg_id: req.target.msg_id, dropped_turns: fork.droppedTurns });
+    return { ok: true, droppedCount, ...(warning && { warning }) };
+  };
+}
+
+module.exports = { createRewindExecutor, transcriptPathFor };

package/lib/rewind/fork.js

@@ -0,0 +1,112 @@
+'use strict';
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+/**
+ * Build a rewound FORK of a claude session transcript (0.13 /rewind P2; the mechanism P0.6
+ * validated). Keep the prefix up to — not including — the user turn carrying `targetMsgId`,
+ * rewrite the in-file `sessionId` to `newSessionId` on every line, and write a new
+ * `<newSessionId>.jsonl` next to the original (mode 0o600). NEVER touches the original.
+ *
+ * Fail-safe by construction — any anomaly returns `{ ok:false, error }`, never a partial/
+ * corrupt fork:
+ *   - transcript unreadable / not valid JSONL
+ *   - target not found (scrolled out OR compacted away — the locate-miss IS the compaction
+ *     guard: a target older than a compaction boundary no longer carries its msg_id wrapper)
+ *   - target is already the conversation start
+ *   - the cut point is mid-tool-call (a tool_use in the prefix without its tool_result)
+ *
+ * A clean prefix needs no `parentUuid` reconciliation — a prefix of a backward-linked chain
+ * is self-consistent (verified in the P0.6 spike).
+ *
+ * @param {object} args
+ * @param {string} args.transcriptPath
+ * @param {string|number} args.targetMsgId — TG msg_id of the user message to rewind to.
+ * @param {string} args.newSessionId
+ * @param {object} [io] { fsImpl } — inject a fake fs for tests.
+ * @returns {{ ok:true, forkPath:string, droppedTurns:number } | { ok:false, error:string }}
+ */
+function buildFork({ transcriptPath, targetMsgId, newSessionId }, { fsImpl = fs } = {}) {
+  if (!transcriptPath || !newSessionId || targetMsgId == null) {
+    return { ok: false, error: 'buildFork: transcriptPath, targetMsgId, newSessionId required' };
+  }
+  let raw;
+  try { raw = fsImpl.readFileSync(transcriptPath, 'utf8'); }
+  catch (e) { return { ok: false, error: `transcript unreadable: ${e.code || e.message}` }; }
+
+  const lines = String(raw).split('\n').filter((l) => l.trim());
+  let objs;
+  try { objs = lines.map((l) => JSON.parse(l)); }
+  catch { return { ok: false, error: 'transcript is not valid JSONL' }; }
+
+  // The channel wrapper lives in the user turn's content as a PLAIN string (the parsed value,
+  // not JSON-escaped) — search that, not JSON.stringify (which escapes the inner quotes).
+  const contentText = (o) => {
+    const c = o && o.message ? o.message.content : null;
+    if (typeof c === 'string') return c;
+    if (Array.isArray(c)) return c.map((b) => (b && b.type === 'text' ? b.text : '')).join(' ');
+    return '';
+  };
+  // Match the channel ENVELOPE's OWN msg_id — never a `<reply_to msg_id="X">` echoed inside a
+  // later turn's body (Finding B: silent-failure-hunter). In the parsed content only the outer
+  // bridge envelope keeps an unescaped `<channel …>`; the inner reply_to/telegram tags are
+  // escaped to `&lt;…&gt;`. The envelope's own closing `>` stops `[^>]*` before any embedded
+  // reply_to, so this matches the envelope whose msg_id IS the target and nothing else. Without
+  // this anchor, a target compacted away while a later turn still quotes it in reply_to would
+  // false-match the reply turn → a silent cut at the WRONG point, defeating the not-found guard.
+  const escapeRe = (s) => String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const targetRe = new RegExp(`<channel[^>]*\\bmsg_id="${escapeRe(targetMsgId)}"`);
+  const isChannelUser = (o) => o && o.type === 'user' && /<channel[^>]*\bmsg_id="/.test(contentText(o));
+  const cutIdx = objs.findIndex((o) => o && o.type === 'user' && targetRe.test(contentText(o)));
+  if (cutIdx < 0) {
+    return { ok: false, error: "couldn't find that message in the conversation (it may have scrolled out of memory)" };
+  }
+
+  const prefix = objs.slice(0, cutIdx);
+  if (!prefix.some(isChannelUser)) {
+    return { ok: false, error: "that's already the start of the conversation" };
+  }
+
+  // Clean-boundary check: no tool_use in the prefix left without its matching tool_result.
+  const openTools = new Set();
+  for (const o of prefix) {
+    const blocks = Array.isArray(o.message?.content) ? o.message.content : [];
+    for (const b of blocks) {
+      if (b && b.type === 'tool_use' && b.id) openTools.add(b.id);
+      if (b && b.type === 'tool_result' && b.tool_use_id) openTools.delete(b.tool_use_id);
+    }
+  }
+  if (openTools.size > 0) {
+    return { ok: false, error: 'that point is mid-tool-call — pick the message just before or after' };
+  }
+
+  // Rewrite sessionId on EVERY kept line (the resume id must match the filename + in-file id,
+  // else claude's ghost-session guard drops it and starts fresh = a silent full wipe).
+  const forked = prefix.map((o) => {
+    if (o && typeof o === 'object' && 'sessionId' in o) o.sessionId = newSessionId;
+    return JSON.stringify(o);
+  });
+
+  const dir = path.dirname(transcriptPath);
+  const forkPath = path.join(dir, `${newSessionId}.jsonl`);
+  // Atomic write (Finding C): a direct write to the live resume path can leave a TRUNCATED
+  // <id>.jsonl if interrupted (disk-full, crash, signal) — which claude then resumes as
+  // partial/empty context, or whose half-line trips the ghost-session guard into a full wipe.
+  // Write a temp sibling, then rename (atomic on the same fs) so the resume path only ever sees
+  // a complete file. The temp is a dotfile (won't match claude's `<sessionId>.jsonl` glob) and
+  // is cleaned on failure; a crash between write and rename leaves only a harmless orphan dot-tmp.
+  const tmpPath = path.join(dir, `.${newSessionId}.jsonl.tmp`);
+  try {
+    fsImpl.writeFileSync(tmpPath, forked.join('\n') + '\n', { mode: 0o600 });
+    fsImpl.renameSync(tmpPath, forkPath);
+  } catch (e) {
+    try { fsImpl.unlinkSync(tmpPath); } catch { /* nothing to clean */ }
+    return { ok: false, error: `couldn't write the fork: ${e.code || e.message}` };
+  }
+
+  const droppedTurns = objs.slice(cutIdx).filter(isChannelUser).length;
+  return { ok: true, forkPath, droppedTurns };
+}
+
+module.exports = { buildFork };

package/lib/rewind/rewind.js

@@ -0,0 +1,174 @@
+'use strict';
+
+/**
+ * `/rewind` command — P1 (0.13). Reply to a message with `/rewind` to rewind the
+ * conversation to just before it. P1 ships the plumbing: detect → gate (operator +
+ * message-ownership, per the 2026-06-09 security review) → defer to turn-end → confirm.
+ * The actual transcript fork is the **injected `executeRewind`** — P2 provides the real
+ * one (see docs/0.13-rewind-design.md, B-safe). P0.6 proved the fork mechanism works.
+ *
+ * Scope boundary the confirmation states out loud: a rewind reverts the CONVERSATION,
+ * not real-world side-effects (Drive files, Sheets, emails already created persist).
+ */
+
+// `/rewind` or `/rewind@botname`, alone on the line (no args).
+const REWIND_RE = /^\/rewind(?:@\w+)?\s*$/i;
+
+// Backstop for a deferred rewind whose proc emits neither 'idle' nor 'close'. Above the 30-min
+// absolute turn cap so a legitimately long in-flight turn finishes (emitting 'idle') first.
+const DEFER_TIMEOUT_MS = 31 * 60 * 1000;
+
+function isRewindCommand(text) {
+  return REWIND_RE.test(String(text || '').trim());
+}
+
+/**
+ * Validate a `/rewind` request. Returns { ok, reason }. Gate order:
+ *   1. must reply-to a message (the rewind target M)
+ *   2. the chat must be rewind-SAFE — a DM or an isolate-topics group. A shared (non-isolated)
+ *      group runs ONE session across all topics, so a rewind there would blast every topic and
+ *      user; refuse it. (Caller computes `rewindSafe`.)
+ *   3. access policy: the operator/admin is always allowed; any *paired* user is allowed ONLY
+ *      when the chat opted in with `rewindAccess: 'paired'`. Default ('operator') is operator-only
+ *      — NOT "any paired user" (the security-review degradation when operatorUserId was unset).
+ *   4. M must be the sender's OWN message or one of the bot's own bubbles — never another user's
+ *      (else an allowed user could rewind to anyone's message).
+ *
+ * @param {object} a
+ * @param {object} a.msg
+ * @param {string} a.botUsername
+ * @param {boolean} a.rewindSafe          chat is a DM OR an isolateTopics group (caller computes)
+ * @param {boolean} a.isOperatorIdentity  sender is operatorUserId or the admin user (caller computes)
+ * @param {boolean} a.paired              sender has a live pairing in this chat
+ * @param {'operator'|'paired'} [a.accessMode='operator']
+ */
+function gateRewindRequest({ msg, botUsername, rewindSafe, isOperatorIdentity, paired, accessMode = 'operator' } = {}) {
+  const reply = msg?.reply_to_message;
+  if (!reply) return { ok: false, reason: 'reply to the message you want to rewind to, then send /rewind' };
+  if (!rewindSafe) {
+    return { ok: false, reason: "rewind isn't available in a shared group chat — turn on per-topic isolation (isolateTopics) so a rewind only affects one topic, not everyone" };
+  }
+  const allowed = !!isOperatorIdentity || (accessMode === 'paired' && !!paired);
+  if (!allowed) {
+    return { ok: false, reason: accessMode === 'paired' ? 'only paired members can rewind this chat' : 'only the operator can rewind this chat' };
+  }
+  const fromId = reply.from?.id;
+  const isBotMsg = !!botUsername && reply.from?.username === botUsername;
+  const isOwnMsg = fromId != null && msg.from?.id != null && Number(fromId) === Number(msg.from.id);
+  if (!isBotMsg && !isOwnMsg) {
+    return { ok: false, reason: 'you can only rewind to your own messages or mine' };
+  }
+  return { ok: true };
+}
+
+function previewOf(text) {
+  const first = String(text || '').split('\n')[0].trim();
+  return first.length > 60 ? `${first.slice(0, 57)}…` : (first || '(no text)');
+}
+
+/**
+ * @param {object} deps
+ * @param {object} deps.pm           — ProcessManager (uses pm.get(sessionKey) + proc 'idle')
+ * @param {Function} deps.tg         — tg(bot, method, params, meta) sender
+ * @param {object} deps.bot
+ * @param {string} deps.botName
+ * @param {(req) => Promise<{ok:boolean,error?:string,droppedCount?:number}>} deps.executeRewind
+ *        — the transcript fork (P2). Injected; P1 wires a stub.
+ * @param {Function} [deps.logEvent]
+ * @param {object} [deps.logger]
+ */
+function createRewindHandler({ pm, tg, bot, botName = 'bot', executeRewind, logEvent = () => {}, logger = console } = {}) {
+  if (typeof executeRewind !== 'function') throw new TypeError('createRewindHandler: executeRewind required');
+
+  function ack(chatId, threadId, text) {
+    return tg(bot, 'sendMessage', { chat_id: chatId, text, ...(threadId && { message_thread_id: threadId }) },
+      { source: 'rewind', botName })
+      .catch((e) => logger.error?.(`[${botName}] rewind ack failed: ${e.message}`));
+  }
+
+  async function run(req) {
+    let result;
+    try {
+      result = await executeRewind(req);
+    } catch (e) {
+      logger.error?.(`[${botName}] rewind execute threw for ${req.sessionKey}: ${e.message}`);
+      result = { ok: false, error: e.message };
+    }
+    if (result && result.ok) {
+      const n = result.droppedCount;
+      await ack(req.chatId, req.threadId,
+        `⏪ Rewound to: «${previewOf(req.target.text)}»` + (n != null ? ` — ${n} message(s) dropped.` : '.') +
+        (result.warning ? `\n⚠️ ${result.warning}` : '') +
+        `\nNote: anything I already created (files, Sheets, emails) still exists — say the word to reverse it.`);
+      logEvent('rewind-done', { session_key: req.sessionKey, target_msg_id: req.target.msg_id });
+    } else {
+      await ack(req.chatId, req.threadId, `↩️ couldn't rewind — ${(result && result.error) || 'unknown error'}`);
+      logEvent('rewind-failed', { session_key: req.sessionKey, target_msg_id: req.target.msg_id, error: result && result.error });
+    }
+  }
+
+  // Defer to turn-end: a rewind kills+resumes the session, so it must never run mid-turn. If a
+  // turn is in flight, run on the proc's next 'idle'. If the proc is torn down first — 'close'
+  // or 'session-reset' (kill / LRU evict / bridge disconnect / model change), none of which
+  // emit 'idle' — tell the operator instead of leaving them hanging after the "queued" ack
+  // (Finding D). DEFER_TIMEOUT_MS backstops a proc that somehow emits neither (it sits above
+  // the 30-min absolute turn cap, so a legitimately long turn still completes first).
+  function schedule(req) {
+    const proc = pm && typeof pm.get === 'function' ? pm.get(req.sessionKey) : null;
+    if (proc && proc.inFlight) {
+      let settled = false;
+      const cleanup = () => {
+        clearTimeout(timer);
+        proc.removeListener('idle', onIdle);
+        proc.removeListener('close', onDead);
+        proc.removeListener('session-reset', onDead);
+      };
+      const onIdle = () => { if (settled) return; settled = true; cleanup(); run(req).catch(() => {}); };
+      const onDead = () => {
+        if (settled) return; settled = true; cleanup();
+        ack(req.chatId, req.threadId, "↩️ couldn't rewind — the session ended before the turn finished. Reply /rewind again.");
+        logEvent('rewind-deferred-lost', { session_key: req.sessionKey, target_msg_id: req.target.msg_id });
+      };
+      const timer = setTimeout(() => {
+        if (settled) return; settled = true; cleanup();
+        ack(req.chatId, req.threadId, "↩️ couldn't rewind — timed out waiting for the current turn to finish. Reply /rewind again.");
+        logEvent('rewind-deferred-timeout', { session_key: req.sessionKey, target_msg_id: req.target.msg_id });
+      }, DEFER_TIMEOUT_MS);
+      if (timer.unref) timer.unref();
+      proc.once('idle', onIdle);
+      proc.once('close', onDead);
+      proc.once('session-reset', onDead);
+      return 'deferred';
+    }
+    setImmediate(() => { run(req).catch(() => {}); });
+    return 'now';
+  }
+
+  /**
+   * Dispatcher hook. Returns { consumed }. Consumes any `/rewind` (valid → queued, invalid →
+   * the operator is told why) so it never starts a normal turn.
+   */
+  async function tryConsume({ sessionKey, chatId, threadId = null, msg, cleanText, botUsername, rewindSafe, isOperatorIdentity, paired, accessMode }) {
+    if (!isRewindCommand(cleanText)) return { consumed: false };
+    const gate = gateRewindRequest({ msg, botUsername, rewindSafe, isOperatorIdentity, paired, accessMode });
+    if (!gate.ok) {
+      await ack(chatId, threadId, `↩️ ${gate.reason}`);
+      return { consumed: true };
+    }
+    const reply = msg.reply_to_message;
+    const req = {
+      sessionKey, chatId, threadId,
+      target: { msg_id: reply.message_id, text: reply.text || reply.caption || '', ts: reply.date },
+    };
+    const when = schedule(req);
+    await ack(chatId, threadId, when === 'deferred'
+      ? '⏳ Rewind queued — I’ll run it the moment the current turn finishes.'
+      : '⏪ Rewinding…');
+    logEvent('rewind-requested', { session_key: sessionKey, target_msg_id: req.target.msg_id, when });
+    return { consumed: true };
+  }
+
+  return { tryConsume };
+}
+
+module.exports = { isRewindCommand, gateRewindRequest, previewOf, createRewindHandler };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.12.0-rc.30",
+  "version": "0.12.0-rc.32",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc/client.js",
   "bin": {

package/polygram.js

@@ -58,6 +58,8 @@ const { createBuildSdkOptions } = require('./lib/sdk/build-options');
 const { createSdkCallbacks } = require('./lib/sdk/callbacks');
 const { createQuestionStore } = require('./lib/questions/store');
 const { createQuestionHandlers } = require('./lib/handlers/questions');
+const { isRewindCommand, createRewindHandler } = require('./lib/rewind/rewind');
+const { createRewindExecutor } = require('./lib/rewind/execute');
 const { createTranscribeVoiceAttachments } = require('./lib/handlers/voice');
 const { createDownloadAttachments } = require('./lib/handlers/download');
 const { createHandleConfigCallback } = require('./lib/handlers/config-callback');
@@ -337,6 +339,9 @@ function formatPrompt(msg, sessionCtx, attachments = [], { sessionKey = null } =
           db,
           chatId,
           threadId: threadId || null,
+          // Per-topic sessions must only preload their OWN thread — else a message
+          // in one topic gets fed other topics' history (2026-06-09 cross-topic bleed).
+          isolateTopics: chatConfig?.isolateTopics === true,
           excludeMsgId: msg.message_id,
           logger: console,
         });
@@ -649,6 +654,7 @@ let handleApprovalCallback = null;
 // 0.12 interactive questions — assigned in main() once db.raw + pm exist; the
 // createSdkCallbacks onQuestionAsked closure + the callback router read it late.
 let questionHandlers = null;
+let rewindHandler = null;   // 0.13 /rewind (P1); late-bound, assigned in main() after pm exists
 let resolveApprovalWaiter = null;
 let startApprovalSweeper = null;
 let cancelAllWaiters = null;
@@ -1862,6 +1868,37 @@ function createBot(token) {
     const threadId = msg.message_thread_id?.toString();
     const sessionKey = getSessionKey(chatId, threadId, chatConfig);
 
+    // 0.13 /rewind: the operator replies `/rewind` to a message to rewind the conversation to
+    // before it. A command, so it bypasses the mention gate. Gated in the handler: rewind-safe
+    // chat (DM or isolateTopics group) → operator/admin identity (or any paired user only when
+    // rewindAccess='paired') → message-ownership. P1 detects/gates/defers; P2 runs the fork.
+    // Defensive: never drop a message.
+    if (rewindHandler && isRewindCommand(cleanText)) {
+      try {
+        // Operator identity: explicit operatorUserId, else the admin user — a PRIVATE adminChatId
+        // equals that user's Telegram id. A group adminChatId (negative) is not a user id → never
+        // matches a positive sender id → default-deny (no valid operator → /rewind refused).
+        const opId = config.bot?.operatorUserId;
+        const adminChatId = config.bot?.adminChatId;
+        const operatorUid = opId != null ? Number(opId) : (adminChatId != null ? Number(adminChatId) : null);
+        const isOperatorIdentity = operatorUid != null && msg.from?.id != null && Number(msg.from.id) === operatorUid;
+        const paired = pairings && msg.from?.id
+          ? pairings.hasLivePairing({ bot_name: BOT_NAME, user_id: msg.from.id, chat_id: chatId })
+          : false;
+        const accessMode = chatConfig?.rewindAccess === 'paired' ? 'paired' : 'operator';
+        // Rewind-safe: a DM (single session) OR a per-topic-isolated group. A shared group session
+        // would blast every topic/user on rewind — refuse.
+        const rewindSafe = msg.chat?.type === 'private' || chatConfig?.isolateTopics === true;
+        const r = await rewindHandler.tryConsume({ sessionKey, chatId, threadId, msg, cleanText, botUsername, rewindSafe, isOperatorIdentity, paired, accessMode });
+        if (r.consumed) return;
+      } catch (err) {
+        // The text IS a recognized /rewind command — on an internal error, consume it anyway
+        // (Finding I). Falling through would send "/rewind" to claude as a normal prompt.
+        console.error(`[${BOT_NAME}] rewind tryConsume failed: ${err?.message || err}`);
+        return;
+      }
+    }
+
     // 0.12 interactive questions: the owner's free-text "Other" answer arrives
     // WITHOUT an @mention, so in a mention-gated group shouldHandle would reject
     // it and the "Other" flow would silently dead-end. Let the claimed owner's
@@ -2295,6 +2332,15 @@ async function main() {
       }
     } catch (e) { console.error(`[${BOT_NAME}] question sweep: ${e.message}`); }
   }, 30_000).unref?.();
+
+  // 0.13 /rewind: detect + operator/ownership gate + turn-end defer + confirm (P1), backed by
+  // the copy-only transcript-fork executor (P2/P3: fork → repoint the session → kill → delete
+  // orphaned bot messages). channels/cli only; the fork mechanism was proven in P0.6.
+  // See docs/0.13-rewind-design.md.
+  const executeRewind = createRewindExecutor({ db, pm, tg, bot, botName: BOT_NAME, logEvent, logger: console });
+  rewindHandler = createRewindHandler({
+    pm, tg, bot, botName: BOT_NAME, logEvent, logger: console, executeRewind,
+  });
   buildSdkOptions = createBuildSdkOptions({
     config,
     botName: BOT_NAME,