polygram 0.12.0-rc.9 → 0.12.0

package/lib/handlers/config-ui.js

@@ -23,7 +23,7 @@ const EFFORT_OPTIONS = ['low', 'medium', 'high', 'xhigh', 'max'];
 // polygram passes the alias (opus / sonnet / haiku) and lets claude
 // resolve. Bump on Claude release.
 const MODEL_VERSIONS_DESC = {
-  opus: 'claude-opus-4-7',
+  opus: 'claude-opus-4-8',
   sonnet: 'claude-sonnet-4-6',
   haiku: 'claude-haiku-4-5',
 };
@@ -31,19 +31,23 @@ const MODEL_VERSIONS_DESC = {
 /**
  * Build the inline keyboard for /model + /effort.
  *   show = 'model' | 'effort' | 'all'
- * The current value gets a ✓ prefix.
+ * The current value gets a ✓ prefix. `topicConfig` (per-topic overrides, or
+ * null for the chat-level card) wins over chatConfig so the ✓ matches what a
+ * topic actually runs — mirrors the spawn-path precedence (topic > chat).
  */
-function buildConfigKeyboard(chatConfig, show = 'all') {
+function buildConfigKeyboard(chatConfig, show = 'all', topicConfig = null) {
+  const model = (topicConfig && topicConfig.model) || chatConfig.model;
+  const effort = (topicConfig && topicConfig.effort) || chatConfig.effort;
   const rows = [];
   if (show === 'model' || show === 'all') {
     rows.push(MODEL_OPTIONS.map((m) => ({
-      text: m === chatConfig.model ? `✓ ${m}` : m,
+      text: m === model ? `✓ ${m}` : m,
       callback_data: `cfg:model:${m}`,
     })));
   }
   if (show === 'effort' || show === 'all') {
     rows.push(EFFORT_OPTIONS.map((e) => ({
-      text: e === chatConfig.effort ? `✓ ${e}` : e,
+      text: e === effort ? `✓ ${e}` : e,
       callback_data: `cfg:effort:${e}`,
     })));
   }
@@ -60,14 +64,39 @@ function buildConfigKeyboard(chatConfig, show = 'all') {
  * @param {(db, sessionKey) => string|null} deps.getClaudeSessionId
  */
 function createFormatConfigInfoText({ pm, db, getClaudeSessionId } = {}) {
-  return function formatConfigInfoText(chatConfig, show, sessionKey) {
+  return function formatConfigInfoText(chatConfig, show, sessionKey, topicConfig = null) {
     const alive = pm.has(sessionKey) && !pm.get(sessionKey).closed;
-    const ver = MODEL_VERSIONS_DESC[chatConfig.model] || chatConfig.model;
+    // Per-topic overrides win over chat-level for the displayed values,
+    // mirroring the spawn path (polygram.js: topicConfig.agent ||
+    // chatConfig.agent). Pre-fix the card always read chat-level, so a topic's
+    // /model showed the WRONG agent — shumorobot Music topic (thread 3) showed
+    // "Agent: shumabit" instead of its music-curation:music-curator override
+    // (2026-06-03). topicConfig defaults to null (chat-level) for callers with
+    // no active topic.
+    const model = (topicConfig && topicConfig.model) || chatConfig.model;
+    const effort = (topicConfig && topicConfig.effort) || chatConfig.effort;
+    const agent = (topicConfig && topicConfig.agent) || chatConfig.agent;
+    const ver = MODEL_VERSIONS_DESC[model] || model;
     const sess = getClaudeSessionId(db, sessionKey)?.slice(0, 8) || 'new';
+    // Running vs configured: cli can't hot-swap model/effort, so a /model or
+    // /effort change is PENDING until the session reloads (on the next message).
+    // Show the truth — the live proc's spawn-time value (proc.model/proc.effort)
+    // vs the configured one — so the card never claims a model the session
+    // isn't actually running (the "says opus, runs sonnet" confusion). SDK
+    // applies live (its proc value tracks config) so no drift line ever shows.
+    const proc = alive ? pm.get(sessionKey) : null;
+    const runModel = proc && proc.model;
+    const runEffort = proc && proc.effort;
+    const modelLine = (runModel && runModel !== model)
+      ? `Model: ${runModel} (running) → ${model} (pending — applies on your next message)`
+      : `Model: ${model} (${ver})`;
+    const effortLine = (runEffort && runEffort !== effort)
+      ? `Effort: ${runEffort} (running) → ${effort} (pending — applies on your next message)`
+      : `Effort: ${effort}`;
     const head =
-      `Model: ${chatConfig.model} (${ver})\n` +
-      `Effort: ${chatConfig.effort}\n` +
-      `Agent: ${chatConfig.agent}\n` +
+      `${modelLine}\n` +
+      `${effortLine}\n` +
+      `Agent: ${agent}\n` +
       `Process: ${alive ? 'warm' : 'cold'}\n` +
       `Session: ${sess}`;
 

package/lib/handlers/dispatcher.js

@@ -24,6 +24,13 @@
 
 const CONCURRENT_WARN_THRESHOLD_DEFAULT = 20;
 
+// Startup auto-retry (option a, 2026-06-04): a short breath before silently
+// re-dispatching a message whose first attempt died in the dev-channels startup
+// gate (TMUX_SESSION_GONE). Long enough that a host under momentary load isn't
+// hammered with a back-to-back respawn, short enough that a transient flake
+// still recovers fast enough to feel instant to the user.
+const STARTUP_RETRY_DELAY_MS = 1500;
+
 function createDispatcher({
   config,
   db,
@@ -48,6 +55,9 @@ function createDispatcher({
   // the historic 4096 for back-compat in synthetic test runs that pass
   // pre-formatted text.
   chunkBudget = 4096,
+  // Delay before a silent startup auto-retry re-dispatches (TMUX_SESSION_GONE).
+  // Injected so tests can drive it to 0; production uses STARTUP_RETRY_DELAY_MS.
+  startupRetryDelayMs = STARTUP_RETRY_DELAY_MS,
   // State accessors (need late binding because polygram.js mutates):
   getIsShuttingDown,              // () → boolean
   logger = console,
@@ -178,6 +188,26 @@ function createDispatcher({
         aborted: wasAborted || undefined,
         replay: isReplay || undefined,
       });
+      // Startup-gate death (claude exited during spawn / the dialog gate timed
+      // out) of a likely-aged RESUMED session — the persisted claude_session_id
+      // can't be resumed cleanly (shumorobot general chat 2026-06-01→03: a
+      // week-old session renders claude's "Resume from summary?" dialog whose
+      // /compact resume exits code 0 → TMUX_SESSION_GONE → the chat re-resumes
+      // the same dead id on every message, stuck for days). Poison-clear so the
+      // NEXT message spawns a FRESH session — same recovery the auto-resume path
+      // does for BRIDGE_DISCONNECTED below. clearSessionId is a no-op DELETE when
+      // there's no row (a genuine fresh-spawn failure), so this is safe; and
+      // unlike an in-process recursive retry it never reuses a closed instance.
+      if ((err.code === 'TMUX_SESSION_GONE' || err.code === 'CHANNELS_DIALOG_TIMEOUT')
+          && typeof db.clearSessionId === 'function') {
+        dbWrite(
+          () => db.clearSessionId(sessionKey),
+          `clearSessionId: poisoned by ${err.code} on startup`,
+        );
+        logEvent('session-reset-after-startup-gate', {
+          chat_id: chatId, session_key: sessionKey, msg_id: msg?.message_id, code: err.code,
+        });
+      }
       // rc.55: surface replay failures with a meaningful message.
       // Pre-rc.55 any boot-replay turn that failed for ANY reason
       // was silently dropped. The rc.51-onward boot-replay path is
@@ -197,6 +227,35 @@ function createDispatcher({
       //   - shutting down ("Process killed" isn't a real error),
       //   - user just /stop'd (already saw their abort ack).
       if (!wasAborted && !isReplay && !isShuttingDown) {
+        // Startup auto-retry (option a, 2026-06-04). TMUX_SESSION_GONE = claude
+        // exited INSIDE the startup gate, before the dev-channels channel went
+        // live — so the user's message was NEVER delivered to claude. That makes
+        // a re-send idempotent BY CONSTRUCTION (unlike a mid-turn drop, where
+        // claude might still be slowly processing). The session_id was just
+        // poison-cleared above, so re-dispatching the SAME message spawns a FRESH
+        // session and delivers it. Silent: a transient startup flake (recurs
+        // ~once/9h on the channels backend) never reaches the user — instead of
+        // the "🔄 reset it, resend" papercut, polygram just retries. One-shot
+        // (_startupRetried) so a host that genuinely can't start claude surfaces
+        // the friendly reset reply (below) after EXACTLY one retry, never a loop.
+        // Scoped to TMUX_SESSION_GONE only: CHANNELS_DIALOG_TIMEOUT is a real
+        // blocking dialog (usage-limit / permission) a retry would just re-hit,
+        // so it keeps its "please resend" copy.
+        if (err.code === 'TMUX_SESSION_GONE' && !msg._startupRetried) {
+          logEvent('startup-auto-retry', {
+            chat_id: chatId, session_key: sessionKey, msg_id: msg?.message_id,
+          });
+          // Re-dispatch a COPY carrying the one-shot marker — never mutate the
+          // caller's msg (the boot-replay path shares/re-reads it). unref the
+          // best-effort timer so a pending retry can't pin the daemon alive
+          // (the Telegram long-poll already keeps the loop running).
+          const retryMsg = { ...msg, _startupRetried: true };
+          setTimeout(
+            () => dispatchHandleMessage(sessionKey, chatId, retryMsg, bot),
+            startupRetryDelayMs,
+          ).unref?.();
+          return;
+        }
         // rc.54: auto-resume on 300s no-activity timeout. The
         // resume turn itself runs through sendToProcess directly
         // (not handleMessage), so its errors don't re-enter this
@@ -224,6 +283,29 @@ function createDispatcher({
                 chat_id: chatId, session_key: sessionKey, msg_id: msg.message_id,
                 error: resumeErr?.message?.slice(0, 200),
               });
+              // Music topic incident (2026-06-01): a channels session whose
+              // context grew large enough to auto-/compact on resume loses its
+              // MCP bridge binding on EVERY resume ("no MCP server configured"),
+              // so the resumed turn re-detaches (BRIDGE_DISCONNECTED) and lands
+              // here. The persisted claude_session_id is then poisoned — every
+              // future message (manual resend OR post-cooldown auto-resume)
+              // re-resumes it and re-detaches, an endless "🔌 please resend"
+              // loop. Break it: drop the session row so the NEXT message spawns
+              // a FRESH session (no --resume). Gated on the ORIGINAL error being
+              // a bridge-detach AND auto-resume having failed — a one-off bridge
+              // crash that resumes cleanly takes the .then() path above and
+              // keeps its context; only a session that re-detaches on resume is
+              // treated as poison. We lose the poisoned conversation's history,
+              // but that session can't complete a turn anyway.
+              if (err.code === 'BRIDGE_DISCONNECTED' && typeof db.clearSessionId === 'function') {
+                dbWrite(
+                  () => db.clearSessionId(sessionKey),
+                  'clearSessionId: poisoned by bridge-detach on resume',
+                );
+                logEvent('session-reset-after-bridge-detach', {
+                  chat_id: chatId, session_key: sessionKey, msg_id: msg.message_id,
+                });
+              }
               const fallbackText = errorReplyText(err);
               if (fallbackText) {
                 tg(bot, 'sendMessage', {
@@ -266,4 +348,5 @@ function createDispatcher({
 module.exports = {
   createDispatcher,
   CONCURRENT_WARN_THRESHOLD_DEFAULT,
+  STARTUP_RETRY_DELAY_MS,
 };

package/lib/handlers/download.js

@@ -24,7 +24,7 @@
 const fs = require('fs');
 const path = require('path');
 const { redactBotToken } = require('../error/net');
-const { MAX_FILE_BYTES } = require('../attachments');
+const { MAX_FILE_BYTES, resolveFileCaps } = require('../attachments');
 
 const ATTACHMENT_DOWNLOAD_CONCURRENCY_DEFAULT = 6;
 
@@ -60,76 +60,119 @@ function createDownloadAttachments({
       } catch { /* fall through to refetch */ }
     }
     try {
+      // Inbound per-file cap is BACKEND-derived: 20 MB on cloud Telegram
+      // (Telegram's own getFile ceiling), 2 GB with the local Bot API server.
+      // rc.15: previously hardcoded to MAX_FILE_BYTES (20 MB), which rejected
+      // large lossless tracks even when the local server could handle them.
+      const cap = resolveFileCaps({ localApi: !!config.bot?.apiRoot }).inBytes;
+
       const fileInfo = await bot.api.getFile(att.file_id);
       if (!fileInfo?.file_path) throw new Error('no file_path from getFile');
-      const url = `https://api.telegram.org/file/bot${token}/${fileInfo.file_path}`;
-      const res = await fetchImpl(url);
-      if (!res.ok) throw new Error(`HTTP ${res.status}`);
-      // Three-layer size enforcement, in order of cheapness:
-      //   1. Content-Length header — fail-fast before reading body.
-      //   2. Streaming accumulator — abort the moment cumulative byte
-      //      count crosses the cap. Defends against attackers omitting
-      //      Content-Length: pre-cap the whole body could pin RSS.
-      //   3. Final post-buffer check — defense in depth.
-      const cl = parseInt(res.headers.get('content-length') || '0', 10);
-      if (cl > MAX_FILE_BYTES) {
-        throw new Error(`content-length ${cl} exceeds per-file cap ${MAX_FILE_BYTES}`);
-      }
-      let total = 0;
-      const chunks = [];
-      if (res.body && typeof res.body.getReader === 'function') {
-        const reader = res.body.getReader();
-        while (true) {
-          const { done, value } = await reader.read();
-          if (done) break;
-          total += value.byteLength;
-          if (total > MAX_FILE_BYTES) {
-            try { await reader.cancel(); } catch {}
-            throw new Error(`stream ${total}+ bytes exceeds per-file cap ${MAX_FILE_BYTES}`);
-          }
-          chunks.push(value);
-        }
-      } else {
-        // Fallback for runtimes without WHATWG streams (shouldn't fire
-        // on Node 22+).
-        const ab = await res.arrayBuffer();
-        if (ab.byteLength > MAX_FILE_BYTES) {
-          throw new Error(`body ${ab.byteLength} bytes exceeds per-file cap ${MAX_FILE_BYTES}`);
-        }
-        chunks.push(new Uint8Array(ab));
-        total = ab.byteLength;
-      }
-      const buf = Buffer.concat(chunks.map((c) => Buffer.from(c.buffer, c.byteOffset, c.byteLength)));
-      if (buf.length > MAX_FILE_BYTES) {
-        throw new Error(`body ${buf.length} bytes exceeds per-file cap ${MAX_FILE_BYTES}`);
-      }
+
       const safeName = sanitizeFilename(att.name);
       // Embed file_unique_id so two attachments with the same msg_id+name
       // (album, resend) can't silently overwrite each other.
       const uniq = att.file_unique_id ? `-${att.file_unique_id}` : '';
       const localName = `${msg.message_id}${uniq}-${safeName}`;
       const localPath = path.join(chatDir, localName);
-      // Atomic write: temp file + rename. A crash mid-write leaves a
-      // .tmp.* file (swept later) rather than a truncated canonical
-      // file the EEXIST dedup branch would happily serve next time.
-      if (fs.existsSync(localPath)) {
-        logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (already on disk, reusing)`);
+
+      let size;
+
+      if (path.isAbsolute(fileInfo.file_path)) {
+        // ── Local Bot API server ────────────────────────────────────────
+        // rc.15: in `--local` mode getFile returns a LOCAL ABSOLUTE PATH —
+        // the server has already downloaded the file to its own disk. The
+        // previous code built a cloud URL (https://api.telegram.org/file/...)
+        // and HTTP-fetched it, which is nonsensical for a local path and
+        // failed every inbound file once apiRoot was set. Instead, link the
+        // file into the inbox directly (no HTTP, no buffering a 2 GB file
+        // through RAM). A hardlink is instant and shares the inode, so it
+        // survives the server pruning its own copy; fall back to a byte copy
+        // across filesystems.
+        const srcStat = fs.statSync(fileInfo.file_path);
+        if (srcStat.size > cap) {
+          throw new Error(`file ${srcStat.size} exceeds per-file cap ${cap}`);
+        }
+        if (fs.existsSync(localPath)) {
+          logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (already on disk, reusing)`);
+        } else {
+          try {
+            fs.linkSync(fileInfo.file_path, localPath);
+          } catch (e) {
+            if (e.code === 'EEXIST') {
+              logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (race: already on disk)`);
+            } else if (e.code === 'EXDEV') {
+              fs.copyFileSync(fileInfo.file_path, localPath);   // cross-device fallback
+            } else {
+              throw e;
+            }
+          }
+        }
+        size = srcStat.size;
+        logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (${size} bytes, local-api) → ${localPath}`);
       } else {
-        const tmpPath = `${localPath}.tmp.${process.pid}.${Date.now()}`;
-        try {
-          fs.writeFileSync(tmpPath, buf, { flag: 'wx' });
-          fs.renameSync(tmpPath, localPath);
-        } catch (e) {
-          try { fs.unlinkSync(tmpPath); } catch {}
-          if (e.code !== 'EEXIST') throw e;
-          logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (race: already on disk)`);
+        // ── Cloud Telegram ──────────────────────────────────────────────
+        // getFile returns a RELATIVE path; download it over HTTPS with the
+        // three-layer size guard (header → streaming accumulator → final).
+        const url = `https://api.telegram.org/file/bot${token}/${fileInfo.file_path}`;
+        const res = await fetchImpl(url);
+        if (!res.ok) throw new Error(`HTTP ${res.status}`);
+        const cl = parseInt(res.headers.get('content-length') || '0', 10);
+        if (cl > cap) {
+          throw new Error(`content-length ${cl} exceeds per-file cap ${cap}`);
         }
+        let total = 0;
+        const chunks = [];
+        if (res.body && typeof res.body.getReader === 'function') {
+          const reader = res.body.getReader();
+          while (true) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            total += value.byteLength;
+            if (total > cap) {
+              try { await reader.cancel(); } catch {}
+              throw new Error(`stream ${total}+ bytes exceeds per-file cap ${cap}`);
+            }
+            chunks.push(value);
+          }
+        } else {
+          // Fallback for runtimes without WHATWG streams (shouldn't fire
+          // on Node 22+).
+          const ab = await res.arrayBuffer();
+          if (ab.byteLength > cap) {
+            throw new Error(`body ${ab.byteLength} bytes exceeds per-file cap ${cap}`);
+          }
+          chunks.push(new Uint8Array(ab));
+          total = ab.byteLength;
+        }
+        const buf = Buffer.concat(chunks.map((c) => Buffer.from(c.buffer, c.byteOffset, c.byteLength)));
+        if (buf.length > cap) {
+          throw new Error(`body ${buf.length} bytes exceeds per-file cap ${cap}`);
+        }
+        // Atomic write: temp file + rename. A crash mid-write leaves a
+        // .tmp.* file (swept later) rather than a truncated canonical
+        // file the EEXIST dedup branch would happily serve next time.
+        if (fs.existsSync(localPath)) {
+          logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (already on disk, reusing)`);
+        } else {
+          const tmpPath = `${localPath}.tmp.${process.pid}.${Date.now()}`;
+          try {
+            fs.writeFileSync(tmpPath, buf, { flag: 'wx' });
+            fs.renameSync(tmpPath, localPath);
+          } catch (e) {
+            try { fs.unlinkSync(tmpPath); } catch {}
+            if (e.code !== 'EEXIST') throw e;
+            logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (race: already on disk)`);
+          }
+        }
+        size = buf.length;
+        logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (${size} bytes) → ${localPath}`);
       }
-      logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (${buf.length} bytes) → ${localPath}`);
+
       dbWrite(() => db.markAttachmentDownloaded(att.id, {
-        local_path: localPath, size_bytes: att.size_bytes || buf.length,
+        local_path: localPath, size_bytes: att.size_bytes || size,
       }), `markAttachmentDownloaded ${att.id}`);
-      return { ...att, path: localPath, size: att.size_bytes || buf.length, error: null };
+      return { ...att, path: localPath, size: att.size_bytes || size, error: null };
     } catch (err) {
       // Don't drop the attachment silently — push it through with the
       // failure noted. buildAttachmentTags renders this as

package/lib/handlers/drop-redeliver.js

@@ -0,0 +1,69 @@
+'use strict';
+
+/**
+ * Drop-redeliverer (0.13 D2 → D4 glue, docs/0.13-channels-lifecycle-design.md §3 D2).
+ *
+ * Consumes CliProcess's 'input-dropped' event — a ledgered input that was
+ * confirmed dropped (never seen at pickup, never acknowledged via
+ * consumed_turn_ids, not superseded, with the ack contract observed in the
+ * cycle) — and redelivers it ONCE through the unified D4 tail.
+ *
+ * Eligibility (design's redelivery constraints):
+ *   - `primary` and `autosteer` sources only: both reconstruct from the
+ *     inbound DB row (recordInbound persisted the raw message), so the
+ *     redelivered turn re-formats through the NORMAL prompt path — no stored
+ *     prompt text, no double-formatting, events stay content-free (L13).
+ *   - `edit-fold` / `system` / `inject` park as telemetry
+ *     (input-dropped-no-redeliver): an edit correction has its own
+ *     re-delivery path, and system pushes are never auto-re-executed.
+ *
+ * The D4 tail then enforces: once-only, _isReplay, the D5 gate at tier
+ * 'redelivery' (an abort/admin-shaped drop is never auto-re-executed), the
+ * visible 👀 ack, and dispatch. Supersession was already decided ledger-side.
+ */
+
+function createDropRedeliverer({ db, redeliver, logEvent = () => {}, logger = console } = {}) {
+  if (typeof redeliver !== 'function') throw new TypeError('drop-redeliver: redeliver required');
+
+  return async function onInputDropped(sessionKey, payload = {}) {
+    try {
+      const { chatId, msgId, source, turnId } = payload;
+      if (source !== 'primary' && source !== 'autosteer') {
+        logEvent('input-dropped-no-redeliver', {
+          chat_id: chatId ?? null, msg_id: msgId ?? null, source: source ?? null,
+          turn_id: turnId ?? null, reason: 'source-not-redeliverable',
+        });
+        return;
+      }
+      if (msgId == null) {
+        logEvent('input-dropped-no-redeliver', {
+          chat_id: chatId ?? null, source, turn_id: turnId ?? null, reason: 'no-msg-id',
+        });
+        return;
+      }
+      const row = db.getMessage(String(chatId), Number(msgId));
+      if (!row) {
+        logEvent('input-dropped-no-redeliver', {
+          chat_id: chatId, msg_id: msgId, source, turn_id: turnId ?? null, reason: 'no-db-row',
+        });
+        return;
+      }
+      // Reconstruct the boot-replay way: enough of a grammy Message for the
+      // normal prompt/attachment path to re-run from the persisted row.
+      const reconstructed = {
+        chat: { id: Number(chatId), type: String(chatId).startsWith('-') ? 'supergroup' : 'private' },
+        message_id: Number(msgId),
+        from: { id: row.user_id, first_name: row.user },
+        text: row.text || '',
+        date: Math.floor((row.ts || Date.now()) / 1000),
+        ...(row.thread_id && { message_thread_id: Number(row.thread_id) }),
+        ...(row.reply_to_id && { reply_to_message: { message_id: row.reply_to_id } }),
+      };
+      await redeliver({ chatId: String(chatId), msg: reconstructed, source: 'drop' });
+    } catch (err) {
+      logger.error?.(`[drop-redeliver] ${err?.message || err}`);
+    }
+  };
+}
+
+module.exports = { createDropRedeliverer };

package/lib/handlers/edit-correction.js

@@ -59,6 +59,8 @@ function createEditCorrectionInjector({
     const ok = pm.injectUserMessage(sessionKey, {
       content: `[edit] I corrected my previous message — it now reads: ${newText}`,
       priority: 'next',
+      msgId: editedMsg.message_id,
+      source: 'edit-fold',   // 0.13 D2: ledgered (telemetry; edits have their own redelivery path)
     });
     if (!ok) {
       logger.error?.(`[${chatConfig.name || chatId}] edit-correction inject failed`);

package/lib/handlers/edit-redelivery.js

@@ -0,0 +1,136 @@
+'use strict';
+
+/**
+ * Post-turn edit re-delivery (0.12.0). When the user edits a Telegram message AFTER claude's turn
+ * has finished, re-dispatch the edited message as a NEW turn so claude acts on the change — the
+ * "an edit is just a message" model. The mid-turn case (turn still in flight) stays with the
+ * existing injector (lib/handlers/edit-correction.js); this is the post-turn path.
+ *
+ * Spec: docs/0.12.0-edit-redelivery-spec.md (twice-reviewed). Key correctness points the review
+ * surfaced:
+ *   - Convey the change via reply_to carrying the OLD text (the caller captures it before
+ *     recordInbound overwrites the row) — replying to the live row would quote the NEW text, so
+ *     claude would see no before/after and couldn't tell it's an edit.
+ *   - GATE on the REAL edited message, NOT the synthetic: a self-reply_to trips shouldHandle's
+ *     `repliesToOtherUser` and drops paired users in mention-gated groups.
+ *   - The synthetic is `_isReplay`-tagged → no new editable row, never replay-eligible, error
+ *     reply suppressed.
+ *   - A re-edit while our re-run is in flight FOLDS via inject (the interlock) rather than
+ *     starting a second turn.
+ *
+ * @param {object} deps
+ * @param {object} deps.pm                    ProcessManager (get(sessionKey).inFlight, injectUserMessage)
+ * @param {object} deps.config
+ * @param {Function} deps.getSessionKey       (chatId, threadId, chatConfig) => sessionKey
+ * @param {Function} deps.shouldHandle        (msg, chatConfig, botUsername) => boolean — the real gate
+ * @param {Function} deps.dispatchHandleMessage (sessionKey, chatId, msg, bot) => void
+ * @param {object} deps.bot
+ * @param {Function} [deps.react]             (chatId, msgId) => void|Promise — on-edit acknowledgment
+ * @param {Function} [deps.logEvent]
+ * @param {object} [deps.logger]
+ * @returns {(editedMsg, oldText, botUsername, mentionRe?) => boolean} true when a fresh turn was
+ *   dispatched. botUsername / mentionRe are passed at CALL time (not construction): they are
+ *   resolved asynchronously via getMe and live in the createBot scope, so capturing them in the
+ *   factory (built in main()) would both be out of scope and freeze the empty initial values.
+ */
+function createEditRedelivery({
+  pm, config, getSessionKey, shouldHandle, dispatchHandleMessage, bot,
+  react, logEvent = () => {}, logger = console,
+} = {}) {
+  // botUsername / mentionRe arrive at CALL time — see @returns. Constructing with them threw
+  // `ReferenceError: mentionRe is not defined` at boot (rc.34): the factory runs in main() where
+  // those createBot locals don't exist. The edited_message handler passes the live values.
+  //
+  // 0.13 D5 (spec §5 as written): the in-flight interlock is per-(chatId,msgId),
+  // not per-session. A re-edit of the SAME message while its re-dispatch runs
+  // folds via inject; an edit of a DIFFERENT message proceeds as its own
+  // redelivery (dispatchHandleMessage autosteers it naturally if a turn is in
+  // flight — through the formatted-prompt path, not a hand-built string).
+  const redeliveredAt = new Map();   // `${chatId}:${msgId}` → ts
+  const INTERLOCK_TTL_MS = 10 * 60 * 1000;
+
+  return function maybePostTurnEdit(editedMsg, oldText, botUsername, mentionRe = null) {
+  try {
+    if (!editedMsg?.chat) return false;
+    const chatId = editedMsg.chat.id.toString();
+    const chatConfig = config.chats[chatId];
+    if (!chatConfig) return false;
+
+    // Per-chat / bot-level opt-out (shared with the mid-turn injector). Default on.
+    const optOut = chatConfig.editCorrection != null
+      ? chatConfig.editCorrection === false
+      : config.bot?.editCorrection === false;
+    if (optOut) return false;
+
+    const newText = editedMsg.text || editedMsg.caption || '';
+    if (!newText) return false;                              // blanked / media-only → nothing to act on
+    // Changed-guard: skip metadata-only edits (link-preview load fires edited_message too). The
+    // caller MUST have read oldText before recordInbound overwrote the row; null = unknown → proceed.
+    if (oldText != null && oldText === newText) return false;
+
+    const threadId = editedMsg.message_thread_id?.toString() || null;
+    const sessionKey = getSessionKey(chatId, threadId, chatConfig);
+
+    // Interlock (per-message, 0.13 D5): only a re-edit of a message whose OWN
+    // re-dispatch is still running folds via inject — pre-0.13 this was
+    // per-session (any in-flight turn folded any edit, and it injected
+    // BEFORE the gate; the gate now runs upstream in the edited_message
+    // handler, so every path through here is already gated).
+    const proc = pm?.get?.(sessionKey);
+    const interlockKey = `${chatId}:${editedMsg.message_id}`;
+    const lastRedeliveredAt = redeliveredAt.get(interlockKey) || 0;
+    if (proc?.inFlight && (Date.now() - lastRedeliveredAt) < INTERLOCK_TTL_MS && lastRedeliveredAt > 0) {
+      pm.injectUserMessage?.(sessionKey, {
+        content: `[edit] I edited my message again — it now reads: ${newText}`,
+        priority: 'next',
+        msgId: editedMsg.message_id,
+        source: 'edit-fold',   // 0.13 D2
+      });
+      logEvent('edit-redelivery-folded', { chat_id: chatId, session_key: sessionKey, msg_id: editedMsg.message_id });
+      return false;
+    }
+
+    // GATE on the REAL edited message (its real from / new text / its own real reply_to, if any).
+    // NOT the synthetic — a self-reply_to would trip shouldHandle.repliesToOtherUser and drop a
+    // paired user editing an un-mentioned message in a mention-gated group.
+    if (!shouldHandle(editedMsg, chatConfig, botUsername)) return false;
+
+    // Acknowledge immediately: a silent edit produces no new bubble, so show it registered before
+    // claude's reply lands (the rc.33 lesson). Best-effort; never blocks the re-dispatch.
+    try { react?.(chatId, editedMsg.message_id); } catch { /* best-effort */ }
+
+    // Synthetic turn: NEW text in the body, OLD text in the reply_to so claude sees the change.
+    // reply_to_message carries `from` + `text` so resolveReplyTo takes the telegram branch and
+    // renders the OLD text — NOT db.getMessage (which now holds the overwritten new text).
+    const cleanNew = mentionRe ? newText.replace(mentionRe, '').trim() : newText.trim();
+    const synthetic = {
+      chat: editedMsg.chat,
+      message_id: editedMsg.message_id,
+      from: editedMsg.from,
+      text: cleanNew,
+      date: editedMsg.date,
+      ...(threadId && { message_thread_id: Number(threadId) }),
+      reply_to_message: {
+        message_id: editedMsg.message_id,
+        from: editedMsg.from,
+        text: oldText || '',
+        date: editedMsg.date,
+      },
+      _isReplay: true,   // no new editable row, not replay-eligible, error reply suppressed
+    };
+    redeliveredAt.set(interlockKey, Date.now());
+    dispatchHandleMessage(sessionKey, chatId, synthetic, bot);
+    logEvent('edit-redelivered', {
+      chat_id: chatId, session_key: sessionKey, msg_id: editedMsg.message_id,
+      old_len: (oldText || '').length, new_len: newText.length,
+    });
+    return true;
+  } catch (e) {
+    // Never throw out of the edited_message handler.
+    logger.error?.(`[edit-redelivery] ${e.message}`);
+    return false;
+  }
+};
+}
+
+module.exports = { createEditRedelivery };