polygram 0.12.0-rc.9 → 0.12.0

package/lib/handlers/slash-commands.js

@@ -27,6 +27,8 @@
 
 'use strict';
 
+const { getConfigWriteScope } = require('../session-key');
+
 function createSlashCommands({
   config,
   db,
@@ -40,6 +42,7 @@ function createSlashCommands({
   getOrSpawnForChat,
   parsePairCodeArgs,
   modelVersionsDesc,
+  saveConfig = () => {},
   botName,
   logEvent,
   logger = console,
@@ -186,31 +189,49 @@ function createSlashCommands({
       return { anyActive: !applied };
     };
 
+    // cli can't hot-swap model/effort live (they are spawn-time --model /
+    // --effort flags). The change is persisted to chatConfig and applies when
+    // the session next (re)spawns — getOrSpawn's reload-on-drift makes that the
+    // user's NEXT message, conversation preserved (--resume). So give an honest
+    // suffix per backend instead of the misleading "I'll switch when I finish".
+    // (Pre-fix this checked backendName === 'channels', but 0.12.0 renamed the
+    // cli backend 'channels' → 'cli', so it never fired and every cli user got
+    // the wrong message — Review F#10 regression.)
+    const cliAwareSuffix = (anyActive) => {
+      const liveBackend = typeof pm.getBackend === 'function' ? pm.getBackend(sessionKey) : null;
+      if (liveBackend === 'cli') {
+        const proc = typeof pm.get === 'function' ? pm.get(sessionKey) : null;
+        return proc && proc.inFlight
+          ? ' — applies after this turn (conversation kept)'
+          : ' — applies on your next message (conversation kept)';
+      }
+      // cli but cold (no live proc): the next message cold-spawns with the new flag.
+      if (!liveBackend && (chatConfig.pm || config.bot?.pm) === 'cli') {
+        return ' — applies on your next message';
+      }
+      // SDK: applied live (anyActive false) or no live session to push into.
+      return anyActive ? ' — I\'ll switch when I finish' : '';
+    };
+
     // /model X
     if (botAllowsCommands && text.startsWith('/model ')) {
       const newModel = text.slice(7).trim();
       if (['opus', 'sonnet', 'haiku'].includes(newModel)) {
-        const oldModel = chatConfig.model;
-        chatConfig.model = newModel;
+        // Write to the topic when in one (so Music ≠ General) and persist to
+        // config.json so it survives restarts — both were missing (2026-06-12).
+        const { scope: wScope, threadId: wThread } = getConfigWriteScope(chatConfig, threadIdStr);
+        const oldModel = wScope.model != null ? wScope.model : chatConfig.model;
+        wScope.model = newModel;
+        try { saveConfig(); }
+        catch (err) { logger.error?.(`[${botName}] /model saveConfig failed: ${err.message}`); }
         dbWrite(() => db.logConfigChange({
-          chat_id: chatId, thread_id: threadIdStr, field: 'model',
+          chat_id: chatId, thread_id: wThread, field: 'model',
           old_value: oldModel, new_value: newModel,
           user: cmdUser, user_id: cmdUserId, source: 'command',
         }), 'log model change');
         const { anyActive } = await applyConfigChange('model', newModel);
         const ver = (modelVersionsDesc && modelVersionsDesc[newModel]) || newModel;
-        // Review F#10: channels backend can't apply model/effort changes
-        // live — its setModel/applyFlagSettings throw UNSUPPORTED_OPERATION,
-        // pm.setModel returns false → `anyActive` is true → user saw the
-        // misleading "I'll switch when I finish" message. Now we detect
-        // the channels backend explicitly and give an honest answer:
-        // settings are persisted to chatConfig and take effect on the next
-        // /reset or /new (channels lacks an in-place re-init path).
-        const backendName = typeof pm.getBackend === 'function' ? pm.getBackend(sessionKey) : null;
-        const suffix = backendName === 'channels'
-          ? ` — applies on next /reset (channels)`
-          : (anyActive ? ` — I'll switch when I finish` : '');
-        await sendReply(`Model → ${newModel} (${ver})${suffix}`);
+        await sendReply(`Model → ${newModel} (${ver})${cliAwareSuffix(anyActive)}`);
       } else {
         await sendReply(`Unknown model. Use: opus, sonnet, haiku`);
       }
@@ -221,26 +242,18 @@ function createSlashCommands({
     if (botAllowsCommands && text.startsWith('/effort ')) {
       const newEffort = text.slice(8).trim();
       if (['low', 'medium', 'high', 'xhigh', 'max'].includes(newEffort)) {
-        const oldEffort = chatConfig.effort;
-        chatConfig.effort = newEffort;
+        const { scope: wScope, threadId: wThread } = getConfigWriteScope(chatConfig, threadIdStr);
+        const oldEffort = wScope.effort != null ? wScope.effort : chatConfig.effort;
+        wScope.effort = newEffort;
+        try { saveConfig(); }
+        catch (err) { logger.error?.(`[${botName}] /effort saveConfig failed: ${err.message}`); }
         dbWrite(() => db.logConfigChange({
-          chat_id: chatId, thread_id: threadIdStr, field: 'effort',
+          chat_id: chatId, thread_id: wThread, field: 'effort',
           old_value: oldEffort, new_value: newEffort,
           user: cmdUser, user_id: cmdUserId, source: 'command',
         }), 'log effort change');
         const { anyActive } = await applyConfigChange('effort', newEffort);
-        // Review F#10: channels backend can't apply model/effort changes
-        // live — its setModel/applyFlagSettings throw UNSUPPORTED_OPERATION,
-        // pm.setModel returns false → `anyActive` is true → user saw the
-        // misleading "I'll switch when I finish" message. Now we detect
-        // the channels backend explicitly and give an honest answer:
-        // settings are persisted to chatConfig and take effect on the next
-        // /reset or /new (channels lacks an in-place re-init path).
-        const backendName = typeof pm.getBackend === 'function' ? pm.getBackend(sessionKey) : null;
-        const suffix = backendName === 'channels'
-          ? ` — applies on next /reset (channels)`
-          : (anyActive ? ` — I'll switch when I finish` : '');
-        await sendReply(`Effort → ${newEffort}${suffix}`);
+        await sendReply(`Effort → ${newEffort}${cliAwareSuffix(anyActive)}`);
       } else {
         await sendReply(`Unknown effort. Use: low, medium, high, xhigh, max`);
       }

package/lib/history-preload.js

@@ -69,6 +69,7 @@ function makeSessionStartHook({
   db,
   chatId,
   threadId = null,
+  isolateTopics = false,
   allowedChatIds = null,
   limit = DEFAULT_PRELOAD_LIMIT,
   since = DEFAULT_PRELOAD_SINCE,
@@ -93,6 +94,7 @@ function makeSessionStartHook({
         rows = history.recent(db, {
           chatId: String(chatId),
           threadId: threadId ?? null,
+          scopeThread: isolateTopics === true,   // cross-topic bleed fix (null = General only)
           limit,
           since,
           includeOutbound: true,
@@ -170,6 +172,7 @@ function buildHistoryBlock({
   db,
   chatId,
   threadId = null,
+  isolateTopics = false,
   excludeMsgId = null,
   limit = DEFAULT_PRELOAD_LIMIT,
   since = DEFAULT_PRELOAD_SINCE,
@@ -181,6 +184,9 @@ function buildHistoryBlock({
     rows = history.recent(db, {
       chatId: String(chatId),
       threadId: threadId ?? null,
+      // isolateTopics → scope to THIS thread (null = General only); else the
+      // chat-wide session legitimately spans all topics. (cross-topic bleed fix)
+      scopeThread: isolateTopics === true,
       limit,
       since,
       includeOutbound: true,

package/lib/history.js

@@ -56,11 +56,17 @@ function fts5Escape(query) {
     .join(' ');
 }
 
-function recent(db, { chatId, threadId = null, limit = 20, since = null, includeOutbound = true, allowedChatIds = null } = {}) {
+function recent(db, { chatId, threadId = null, scopeThread = false, limit = 20, since = null, includeOutbound = true, allowedChatIds = null } = {}) {
   const clamped = clampLimit(limit);
   let sql = 'SELECT * FROM messages WHERE chat_id = ?';
   const params = [String(chatId)];
   if (threadId) { sql += ' AND thread_id = ?'; params.push(String(threadId)); }
+  // scopeThread: a per-topic (isolateTopics) session must see ONLY its own thread —
+  // and a null thread means the General topic, i.e. thread_id IS NULL, NOT "all
+  // threads". Without this the General topic preloads the whole chat and bleeds
+  // other topics' context (2026-06-09 cross-topic incident). The history-skill CLI
+  // keeps the old "null threadId = all threads" default (scopeThread=false).
+  else if (scopeThread) { sql += ' AND thread_id IS NULL'; }
   if (!includeOutbound) sql += ` AND direction = 'in'`;
   const sinceMs = parseSinceMs(since);
   if (sinceMs) { sql += ' AND ts >= ?'; params.push(Date.now() - sinceMs); }

package/lib/model-costs.js

@@ -28,6 +28,10 @@ const MODEL_COSTS = {
   'claude-haiku-4-5': { input: 0.80, output: 4, cacheRead: 0.08, cacheCreation: 1 },
   // Claude Opus 4.7 (1M context)
   'claude-opus-4-7': { input: 15, output: 75, cacheRead: 1.50, cacheCreation: 18.75 },
+  // Claude Opus 4.8 — what `--model opus` resolves to now (verified in the
+  // Music-topic transcript 2026-06-10). Same Opus pricing; without this entry
+  // opus turns fall back to the Sonnet `default` and undercount cost ~5×.
+  'claude-opus-4-8': { input: 15, output: 75, cacheRead: 1.50, cacheCreation: 18.75 },
   // Default fallback — Sonnet rates (safest mid-tier estimate).
   default: { input: 3, output: 15, cacheRead: 0.30, cacheCreation: 3.75 },
 };

package/lib/process/channels-bridge-protocol.js

@@ -50,7 +50,12 @@ const ToolCallMessageSchema = z.object({
   kind: z.literal('tool'),
   session: NonEmptyString,
   tool_call_id: ToolCallId,
-  name: z.enum(['reply', 'react', 'edit_message']),
+  // 'ask' (0.12 interactive questions): a blocking tool whose answer rides back
+  // on a `question_answer` daemon→bridge message (NOT the fast `tool_ack`); its
+  // args are {chat_id, turn_id?, questions:[...]}, not reply-shaped. _dispatchToolCall
+  // branches on the name so the reply-only paths (chat_id-mismatch, content-dedup,
+  // reply-turn-binding) don't run for it.
+  name: z.enum(['reply', 'react', 'edit_message', 'ask']),
   args: z.object({}).passthrough(),
 }).passthrough();
 
@@ -116,6 +121,20 @@ const ToolAckMessageSchema = z.object({
   tool_call_id: ToolCallId,
   ok: z.boolean(),
   error: z.string().optional(),
+  // 0.13: the delivered Telegram message_id, surfaced back to claude so it can
+  // `edit_message` that bubble for progressive status. Present on a successful
+  // `reply`/`edit_message` ack; absent on errors / re-acks.
+  message_id: z.union([z.number(), z.string()]).nullish(),
+}).passthrough();
+
+// 0.12 interactive questions: carries the user's answer back for an `ask` tool
+// call. Separate from `tool_ack` (which has no payload field and resolves the
+// fast reply round-trip) so a blocking question can return a structured result.
+// `result` is one of {answers:[...]} | {cancelled:true} | {timedout:true}.
+const QuestionAnswerMessageSchema = z.object({
+  kind: z.literal('question_answer'),
+  tool_call_id: ToolCallId,
+  result: z.object({}).passthrough(),
 }).passthrough();
 
 const PingMessageSchema = z.object({
@@ -128,6 +147,7 @@ const AnyDaemonToBridgeMessage = z.discriminatedUnion('kind', [
   UserMessageSchema,
   PermVerdictMessageSchema,
   ToolAckMessageSchema,
+  QuestionAnswerMessageSchema,
   PingMessageSchema,
 ]);
 
@@ -170,6 +190,7 @@ module.exports = {
   UserMessageSchema,
   PermVerdictMessageSchema,
   ToolAckMessageSchema,
+  QuestionAnswerMessageSchema,
   PingMessageSchema,
   AnyDaemonToBridgeMessage,
   // helpers

package/lib/process/channels-bridge.mjs

@@ -108,12 +108,40 @@ function awaitToolAck(toolCallId) {
   })
 }
 
-function resolveToolAck(toolCallId, ok, error) {
+function resolveToolAck(toolCallId, ok, error, messageId) {
   const p = pendingToolCalls.get(toolCallId)
   if (!p) return
   pendingToolCalls.delete(toolCallId)
   clearTimeout(p.timer)
-  ok ? p.resolve() : p.reject(new Error(error || 'daemon rejected delivery'))
+  // 0.13: resolve with the delivered message_id so the CallTool handler can hand
+  // it back to claude (for edit_message). null when the daemon didn't carry one.
+  ok ? p.resolve({ message_id: messageId ?? null }) : p.reject(new Error(error || 'daemon rejected delivery'))
+}
+
+// ─── 0.12 interactive questions: `ask` blocks for the user's answer ──
+// Separate from tool_ack: a question can take MINUTES (the daemon-side 30-min
+// question timeout — aligned to the turn absolute cap — resolves it with {timedout}
+// before this hard ceiling, which sits just above as the last-resort backstop).
+const pendingQuestions = new Map() // tool_call_id → { resolve, timer }
+const QUESTION_ANSWER_TIMEOUT_MS = 32 * 60 * 1000
+
+function awaitQuestionAnswer(toolCallId) {
+  return new Promise((resolve) => {
+    const timer = setTimeout(() => {
+      pendingQuestions.delete(toolCallId)
+      resolve({ timedout: true })   // never reject — the agent gets a clean result
+    }, QUESTION_ANSWER_TIMEOUT_MS)
+    timer.unref?.()   // a pending answer must not, by itself, hold the event loop open
+    pendingQuestions.set(toolCallId, { resolve, timer })
+  })
+}
+
+function resolveQuestionAnswer(toolCallId, result) {
+  const p = pendingQuestions.get(toolCallId)
+  if (!p) return
+  pendingQuestions.delete(toolCallId)
+  clearTimeout(p.timer)
+  p.resolve(result ?? { cancelled: true })
 }
 
 // ─── Socket: connect, handshake, then bidirectional JSON-lines ──
@@ -210,7 +238,11 @@ function handleDaemonMessage(msg) {
       break
 
     case 'tool_ack':
-      resolveToolAck(msg.tool_call_id, msg.ok, msg.error)
+      resolveToolAck(msg.tool_call_id, msg.ok, msg.error, msg.message_id)
+      break
+
+    case 'question_answer':
+      resolveQuestionAnswer(msg.tool_call_id, msg.result)
       break
 
     case 'ping':
@@ -272,7 +304,12 @@ mcp.setRequestHandler(ListToolsRequestSchema, async () => {
     description: 'Send a message back to the originating Telegram chat. ' +
                  'chat_id MUST match the chat_id from the inbound <channel> tag. ' +
                  'turn_id MUST echo the turn_id from the inbound <channel> tag (when present) ' +
-                 'so concurrent turns route their replies correctly.',
+                 'so concurrent turns route their replies correctly. ' +
+                 'ALWAYS set consumed_turn_ids to the turn_id of EVERY <channel> message this ' +
+                 'reply answers or absorbs (including mid-turn follow-ups) — it is how polygram ' +
+                 'confirms delivery of follow-ups. ' +
+                 'Returns {ok, message_id}: keep the message_id to update that bubble in place ' +
+                 'with `edit_message` (progressive status on long tasks).',
     inputSchema: {
       type: 'object',
       properties: {
@@ -280,18 +317,99 @@ mcp.setRequestHandler(ListToolsRequestSchema, async () => {
         turn_id: { type: 'string', description: 'Echo of turn_id from inbound channel meta (required for correct turn routing).' },
         text:    { type: 'string', description: 'Message body (markdown ok).' },
         files:   { type: 'array',  items: { type: 'string' }, description: 'Optional absolute file paths to attach.' },
+        // 0.13 D2 Tier 2C: the fold-acknowledgment contract. The single turn_id
+        // field can't express a combined reply that covers a mid-turn follow-up
+        // (P0 spike Q-B: claude echoes only the trigger id) — this array can.
+        consumed_turn_ids: {
+          type: 'array', items: { type: 'string' },
+          description: 'turn_id of EVERY <channel> message this reply answers or has absorbed since your last reply (including mid-turn follow-ups). Always set it.',
+        },
       },
       required: ['chat_id', 'text'],
     },
+  }, {
+    // 0.13: edit a message already sent via `reply`, in place — the progressive-
+    // status primitive. Update one bubble instead of sending several.
+    name: 'edit_message',
+    description: 'Edit a message you previously sent via `reply`, in place. Use this for ' +
+                 'progressive status on a long task: send a short status with `reply`, take the ' +
+                 'returned message_id, then `edit_message` it as you make progress (ending with ' +
+                 'the final answer). Keep status in PLAIN LANGUAGE — never tool names like Bash/Edit. ' +
+                 'One bubble only (no chunking); for long content use `reply` instead.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        chat_id:    { type: 'string', description: 'Echo of chat_id from inbound channel meta.' },
+        turn_id:    { type: 'string', description: 'Echo of turn_id from inbound channel meta.' },
+        message_id: { type: 'number', description: 'The message_id returned by the `reply` tool call you want to update.' },
+        text:       { type: 'string', description: 'New full message body (markdown ok) — replaces the old text.' },
+      },
+      required: ['chat_id', 'message_id', 'text'],
+    },
+  }, {
+    // 0.12 interactive questions: ask the Telegram user a multiple-choice question
+    // as tap-to-answer inline buttons. USE THIS instead of any interactive menu —
+    // it returns the user's selection(s) as the tool result. Blocks until answered.
+    name: 'ask',
+    description: 'Ask the Telegram user a multiple-choice question (rendered as inline ' +
+                 'keyboard buttons; supports multiSelect + a free-text "Other"). Use this ' +
+                 'for ANY choice/confirmation — never present a numbered list and wait, and ' +
+                 'never use a terminal selection menu. Blocks until the user answers; returns ' +
+                 '{answers:[{header,selected:[label...],other?}]} (or {cancelled}/{timedout}).',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        chat_id: { type: 'string', description: 'Echo of chat_id from inbound channel meta.' },
+        turn_id: { type: 'string', description: 'Echo of turn_id from inbound channel meta.' },
+        questions: {
+          type: 'array', description: 'Up to 4 questions, asked one at a time.',
+          items: {
+            type: 'object',
+            properties: {
+              header:      { type: 'string', description: 'Short chip label (≤12 chars).' },
+              question:    { type: 'string', description: 'The question text.' },
+              multiSelect: { type: 'boolean', description: 'Allow selecting several options (checkboxes).' },
+              allowOther:  { type: 'boolean', description: 'Offer a free-text "type my own" answer (default true).' },
+              options: {
+                type: 'array', description: '2–4 options.',
+                items: { type: 'object', properties: {
+                  label:       { type: 'string', description: 'Button label (≤40 chars).' },
+                  description: { type: 'string', description: 'Shown in the message body.' },
+                } },
+              },
+            },
+            required: ['question', 'options'],
+          },
+        },
+      },
+      required: ['chat_id', 'questions'],
+    },
   }],
   }
 })
 
 mcp.setRequestHandler(CallToolRequestSchema, async req => {
-  if (req.params.name !== 'reply') {
+  if (req.params.name !== 'reply' && req.params.name !== 'ask' && req.params.name !== 'edit_message') {
     return { content: [{ type: 'text', text: `unknown tool: ${req.params.name}` }], isError: true }
   }
   const toolCallId = randomUUID()
+
+  // `ask` blocks for the user's answer (question_answer), NOT a fast tool_ack.
+  if (req.params.name === 'ask') {
+    const answerP = awaitQuestionAnswer(toolCallId)
+    try {
+      sock.write(JSON.stringify({
+        kind: 'tool', session: SESSION_KEY, tool_call_id: toolCallId, name: 'ask', args: req.params.arguments,
+      }) + '\n')
+    } catch (e) {
+      // The daemon never received the ask → no row, no sweep. Resolve the awaiter
+      // now (clears the 20-min timer) instead of stranding the agent on it.
+      resolveQuestionAnswer(toolCallId, { cancelled: true, error: `bridge write failed: ${e?.message || e}` })
+    }
+    const result = await answerP
+    return { content: [{ type: 'text', text: JSON.stringify(result) }] }
+  }
+
   const ackP = awaitToolAck(toolCallId)
   sock.write(JSON.stringify({
     kind: 'tool',
@@ -301,8 +419,11 @@ mcp.setRequestHandler(CallToolRequestSchema, async req => {
     args: req.params.arguments,
   }) + '\n')
   try {
-    await ackP
-    return { content: [{ type: 'text', text: 'sent' }] }
+    const ack = await ackP
+    // Return {ok, message_id} as JSON so claude can read the delivered bubble's
+    // id and `edit_message` it later (progressive status). For a plain reply with
+    // no id (solo sticker/reaction) message_id is null.
+    return { content: [{ type: 'text', text: JSON.stringify({ ok: true, message_id: ack?.message_id ?? null }) }] }
   } catch (err) {
     return { content: [{ type: 'text', text: `delivery failed: ${err.message}` }], isError: true }
   }

package/lib/process/channels-tool-dispatcher.js

@@ -9,9 +9,10 @@
  *   - lib/telegram/deliver.js   for the actual sendMessage loop
  *   - bot.api.sendPhoto/Document for file attachments
  *
- * The dispatcher returns `{ok: boolean, error?: string}` — CliProcess
- * relays this to the bridge as tool_ack, which surfaces to Claude as the
- * tool's return value (`'sent'` on ok, error message on failure).
+ * The dispatcher returns `{ok: boolean, error?: string, message_id?: number}` —
+ * CliProcess relays this to the bridge as tool_ack, which surfaces to Claude as
+ * the tool's return value (`{ok:true, message_id}` on success so claude can
+ * `edit_message` that bubble; error message on failure).
  *
  * Decoupled from polygram.js: factory takes {bot, send, chunkText, logger}
  * — same shape SDK callbacks already use — so it can be tested with fakes
@@ -37,6 +38,13 @@ const os = require('node:os');
 // additional roots (e.g. a configured uploads dir).
 const DEFAULT_ATTACHMENT_BASE = path.join(os.tmpdir(), 'polygram-attachments');
 
+// Review 2026-06-12 hardening: cap files[] per reply so one (possibly
+// prompt-injected) call can't fan out unlimited uploads past the per-call
+// rate limit; cap the per-session owned-message-id set so the edit-ownership
+// tracker can't grow unbounded on a long-lived session.
+const MAX_FILES_PER_REPLY = 10;
+const OWNED_MSG_CAP = 256;
+
 function isPathUnder(child, parent) {
   const rel = path.relative(parent, child);
   return rel !== '' && !rel.startsWith('..') && !path.isAbsolute(rel);
@@ -124,12 +132,69 @@ function createChannelsToolDispatcher({
   const deliverAgent = processAndDeliverAgentText
     || require('../telegram/process-agent-reply').processAndDeliverAgentText;
 
+  // Per-session set of message_ids THIS session created (via reply/edit).
+  // edit_message may only target an owned bubble — a prompt-injected
+  // edit_message can't tamper with a message it didn't send, or another
+  // session's bubble (review 2026-06-12). Bounded per session (insertion-order
+  // eviction) so a long session can't grow it without limit.
+  const ownedMessageIds = new Map();   // sessionKey → Set<number>
+  const rememberOwned = (sk, id) => {
+    if (id == null || sk == null) return;
+    const n = Number(id);
+    if (!Number.isFinite(n)) return;
+    let set = ownedMessageIds.get(sk);
+    if (!set) { set = new Set(); ownedMessageIds.set(sk, set); }
+    set.add(n);
+    while (set.size > OWNED_MSG_CAP) set.delete(set.values().next().value);
+  };
+  const ownsMessage = (sk, id) => ownedMessageIds.get(sk)?.has(Number(id)) === true;
+
   return async function channelsToolDispatcher(call) {
-    const { sessionKey, chatId, threadId, toolName, text, files, sourceMsgId, maxOutboundFileBytes } = call;
+    const { sessionKey, chatId, threadId, toolName, text, files, sourceMsgId, maxOutboundFileBytes, messageId } = call;
+
+    // 0.13: `edit_message` edits a previously-sent bubble in place — the
+    // progressive-status primitive. claude gets the message_id from the
+    // `reply` tool's result (returned below) and edits it as work proceeds.
+    // A single edit is one bubble (no chunking); the `send` wrapper already
+    // does markdown→HTML and tolerates "message is not modified".
+    if (toolName === 'edit_message') {
+      if (!chatId) return { ok: false, error: 'edit_message.chat_id missing' };
+      if (messageId == null) return { ok: false, error: 'edit_message.message_id missing' };
+      if (typeof text !== 'string' || text.length === 0) {
+        return { ok: false, error: 'edit_message.text missing or empty' };
+      }
+      // Same agent-text hygiene as reply, minus chunking/delivery: strip inline
+      // [sticker:…]/[react:…] markers and intercept canned strings so neither
+      // leaks as literal text into the edited bubble.
+      let clean = text;
+      try { const p = parseResponse(text); if (p && typeof p.text === 'string') clean = p.text; } catch { /* keep raw */ }
+      try { const s = sanitizeAssistantReply(clean); if (s && typeof s.text === 'string') clean = s.text; } catch { /* keep */ }
+      if (clean.length === 0) return { ok: false, error: 'edit_message.text empty after sanitize' };
+      if (clean.length > maxChunkLen) {
+        return { ok: false, error: `edit text too long (${clean.length} > ${maxChunkLen}); a message edit is a single bubble — use reply for long content` };
+      }
+      // Ownership gate (review 2026-06-12): only edit a bubble THIS session
+      // created (got its id from a reply/edit result). Blocks a prompt-injected
+      // edit_message from tampering with an arbitrary or cross-session message.
+      if (!ownsMessage(sessionKey, messageId)) {
+        logger.warn?.(`[channels-tool-dispatcher] ${sessionKey} edit_message DENIED: message_id ${messageId} not owned by this session`);
+        return { ok: false, error: `message_id ${messageId} was not created by this session — edit_message can only target a bubble you sent` };
+      }
+      try {
+        const params = { chat_id: chatId, message_id: messageId, text: clean };
+        if (threadId) params.message_thread_id = threadId;
+        await send(bot, 'editMessageText', params, { source: 'channels-tool-dispatcher', sessionKey, toolName });
+        rememberOwned(sessionKey, messageId);   // keep ownership across re-edits
+        return { ok: true, message_id: messageId };
+      } catch (err) {
+        logger.error?.(`[channels-tool-dispatcher] ${sessionKey} edit_message failed: ${err.message}`);
+        return { ok: false, error: err.message };
+      }
+    }
 
     if (toolName !== 'reply') {
-      // 0.11.0 Phase 1 ships `reply` only — react and edit_message are
-      // deferred (Decision #10). Future tools route through here too.
+      // `reply` + `edit_message` route here. `react` (and any future tool)
+      // is not yet implemented (Decision #10 / 0.13 follow-on).
       return { ok: false, error: `unsupported tool: ${toolName}` };
     }
 
@@ -171,6 +236,19 @@ function createChannelsToolDispatcher({
         return { ok: false, error: `delivered ${dr.sent?.length || 0} of ${totalChunks} chunks; failed: ${failedDetail}` };
       }
 
+      // 0.13: surface the FIRST delivered bubble's message_id so claude can
+      // edit_message it for progressive status. deliver.js pushes numeric ids;
+      // tolerate the {message_id} object shape too. null for solo sticker/reaction.
+      const firstSent = dr && Array.isArray(dr.sent) ? dr.sent.find(x => x != null) : null;
+      const replyMessageId = (firstSent && typeof firstSent === 'object') ? firstSent.message_id : firstSent;
+      // Remember every delivered bubble so claude can edit_message any of them
+      // (the ownership gate above) — not just the first one returned.
+      if (dr && Array.isArray(dr.sent)) {
+        for (const s of dr.sent) {
+          rememberOwned(sessionKey, (s && typeof s === 'object') ? s.message_id : s);
+        }
+      }
+
       // File attachments — sent as separate messages AFTER the text.
       // Photos for image MIMEs, Documents for everything else (matches
       // the official Telegram channels plugin behavior).
@@ -181,12 +259,22 @@ function createChannelsToolDispatcher({
       // keys, and AWS creds can't leak to Telegram.
       const failedAttachments = [];
       if (Array.isArray(files) && files.length > 0) {
+        // Cap the per-reply fan-out (review 2026-06-12): a single (possibly
+        // injected) call attaching dozens of files would bypass the per-call
+        // rate limit. Process the first MAX_FILES_PER_REPLY; surface the rest.
+        let toAttach = files;
+        if (files.length > MAX_FILES_PER_REPLY) {
+          toAttach = files.slice(0, MAX_FILES_PER_REPLY);
+          for (const extra of files.slice(MAX_FILES_PER_REPLY)) {
+            failedAttachments.push({ path: extra, error: `too many files in one reply (max ${MAX_FILES_PER_REPLY}); send the rest in a follow-up` });
+          }
+        }
         const allowedRoots = buildAllowedRoots({
           sessionKey,
           sessionCwd: call.sessionCwd,
           extraRoots: attachmentAllowlist,
         });
-        for (const filePath of files) {
+        for (const filePath of toAttach) {
           const check = validateAttachmentPath(filePath, allowedRoots);
           if (!check.ok) {
             logger.warn?.(
@@ -241,7 +329,7 @@ function createChannelsToolDispatcher({
                  failedAttachments.map(f => `${f.path} (${f.error})`).join('; '),
         };
       }
-      return { ok: true };
+      return { ok: true, message_id: replyMessageId ?? null };
     } catch (err) {
       logger.error?.(`[channels-tool-dispatcher] ${sessionKey} dispatch failed: ${err.message}`);
       return { ok: false, error: err.message };
@@ -262,10 +350,15 @@ function createChannelsToolDispatcher({
  * is the safe default.
  */
 function buildAllowedRoots({ sessionKey, sessionCwd = null, extraRoots = [] }) {
-  const roots = [
-    DEFAULT_ATTACHMENT_BASE,
-    path.join(DEFAULT_ATTACHMENT_BASE, String(sessionKey || '')),
-  ];
+  const roots = [];
+  // SECURITY (review 2026-06-12): allow ONLY this session's own staging subdir,
+  // never the shared DEFAULT_ATTACHMENT_BASE parent. All sessions' claude procs
+  // run as the same uid, so a base-level root let session A send a file staged
+  // under session B (/tmp/polygram-attachments/<B>/…) → cross-chat exfiltration.
+  // A falsy sessionKey would collapse path.join(BASE,'') back to BASE, so skip
+  // the staging root entirely when it's missing (only sessionCwd/extras remain).
+  const sk = String(sessionKey || '');
+  if (sk) roots.push(path.join(DEFAULT_ATTACHMENT_BASE, sk));
   if (sessionCwd) roots.push(sessionCwd);
   if (Array.isArray(extraRoots)) {
     for (const r of extraRoots) {