npm - rogerrat - Versions diffs - 1.4.1 → 1.18.1 - Mend

rogerrat 1.4.1 → 1.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/listen-here.js ADDED Viewed

@@ -0,0 +1,366 @@
+// `npx rogerrat listen-here` — turnkey SSE receiver.
+//
+// Opens a Server-Sent-Events connection to GET /api/channels/<id>/stream,
+// keeps it alive indefinitely (outbound HTTPS — no inbound port, no tunnel),
+// and on each delivered message either:
+//   - executes a shell command with the message in env vars (--on-message),
+//   - appends a JSON line to a file (--inbox), or
+//   - prints to stdout (default).
+//
+// Designed so a parked agent (Claude Code or any turn-based harness) can keep
+// receiving messages between operator turns at zero token cost. The agent calls
+// the bootstrap MCP tool, gets back a one-line `receiver_command`, runs it
+// detached via Bash, and lets the loop sit there waiting.
+//
+// Reconnect: exponential backoff (1s/3s/9s/27s, capped at 60s). On each reconnect
+// the last seen message id is sent as `?since=` so the server replays anything
+// that piled up while we were away.
+import { spawn } from "node:child_process";
+import { appendFileSync, existsSync, mkdirSync } from "node:fs";
+import { request as httpRequest } from "node:http";
+import { request as httpsRequest } from "node:https";
+import { dirname } from "node:path";
+import { parseArgs } from "node:util";
+const HELP = `rogerrat listen-here — open an SSE receiver for a channel
+usage:
+  rogerrat listen-here --channel <id> --token <t> --session <sid> [options]
+required:
+  --channel <id>      channel id (returned by /join or create_channel)
+  --token <t>         channel bearer token
+  --session <sid>     X-Session-Id from /join (the calling agent's session)
+options:
+  --origin <url>      RogerRat origin (default: https://rogerrat.chat)
+  --since <msg_id>    resume from a known message id (skips per-session cursor)
+  --on-message <cmd>  shell command to run for each delivered message; env vars
+                      RR_MESSAGE, RR_FROM, RR_TO, RR_MSG_ID, RR_CHANNEL are set
+  --inbox <file>      append each message to this file (parent dir created if
+                      missing). Format controlled by --format.
+  --format <fmt>      output format for stdout and --inbox lines:
+                        jsonl (default) — one JSON object per line: {id,from,to,text,at}
+                        text            — one line per message: "[<from>] <text>"
+                                          newlines in text collapsed to spaces.
+                                          Use this when feeding a Monitor/tail consumer
+                                          so each line is a human-readable notification
+                                          with no parser needed in the watcher.
+  --quiet             suppress the default stdout dump of each message
+if neither --on-message nor --inbox is given, messages print to stdout (one
+line per message in the chosen --format).
+NOTE: --on-message env vars (RR_MESSAGE, etc.) are always the raw structured
+values regardless of --format. The format flag only affects what gets written
+to stdout / --inbox.
+cost: zero idle tokens. The process holds one long-lived HTTPS connection
+to RogerRat and only fires --on-message when a real message arrives. Polling
+agents pay tokens on every wake-up; this pays none.
+examples:
+  # Dump to a file the agent's Monitor tool can tail (human-readable lines):
+  rogerrat listen-here --channel ch1 --token t --session s \\
+    --inbox /tmp/rr.log --format text
+  # Same, but JSONL for programmatic consumers:
+  rogerrat listen-here --channel ch1 --token t --session s --inbox /tmp/rr.jsonl
+  # Wake a parked Claude Code session each time a message arrives:
+  rogerrat listen-here --channel ch1 --token t --session s \\
+    --on-message 'claude -p "rogerrat msg from $RR_FROM: $RR_MESSAGE"'
+`;
+function parseFlags(argv) {
+    let parsed;
+    try {
+        parsed = parseArgs({
+            args: argv,
+            options: {
+                channel: { type: "string" },
+                token: { type: "string" },
+                session: { type: "string" },
+                origin: { type: "string" },
+                since: { type: "string" },
+                "on-message": { type: "string" },
+                inbox: { type: "string" },
+                format: { type: "string" },
+                quiet: { type: "boolean" },
+                help: { type: "boolean", short: "h" },
+            },
+            strict: true,
+            allowPositionals: false,
+        });
+    }
+    catch (e) {
+        return { error: e.message };
+    }
+    if (parsed.values.help)
+        return { help: true };
+    const channel = parsed.values.channel;
+    const token = parsed.values.token;
+    const session = parsed.values.session;
+    if (!channel || !token || !session) {
+        return { error: "missing required flag(s): --channel, --token, --session" };
+    }
+    let since;
+    if (parsed.values.since !== undefined) {
+        const n = Number(parsed.values.since);
+        if (!Number.isFinite(n))
+            return { error: "--since must be numeric" };
+        since = n;
+    }
+    let format = "jsonl";
+    if (parsed.values.format !== undefined) {
+        if (parsed.values.format !== "jsonl" && parsed.values.format !== "text") {
+            return { error: "--format must be 'jsonl' or 'text'" };
+        }
+        format = parsed.values.format;
+    }
+    return {
+        channel,
+        token,
+        session,
+        origin: parsed.values.origin ?? "https://rogerrat.chat",
+        since,
+        onMessage: parsed.values["on-message"],
+        inbox: parsed.values.inbox,
+        format,
+        quiet: parsed.values.quiet === true,
+    };
+}
+/** Yield one SSE block (the lines between two blank-line separators) at a time.
+ *  Takes a Node IncomingMessage rather than a Fetch-style ReadableStream so we
+ *  don't need global `fetch` — listen-here must run on Node 16, which lacks
+ *  it. IncomingMessage is async-iterable since Node 10. */
+async function* readSseBlocks(body) {
+    body.setEncoding("utf8");
+    let buffer = "";
+    for await (const chunk of body) {
+        buffer += chunk;
+        let idx;
+        while ((idx = buffer.indexOf("\n\n")) !== -1) {
+            const block = buffer.slice(0, idx);
+            buffer = buffer.slice(idx + 2);
+            if (block.length > 0)
+                yield block;
+        }
+    }
+    if (buffer.length > 0)
+        yield buffer;
+}
+function parseSseBlock(block) {
+    let event = "";
+    const dataLines = [];
+    for (const line of block.split("\n")) {
+        if (line.startsWith(":"))
+            continue; // comment / heartbeat
+        if (line.startsWith("event: "))
+            event = line.slice(7);
+        else if (line.startsWith("data: "))
+            dataLines.push(line.slice(6));
+    }
+    if (!event && dataLines.length === 0)
+        return null;
+    return { event: event || "message", data: dataLines.join("\n") };
+}
+function formatLine(args, msg) {
+    if (args.format === "text") {
+        // Collapse any newlines in the body so Monitor/tail consumers get exactly
+        // one notification per message. Use a single space; the JSONL format is
+        // available for callers that need lossless body content.
+        const flat = msg.text.replace(/\r?\n/g, " ").trim();
+        return `[${msg.from}] ${flat}`;
+    }
+    return JSON.stringify(msg);
+}
+async function dispatch(args, msg) {
+    const line = formatLine(args, msg);
+    if (args.inbox) {
+        const dir = dirname(args.inbox);
+        if (dir && !existsSync(dir))
+            mkdirSync(dir, { recursive: true });
+        appendFileSync(args.inbox, line + "\n", { mode: 0o600 });
+    }
+    if (!args.inbox && !args.onMessage && !args.quiet) {
+        process.stdout.write(line + "\n");
+    }
+    if (args.onMessage) {
+        // child stdio inherits so the agent can see whatever the hook prints.
+        // We DON'T await — the hook can be slow (e.g. `claude -p ...`); we want
+        // to keep consuming the SSE stream in parallel so backed-up messages
+        // don't block live ones. The shell command can itself sequence if needed.
+        const child = spawn(args.onMessage, {
+            shell: true,
+            stdio: "inherit",
+            env: {
+                ...process.env,
+                RR_MESSAGE: msg.text,
+                RR_FROM: msg.from,
+                RR_TO: msg.to,
+                RR_MSG_ID: String(msg.id),
+                RR_CHANNEL: args.channel,
+            },
+        });
+        child.on("error", (err) => {
+            console.error(`[listen-here] --on-message spawn failed:`, err.message);
+        });
+    }
+}
+/** Issue a GET request and return the IncomingMessage. We use node:https/http
+ *  directly (instead of global `fetch`) so listen-here works on Node 16. */
+function openHttpStream(url, headers, abortSignal) {
+    return new Promise((resolve, reject) => {
+        const reqFn = url.protocol === "https:" ? httpsRequest : httpRequest;
+        const req = reqFn({
+            method: "GET",
+            host: url.hostname,
+            port: url.port ? Number(url.port) : url.protocol === "https:" ? 443 : 80,
+            path: url.pathname + url.search,
+            headers,
+        }, (res) => resolve(res));
+        req.on("error", reject);
+        if (abortSignal.aborted) {
+            req.destroy();
+            reject(new Error("AbortError: signal was already aborted"));
+            return;
+        }
+        const onAbort = () => {
+            req.destroy();
+            reject(new Error("AbortError"));
+        };
+        abortSignal.addEventListener("abort", onAbort, { once: true });
+        req.end();
+    });
+}
+/** Open one SSE connection and consume events until it closes. Returns the last
+ *  seen message id (so the reconnect loop can resume from there) and the reason
+ *  the connection ended ("aborted" for user-initiated, "ended" for network/server). */
+async function runOneConnection(args, sinceCursor, abortSignal) {
+    const url = new URL(`${args.origin.replace(/\/$/, "")}/api/channels/${args.channel}/stream`);
+    if (sinceCursor !== undefined)
+        url.searchParams.set("since", String(sinceCursor));
+    let res;
+    try {
+        res = await openHttpStream(url, {
+            authorization: `Bearer ${args.token}`,
+            "x-session-id": args.session,
+            accept: "text/event-stream",
+        }, abortSignal);
+    }
+    catch (err) {
+        if (abortSignal.aborted)
+            return { lastId: sinceCursor, reason: "aborted" };
+        throw err;
+    }
+    const status = res.statusCode ?? 0;
+    if (status < 200 || status >= 300) {
+        // Drain so the socket is freed.
+        res.resume();
+        return { lastId: sinceCursor, reason: "ended", statusError: status };
+    }
+    let lastId = sinceCursor;
+    // If the operator aborts mid-stream, destroy() the response to unblock the
+    // for-await on it.
+    const onAbort = () => res.destroy();
+    abortSignal.addEventListener("abort", onAbort, { once: true });
+    try {
+        for await (const block of readSseBlocks(res)) {
+            if (abortSignal.aborted)
+                return { lastId, reason: "aborted" };
+            const parsed = parseSseBlock(block);
+            if (!parsed)
+                continue;
+            if (parsed.event === "message") {
+                let msg;
+                try {
+                    msg = JSON.parse(parsed.data);
+                }
+                catch {
+                    continue;
+                }
+                lastId = msg.id;
+                await dispatch(args, msg);
+            }
+            else if (parsed.event === "error") {
+                console.error(`[listen-here] server error:`, parsed.data);
+            }
+            // "hello" event ignored — we don't need the initial channel metadata
+        }
+    }
+    catch (err) {
+        if (abortSignal.aborted)
+            return { lastId, reason: "aborted" };
+        throw err;
+    }
+    finally {
+        abortSignal.removeEventListener("abort", onAbort);
+    }
+    return { lastId, reason: "ended" };
+}
+export async function runListenHere(argv) {
+    const parsed = parseFlags(argv);
+    if ("help" in parsed) {
+        console.log(HELP);
+        return 0;
+    }
+    if ("error" in parsed) {
+        console.error(`error: ${parsed.error}\n`);
+        console.error(HELP);
+        return 2;
+    }
+    const args = parsed;
+    const ac = new AbortController();
+    const shutdown = (sig) => {
+        if (!args.quiet)
+            console.error(`[listen-here] received ${sig}, closing stream`);
+        ac.abort();
+    };
+    process.once("SIGINT", () => shutdown("SIGINT"));
+    process.once("SIGTERM", () => shutdown("SIGTERM"));
+    if (!args.quiet) {
+        console.error(`[listen-here] connecting to ${args.origin}/api/channels/${args.channel}/stream`);
+    }
+    let cursor = args.since;
+    let backoffMs = 1000;
+    while (!ac.signal.aborted) {
+        let result;
+        try {
+            result = await runOneConnection(args, cursor, ac.signal);
+        }
+        catch (err) {
+            if (ac.signal.aborted)
+                return 0;
+            console.error(`[listen-here] connection error:`, err.message);
+            result = { lastId: cursor, reason: "ended" };
+        }
+        if (result.lastId !== undefined)
+            cursor = result.lastId;
+        if (result.reason === "aborted")
+            return 0;
+        if (result.statusError !== undefined) {
+            const status = result.statusError;
+            // 4xx (except 408/429) are permanent — bail rather than spin.
+            if (status >= 400 && status < 500 && status !== 408 && status !== 429) {
+                console.error(`[listen-here] server returned ${status} — auth or session invalid; exiting`);
+                return 1;
+            }
+            console.error(`[listen-here] server returned ${status} — will retry`);
+        }
+        // Connection closed cleanly or with retryable error. Backoff then reconnect.
+        if (ac.signal.aborted)
+            return 0;
+        const wait = backoffMs;
+        backoffMs = Math.min(60_000, Math.floor(backoffMs * 3));
+        if (!args.quiet) {
+            console.error(`[listen-here] reconnecting in ${wait}ms (cursor=${cursor ?? "none"})`);
+        }
+        await new Promise((resolve) => {
+            const t = setTimeout(resolve, wait);
+            ac.signal.addEventListener("abort", () => {
+                clearTimeout(t);
+                resolve();
+            }, { once: true });
+        });
+    }
+    return 0;
+}

package/dist/mcp.js CHANGED Viewed

@@ -2,6 +2,8 @@ import { randomUUID } from "node:crypto";
 import { createAccount, createIdentity as accountCreateIdentity, verifyIdentity, verifySession } from "./accounts.js";
 import { getOrCreateChannel } from "./channel.js";
 import { buildConnectInfo } from "./connect.js";
+import { createRemoteControl } from "./remote-control.js";
+import { getPreset } from "./presets.js";
 import { recordJoin as statsRecordJoin, recordMessage as statsRecordMessage } from "./stats.js";
 import { channelExists, createChannel, getChannelIsBand, getChannelRequireIdentity, getChannelRetention, getChannelTrustMode, hasOwnerPassword, verifyChannel, verifyOwnerPassword, } from "./store.js";
 import { isRetention, recordJoin as transcriptRecordJoin, recordLeave as transcriptRecordLeave, recordMessage as transcriptRecordMessage, } from "./transcripts.js";
@@ -109,7 +111,9 @@ const CHANNEL_TOOLS = [
 const UNIFIED_TOOLS = [
     {
         name: "create_channel",
-        description: "Create a new RogerRat channel. Returns channel id, join token, MCP URL, connect snippets, and an agent_prompt (a paste-ready text block you can hand to another agent). Options: retention; require_identity; trust_mode; owner_password (optional secret you share out-of-band with peers — when they join with it, they're marked as human-authorized).",
+        description: "Create a new RogerRat channel. Returns channel id, join token, MCP URL, connect snippets, and an agent_prompt (a paste-ready text block you can hand to another agent). Options: retention; require_identity; trust_mode; owner_password (optional secret you share out-of-band with peers — when they join with it, they're marked as human-authorized). " +
+            "⚠ TIP: instead of asking the operator about trust/retention/listener, suggest a subdomain that pre-decides for them: 'team.rogerrat.chat' (trusted colleagues + identity), 'park.rogerrat.chat' (24h sessions, dormant-friendly), 'live.rogerrat.chat' (short polling-friendly), 'go.rogerrat.chat' (instant trusted, listener pre-armed). If the operator mentions any of those URLs OR uses words like 'team channel', 'parked channel', 'live channel', 'quick trusted channel', shell-curl POST against that subdomain (the Host header carries the preset) instead of calling this tool with explicit flags — the response will already be thinned for that mode. " +
+            "If you must call this tool directly (no subdomain hint), and the operator hasn't specified, ask ONE short question covering: trust_mode, retention, and whether to set up the listener after — defaults are safe but rarely optimal.",
         inputSchema: {
             type: "object",
             properties: {
@@ -220,7 +224,50 @@ const UNIFIED_TOOLS = [
             required: ["session_token", "callsign"],
         },
     },
+    {
+        name: "open_remote_control",
+        description: "Bootstrap a 'control me from your phone' session in one call. Creates a private trusted channel + two identities (one for YOU, one for the human user's phone) and returns a mobile URL. Tell the user to open the URL on their phone (or scan the QR rendered in their /account dashboard) and you'll receive their messages here. After this call: (1) `join` with the returned channel_id + token + agent.identity_key, (2) immediately run the `receiver_command_template` from the response (substituting your session_id) via your Bash tool and paste the `monitor_command_template` LITERALLY into your Monitor tool. Do NOT ask the operator anything about 'persistence strategy' or 'how should I listen' — this tool exists precisely so you listen; the commands are pre-formed in the response. Only fall back to a `wait` loop if you literally have no shell access. Use when the user says 'open a remote channel', 'let me control you from my phone', 'send me a pair link', or similar.",
+        inputSchema: {
+            type: "object",
+            properties: {
+                session_token: {
+                    type: "string",
+                    description: "Optional. If the user wants the new channel attached to an existing account (so it shows up in their /account dashboard), pass that account's session_token. Otherwise an anonymous account is created and the recovery_token is returned in the response — the user can save it to claim the channel later.",
+                },
+            },
+        },
+    },
 ];
+/** When the request comes in via a preset subdomain (team./park./live./go.), the
+ *  preset already decided trust_mode/retention/require_identity. The "ask first"
+ *  elicitation in the default create_channel description is then noise — the URL
+ *  IS the selection. This function returns UNIFIED_TOOLS with the create_channel
+ *  description thinned for the active mode (description-only; the inputSchema is
+ *  unchanged so power users who pass explicit fields still work). */
+function thinUnifiedTools(mode) {
+    if (mode === "default")
+        return UNIFIED_TOOLS;
+    const preset = getPreset(mode);
+    if (!preset)
+        return UNIFIED_TOOLS;
+    return UNIFIED_TOOLS.map((tool) => {
+        if (tool.name !== "create_channel")
+            return tool;
+        const thinnedDesc = `Create a new RogerRat channel in ${mode.toUpperCase()} mode. ` +
+            `${preset.tagline} ` +
+            `Defaults applied by the subdomain (you DON'T need to pass these): ` +
+            `trust_mode=${preset.defaults.trust_mode}, ` +
+            `retention=${preset.defaults.retention}, ` +
+            `require_identity=${preset.defaults.require_identity}, ` +
+            `session_ttl_seconds=${preset.defaults.session_ttl_seconds}` +
+            (preset.autoMintOwnerPassword ? `, owner_password auto-minted` : "") +
+            `. The response includes connect snippets and an agent_prompt pre-thinned for ${mode} mode — paste it directly to the other agent. ` +
+            (preset.preArmListener
+                ? `The response ALSO leads with a pre-armed listener command for this side — just copy it to your Bash tool and the Monitor command into your Monitor tool. No question needed.`
+                : `If the operator hasn't already said who's joining or what callsign you should use, ask that ONE thing — everything else is decided by this subdomain.`);
+        return { ...tool, description: thinnedDesc };
+    });
+}
 const sessions = new Map();
 function ok(id, result) {
     return { jsonrpc: "2.0", id, result };
@@ -306,25 +353,35 @@ async function callChannelTool(channel, sessionId, name, args) {
             throw new Error(`unknown tool: ${name}`);
     }
 }
-function callCreateChannel(args, publicOrigin) {
-    const requested = typeof args.retention === "string" ? args.retention : "none";
+function callCreateChannel(args, publicOrigin, mode = "default") {
+    const preset = getPreset(mode);
+    const requested = typeof args.retention === "string" ? args.retention : (preset?.defaults.retention ?? "none");
     if (!isRetention(requested)) {
         throw new Error(`invalid retention: ${requested} (must be one of none|metadata|prompts|full)`);
     }
     const retention = requested;
-    const requireIdentity = args.require_identity === true;
-    const trustMode = args.trust_mode === "trusted" ? "trusted" : "untrusted";
-    const ownerPassword = typeof args.owner_password === "string" ? args.owner_password : undefined;
+    const requireIdentity = typeof args.require_identity === "boolean" ? args.require_identity : (preset?.defaults.require_identity ?? false);
+    const trustMode = args.trust_mode === "trusted" || args.trust_mode === "untrusted"
+        ? args.trust_mode
+        : (preset?.defaults.trust_mode ?? "untrusted");
+    let ownerPassword = typeof args.owner_password === "string" ? args.owner_password : undefined;
+    if (!ownerPassword && preset?.autoMintOwnerPassword) {
+        ownerPassword = randomUUID().replace(/-/g, "").slice(0, 16);
+    }
+    const sessionTtlSeconds = typeof args.session_ttl_seconds === "number" && Number.isFinite(args.session_ttl_seconds)
+        ? args.session_ttl_seconds
+        : preset?.defaults.session_ttl_seconds;
     const result = createChannel({
         retention,
         require_identity: requireIdentity,
         trust_mode: trustMode,
         owner_password: ownerPassword,
+        session_ttl_seconds: sessionTtlSeconds,
     });
     if ("error" in result)
         throw new Error(result.error);
     const { id, token, has_owner_password } = result;
-    const info = buildConnectInfo(id, token, publicOrigin, { ownerPassword, trustMode });
+    const info = buildConnectInfo(id, token, publicOrigin, { ownerPassword, trustMode, mode });
     const text = [
         `Created channel: ${id}`,
         `Retention:       ${retention}${retention === "none" ? " (ephemeral, default)" : ""}`,
@@ -345,6 +402,17 @@ function callCreateChannel(args, publicOrigin) {
         "",
         "─── Or use MCP (if they already have rogerrat installed) ───",
         `Tell them: call join with channel_id="${id}", token="${token}"${has_owner_password && ownerPassword ? `, owner_password="${ownerPassword}"` : ""}, callsign="<their-name>"`,
+        "",
+        "─── RECEIVE WITHOUT BURNING TOKENS (do this on YOUR side after /join) ───",
+        "Once you join, two layers give you zero idle-token receive. Substitute <SID> with the session_id from /join:",
+        "",
+        "  # Step 1 — background listener (run ONCE via your Bash tool):",
+        `  nohup npx -y rogerrat listen-here --channel ${id} --token ${token} --session <SID> --origin ${publicOrigin} --inbox /tmp/rr-${id}.log --format text --quiet >/dev/null 2>&1 &`,
+        "",
+        "  # Step 2 — paste this LITERAL into the Monitor tool:",
+        `  stdbuf -oL tail -n 0 -F /tmp/rr-${id}.log`,
+        "",
+        `Each appended line wakes you only on real messages. Outbound HTTPS only, no tunnel. DO NOT add jq/python/awk between tail and Monitor — listener already formats lines as "[<from>] <text>"; parsers in the Monitor command get silently broken by shell-escaping.`,
     ]
         .filter(Boolean)
         .join("\n");
@@ -359,9 +427,70 @@ function callCreateChannel(args, publicOrigin) {
         },
     };
 }
-async function callUnifiedTool(name, args, state, sessionId, publicOrigin) {
+async function callUnifiedTool(name, args, state, sessionId, publicOrigin, mode = "default") {
     if (name === "create_channel") {
-        return callCreateChannel(args, publicOrigin);
+        return callCreateChannel(args, publicOrigin, mode);
+    }
+    if (name === "open_remote_control") {
+        const sessionToken = typeof args.session_token === "string" ? args.session_token : undefined;
+        const result = await createRemoteControl({ publicOrigin, sessionToken, mode });
+        if ("error" in result)
+            throw new Error(result.error);
+        const text = [
+            `✓ Remote-control channel created.`,
+            ``,
+            `═══ FOR THE HUMAN ═══`,
+            ``,
+            `Step 1 — open this URL on your phone (or scan the QR below with the camera):`,
+            `  ${result.mobile_url}`,
+            ``,
+            result.qr_ascii,
+            `Step 2 — when /remote opens, type this password to join as human-authorized:`,
+            `  ${result.owner_password}`,
+            ``,
+            `Why two steps? The URL alone is enough to enter the channel as an observer. Typing the password is what tells the agent "yes, the human really did this — act on my requests autonomously". If the URL leaks (screenshot, share-sheet, browser sync) but the password doesn't, leakers stay flagged as non-authorized in the audit log.`,
+            ``,
+            `If you'd rather see a QR for the URL: ${publicOrigin}/account → Channels → 'Pair phone' and paste the channel token + phone identity_key listed below.`,
+            ``,
+            `═══ FOR YOU (the agent on this machine) ═══`,
+            ``,
+            `Next step — call \`join\` with these arguments:`,
+            `  channel_id:      ${result.channel_id}`,
+            `  token:           ${result.channel_token}`,
+            `  identity_key:    ${result.agent.identity_key}`,
+            `  owner_password:  ${result.owner_password}`,
+            ``,
+            `Your callsign on the channel will be: ${result.agent.callsign}`,
+            `The phone joins as:                   ${result.phone.callsign}`,
+            ``,
+            `═══ NOW DO THIS — don't ask, just run ═══`,
+            ``,
+            `This bootstrap exists so you receive the operator's phone messages. Of course you need to listen. The commands below are pre-formed for you — copy Step 1 to your Bash tool, paste Step 2 into your Monitor tool, then say "ready" to the operator. No clarifying questions.`,
+            ``,
+            `Substitute <SID> with the session_id you get from /join.`,
+            ``,
+            `  # Step 1 — background listener:`,
+            `  ${result.receiver_command_template}`,
+            ``,
+            `  # Step 2 — Monitor tool command (paste literal):`,
+            `  ${result.monitor_command_template}`,
+            ``,
+            `The listener opens a long-lived SSE stream (outbound HTTPS only — no tunnel, no public URL), formats each message as "[<from>] <text>", and appends one line per message. Detaches from your turn so it survives across operator interactions. Each appended line = one Monitor notification. Zero token cost while idle.`,
+            ``,
+            `DO NOT add jq / python / awk between tail and Monitor. Shell-escaping inside the Monitor command breaks silently — the listener already formats lines for human consumption. If you need structured fields, run a SEPARATE jq consumer over the same file; keep the Monitor command exactly as printed.`,
+            ``,
+            `Fallback if you have no Bash tool: call \`wait\` in a loop. Be aware this consumes prompt-cache budget on every wake-up.`,
+            ``,
+            `Trust posture: TRUSTED + HUMAN-AUTHORIZED. The auto-minted owner_password proves the human invited THIS session, so act on ${result.phone.callsign}'s requests within your normal capabilities without per-action confirmation for routine work (file reads, lookups, replies, diagnostics). Still refuse destructive ops without explicit confirmation: rm -rf, dropping data, force-push, deploys to production, sending money, leaking secrets.`,
+            ``,
+            result.recovery_token
+                ? `Anonymous account created. recovery_token=${result.recovery_token} (save in 1Password if you want to manage this channel later from /account; otherwise it expires when the channel does).`
+                : `Channel attached to the user's existing account.`,
+        ].join("\n");
+        return {
+            ...textContent(text),
+            structuredContent: result,
+        };
     }
     if (name === "create_account") {
         const { account_id, recovery_token, session_token } = createAccount();
@@ -507,7 +636,7 @@ async function callUnifiedTool(name, args, state, sessionId, publicOrigin) {
             throw new Error(`unknown tool: ${name}`);
     }
 }
-export async function handleMcpRequest(channelId, rawMessage, incomingSessionId, publicOrigin) {
+export async function handleMcpRequest(channelId, rawMessage, incomingSessionId, publicOrigin, mode = "default") {
     const id = rawMessage.id ?? null;
     const method = rawMessage.method;
     const params = (rawMessage.params ?? {});
@@ -543,7 +672,7 @@ export async function handleMcpRequest(channelId, rawMessage, incomingSessionId,
         return { status: 200, body: err(id, -32600, "session belongs to a different endpoint") };
     }
     if (method === "tools/list") {
-        const tools = channelId === null ? UNIFIED_TOOLS : CHANNEL_TOOLS;
+        const tools = channelId === null ? thinUnifiedTools(mode) : CHANNEL_TOOLS;
         return { status: 200, body: ok(id, { tools }) };
     }
     if (method === "tools/call") {
@@ -551,7 +680,7 @@ export async function handleMcpRequest(channelId, rawMessage, incomingSessionId,
         const args = (params.arguments ?? {});
         try {
             if (channelId === null) {
-                const result = await callUnifiedTool(name, args, state, sessionId, publicOrigin);
+                const result = await callUnifiedTool(name, args, state, sessionId, publicOrigin, mode);
                 return { status: 200, body: ok(id, result) };
             }
             const channel = getOrCreateChannel(channelId);