sanook-cli 0.5.1 → 0.5.5

package/README.md

@@ -4,7 +4,7 @@
 
 **The open-source terminal AI coding agent that remembers across sessions.**
 
-Bring your own key · 12 providers · MCP · a built-in **"second brain"** that gives the AI durable memory across sessions — the thing Claude Code, Codex, and Gemini CLI lose at the session boundary.
+Bring your own key · 9 providers · MCP · a built-in **"second brain"** that gives the AI durable memory across sessions — the thing Claude Code, Codex, and Gemini CLI lose at the session boundary.
 
 🇹🇭 [อ่านภาษาไทย](README.th.md)
 
@@ -13,7 +13,7 @@ Bring your own key · 12 providers · MCP · a built-in **"second brain"** that
 [![License](https://img.shields.io/badge/license-Apache--2.0-22c55e.svg)](LICENSE)
 [![Node](https://img.shields.io/badge/node-%E2%89%A5%2022-339933.svg?logo=node.js&logoColor=white)](https://nodejs.org)
 [![TypeScript](https://img.shields.io/badge/TypeScript-strict-3178c6.svg?logo=typescript&logoColor=white)](https://www.typescriptlang.org)
-[![Tests](https://img.shields.io/badge/tests-381%20passing-22c55e.svg)](#development)
+[![Tests](https://img.shields.io/badge/tests-passing-22c55e.svg)](#development)
 [![CI](https://github.com/Sir-chawakorn/sanook-cli/actions/workflows/ci.yml/badge.svg)](https://github.com/Sir-chawakorn/sanook-cli/actions/workflows/ci.yml)
 
 [Quickstart](#quickstart) · [Providers](#providers) · [Usage](#usage) · [Gateway](#gateway--scheduling) · [Skills](#skills) · [MCP](#mcp) · [Security](#security)
@@ -45,7 +45,7 @@ The agent loop, BYOK, and MCP are table stakes now. What Sanook has that the big
 |---|:---:|:---:|:---:|:---:|
 | Open-source | ✅ | ❌ | ✅ | ✅ |
 | Bring your own key | ✅ | — | ✅ | ✅ |
-| Providers | **12** | 1 | 1 | 1 |
+| Providers | **9** | 1 | 1 | 1 |
 | Local models (Ollama / LM Studio) | ✅ | ❌ | ❌ | ❌ |
 | MCP (stdio **+ remote HTTP**) | ✅ | ✅ | ✅ | ✅ |
 | OS sandbox (Seatbelt / bubblewrap) | ✅ | ✅ | ✅ | ✅ |
@@ -53,7 +53,7 @@ The agent loop, BYOK, and MCP are table stakes now. What Sanook has that the big
 | Image / vision input | ✅ | ✅ | ✅ | ✅ |
 | Prompt caching | ✅ | ✅ | ✅ | ✅ |
 | **Durable cross-session memory** | ✅ | ❌ | ❌ | ❌ |
-| **Local gateway + cron + Telegram** | ✅ | ❌ | ❌ | ❌ |
+| **Local gateway + cron + messaging** | ✅ | ❌ | ❌ | ❌ |
 
 On raw benchmark scores the frontier vendors win — Sanook's bet is **portability + persistent memory**, not beating Opus on SWE-bench. Use whatever fits; this one remembers.
 
@@ -68,9 +68,13 @@ npm install -g sanook-cli
 > ⚠️ **`'sanook' is not recognized` / command not found?** You installed it locally — `npm i sanook-cli` (without `-g`) drops it into the current folder, **not on your PATH**, so the `sanook` command isn't found. Fix: reinstall with `npm install -g sanook-cli`, or just run it via **`npx sanook`** (uses the local copy you already installed).
 > Run **`npx sanook doctor`** to auto-diagnose Node version / PATH / install state and print the exact fix for your OS (incl. a safe Windows PATH one-liner).
 
-Set an API key (or run `sanook` with no task for the interactive setup wizard):
+Run the setup wizard or set an API key manually:
 
 ```bash
+sanook setup                    # provider + model wizard; offers to create a second brain
+sanook model                    # re-run provider/model setup later
+sanook auth add anthropic --api-key sk-ant-... --use
+
 export ANTHROPIC_API_KEY=sk-ant-...        # macOS / Linux
 setx ANTHROPIC_API_KEY "sk-ant-..."        # Windows (export won't work in cmd) — then open a NEW terminal
 
@@ -82,7 +86,14 @@ Run `sanook` with no task to drop into an interactive REPL. On the very first ru
 ```bash
 sanook                          # interactive REPL
 sanook "fix the failing test"   # one-shot, headless
+sanook chat -q "fix the failing test" --provider anthropic
+sanook -z "summarise the diff"  # one-shot, final output only
 sanook --json "..."             # JSONL output for CI / scripts
+sanook status                   # redacted provider/key/brain/gateway status
+sanook web status               # true web-search/fetch readiness + grounding policy
+sanook sessions                 # list saved sessions for this project
+sanook --resume <session_id> "continue here"
+sanook dump                     # support snapshot; raw secrets are never printed
 ```
 
 ## Features
@@ -90,40 +101,42 @@ sanook --json "..."             # JSONL output for CI / scripts
 | Area | What you get |
 |---|---|
 | **Agent loop** | Built on the Vercel AI SDK 6 (`streamText` + `stopWhen` + `fullStream`), with streamed output, a cost meter, a budget cap, Anthropic **prompt caching** on the static preamble, and rate-limit-aware retry/backoff (distinct from auth failures) with model fallback. |
-| **Tools** | `read_file` · `write_file` · `edit_file` (multi-tier matcher) · `list_dir` · `glob` · `grep` · `run_bash`, plus git tools — gated by a permission layer that denies destructive commands, protected paths, and paths outside the workspace/brain by default. Non-bash tools are timeout-guarded so a runaway read/grep can't hang the loop. |
+| **Tools** | `read_file` · `write_file` · `edit_file` (multi-tier matcher) · `list_dir` · `glob` · `grep` · `run_bash` · `run_python` · `run_rust`, plus git tools — gated by a permission layer that denies destructive commands, protected paths, and paths outside the workspace/brain by default. Non-bash tools are timeout-guarded so a runaway read/grep can't hang the loop. |
 | **Sandbox** | `run_bash` is confined by an OS sandbox — **Seatbelt** on macOS, **bubblewrap** on Linux — so shell writes stay inside the workspace/brain/tmp (reads + network unaffected). Opt out with `SANOOK_NO_SANDBOX=1`. |
 | **Approval** | `ask` mode is the default and prompts `y/n` before any file write or shell command. `--yes` for auto-approve; headless ask-mode safely denies mutations when no approval UI exists. |
 | **Input** | Multiline editing, `↑`/`↓` persisted prompt history, readline keys (Ctrl-A/E/U/K/W), and `@file` mentions that inline a file's contents (or attach an **image** for vision-capable models). |
 | **Checkpoint** | A shadow-git snapshot is taken before each turn; `/rewind` restores the files **and** truncates the conversation — recoverable (it stashes the current state first). |
-| **Memory** | The agent writes its own notes (`remember`), recalls them across past sessions (`recall`), and `--continue` resumes the latest run for the current project. |
+| **Memory** | The agent writes its own notes (`remember`), recalls them across past sessions (`recall`), `--continue` resumes the latest run for the current project, `--resume <id>` resumes a specific run, and `sanook sessions` audits/exports/renames/prunes saved conversations. |
+| **Familiar CLI surfaces** | `sanook setup`, `sanook model`, `sanook auth`, `sanook chat -q`, `sanook gateway`, `sanook status`, `sanook sessions`, `sanook dump`, `sanook tools`, and `sanook send` provide familiar management entry points, all Sanook-branded. |
+| **Startup cockpit** | The interactive REPL opens with a Sanook-branded wordmark, service routes (Code, Brain, Connect, Ship), and live readiness signals for second-brain, MCP servers, installed skills, and the current git branch. |
+| **Web grounding** | `sanook web status` separates local brain search from true internet search, detects configured MCP web/search/fetch candidates, and prints Sanook's citation + prompt-injection policy for current external facts. |
 | **Repo map** | A lightweight symbol map of the repo (zero-dep, git-aware) is injected at session start so the agent picks the right files without blind grepping. |
 | **Skills** | Built-in skills + install your own from a GitHub repo, URL, or local path. The agent can also author new skills after a repeatable task. |
-| **Custom commands** | Drop a `.sanook/commands/<name>.md` prompt template and call it as `/<name>` (project commands require trust). |
+| **Custom commands** | Drop a `.sanook/commands/<name>.md` prompt template and call it as `/<name>` (project commands require trust). Arguments replace `$ARGUMENTS` or `{{ args }}`; without a placeholder they are appended. |
 | **Subagents** | A `task` tool spawns a fresh-context sub-agent for scoped exploration without bloating the main context — read-only by default, depth-guarded. |
-| **Gateway + cron** | `sanook serve` runs a long-lived daemon: a loopback OpenAI-compatible HTTP endpoint plus a cron scheduler. Ask it in plain language and it schedules itself. |
-| **Channels** | A Telegram adapter (long-polling, no public URL) lets you drive the agent from your phone — locked down with a required allowlist and private-chat-only policy. |
+| **Gateway + cron** | `sanook gateway run` (alias: `sanook serve`) runs a long-lived daemon: a loopback OpenAI-compatible HTTP endpoint plus a cron scheduler. Scheduled tasks can use `--to` to deliver results back through the messaging gateway. |
+| **Channels** | `sanook gateway setup telegram|discord|slack|mattermost|homeassistant|email|line|sms|ntfy|signal|whatsapp|matrix|googlechat|bluebubbles|teams|webhooks` stores messaging adapter config, and `sanook gateway run` starts Telegram long-polling, lightweight Discord Gateway / Slack Socket Mode / Mattermost REST+WebSocket adapters, Home Assistant state-change WebSocket filters, Email IMAP polling, LINE webhooks, Twilio SMS webhooks, ntfy topic streams, Signal via `signal-cli` HTTP/SSE, WhatsApp Cloud webhooks, Matrix Client-Server sync, and generic event webhooks when configured. Chat/event history is persisted per platform target, and final responses of `[SILENT]`, `SILENT`, `NO_REPLY`, or `NO REPLY` are stored but not delivered. `sanook send --to telegram|discord|slack|mattermost|homeassistant|email|line|sms|ntfy|signal|whatsapp|matrix|googlechat|bluebubbles|teams`, `sanook webhook subscribe`, and `sanook cron add --to ...` use the same outbound delivery rules. |
 | **MCP** | Connect any Model Context Protocol server over **stdio or remote Streamable-HTTP** (filesystem, GitHub, Postgres, hosted servers, …) via `~/.sanook/mcp.json`. |
 | **Git** | Branch, uncommitted changes, and recent commits are injected automatically, with `git_status` / `git_diff` / `git_log` / `git_commit` tools. |
 | **Hooks** | Run your own command before/after any tool. A non-zero `PreToolUse` exit blocks the tool — enforce lint, format, or policy. |
 | **Plan mode** | `--plan` restricts the agent to read-only tools and asks it to produce a plan before touching anything. |
 | **Auto-compaction** | A token-aware sliding window keeps long sessions under the context limit with zero extra LLM cost. |
+| **Prompt budget inspectability** | `sanook prompt-size [--json]` reports the offline size of Sanook's system prompt, personality overlay, auto-memory, skills index, second-brain context, project memory, repo map, git context, and built-in tool schemas. |
+| **Polyglot runtime surface** | `sanook runtimes [--json]` shows optional Python/Rust readiness. The agent gets `run_python` for data/document/ML-style helper scripts and `run_rust` for small performance/safety-critical helpers, both approval-gated and no-shell. |
 | **Second brain** | `sanook brain init` scaffolds a structured Obsidian "second-brain" workspace (folders + `_Index` + a portable AI operating constitution) for organising work and giving the agent durable, cross-session memory. |
 
 ## Providers
 
-One model spec, twelve providers. Switch with `-m <spec>` on the command line or `/model` in the REPL.
+One model spec, nine providers. Switch with `-m <spec>` on the command line or `/model` in the REPL.
 
 | Provider | Spec example | Key |
 |---|---|---|
 | Anthropic (Claude) | `-m sonnet`, `-m opus`, `-m haiku` | `ANTHROPIC_API_KEY` |
 | Google (Gemini) | `-m gemini`, `-m google:gemini-2.5-flash` | `GOOGLE_GENERATIVE_AI_API_KEY` |
 | OpenAI | `-m gpt`, `-m openai:gpt-5.5` | `OPENAI_API_KEY` |
-| DeepSeek | `-m deepseek` | `DEEPSEEK_API_KEY` |
 | xAI (Grok) | `-m grok` | `XAI_API_KEY` |
 | Mistral | `-m mistral` | `MISTRAL_API_KEY` |
 | Groq | `-m groq:fast` | `GROQ_API_KEY` |
-| MiniMax | `-m minimax` | `MINIMAX_API_KEY` |
-| GLM (Zhipu) | `-m glm` | `ZHIPU_API_KEY` |
 | Ollama | `-m ollama` | — (local) |
 | LM Studio | `-m lmstudio` | — (local) |
 | OpenAI Codex | `-m codex` | via the official Codex CLI |
@@ -133,27 +146,51 @@ A spec is an alias (`sonnet`), a `provider:model-id` pair (`openai:gpt-5.5`), or
 ```bash
 sanook models                 # list all providers
 sanook models anthropic       # curated ids (+ live verification if a key is set)
+sanook auth list              # redacted key status for every provider
+sanook auth status openai     # env/store/console details
 ```
 
 ## Usage
 
 ```
 sanook "<task>"          run one task (headless)
+sanook -z "<task>"       one-shot final output (script-friendly)
+sanook chat -q "<query>" direct one-shot query
 sanook                   interactive REPL
+sanook setup [section]   setup model/gateway/tools/agent/brain
+sanook model             choose provider + model
+sanook status            redacted install/config status
+sanook auth list         redacted provider key status
+sanook auth add openai --api-key <key> [--use]
+sanook sessions          list saved sessions for this project
+sanook sessions show <id>
+sanook sessions export <id> [--format json|markdown] [--output path]
+sanook sessions rename <id> <title>
+sanook sessions stats [--all]
+sanook sessions prune --keep N [--all] [--yes]
+sanook sessions rm <id>
+sanook dump [--show-keys] support dump (keys are still redacted)
+sanook prompt-size [--json] inspect system/brain/skill/tool context budget
+sanook runtimes [--json]   inspect optional Python/Rust runtime surface
+sanook web status [--json] inspect true web-search/fetch readiness
+sanook web doctor [--json] probe web/search/fetch MCP candidates
 sanook -c "<task>"       resume the latest session for this project
+sanook --resume <id>     resume a specific saved session
 sanook --continue-any    resume the newest session across all projects
 sanook --plan "<task>"   plan mode (read-only)
 sanook --json "<task>"   JSONL output for scripts / CI
 sanook update            update the CLI to the latest npm release
 
   -m, --model <spec>     model or provider:model-id
+      --provider <id>    provider shortcut for `sanook chat`
   -b, --budget <usd>     stop when estimated cost exceeds this
   -y, --yes              auto-approve tool calls (skip ask-mode)
+      --yolo             alias for --yes
   -v, --version          print version
   -h, --help             show help
 ```
 
-**REPL slash commands:** `/model` · `/tools` · `/skills` · `/cost` · `/diff` · `/undo` · `/rewind` · `/clear` · `/compact` · `/help` · `/quit` — plus your own `.sanook/commands/*.md`. Input supports `↑`/`↓` history, `@file` mentions (text or image), and multiline (trailing `\` or Alt+Enter).
+**REPL slash commands:** `/new` · `/reset` · `/status` · `/model` · `/personality` · `/platforms` · `/tools` · `/skills` · `/cost` · `/usage` · `/insights` · `/diff` · `/retry` · `/stop` · `/undo` · `/rewind` · `/clear` · `/compact` · `/compress` · `/help` · `/quit` — plus your own `.sanook/commands/*.md`. Input supports `↑`/`↓` history, `@file` mentions (text or image), and multiline (trailing `\` or Alt+Enter).
 
 ## Updating
 
@@ -170,11 +207,19 @@ When you launch the interactive TUI with plain `sanook`, the CLI checks for upda
 
 ## Gateway & scheduling
 
-`sanook serve` starts a single long-lived process that hosts an HTTP API, a cron scheduler, and optional chat channels — all driving the same agent core.
+`sanook gateway run` starts a single long-lived foreground process that hosts an HTTP API, a cron scheduler, and optional chat channels — all driving the same agent core. `sanook gateway start` runs the same gateway in the background and records its pid/log path under `~/.sanook/gateway/`. `sanook serve` remains as a compatibility alias.
 
 ```bash
-sanook serve --port 8787                       # HTTP (127.0.0.1 only) + scheduler
+sanook gateway status                          # redacted gateway config + token path
+sanook gateway run --port 8787                 # HTTP (127.0.0.1 only) + scheduler
+sanook gateway start --port 8787               # background process + pid/log tracking
+sanook gateway stop
+sanook gateway restart
+sanook gateway install                         # write launchd/systemd helper file
+sanook serve --port 8787                       # compatibility alias
 sanook cron add "every 30m" "check the CI"     # also "09:00", an ISO time, or "now"
+sanook cron add "every 30m" "check the CI" --to slack:C01ABCDEF
+sanook cron add "09:00" "summarise calendar" --to email:owner@example.com --model openai:gpt-5.1
 sanook cron list
 sanook cron rm <id>
 ```
@@ -194,17 +239,174 @@ curl http://127.0.0.1:8787/v1/chat/completions \
 | `POST` | `/v1/chat/completions` | run the agent (OpenAI-compatible) |
 | `GET` / `POST` | `/tasks` | list / enqueue scheduled tasks |
 
-### Telegram channel
+### Messaging channels
+
+Use the setup command, or set environment variables before `sanook gateway run`. Telegram uses long-polling (no public URL needed), Discord uses the Gateway websocket, Slack uses Socket Mode, Mattermost uses REST API v4 plus websocket events, Home Assistant uses `/api/websocket` for watched `state_changed` events plus REST `persistent_notification.create` for replies, Email uses IMAP polling plus SMTP threaded replies, LINE uses the official Messaging API webhook + Reply/Push endpoints, SMS uses Twilio Programmable Messaging with `X-Twilio-Signature` validation, ntfy uses the HTTP JSON stream + publish API, Signal uses `signal-cli daemon --http` with JSON-RPC + Server-Sent Events, WhatsApp Cloud uses Meta's official webhook + Graph Messages API, Matrix uses the Matrix Client-Server sync/send API, Google Chat uses incoming webhooks or service-account Chat REST API sends with Pub/Sub config saved for future inbound, BlueBubbles/iMessage uses the BlueBubbles REST API for outbound text with webhook settings saved for inbound parity, Microsoft Teams supports Incoming Webhook delivery and Graph chat/channel delivery, and generic Webhooks accept GitHub/GitLab/Jira/Stripe-style events with HMAC validation.
+
+```bash
+sanook gateway setup                           # platform menu
+sanook gateway setup telegram --bot-token 123:abc --allowed-chats 5222385839
+sanook gateway setup discord --bot-token "$DISCORD_BOT_TOKEN" --channel 123456789012345678
+sanook gateway setup slack --bot-token "$SLACK_BOT_TOKEN" --app-token "$SLACK_APP_TOKEN" --channel C01ABCDEF
+sanook gateway setup mattermost --url https://mm.example.com --token "$MATTERMOST_TOKEN" \
+  --allowed-users user_id_1 --home-channel chan_home_id --thread-replies
+sanook gateway setup homeassistant --url http://homeassistant.local:8123 --token "$HASS_TOKEN" \
+  --home-channel sanook_agent --watch-domains light,binary_sensor,climate
+sanook gateway setup email --address bot@example.com --password "$EMAIL_PASSWORD" \
+  --imap-host imap.example.com --smtp-host smtp.example.com --home-address owner@example.com
+sanook gateway setup line --channel-access-token "$LINE_CHANNEL_ACCESS_TOKEN" \
+  --channel-secret "$LINE_CHANNEL_SECRET" --home-channel U1234567890abcdef
+sanook gateway setup sms --account-sid "$TWILIO_ACCOUNT_SID" --auth-token "$TWILIO_AUTH_TOKEN" \
+  --phone-number "$TWILIO_PHONE_NUMBER" --home-channel +15551234567 \
+  --webhook-url https://your-tunnel.example.com/sms/webhook
+sanook gateway setup ntfy --topic sanook-yourname-2026 --token "$NTFY_TOKEN" --markdown
+sanook gateway setup signal --account +15550000000 --home-channel +15551234567 \
+  --http-url http://127.0.0.1:8080
+sanook gateway setup whatsapp --phone-number-id "$WHATSAPP_CLOUD_PHONE_NUMBER_ID" \
+  --access-token "$WHATSAPP_CLOUD_ACCESS_TOKEN" --app-secret "$WHATSAPP_CLOUD_APP_SECRET" \
+  --home-channel 15551234567 --public-url https://your-tunnel.example.com
+sanook gateway setup matrix --homeserver https://matrix.example.org \
+  --access-token "$MATRIX_ACCESS_TOKEN" --allowed-users @alice:matrix.org \
+  --home-room '!abc123:matrix.example.org'
+sanook gateway setup googlechat --service-account-json "$GOOGLE_CHAT_SERVICE_ACCOUNT_JSON" \
+  --home-channel spaces/AAAA --allowed-spaces spaces/AAAA
+sanook gateway setup googlechat --incoming-webhook-url "$GOOGLE_CHAT_INCOMING_WEBHOOK_URL"
+sanook gateway setup bluebubbles --server-url http://localhost:1234 --password "$BLUEBUBBLES_PASSWORD" \
+  --home-channel user@example.com --allowed-users user@example.com,+15551234567
+sanook gateway setup teams --incoming-webhook-url "$TEAMS_INCOMING_WEBHOOK_URL"
+sanook gateway setup teams --delivery-mode graph --graph-access-token "$TEAMS_GRAPH_ACCESS_TOKEN" \
+  --chat-id '19:chatid@thread.v2'
+sanook gateway setup webhooks --secret "$WEBHOOK_SECRET" --public-url https://your-tunnel.example.com
+sanook webhook subscribe github-issues --events issues \
+  --prompt "New issue #{issue.number}: {issue.title}\n{issue.html_url}" --to slack:C01ABCDEF
+sanook webhook subscribe deploy-notify --events push --deliver-only \
+  --prompt "Push to {repository.full_name}: {head_commit.message}" --to sms
+sanook gateway run
+sanook send --to telegram "deploy finished"
+sanook send --to discord "deploy finished"
+sanook send --to slack:C01ABCDEF "deploy finished"
+sanook send --to mattermost:chan_home_id "deploy finished"
+sanook send --to homeassistant:doorbell "deploy finished"
+sanook send --to email:owner@example.com --subject "[CI]" "deploy finished"
+sanook send --to line "deploy finished"
+sanook send --to sms "deploy finished"
+sanook send --to ntfy "deploy finished"
+sanook send --to signal "deploy finished"
+sanook send --to whatsapp "deploy finished"
+sanook send --to matrix "deploy finished"
+sanook send --to matrix:'!ops:matrix.example.org' "deploy finished"
+sanook send --to googlechat "deploy finished"
+sanook send --to googlechat:spaces/AAAA/threads/thread-1 "threaded update"
+sanook send --to bluebubbles "deploy finished"
+sanook send --to bluebubbles:'iMessage;-;user@example.com' "deploy finished"
+sanook send --to teams "deploy finished"
+sanook send --to teams:'19:chatid@thread.v2' "deploy finished"
+sanook cron add "every 30m" "check the CI" --to line
+sanook cron add "09:00" "daily check-in" --to sms
+sanook cron add "09:00" "daily check-in" --to ntfy
+sanook cron add "09:00" "daily check-in" --to mattermost
+sanook cron add "09:00" "daily check-in" --to homeassistant
+sanook cron add "09:00" "daily check-in" --to signal
+sanook cron add "09:00" "daily check-in" --to whatsapp
+sanook cron add "09:00" "daily check-in" --to matrix
+sanook cron add "09:00" "daily check-in" --to googlechat
+sanook cron add "09:00" "daily check-in" --to bluebubbles
+sanook cron add "09:00" "daily check-in" --to teams
+sanook send --to telegram --subject "[CI]" --file build.log
+echo "RAM 92%" | sanook send --to telegram --quiet
+sanook send --to telegram:5222385839:17585 "threaded reply"
+sanook webhook list
+sanook webhook test github-issues --payload '{"event_type":"issues","issue":{"number":42,"title":"Test"}}'
+sanook send --list --json
+```
 
-Set two environment variables before `sanook serve` and the gateway adds a Telegram adapter via long-polling (no public URL needed):
+Environment overrides still work:
 
 ```bash
 export TELEGRAM_BOT_TOKEN=123:abc
 export TELEGRAM_ALLOWED_CHATS=5222385839   # required — comma-separated chat ids
-sanook serve
+export LINE_CHANNEL_ACCESS_TOKEN=xxx
+export LINE_HOME_CHANNEL=U1234567890abcdef
+export TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+export TWILIO_AUTH_TOKEN=xxx
+export TWILIO_PHONE_NUMBER=+15550000000
+export SMS_HOME_CHANNEL=+15551234567
+export SMS_WEBHOOK_URL=https://your-tunnel.example.com/sms/webhook
+export NTFY_TOPIC=sanook-yourname-2026
+export NTFY_ALLOWED_USERS=sanook-yourname-2026
+export NTFY_HOME_CHANNEL=sanook-yourname-2026
+export MATTERMOST_URL=https://mm.example.com
+export MATTERMOST_TOKEN=xxx
+export MATTERMOST_HOME_CHANNEL=chan_home_id
+export MATTERMOST_ALLOWED_USERS=user_id_1,user_id_2
+export MATTERMOST_ALLOWED_CHANNELS=chan_home_id,chan_ops_id
+export MATTERMOST_REQUIRE_MENTION=true
+export MATTERMOST_REPLY_MODE=thread
+export HASS_URL=http://homeassistant.local:8123
+export HASS_TOKEN=xxx
+export HASS_HOME_CHANNEL=sanook_agent
+export HASS_WATCH_DOMAINS=light,binary_sensor,climate
+export HASS_WATCH_ENTITIES=sensor.temp,alarm_control_panel.home
+export HASS_COOLDOWN_SECONDS=30
+export SIGNAL_HTTP_URL=http://127.0.0.1:8080
+export SIGNAL_ACCOUNT=+15550000000
+export SIGNAL_HOME_CHANNEL=+15551234567
+export SIGNAL_ALLOWED_USERS=+15551234567
+export SIGNAL_GROUP_ALLOWED_USERS=groupIdBase64
+export WHATSAPP_CLOUD_PHONE_NUMBER_ID=123456789012345
+export WHATSAPP_CLOUD_ACCESS_TOKEN=EAA...
+export WHATSAPP_CLOUD_APP_SECRET=xxx
+export WHATSAPP_CLOUD_VERIFY_TOKEN=choose-a-long-random-token
+export WHATSAPP_CLOUD_HOME_CHANNEL=15551234567
+export WHATSAPP_CLOUD_ALLOWED_USERS=15551234567,15557654321
+export WHATSAPP_CLOUD_PUBLIC_URL=https://your-tunnel.example.com
+export WHATSAPP_CLOUD_API_VERSION=v20.0
+export MATRIX_HOMESERVER=https://matrix.example.org
+export MATRIX_ACCESS_TOKEN=syt_...
+export MATRIX_USER_ID=@sanook:matrix.example.org
+export MATRIX_HOME_ROOM='!abc123:matrix.example.org'
+export MATRIX_ALLOWED_USERS=@alice:matrix.org,@bob:matrix.org
+export MATRIX_ALLOWED_ROOMS='!abc123:matrix.example.org,!ops:matrix.example.org'
+export MATRIX_REQUIRE_MENTION=true
+export MATRIX_FREE_RESPONSE_ROOMS='!free:matrix.example.org'
+export TEAMS_DELIVERY_MODE=incoming_webhook
+export TEAMS_INCOMING_WEBHOOK_URL=https://...
+export TEAMS_GRAPH_ACCESS_TOKEN=xxx
+export TEAMS_CHAT_ID='19:chatid@thread.v2'
+export TEAMS_HOME_CHANNEL='19:chatid@thread.v2'
+export WEBHOOK_ENABLED=true
+export WEBHOOK_SECRET=xxx
+export WEBHOOK_PUBLIC_URL=https://your-tunnel.example.com
+sanook gateway run
 ```
 
-The channel is **fail-closed**: with no allowlist it refuses to start, it accepts private chats only, and it never leaks internal errors back to the sender. See [Security](#security).
+Messaging channels are **fail-closed** by default: configure a home target or allowlist before accepting remote users, and internal errors are redacted before they reach chat surfaces. See [Security](#security).
+
+Inside Telegram/Discord/Slack/Mattermost/Email/LINE/SMS/ntfy/Signal/WhatsApp/Matrix conversations, Hermes-style commands are handled without calling the model: `/new`, `/reset`, `/model`, `/personality`, `/retry`, `/undo`, `/compress`, `/usage`, `/insights`, `/stop`, `/status`, `/sethome`, and `/help`. Matrix and Mattermost also accept `!new`, `!reset`, `!status`, and `!help` aliases for clients that reserve `/`.
+
+For ntfy, the topic is the identity and trust boundary: use a long random topic, a private/reserved topic with `NTFY_TOKEN`, or a self-hosted ntfy server with ACLs. Sanook authorizes inbound ntfy messages by topic, not by the user-controlled notification title.
+
+For Mattermost, use a dedicated bot account/token, set `MATTERMOST_ALLOWED_USERS` to Mattermost user IDs, and optionally restrict shared channels with `MATTERMOST_ALLOWED_CHANNELS`. DMs respond without a mention; public/private channels require `@botname` unless `MATTERMOST_REQUIRE_MENTION=false` or the channel is listed in `MATTERMOST_FREE_RESPONSE_CHANNELS`. Cron/send uses `MATTERMOST_HOME_CHANNEL`, `mattermost:channel_id`, or `mattermost:channel_id:root_post_id` for a threaded reply.
+
+For Home Assistant, create a Long-Lived Access Token, keep `HASS_WATCH_DOMAINS`/`HASS_WATCH_ENTITIES` narrow, and use `HASS_IGNORE_ENTITIES` plus `HASS_COOLDOWN_SECONDS` for noisy sensors. No state events are forwarded unless a watch filter or `HASS_WATCH_ALL=true` is configured. Conversation tools can read entities/states/services, while `ha_call_service` is approval-gated and blocks unsafe domains such as `shell_command`, `command_line`, `python_script`, `pyscript`, `hassio`, and `rest_command`.
+
+For Signal, run `signal-cli daemon --http 127.0.0.1:8080` locally, set `SIGNAL_ACCOUNT`, and keep `SIGNAL_ALLOWED_USERS` or `SIGNAL_HOME_CHANNEL` set so inbound DMs fail closed. Groups are disabled unless explicitly listed in `SIGNAL_GROUP_ALLOWED_USERS` or set to `*`; group send targets use `signal:group:<groupId>`.
+
+For WhatsApp Cloud inbound messages, expose the gateway through a tunnel and set the Meta webhook callback URL to `https://<your-tunnel>/whatsapp/webhook`. Use the generated verify token for Meta's GET challenge, keep `WHATSAPP_CLOUD_APP_SECRET` set so Sanook can validate `X-Hub-Signature-256`, and check `GET /whatsapp/webhook/health` first. Send targets use country-code digits without `+` (for example `whatsapp:15551234567`), and normal WhatsApp 24-hour customer-service window limits still apply.
+
+For Matrix, create a bot account on your homeserver, copy an access token from Element (or use `MATRIX_USER_ID` + `MATRIX_PASSWORD`), invite the bot to rooms, and keep `MATRIX_ALLOWED_USERS` set so inbound users fail closed. DMs respond without a mention; shared rooms require a bot mention unless `MATRIX_REQUIRE_MENTION=false` or the room is listed in `MATRIX_FREE_RESPONSE_ROOMS`. Cron/send uses `MATRIX_HOME_ROOM` or an explicit target like `matrix:!abc123:matrix.example.org`.
+
+For Google Chat, use `GOOGLE_CHAT_INCOMING_WEBHOOK_URL` for the fastest proactive send path, or configure `GOOGLE_CHAT_SERVICE_ACCOUNT_JSON` plus `GOOGLE_CHAT_HOME_CHANNEL` (`spaces/...`) for Chat REST API delivery. Pub/Sub fields (`GOOGLE_CHAT_PROJECT_ID`, `GOOGLE_CHAT_SUBSCRIPTION_NAME`, `GOOGLE_CHAT_ALLOWED_USERS`) are saved now for inbound parity work. Cron/send uses `googlechat`, `googlechat:spaces/...`, or `googlechat:spaces/.../threads/...`.
+
+For BlueBubbles/iMessage, run a BlueBubbles Server and configure `BLUEBUBBLES_SERVER_URL`, `BLUEBUBBLES_PASSWORD`, and `BLUEBUBBLES_HOME_CHANNEL` (chat GUID, email, or `+E.164` phone). Sanook resolves email/phone targets through `/api/v1/chat/query`, sends text via `/api/v1/message/text`, and keeps webhook fields (`BLUEBUBBLES_WEBHOOK_HOST`, `BLUEBUBBLES_WEBHOOK_PORT`, `BLUEBUBBLES_WEBHOOK_PATH`, mention gating) ready for inbound parity work.
+
+For Microsoft Teams, use `TEAMS_DELIVERY_MODE=incoming_webhook` with a channel Incoming Webhook for simple proactive send/cron delivery, or `TEAMS_DELIVERY_MODE=graph` with `TEAMS_GRAPH_ACCESS_TOKEN` plus `TEAMS_CHAT_ID` or `TEAMS_TEAM_ID` + `TEAMS_CHANNEL_ID`. Teams chat IDs can contain colons, so quote explicit targets such as `teams:'19:chatid@thread.v2'` in shells.
+
+For LINE inbound messages, expose the gateway through a tunnel and set the LINE Developers Console webhook URL to `https://<your-tunnel>/line/webhook`. Check the tunnel with `GET /line/webhook/health` first.
+
+For SMS inbound messages, expose the gateway through a tunnel and set the Twilio Messaging webhook URL to `https://<your-tunnel>/sms/webhook`. Set `SMS_WEBHOOK_URL` to that exact URL so Sanook can validate `X-Twilio-Signature`; check `GET /sms/webhook/health` first.
+
+For generic webhooks, create routes with `sanook webhook subscribe <route>` and point external services at `https://<your-tunnel>/webhooks/<route>`. Sanook accepts GitHub `X-Hub-Signature-256`, GitLab `X-Gitlab-Token`, or generic `X-Webhook-Signature`; check `GET /webhooks/health` first.
 
 ## Skills
 
@@ -229,7 +431,7 @@ sanook brain init                  # interactive — asks where + a few identity
 sanook brain init ~/notes/brain    # non-interactive (with --yes)
 ```
 
-It creates a full folder taxonomy (`Projects/`, `Sessions/`, `Shared/` memory layer, `Goals/`, `Research/`, `Skills/`, …), an `_Index.md` in every folder, seed memory files, and a portable AI **operating constitution** (`CLAUDE.md` / `GEMINI.md` / `AGENTS.md`) so any AI agent works with the vault consistently. It ships with research-backed operating rules — context-assembly (anti context-rot), an intake quarantine + injection-scan gate, bi-temporal fact validity, provenance tracking, a verification-gated `Skills/` library, and sleep-time consolidation. The first-run setup wizard also offers to create one.
+It creates a full folder taxonomy (`Projects/`, `Sessions/`, `Shared/` memory layer, `Goals/`, `Research/`, `Skills/`, …), an `_Index.md` in every folder, seed memory files, and a portable AI **operating constitution** (`CLAUDE.md` / `GEMINI.md` / `AGENTS.md` / `SANOOK.md`) so any AI agent works with the vault consistently. It ships with research-backed operating rules — context-assembly (anti context-rot), an intake quarantine + injection-scan gate, bi-temporal fact validity, provenance tracking, a verification-gated `Skills/` library, and sleep-time consolidation. The first-run setup wizard also offers to create one.
 
 Everything is **create-if-missing** — re-running never overwrites your notes. Point an Obsidian or filesystem MCP server at the workspace to let the agent read and write it.
 
@@ -263,9 +465,23 @@ Connect Model Context Protocol servers over **stdio or remote Streamable-HTTP**
 }
 ```
 
-Add servers from the CLI too: `sanook mcp add fs npx -y @modelcontextprotocol/server-filesystem /path` (stdio) or `sanook mcp add remote https://example.com/mcp` (a URL is detected as remote HTTP).
+Discover and install servers from the official MCP registry:
+
+```bash
+sanook mcp search gitlab
+sanook mcp info com.gitlab/mcp
+sanook mcp install com.gitlab/mcp --name gitlab
+sanook mcp preset dev
+sanook mcp preset research
+sanook mcp test gitlab
+sanook mcp doctor
+sanook web status
+sanook web doctor
+```
+
+Use `--env KEY=value` or `--header KEY=value` when a registry entry requires secrets, and `--project` to write to a trusted project `.sanook/mcp.json`. Some hosted MCP endpoints may return `401 Unauthorized` until you pass an auth header, even when the registry entry does not declare it yet. You can still add servers manually: `sanook mcp add fs npx -y @modelcontextprotocol/server-filesystem /path` (stdio) or `sanook mcp add remote https://example.com/mcp` (a URL is detected as remote HTTP).
 
-Their tools are merged into the agent's toolset automatically. `/tools` in the REPL lists everything currently available.
+Their tools are merged into the agent's toolset automatically. `/tools` in the REPL lists everything currently available. `sanook search` is local retrieval over the second brain, sessions, memory, and skills; true internet search comes from configured MCP web/search/fetch servers. Use `sanook web status` to see which web candidates are configured, and `sanook web doctor` to probe their advertised tools.
 
 sanook is also an MCP **server**: `sanook mcp serve` exposes your brain (`sanook_search` / `sanook_recall` / `sanook_remember` / `sanook_index` / `sanook_stats`) over stdio, so Claude Desktop, Cursor, or any MCP host can query it:
 
@@ -308,10 +524,13 @@ Quality-neutral knobs in `~/.sanook/config.json` (or the matching `SANOOK_*` env
 | `config set …` | env | effect |
 |---|---|---|
 | `cacheTtl 1h` | `SANOOK_CACHE_TTL=1h` | keep the cached system preamble alive for 1h (default `5m`) — cheaper to resume after a pause |
+| `contextCompression selective` | `SANOOK_CONTEXT_COMPRESSION=selective` | zero-LLM, query-aware selective compression for stale, very large tool outputs before each model step (default `selective`; set `off` to disable) |
+| `contextCompression headroom` | `SANOOK_CONTEXT_COMPRESSION=headroom` | wrap the Vercel AI SDK model with `headroom-ai` when you run a Headroom proxy/cloud setup (`SANOOK_HEADROOM_BASE_URL` / `SANOOK_HEADROOM_API_KEY`) |
 | `compaction summarize` | `SANOOK_COMPACTION=summarize` | when context gets long, condense it with a **cheap model** instead of truncating — better recall at the same budget (default `truncate`, zero-LLM) |
 | — | `SANOOK_SUBAGENT_MODEL=haiku` | run all sub-agent work (exploration/search) on a cheaper model while the main agent keeps the strong one |
 | `summaryModel <spec>` | `SANOOK_SUMMARY_MODEL=<spec>` | model used for summarize-compaction (default: the fast sibling of your main model) |
-| `thinking 4000` | `SANOOK_THINKING=4000` | opt-in Anthropic extended thinking on the main agent with a `budgetTokens` cap (default off) |
+| `embeddingModel <spec>` | `SANOOK_EMBEDDING_MODEL=<spec>` | model used for semantic search embeddings (for example `openai:text-embedding-3-small`) |
+| `thinking on` / `thinking 4000` | `SANOOK_THINKING=on` / `4000` | opt-in Anthropic extended thinking on the main agent; use `on`, `true`, or `yes` for the default budget, `off`, `false`, or `no` to disable, or a positive integer for `budgetTokens` |
 
 Read-side savings are automatic: the agent reads file ranges (`read_file` with `offset`/`limit`) and edits with minimal `old_string` / `replace_all` rather than rewriting whole files.
 
@@ -322,7 +541,7 @@ SANOOK_MODEL=sonnet                 # default model alias or provider:model
 SANOOK_ALLOW_OUTSIDE_WORKSPACE=1    # allow file tools outside cwd/brain
 SANOOK_GATEWAY_ALLOW_WRITE=1        # let sanook serve run mutating tools unattended
 SANOOK_HOOKS_INHERIT_ENV=1          # pass full env to hooks instead of a minimal safe env
-SANOOK_DISABLE_PERSISTENCE=1        # do not save sessions or memory
+SANOOK_DISABLE_PERSISTENCE=1        # do not save sessions, memory, prompt history, or worklogs
 SANOOK_DISABLE_UPDATE_CHECK=1       # do not show interactive update prompts
 SANOOK_DISABLE_WORKLOG=1            # do not append second-brain worklogs
 SANOOK_TRUST_PROJECT=1              # temporary trust override for project .sanook extensions
@@ -340,6 +559,16 @@ Sanook runs shell commands and edits files, so safety is built into the core rat
 - **Safe fallback** — provider fallback does not retry after a mutating tool call has already happened, avoiding duplicate side effects.
 - **Gateway** — HTTP binds to `127.0.0.1` only and requires a bearer token on every non-health endpoint.
 - **Telegram** — fail-closed: a required allowlist, private-chat-only, per-chat rate-limiting, and generic error replies that never reveal internal paths.
+- **Email** — use a dedicated mailbox and app password; store only app passwords, require an allowlist/home address by default, and keep SMTP/IMAP credentials in `~/.sanook/gateway/config.json` (chmod 600).
+- **LINE** — use a long-lived Messaging API channel access token, keep a home/allowed target list by default, and store the token/secret in `~/.sanook/gateway/config.json` (chmod 600).
+- **ntfy** — treat the topic as a shared secret unless you protect it with ntfy auth/ACLs; Sanook requires `NTFY_ALLOWED_USERS`/home topic or `NTFY_ALLOW_ALL_USERS` before subscribing.
+- **Mattermost** — use a dedicated bot token, require `MATTERMOST_ALLOWED_USERS` by default, optionally restrict channels with `MATTERMOST_ALLOWED_CHANNELS`, and keep public/private channels on mention-only mode unless you deliberately list free-response channels.
+- **Home Assistant** — use a dedicated Long-Lived Access Token, keep watch filters narrow, leave `HASS_WATCH_ALL` off by default, and require approval for device-control calls through `ha_call_service`.
+- **Signal** — keep `signal-cli` HTTP bound to loopback, require DM allowlists by default, and enable groups only with `SIGNAL_GROUP_ALLOWED_USERS` (or `*` deliberately).
+- **WhatsApp Cloud** — use a dedicated Meta app/access token, keep `WHATSAPP_CLOUD_APP_SECRET` and a long verify token configured, require home/allowed wa_ids by default, and verify every inbound POST with `X-Hub-Signature-256`.
+- **Matrix** — use a dedicated bot account/access token, require `MATRIX_ALLOWED_USERS` by default, optionally restrict shared rooms with `MATRIX_ALLOWED_ROOMS`, and treat password login as a convenience fallback rather than the preferred production mode.
+- **Google Chat** — keep service account JSON files chmod 600, do not paste private keys into shell history, keep incoming webhook URLs out of logs/support dumps, and restrict proactive sends with `GOOGLE_CHAT_HOME_CHANNEL` or `GOOGLE_CHAT_ALLOWED_SPACES`.
+- **Microsoft Teams** — prefer narrowly scoped Graph permissions or a dedicated channel Incoming Webhook, keep tokens out of logs/support dumps, and treat `TEAMS_CLIENT_SECRET` as future inbound bot credential material.
 
 Hardened across several adversarial security reviews covering command injection, prompt injection, concurrency, and credential leakage.
 

package/README.th.md

@@ -4,7 +4,7 @@
 
 **AI coding agent ใน terminal ที่ "จำงานข้ามวันได้" — open-source**
 
-ใส่ API key ของคุณเอง (BYOK) · 12 providers · MCP · มี **"สมองที่สอง" (second brain)** ที่ทำให้ AI จำ context ข้าม session ได้ — สิ่งที่ Claude Code / Codex / Gemini CLI ลืมทุกครั้งที่ปิด terminal
+ใส่ API key ของคุณเอง (BYOK) · 9 providers · MCP · มี **"สมองที่สอง" (second brain)** ที่ทำให้ AI จำ context ข้าม session ได้ — สิ่งที่ Claude Code / Codex / Gemini CLI ลืมทุกครั้งที่ปิด terminal
 
 [![npm](https://img.shields.io/npm/v/sanook-cli.svg?color=2563eb)](https://www.npmjs.com/package/sanook-cli)
 [![downloads](https://img.shields.io/npm/dm/sanook-cli.svg?color=2563eb)](https://www.npmjs.com/package/sanook-cli)
@@ -39,9 +39,13 @@ npm install -g sanook-cli
 > แก้: ลงใหม่ด้วย `npm install -g sanook-cli` · หรือเรียกผ่าน **`npx sanook`** (ใช้ตัวที่ลง local ไปแล้วได้เลย)
 > หรือรัน **`npx sanook doctor`** — ตรวจ Node/PATH/สถานะการติดตั้งให้ แล้วบอกคำสั่งแก้ที่ตรงกับ OS (มีบรรทัดแก้ PATH บน Windows แบบปลอดภัยให้ก็อปด้วย)
 
-ตั้ง API key (หรือรัน `sanook` เฉย ๆ ครั้งแรกจะมี setup wizard ให้เลือก provider + วาง key):
+เริ่มด้วย setup wizard แบบเป็นทางการ หรือจะตั้ง API key เองก็ได้:
 
 ```bash
+sanook setup                    # เลือก provider + model และเสนอสร้าง second brain
+sanook model                    # กลับมาเปลี่ยน provider/model ภายหลัง
+sanook auth add anthropic --api-key sk-ant-... --use
+
 # macOS / Linux
 export ANTHROPIC_API_KEY=sk-ant-...
 
@@ -54,16 +58,87 @@ setx ANTHROPIC_API_KEY "sk-ant-..."
 ```bash
 sanook                 # REPL (ครั้งแรก = setup wizard)
 sanook "อ่าน package.json แล้วบอกว่ามี dependencies อะไรบ้าง"
+sanook chat -q "อ่าน package.json แล้วสรุป dependencies" --provider anthropic
+sanook -z "สรุป diff นี้"     # one-shot เฉพาะคำตอบสุดท้าย เหมาะกับ script
+sanook status          # ดู provider/key/brain/gateway แบบ redact secret
+sanook sessions        # ดู saved sessions ของ project นี้
+sanook --resume <session_id> "ทำต่อจาก session นี้"
+sanook dump            # diagnostic/support snapshot โดยไม่โชว์ raw secret
 sanook -c "ทำต่อจาก session ล่าสุดของ project นี้"
 sanook --continue-any "ทำต่อจาก session ล่าสุดข้าม project"
 ```
 
+ตัวอย่างตั้งค่า messaging:
+
+```bash
+sanook gateway setup line --channel-access-token "$LINE_CHANNEL_ACCESS_TOKEN" \
+  --channel-secret "$LINE_CHANNEL_SECRET" --home-channel U1234567890abcdef
+sanook gateway setup sms --account-sid "$TWILIO_ACCOUNT_SID" --auth-token "$TWILIO_AUTH_TOKEN" \
+  --phone-number "$TWILIO_PHONE_NUMBER" --home-channel +15551234567 \
+  --webhook-url https://your-tunnel.example.com/sms/webhook
+sanook gateway setup ntfy --topic sanook-yourname-2026 --token "$NTFY_TOKEN" --markdown
+sanook gateway setup mattermost --url https://mm.example.com --token "$MATTERMOST_TOKEN" \
+  --allowed-users user_id_1 --home-channel chan_home_id --thread-replies
+sanook gateway setup homeassistant --url http://homeassistant.local:8123 --token "$HASS_TOKEN" \
+  --home-channel sanook_agent --watch-domains light,binary_sensor,climate
+sanook gateway setup signal --account +15550000000 --home-channel +15551234567 \
+  --http-url http://127.0.0.1:8080
+sanook gateway setup whatsapp --phone-number-id "$WHATSAPP_CLOUD_PHONE_NUMBER_ID" \
+  --access-token "$WHATSAPP_CLOUD_ACCESS_TOKEN" --app-secret "$WHATSAPP_CLOUD_APP_SECRET" \
+  --home-channel 15551234567 --public-url https://your-tunnel.example.com
+sanook gateway setup matrix --homeserver https://matrix.example.org \
+  --access-token "$MATRIX_ACCESS_TOKEN" --allowed-users @alice:matrix.org \
+  --home-room '!abc123:matrix.example.org'
+sanook gateway setup googlechat --service-account-json "$GOOGLE_CHAT_SERVICE_ACCOUNT_JSON" \
+  --home-channel spaces/AAAA --allowed-spaces spaces/AAAA
+sanook gateway setup googlechat --incoming-webhook-url "$GOOGLE_CHAT_INCOMING_WEBHOOK_URL"
+sanook gateway setup bluebubbles --server-url http://localhost:1234 --password "$BLUEBUBBLES_PASSWORD" \
+  --home-channel user@example.com --allowed-users user@example.com,+15551234567
+sanook gateway setup teams --incoming-webhook-url "$TEAMS_INCOMING_WEBHOOK_URL"
+sanook gateway setup webhooks --secret "$WEBHOOK_SECRET" --public-url https://your-tunnel.example.com
+sanook webhook subscribe github-issues --events issues \
+  --prompt "Issue #{issue.number}: {issue.title}" --to slack:C01ABCDEF
+sanook send --to sms "deploy finished"
+sanook send --to ntfy "deploy finished"
+sanook send --to mattermost "deploy finished"
+sanook send --to homeassistant "deploy finished"
+sanook send --to signal "deploy finished"
+sanook send --to whatsapp "deploy finished"
+sanook send --to matrix "deploy finished"
+sanook send --to googlechat "deploy finished"
+sanook send --to bluebubbles "deploy finished"
+sanook send --to teams "deploy finished"
+sanook cron add "09:00" "สรุปงานเช้านี้" --to ntfy
+sanook cron add "09:00" "สรุปงานเช้านี้" --to mattermost
+sanook cron add "09:00" "สรุปงานเช้านี้" --to homeassistant
+sanook cron add "09:00" "สรุปงานเช้านี้" --to whatsapp
+sanook cron add "09:00" "สรุปงานเช้านี้" --to matrix
+sanook cron add "09:00" "สรุปงานเช้านี้" --to googlechat
+sanook cron add "09:00" "สรุปงานเช้านี้" --to bluebubbles
+sanook cron add "09:00" "สรุปงานเช้านี้" --to teams
+```
+
+ใน Telegram/Discord/Slack/Mattermost/Email/LINE/SMS/ntfy/Signal/WhatsApp/Matrix ใช้คำสั่งสไตล์ Hermes ได้โดยไม่เรียก model: `/new`, `/reset`, `/model`, `/personality`, `/retry`, `/undo`, `/compress`, `/usage`, `/insights`, `/stop`, `/status`, `/sethome`, และ `/help`; Matrix/Mattermost ใช้ `!new`, `!reset`, `!status`, `!help` ได้ด้วยสำหรับ client ที่กันคำสั่ง `/`
+
+Home Assistant ใช้ Long-Lived Access Token, รับเฉพาะ `state_changed` ที่ตรง `--watch-domains`, `--watch-entities` หรือ `--watch-all`, และตอบกลับผ่าน persistent notification (`homeassistant[:notification_id]`). Tools อ่านสถานะ/บริการได้ ส่วน `ha_call_service` ต้องผ่าน approval และ block domain เสี่ยงเช่น `shell_command`, `command_line`, `python_script`, `pyscript`, `hassio`, `rest_command`
+
+Google Chat ตอนนี้รองรับ proactive delivery/cron ผ่าน incoming webhook (`googlechat`) หรือ Service Account + Chat REST API (`googlechat:spaces/...`). ค่าของ Pub/Sub (`GOOGLE_CHAT_PROJECT_ID`, `GOOGLE_CHAT_SUBSCRIPTION_NAME`, `GOOGLE_CHAT_ALLOWED_USERS`) บันทึกไว้เพื่อทำ inbound parity ต่อ
+
+BlueBubbles/iMessage ตอนนี้รองรับ proactive delivery/cron ผ่าน BlueBubbles REST API (`bluebubbles`, `imessage:user@example.com`, หรือ raw chat GUID). ใช้ `sanook gateway setup bluebubbles --server-url ... --password ... --home-channel ...`; ค่า webhook/mention (`BLUEBUBBLES_WEBHOOK_*`, `BLUEBUBBLES_REQUIRE_MENTION`) ถูกบันทึกไว้เพื่อทำ inbound parity ต่อ
+
+Microsoft Teams ตอนนี้รองรับ proactive delivery/cron ผ่าน Incoming Webhook (`teams`) หรือ Graph mode (`teams:'19:chatid@thread.v2'`). ใช้ `sanook gateway setup teams --incoming-webhook-url ...` สำหรับเริ่มง่ายที่สุด
+
 ## ทำอะไรได้บ้าง
 
-- **BYOK + 12 providers** — Anthropic, Google, OpenAI, DeepSeek, xAI, Mistral, Groq, MiniMax, GLM, Ollama, LM Studio, Codex
+- **BYOK + 9 providers** — Anthropic, Google, OpenAI, xAI, Mistral, Groq, Ollama, LM Studio, Codex
+- **Familiar CLI** — `sanook setup`, `sanook model`, `sanook auth`, `sanook chat -q`, `sanook gateway`, `sanook status`, `sanook sessions`, `sanook dump`, `sanook tools`, `sanook send`
 - **Second brain** — `sanook brain init` สร้าง workspace Obsidian ให้ AI จำงานข้ามวัน
-- **Tools** — อ่าน/เขียน/แก้ไฟล์ · รัน bash · git · grep/glob พร้อม permission gate
-- **Gateway + cron** — `sanook serve` รันเป็น service 24/7 + ตั้งงานล่วงหน้า + ต่อ Telegram
+- **Startup cockpit** — เปิด `sanook` แล้วเห็น wordmark, service routes (Code, Brain, Connect, Ship), และสัญญาณ readiness จริงของ second-brain, MCP, skills, git branch ทันที
+- **Web grounding** — `sanook web status` แยก local brain search ออกจาก true internet search, ตรวจ MCP web/search/fetch ที่ตั้งไว้, และโชว์ policy เรื่อง citation + prompt-injection จากเว็บ
+- **Tools** — อ่าน/เขียน/แก้ไฟล์ · รัน bash/Python/Rust แบบ approval-gated · git · grep/glob พร้อม permission gate
+- **Polyglot runtime** — TypeScript เป็น control plane หลัก; Python ใช้กับ data/document/ML helper ผ่าน `run_python`; Rust ใช้กับ helper ที่ต้องเร็ว/type-safe ผ่าน `run_rust`; ไม่มี runtime ก็ไม่ทำให้ Sanook install พัง
+- **Gateway + cron** — `sanook gateway run` (alias: `sanook serve`) รัน 24/7 + ตั้งงานล่วงหน้า + ต่อ Telegram/Discord/Slack/Mattermost/Home Assistant/Email/LINE/SMS/ntfy/Signal/WhatsApp/Matrix/Google Chat/BlueBubbles/Teams/Webhooks; task ใช้ `--to` เพื่อส่งผลลัพธ์กลับไปยัง messaging target ได้
+- **Messaging setup/send** — `sanook gateway setup telegram|discord|slack|mattermost|homeassistant|email|line|sms|ntfy|signal|whatsapp|matrix|googlechat|bluebubbles|teams|webhooks` บันทึก token/allowlist หรือ SMTP/IMAP/LINE/Twilio/ntfy/Mattermost/Home Assistant/Signal/WhatsApp/Matrix/Google Chat/BlueBubbles/Teams/Webhook config; `sanook gateway run` เริ่ม Telegram long-polling, Discord Gateway, Slack Socket Mode, Mattermost REST/WebSocket, Home Assistant state-change WebSocket, Email IMAP polling + SMTP threaded replies, LINE webhook, Twilio SMS webhook, ntfy topic stream, Signal ผ่าน `signal-cli` HTTP/SSE, WhatsApp Cloud webhook + Graph Messages API, Matrix Client-Server sync/send, Google Chat outbound ผ่าน incoming webhook/Chat REST API, BlueBubbles outbound ผ่าน REST API, Teams Incoming Webhook/Graph delivery และ generic webhooks เมื่อ config พร้อม; history ถูกเก็บต่อ platform/target และถ้าคำตอบสุดท้ายเป็น `[SILENT]`, `SILENT`, `NO_REPLY`, หรือ `NO REPLY` จะบันทึกไว้แต่ไม่ส่งกลับ; `sanook send --to telegram|discord|slack|mattermost|homeassistant|email|line|sms|ntfy|signal|whatsapp|matrix|googlechat|bluebubbles|teams "..."`, `sanook webhook subscribe` และ `sanook cron add --to ...` ใช้กฎส่งออกชุดเดียวกัน
 - **MCP + Skills** — ต่อ MCP server ได้ + มี built-in skills และติดตั้งเพิ่มได้
 - **Update ง่าย** — ใช้ `sanook update` เพื่ออัปเดต CLI เป็นเวอร์ชันล่าสุดจาก npm
 
@@ -72,8 +147,21 @@ sanook --continue-any "ทำต่อจาก session ล่าสุดข้
 ```bash
 sanook -m sonnet "..."         # Claude
 sanook -m gemini "..."         # Gemini
-sanook -m glm:smart "..."      # GLM (z.ai Coding Plan)
 sanook -m ollama "..."         # local ไม่ต้องมี key
+sanook auth list               # ดู key/provider status แบบ redact secret
+sanook auth status openai      # ดู env/store/console ของ provider
+sanook sessions                # ดู session ที่บันทึกไว้ของ project นี้
+sanook sessions show <id>      # ดูรายละเอียด session แบบย่อ
+sanook sessions export <id> --format markdown --output session.md
+sanook sessions rename <id> "ชื่อ session"
+sanook sessions stats --all
+sanook sessions prune --keep 20 --yes
+sanook sessions rm <id>        # ลบ session
+sanook dump [--show-keys]      # support dump; key ยังถูก redact
+sanook prompt-size             # ดู context/prompt budget แบบ offline
+sanook runtimes                # ดู Python/Rust optional runtime ที่ Sanook ใช้ได้
+sanook web status              # ดู true web-search/fetch readiness ผ่าน MCP
+sanook web doctor              # probe MCP web/search/fetch candidates
 ```
 
 ตั้งค่า default model ได้ด้วย:
@@ -114,7 +202,7 @@ sanook trust remove
 ```
 
 - gateway bind ที่ `127.0.0.1` และต้องใช้ bearer token ยกเว้น `/health`; mutating tools ใน `sanook serve` เป็น `ask` โดย default และ opt-in unattended write ได้ด้วย `sanook config set permissionMode auto` หรือ `SANOOK_GATEWAY_ALLOW_WRITE=1`
-- session/memory/worklog redact API keys ก่อนบันทึก และปิด persistence ได้ด้วย `SANOOK_DISABLE_PERSISTENCE=1`
+- session/memory/prompt history/worklog redact API keys ก่อนบันทึก และปิด persistence ทั้งหมดได้ด้วย `SANOOK_DISABLE_PERSISTENCE=1`
 
 ## พัฒนา