switchroom 0.13.33 → 0.13.35

package/dist/vault/approvals/kernel-server.js

@@ -10948,7 +10948,7 @@ var init_dist = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -11294,8 +11294,15 @@ var init_schema = __esm(() => {
     weekly_budget_usd: exports_external.number().positive().optional().describe("Weekly USD spend budget. If unset, the greeting shows raw usage only."),
     monthly_budget_usd: exports_external.number().positive().optional().describe("Monthly USD spend budget. If unset, the greeting shows raw usage only.")
   });
+  AutoReleaseCheckSchema = exports_external.object({
+    enabled: exports_external.boolean().default(false).describe("When true, hostd polls the remote release tag every " + "`interval_minutes` and applies + restarts the fleet when a new " + "release is detected. Default false — opt-in."),
+    interval_minutes: exports_external.number().int().min(5).max(1440).default(5).describe("Poll interval in minutes. Floor of 5m matches the agent-config " + "cron rate limit; ceiling of 1440m (24h) is a sanity cap."),
+    apply_on_detect: exports_external.boolean().default(true).describe("When false, hostd logs `release_detected` but does NOT call " + "update_apply / restart all. Useful for dogfooding the detector " + "without rolling the fleet."),
+    image_ref: exports_external.string().default("ghcr.io/switchroom/switchroom-agent:latest").describe("Image reference whose remote digest is compared to the local " + "image digest. Defaults to the agent image's :latest tag, which " + "is the canonical signal that a release has been promoted.")
+  });
   HostControlConfigSchema = exports_external.object({
-    enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3).")
+    enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3)."),
+    auto_release_check: AutoReleaseCheckSchema.default({}).describe("Pull-based release-triggered fleet restart (#1743). hostd polls " + "the remote release tag on a fixed interval and applies + " + "restarts the fleet (graceful) when a new release is detected. " + "Opt-in: default enabled=false.")
   });
   HostdConfigSchema = exports_external.object({
     config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),

package/dist/vault/broker/server.js

@@ -10948,7 +10948,7 @@ var init_zod = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -11294,8 +11294,15 @@ var init_schema = __esm(() => {
     weekly_budget_usd: exports_external.number().positive().optional().describe("Weekly USD spend budget. If unset, the greeting shows raw usage only."),
     monthly_budget_usd: exports_external.number().positive().optional().describe("Monthly USD spend budget. If unset, the greeting shows raw usage only.")
   });
+  AutoReleaseCheckSchema = exports_external.object({
+    enabled: exports_external.boolean().default(false).describe("When true, hostd polls the remote release tag every " + "`interval_minutes` and applies + restarts the fleet when a new " + "release is detected. Default false — opt-in."),
+    interval_minutes: exports_external.number().int().min(5).max(1440).default(5).describe("Poll interval in minutes. Floor of 5m matches the agent-config " + "cron rate limit; ceiling of 1440m (24h) is a sanity cap."),
+    apply_on_detect: exports_external.boolean().default(true).describe("When false, hostd logs `release_detected` but does NOT call " + "update_apply / restart all. Useful for dogfooding the detector " + "without rolling the fleet."),
+    image_ref: exports_external.string().default("ghcr.io/switchroom/switchroom-agent:latest").describe("Image reference whose remote digest is compared to the local " + "image digest. Defaults to the agent image's :latest tag, which " + "is the canonical signal that a release has been promoted.")
+  });
   HostControlConfigSchema = exports_external.object({
-    enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3).")
+    enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3)."),
+    auto_release_check: AutoReleaseCheckSchema.default({}).describe("Pull-based release-triggered fleet restart (#1743). hostd polls " + "the remote release tag on a fixed interval and applies + " + "restarts the fleet (graceful) when a new release is detected. " + "Opt-in: default enabled=false.")
   });
   HostdConfigSchema = exports_external.object({
     config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.13.33",
+  "version": "0.13.35",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/profiles/default/CLAUDE.md.hbs

@@ -108,7 +108,7 @@ If no sub-agents are configured, do the work yourself.
 
 By default, every restart starts a **fresh `claude` session** — the in-flight transcript is NOT carried over (`session_continuity.resume_mode: handoff`, the default since switchroom #362). Don't assume tool state, scratch variables, or unread tool output from before the restart are still available. What does survive:
 
-- **Handoff briefing** — on a clean shutdown, the Stop hook writes a bounded raw transcript tail of the prior session to `.handoff.md`. On boot, start.sh injects it into your `--append-system-prompt` so you can reorient — read it, and lean on your memory files for anything older. If the prior session crashed before the Stop hook fired, a live briefing is assembled from recent Telegram messages, Hindsight recall, and today's daily memory file (`.handoff-briefing.md`).
+- **Handoff briefing** — on a clean shutdown, the Stop hook writes a bounded raw transcript tail of the prior session to `.handoff.md`. On boot, start.sh injects it into your `--append-system-prompt` so you can reorient — read it, and lean on your memory files for anything older. If `.handoff.md` is missing or stale (fresh agent, or pre-Stop-hook crash), `start.sh` runs `handoff-briefing.sh` to assemble `.handoff-briefing.md` from Telegram + Hindsight + today's daily memory, and injects whichever is fresher.
 - **Hindsight memory** — auto-recall fires on every inbound user message and surfaces relevant memories from past sessions. Long-term facts, decisions, and mental models live here, not in the transcript.
 - **Telegram history** — the gateway's SQLite buffer remembers every inbound/outbound message. Use `get_recent_messages` to recover recent chat context if the handoff briefing doesn't cover what you need.
 - **`SWITCHROOM_PENDING_TURN`** — if your previous session was killed mid-turn (watchdog, SIGTERM, timeout), start.sh exports this env var plus the chat/thread/last-user-message context. Acknowledge the interruption and ask for direction rather than silently resuming.

package/telegram-plugin/dist/gateway/gateway.js

@@ -23592,7 +23592,7 @@ var init_dist = __esm(() => {
 });
 
 // ../src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -23938,8 +23938,15 @@ var init_schema = __esm(() => {
     weekly_budget_usd: exports_external.number().positive().optional().describe("Weekly USD spend budget. If unset, the greeting shows raw usage only."),
     monthly_budget_usd: exports_external.number().positive().optional().describe("Monthly USD spend budget. If unset, the greeting shows raw usage only.")
   });
+  AutoReleaseCheckSchema = exports_external.object({
+    enabled: exports_external.boolean().default(false).describe("When true, hostd polls the remote release tag every " + "`interval_minutes` and applies + restarts the fleet when a new " + "release is detected. Default false \u2014 opt-in."),
+    interval_minutes: exports_external.number().int().min(5).max(1440).default(5).describe("Poll interval in minutes. Floor of 5m matches the agent-config " + "cron rate limit; ceiling of 1440m (24h) is a sanity cap."),
+    apply_on_detect: exports_external.boolean().default(true).describe("When false, hostd logs `release_detected` but does NOT call " + "update_apply / restart all. Useful for dogfooding the detector " + "without rolling the fleet."),
+    image_ref: exports_external.string().default("ghcr.io/switchroom/switchroom-agent:latest").describe("Image reference whose remote digest is compared to the local " + "image digest. Defaults to the agent image's :latest tag, which " + "is the canonical signal that a release has been promoted.")
+  });
   HostControlConfigSchema = exports_external.object({
-    enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip \u2014 the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` \u2014 " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C \u00a75.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3).")
+    enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip \u2014 the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` \u2014 " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C \u00a75.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3)."),
+    auto_release_check: AutoReleaseCheckSchema.default({}).describe("Pull-based release-triggered fleet restart (#1743). hostd polls " + "the remote release tag on a fixed interval and applies + " + "restarts the fleet (graceful) when a new release is detected. " + "Opt-in: default enabled=false.")
   });
   HostdConfigSchema = exports_external.object({
     config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit \u00a73). Default false \u2014 the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
@@ -43307,6 +43314,45 @@ var RequestSchema3 = exports_external.discriminatedUnion("op", [
   ConfigProposeEditRequestSchema
 ]);
 var ResultSchema = exports_external.enum(["started", "completed", "denied", "error"]);
+var ErrorFixSchema = exports_external.discriminatedUnion("kind", [
+  exports_external.object({
+    kind: exports_external.literal("flip_yaml_flag"),
+    yaml_path: exports_external.string(),
+    to: exports_external.unknown()
+  }),
+  exports_external.object({
+    kind: exports_external.literal("request_vault_grant"),
+    vault_key: exports_external.string()
+  }),
+  exports_external.object({
+    kind: exports_external.literal("operator_action"),
+    subkind: exports_external.enum(["policy_denied", "infra", "out_of_scope"]),
+    operator_steps: exports_external.array(exports_external.string()).min(1).optional()
+  }),
+  exports_external.object({
+    kind: exports_external.literal("retry_after"),
+    retry_at: exports_external.string()
+  }),
+  exports_external.object({
+    kind: exports_external.literal("quota_exceeded"),
+    quota: exports_external.string(),
+    current: exports_external.number(),
+    limit: exports_external.number()
+  }),
+  exports_external.object({
+    kind: exports_external.literal("bad_input"),
+    field: exports_external.string().optional()
+  })
+]);
+var ErrorEnvelopeSchema = exports_external.object({
+  v: exports_external.literal(1),
+  code: exports_external.string().regex(/^(E_[A-Z0-9_]+|VAULT-[A-Z-]+)$/),
+  human: exports_external.string().min(1),
+  why: exports_external.string().optional(),
+  fix: ErrorFixSchema.optional(),
+  docs: exports_external.string().url().optional(),
+  request_id: exports_external.string().min(1)
+});
 var ResponseEnvelope = {
   v: exports_external.literal(1),
   request_id: exports_external.string().min(1).max(128),
@@ -43316,7 +43362,8 @@ var ResponseEnvelope = {
   audit_id: exports_external.string().min(1).optional(),
   stdout_tail: exports_external.string().optional(),
   stderr_tail: exports_external.string().optional(),
-  error: exports_external.string().optional()
+  error: exports_external.string().optional(),
+  error_envelope: ErrorEnvelopeSchema.optional()
 };
 var ResponseSchema3 = exports_external.object(ResponseEnvelope);
 function encodeRequest3(req) {
@@ -45787,6 +45834,11 @@ function readCleanShutdownMarker(path) {
     return null;
   }
 }
+function clearCleanShutdownMarker(path) {
+  try {
+    unlinkSync8(path);
+  } catch {}
+}
 function shouldSuppressRecoveryBanner(marker, now, maxAgeMs = DEFAULT_MAX_AGE_MS) {
   if (marker === null)
     return false;
@@ -48504,10 +48556,10 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.13.33";
-var COMMIT_SHA = "a8018071";
-var COMMIT_DATE = "2026-05-24T20:31:16Z";
-var LATEST_PR = 1740;
+var VERSION = "0.13.35";
+var COMMIT_SHA = "c41aabe5";
+var COMMIT_DATE = "2026-05-25T01:43:28Z";
+var LATEST_PR = 1765;
 var COMMITS_AHEAD_OF_TAG = 0;
 
 // gateway/boot-version.ts
@@ -48555,9 +48607,17 @@ function composeBootVersionString(inputs) {
 var import_grammy6 = __toESM(require_mod2(), 1);
 function classifyRejection(err, opts = {}) {
   const isGrammy = opts.isGrammyError != null ? opts.isGrammyError(err) : err instanceof import_grammy6.GrammyError;
+  const isHttp = opts.isHttpError != null ? opts.isHttpError(err) : err instanceof import_grammy6.HttpError;
+  if (isHttp)
+    return "log_only";
   if (!isGrammy)
     return "shutdown";
   const e = err;
+  if (e.error_code === 429)
+    return "log_only";
+  if (typeof e.error_code === "number" && e.error_code >= 500 && e.error_code < 600) {
+    return "log_only";
+  }
   if (e.error_code !== 400)
     return "shutdown";
   const desc = (e.description ?? "").toLowerCase();
@@ -51122,7 +51182,9 @@ ${url}`;
   });
   noteOutbound(statusKey(chat_id, threadId), Date.now());
   noteOutbound2(statusKey(chat_id, threadId), Date.now());
-  clearSilentEndState(statusKey(chat_id, threadId));
+  if (isFinalAnswerReply({ text: rawText, disableNotification })) {
+    clearSilentEndState(statusKey(chat_id, threadId));
+  }
   if (previewMessageId != null && reply_to != null && replyMode !== "off") {
     await deleteStalePreview(previewMessageId);
     previewMessageId = null;
@@ -51445,7 +51507,13 @@ async function executeStreamReply(args) {
       const sKey = statusKey(streamChatId, streamThreadId);
       noteOutbound(sKey, Date.now());
       noteOutbound2(sKey, Date.now());
-      clearSilentEndState(sKey);
+      if (isFinalAnswerReply({
+        text: args.text ?? "",
+        disableNotification: args.disable_notification === true,
+        done: args.done === true
+      })) {
+        clearSilentEndState(sKey);
+      }
     }
   }
   const result = await handleStreamReply({
@@ -51521,6 +51589,8 @@ async function executeStreamReply(args) {
     done: args.done === true
   })) {
     turn.finalAnswerDelivered = true;
+    const streamThreadIdForClear = args.message_thread_id != null ? Number(args.message_thread_id) : undefined;
+    clearSilentEndState(statusKey(streamChatId, streamThreadIdForClear));
   }
   {
     const sChat = args.chat_id;
@@ -57917,6 +57987,7 @@ var didOneTimeSetup = false;
               process.stderr.write(`telegram gateway: boot.clean_shutdown_marker_stale age=${ageSec}s signal=${cleanMarker.signal}${reasonTag}
 `);
             }
+            clearCleanShutdownMarker(GATEWAY_CLEAN_SHUTDOWN_MARKER_PATH);
           }
           if (marker) {
             const ageMs = nowMs2 - marker.ts;

package/telegram-plugin/docs/waiting-ux-spec.md

@@ -247,3 +247,43 @@ For posterity:
 - **v2 rewrite** (this PR series, also numbered #553): same Phase 3
   harness, plus three v2 helpers; new spec test file pins the
   three-class contract.
+
+
+## Silent-end contract (#1122 / #1161 / #1664 / #1741 / #1744)
+
+The "silent-end" safety net catches turns that end without the agent delivering a final answer via `reply` / `stream_reply`. The hook re-prompts once; on the second consecutive silent end it gives up and sends a fallback message so the turn never just vanishes.
+
+### What it is
+
+A per-agent state file (`$TELEGRAM_STATE_DIR/silent-end-pending.json`, fallback `~/.claude/channels/telegram/silent-end-pending.json`) acts as a one-bit handshake between the gateway and the Stop hook (`telegram-plugin/hooks/silent-end-interrupt-stop.mjs`). When the file exists, the Stop hook blocks the session stop and injects a re-prompt; when absent, the stop is allowed.
+
+### When the file is WRITTEN
+
+The gateway writes the file at `turn_end` if and only if `turn.finalAnswerDelivered === false` — i.e. no `reply` or `stream_reply` call during this turn passed the `isFinalAnswerReply` predicate. See `gateway.ts` around L7267 (`recordUndeliveredTurnEnd`). The write is idempotent across re-prompt rounds: the same turnKey inherits the prior `retryCount`; a different turnKey resets to 0.
+
+### When the file is CLEARED
+
+The gateway calls `clearSilentEndState(turnKey)` on every reply that qualifies as the final answer. Three call sites:
+
+1. `executeReply` (gateway.ts L4599-4611) — fires on every `reply` tool call. Clears iff `isFinalAnswerReply` returns true.
+2. `executeStreamReply` first-emit branch (gateway.ts L5172-5195) — fires only on the FIRST emit per stream (gated by `!activeDraftStreams.has(sKey)`). Clears iff that first emit qualifies as final.
+3. `executeStreamReply` final-answer site (gateway.ts L5335-5358, added in #1744 follow-up) — fires on every emit that qualifies as final, regardless of whether it is the first emit. This is the load-bearing site for streams whose first emit was ack-shaped but whose later emit (typically `done=true`) carries the real answer. Without site 3, such streams leak the state file.
+
+The clear is fail-silent and turnKey-keyed: a clear for turnKey A does NOT unlink a state file written for turnKey B (see `silent-end.ts clearSilentEndState`). This makes calling it unconditionally on every final-answer emit safe.
+
+### The gate predicate
+
+A reply qualifies as the final answer when `isFinalAnswerReply` returns true. The predicate (in `final-answer-detect.ts`) is a logical OR of three signals:
+
+- `done === true` (stream_reply terminal call), OR
+- `disableNotification === false` (pacing-contract final-answer signal), OR
+- `text.length >= 200` (length backstop for substantive replies mis-marked as interim).
+
+A reply with `disable_notification: true`, short text, and no `done` is an interim ack — it never clears the state.
+
+### Send sites and tests
+
+- `executeReply` (gateway.ts:4340) — single send site, single clear (site 1 above).
+- `executeStreamReply` (gateway.ts:5089) — two clear sites (sites 2 and 3 above) to cover both the first-emit and the later-emit final-answer paths.
+- Unit coverage: `tests/silent-end.test.ts` (`#1741` block) — the executeReply gate as a unit.
+- Integration coverage: `tests/silent-end-integration.test.ts` (#1744) — the stream first-emit-vs-later-emit branching, with the ack-then-final regression case pinned.

package/telegram-plugin/gateway/error-envelope-card.ts

@@ -0,0 +1,64 @@
+/**
+ * Render a one-tap unlock card for hostd error_envelopes that carry a
+ * `flip_yaml_flag` fix (#1758 Phase 1).
+ *
+ * CRITICAL safety: the `yaml_path` MUST be on the
+ * `UNLOCK_CARD_YAML_ALLOWLIST` exported from
+ * `src/host-control/config-edit-validator.ts`. A malformed or hostile
+ * envelope from any backend could otherwise nudge the operator into
+ * one-tap-approving an arbitrary flag flip. Non-allowlisted paths fall
+ * back to plain-text rendering (the caller surfaces `resp.error` as
+ * today).
+ *
+ * Phase 1 scope: ONLY `flip_yaml_flag`. `request_vault_grant` is
+ * explicitly deferred to a later phase (still plain-text rendered).
+ */
+
+import type { HostdResponse } from "../../src/host-control/protocol.js";
+import { isAllowlistedYamlPath } from "../../src/host-control/config-edit-validator.js";
+import {
+  buildApprovalCard,
+  type BuiltApprovalCard,
+} from "./approval-card.js";
+
+export type UnlockCardOutcome =
+  | { kind: "card"; card: BuiltApprovalCard; yaml_path: string; to: unknown }
+  | { kind: "plain-text" };
+
+/**
+ * Decide whether to render a one-tap unlock card for the given
+ * response. Returns `{kind: "plain-text"}` whenever the envelope
+ * lacks a `flip_yaml_flag` fix OR the path isn't on the allowlist.
+ *
+ * `approvalRequestId` is the 32-hex nonce minted by the approval
+ * kernel; caller is responsible for binding the card to that nonce
+ * and recording the apply-on-tap intent.
+ */
+export function renderErrorEnvelopeCard(
+  resp: HostdResponse,
+  agentName: string,
+  approvalRequestId: string,
+): UnlockCardOutcome {
+  const env = resp.error_envelope;
+  if (!env || !env.fix) return { kind: "plain-text" };
+  if (env.fix.kind !== "flip_yaml_flag") {
+    // request_vault_grant is Phase-2 work; everything else has no
+    // unlock-card UX. Caller falls back to plain-text rendering.
+    return { kind: "plain-text" };
+  }
+  const { yaml_path, to } = env.fix;
+  if (!isAllowlistedYamlPath(yaml_path)) {
+    // Defense-in-depth: never render a one-tap card for a path the
+    // operator hasn't explicitly opted into.
+    return { kind: "plain-text" };
+  }
+  const card = buildApprovalCard({
+    request_id: approvalRequestId,
+    agent: agentName,
+    scope_humanized: `flip ${yaml_path} → ${JSON.stringify(to)}`,
+    why: env.human + (env.why ? ` — ${env.why}` : ""),
+    offer_always: false,
+    offer_ttl: false,
+  });
+  return { kind: "card", card, yaml_path, to };
+}

package/telegram-plugin/gateway/gateway.ts

@@ -319,12 +319,16 @@ import {
 import {
   writeCleanShutdownMarker,
   readCleanShutdownMarker,
-  // clearCleanShutdownMarker is intentionally NOT imported here —
-  // the marker is a single self-overwriting file; staleness is bounded by
-  // `shouldSuppressRecoveryBanner` (DEFAULT_MAX_AGE_MS), so leaving it on
-  // disk is harmless. Pre-#142 the agent-side `session-greeting.sh` did
-  // the cleanup after rendering its "Restarted <reason>" row; that script
-  // was deleted in #142 PR 1.
+  // 2026-05-25 — clearCleanShutdownMarker IS imported and called on every
+  // boot after the marker is read. The earlier "intentionally NOT imported"
+  // comment was wrong: it assumed every shutdown writes a fresh marker, but
+  // unhandledRejection / uncaughtException paths explicitly SKIP the write
+  // (gateway.ts:15107 — "crash path"). A marker from a prior graceful
+  // shutdown then sits on disk for hours and triggers a misleading stale-
+  // marker crash banner on the next boot after an unhandled rejection.
+  // Clearing on boot collapses the marker to "describes the immediately
+  // preceding shutdown only" semantics.
+  clearCleanShutdownMarker,
   shouldSuppressRecoveryBanner,
   resolveShutdownMarker,
   DEFAULT_MAX_AGE_MS as CLEAN_SHUTDOWN_MAX_AGE_MS,
@@ -4594,12 +4598,21 @@ async function executeReply(args: Record<string, unknown>): Promise<{ content: A
   // #1122 KPI: a `reply` always produces a fresh user-visible outbound
   // message — count it for the outbound-gap / TTFO KPI AND reset the
   // silence-poke clock so the next poke is measured from this send.
-  // Also clear any silent-end state file so the Stop hook doesn't fire
-  // a stale block when the session ends (deterministic restore of the
-  // detection PR3 inadvertently removed).
   signalTracker.noteOutbound(statusKey(chat_id, threadId), Date.now())
   silencePoke.noteOutbound(statusKey(chat_id, threadId), Date.now())
-  clearSilentEndState(statusKey(chat_id, threadId))
+  // #1741 — only clear silent-end state on a plausibly-final reply.
+  // An interim ack (disable_notification:true, short text, no done)
+  // must NOT clear the state file; otherwise a turn that ends with
+  // ack-only + answer-as-transcript leaves no state for the Stop
+  // hook to act on if `turn_end` never lands (the `turn_duration`
+  // system event is unreliable for trivial-prompt turns — see the
+  // executeReply finalize comments). Final-answer replies still
+  // clear; the main turn-end path also re-writes the state when
+  // finalAnswerDelivered=false, so this is a belt-and-braces gate
+  // for the turn_end-missing case (#1741).
+  if (isFinalAnswerReply({ text: rawText, disableNotification })) {
+    clearSilentEndState(statusKey(chat_id, threadId))
+  }
 
   if (previewMessageId != null && reply_to != null && replyMode !== 'off') {
     await deleteStalePreview(previewMessageId)
@@ -5170,7 +5183,19 @@ async function executeStreamReply(args: Record<string, unknown>): Promise<unknow
       const sKey = statusKey(streamChatId, streamThreadId)
       signalTracker.noteOutbound(sKey, Date.now())
       silencePoke.noteOutbound(sKey, Date.now())
-      clearSilentEndState(sKey)
+      // #1741 — see executeReply for the rationale: only a plausibly-
+      // final stream_reply clears the silent-end state. An interim
+      // ack via stream_reply must NOT clear; the Stop hook needs
+      // the state to persist if turn_end fails to land.
+      if (
+        isFinalAnswerReply({
+          text: (args.text as string | undefined) ?? '',
+          disableNotification: args.disable_notification === true,
+          done: args.done === true,
+        })
+      ) {
+        clearSilentEndState(sKey)
+      }
     }
   }
 
@@ -5320,6 +5345,20 @@ async function executeStreamReply(args: Record<string, unknown>): Promise<unknow
     })
   ) {
     turn.finalAnswerDelivered = true
+    // #1744 follow-up — stream_reply edge case. The first-emit gate at
+    // L5178 only clears silent-end state on the FIRST emit of a stream.
+    // If a stream's first emit was ack-shaped (disable_notification:true,
+    // short text, no done) it correctly did NOT clear the state. But a
+    // LATER emit in the same stream may flip `done=true` or carry
+    // substantive text — that's the real final answer landing, and the
+    // state file must be cleared here too. clearSilentEndState is
+    // idempotent (no-op when the file is absent or the turnKey doesn't
+    // match), so calling it unconditionally on every final-answer-shaped
+    // emit is safe even if the first-emit path already cleared.
+    const streamThreadIdForClear = args.message_thread_id != null
+      ? Number(args.message_thread_id)
+      : undefined
+    clearSilentEndState(statusKey(streamChatId, streamThreadIdForClear))
   }
   // v0.13.30 follow-up — release the buffer gate on every successful
   // stream_reply too. Same rationale as executeReply: short replies
@@ -15618,10 +15657,26 @@ void (async () => {
             } else {
               process.stderr.write(`telegram gateway: boot.clean_shutdown_marker_stale age=${ageSec}s signal=${cleanMarker.signal}${reasonTag}\n`)
             }
-            // No clearCleanShutdownMarker() call — the marker is a single
-            // self-overwriting file, age-gated by shouldSuppressRecoveryBanner,
-            // so leaving it on disk is harmless. (Pre-#142 the agent-side
-            // session-greeting.sh did the cleanup; that script is deleted.)
+            // 2026-05-25 — clear the marker after this boot has read it.
+            // Pre-fix the comment here claimed the file was "self-
+            // overwriting, age-gated, harmless to leave on disk" — that's
+            // true ONLY for the cycle where every shutdown writes a fresh
+            // marker. The unhandledRejection / uncaughtException paths
+            // explicitly SKIP writing (gateway.ts:15107 — the "crash path")
+            // so a marker from an earlier graceful shutdown sits on disk
+            // for hours, then on the next boot looks stale-by-age and
+            // fires a misleading agent-crashed banner with detail
+            // `clean-shutdown marker stale age=39976s` (clerk 2026-05-25
+            // 01:11). Clearing now means the marker only ever describes
+            // the IMMEDIATELY PRECEDING shutdown, not "some shutdown in
+            // the past". After this clear: a subsequent crash with no
+            // marker write = no marker file = correctly classified
+            // 'crash' via the sessionMarker fallback (boot-reason.ts:84);
+            // a graceful shutdown writes a fresh marker that the next
+            // boot reads + clears. The historical session-greeting.sh
+            // ownership the old comment referred to is gone since #142
+            // but the GC step was never re-homed — this is it.
+            clearCleanShutdownMarker(GATEWAY_CLEAN_SHUTDOWN_MARKER_PATH)
           }
 
           if (marker) {

package/telegram-plugin/gateway/unhandled-rejection-policy.ts

@@ -10,13 +10,15 @@
  * Pure helper so it can be tested without spinning up the gateway.
  */
 
-import { GrammyError } from 'grammy'
+import { GrammyError, HttpError } from 'grammy'
 
 export type RejectionAction = 'shutdown' | 'log_only'
 
 export interface RejectionPolicyOptions {
   /** Allow tests to inject error type detection without depending on grammy. */
   isGrammyError?: (err: unknown) => boolean
+  /** Allow tests to inject HttpError detection without depending on grammy. */
+  isHttpError?: (err: unknown) => boolean
 }
 
 /**
@@ -42,9 +44,52 @@ export function classifyRejection(
       ? opts.isGrammyError(err)
       : err instanceof GrammyError
 
+  // Transient network-layer failures: grammy throws an `HttpError` wrapping
+  // the underlying fetch failure (ECONNRESET, ETIMEDOUT, fetch failed, DNS
+  // failures, etc.). These are the SAME class `retry-api-call.ts:146-162`
+  // already retries with exponential backoff — if one leaks past the retry
+  // policy (3 attempts exhausted, or a fire-and-forget callsite without
+  // robustApiCall wrapping), crashing the gateway turns one bad packet into
+  // a crash banner. log_only is the right posture: the request failed, the
+  // user-visible UX recovers on the next retry cycle, and a daemon that
+  // crashes on network errors isn't always-on.
+  //
+  // Surfaced 2026-05-25 on clerk via the boot-card sendMessage path: an
+  // HttpError leaked past the boot-card's try/catch (the async post-settle
+  // probe-loop IIFE at boot-card.ts:616 had no .catch on its outer void),
+  // triggering an unhandledRejection → shutdown → user-visible
+  // "agent-crashed" banner for what was really just a transient network hiccup.
+  const isHttp =
+    opts.isHttpError != null
+      ? opts.isHttpError(err)
+      : err instanceof HttpError
+  if (isHttp) return 'log_only'
+
   if (!isGrammy) return 'shutdown'
 
   const e = err as { error_code?: number; description?: string }
+
+  // 429 (Too Many Requests / flood-wait): grammy's flood-wait response.
+  // Already handled in retry-api-call.ts:100-108 with the
+  // `parameters.retry_after` backoff. If one leaks past — caller exceeded
+  // maxRetries=3 of sustained 429s, or didn't wrap in robustApiCall — the
+  // right posture is log_only (matches the HttpError rationale above).
+  // The bot is rate-limited; crashing makes it worse (boot fires more
+  // API calls that hit fresh 429s).
+  //
+  // Surfaced 2026-05-25 on clerk via a sendMessage that exceeded the 3-
+  // attempt retry budget; the rejection bubbled to this handler, triggered
+  // shutdown, and posted an "agent-crashed" operator-event banner.
+  if (e.error_code === 429) return 'log_only'
+
+  // 5xx (Bad Gateway / Service Unavailable / Gateway Timeout): Telegram
+  // intermittently returns these during their own load events. Same
+  // posture as 429 — retry policy already backs off and re-tries; if
+  // one leaks past, log don't crash.
+  if (typeof e.error_code === 'number' && e.error_code >= 500 && e.error_code < 600) {
+    return 'log_only'
+  }
+
   if (e.error_code !== 400) return 'shutdown'
 
   const desc = (e.description ?? '').toLowerCase()