switchroom 0.13.38 → 0.13.40

package/dist/agent-scheduler/index.js

@@ -10972,7 +10972,7 @@ var AgentBindMountSchema = exports_external.object({
 var ScheduleEntrySchema = exports_external.object({
   cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
   prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-  model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated `claude -p` and could set --model per task. " + "Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+  model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
   secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing.")
 });
 var AgentSoulSchema = exports_external.object({

package/dist/auth-broker/index.js

@@ -10972,7 +10972,7 @@ var AgentBindMountSchema = exports_external.object({
 var ScheduleEntrySchema = exports_external.object({
   cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
   prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-  model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated `claude -p` and could set --model per task. " + "Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+  model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
   secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing.")
 });
 var AgentSoulSchema = exports_external.object({

package/dist/cli/switchroom.js

@@ -13536,7 +13536,7 @@ var init_schema = __esm(() => {
   ScheduleEntrySchema = exports_external.object({
     cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
     prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-    model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated `claude -p` and could set --model per task. " + "Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "\u2014 this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+    model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "\u2014 this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
     secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default \u2014 broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary \u2014 " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing.")
   });
   AgentSoulSchema = exports_external.object({
@@ -22991,6 +22991,9 @@ function generateCompose(opts) {
   lines.push(`      - ${homePrefix}/.switchroom/vault-auto-unlock:/state/vault-auto-unlock:ro`);
   lines.push(`      - ${homePrefix}/.switchroom/vault-audit.log:/root/.switchroom/vault-audit.log`);
   lines.push(`      - ${homePrefix}/.switchroom/vault-grants.db:/root/.switchroom/vault-grants.db`);
+  for (const a of describeAgents(config)) {
+    lines.push(`      - ${homePrefix}/.switchroom/agents/${a.name}/.vault-token:/root/.switchroom/agents/${a.name}/.vault-token`);
+  }
   lines.push(`      - /etc/machine-id:/etc/machine-id:ro`);
   lines.push(``);
   lines.push(`  approval-kernel:`);
@@ -47744,8 +47747,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.13.38";
-var COMMIT_SHA = "faca4736";
+var VERSION = "0.13.40";
+var COMMIT_SHA = "1f8f075b";
 
 // src/cli/agent.ts
 init_source();
@@ -47838,7 +47841,7 @@ import {
 } from "node:fs";
 import { homedir as homedir4 } from "node:os";
 import { execSync, execFileSync as execFileSync2 } from "node:child_process";
-import { basename as basename3, join as join8, resolve as resolve10 } from "node:path";
+import { join as join8, resolve as resolve10 } from "node:path";
 import { createHash as createHash2 } from "node:crypto";
 
 // src/agents/cron-unit-name.ts
@@ -47849,14 +47852,10 @@ function cronUnitHash(cron, prompt) {
 function cronUnitName(cron, prompt) {
   return `cron-${cronUnitHash(cron, prompt)}`;
 }
-function cronScriptFilename(cron, prompt) {
-  return `${cronUnitName(cron, prompt)}.sh`;
-}
 var CRON_SCRIPT_BASENAME_RE = /^cron-[0-9a-f]{12}\.sh$/;
 var LEGACY_CRON_SCRIPT_BASENAME_RE = /^cron-(\d+)\.sh$/;
 
 // src/agents/scaffold.ts
-init_overlay_loader();
 init_schema();
 init_merge();
 init_timezone();
@@ -48029,52 +48028,6 @@ function applyTelegramProgressGuidance(body, args) {
     return body;
   return body + buildTelegramProgressGuidance({ defaultChatId: args.defaultChatId });
 }
-function buildCronTelegramGuidance(args) {
-  const issuesBlock = args.jobSlug ? `
-
-## If you need to record a transient issue
-
-If something half-broken happens during this run (e.g. an upstream API timed out, a vault key was missing, a non-fatal data gap), record it via:
-
-\`\`\`
-switchroom issues record --severity warn --source "cron:${args.jobSlug}" --code <stable-code> --summary "<one-line>" --detail "Fix: <one-line remediation, e.g. exact command the user can run>"
-\`\`\`
-
-The \`--detail\` field is rendered as a "\u2192 Fix: ..." line under the issue on the user's Telegram card. Make it actionable \u2014 a copy-pastable command or a one-line action, not a description of the problem. Examples:
-
-- \`--detail "Fix: switchroom vault unlock"\` (when the vault broker is locked)
-- \`--detail "Fix: re-run \`claude setup-token\` for ken@example.com"\` (when an account is unauthenticated)
-- \`--detail "Fix: \\\`switchroom auth heal --account=<name>\\\`"\` (when an OAuth token expired)
-
-Skip \`--detail\` if there's no clean one-line fix \u2014 leaving it empty means the card shows just the summary, which is fine.
-
-Use the EXACT \`--source "cron:${args.jobSlug}"\` shown above \u2014 the cron wrapper auto-resolves issues with that source on a clean run. Picking a different source means the issue persists across recoveries.
-` : "";
-  return `
-
-## Delivery instructions (cron context)
-
-This task runs as a one-shot \`claude -p\` invocation \u2014 there is no live Telegram session. Your stdout is discarded; the user will NOT see anything you print.
-
-To deliver your response to the user, you MUST call:
-
-\`\`\`
-mcp__switchroom-telegram__reply(chat_id="${args.chatId}", text="<your message>")
-\`\`\`
-
-The \`reply\` tool handles markdown\u2192HTML conversion, chunking, and all formatting automatically \u2014 write normal markdown and it will render correctly on the user's phone.
-
-After calling \`reply\`, print \`HEARTBEAT_OK\` as your final stdout line and nothing else. This confirms successful execution to the cron watchdog.
-
-If you have nothing useful to say (data is dull, all signals are nominal), print \`HEARTBEAT_OK\` without calling \`reply\` \u2014 a silent heartbeat is correct behaviour, not an error.
-${issuesBlock}`;
-}
-function applyCronTelegramGuidance(body, args) {
-  if (!args.chatId)
-    return body;
-  const trimmed = body.replace(/\s+$/, "");
-  return trimmed + buildCronTelegramGuidance({ chatId: args.chatId, jobSlug: args.jobSlug });
-}
 
 // src/agents/scaffold.ts
 init_hindsight();
@@ -48584,70 +48537,6 @@ function parseDurationToSeconds(d) {
       return;
   }
 }
-function buildCronScript(agentDir, prompt, model, chatId, userId, secrets = [], brokerSocket, jobSlug) {
-  const slug = jobSlug ?? "unknown";
-  const wrappedPrompt = applyCronTelegramGuidance(prompt, { chatId, jobSlug: slug });
-  const secretsComment = secrets.length > 0 ? `# Allowed vault keys for this cron (broker ACL): ${secrets.join(", ")}
-` : "";
-  const brokerSocketExport = brokerSocket ? `export SWITCHROOM_VAULT_BROKER_SOCK=${shellSingleQuote(brokerSocket)}
-` : "";
-  return `#!/bin/bash
-# Auto-generated by switchroom scaffold/reconcile.
-# One-shot scheduled task \u2014 runs claude -p, delivers output via MCP reply tool.
-${secretsComment}${brokerSocketExport}
-export NVM_DIR="$HOME/.nvm"
-[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
-export PATH="$HOME/.bun/bin:$PATH"
-
-cd ${shellSingleQuote(agentDir)}
-
-# Auth: always OAuth, never API key.
-# Defensively unset ANTHROPIC_API_KEY so any ambient env or systemd
-# Environment= mapping cannot silently shift cron auth from OAuth
-# subscription quota to API billing.
-unset ANTHROPIC_API_KEY
-export CLAUDE_CONFIG_DIR=${shellSingleQuote(agentDir + "/.claude")}
-# SWITCHROOM_AGENT_NAME mirrors the gateway's container/unit environment.
-# Required so in-prompt \`switchroom issues
-# record\` calls without an explicit --agent flag attribute correctly,
-# and so the vault broker client can resolve a default agent.
-export SWITCHROOM_AGENT_NAME=${shellSingleQuote(basename3(agentDir))}
-
-# CLAUDE_CODE_OAUTH_TOKEN injection was removed with RFC H (auth-broker).
-# Claude reads .credentials.json directly; the auth-broker writes it
-# atomically and refreshes ahead of claude's own window.
-unset CLAUDE_CODE_OAUTH_TOKEN
-
-# MCP-only delivery path (issue #269, closes #251): the prompt instructs
-# the model to call mcp__switchroom-telegram__reply directly, then print
-# HEARTBEAT_OK as its sole stdout line. Stdout is discarded here so the
-# trailing model summary doesn't arrive as a second Telegram message.
-# Stderr remains open so systemd captures auth/network/bad-prompt errors
-# via journalctl \u2014 silently swallowing those would make a broken cron job
-# invisible to operators.
-#
-# We deliberately do NOT use \`exec\` here \u2014 the success-trailer below must
-# run after \`claude -p\` returns. Same reasoning as PR #565: when a cron
-# completes cleanly, any unresolved issues filed against this job's source
-# get auto-closed. Failure (non-zero exit) leaves issues open for the
-# Telegram surface to render, exactly as before.
-export TELEGRAM_STATE_DIR=${shellSingleQuote(join8(agentDir, "telegram"))}
-claude -p ${shellSingleQuote(wrappedPrompt)} \\
-  --model ${shellSingleQuote(model)} \\
-  --no-session-persistence \\
-  > /dev/null
-rc=$?
-if [ $rc -eq 0 ]; then
-  # Best-effort auto-resolve. Failure here (e.g. switchroom not on PATH in a
-  # weird environment) must NOT mask the cron's own success \u2014 hence the
-  # trailing \`|| true\`. PR #565 added bulk-close-by-source; we use the same
-  # source string the agent's own \`issues record\` calls should use.
-  switchroom issues resolve --source "cron:${slug}" --quiet \\
-    --state-dir "$TELEGRAM_STATE_DIR" >/dev/null 2>&1 || true
-fi
-exit $rc
-`;
-}
 function resolveSkillsPoolDir(override) {
   return resolveDualPath(override ?? "~/.switchroom/skills");
 }
@@ -49663,22 +49552,6 @@ ${body}
       writeFileSync5(mdPath, content, "utf-8");
     }
   }
-  if ((agentConfig.schedule?.length ?? 0) > 0) {
-    const cronChatId = userId ?? telegramConfig.forum_chat_id;
-    const brokerSocket = switchroomConfig?.vault?.broker?.socket ? resolveDualPath(switchroomConfig.vault.broker.socket) : resolveDualPath("~/.switchroom/vault-broker.sock");
-    for (let i = 0;i < agentConfig.schedule.length; i++) {
-      const entry = agentConfig.schedule[i];
-      const model = entry.model ?? "claude-sonnet-4-6";
-      const filename = cronScriptFilename(entry.cron, entry.prompt);
-      const stem = filename.replace(/\.sh$/, "");
-      const script = buildCronScript(agentDir, entry.prompt, model, cronChatId, userId, entry.secrets ?? [], brokerSocket, stem);
-      const scriptPath = join8(agentDir, "telegram", filename);
-      writeFileSync5(scriptPath, script, { encoding: "utf-8", mode: 448 });
-      const source = entry[OVERLAY_SOURCE] ? "overlay" : "main";
-      writeFileSync5(join8(agentDir, "telegram", `${stem}.source`), `${source}
-`, { encoding: "utf-8", mode: 384 });
-    }
-  }
   copyProfileSkills(profilePath, join8(agentDir, ".claude", "skills"));
   renderProfileClaudeTemplate(agentConfig.extends ?? DEFAULT_PROFILE);
   if (agentConfig.skills && agentConfig.skills.length > 0) {
@@ -50439,55 +50312,19 @@ ${body}
       changes.push(settingsPath);
     }
   }
-  if ((agentConfig.schedule?.length ?? 0) > 0) {
-    let cronUserId;
-    const cronAccessPath = join8(agentDir, "telegram", "access.json");
-    if (existsSync11(cronAccessPath)) {
-      try {
-        const cronAccess = JSON.parse(readFileSync11(cronAccessPath, "utf-8"));
-        cronUserId = cronAccess.allowFrom?.[0];
-      } catch {}
-    }
-    const reconBrokerSocket = switchroomConfig?.vault?.broker?.socket ? resolveDualPath(switchroomConfig.vault.broker.socket) : resolveDualPath("~/.switchroom/vault-broker.sock");
-    const reconCronChatId = cronUserId ?? telegramConfig.forum_chat_id;
-    const canonicalFilenames = new Set;
-    for (let i = 0;i < agentConfig.schedule.length; i++) {
-      const entry = agentConfig.schedule[i];
-      const model = entry.model ?? "claude-sonnet-4-6";
-      const filename = cronScriptFilename(entry.cron, entry.prompt);
-      canonicalFilenames.add(filename);
-      const script = buildCronScript(agentDir, entry.prompt, model, reconCronChatId, cronUserId, entry.secrets ?? [], reconBrokerSocket, filename.replace(/\.sh$/, ""));
-      const scriptPath = join8(agentDir, "telegram", filename);
-      const before = existsSync11(scriptPath) ? readFileSync11(scriptPath, "utf-8") : "";
-      if (script !== before) {
-        writeFileSync5(scriptPath, script, { encoding: "utf-8", mode: 448 });
-        changes.push(scriptPath);
-      }
-      const source = entry[OVERLAY_SOURCE] ? "overlay" : "main";
-      const stem = filename.replace(/\.sh$/, "");
-      const sidecarPath = join8(agentDir, "telegram", `${stem}.source`);
-      const sidecarBody = `${source}
-`;
-      const sidecarBefore = existsSync11(sidecarPath) ? readFileSync11(sidecarPath, "utf-8") : "";
-      if (sidecarBody !== sidecarBefore) {
-        writeFileSync5(sidecarPath, sidecarBody, { encoding: "utf-8", mode: 384 });
-        changes.push(sidecarPath);
-      }
-    }
-    const telegramDir = join8(agentDir, "telegram");
-    if (existsSync11(telegramDir)) {
-      const files = readdirSync5(telegramDir);
-      for (const file of files) {
-        const isCron = CRON_SCRIPT_BASENAME_RE.test(file) || LEGACY_CRON_SCRIPT_BASENAME_RE.test(file);
-        if (isCron && !canonicalFilenames.has(file)) {
-          const staleScript = join8(telegramDir, file);
-          unlinkSync4(staleScript);
-          changes.push(staleScript);
-          const sourceSidecar = staleScript.replace(/\.sh$/, ".source");
-          if (existsSync11(sourceSidecar)) {
-            unlinkSync4(sourceSidecar);
-            changes.push(sourceSidecar);
-          }
+  const telegramDir = join8(agentDir, "telegram");
+  if (existsSync11(telegramDir)) {
+    const files = readdirSync5(telegramDir);
+    for (const file of files) {
+      const isCronScript = CRON_SCRIPT_BASENAME_RE.test(file) || LEGACY_CRON_SCRIPT_BASENAME_RE.test(file);
+      if (isCronScript) {
+        const staleScript = join8(telegramDir, file);
+        unlinkSync4(staleScript);
+        changes.push(staleScript);
+        const sourceSidecar = staleScript.replace(/\.sh$/, ".source");
+        if (existsSync11(sourceSidecar)) {
+          unlinkSync4(sourceSidecar);
+          changes.push(sourceSidecar);
         }
       }
     }
@@ -56254,7 +56091,7 @@ init_compose();
 init_vault();
 import * as net3 from "node:net";
 import { mkdirSync as mkdirSync20, chmodSync as chmodSync7, chownSync as chownSync2, existsSync as existsSync33, readFileSync as readFileSync29, readdirSync as readdirSync15, statSync as statSync19, unlinkSync as unlinkSync8, writeFileSync as writeFileSync18, renameSync as renameSync9 } from "node:fs";
-import { dirname as dirname6, resolve as resolve25, basename as basename5 } from "node:path";
+import { dirname as dirname6, resolve as resolve25, basename as basename4 } from "node:path";
 import * as os4 from "node:os";
 import * as path3 from "node:path";
 
@@ -56276,7 +56113,7 @@ import {
   unlinkSync as unlinkSync7
 } from "node:fs";
 import { createHash as createHash4 } from "node:crypto";
-import { basename as basename4, dirname as dirname3, join as join24 } from "node:path";
+import { basename as basename3, dirname as dirname3, join as join24 } from "node:path";
 function vaultLayoutPaths(home2) {
   const switchroomRoot = join24(home2, ".switchroom");
   return {
@@ -56429,7 +56266,7 @@ function sha256File(path) {
   return createHash4("sha256").update(data).digest("hex");
 }
 function atomicReplaceWithSymlink(target, linkTarget) {
-  const tmp = join24(dirname3(target), `.${basename4(target)}.symlink-tmp`);
+  const tmp = join24(dirname3(target), `.${basename3(target)}.symlink-tmp`);
   if (existsSync31(tmp)) {
     try {
       unlinkSync7(tmp);
@@ -59992,6 +59829,13 @@ class VaultBroker {
         const tmpPath = `${tokenPath}.tmp.${process.pid}`;
         writeFileSync18(tmpPath, mintResult.token, { mode: 384 });
         renameSync9(tmpPath, tokenPath);
+        try {
+          const uid = allocateAgentUid(agent);
+          chownSync2(tokenPath, uid, uid);
+        } catch (chownErr) {
+          process.stderr.write(`[vault-broker] mint_grant: token written but chown failed for agent ${agent}: ${chownErr.message} (CAP_CHOWN missing?)
+`);
+        }
       } catch (err) {
         process.stderr.write(`[vault-broker] mint_grant: failed to write token file for agent ${agent}: ${err.message}
 `);
@@ -60364,12 +60208,12 @@ class VaultBroker {
 }
 function detectVaultLayoutDrift(vaultPath) {
   const dir = dirname6(vaultPath);
-  if (basename5(dir) !== "vault")
+  if (basename4(dir) !== "vault")
     return;
-  if (basename5(vaultPath) !== "vault.enc")
+  if (basename4(vaultPath) !== "vault.enc")
     return;
   const switchroomDir = dirname6(dir);
-  if (basename5(switchroomDir) !== ".switchroom")
+  if (basename4(switchroomDir) !== ".switchroom")
     return;
   const home2 = dirname6(switchroomDir);
   const result = inspectVaultLayout(home2);
@@ -62646,7 +62490,7 @@ async function getVaultPassphrase() {
 }
 function registerDispatchVerb(tg, _program) {
   const dispatch = tg.command("dispatch").description("Webhook dispatch utilities.");
-  dispatch.command("test").description("Dry-run dispatch rule matching against a captured payload file. " + "Prints which rules would match and the rendered prompt, without " + "spawning a claude -p process.").requiredOption("--agent <name>", "Agent name (must exist in switchroom.yaml)").requiredOption("--payload <file>", "Path to a JSON payload file").requiredOption("--event <type>", "GitHub event type (e.g. 'pull_request', 'push')").option("--source <name>", "Webhook source (default: github)", "github").action(withConfigError(async (opts) => {
+  dispatch.command("test").description("Dry-run dispatch rule matching against a captured payload file. " + "Prints which rules would match and the rendered prompt, without " + "actually injecting an inbound into the agent's live session.").requiredOption("--agent <name>", "Agent name (must exist in switchroom.yaml)").requiredOption("--payload <file>", "Path to a JSON payload file").requiredOption("--event <type>", "GitHub event type (e.g. 'pull_request', 'push')").option("--source <name>", "Webhook source (default: github)", "github").action(withConfigError(async (opts) => {
     const config = getConfig(_program);
     const agentRaw = config.agents[opts.agent];
     if (!agentRaw) {
@@ -73980,7 +73824,7 @@ function registerDriveMcpLauncherCommand(program3) {
 
 // src/cli/apply.ts
 init_source();
-import { accessSync as accessSync3, constants as fsConstants6, copyFileSync as copyFileSync11, existsSync as existsSync68, mkdirSync as mkdirSync36, readdirSync as readdirSync25, renameSync as renameSync13, writeFileSync as writeFileSync32 } from "node:fs";
+import { accessSync as accessSync3, chownSync as chownSync4, constants as fsConstants6, copyFileSync as copyFileSync11, existsSync as existsSync68, mkdirSync as mkdirSync36, readdirSync as readdirSync25, renameSync as renameSync13, writeFileSync as writeFileSync32 } from "node:fs";
 import { mkdir, writeFile } from "node:fs/promises";
 import { spawnSync as childSpawnSync } from "node:child_process";
 import readline from "node:readline";
@@ -74713,6 +74557,16 @@ async function ensureHostMountSources(config) {
   if (!existsSync68(hostdAuditLogPath)) {
     writeFileSync32(hostdAuditLogPath, "", { mode: 420 });
   }
+  for (const name of Object.keys(config.agents)) {
+    const tokenPath = join62(home2, ".switchroom", "agents", name, ".vault-token");
+    if (!existsSync68(tokenPath)) {
+      writeFileSync32(tokenPath, "", { mode: 384 });
+    }
+    try {
+      const uid = allocateAgentUid(name);
+      chownSync4(tokenPath, uid, uid);
+    } catch {}
+  }
 }
 function detectComposeV2() {
   try {
@@ -77016,189 +76870,12 @@ function registerHostdMcpCommand(program3) {
   });
 }
 
-// src/cli/migrate.ts
-init_source();
-init_helpers();
-init_loader();
-import {
-  existsSync as existsSync76,
-  readdirSync as readdirSync29,
-  readFileSync as readFileSync61,
-  renameSync as renameSync16,
-  statSync as statSync29,
-  unlinkSync as unlinkSync16
-} from "node:fs";
-import { createHash as createHash13 } from "node:crypto";
-import { join as join68 } from "node:path";
-function planCronUnitRenames(agentsDir, agents) {
-  const plans = [];
-  for (const [agentName, agentConfig] of Object.entries(agents)) {
-    const schedule = agentConfig.schedule ?? [];
-    if (schedule.length === 0)
-      continue;
-    const telegramDir = join68(agentsDir, agentName, "telegram");
-    if (!existsSync76(telegramDir))
-      continue;
-    let entries;
-    try {
-      entries = readdirSync29(telegramDir);
-    } catch {
-      continue;
-    }
-    for (const file of entries) {
-      const m = file.match(LEGACY_CRON_SCRIPT_BASENAME_RE);
-      if (!m)
-        continue;
-      const idx = Number.parseInt(m[1], 10);
-      const entry = schedule[idx];
-      if (!entry)
-        continue;
-      const canonical = cronScriptFilename(entry.cron, entry.prompt);
-      if (canonical === file)
-        continue;
-      plans.push({
-        agent: agentName,
-        from: join68(telegramDir, file),
-        to: join68(telegramDir, canonical),
-        scheduleIdx: idx,
-        entry
-      });
-    }
-  }
-  return plans;
-}
-function sha256File2(path8) {
-  return createHash13("sha256").update(readFileSync61(path8)).digest("hex");
-}
-function renamePair(from, to, opts = {}) {
-  if (existsSync76(to)) {
-    let identical = false;
-    try {
-      identical = sha256File2(from) === sha256File2(to);
-    } catch {
-      identical = false;
-    }
-    if (identical) {
-      if (!opts.dryRun) {
-        try {
-          unlinkSync16(from);
-        } catch {}
-      }
-      return { kind: "deduped", legacy: from };
-    }
-    return { kind: "skipped", reason: "target exists, legacy preserved", legacy: from };
-  }
-  if (!opts.dryRun)
-    renameSync16(from, to);
-  return { kind: "renamed" };
-}
-function extractPromptFromLegacyScript(path8) {
-  let body;
-  try {
-    body = readFileSync61(path8, "utf-8");
-  } catch {
-    return null;
-  }
-  const idx = body.indexOf(`
-claude -p '`);
-  if (idx < 0)
-    return null;
-  let i = idx + `
-claude -p '`.length;
-  let out = "";
-  while (i < body.length) {
-    const ch = body[i];
-    if (ch === "'") {
-      if (body.startsWith(`'"'"'`, i)) {
-        out += "'";
-        i += 5;
-        continue;
-      }
-      return out;
-    }
-    out += ch;
-    i++;
-  }
-  return null;
-}
-function detectPromptDrift(legacyPath, entry, ctx) {
-  const embedded = extractPromptFromLegacyScript(legacyPath);
-  const expected = applyCronTelegramGuidance(entry.prompt, ctx);
-  return {
-    drifted: embedded !== null && embedded !== expected,
-    embedded,
-    expected
-  };
-}
-function registerMigrateCommand(program3) {
-  const cmd = program3.command("migrate").description("One-shot config/state migrations.");
-  cmd.command("cron-unit-names").description("Rename legacy cron-<index>.sh scripts to the Phase D content-hash " + "form (cron-<sha12>.sh). Idempotent.").option("--dry-run", "Print the renames without performing them", false).option("--strict", "Treat drift (legacy script content disagrees with current schedule entry) as a hard error", false).action(withConfigError(async (opts) => {
-    const config2 = getConfig(program3);
-    const agentsDir = resolveAgentsDir(config2);
-    const plans = planCronUnitRenames(agentsDir, config2.agents);
-    if (plans.length === 0) {
-      console.log(source_default.green("Nothing to migrate \u2014 all cron scripts already use the content-hash scheme."));
-      return;
-    }
-    let driftErrors = 0;
-    for (const p of plans) {
-      const drift = detectPromptDrift(p.from, p.entry, {
-        chatId: "-",
-        jobSlug: p.to.split("/").pop().replace(/\.sh$/, "")
-      });
-      if (drift.drifted) {
-        const msg = `DRIFT: ${p.from} was scaffolded with a prompt that differs from the current schedule[${p.scheduleIdx}] entry (cron=${JSON.stringify(p.entry.cron)}); renaming to ${p.to} \u2014 verify intent`;
-        if (opts.strict) {
-          console.error(source_default.red(`error: ${msg}`));
-          driftErrors++;
-          continue;
-        }
-        console.error(source_default.yellow(msg));
-      }
-      if (opts.dryRun) {
-        console.log(source_default.cyan(`[dry-run] ${p.agent}: ${p.from} \u2192 ${p.to}`));
-        continue;
-      }
-      try {
-        const status = renamePair(p.from, p.to);
-        const fromSidecar = p.from.replace(/\.sh$/, ".source");
-        const toSidecar = p.to.replace(/\.sh$/, ".source");
-        let sidecarStatus = null;
-        if (existsSync76(fromSidecar) && statSync29(fromSidecar).isFile()) {
-          sidecarStatus = renamePair(fromSidecar, toSidecar);
-        }
-        switch (status.kind) {
-          case "renamed":
-            console.log(source_default.green(`renamed: ${p.agent}: ${p.from} \u2192 ${p.to}`));
-            break;
-          case "deduped":
-            console.log(source_default.green(`deduped: ${p.agent}: target already present with identical contents, legacy ${p.from} removed`));
-            break;
-          case "skipped":
-            console.log(source_default.yellow(`skipped: target exists, legacy preserved at ${p.from}`));
-            break;
-        }
-        if (sidecarStatus && sidecarStatus.kind === "skipped") {
-          console.log(source_default.yellow(`skipped: target exists, legacy preserved at ${fromSidecar}`));
-        } else if (sidecarStatus && sidecarStatus.kind === "deduped") {
-          console.log(source_default.green(`deduped: sidecar ${fromSidecar} removed (identical to target)`));
-        }
-      } catch (err2) {
-        console.error(source_default.red(`failed: ${p.agent}: ${p.from} \u2192 ${p.to}: ${err2.message}`));
-      }
-    }
-    if (opts.strict && driftErrors > 0) {
-      process.exitCode = 1;
-    }
-  }));
-}
-
 // src/cli/hostd.ts
 init_source();
 init_helpers();
-import { existsSync as existsSync77, mkdirSync as mkdirSync40, readdirSync as readdirSync30, readFileSync as readFileSync62, writeFileSync as writeFileSync34, statSync as statSync30, copyFileSync as copyFileSync12 } from "node:fs";
+import { existsSync as existsSync76, mkdirSync as mkdirSync40, readdirSync as readdirSync29, readFileSync as readFileSync61, writeFileSync as writeFileSync34, statSync as statSync29, copyFileSync as copyFileSync12 } from "node:fs";
 import { homedir as homedir38 } from "node:os";
-import { join as join69 } from "node:path";
+import { join as join68 } from "node:path";
 import { spawnSync as spawnSync11 } from "node:child_process";
 init_audit_reader();
 var DEFAULT_IMAGE_TAG = "latest";
@@ -77289,14 +76966,14 @@ networks:
 `;
 }
 function hostdDir() {
-  return join69(homedir38(), ".switchroom", "hostd");
+  return join68(homedir38(), ".switchroom", "hostd");
 }
 function hostdComposePath() {
-  return join69(hostdDir(), "docker-compose.yml");
+  return join68(hostdDir(), "docker-compose.yml");
 }
 function backupExistingCompose() {
   const p = hostdComposePath();
-  if (!existsSync77(p))
+  if (!existsSync76(p))
     return null;
   const ts = new Date().toISOString().replace(/[:.]/g, "-");
   const bak = `${p}.bak-${ts}`;
@@ -77373,7 +77050,7 @@ function doStatus() {
   const composeYml = hostdComposePath();
   console.log(source_default.bold("switchroom-hostd"));
   console.log("");
-  if (!existsSync77(composeYml)) {
+  if (!existsSync76(composeYml)) {
     console.log(source_default.yellow("  compose:    not installed"));
     console.log(source_default.dim("              run `switchroom hostd install` to set up."));
     return;
@@ -77394,15 +77071,15 @@ function doStatus() {
   } else {
     console.log(source_default.green(`  container:  ${ps.stdout.trim()}`));
   }
-  if (existsSync77(dir)) {
+  if (existsSync76(dir)) {
     const entries = [];
     try {
-      for (const name of readdirSync30(dir)) {
+      for (const name of readdirSync29(dir)) {
         if (name === "docker-compose.yml" || name.startsWith("docker-compose.yml."))
           continue;
-        const sockPath = join69(dir, name, "sock");
-        if (existsSync77(sockPath)) {
-          const st = statSync30(sockPath);
+        const sockPath = join68(dir, name, "sock");
+        if (existsSync76(sockPath)) {
+          const st = statSync29(sockPath);
           if ((st.mode & 61440) === 49152) {
             entries.push(`${name} \u2192 ${sockPath}`);
           }
@@ -77420,7 +77097,7 @@ function doStatus() {
 }
 function doUninstall() {
   const composeYml = hostdComposePath();
-  if (!existsSync77(composeYml)) {
+  if (!existsSync76(composeYml)) {
     console.log(source_default.yellow("  No hostd install detected (no compose file at this path)."));
     return;
   }
@@ -77444,12 +77121,12 @@ function registerHostdCommand(program3) {
   hostd.command("uninstall").description("Stop the hostd container. Leaves the compose file in place for re-install.").action(() => doUninstall());
   hostd.command("audit").description("Tail and filter the hostd audit log (privileged-verb call history)").option("--tail <n>", "Number of matching entries to show (default: 50)", "50").option("--agent <name>", "Filter to a specific caller agent").option("--op <verb>", "Filter to a specific hostd verb (e.g. update_apply, agent_restart)").option("--error", "Show only failed (error/denied) entries").option("--verbose", "Show the captured stderr / error tail under each failed row").option("--path <file>", "Override audit log path (for debugging)").action((opts) => {
     const logPath = opts.path ?? defaultAuditLogPath2();
-    if (!existsSync77(logPath)) {
+    if (!existsSync76(logPath)) {
       console.error(source_default.yellow(`Audit log not found at ${logPath}.`) + source_default.gray(`
 The log is created when hostd handles its first privileged-verb request.`));
       return;
     }
-    const raw = readFileSync62(logPath, "utf-8");
+    const raw = readFileSync61(logPath, "utf-8");
     const limit = Math.max(1, parseInt(opts.tail ?? "50", 10) || 50);
     const filters = {
       agent: opts.agent,
@@ -77528,7 +77205,6 @@ registerAgentConfigWriteCommands(program3);
 registerAgentConfigSkillWriteCommands(program3);
 registerAgentConfigMcpCommand(program3);
 registerHostdMcpCommand(program3);
-registerMigrateCommand(program3);
 registerHostdCommand(program3);
 
 // bin/switchroom.ts

package/dist/host-control/main.js

@@ -13707,7 +13707,7 @@ var AgentBindMountSchema = exports_external.object({
 var ScheduleEntrySchema = exports_external.object({
   cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
   prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-  model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated `claude -p` and could set --model per task. " + "Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+  model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
   secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing.")
 });
 var AgentSoulSchema = exports_external.object({

package/dist/vault/approvals/kernel-server.js

@@ -10964,7 +10964,7 @@ var init_schema = __esm(() => {
   ScheduleEntrySchema = exports_external.object({
     cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
     prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-    model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated `claude -p` and could set --model per task. " + "Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+    model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
     secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing.")
   });
   AgentSoulSchema = exports_external.object({

package/dist/vault/broker/server.js

@@ -10964,7 +10964,7 @@ var init_schema = __esm(() => {
   ScheduleEntrySchema = exports_external.object({
     cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
     prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-    model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated `claude -p` and could set --model per task. " + "Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+    model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "— this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
     secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing.")
   });
   AgentSoulSchema = exports_external.object({
@@ -16934,6 +16934,13 @@ class VaultBroker {
         const tmpPath = `${tokenPath}.tmp.${process.pid}`;
         writeFileSync3(tmpPath, mintResult.token, { mode: 384 });
         renameSync3(tmpPath, tokenPath);
+        try {
+          const uid = allocateAgentUid(agent);
+          chownSync(tokenPath, uid, uid);
+        } catch (chownErr) {
+          process.stderr.write(`[vault-broker] mint_grant: token written but chown failed for agent ${agent}: ${chownErr.message} (CAP_CHOWN missing?)
+`);
+        }
       } catch (err) {
         process.stderr.write(`[vault-broker] mint_grant: failed to write token file for agent ${agent}: ${err.message}
 `);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.13.38",
+  "version": "0.13.40",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/answer-stream.ts

@@ -244,15 +244,22 @@ export function createAnswerStream(config: AnswerStreamConfig): AnswerStreamHand
    * must clear the draft. Best-effort: a failed clear is logged but
    * not re-thrown — the worst case is a transient stale draft that
    * Telegram's own 30 s draft expiry eventually mops up.
+   *
+   * #1792 — accepts an explicit `targetDraftId` so `forceNewMessage`
+   * can clear the OLD id before bumping the closure's `draftId`. The
+   * default reads the live closure, which is what stop() / retract()
+   * want — clear whatever's current at the time the call lands.
    */
-  async function clearDraftBestEffort(): Promise<void> {
-    if (!usesDraftTransport || draftApi == null || draftId == null) return
+  async function clearDraftBestEffort(
+    targetDraftId: number | undefined = draftId,
+  ): Promise<void> {
+    if (!usesDraftTransport || draftApi == null || targetDraftId == null) return
     try {
       const params: { message_thread_id?: number } = {}
       if (threadId != null) params.message_thread_id = threadId
       await draftApi(
         chatId,
-        draftId,
+        targetDraftId,
         '',
         Object.keys(params).length > 0 ? params : undefined,
       )
@@ -531,6 +538,18 @@ export function createAnswerStream(config: AnswerStreamConfig): AnswerStreamHand
       stopped = false
       materialized = false
       if (usesDraftTransport) {
+        // #1792: clear the OLD draftId BEFORE rotating. Otherwise the
+        // stale content stays in the user's compose box until the 30 s
+        // Telegram draft expiry — the typical caller (gateway.ts mid-
+        // turn rapid-steer path: `forceNewMessage(); stop();`) cleans
+        // up the prior turn's stream, so the prior draft's content is
+        // semantically retracted. Fire-and-forget — forceNewMessage is
+        // sync; the worst-case failure mode is the same 30 s expiry
+        // we'd have had without the call.
+        const staleDraftId = draftId
+        if (staleDraftId != null) {
+          void clearDraftBestEffort(staleDraftId)
+        }
         draftId = allocateDraftId()
       }
       log?.(`answer-stream: forceNewMessage (gen=${generation})`)
@@ -546,6 +565,10 @@ export function createAnswerStream(config: AnswerStreamConfig): AnswerStreamHand
       // #1704: clear the compose-box draft. stop() is sync — fire and
       // forget. A dropped clear falls back on Telegram's own 30 s
       // draft expiry; the worst case is a transient stale preview.
+      // (#1792: the stale-id-after-rotation hazard is owned by
+      // forceNewMessage itself now — it clears its own draftId before
+      // rotating. stop() just clears whatever's current; clearing an
+      // already-cleared or never-used id is a harmless no-op.)
       void clearDraftBestEffort()
     },
 
@@ -563,6 +586,8 @@ export function createAnswerStream(config: AnswerStreamConfig): AnswerStreamHand
       // draft sitting in the user's input area and blocks them from
       // typing until the 30 s draft expiry. Awaited so a follow-up
       // sendMessage on the same chat doesn't race a stale draft edit.
+      // (See #1792 note in stop() — forceNewMessage owns its own stale
+      // id cleanup; retract just clears whatever's current.)
       await clearDraftBestEffort()
       // Delete the preliminary message if one was sent and deleteMessage
       // is wired. Best-effort: failures are logged but not re-thrown.

package/telegram-plugin/dist/gateway/gateway.js

@@ -23608,7 +23608,7 @@ var init_schema = __esm(() => {
   ScheduleEntrySchema = exports_external.object({
     cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
     prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-    model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated `claude -p` and could set --model per task. " + "Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "\u2014 this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
+    model: exports_external.string().optional().describe("DEPRECATED / IGNORED. Pre-v0.8 the singleton scheduler ran each " + "task as an isolated headless invocation and could set --model per " + "task. Post cron-fold-in (v0.8) the fire is injected into the agent's " + "running session, so it always uses the agent's configured model " + "\u2014 this field has no effect. Accepted (optional) only so existing " + "configs keep validating; set the model at the agent level instead. " + "See docs/scheduling.md."),
     secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default \u2014 broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary \u2014 " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing.")
   });
   AgentSoulSchema = exports_external.object({
@@ -37781,14 +37781,14 @@ function createAnswerStream(config) {
       scheduledTimer = null;
     }
   }
-  async function clearDraftBestEffort() {
-    if (!usesDraftTransport || draftApi == null || draftId == null)
+  async function clearDraftBestEffort(targetDraftId = draftId) {
+    if (!usesDraftTransport || draftApi == null || targetDraftId == null)
       return;
     try {
       const params = {};
       if (threadId != null)
         params.message_thread_id = threadId;
-      await draftApi(chatId, draftId, "", Object.keys(params).length > 0 ? params : undefined);
+      await draftApi(chatId, targetDraftId, "", Object.keys(params).length > 0 ? params : undefined);
     } catch {}
   }
   async function sendDraft(text) {
@@ -38008,6 +38008,10 @@ function createAnswerStream(config) {
       stopped = false;
       materialized = false;
       if (usesDraftTransport) {
+        const staleDraftId = draftId;
+        if (staleDraftId != null) {
+          clearDraftBestEffort(staleDraftId);
+        }
         draftId = allocateDraftId2();
       }
       log?.(`answer-stream: forceNewMessage (gen=${generation})`);
@@ -39638,9 +39642,13 @@ function parseSteerPrefix(body) {
 function escapeXmlAttribute(s) {
   return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
 }
+function decodeXmlEntities(s) {
+  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&apos;/g, "'").replace(/&nbsp;/g, " ").replace(/&amp;/g, "&");
+}
 function formatPriorAssistantPreview(text, maxChars = 200) {
   const stripped = text.replace(/<[^>]*>/g, "");
-  const collapsed = stripped.replace(/\s+/g, " ").trim();
+  const decoded = decodeXmlEntities(stripped);
+  const collapsed = decoded.replace(/\s+/g, " ").trim();
   const truncated = collapsed.length > maxChars ? collapsed.slice(0, maxChars) : collapsed;
   return escapeXmlAttribute(truncated);
 }
@@ -48722,10 +48730,10 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.13.38";
-var COMMIT_SHA = "faca4736";
-var COMMIT_DATE = "2026-05-25T06:37:08Z";
-var LATEST_PR = 1795;
+var VERSION = "0.13.40";
+var COMMIT_SHA = "1f8f075b";
+var COMMIT_DATE = "2026-05-25T07:28:32Z";
+var LATEST_PR = 1800;
 var COMMITS_AHEAD_OF_TAG = 0;
 
 // gateway/boot-version.ts

package/telegram-plugin/steering.ts

@@ -73,22 +73,53 @@ export function escapeXmlAttribute(s: string): string {
     .replace(/'/g, ''')
 }
 
+/**
+ * Decode the small set of HTML / XML entities switchroom emits when it
+ * renders model output as Telegram HTML. Pre-#1791 this function did
+ * not decode and `formatPriorAssistantPreview` then re-escaped the
+ * already-encoded entities, so a turn containing inline `<code>` would
+ * surface to the model on the next inbound as `&amp;amp;lt;…&amp;amp;gt;`
+ * (triple-encoded). The model had to mentally decode three layers to
+ * recover the original characters it wrote — measurably hostile to
+ * comprehension on turns with placeholders, JSX, XML, generics, etc.
+ *
+ * Decoding before re-escape closes that loop: the attribute boundary
+ * stays safe because `escapeXmlAttribute` runs unchanged at the tail.
+ *
+ * Limited to the canonical six entities — there's no general HTML
+ * entity table here, which keeps the surface predictable.
+ */
+function decodeXmlEntities(s: string): string {
+  return s
+    .replace(/&lt;/g, '<')
+    .replace(/&gt;/g, '>')
+    .replace(/&quot;/g, '"')
+    .replace(/&apos;/g, "'")
+    .replace(/&nbsp;/g, ' ')
+    // `&amp;` last so we don't accidentally re-decode `&amp;lt;` → `<` on
+    // a single pass — the order above relies on `&amp;` still being
+    // intact during the prior replaces.
+    .replace(/&amp;/g, '&')
+}
+
 /**
  * Produce a short, safe preview of the last assistant turn for injection
  * as an XML attribute. Strips HTML tags (so `<b>foo</b>` becomes `foo`),
- * collapses all whitespace runs into single spaces, truncates to
- * `maxChars` visible characters, then XML-escapes.
- *
- * We do NOT decode HTML entities — a literal `&amp;` in the source
- * survives as `&amp;amp;` after escape, which is fine: the attribute is
- * for the model's situational awareness, not faithful rendering.
+ * decodes the canonical six XML entities so the model sees the original
+ * characters (not triple-encoded `&amp;amp;lt;` — see #1791), collapses
+ * all whitespace runs into single spaces, truncates to `maxChars` visible
+ * characters, then XML-escapes for safe attribute injection.
  */
 export function formatPriorAssistantPreview(text: string, maxChars = 200): string {
   // Strip HTML tags. Anything angle-bracketed between < and > goes away;
   // this is deliberately liberal (no tag-name whitelist) because the
   // preview is for the model's eyes only.
   const stripped = text.replace(/<[^>]*>/g, '')
-  const collapsed = stripped.replace(/\s+/g, ' ').trim()
+  // #1791: decode entities BEFORE collapse/truncate/re-escape so the
+  // model sees the prose it actually wrote. The re-escape at the tail
+  // preserves attribute-injection safety.
+  const decoded = decodeXmlEntities(stripped)
+  const collapsed = decoded.replace(/\s+/g, ' ').trim()
   const truncated = collapsed.length > maxChars ? collapsed.slice(0, maxChars) : collapsed
   return escapeXmlAttribute(truncated)
 }

package/telegram-plugin/tests/answer-stream.test.ts

@@ -527,6 +527,92 @@ describe('answer-stream — clears sendMessageDraft on terminal paths (#1704)',
   })
 })
 
+// ─── #1792 — forceNewMessage clears the stale draftId before rotating ───
+//
+// Background: `forceNewMessage()` rotates `draftId` to a fresh allocation
+// so the stream can be re-used for a new turn (typical caller: gateway
+// rapid-steer path in `handleSessionEvent` enqueue branch — calls
+// `forceNewMessage(); stop()` on the prior turn's stream before opening
+// the new turn). Pre-#1792, the rotation orphaned the prior turn's
+// draft content in the user's compose box until Telegram's 30 s draft
+// expiry — `stop()`'s fire-and-forget clear closed over the (now-new)
+// `draftId`, so the clear targeted the unused id, not the stale one.
+//
+// Post-fix: `forceNewMessage` itself clears the stale draftId BEFORE
+// rotating. `stop()` continues to clear whatever draftId is current
+// at the time it runs (defensive, also fine: clearing an unused id
+// is a harmless no-op for the user).
+
+describe('answer-stream — forceNewMessage clears the stale draft before rotating (#1792)', () => {
+  it('clears the pre-rotation draftId when forceNewMessage rotates', async () => {
+    const sendMessage = makeSendMessage()
+    const editMessageText = makeEditMessageText()
+    const sendMessageDraft = makeSendMessageDraft()
+    const stream = createAnswerStream({
+      chatId: 'chat1',
+      isPrivateChat: true,
+      throttleMs: 250,
+      sendMessage,
+      editMessageText,
+      sendMessageDraft,
+    })
+
+    // Open the stream — this allocates draftId N and fires sendDraft(N).
+    stream.update('first turn thought')
+    await flushMicrotasks()
+    expect(sendMessageDraft).toHaveBeenCalledTimes(1)
+    const staleDraftId = (sendMessageDraft.mock.calls[0] as unknown as [string, number, string, unknown])[1]
+    sendMessageDraft.mockClear()
+
+    // Rotate. forceNewMessage must enqueue a clear against the OLD
+    // draftId before bumping to the new allocation — pre-fix the
+    // stale content stayed in the compose box for 30 s.
+    stream.forceNewMessage()
+    await flushMicrotasks()
+
+    expect(sendMessageDraft).toHaveBeenCalledTimes(1)
+    const clearedId = (sendMessageDraft.mock.calls[0] as unknown as [string, number, string, unknown])[1]
+    const clearedText = (sendMessageDraft.mock.calls[0] as unknown as [string, number, string, unknown])[2]
+    expect(clearedId).toBe(staleDraftId)
+    expect(clearedText).toBe('')
+  })
+
+  it('the gateway sequence forceNewMessage(); stop() clears the stale draftId', async () => {
+    // Mirrors the only production caller — telegram-plugin/gateway/
+    // gateway.ts:6476-6477 cleans up the prior turn's answer-stream
+    // before opening a new turn (rapid steer / queue path).
+    const sendMessage = makeSendMessage()
+    const editMessageText = makeEditMessageText()
+    const sendMessageDraft = makeSendMessageDraft()
+    const stream = createAnswerStream({
+      chatId: 'chat1',
+      isPrivateChat: true,
+      throttleMs: 250,
+      sendMessage,
+      editMessageText,
+      sendMessageDraft,
+    })
+
+    stream.update('prior turn thought')
+    await flushMicrotasks()
+    const staleDraftId = (sendMessageDraft.mock.calls[0] as unknown as [string, number, string, unknown])[1]
+    sendMessageDraft.mockClear()
+
+    stream.forceNewMessage()
+    stream.stop()
+    await flushMicrotasks()
+
+    // The stale id must have been cleared by ONE of the two calls
+    // (forceNewMessage in this design); the new unused id may also
+    // be cleared by stop() — harmless. The load-bearing invariant
+    // is "the stale id reaches sendMessageDraft('') somewhere".
+    const clearedIds = (sendMessageDraft.mock.calls as unknown as Array<[string, number, string, unknown]>)
+      .filter(c => c[2] === '')
+      .map(c => c[1])
+    expect(clearedIds).toContain(staleDraftId)
+  })
+})
+
 describe('answer-stream — empty / whitespace-only text is a no-op', () => {
   it('update("") does not trigger any transport call', async () => {
     const sendMessage = makeSendMessage()

package/telegram-plugin/tests/steering.test.ts

@@ -138,10 +138,43 @@ describe('formatPriorAssistantPreview', () => {
     expect(formatPriorAssistantPreview('a & b < c')).toBe('a &amp; b &lt; c')
   })
 
-  test('does NOT decode HTML entities (documented)', () => {
-    // Entities like &amp; survive as literal "&amp;" through strip and then
-    // get re-escaped to &amp;amp;. Acceptable for a model-facing preview.
-    expect(formatPriorAssistantPreview('a &amp; b')).toBe('a &amp;amp; b')
+  // ─── #1791 — decode entities before re-escape ───────────────────────────
+  // Pre-fix this function did NOT decode, so an already-encoded source
+  // (e.g. the rendered HTML stored in history) was re-escaped on top of
+  // its own encoding. The model saw `&amp;amp;lt;bar&amp;amp;gt;` (triple
+  // encoded) instead of `<bar>`. Decoding before the trim/re-escape pass
+  // closes that loop; the attribute boundary stays safe because
+  // escapeXmlAttribute runs unchanged at the tail.
+
+  test('decodes &amp; before re-escape (single-pass, not triple) — #1791', () => {
+    // Source stored in history as escaped HTML: `a &amp; b`.
+    // Pre-fix output: `a &amp;amp; b`. Post-fix: `a &amp; b` (single).
+    expect(formatPriorAssistantPreview('a &amp; b')).toBe('a &amp; b')
+  })
+
+  test('decodes &lt; / &gt; inside stripped tags — #1791', () => {
+    // The classic #1120 case: model wrote `Path: \`/tmp/foo-<bar>/\``,
+    // markdownToHtml stored it as `<code>/tmp/foo-&lt;bar&gt;/</code>`,
+    // strip removes the <code> tags, decode brings back the angle
+    // brackets, escape re-encodes safely for the attribute.
+    expect(formatPriorAssistantPreview('<code>/tmp/foo-&lt;bar&gt;/</code>'))
+      .toBe('/tmp/foo-&lt;bar&gt;/')
+  })
+
+  test('decodes &quot; / &apos; / &nbsp; — #1791', () => {
+    expect(formatPriorAssistantPreview('say &quot;hi&quot;')).toBe('say &quot;hi&quot;')
+    expect(formatPriorAssistantPreview('it&apos;s here')).toBe("it&apos;s here")
+    expect(formatPriorAssistantPreview('a&nbsp;b')).toBe('a b')
+  })
+
+  test('does not over-decode: bare `&amp;lt;` decodes to `&lt;`, not `<` — #1791', () => {
+    // The decode order (&lt; / &gt; / &quot; / &apos; / &nbsp; first, then
+    // &amp;) ensures a single pass doesn't strip two layers of escape.
+    // A literal `&amp;lt;` in source (i.e. someone deliberately encoded
+    // the word "&lt;") becomes `&lt;` after one decode pass, and then
+    // re-escapes back to `&amp;lt;`. Pin this so the order isn't accidentally
+    // flipped to a re-decode loop.
+    expect(formatPriorAssistantPreview('&amp;lt;')).toBe('&amp;lt;')
   })
 
   test('empty string returns empty', () => {

package/telegram-plugin/uat/scenarios/jtbd-pending-progress-html-dm.test.ts

@@ -0,0 +1,124 @@
+/**
+ * UAT — pending-progress edit preserves HTML formatting (#1698 regression gate).
+ *
+ * Promoted from the one-off `pr1706-pending-progress-html-dm.test.ts`
+ * verification scenario per #1793. The pending-progress / silent-anchor
+ * / answer-stream code family in `telegram-plugin/` all touch the
+ * parse_mode contract on cross-turn edits; the existing UAT suite
+ * (`cross-turn-pending-progress-dm.test.ts`, `jtbd-fast-trivial-dm.test.ts`,
+ * `jtbd-soft-commit-dm.test.ts`) covers cadence / round-trip / pacing
+ * but does NOT pin the parse_mode contract. #1698 shipped to prod and
+ * the existing suite went green throughout — this scenario closes that
+ * blind spot.
+ *
+ * Method:
+ *   1. Ask the agent to send ONE reply with both <b> and <code> via
+ *      the reply tool (default html format).
+ *   2. Dispatch a background bash so the turn ends with pending async.
+ *   3. End turn. Pending-progress activates.
+ *   4. After ~60-90s, observe the first edit. Assert text reads back
+ *      WITHOUT literal `<b>` / `<code>` substrings (Telegram parsed
+ *      under HTML, formatting moved to entities, mtcute Message.text
+ *      returns plain prose). Pre-fix, parse_mode was dropped on the
+ *      edit and the tags would render as literal characters.
+ */
+
+import { describe, it, expect } from "vitest";
+import { spinUp, type ObservedMessage } from "../harness.js";
+
+const SLEEP_SECONDS = 90;
+const OVERALL_DEADLINE_MS = 4 * 60_000;
+
+const PROMPT =
+  `Please run \`sleep ${SLEEP_SECONDS}\` in the background using the ` +
+  `Bash tool with \`run_in_background: true\`. Send exactly ONE reply, ` +
+  `using the reply tool with default html format, containing this text ` +
+  `VERBATIM:\n\n` +
+  `<b>Worker dispatched.</b> Running <code>sleep ${SLEEP_SECONDS}</code> ` +
+  `in background.\n\n` +
+  `Do NOT send any other reply until the sleep finishes. Just dispatch ` +
+  `the bash, send that one HTML reply, end your turn. When it finishes ` +
+  `much later, reply with the single word "done".`;
+
+const SUFFIX_RE = /\n\n— still working \(\d+m\)$/;
+
+describe("uat: pending-progress edit preserves HTML formatting (#1698 regression gate)", () => {
+  it(
+    "first pending-progress edit reads back WITHOUT literal HTML tags",
+    async () => {
+      const sc = await spinUp({ agent: "test-harness" });
+      try {
+        const startedAt = Date.now();
+        await sc.sendDM(PROMPT);
+
+        let anchorMsgId: number | null = null;
+        let editText: string | null = null;
+        const deadline = startedAt + OVERALL_DEADLINE_MS;
+
+        while (Date.now() < deadline) {
+          try {
+            const msg = await sc.expectMessage(
+              (m: ObservedMessage) => m.fromBot,
+              { from: "bot", timeout: deadline - Date.now() },
+            );
+            const rel = Date.now() - startedAt;
+            console.log(
+              `[jtbd-pending-progress-html] +${(rel / 1000).toFixed(1)}s ` +
+                `${msg.edited ? "EDIT" : "FRESH"} msg=${msg.messageId} ` +
+                `${JSON.stringify(msg.text.slice(0, 120))}`,
+            );
+            if (!msg.edited && anchorMsgId == null) {
+              anchorMsgId = msg.messageId;
+              continue;
+            }
+            if (
+              msg.edited &&
+              anchorMsgId === msg.messageId &&
+              SUFFIX_RE.test(msg.text)
+            ) {
+              editText = msg.text;
+              break;
+            }
+          } catch {
+            break;
+          }
+        }
+
+        expect(
+          anchorMsgId,
+          "agent never sent its initial HTML reply — UAT env issue",
+        ).not.toBeNull();
+        expect(
+          editText,
+          `no pending-progress edit observed within ${OVERALL_DEADLINE_MS / 1000}s — ` +
+            `model may not have dispatched async, or pending-progress is disabled`,
+        ).not.toBeNull();
+
+        // ── THE #1698 REGRESSION GATE ─────────────────────────────────
+        // mtcute's Message.text returns the parsed text — formatting
+        // lives in `entities`. So a working parse_mode=HTML edit shows
+        // clean prose with no literal "<b>" / "<code>" substrings.
+        // Pre-fix the gateway dropped parse_mode on the cross-turn
+        // edit and Telegram stored the tags as plain characters.
+        expect(
+          editText,
+          `#1698 regression: pending-progress edit text contains literal "<b>" — ` +
+            `parse_mode was dropped and Telegram is storing the original HTML tags as plain.`,
+        ).not.toContain("<b>");
+        expect(editText).not.toContain("</b>");
+        expect(editText).not.toContain("<code>");
+        expect(editText).not.toContain("</code>");
+
+        // Sanity — the model's prose is still visible (without tags).
+        expect(editText).toContain("Worker dispatched");
+
+        // Belt-and-braces — the suffix landed (proves the edit was
+        // pending-progress and not some other path).
+        expect(editText).toMatch(SUFFIX_RE);
+      } finally {
+        await sc.tearDown();
+      }
+    },
+    OVERALL_DEADLINE_MS + 30_000,
+  );
+});