switchroom 0.14.20 → 0.14.22

package/telegram-plugin/gateway/coalesce-attachments.ts

@@ -36,6 +36,15 @@ export interface ResolvedExtraAttachment {
  * `maxAttachments` is floored at 1 — a cap of 0 or negative would strip the
  * primary, silently dropping the only attachment.
  */
+/** Default attachments folded into one coalesced turn: a full Telegram album
+ *  (media_group caps at 10). Floored at 1 so the only attachment is never
+ *  stripped. Set channels.telegram.coalesce.max_attachments to override. */
+export const DEFAULT_MAX_ATTACHMENTS = 10
+
+export function resolveCoalesceMaxAttachments(configured: number | undefined): number {
+  return Math.max(1, configured ?? DEFAULT_MAX_ATTACHMENTS)
+}
+
 export function splitCoalescedAttachments<T>(
   entries: T[],
   hasAttachment: (e: T) => boolean,

package/telegram-plugin/gateway/gateway.ts

@@ -39,6 +39,7 @@ import {
   ToolFlightTracker,
   decideInterruptTiming,
   resolveInterruptMaxWaitMs,
+  resolveSafeBoundaryEnabled,
 } from './interrupt-defer.js'
 import {
   resolveStickerSendArgs,
@@ -56,12 +57,16 @@ import {
 } from '../telegraph.js'
 import { OutboundDedupCache } from '../recent-outbound-dedup.js'
 import { createInboundCoalescer, inboundCoalesceKey } from './inbound-coalesce.js'
-import { splitCoalescedAttachments, buildExtraAttachmentMeta } from './coalesce-attachments.js'
+import {
+  splitCoalescedAttachments,
+  buildExtraAttachmentMeta,
+  resolveCoalesceMaxAttachments,
+} from './coalesce-attachments.js'
 import { StatusReactionController } from '../status-reactions.js'
 import { DeferredDoneReactions } from '../reaction-defer.js'
-import { createWorkerActivityFeed } from '../worker-activity-feed.js'
+import { createWorkerActivityFeed, isWorkerActivityFeedEnabled } from '../worker-activity-feed.js'
 import { isTelegramReplyTool, isTelegramSurfaceTool } from '../tool-names.js'
-import { appendActivityLabel } from '../tool-activity-summary.js'
+import { appendActivityLabel, renderActivityFeedWithNested } from '../tool-activity-summary.js'
 import { toolLabel } from '../tool-labels.js'
 import { createTypingWrapper } from '../typing-wrap.js'
 import { type DraftStreamHandle } from '../draft-stream.js'
@@ -205,14 +210,7 @@ import {
   isTurnFlushSafetyEnabled,
 } from '../turn-flush-safety.js'
 // #1122 PR3: turn-flush-prose-recovery removed with the progress card.
-import {
-  resolveAgentDirFromEnv,
-  consumeHandoffTopic,
-  shouldShowHandoffLine,
-  formatHandoffLine,
-  writeLastTurnSummary,
-  type HandoffFormat,
-} from '../handoff-continuity.js'
+import { resolveAgentDirFromEnv } from '../agent-dir.js'
 import {
   addActiveReaction,
   removeActiveReaction,
@@ -391,6 +389,7 @@ import {
   touchTurnActiveMarker,
   removeTurnActiveMarker,
   sweepStaleTurnActiveMarker,
+  TURN_ACTIVE_MARKER_FILE,
 } from './turn-active-marker.js'
 import {
   VERSION,
@@ -418,12 +417,17 @@ import {
 import { resolveVaultApprovalPosture } from '../vault-approval-posture.js'
 import {
   openTurnsDb,
-  markOrphanedAsRestarted,
+  markOrphanedWithTimeoutClassification,
   recordTurnStart,
   recordTurnEnd,
-  findMostRecentInterruptedTurn,
+  findLatestTurnIfInterrupted,
   findRecentTurnsForChat,
 } from '../registry/turns-schema.js'
+import {
+  buildResumeInterruptedInbound,
+  buildResumeWatchdogReportInbound,
+  selectResumeBuilder,
+} from './resume-inbound-builder.js'
 import { applySubagentsSchema, getSubagentByJsonlId } from '../registry/subagents-schema.js'
 import { resolveWorkerFeedDispatch, type WorkerFeedDispatch } from './worker-feed-dispatch.js'
 import { formatIdleFooter } from '../idle-footer.js'
@@ -776,14 +780,15 @@ type Access = {
   parseMode?: 'html' | 'markdownv2' | 'text'
   disableLinkPreview?: boolean
   coalescingGapMs?: number
-  /** A2: max media attachments folded into one coalesced turn. Default 1
-   *  (single-attachment behaviour). Projected from
+  /** A2: max media attachments folded into one coalesced turn. Default 10
+   *  (a full Telegram album / forwarded burst arrives as one turn). Set 1 to
+   *  restore single-attachment behaviour. Projected from
    *  channels.telegram.coalesce.max_attachments by scaffold. */
   coalesceMaxAttachments?: number
-  /** Problem B: when true, a `!` interrupt that lands mid-tool-call is
-   *  deferred until the in-flight tool finishes (bounded by
-   *  interruptMaxWaitMs) before SIGINT + resume. Default false (fire
-   *  synchronously). Projected from channels.telegram.interrupt.safe_boundary. */
+  /** Problem B: when true (the default), a `!` interrupt that lands
+   *  mid-tool-call is deferred until the in-flight tool finishes (bounded by
+   *  interruptMaxWaitMs) before SIGINT + resume. Set false to fire
+   *  synchronously. Projected from channels.telegram.interrupt.safe_boundary. */
   interruptSafeBoundary?: boolean
   /** Upper bound (ms) to wait for a safe boundary before firing a deferred
    *  interrupt anyway. Default 8000. Projected from
@@ -963,13 +968,26 @@ if (HISTORY_ENABLED) {
   }
 }
 
-// ─── Turn-tracking registry (Stage 3a of simplify-restart, Phase 0 of #250) ─
-// On boot, open the per-agent registry.db and stamp any rows that never got
-// an ended_at as ended_via='restart'. Those are turns where the previous
-// gateway died mid-flight (SIGKILL / OOM / hard reboot — any path that
-// skipped the SIGTERM handler). Stages 3b/3c will populate new rows during
-// turn enqueue/end and on graceful shutdown; Stage 4 reads on cold start.
+// ─── Turn-tracking registry + honest-restart-resume ────────────────────────
+// On boot, open the per-agent registry.db and reap any turn that never got an
+// ended_at — those were killed mid-flight (operator restart, SIGKILL, OOM,
+// hard reboot). The reaper CLASSIFIES each orphan from the on-disk
+// turn-active marker's age:
+//   - marker older than the hang-watchdog window → 'timeout' (the turn
+//     stalled with no tool progress; report it, don't blindly resume).
+//   - otherwise → 'restart' (a clean interrupt; resume it).
+// Then, if the LATEST turn was interrupted, we build a synthetic resume /
+// report inbound and (further down, once the inbound spool exists) inject it
+// so the agent wakes on its own and either picks the work back up or tells
+// the user why it stopped — no human nudge required.
+//
+// The classifier MUST read the marker before the boot-cleanup sweep removes
+// it (the sweep runs much later, in the bridge-registration path). This block
+// runs at module top, so the marker is still present here.
 let turnsDb: ReturnType<typeof openTurnsDb> | null = null
+// Stashed here; pushed to the spool once it's constructed below. The spool's
+// turn_key-keyed dedup makes a re-stash across multiple restarts a no-op.
+let bootResumeInbound: { agent: string; msg: InboundMessage } | null = null
 try {
   // STATE_DIR is `<agentDir>/telegram` in production. openTurnsDb expects
   // the parent (agent dir) and joins `telegram/registry.db` itself.
@@ -981,23 +999,88 @@ try {
   // schema; subagents lives alongside in registry.db. Idempotent — safe on
   // pre-existing DBs (handles the jsonl_agent_id column migration).
   applySubagentsSchema(turnsDb)
-  const reaped = markOrphanedAsRestarted(turnsDb)
+
+  // Read the turn-active marker (the in-flight turn the watchdog tracks)
+  // BEFORE classifying — its mtime is "ms since last tool progress" and its
+  // payload carries the in-flight turn_key.
+  let markerTurnKey: string | null = null
+  let markerAgeMs: number | null = null
+  try {
+    const markerPath = join(STATE_DIR, TURN_ACTIVE_MARKER_FILE)
+    if (existsSync(markerPath)) {
+      const st = statSync(markerPath)
+      markerAgeMs = Date.now() - st.mtimeMs
+      try {
+        const payload = JSON.parse(readFileSync(markerPath, 'utf8')) as { turnKey?: unknown }
+        if (typeof payload.turnKey === 'string' && payload.turnKey.length > 0) {
+          markerTurnKey = payload.turnKey
+        }
+      } catch { /* unreadable/torn marker — age alone still classifies */ }
+    }
+  } catch { /* stat failure — treat as no marker (plain restart) */ }
+
+  // TURN_HANG_SECS is the watchdog's hang threshold (default 300s); the
+  // classifier uses the same signal so "would the watchdog have killed it"
+  // is answered identically whether or not the watchdog is live (it's
+  // disabled under Docker, but the staleness judgement still holds).
+  const hangSecs = Number(process.env.TURN_HANG_SECS)
+  const hangThresholdMs = (Number.isFinite(hangSecs) && hangSecs > 0 ? hangSecs : 300) * 1000
+  const reasonSnapshot =
+    markerAgeMs != null ? JSON.stringify({ idleMs: Math.round(markerAgeMs) }) : null
+
+  const { reaped, timeoutTurnKey } = markOrphanedWithTimeoutClassification(turnsDb, {
+    markerTurnKey,
+    markerAgeMs,
+    hangThresholdMs,
+    reasonSnapshot,
+  })
   if (reaped > 0) {
-    process.stderr.write(`telegram gateway: turn-registry boot-reaper stamped ${reaped} orphaned turn(s) as ended_via='restart'\n`)
+    process.stderr.write(
+      `telegram gateway: turn-registry boot-reaper stamped ${reaped} orphaned turn(s)` +
+      `${timeoutTurnKey ? ` (turnKey=${timeoutTurnKey} as 'timeout', markerAgeMs=${markerAgeMs})` : " as 'restart'"}\n`,
+    )
   } else {
     process.stderr.write(`telegram gateway: turn-registry initialized at ${join(agentDir, 'telegram', 'registry.db')}\n`)
   }
 
-  // Stage 4: surface the most-recently-interrupted turn to start.sh as a
-  // shell-sourceable env file. The agent's start.sh reads this on next
-  // boot, exports the env vars to the spawned `claude` process, and
-  // deletes the file (one-shot — only ever applies to the immediately
-  // following session). If there's no interrupted turn (clean previous
-  // shutdown), we delete any stale file so the resume protocol doesn't
-  // mis-fire.
+  // Build the boot resume/report inbound for the LATEST turn if it was
+  // interrupted. selectResumeBuilder owns the resume-vs-report policy.
+  const pending = findLatestTurnIfInterrupted(turnsDb)
+  const selfAgent = process.env.SWITCHROOM_AGENT_NAME ?? ''
+  if (pending != null && selfAgent) {
+    const kind = selectResumeBuilder(pending.ended_via)
+    if (kind === 'resume') {
+      bootResumeInbound = { agent: selfAgent, msg: buildResumeInterruptedInbound({ turn: pending }) }
+    } else if (kind === 'report') {
+      // idleMs: this boot's measured marker age if it just classified this
+      // turn; otherwise recover it from the persisted interrupt_reason (a
+      // later boot, marker already swept); else fall back to total runtime.
+      let idleMs = pending.turn_key === timeoutTurnKey && markerAgeMs != null ? markerAgeMs : null
+      if (idleMs == null && pending.interrupt_reason) {
+        try {
+          const parsed = JSON.parse(pending.interrupt_reason) as { idleMs?: unknown }
+          if (typeof parsed.idleMs === 'number' && Number.isFinite(parsed.idleMs)) idleMs = parsed.idleMs
+        } catch { /* malformed snapshot — fall through */ }
+      }
+      if (idleMs == null) idleMs = Math.max(0, Date.now() - pending.started_at)
+      bootResumeInbound = {
+        agent: selfAgent,
+        msg: buildResumeWatchdogReportInbound({ turn: pending, idleMs }),
+      }
+    }
+    if (bootResumeInbound != null) {
+      process.stderr.write(
+        `telegram gateway: boot-resume queued kind=${kind} turnKey=${pending.turn_key} ` +
+        `endedVia=${pending.ended_via ?? 'open'} chat=${pending.chat_id}\n`,
+      )
+    }
+  }
+
+  // Diagnostic env file (one-shot, sourced by start.sh) — kept for the
+  // wake-audit context. The injected inbound above is the real wake signal;
+  // these vars are passive context only.
   const pendingEnvPath = join(agentDir, '.pending-turn.env')
   try {
-    const pending = findMostRecentInterruptedTurn(turnsDb)
     if (pending != null) {
       const lines = [
         `SWITCHROOM_PENDING_TURN=true`,
@@ -1007,14 +1090,12 @@ try {
         pending.last_user_msg_id != null ? `SWITCHROOM_PENDING_USER_MSG_ID=${pending.last_user_msg_id}` : `SWITCHROOM_PENDING_USER_MSG_ID=`,
         `SWITCHROOM_PENDING_ENDED_VIA=${pending.ended_via ?? 'unknown'}`,
         `SWITCHROOM_PENDING_STARTED_AT=${pending.started_at}`,
+        pending.interrupt_reason != null ? `SWITCHROOM_PENDING_INTERRUPT_REASON=${pending.interrupt_reason}` : `SWITCHROOM_PENDING_INTERRUPT_REASON=`,
       ]
       // Atomic write: tmp + rename. Without this, a crash mid-write
       // (power loss, OOM, panic) leaves a truncated `.pending-turn.env`
       // that start.sh `source`s — partial SWITCHROOM_PENDING_* vars
-      // half-trigger the resume protocol with incomplete context, or
-      // a malformed line breaks shell parsing inside the source.
-      // Same pattern used by the access-file write a few hundred lines
-      // above and by src/issues/store.ts.
+      // or a malformed line break shell parsing inside the source.
       const pendingEnvTmp = `${pendingEnvPath}.tmp-${process.pid}`
       writeFileSync(pendingEnvTmp, lines.join('\n') + '\n', { mode: 0o600 })
       renameSync(pendingEnvTmp, pendingEnvPath)
@@ -1024,7 +1105,7 @@ try {
       process.stderr.write(`telegram gateway: pending-turn env cleared (clean previous shutdown)\n`)
     }
   } catch (err) {
-    process.stderr.write(`telegram gateway: pending-turn env write failed (${(err as Error).message}) — resume protocol may not fire\n`)
+    process.stderr.write(`telegram gateway: pending-turn env write failed (${(err as Error).message})\n`)
   }
 } catch (err) {
   process.stderr.write(`telegram gateway: turn-registry init failed (${(err as Error).message}) — turn tracking disabled\n`)
@@ -1393,6 +1474,13 @@ type CurrentTurn = {
   // (via `renderActivityFeed`) as a capped chronological list into the
   // in-place edited activity message and clears on reply. Reset per turn.
   mirrorLines: string[]
+  // Model A — foreground sub-agent nesting. A foreground sub-agent (Task/Agent
+  // with no run_in_background) runs INSIDE this turn while the parent blocks at
+  // the Task tool, so its live steps nest under the parent's activity feed
+  // rather than a separate message. Keyed by jsonl agent id; value = the
+  // sub-agent's accumulated narrative lines (oldest→newest, deduped + capped).
+  // Background workers are NOT here — they get the standalone worker feed.
+  foregroundSubAgents: Map<string, string[]>
   // Issue #195 — answer-lane streaming. Lazily created on the first text
   // event of a turn (once enough text has accumulated, the stream itself
   // gates on minInitialChars). Materialized and cleared at turn_end.
@@ -2123,23 +2211,6 @@ function probeAvailableReactions(chatId: string): void {
   })()
 }
 
-// ─── Handoff continuity ───────────────────────────────────────────────────
-let pendingHandoffTopic: string | null = null
-
-function initHandoffContinuity(): void {
-  if (!shouldShowHandoffLine()) { pendingHandoffTopic = null; return }
-  const agentDir = resolveAgentDirFromEnv()
-  if (agentDir == null) { pendingHandoffTopic = null; return }
-  pendingHandoffTopic = consumeHandoffTopic(agentDir)
-}
-
-function takeHandoffPrefix(format: HandoffFormat): string {
-  if (pendingHandoffTopic == null) return ''
-  const line = formatHandoffLine(pendingHandoffTopic, format)
-  pendingHandoffTopic = null
-  return line
-}
-
 // ─── Text chunking ────────────────────────────────────────────────────────
 const PHOTO_EXTS = new Set(['.jpg', '.jpeg', '.png', '.gif', '.webp'])
 
@@ -3137,13 +3208,13 @@ type CoalescePayload = {
 
 // Count of attachment-bearing entries currently buffered per coalesce key.
 // A new attachment for a key whose count has reached the per-agent cap
-// (coalesce.max_attachments, default 1) bypasses coalescing (see
+// (coalesce.max_attachments, default 10) bypasses coalescing (see
 // handleInboundCoalesced) so no media is dropped past the cap. Cleared on
 // flush (below) and on the synchronous bypass path.
 const bufferedAttachmentKeys = new Map<string, number>()
 
 function coalesceMaxAttachments(): number {
-  return Math.max(1, loadAccess().coalesceMaxAttachments ?? 1)
+  return resolveCoalesceMaxAttachments(loadAccess().coalesceMaxAttachments)
 }
 
 const inboundCoalescer = createInboundCoalescer<CoalescePayload>({
@@ -3936,6 +4007,21 @@ const inboundSpool = STATIC
       },
     })
 const pendingInboundBuffer = createPendingInboundBuffer({ spool: inboundSpool })
+// Honest-restart-resume: inject the boot resume/report inbound built by the
+// registry classifier above. When the spool exists we only PUT it (the
+// boot-replay loop below pulls it into the in-memory buffer exactly once via
+// liveEntries — pushing here too would double-queue). The turn_key-keyed
+// spoolId makes this a no-op if a prior restart already queued the same turn
+// and it hasn't been delivered yet — so a multi-restart sequence resumes a
+// given turn once, not N times. When there's no spool (STATIC mode) push
+// straight to the in-memory buffer.
+if (bootResumeInbound != null) {
+  if (inboundSpool != null) {
+    inboundSpool.put(bootResumeInbound.agent, bootResumeInbound.msg)
+  } else {
+    pendingInboundBuffer.push(bootResumeInbound.agent, bootResumeInbound.msg)
+  }
+}
 // Boot-replay: re-queue every un-acked spooled inbound into the
 // in-memory buffer so the existing drain triggers (onClientRegistered
 // / silence-poke #1546 / idle-drain #1549) deliver them. push →
@@ -5243,13 +5329,6 @@ async function executeReply(args: Record<string, unknown>): Promise<{ content: A
     effectiveText = text
   }
 
-  {
-    const prefix = takeHandoffPrefix(
-      format === 'html' ? 'html' : format === 'markdownv2' ? 'markdownv2' : 'text',
-    )
-    if (prefix.length > 0) effectiveText = prefix + effectiveText
-  }
-
   assertAllowedChat(chat_id)
 
   let threadId = resolveThreadId(chat_id, args.message_thread_id as string | undefined)
@@ -5983,7 +6062,6 @@ async function executeStreamReply(args: Record<string, unknown>): Promise<unknow
       markdownToHtml,
       escapeMarkdownV2,
       repairEscapedWhitespace,
-      takeHandoffPrefix,
       assertAllowedChat,
       resolveThreadId,
       disableLinkPreview: access.disableLinkPreview !== false,
@@ -7152,6 +7230,27 @@ function closeProgressLane(chatId: string, threadId: number | undefined): void {
   }
 }
 
+/** Accumulation cap for a foreground sub-agent's nested narrative lines.
+ *  Slightly larger than NESTED_MAX_LINES so the render's "↳ +N earlier…"
+ *  header is meaningful without growing unbounded on a long sub-agent. */
+const FOREGROUND_SUBAGENT_ACCUM_MAX = 12
+
+/**
+ * Render this turn's activity feed, nesting any active foreground sub-agent's
+ * narrative beneath the parent's own steps (Model A). With no active
+ * foreground sub-agent this is exactly the flat feed. Multiple concurrent
+ * foreground sub-agents (rare — parallel Task dispatch) flatten in insertion
+ * order; the single-sub-agent common case nests precisely under its
+ * Delegating line.
+ */
+function composeTurnActivity(turn: CurrentTurn): string | null {
+  const childLines: string[] = []
+  for (const narrative of turn.foregroundSubAgents.values()) {
+    childLines.push(...narrative)
+  }
+  return renderActivityFeedWithNested(turn.mirrorLines, childLines)
+}
+
 /**
  * Drain the tool-activity summary's pending render queue. Single-flight
  * by construction (caller assigns the returned promise to
@@ -7318,6 +7417,7 @@ function handleSessionEvent(ev: SessionEvent): void {
           activityPendingRender: null,
           activityLastSentRender: null,
           mirrorLines: [],
+          foregroundSubAgents: new Map(),
           answerStream: null,
           isDm: isDmChatId(ev.chatId),
         }
@@ -7495,7 +7595,10 @@ function handleSessionEvent(ev: SessionEvent): void {
       if (turn.replyCalled) return
       const rendered = appendActivityLabel(turn.mirrorLines, ev.label)
       if (rendered != null) {
-        turn.activityPendingRender = rendered
+        // Recompose so any active foreground sub-agent's nested block (Model A)
+        // is preserved when the parent appends its own step. composeTurnActivity
+        // == the flat render when no foreground sub-agent is active.
+        turn.activityPendingRender = composeTurnActivity(turn) ?? rendered
         if (turn.activityInFlight == null) {
           turn.activityInFlight = drainActivitySummary(turn)
         }
@@ -8502,7 +8605,6 @@ function handlePtyActivity(text: string): void {
       markdownToHtml,
       escapeMarkdownV2,
       repairEscapedWhitespace,
-      takeHandoffPrefix: () => '',
       assertAllowedChat,
       resolveThreadId,
       disableLinkPreview: access.disableLinkPreview !== false,
@@ -8727,11 +8829,11 @@ async function handleInboundCoalesced(
   const maxAttachments = coalesceMaxAttachments()
 
   // Albums (media_group_id): coalesce only when the cap allows >1 attachment
-  // (A2). At the default cap of 1 each album part keeps its own turn exactly
-  // as before — the single-attachment merge can't carry sibling photos, so
-  // bypassing avoids dropping them. With a raised cap the parts share the
-  // coalesce key and fold into one multi-attachment turn (the cap-overflow
-  // bypass below catches parts past the cap).
+  // (A2). At the default cap of 10 the parts share the coalesce key and fold
+  // into one multi-attachment turn (the cap-overflow bypass below catches
+  // parts past the cap). With the cap lowered to 1 each album part keeps its
+  // own turn — the single-attachment merge can't carry sibling photos, so
+  // bypassing avoids dropping them.
   if (hasAttachment && ctx.message?.media_group_id != null && maxAttachments <= 1) {
     return handleInbound(ctx, text, downloadImage, attachment)
   }
@@ -8741,7 +8843,8 @@ async function handleInboundCoalesced(
 
   // An attachment past the per-agent cap would be dropped by the capped merge.
   // Bypass it to its own turn so no media is silently lost. At the default
-  // cap of 1 this fires on the SECOND attachment, preserving A1 behaviour.
+  // cap of 10 this fires on the 11th attachment; with the cap lowered to 1 it
+  // fires on the SECOND, preserving A1 behaviour.
   if (hasAttachment) {
     const probeKey = inboundCoalesceKey(
       String(ctx.chat!.id),
@@ -8785,9 +8888,9 @@ async function handleInboundCoalesced(
   // Coalescing disabled (window <= 0): flush immediately, preserving any
   // media this message carried.
   if (result.bypass) return handleInbound(ctx, text, downloadImage, attachment)
-  // Count the open window's attachments so a third+ (or second, at the
-  // default cap) bypasses rather than overflows the capped merge (cleared
-  // in onFlush).
+  // Count the open window's attachments so any part past the cap (the 11th
+  // at the default cap of 10, or the second when lowered to 1) bypasses
+  // rather than overflows the capped merge (cleared in onFlush).
   if (hasAttachment) bufferedAttachmentKeys.set(key, (bufferedAttachmentKeys.get(key) ?? 0) + 1)
 }
 
@@ -8998,7 +9101,7 @@ async function handleInbound(
     deferInterrupt =
       !interrupt.emptyBody &&
       decideInterruptTiming({
-        safeBoundaryEnabled: access.interruptSafeBoundary === true,
+        safeBoundaryEnabled: resolveSafeBoundaryEnabled(access.interruptSafeBoundary),
         midToolCall: toolFlightTracker.isMidToolCall(),
       }) === 'defer'
     process.stderr.write(
@@ -16975,7 +17078,6 @@ process.on('SIGINT', () => void shutdown('SIGINT'))
 
 
 // ─── Startup ──────────────────────────────────────────────────────────────
-initHandoffContinuity()
 
 // Top-level error handlers route through shutdown() so the startup lock is
 // released cleanly. Without this, a top-level throw would leave the lock
@@ -17565,10 +17667,17 @@ void (async () => {
             // and edits it in place as work happens (current tool + elapsed),
             // finalizing on completion — the same "live, growing message"
             // shape the main agent's answer uses, NOT card chrome (the pinned
-            // card was deleted in #1126). Flag-gated; when ON it also
+            // card was deleted in #1126). On by default (set
+            // SWITCHROOM_WORKER_ACTIVITY_FEED=0 to disable); when ON it also
             // supersedes the coarse 5-min bucket relay below to avoid
             // double-surfacing the same progress beat.
-            const workerFeedEnabled = process.env.SWITCHROOM_WORKER_ACTIVITY_FEED === '1'
+            const workerFeedEnabled = isWorkerActivityFeedEnabled(process.env.SWITCHROOM_WORKER_ACTIVITY_FEED)
+            // Model A — foreground sub-agent nesting in the parent's live
+            // activity draft. ON by default; this edits the SAME activity-
+            // summary message the tool_label feed already owns (not the
+            // compose draft, so no answer-stream contention). The kill-switch
+            // disables only the nesting; the parent's own feed is unaffected.
+            const foregroundNestingEnabled = process.env.SWITCHROOM_FOREGROUND_SUBAGENT_NESTING !== '0'
             const workerActivityFeed = createWorkerActivityFeed({
               bot: {
                 sendMessage: async (cid, text, sendOpts) => {
@@ -17727,6 +17836,28 @@ void (async () => {
                   } catch { /* best-effort */ }
                 }
                 const isBackground = dispatch.isBackground
+                if (!isBackground) {
+                  // Model A — a foreground sub-agent finished. Collapse its
+                  // nested child block from the parent's activity draft; the
+                  // parent resumes and its result returns inline as the Task
+                  // tool result, so there's no handback to deliver. Reaction
+                  // promotion already ran above.
+                  const turn = currentTurn
+                  if (
+                    turn != null &&
+                    turn.foregroundSubAgents.delete(agentId) &&
+                    !turn.replyCalled
+                  ) {
+                    const rendered = composeTurnActivity(turn)
+                    if (rendered != null) {
+                      turn.activityPendingRender = rendered
+                      if (turn.activityInFlight == null) {
+                        turn.activityInFlight = drainActivitySummary(turn)
+                      }
+                    }
+                  }
+                  return
+                }
                 // #PR2 live worker-feed: force the terminal recap edit on
                 // the worker's live message. No-op when no message was ever
                 // posted (trivial workers stay silent; handback covers them).
@@ -17835,7 +17966,39 @@ void (async () => {
                   } catch { /* best-effort */ }
                 }
                 const isBackground = dispatch.isBackground
-                if (!isBackground) return // skip overhead for foreground
+                if (!isBackground) {
+                  // Model A — a foreground sub-agent runs inside the parent's
+                  // turn, so its live narrative nests under the parent's
+                  // activity draft rather than a separate worker message. Pure
+                  // jsonl-tail → render (no model call), inside the
+                  // subscription-honest boundary.
+                  if (!foregroundNestingEnabled) return // kill-switch: skip overhead
+                  const turn = currentTurn
+                  if (turn == null || turn.replyCalled) return
+                  const child = latestSummary.trim().slice(0, 120)
+                  if (child.length === 0) return
+                  let narrative = turn.foregroundSubAgents.get(agentId)
+                  if (narrative == null) {
+                    narrative = []
+                    turn.foregroundSubAgents.set(agentId, narrative)
+                  }
+                  // Dedup against the immediately-preceding line — the watcher
+                  // re-emits the same narrative across ticks while a tool runs.
+                  if (narrative[narrative.length - 1] !== child) {
+                    narrative.push(child)
+                    if (narrative.length > FOREGROUND_SUBAGENT_ACCUM_MAX) {
+                      narrative.splice(0, narrative.length - FOREGROUND_SUBAGENT_ACCUM_MAX)
+                    }
+                  }
+                  const rendered = composeTurnActivity(turn)
+                  if (rendered != null) {
+                    turn.activityPendingRender = rendered
+                    if (turn.activityInFlight == null) {
+                      turn.activityInFlight = drainActivitySummary(turn)
+                    }
+                  }
+                  return
+                }
 
                 // #PR2 live worker-feed: when ON, the worker's live chat
                 // message owns the progress beat. Push a running cue and

package/telegram-plugin/gateway/inbound-spool.ts

@@ -79,6 +79,21 @@ export function spoolId(msg: InboundMessage): string {
   ) {
     return `s:progress:${msg.meta.subagent_jsonl_id}:${msg.meta.bucket_idx}`
   }
+  // Boot-resume inbounds (honest-restart-resume): deterministic per
+  // interrupted turn so a multi-restart sequence (operator restarts again
+  // before the agent drains the first resume) collapses to ONE resume of
+  // a given turn instead of stacking N. Keyed on the synthetic messageId
+  // (=ts, fresh every boot) would re-fire each boot; the turn_key is the
+  // stable identity. Both resume sources share the namespace because a
+  // given turn can only be one or the other.
+  if (
+    (msg.meta?.source === 'resume_interrupted' ||
+      msg.meta?.source === 'resume_watchdog_timeout') &&
+    typeof msg.meta?.resume_turn_key === 'string' &&
+    msg.meta.resume_turn_key.length > 0
+  ) {
+    return `s:resume:${msg.meta.resume_turn_key}`
+  }
   if (typeof msg.messageId === 'number' && msg.messageId > 0) {
     return `m:${msg.chatId}:${msg.messageId}`
   }

package/telegram-plugin/gateway/interrupt-defer.ts

@@ -98,3 +98,9 @@ export function resolveInterruptMaxWaitMs(configured: number | undefined): numbe
   if (typeof configured === 'number' && configured > 0) return configured
   return DEFAULT_INTERRUPT_MAX_WAIT_MS
 }
+
+/** safe_boundary defaults ON: a `!` mid-tool-call is deferred to a clean
+ *  boundary unless the operator explicitly sets it false. */
+export function resolveSafeBoundaryEnabled(configured: boolean | undefined): boolean {
+  return configured !== false
+}