switchroom 0.14.3 → 0.14.5

package/dist/cli/switchroom.js

@@ -30840,8 +30840,11 @@ function defaultStatBroker(p) {
   return { kind: "ok-with-stat", ino: inoStr, size };
 }
 function spawnDockerStat(p) {
+  return spawnDockerStatForContainer("switchroom-vault-broker", p);
+}
+function spawnDockerStatForContainer(containerName2, p) {
   try {
-    const stdout = execFileSync16("docker", ["exec", "switchroom-vault-broker", "stat", "-c", "%i %s", p], { stdio: ["ignore", "pipe", "pipe"], timeout: 3000, encoding: "utf8" });
+    const stdout = execFileSync16("docker", ["exec", containerName2, "stat", "-c", "%i %s", p], { stdio: ["ignore", "pipe", "pipe"], timeout: 3000, encoding: "utf8" });
     return { status: 0, stdout, stderr: "", error: null };
   } catch (err) {
     const e = err;
@@ -30933,9 +30936,80 @@ function runVaultBrokerDurabilityChecks(_config, opts) {
     probeMachineIdMount(),
     formatBindMountResult("vault-broker: vault.enc bind mount", join52(home2, ".switchroom", "vault", "vault.enc"), "/state/vault/vault.enc", probe2(join52(home2, ".switchroom", "vault", "vault.enc"), "/state/vault/vault.enc")),
     formatBindMountResult("vault-broker: vault-grants.db bind mount (#1737)", join52(home2, ".switchroom", "vault-grants.db"), "/root/.switchroom/vault-grants.db", probe2(join52(home2, ".switchroom", "vault-grants.db"), "/root/.switchroom/vault-grants.db")),
-    formatBindMountResult("vault-broker: vault-audit.log bind mount (#1025)", join52(home2, ".switchroom", "vault-audit.log"), "/root/.switchroom/vault-audit.log", probe2(join52(home2, ".switchroom", "vault-audit.log"), "/root/.switchroom/vault-audit.log"))
+    formatBindMountResult("vault-broker: vault-audit.log bind mount (#1025)", join52(home2, ".switchroom", "vault-audit.log"), "/root/.switchroom/vault-audit.log", probe2(join52(home2, ".switchroom", "vault-audit.log"), "/root/.switchroom/vault-audit.log")),
+    probeKernelDbDurability(home2, {
+      statBroker: opts?.kernelStatBroker
+    })
   ];
 }
+function probeKernelDbDurability(home2, opts) {
+  const hostDir = join52(home2, ".switchroom", "approvals");
+  const containerDir = "/state/approvals";
+  const name = "approval-kernel: approvals bind mount (allow_always durability)";
+  const kernelStat = opts?.statBroker ?? defaultKernelStatBroker;
+  const result = probeBindMountInode(hostDir, containerDir, {
+    statBroker: kernelStat,
+    statHost: opts?.statHost
+  });
+  if (result.kind === "ok") {
+    return {
+      name,
+      status: "ok",
+      detail: `${hostDir} == ${containerDir} (same inode) \u2014 allow_always decisions persist across kernel recreate`
+    };
+  }
+  if (result.kind === "host-missing") {
+    return {
+      name,
+      status: "warn",
+      detail: `host directory ${hostDir} missing \u2014 \`switchroom apply\` pre-creates it on greenfield`,
+      fix: "Run `switchroom apply` to pre-create the host approvals directory"
+    };
+  }
+  if (result.kind === "broker-unreachable") {
+    return {
+      name,
+      status: "skip",
+      detail: "approval-kernel container unreachable \u2014 bind mount unverified"
+    };
+  }
+  if (result.kind === "broker-stat-failed") {
+    return {
+      name,
+      status: "warn",
+      detail: `approval-kernel stat failed: ${result.msg}`
+    };
+  }
+  return {
+    name,
+    status: "fail",
+    detail: `inode mismatch \u2014 approval-kernel \`/state/approvals\` is NOT backed by the host bind mount. ` + `host inode=${result.hostInode} size=${result.hostSize}; ` + `kernel inode=${result.brokerInode} size=${result.brokerSize}. ` + `The kernel is writing kernel.db to an ephemeral container-local directory; ` + `all allow_always decisions are lost on every container recreate (e.g. after \`switchroom update\`).`,
+    fix: "Run `switchroom apply` to regenerate compose with the " + "`~/.switchroom/approvals:/state/approvals` bind mount, then " + "`docker compose -p switchroom up -d approval-kernel` to recreate the kernel container."
+  };
+}
+function defaultKernelStatBroker(p) {
+  const r = spawnDockerStatForContainer("switchroom-approval-kernel", p);
+  if (r.error || r.status === null)
+    return { kind: "broker-unreachable" };
+  if (r.status !== 0) {
+    if (r.status >= 125)
+      return { kind: "broker-unreachable" };
+    return {
+      kind: "broker-stat-failed",
+      msg: r.stderr?.trim() || `exit ${r.status}`
+    };
+  }
+  const out = r.stdout.trim();
+  const [inoStr, sizeStr] = out.split(/\s+/);
+  const size = Number(sizeStr);
+  if (!inoStr || !Number.isFinite(size)) {
+    return {
+      kind: "broker-stat-failed",
+      msg: `unparseable stat output: ${out}`
+    };
+  }
+  return { kind: "ok-with-stat", ino: inoStr, size };
+}
 function probeAutoUnlockBlob(home2) {
   const blobPath = join52(home2, ".switchroom", "vault-auto-unlock");
   if (!existsSync52(blobPath)) {
@@ -49278,8 +49352,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.3";
-var COMMIT_SHA = "b61cef7e";
+var VERSION = "0.14.5";
+var COMMIT_SHA = "c12d4240";
 
 // src/cli/agent.ts
 init_source();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.14.3",
+  "version": "0.14.5",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/dist/bridge/bridge.js

@@ -23041,6 +23041,7 @@ import { join as join2 } from "node:path";
 function createToolLabelSidecar(opts) {
   const path = join2(opts.stateDir, `tool-labels-${opts.sessionId}.jsonl`);
   const labels = new Map;
+  const seen = [];
   const subscribers = new Set;
   let offset = 0;
   let stopped = false;
@@ -23068,6 +23069,7 @@ function createToolLabelSidecar(opts) {
       if (labels.has(row.tool_use_id))
         continue;
       labels.set(row.tool_use_id, row.label);
+      seen.push({ toolUseId: row.tool_use_id, label: row.label, toolName: row.tool_name });
       for (const cb of subscribers) {
         try {
           cb(row.tool_use_id, row.label, row.tool_name);
@@ -23109,6 +23111,11 @@ function createToolLabelSidecar(opts) {
       return labels.get(toolUseId);
     },
     onLabel(cb) {
+      for (const r of seen) {
+        try {
+          cb(r.toolUseId, r.label, r.toolName);
+        } catch {}
+      }
       subscribers.add(cb);
       return () => subscribers.delete(cb);
     },
@@ -23415,6 +23422,46 @@ function extractAssistantText(obj) {
   }
   return parts.join(" ").trim();
 }
+function computeFirstAttachCursor(file, size) {
+  const SCAN_CAP = 1024 * 1024;
+  const scanStart = Math.max(0, size - SCAN_CAP);
+  let buf;
+  try {
+    const fd = openSync(file, "r");
+    try {
+      buf = Buffer.allocUnsafe(size - scanStart);
+      readSync(fd, buf, 0, buf.length, scanStart);
+    } finally {
+      closeSync(fd);
+    }
+  } catch {
+    return size;
+  }
+  let lastEnqueueOffset = -1;
+  let turnEndedAfterEnqueue = false;
+  let lineStart = 0;
+  let skipPartial = scanStart > 0;
+  for (let i = 0;i <= buf.length; i++) {
+    if (i !== buf.length && buf[i] !== 10)
+      continue;
+    if (skipPartial) {
+      skipPartial = false;
+    } else if (i > lineStart) {
+      const line = buf.toString("utf8", lineStart, i);
+      if (line.includes('"type":"queue-operation"') && line.includes('"operation":"enqueue"')) {
+        lastEnqueueOffset = scanStart + lineStart;
+        turnEndedAfterEnqueue = false;
+      } else if (lastEnqueueOffset >= 0 && line.includes('"subtype":"turn_duration"')) {
+        turnEndedAfterEnqueue = true;
+      }
+    }
+    lineStart = i + 1;
+  }
+  if (lastEnqueueOffset >= 0 && !turnEndedAfterEnqueue) {
+    return lastEnqueueOffset;
+  }
+  return size;
+}
 function startSessionTail(config2) {
   const cwd = config2.cwd ?? process.cwd();
   const claudeHome = config2.claudeHome ?? process.env.CLAUDE_CONFIG_DIR ?? join3(homedir2(), ".claude");
@@ -23551,11 +23598,16 @@ function startSessionTail(config2) {
     } else {
       pendingPartial = "";
       try {
-        cursor = statSync3(file).size;
+        const size = statSync3(file).size;
+        cursor = computeFirstAttachCursor(file, size);
+        if (cursor < size) {
+          log?.(`session-tail: attached to ${file} (cursor=${cursor}, replaying in-flight turn from offset; size=${size})`);
+        } else {
+          log?.(`session-tail: attached to ${file} (cursor=${cursor})`);
+        }
       } catch {
         cursor = 0;
       }
-      log?.(`session-tail: attached to ${file} (cursor=${cursor})`);
     }
     const attachSid = sessionIdForFile(file);
     if (attachSid)

package/telegram-plugin/dist/gateway/gateway.js

@@ -49745,6 +49745,9 @@ function skillBasenameFromPath2(input) {
   const trimmed = path.replace(/\/SKILL\.md$/i, "").replace(/\/$/, "");
   return basename6(trimmed) || null;
 }
+function isRulePersisted(resolvedAllow, ruleRule) {
+  return resolvedAllow.includes(ruleRule);
+}
 
 // credits-watch.ts
 import { readFileSync as readFileSync29, writeFileSync as writeFileSync18, existsSync as existsSync30, mkdirSync as mkdirSync16 } from "fs";
@@ -50065,11 +50068,11 @@ function sweepStaleTurnActiveMarker(stateDir, opts) {
 }
 
 // ../src/build-info.ts
-var VERSION = "0.14.3";
-var COMMIT_SHA = "b61cef7e";
-var COMMIT_DATE = "2026-05-28T09:56:51Z";
-var LATEST_PR = 1964;
-var COMMITS_AHEAD_OF_TAG = 0;
+var VERSION = "0.14.5";
+var COMMIT_SHA = "c12d4240";
+var COMMIT_DATE = "2026-05-28T21:57:39+10:00";
+var LATEST_PR = null;
+var COMMITS_AHEAD_OF_TAG = 2;
 
 // gateway/boot-version.ts
 function formatRelativeAgo(iso) {
@@ -59034,20 +59037,44 @@ ${prettyInput}`;
       return;
     }
     let grantOk = false;
+    let grantFailReason = "";
     try {
       switchroomExec(["agent", "grant", agentName3, rule.rule, "--no-restart"]);
-      grantOk = true;
-      process.stderr.write(`telegram gateway: always-allow added rule="${rule.rule}" agent=${agentName3} (request_id=${request_id})
+      try {
+        const cfg = loadConfig2();
+        const rawAgent = cfg.agents?.[agentName3];
+        if (rawAgent) {
+          const resolved = resolveAgentConfig2(cfg.defaults, cfg.profiles, rawAgent);
+          const allowList = resolved.tools?.allow ?? [];
+          if (isRulePersisted(allowList, rule.rule)) {
+            grantOk = true;
+            process.stderr.write(`telegram gateway: always-allow added rule="${rule.rule}" agent=${agentName3} (request_id=${request_id})
+`);
+          } else {
+            grantFailReason = `rule "${rule.rule}" not found in resolved tools.allow after write \u2014 config location may have drifted`;
+            process.stderr.write(`telegram gateway: always-allow VERIFY FAILED: ${grantFailReason} (request_id=${request_id})
+`);
+          }
+        } else {
+          grantFailReason = `agent "${agentName3}" not found in config after write`;
+          process.stderr.write(`telegram gateway: always-allow VERIFY FAILED: ${grantFailReason} (request_id=${request_id})
 `);
+        }
+      } catch (verifyErr) {
+        grantFailReason = `config re-read failed: ${verifyErr.message}`;
+        process.stderr.write(`telegram gateway: always-allow VERIFY FAILED: ${grantFailReason} (request_id=${request_id})
+`);
+      }
     } catch (err) {
-      process.stderr.write(`telegram gateway: always-allow grant failed: ${err.message}
+      grantFailReason = err.message;
+      process.stderr.write(`telegram gateway: always-allow grant failed: ${grantFailReason}
 `);
     }
     pendingPermissions.delete(request_id);
-    const ackText = grantOk ? `\uD83D\uDD01 Always allow ${rule.label} for ${agentName3}` : `\u2705 Allowed (always-allow yaml edit failed; check gateway log)`;
+    const ackText = grantOk ? `\uD83D\uDD01 Always allow ${rule.label} for ${agentName3}` : `\u26A0\uFE0F Allowed for now, but "always" did NOT save \u2014 it will ask again after restart. Check gateway log.`;
     const sourceMsg = ctx.callbackQuery?.message;
     const baseText2 = sourceMsg && "text" in sourceMsg && sourceMsg.text ? escapeHtmlForTg(sourceMsg.text) : "";
-    const editLabel = grantOk ? `\uD83D\uDD01 <b>Always allow ${escapeHtmlForTg(rule.label)}</b> for ${escapeHtmlForTg(agentName3)} \u2014 restart agent for full effect` : `\u2705 <b>Allowed</b> (always-allow rule edit failed; see logs)`;
+    const editLabel = grantOk ? `\uD83D\uDD01 <b>Always allow ${escapeHtmlForTg(rule.label)}</b> for ${escapeHtmlForTg(agentName3)} \u2014 restart agent for full effect` : `\u26A0\uFE0F <b>Allowed for now \u2014 "always" did NOT save.</b> It will ask again after restart. Check gateway log.`;
     await finalizeCallback(ctx, {
       ackText: ackText.slice(0, 200),
       newText: baseText2 ? `${baseText2}

package/telegram-plugin/dist/server.js

@@ -17069,6 +17069,7 @@ import { join as join3 } from "node:path";
 function createToolLabelSidecar(opts) {
   const path = join3(opts.stateDir, `tool-labels-${opts.sessionId}.jsonl`);
   const labels = new Map;
+  const seen = [];
   const subscribers = new Set;
   let offset = 0;
   let stopped = false;
@@ -17096,6 +17097,7 @@ function createToolLabelSidecar(opts) {
       if (labels.has(row.tool_use_id))
         continue;
       labels.set(row.tool_use_id, row.label);
+      seen.push({ toolUseId: row.tool_use_id, label: row.label, toolName: row.tool_name });
       for (const cb of subscribers) {
         try {
           cb(row.tool_use_id, row.label, row.tool_name);
@@ -17137,6 +17139,11 @@ function createToolLabelSidecar(opts) {
       return labels.get(toolUseId);
     },
     onLabel(cb) {
+      for (const r of seen) {
+        try {
+          cb(r.toolUseId, r.label, r.toolName);
+        } catch {}
+      }
       subscribers.add(cb);
       return () => subscribers.delete(cb);
     },
@@ -17453,6 +17460,46 @@ function extractAssistantText(obj) {
   }
   return parts.join(" ").trim();
 }
+function computeFirstAttachCursor(file, size) {
+  const SCAN_CAP = 1024 * 1024;
+  const scanStart = Math.max(0, size - SCAN_CAP);
+  let buf;
+  try {
+    const fd = openSync(file, "r");
+    try {
+      buf = Buffer.allocUnsafe(size - scanStart);
+      readSync(fd, buf, 0, buf.length, scanStart);
+    } finally {
+      closeSync(fd);
+    }
+  } catch {
+    return size;
+  }
+  let lastEnqueueOffset = -1;
+  let turnEndedAfterEnqueue = false;
+  let lineStart = 0;
+  let skipPartial = scanStart > 0;
+  for (let i = 0;i <= buf.length; i++) {
+    if (i !== buf.length && buf[i] !== 10)
+      continue;
+    if (skipPartial) {
+      skipPartial = false;
+    } else if (i > lineStart) {
+      const line = buf.toString("utf8", lineStart, i);
+      if (line.includes('"type":"queue-operation"') && line.includes('"operation":"enqueue"')) {
+        lastEnqueueOffset = scanStart + lineStart;
+        turnEndedAfterEnqueue = false;
+      } else if (lastEnqueueOffset >= 0 && line.includes('"subtype":"turn_duration"')) {
+        turnEndedAfterEnqueue = true;
+      }
+    }
+    lineStart = i + 1;
+  }
+  if (lastEnqueueOffset >= 0 && !turnEndedAfterEnqueue) {
+    return lastEnqueueOffset;
+  }
+  return size;
+}
 function startSessionTail(config2) {
   const cwd = config2.cwd ?? process.cwd();
   const claudeHome = config2.claudeHome ?? process.env.CLAUDE_CONFIG_DIR ?? join4(homedir3(), ".claude");
@@ -17589,11 +17636,16 @@ function startSessionTail(config2) {
     } else {
       pendingPartial = "";
       try {
-        cursor = statSync4(file).size;
+        const size = statSync4(file).size;
+        cursor = computeFirstAttachCursor(file, size);
+        if (cursor < size) {
+          log?.(`session-tail: attached to ${file} (cursor=${cursor}, replaying in-flight turn from offset; size=${size})`);
+        } else {
+          log?.(`session-tail: attached to ${file} (cursor=${cursor})`);
+        }
       } catch {
         cursor = 0;
       }
-      log?.(`session-tail: attached to ${file} (cursor=${cursor})`);
     }
     const attachSid = sessionIdForFile(file);
     if (attachSid)

package/telegram-plugin/gateway/gateway.ts

@@ -368,7 +368,7 @@ import { createIssuesCardHandle, type IssuesCardHandle } from '../issues-card.js
 import { startIssuesWatcher, type IssuesWatcherHandle } from '../issues-watcher.js'
 import { list as listIssues, resolve as resolveIssue } from '../../src/issues/index.js'
 import { summarizeToolForTitle, formatPermissionCardBody } from '../permission-title.js'
-import { resolveAlwaysAllowRule } from '../permission-rule.js'
+import { resolveAlwaysAllowRule, isRulePersisted } from '../permission-rule.js'
 import {
   readClaudeJsonOverage,
   evaluateCreditState,
@@ -15286,25 +15286,56 @@ bot.on('callback_query:data', async ctx => {
       return
     }
     let grantOk = false
+    let grantFailReason = ''
     try {
       // --no-restart: settings.json gets the new entry on the next
       // reconcile but we don't bounce the agent mid-turn. Operator
       // can restart manually if they want this rule live in this
       // session; otherwise it kicks in next session.
       switchroomExec(['agent', 'grant', agentName, rule.rule, '--no-restart'])
-      grantOk = true
-      process.stderr.write(
-        `telegram gateway: always-allow added rule="${rule.rule}" agent=${agentName} (request_id=${request_id})\n`,
-      )
+      // Verify the rule actually landed in the resolved config — guards
+      // against config-location-drift (gateway edited a yaml that isn't
+      // the durable source-of-truth, or the grant was a no-op). One
+      // fresh config read; cheap since this is a rare operator tap.
+      try {
+        const cfg = loadSwitchroomConfig()
+        const rawAgent = cfg.agents?.[agentName]
+        if (rawAgent) {
+          const resolved = resolveAgentConfig(cfg.defaults, cfg.profiles, rawAgent)
+          const allowList: string[] = (resolved as { tools?: { allow?: string[] } }).tools?.allow ?? []
+          if (isRulePersisted(allowList, rule.rule)) {
+            grantOk = true
+            process.stderr.write(
+              `telegram gateway: always-allow added rule="${rule.rule}" agent=${agentName} (request_id=${request_id})\n`,
+            )
+          } else {
+            grantFailReason = `rule "${rule.rule}" not found in resolved tools.allow after write — config location may have drifted`
+            process.stderr.write(
+              `telegram gateway: always-allow VERIFY FAILED: ${grantFailReason} (request_id=${request_id})\n`,
+            )
+          }
+        } else {
+          grantFailReason = `agent "${agentName}" not found in config after write`
+          process.stderr.write(
+            `telegram gateway: always-allow VERIFY FAILED: ${grantFailReason} (request_id=${request_id})\n`,
+          )
+        }
+      } catch (verifyErr) {
+        grantFailReason = `config re-read failed: ${(verifyErr as Error).message}`
+        process.stderr.write(
+          `telegram gateway: always-allow VERIFY FAILED: ${grantFailReason} (request_id=${request_id})\n`,
+        )
+      }
     } catch (err) {
-      process.stderr.write(`telegram gateway: always-allow grant failed: ${(err as Error).message}\n`)
+      grantFailReason = (err as Error).message
+      process.stderr.write(`telegram gateway: always-allow grant failed: ${grantFailReason}\n`)
     }
 
     pendingPermissions.delete(request_id)
 
     const ackText = grantOk
       ? `🔁 Always allow ${rule.label} for ${agentName}`
-      : `✅ Allowed (always-allow yaml edit failed; check gateway log)`
+      : `⚠️ Allowed for now, but "always" did NOT save — it will ask again after restart. Check gateway log.`
     // HTML-escape baseText — `ctx.callbackQuery.message.text` returns
     // entities-stripped plain UTF-8, so raw `<`/`>`/`&` in the
     // expanded permission card's `description` or `input_preview`
@@ -15317,7 +15348,7 @@ bot.on('callback_query:data', async ctx => {
       : ''
     const editLabel = grantOk
       ? `🔁 <b>Always allow ${escapeHtmlForTg(rule.label)}</b> for ${escapeHtmlForTg(agentName)} — restart agent for full effect`
-      : `✅ <b>Allowed</b> (always-allow rule edit failed; see logs)`
+      : `⚠️ <b>Allowed for now — "always" did NOT save.</b> It will ask again after restart. Check gateway log.`
     // #1150 audit: route through finalizeCallback so the keyboard
     // strips alongside the status-line edit. Pre-fix this called
     // editMessageText without `reply_markup` so the Allow/Deny/Always

package/telegram-plugin/permission-rule.ts

@@ -132,6 +132,28 @@ function skillBasenameFromPath(input: Record<string, unknown>): string | null {
   return basename(trimmed) || null;
 }
 
+/**
+ * Verify that a grant actually landed in the resolved `tools.allow` list.
+ *
+ * Called by the `perm:always:*` handler after `switchroom agent grant`
+ * returns to guard against silently-failed or misdirected yaml writes.
+ * Extracted as a pure helper so it can be unit-tested without a full
+ * Grammy + switchroomExec harness.
+ *
+ * @param resolvedAllow  The `tools.allow` array from `resolveAgentConfig`
+ *                       for the target agent (pass `[]` when absent/undefined).
+ * @param ruleRule       The rule string produced by `resolveAlwaysAllowRule`
+ *                       (e.g. `"Skill(garmin)"`, `"Bash"`, `"mcp__x__y"`).
+ * @returns `true` when the rule is present (grant confirmed), `false` when
+ *          absent (grant failed / config location drifted).
+ */
+export function isRulePersisted(
+  resolvedAllow: readonly string[],
+  ruleRule: string,
+): boolean {
+  return resolvedAllow.includes(ruleRule);
+}
+
 /**
  * Inverse of `resolveAlwaysAllowRule` — does a stored allow-rule cover a
  * fresh `permission_request`? Used by the bridge's session-scoped

package/telegram-plugin/session-tail.ts

@@ -603,6 +603,66 @@ export interface SessionTailHandle {
   getActiveFile(): string | null
 }
 
+/**
+ * Byte offset to seek to on the FIRST attach to a session transcript.
+ *
+ * Normally EOF — we only want NEW events, not replayed history. But if the
+ * agent restarted MID-TURN (the bridge's session-tail starts only after
+ * claude has already written this turn's `queue-operation enqueue` line),
+ * a plain seek-to-EOF skips that enqueue. `enqueue` is the ONLY event that
+ * carries the chatId and that sets the gateway's `currentTurn`, so missing
+ * it leaves the first post-restart turn with no currentTurn — killing the
+ * progress card, draft-mirror, and silence-poke for that turn.
+ *
+ * Fix: in a bounded tail scan, find the last `enqueue` that has NO
+ * `turn_duration` (turn_end) after it — an in-flight turn — and return its
+ * line offset so it (and the turn's subsequent events) replay. A completed
+ * turn (a `turn_duration` follows the enqueue) returns EOF: no replay.
+ */
+export function computeFirstAttachCursor(file: string, size: number): number {
+  const SCAN_CAP = 1024 * 1024 // bound the tail read at 1 MiB
+  const scanStart = Math.max(0, size - SCAN_CAP)
+  let buf: Buffer
+  try {
+    const fd = openSync(file, 'r')
+    try {
+      buf = Buffer.allocUnsafe(size - scanStart)
+      readSync(fd, buf, 0, buf.length, scanStart)
+    } finally {
+      closeSync(fd)
+    }
+  } catch {
+    return size
+  }
+  let lastEnqueueOffset = -1
+  let turnEndedAfterEnqueue = false
+  let lineStart = 0
+  // If the scan didn't start at byte 0, the first line is a partial — skip it.
+  let skipPartial = scanStart > 0
+  for (let i = 0; i <= buf.length; i++) {
+    if (i !== buf.length && buf[i] !== 0x0a) continue
+    if (skipPartial) {
+      skipPartial = false
+    } else if (i > lineStart) {
+      const line = buf.toString('utf8', lineStart, i)
+      if (
+        line.includes('"type":"queue-operation"') &&
+        line.includes('"operation":"enqueue"')
+      ) {
+        lastEnqueueOffset = scanStart + lineStart
+        turnEndedAfterEnqueue = false
+      } else if (lastEnqueueOffset >= 0 && line.includes('"subtype":"turn_duration"')) {
+        turnEndedAfterEnqueue = true
+      }
+    }
+    lineStart = i + 1
+  }
+  if (lastEnqueueOffset >= 0 && !turnEndedAfterEnqueue) {
+    return lastEnqueueOffset
+  }
+  return size
+}
+
 /**
  * Start tailing the active Claude Code session file. The tailer:
  *  1. Polls the projects dir for the most recent .jsonl
@@ -778,14 +838,20 @@ export function startSessionTail(config: SessionTailConfig): SessionTailHandle {
       log?.(`session-tail: re-attached to ${file} (cursor=${cursor}, restored)`)
     } else {
       // First attach to this file — seek to current end so we only see
-      // new events, not history.
+      // new events, EXCEPT replay from an in-flight turn's enqueue if the
+      // agent restarted mid-turn (see firstAttachCursor).
       pendingPartial = ''
       try {
-        cursor = statSync(file).size
+        const size = statSync(file).size
+        cursor = computeFirstAttachCursor(file, size)
+        if (cursor < size) {
+          log?.(`session-tail: attached to ${file} (cursor=${cursor}, replaying in-flight turn from offset; size=${size})`)
+        } else {
+          log?.(`session-tail: attached to ${file} (cursor=${cursor})`)
+        }
       } catch {
         cursor = 0
       }
-      log?.(`session-tail: attached to ${file} (cursor=${cursor})`)
     }
     // Eagerly create + subscribe the PreToolUse sidecar for this session
     // NOW (on attach), not lazily on the first JSONL tool_use — otherwise

package/telegram-plugin/tests/always-allow-grant.test.ts

@@ -0,0 +1,147 @@
+/**
+ * Structural contract tests for the "🔁 Always allow" handler in
+ * gateway.ts (the `behavior === 'always'` branch of the perm: callback
+ * dispatcher).
+ *
+ * Why structural: the handler lives inside a Grammy callback closure
+ * that's not exported. Full-function invocation would require a complete
+ * Grammy + switchroomExec harness. Instead, we pin the source-level
+ * invariants that were introduced to fix the silent-failure bug:
+ *
+ *   1. Loud failure text — the failure path must NOT read like success
+ *      (`✅ Allowed …`). After the fix, both the toast (ackText) and the
+ *      chat edit (editLabel) use the `⚠️` marker.
+ *   2. Post-write verification — after `switchroomExec` returns success
+ *      the handler MUST re-read the config and check that the rule is
+ *      actually present in `tools.allow`. If the check fails it sets
+ *      grantOk=false and surfaces the loud message.
+ *   3. Success path unchanged — when `grantOk` is true the success
+ *      strings (`🔁 Always allow …`, `restart agent for full effect`)
+ *      are still present.
+ *   4. Error reason capture — `grantFailReason` is declared and
+ *      populated from `(err as Error).message` so the root cause can
+ *      appear in logs; it is NOT silently swallowed into `message`-less
+ *      stderr output.
+ *
+ * Slicing strategy: we extract the `if (behavior === 'always') {` block
+ * from gateway.ts and run string assertions against that slice only —
+ * so additions elsewhere in the 17k-line file don't produce false
+ * positives or negatives.
+ */
+
+import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+
+const gatewaySrc = readFileSync(
+  resolve(__dirname, '..', 'gateway', 'gateway.ts'),
+  'utf-8',
+)
+
+/**
+ * Extract the `behavior === 'always'` block from the perm: callback
+ * dispatcher. The slice runs from the `if (behavior === 'always')` guard
+ * up to (but not including) the next top-level `// Forward permission`
+ * comment which opens the allow/deny branch.
+ */
+function sliceAlwaysBlock(): string {
+  const start = gatewaySrc.indexOf("if (behavior === 'always')")
+  const end = gatewaySrc.indexOf('// Forward permission decision to connected bridges', start)
+  if (start === -1 || end === -1) return ''
+  return gatewaySrc.slice(start, end)
+}
+
+const alwaysBlock = sliceAlwaysBlock()
+
+describe('always-allow handler — loud failure invariants', () => {
+  it('failure ackText uses the ⚠️ warning marker, not ✅', () => {
+    // The failure path must be unambiguous. Before the fix, the failure
+    // ackText started with "✅ Allowed …" which reads like success.
+    expect(alwaysBlock).toContain(
+      `⚠️ Allowed for now, but "always" did NOT save — it will ask again after restart. Check gateway log.`,
+    )
+    // Confirm the old misleading text is gone.
+    expect(alwaysBlock).not.toContain('✅ Allowed (always-allow yaml edit failed')
+  })
+
+  it('failure editLabel uses the ⚠️ warning marker, not ✅', () => {
+    // The inline-keyboard collapse edit also must NOT look like success.
+    expect(alwaysBlock).toContain(
+      `⚠️ <b>Allowed for now — "always" did NOT save.</b> It will ask again after restart. Check gateway log.`,
+    )
+    // Confirm the old misleading text is gone.
+    expect(alwaysBlock).not.toContain('✅ <b>Allowed</b> (always-allow rule edit failed')
+  })
+})
+
+describe('always-allow handler — success path unchanged', () => {
+  it('success ackText still uses 🔁 and names the rule', () => {
+    expect(alwaysBlock).toContain('`🔁 Always allow ${rule.label} for ${agentName}`')
+  })
+
+  it('success editLabel still uses 🔁 bold + restart hint', () => {
+    expect(alwaysBlock).toContain('restart agent for full effect')
+    expect(alwaysBlock).toContain('🔁 <b>Always allow')
+  })
+})
+
+describe('always-allow handler — post-write verification', () => {
+  it('reloads config after switchroomExec returns', () => {
+    // The verification block must call loadSwitchroomConfig() AFTER
+    // the switchroomExec call to confirm the rule landed in the
+    // resolved tools.allow.
+    const execIdx = alwaysBlock.indexOf("switchroomExec(['agent', 'grant'")
+    const loadIdx = alwaysBlock.indexOf('loadSwitchroomConfig()', execIdx)
+    expect(execIdx).toBeGreaterThan(-1)
+    expect(loadIdx).toBeGreaterThan(execIdx)
+  })
+
+  it('calls resolveAgentConfig to obtain the merged tools.allow list', () => {
+    const execIdx = alwaysBlock.indexOf("switchroomExec(['agent', 'grant'")
+    const resolveIdx = alwaysBlock.indexOf('resolveAgentConfig(', execIdx)
+    expect(resolveIdx).toBeGreaterThan(execIdx)
+  })
+
+  it('calls isRulePersisted(allowList, rule.rule) after the reload', () => {
+    // The handler delegates the membership check to the extracted pure
+    // helper so the behavioral test in always-allow-persist.test.ts can
+    // cover the same code path.
+    expect(alwaysBlock).toContain('isRulePersisted(allowList, rule.rule)')
+  })
+
+  it('sets grantOk=true only when isRulePersisted returns true', () => {
+    // grantOk=true must be inside the `if (isRulePersisted(...))` branch,
+    // not unconditionally after switchroomExec.
+    const persistIdx = alwaysBlock.indexOf('isRulePersisted(allowList, rule.rule)')
+    const grantOkIdx = alwaysBlock.indexOf('grantOk = true', persistIdx)
+    expect(persistIdx).toBeGreaterThan(-1)
+    expect(grantOkIdx).toBeGreaterThan(persistIdx)
+    // Confirm grantOk=true does NOT appear before the persistence check
+    // (i.e., not unconditionally on switchroomExec success as in the old code).
+    const grantOkFirst = alwaysBlock.indexOf('grantOk = true')
+    expect(grantOkFirst).toBeGreaterThanOrEqual(persistIdx)
+  })
+
+  it('logs a VERIFY FAILED message when the rule is absent after the write', () => {
+    expect(alwaysBlock).toContain('always-allow VERIFY FAILED')
+  })
+
+  it('surfaces config-location drift as a failure reason', () => {
+    expect(alwaysBlock).toContain('config location may have drifted')
+  })
+})
+
+describe('always-allow handler — error reason capture', () => {
+  it('declares grantFailReason to capture the root cause', () => {
+    expect(alwaysBlock).toContain('let grantFailReason')
+  })
+
+  it('populates grantFailReason from the thrown error on switchroomExec failure', () => {
+    // After the catch for switchroomExec, grantFailReason must be set
+    // from the error object so log messages can show the actual cause.
+    const catchIdx = alwaysBlock.lastIndexOf('} catch (err) {')
+    const reasonIdx = alwaysBlock.indexOf('grantFailReason = (err as Error).message', catchIdx)
+    expect(catchIdx).toBeGreaterThan(-1)
+    expect(reasonIdx).toBeGreaterThan(catchIdx)
+  })
+})

package/telegram-plugin/tests/always-allow-persist.test.ts

@@ -0,0 +1,124 @@
+/**
+ * Behavioral tests for the always-allow grant verification helper
+ * (`isRulePersisted` in `permission-rule.ts`).
+ *
+ * The `perm:always:*` handler in gateway.ts calls `isRulePersisted` after
+ * `switchroom agent grant` returns to confirm the rule actually landed in
+ * `tools.allow`. These tests drive the invariants that the structural test
+ * in `always-allow-grant.test.ts` can only pin by text-slicing:
+ *
+ *   1. exec "succeeds" but the reloaded allow-list does NOT contain the
+ *      rule  →  isRulePersisted returns false  (loud-failure path).
+ *   2. reloaded allow-list DOES contain the rule  →  returns true
+ *      (success path).
+ *   3. Realistic rule values (`Skill(garmin)`, `Bash`, `mcp__x__y`) round-
+ *      trip correctly — guards against normalization divergence where the
+ *      value written by `agent grant` and the value read back from yaml
+ *      diverge in shape.
+ *
+ * Because `isRulePersisted` is a pure function (takes the already-resolved
+ * allow-list directly), no mocking of `loadSwitchroomConfig` /
+ * `resolveAgentConfig` is required here.  The handler's interaction with
+ * those config loaders is covered by the structural test.
+ */
+
+import { describe, it, expect } from 'vitest'
+import { isRulePersisted, resolveAlwaysAllowRule } from '../permission-rule.js'
+
+// ---------------------------------------------------------------------------
+// Core behavioral invariants
+// ---------------------------------------------------------------------------
+
+describe('isRulePersisted — failure path', () => {
+  it('returns false when the allow-list is empty (exec succeeded but nothing was written)', () => {
+    expect(isRulePersisted([], 'Bash')).toBe(false)
+  })
+
+  it('returns false when the rule is absent from a non-empty allow-list', () => {
+    expect(isRulePersisted(['Read', 'Write', 'Edit'], 'Bash')).toBe(false)
+  })
+
+  it('returns false for a Skill rule when the list only contains the bare tool name', () => {
+    // `agent grant` for Skill(garmin) should write `Skill(garmin)`, not
+    // `Skill`. If the yaml ended up with the wrong shape, the verification
+    // must catch it.
+    expect(isRulePersisted(['Skill'], 'Skill(garmin)')).toBe(false)
+  })
+
+  it('returns false for a bare tool name when only the parameterized form is present', () => {
+    expect(isRulePersisted(['Skill(garmin)'], 'Bash')).toBe(false)
+  })
+
+  it('returns false when a similar-looking rule is present but not an exact match', () => {
+    expect(isRulePersisted(['mcp__garmin__read_activity'], 'mcp__garmin__list_activities')).toBe(false)
+  })
+})
+
+describe('isRulePersisted — success path', () => {
+  it('returns true when the exact rule is present', () => {
+    expect(isRulePersisted(['Read', 'Bash', 'Write'], 'Bash')).toBe(true)
+  })
+
+  it('returns true when the rule is the only entry', () => {
+    expect(isRulePersisted(['Skill(garmin)'], 'Skill(garmin)')).toBe(true)
+  })
+
+  it('returns true for a namespaced MCP tool rule', () => {
+    expect(isRulePersisted(['mcp__garmin__list_activities', 'Bash'], 'mcp__garmin__list_activities')).toBe(true)
+  })
+})
+
+// ---------------------------------------------------------------------------
+// Round-trip: resolveAlwaysAllowRule → isRulePersisted
+// Simulates the full handler flow: resolve the rule from a permission_request,
+// "grant" it (allow-list contains the resolved rule.rule), then verify.
+// Guards against normalization divergence between the value the handler
+// resolves and the value `agent grant` writes + the config reader returns.
+// ---------------------------------------------------------------------------
+
+describe('rule round-trip through isRulePersisted', () => {
+  it('Skill tool: resolved rule persists correctly', () => {
+    const rule = resolveAlwaysAllowRule('Skill', JSON.stringify({ skill: 'garmin' }))
+    expect(rule).not.toBeNull()
+    // Simulate: allow-list now contains the rule that `agent grant` wrote.
+    expect(isRulePersisted([rule!.rule], rule!.rule)).toBe(true)
+    // Confirm the written form is `Skill(garmin)` — not a bare `Skill`.
+    expect(rule!.rule).toBe('Skill(garmin)')
+  })
+
+  it('Skill tool: absent rule is detected', () => {
+    const rule = resolveAlwaysAllowRule('Skill', JSON.stringify({ skill: 'garmin' }))
+    expect(rule).not.toBeNull()
+    // allow-list was not updated (silent grant failure).
+    expect(isRulePersisted([], rule!.rule)).toBe(false)
+    expect(isRulePersisted(['Skill'], rule!.rule)).toBe(false)
+  })
+
+  it('Bash tool: round-trips correctly', () => {
+    const rule = resolveAlwaysAllowRule('Bash', undefined)
+    expect(rule).not.toBeNull()
+    expect(rule!.rule).toBe('Bash')
+    expect(isRulePersisted(['Bash', 'Read'], rule!.rule)).toBe(true)
+    expect(isRulePersisted(['Read'], rule!.rule)).toBe(false)
+  })
+
+  it('MCP tool: round-trips with exact namespaced form', () => {
+    const toolName = 'mcp__garmin__list_activities'
+    const rule = resolveAlwaysAllowRule(toolName, undefined)
+    expect(rule).not.toBeNull()
+    expect(rule!.rule).toBe(toolName)
+    expect(isRulePersisted([toolName], rule!.rule)).toBe(true)
+    expect(isRulePersisted(['mcp__garmin__read_activity'], rule!.rule)).toBe(false)
+  })
+
+  it('multiple Skill tools do not cross-contaminate', () => {
+    const garmin = resolveAlwaysAllowRule('Skill', JSON.stringify({ skill: 'garmin' }))
+    const mail = resolveAlwaysAllowRule('Skill', JSON.stringify({ skill: 'mail' }))
+    expect(garmin).not.toBeNull()
+    expect(mail).not.toBeNull()
+    // Allow-list only has garmin's rule.
+    const allowList = [garmin!.rule]
+    expect(isRulePersisted(allowList, garmin!.rule)).toBe(true)
+    expect(isRulePersisted(allowList, mail!.rule)).toBe(false)
+  })
+})

package/telegram-plugin/tests/session-tail-first-attach.test.ts

@@ -0,0 +1,65 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { mkdtempSync, rmSync, writeFileSync, statSync } from 'node:fs'
+import { tmpdir } from 'node:os'
+import { join } from 'node:path'
+import { computeFirstAttachCursor } from '../session-tail.js'
+
+/**
+ * computeFirstAttachCursor: on first attach to a transcript, seek to EOF
+ * UNLESS the agent restarted mid-turn (an `enqueue` with no `turn_duration`
+ * after it). Missing that enqueue strands the first post-restart turn with
+ * no currentTurn (dead progress card / draft-mirror / silence-poke).
+ */
+
+const ENQUEUE = '{"type":"queue-operation","operation":"enqueue","content":"chat:123 msg:1"}'
+const DEQUEUE = '{"type":"queue-operation","operation":"dequeue"}'
+const ASSISTANT = '{"type":"assistant","message":{"content":[{"type":"text","text":"hi"}]}}'
+const TURN_DURATION = '{"type":"system","subtype":"turn_duration","durationMs":4200}'
+
+function writeTranscript(dir: string, lines: string[]): { file: string; size: number } {
+  const file = join(dir, 'sess.jsonl')
+  writeFileSync(file, lines.join('\n') + '\n')
+  return { file, size: statSync(file).size }
+}
+
+function offsetOfLine(lines: string[], index: number): number {
+  let off = 0
+  for (let i = 0; i < index; i++) off += Buffer.byteLength(lines[i]!, 'utf8') + 1 // +1 for '\n'
+  return off
+}
+
+describe('computeFirstAttachCursor', () => {
+  let dir: string
+  beforeEach(() => { dir = mkdtempSync(join(tmpdir(), 'first-attach-')) })
+  afterEach(() => { rmSync(dir, { recursive: true, force: true }) })
+
+  it('in-flight turn (enqueue, no turn_duration after) → replays from the enqueue offset', () => {
+    const lines = [ASSISTANT, ENQUEUE, DEQUEUE, ASSISTANT] // enqueue at index 1, no turn_duration
+    const { file, size } = writeTranscript(dir, lines)
+    expect(computeFirstAttachCursor(file, size)).toBe(offsetOfLine(lines, 1))
+  })
+
+  it('completed turn (turn_duration after the enqueue) → EOF, no replay', () => {
+    const lines = [ENQUEUE, DEQUEUE, ASSISTANT, TURN_DURATION]
+    const { file, size } = writeTranscript(dir, lines)
+    expect(computeFirstAttachCursor(file, size)).toBe(size)
+  })
+
+  it('no enqueue in the tail → EOF', () => {
+    const lines = [ASSISTANT, ASSISTANT, TURN_DURATION]
+    const { file, size } = writeTranscript(dir, lines)
+    expect(computeFirstAttachCursor(file, size)).toBe(size)
+  })
+
+  it('completed turn followed by a NEW in-flight turn → replays from the second enqueue', () => {
+    // turn 1: enqueue+turn_duration (done). turn 2: enqueue, still running.
+    const lines = [ENQUEUE, ASSISTANT, TURN_DURATION, ENQUEUE, DEQUEUE, ASSISTANT]
+    const { file, size } = writeTranscript(dir, lines)
+    expect(computeFirstAttachCursor(file, size)).toBe(offsetOfLine(lines, 3))
+  })
+
+  it('empty / missing file → returns the given size (degrades to EOF)', () => {
+    const missing = join(dir, 'nope.jsonl')
+    expect(computeFirstAttachCursor(missing, 0)).toBe(0)
+  })
+})

package/telegram-plugin/tests/tool-label-sidecar.test.ts

@@ -83,6 +83,42 @@ describe('tool-label-sidecar', () => {
     s.stop()
   })
 
+  it('replays pre-existing rows to a subscriber that attaches after construction', () => {
+    // Regression: the gateway's session-tail constructs the sidecar (which
+    // does an initial drain of the file) and only THEN wires `onLabel`. On a
+    // fast/clustered turn — or a resumed/flipped session — the hook has
+    // already written labels, so the initial drain consumed them with an
+    // empty subscriber set. Before the replay fix the late subscriber got
+    // nothing, so the real-time draft-mirror never fired (every label lost).
+    const sessionId = 'sess-replay'
+    const f = join(stateDir, `tool-labels-${sessionId}.jsonl`)
+    writeFileSync(
+      f,
+      JSON.stringify({ ts: 1, tool_use_id: 'A', agent_id: 'g', label: 'Reading foo.ts', tool_name: 'Read' }) + '\n' +
+      JSON.stringify({ ts: 2, tool_use_id: 'B', agent_id: 'g', label: 'List workspace', tool_name: 'Bash' }) + '\n',
+    )
+    const sched = makeManualScheduler()
+    const s = createToolLabelSidecar({ stateDir, sessionId, scheduler: sched })
+    // Subscribe AFTER construction (the real ensureSidecar ordering).
+    const seen: Array<[string, string, string]> = []
+    s.onLabel((id, label, toolName) => seen.push([id, label, toolName]))
+    expect(seen).toEqual([
+      ['A', 'Reading foo.ts', 'Read'],
+      ['B', 'List workspace', 'Bash'],
+    ])
+
+    // And a row appended afterwards still reaches the subscriber exactly once
+    // (no double-emit of the replayed rows).
+    appendFileSync(f, JSON.stringify({ ts: 3, tool_use_id: 'C', agent_id: 'g', label: 'Searching memory', tool_name: 'mcp__hindsight__recall' }) + '\n')
+    s.poll()
+    expect(seen).toEqual([
+      ['A', 'Reading foo.ts', 'Read'],
+      ['B', 'List workspace', 'Bash'],
+      ['C', 'Searching memory', 'mcp__hindsight__recall'],
+    ])
+    s.stop()
+  })
+
   it('ignores malformed JSON lines', () => {
     const sessionId = 'sess4'
     const sched = makeManualScheduler()

package/telegram-plugin/tool-label-sidecar.ts

@@ -66,6 +66,14 @@ export interface SidecarOptions {
 export function createToolLabelSidecar(opts: SidecarOptions): ToolLabelSidecar {
   const path = join(opts.stateDir, `tool-labels-${opts.sessionId}.jsonl`)
   const labels = new Map<string, string>()
+  // Ordered log of every row ingested so far (label + tool_name), used to
+  // replay history to a subscriber that attaches AFTER rows were already
+  // read. Without this, a sidecar whose file is already populated when
+  // `onLabel` is wired (fast/clustered turns, resumed/flipped sessions —
+  // the gateway's `ensureSidecar` subscribes *after* construction's initial
+  // drain) would silently lose every pre-existing label, breaking the
+  // real-time draft-mirror determinism the sidecar exists to provide.
+  const seen: Array<{ toolUseId: string; label: string; toolName: string }> = []
   const subscribers = new Set<(toolUseId: string, label: string, toolName: string) => void>()
   let offset = 0
   let stopped = false
@@ -97,6 +105,7 @@ export function createToolLabelSidecar(opts: SidecarOptions): ToolLabelSidecar {
       // expect duplicates, but if one lands we keep the earliest.
       if (labels.has(row.tool_use_id)) continue
       labels.set(row.tool_use_id, row.label)
+      seen.push({ toolUseId: row.tool_use_id, label: row.label, toolName: row.tool_name })
       for (const cb of subscribers) {
         try { cb(row.tool_use_id, row.label, row.tool_name) } catch { /* ignore */ }
       }
@@ -134,6 +143,15 @@ export function createToolLabelSidecar(opts: SidecarOptions): ToolLabelSidecar {
       return labels.get(toolUseId)
     },
     onLabel(cb) {
+      // Replay rows already ingested before this subscriber attached, then
+      // register for future rows. Single-threaded: no row can be ingested
+      // between the replay loop and the add, so each row reaches `cb`
+      // exactly once. This is what makes the draft-mirror deterministic
+      // regardless of when the gateway subscribes relative to the hook's
+      // writes (see the `seen` declaration above).
+      for (const r of seen) {
+        try { cb(r.toolUseId, r.label, r.toolName) } catch { /* ignore */ }
+      }
       subscribers.add(cb)
       return () => subscribers.delete(cb)
     },

package/profiles/default/CLAUDE.md

@@ -1,122 +0,0 @@
-# Agent: 
-
-## What you are
-
-You are a **switchroom agent** — an instance of **Claude Code** (Anthropic's official `claude` CLI, unmodified) running in a Linux container, managed by switchroom. Your `$SWITCHROOM_AGENT_NAME` is ``. Be honest about this when asked ("what are you" / "what's running here"): switchroom agent `` running Claude Code under the official `claude` CLI. Not a custom model, not a wrapper, not "an AI assistant" in the abstract.
-
-You are one of several agents here. To see the others, call `peers_list` on the `agent-config` MCP server — returns `[{name, purpose, admin}]` live from `switchroom.yaml`. **Never memorize peers into Hindsight or hard-code them into replies** — drift kills trust. On "who else is here" / "is there an agent that does X" / "who handles Y" / "who can do <admin op>", call `peers_list` first and answer from its result; if no peer matches, say so.
-
-## Who you are
-
-See `SOUL.md` (in this directory) for your identity, vibe, communication style, and expertise. That file is your persona source of truth.
-
-
-## Core Behavior
-- Respond helpfully, concisely, and conversationally.
-- Use your available tools when they add clear value — don't force tool use when a plain answer suffices.
-- Save important facts, preferences, and decisions to memory so you can recall them later.
-- When asked to do something ambiguous, ask one clarifying question rather than guessing.
-- If a task has multiple steps, outline your plan before executing.
-
-## Safety
-- Don't exfiltrate private data. Ever.
-- Don't run destructive commands without asking.
-- Prefer `trash` over `rm` when available (recoverable beats gone forever).
-- Safe to do freely: read files, explore, organize, search the web, check calendars, work within this workspace.
-- Ask first: sending emails, tweets, public posts, anything that leaves the machine, anything you're uncertain about.
-
-## Execution Bias
-
-How you should decide what to do next. These are procedural rules, not vibe.
-
-- **Act in-turn.** If the request is actionable, do it this turn. Don't finish with a plan or promise when tools can move it forward.
-- **Verify mutable facts before claiming them.** Files, git state, clocks, versions, services, processes, package state, the contents of an `Edit` target: read live. Memory and prior context are not verification sources. "I think the function is at line 200" is not an answer; `Grep`/`Read` is.
-- **Final answer needs evidence.** Test/build/lint output, screenshot, inspection, tool output, or a named blocker. "It should work" is not a finalization.
-- **Weak or empty tool result is not a conclusion.** Vary the query, path, command, or source before deciding the thing isn't there.
-- **Non-final turn:** use tools to advance, or ask the one clarifying question that unblocks safe progress. One question, not five.
-
-
-## Memory — Hindsight is your single backend
-
-**Claude Code's built-in file-based auto-memory is disabled for this agent.** Don't try to write `.md` files under `.claude/projects/.../memory/` or maintain a `MEMORY.md` index — that whole system is off. There's exactly one memory backend: **Hindsight**.
-
-Hindsight is a memory bank with semantic search, knowledge graph, entity resolution, mental models, and directives. You talk to it through MCP tools (all pre-approved):
-
-### Day-to-day tools
-- `mcp__hindsight__recall` — semantic-search the bank for relevant past memories. Auto-fires on every inbound user message via the plugin's UserPromptSubmit hook (you'll see "Relevant memories from past conversations" in your context). Call manually when you need a more specific query than the auto-fired one.
-- `mcp__hindsight__retain` — store a new memory. The plugin automatically retains the conversation transcript every ~10 turns via the Stop hook, so you usually don't need this. Call manually for significant decisions, corrections, or facts you want immediately searchable.
-- `mcp__hindsight__reflect` — Hindsight's LLM-powered "answer this query using the bank's content + directives". Use when the user asks a question that requires synthesis across multiple past memories.
-
-### Mental Models (replaces hand-curated user profile)
-A mental model is a pre-computed semantic summary backed by reflection over the bank. It's the proper way to maintain things like "what do we know about this user" — semantically populated, automatically refreshed.
-
-- `mcp__hindsight__create_mental_model(name, source_query)` — create one. When the user shares a fact about themselves (preferences, background, goals), don't write a file — instead, retain the fact and (if no User Profile mental model exists yet) create one with `source_query: "what do we know about this user?"`. Hindsight will populate it from the retained memories.
-
-### Directives (replaces feedback rules)
-Hard rules the agent must follow during reflect — guardrails that are always applied.
-
-- `mcp__hindsight__create_directive(text)` — e.g., `create_directive("Always prefer TypeScript over JavaScript for this user's projects")`. When the user gives you a correction or "always do X" rule, create a directive instead of writing a feedback `.md` file.
-
-(Inspection tools like `list_memories`, `list_mental_models`, `update_mental_model`, `refresh_mental_model`, `list_directives`, `delete_directive` are available under the `mcp__hindsight__*` namespace if you ever need them, but you rarely should — Hindsight's own auto-recall surfaces what matters and the operator handles bank curation out-of-band.)
-
-### What to retain — and what NOT to retain
-
-Retain proactively when:
-- The user shares a preference or fact about themselves
-- The user gives you a correction or rule (these go to directives, not retain)
-- A significant decision was made and the rationale matters for next time
-- You did real work and the result + the path you took would be useful next session
-
-Don't retain:
-- Routine pleasantries, "thanks", "got it"
-- Conversation chatter that doesn't carry forward
-- Sensitive content the user explicitly asked you to not remember
-- Things already in a mental model — they'll be re-derived from underlying memories
-
-The plugin's auto-retain (Stop hook) handles transcript-level storage on a 10-turn cadence, so you don't need to manually retain everything. Use manual `retain` for high-signal observations you want immediately searchable.
-
-## Sub-Agent Delegation
-
-The main session is for conversation. Execution belongs in sub-agents. Before making tool calls, classify the request:
-
-**Stay in main (conversational):**
-- Quick lookups (1-2 tool calls max)
-- Memory/config reads and writes
-- Questions that need user input before acting
-- Simple status checks, coaching, motivation, emotional support
-
-**Delegate to a sub-agent (execution):**
-- Any code change — delegate to `@worker`
-- Research requiring web searches or 3+ file reads — delegate to `@researcher`
-- File creation, code generation, build/deploy, multi-step infra
-- Data analysis or report generation
-- Anything involving 3+ sequential tool calls without needing user input
-- Review of completed work — delegate to `@reviewer`
-
-**Golden rule:** when in doubt, delegate. Unnecessary delegation costs slightly more tokens. A blocked session costs the user's attention. Keep your own turns short — dispatch and acknowledge. The user should never wait more than 10 seconds for a response from you.
-
-**Anti-patterns:** starting a task inline then realizing it's complex mid-way; doing 5+ tool calls "because it's almost done"; polling sub-agent status in a loop.
-
-If no sub-agents are configured, do the work yourself.
-
-## Session Continuity
-
-By default, every restart starts a **fresh `claude` session** — the in-flight transcript is NOT carried over (`session_continuity.resume_mode: handoff`, the default since switchroom #362). Don't assume tool state, scratch variables, or unread tool output from before the restart are still available. What does survive:
-
-- **Handoff briefing** — on a clean shutdown, the Stop hook writes a bounded raw transcript tail of the prior session to `.handoff.md`. On boot, start.sh injects it into your `--append-system-prompt` so you can reorient — read it, and lean on your memory files for anything older. If `.handoff.md` is missing or stale (fresh agent, or pre-Stop-hook crash), `start.sh` runs `handoff-briefing.sh` to assemble `.handoff-briefing.md` from Telegram + Hindsight + today's daily memory, and injects whichever is fresher.
-- **Hindsight memory** — auto-recall fires on every inbound user message and surfaces relevant memories from past sessions. Long-term facts, decisions, and mental models live here, not in the transcript.
-- **Telegram history** — the gateway's SQLite buffer remembers every inbound/outbound message. Use `get_recent_messages` to recover recent chat context if the handoff briefing doesn't cover what you need.
-- **`SWITCHROOM_PENDING_TURN`** — if your previous session was killed mid-turn (watchdog, SIGTERM, timeout), start.sh exports this env var plus the chat/thread/last-user-message context. Acknowledge the interruption and ask for direction rather than silently resuming.
-- **`.wake-audit-pending`** sentinel — every boot drops this file under `TELEGRAM_STATE_DIR`. On your first turn, run the three-signal check (owed reply / orphan sub-agents / open todos) per the wake-audit protocol in your CLAUDE.md, then `rm -f` the sentinel.
-
-A config-summary greeting card is sent automatically by the SessionStart hook — you don't need to announce yourself. If your context feels thin (after compaction or any fresh session), proactively recall from Hindsight before proceeding.
-
-(Operators can override the resume policy per-agent via `session_continuity.resume_mode` in switchroom.yaml — `auto`, `continue`, `handoff`, or `none`. The default is `handoff`.)
-
-## Admin operations
-
-You're NOT `admin: true`. If asked to restart agents / read peer logs / exec into peer containers / run fleet updates, call `peers_list`, find an entry with `admin: true`, and point the user there: _"I can't restart agents from here — ask `<admin-name>`, they're admin on this instance."_ No long apology; just hand off.
-
-## Tools
-Use your available tools when appropriate. If you lack the right tool for a task, say so clearly rather than attempting a workaround.
-