npm - teleton - Versions diffs - 0.8.3 → 0.8.4 - Mend

teleton 0.8.3 → 0.8.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +230 -294
package/dist/{bootstrap-DDFVEMYI.js → bootstrap-NNEI3Z5H.js} +3 -5
package/dist/{chunk-OIMAE24Q.js → chunk-5LOHRZYY.js} +15 -4
package/dist/{chunk-2ERTYRHA.js → chunk-G7PCW63M.js} +10 -10
package/dist/chunk-JROBTXWY.js +908 -0
package/dist/{chunk-7MWKT67G.js → chunk-LZQOX6YY.js} +13 -670
package/dist/{chunk-AERHOXGC.js → chunk-NH2CNRKJ.js} +223 -91
package/dist/{chunk-33Z47EXI.js → chunk-UMUONAD6.js} +11 -13
package/dist/cli/index.js +13 -16
package/dist/index.js +4 -5
package/dist/{server-N4T7E25M.js → server-AJCOURH7.js} +4 -5
package/dist/{server-JF6FX772.js → server-WWGVDFPW.js} +5 -6
package/dist/{setup-server-IX3BFPPH.js → setup-server-VDY64CWW.js} +3 -3
package/package.json +1 -1
package/dist/chunk-AEHTQI3H.js +0 -142
package/dist/chunk-FUNF6H4W.js +0 -251

package/README.md CHANGED Viewed

@@ -19,15 +19,23 @@
 ### Key Highlights
-- **Full Telegram access** - Operates as a real user via MTProto (GramJS), not a limited bot
-- **Agentic loop** - Up to 5 iterations of tool calling per message, the agent thinks, acts, observes, and repeats
-- **Multi-Provider LLM** - Anthropic, Claude Code, OpenAI, Google Gemini, xAI Grok, Groq, OpenRouter, Moonshot, Mistral, Cerebras, ZAI, MiniMax, Hugging Face, Cocoon, Local (15 providers)
-- **TON Blockchain** - Built-in W5R1 wallet, send/receive TON & jettons, swap on STON.fi and DeDust, NFTs, DNS domains
-- **Persistent memory** - Hybrid RAG (sqlite-vec + FTS5), auto-compaction with AI summarization, daily logs
-- **125+ built-in tools** - Messaging, media, blockchain, DEX trading, deals, DNS, exec, journaling, and more
-- **Plugin SDK** - Extend the agent with custom tools, frozen SDK with isolated databases, secrets management, lifecycle hooks
-- **MCP Client** - Connect external tool servers (stdio/SSE/Streamable HTTP) with 2 lines of YAML, no code, no rebuild
-- **Secure by design** - Prompt injection defense, sandboxed workspace, plugin isolation, wallet encryption
+<table>
+<tr>
+<td align="center" width="33%"><br><b><ins>Full Telegram Access</ins></b><br>Real user via MTProto,<br>not a bot<br><br></td>
+<td align="center" width="33%"><br><b><ins>Agentic Loop</ins></b><br>Think, act, observe, repeat<br>until shit gets done<br><br></td>
+<td align="center" width="33%"><br><b><ins>15 LLM Providers</ins></b><br>Anthropic, OpenAI, Google, xAI, Groq, and more<br><br></td>
+</tr>
+<tr>
+<td align="center"><br><b><ins>TON Blockchain</ins></b><br>Wallet, jettons, DEX swaps, DNS, NFTs<br><br></td>
+<td align="center"><br><b><ins>Persistent Memory</ins></b><br>Hybrid RAG, vector + keyword, auto-compaction<br><br></td>
+<td align="center"><br><b><ins>125+ Built-in Tools</ins></b><br>Messaging, media, crypto, DEX, DNS, files<br><br></td>
+</tr>
+<tr>
+<td align="center"><br><b><ins>Plugin SDK</ins></b><br>Custom tools, isolated DBs, secrets, hooks<br><br></td>
+<td align="center"><br><b><ins>MCP Client</ins></b><br>Connect any MCP tool server<br><br></td>
+<td align="center"><br><b><ins>Secure by Design</ins></b><br>Sandbox, plugin isolation, prompt defense<br><br></td>
+</tr>
+</table>
 ---
@@ -35,39 +43,40 @@
 ### Tool Categories
-| Category      | Tools | Description                                                                                                        |
-| ------------- | ----- | ------------------------------------------------------------------------------------------------------------------ |
-| Telegram      | 77    | Messaging, media, chats, groups, polls, stickers, gifts, stars, stories, contacts, folders, profile, memory, tasks, voice transcription, scheduled messages |
-| TON & Jettons | 15    | W5R1 wallet, send/receive TON & jettons, balances, prices, holders, history, charts, NFTs, smart DEX router        |
-| STON.fi DEX   | 5     | Swap, quote, search, trending tokens, liquidity pools                                                              |
-| DeDust DEX    | 5     | Swap, quote, pools, prices, token analytics (holders, top traders, buy/sell tax)                                   |
-| TON DNS       | 8     | Domain auctions, bidding, linking/unlinking, TON Site hosting, resolution, availability checks                      |
-| Deals         | 5     | P2P escrow with inline buttons, on-chain payment verification, anti double-spend                                   |
-| Journal       | 3     | Trade/operation logging with P&L tracking and natural language queries                                             |
-| Web           | 2     | Web search and page extraction via Tavily (search, fetch/extract)                                                  |
-| Workspace     | 6     | Sandboxed file operations with path traversal protection                                                           |
-| Exec          | 4     | System execution (YOLO mode) — shell commands, file read/write, process management (off by default, admin-only)    |
+| Category      | Tools | Description                                                    |
+| ------------- | ----- | -------------------------------------------------------------- |
+| Telegram      | 77    | Messages, media, chats, polls, stickers, gifts, stars, stories |
+| TON & Jettons | 15    | Wallet, send/receive, balances, prices, NFTs, DEX router       |
+| STON.fi DEX   | 5     | Swap, quote, search, trending, pools                           |
+| DeDust DEX    | 5     | Swap, quote, pools, prices, token analytics                    |
+| TON DNS       | 8     | Auctions, bidding, linking, TON Sites, resolution              |
+| Deals         | 5     | P2P escrow, on-chain verification, anti double-spend           |
+| Journal       | 3     | Trade logging, P&L tracking, natural language queries          |
+| Web           | 2     | Search and page extraction via Tavily                          |
+| Workspace     | 6     | Sandboxed file operations, path traversal protection           |
+| Exec          | 4     | Shell, files, processes (off by default, admin-only)           |
 ### Advanced Capabilities
-| Capability              | Description                                                                                                                 |
-| ----------------------- | --------------------------------------------------------------------------------------------------------------------------- |
-| **Multi-Provider LLM**  | Switch between Anthropic, Claude Code, OpenAI, Google, xAI, Groq, OpenRouter, Moonshot, Mistral, Cerebras, ZAI, MiniMax, Hugging Face, Cocoon, or Local — Dashboard validates API key before switching |
-| **RAG + Hybrid Search** | Local ONNX embeddings (384d) or Voyage AI (512d/1024d) with FTS5 keyword + sqlite-vec cosine similarity, fused via RRF      |
-| **Auto-Compaction**     | AI-summarized context management prevents overflow, preserves key information in `memory/*.md` files                        |
-| **Observation Masking** | Compresses old tool results to one-line summaries, saving ~90% context window                                               |
-| **Plugin SDK**          | Frozen namespaced SDK (`sdk.ton`, `sdk.telegram`, `sdk.secrets`, `sdk.storage`) with isolated databases and lifecycle hooks |
-| **Smart DEX Router**    | `dex_quote` compares STON.fi vs DeDust in parallel, recommends the best rate                                                |
-| **Vision Analysis**     | Image understanding via multimodal LLM (utility model)                                                                      |
-| **Scheduled Tasks**     | Time-based task execution with DAG dependency resolution                                                                    |
-| **Message Debouncing**  | Intelligent batching of rapid group messages (DMs are always instant)                                                       |
-| **Daily Logs**          | Automatic session summaries preserved across resets                                                                         |
-| **Multi-Policy Access** | Configurable DM/group policies (open, allowlist, admin-only, disabled) with per-group module permissions                    |
-| **Tool RAG**            | Semantic tool selection (enabled by default) - sends only the top-K most relevant tools per message (hybrid vector + FTS5, configurable `top_k`, `always_include` patterns) |
-| **MCP Client**          | Connect external MCP tool servers (stdio, SSE, or Streamable HTTP) - auto-discovery, namespaced tools, managed via CLI or WebUI |
-| **System Execution**    | YOLO mode — 4 system tools (shell, file read/write, process list) with audit logging, configurable timeout, admin-only scope (off by default) |
-| **TON Proxy**           | Browse .ton domains via Tonutils-Proxy HTTP proxy, auto-downloads binary from GitHub, PID-based orphan cleanup, configurable port |
-| **Sandboxed Workspace** | Secure file system with recursive URL decoding, symlink detection, and immutable config files                               |
+| Capability              | Description                                                              |
+| ----------------------- | ------------------------------------------------------------------------ |
+| **Multi-Provider LLM**  | 15 providers, hot-swap from dashboard or CLI                             |
+| **RAG + Hybrid Search** | Vector (sqlite-vec) + keyword (FTS5) fused search                        |
+| **Auto-Compaction**     | AI summarizes old context, saves to `memory/*.md`                        |
+| **Observation Masking** | Compresses old tool results, saves ~90% context                          |
+| **Plugin SDK**          | Frozen SDK, isolated DBs, secrets, lifecycle hooks                       |
+| **Smart DEX Router**    | Compares STON.fi vs DeDust, picks best rate                              |
+| **Vision Analysis**     | Image understanding via utility model                                    |
+| **Scheduled Tasks**     | Cron-like tasks with dependency chains                                   |
+| **Message Debouncing**  | Batches rapid group messages, DMs stay instant                           |
+| **Daily Logs**          | Auto session summaries, persisted across resets                          |
+| **Multi-Policy Access** | DM/group policies (open, allowlist, admin-only, disabled), per-group     |
+| **Tool RAG**            | Sends only top-K relevant tools per message                              |
+| **MCP Client**          | stdio, SSE, Streamable HTTP, auto-discovery, CLI or WebUI               |
+| **System Execution**    | YOLO mode: shell, files, processes (off by default, admin-only)          |
+| **TON Proxy**           | Browse .ton domains via HTTP proxy, auto-installed                       |
+| **Management API**      | HTTPS control plane for remote admin, bootstrap mode, lifecycle control  |
+| **Sandboxed Workspace** | Path traversal protection, symlink detection, immutable configs          |
 ---
@@ -105,35 +114,21 @@ cd teleton-agent
 npm install && npm run build
 ```
-### 2. Setup
+### 2. Setup & Start
 ```bash
-teleton setup
+teleton setup --ui
 ```
-The wizard will configure:
-- LLM provider selection (15 providers: Anthropic, Claude Code, OpenAI, Google, xAI, Groq, OpenRouter, Moonshot, Mistral, Cerebras, ZAI, MiniMax, Hugging Face, Cocoon, Local)
-- Telegram authentication (API credentials, phone, login code)
-- Access policies (DM/group response rules)
-- Admin user ID
-- TON wallet generation (W5R1 with 24-word mnemonic)
-- Workspace initialization (SOUL.md, STRATEGY.md, SECURITY.md, MEMORY.md)
+The WebUI wizard walks you through everything: LLM provider, Telegram auth (QR code or phone), access policies, admin ID, TON wallet, and workspace files. Once done, the agent starts automatically.
-Configuration files created:
-- `~/.teleton/config.yaml` - Main configuration
-- `~/.teleton/wallet.json` - TON wallet (backup mnemonic securely)
-- `~/.teleton/memory.db` - SQLite database (WAL mode, sqlite-vec, FTS5)
-- `~/.teleton/workspace/` - Sandboxed file storage
-### 3. Start
-If setup completed without errors, your agent is ready to go:
+To restart later with the dashboard:
 ```bash
-teleton start
+teleton start --webui
 ```
-### 4. Verify
+### 3. Verify
 Send a message to your agent on Telegram:
@@ -198,25 +193,31 @@ ton_proxy:                   # Optional: .ton domain proxy
 ### Supported Models
-All models are defined in `src/config/model-catalog.ts` and shared across the CLI setup, WebUI setup wizard, and Dashboard. To add a model, add it there — it will appear everywhere automatically.
-| Provider | Models |
-|----------|--------|
-| **Anthropic** | Claude Opus 4.6, Claude Opus 4.5, Claude Sonnet 4.6, Claude Haiku 4.5 |
-| **Claude Code** | Same as Anthropic (auto-detected credentials) |
-| **OpenAI** | GPT-5, GPT-5 Pro, GPT-5 Mini, GPT-5.1, GPT-4o, GPT-4.1, GPT-4.1 Mini, o4 Mini, o3, Codex Mini |
-| **Google** | Gemini 3 Pro (preview), Gemini 3 Flash (preview), Gemini 2.5 Pro, Gemini 2.5 Flash, Gemini 2.5 Flash Lite, Gemini 2.0 Flash |
-| **xAI** | Grok 4.1 Fast, Grok 4 Fast, Grok 4, Grok Code, Grok 3 |
-| **Groq** | Llama 4 Maverick, Qwen3 32B, DeepSeek R1 70B, Llama 3.3 70B |
-| **OpenRouter** | Claude Opus/Sonnet, GPT-5, Gemini, DeepSeek R1/V3, Qwen3 Coder/Max/235B, Nemotron, Sonar Pro, MiniMax, Grok 4 |
-| **Moonshot** | Kimi K2.5, Kimi K2 Thinking |
-| **Mistral** | Devstral Small/Medium, Mistral Large, Magistral Small |
-| **Cerebras** | Qwen 3 235B, GPT OSS 120B, ZAI GLM-4.7, Llama 3.1 8B |
-| **ZAI** | GLM-5, GLM-4.7, GLM-4.7 Flash (free), GLM-4.6, GLM-4.5 Flash (free), GLM-4.5V |
-| **MiniMax** | MiniMax M2.5, MiniMax M2.5 Fast, MiniMax M2.1, MiniMax M2 |
-| **Hugging Face** | DeepSeek V3.2, DeepSeek R1, Qwen3 235B, Qwen3 Coder 480B, Qwen3 Next 80B, Kimi K2.5, GLM-4.7 Flash, GLM-5 |
-| **Cocoon** | Qwen/Qwen3-32B (decentralized, pays in TON) |
-| **Local** | Auto-detected (Ollama, vLLM, LM Studio) |
+70+ models across 15 providers. Defined in `src/config/model-catalog.ts`, shared across CLI, WebUI, and Dashboard.
+<table>
+<tr>
+<td align="center" width="20%"><br><b>Anthropic</b><br>Claude Opus 4.6<br><br></td>
+<td align="center" width="20%"><br><b>Claude Code</b><br>Auto-detected<br><br></td>
+<td align="center" width="20%"><br><b>OpenAI</b><br>GPT-5<br><br></td>
+<td align="center" width="20%"><br><b>Google</b><br>Gemini 3 Pro<br><br></td>
+<td align="center" width="20%"><br><b>xAI</b><br>Grok 4.1<br><br></td>
+</tr>
+<tr>
+<td align="center"><br><b>Groq</b><br>Llama 4 Maverick<br><br></td>
+<td align="center"><br><b>OpenRouter</b><br>Multi-provider<br><br></td>
+<td align="center"><br><b>Moonshot</b><br>Kimi K2.5<br><br></td>
+<td align="center"><br><b>Mistral</b><br>Devstral<br><br></td>
+<td align="center"><br><b>Cerebras</b><br>Qwen 3 235B<br><br></td>
+</tr>
+<tr>
+<td align="center"><br><b>ZAI</b><br>GLM-5<br><br></td>
+<td align="center"><br><b>MiniMax</b><br>M2.5<br><br></td>
+<td align="center"><br><b>Hugging Face</b><br>DeepSeek V3.2<br><br></td>
+<td align="center"><br><b>Cocoon</b><br>Decentralized (TON)<br><br></td>
+<td align="center"><br><b>Local</b><br>Ollama, vLLM, LM Studio<br><br></td>
+</tr>
+</table>
 ### MCP Servers
@@ -251,49 +252,6 @@ When the WebUI is enabled, the **MCP Servers** page lets you add/remove servers,
 Tools are namespaced as `mcp_<server>_<tool>` (e.g. `mcp_filesystem_read_file`). Each server supports `scope` (always, dm-only, group-only, admin-only) and `enabled` toggle.
-### Web Search & Fetch
-The agent has two built-in web tools powered by [Tavily](https://tavily.com/) (free tier available):
-| Tool | Description |
-|------|-------------|
-| `web_search` | Search the web - returns titles, URLs, content snippets, relevance scores. Supports `topic`: general, news, finance |
-| `web_fetch` | Extract readable text from a URL - articles, docs, links shared by users |
-Both tools require a Tavily API key. Set it via CLI or config:
-```bash
-teleton config set tavily_api_key
-```
-Or in `config.yaml`:
-```yaml
-tavily_api_key: "tvly-..."
-```
-Once configured, the agent can autonomously search the web and read pages when needed to answer questions or verify information.
-### Managing Config Keys
-Use `teleton config` to manage optional keys without editing YAML manually:
-```bash
-# List all configurable keys and their status
-teleton config list
-# Set a key (prompts interactively if value omitted)
-teleton config set tavily_api_key
-teleton config set tonapi_key AFTWPHSLN3...
-# View a key (sensitive values are masked)
-teleton config get tavily_api_key
-# Remove a key
-teleton config unset tavily_api_key
-```
-Configurable keys: `tavily_api_key`, `tonapi_key`, `telegram.bot_token`, `telegram.bot_username`.
 ### Environment Variables
 All environment variables override the corresponding `config.yaml` value at startup - useful for Docker and CI:
@@ -301,95 +259,78 @@ All environment variables override the corresponding `config.yaml` value at star
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `TELETON_HOME` | Data directory (config, DB, session) | `~/.teleton` |
-| `TELETON_API_KEY` | LLM API key (overrides config) | - |
-| `TELETON_TG_API_ID` | Telegram API ID (overrides config) | - |
-| `TELETON_TG_API_HASH` | Telegram API Hash (overrides config) | - |
-| `TELETON_TG_PHONE` | Phone number (overrides config) | - |
-| `TELETON_TAVILY_API_KEY` | Tavily API key for web search | - |
-| `TELETON_TONAPI_KEY` | TonAPI key for higher rate limits | - |
-| `TELETON_WEBUI_ENABLED` | Enable WebUI (overrides config) | `false` |
-| `TELETON_WEBUI_PORT` | WebUI port (overrides config) | `7777` |
+| `TELETON_API_KEY` | LLM API key | - |
+| `TELETON_BASE_URL` | Custom LLM base URL | - |
+| `TELETON_TG_API_ID` | Telegram API ID | - |
+| `TELETON_TG_API_HASH` | Telegram API Hash | - |
+| `TELETON_TG_PHONE` | Phone number | - |
+| `TELETON_TAVILY_API_KEY` | Tavily API key for web tools | - |
+| `TELETON_TONAPI_KEY` | TonAPI key | - |
+| `TELETON_TONCENTER_API_KEY` | Toncenter API key | - |
+| `TELETON_WEBUI_ENABLED` | Enable WebUI | `false` |
+| `TELETON_WEBUI_PORT` | WebUI port | `7777` |
+| `TELETON_WEBUI_HOST` | WebUI bind address | `127.0.0.1` |
+| `TELETON_API_ENABLED` | Enable Management API | `false` |
+| `TELETON_API_PORT` | Management API port | `7778` |
+| `TELETON_LOG_LEVEL` | Log level (debug, info, warn, error) | `info` |
 ---
 ## WebUI Dashboard
-Teleton includes an **optional web dashboard** for monitoring and configuration. The WebUI is disabled by default and runs only on localhost for security.
-### Features
-- **Dashboard**: System status, uptime, model info, session count, memory stats, live token usage tracking, provider switching with API key validation, tabbed configuration editor
-- **Tools Management**: View all tools grouped by module, toggle enable/disable, change scope per tool
-- **Plugin Marketplace**: Install, update, and manage plugins from registry with secrets management
-- **Soul Editor**: Edit SOUL.md, SECURITY.md, STRATEGY.md, MEMORY.md with unsaved changes warning
-- **Memory Search**: Search knowledge base with hybrid vector+keyword search
-- **Live Logs**: Real-time log streaming via Server-Sent Events
-- **Workspace**: File browser with inline text editor
-- **MCP Servers**: Add/remove external tool servers, manage API keys (env vars), view connection status
-- **TON Proxy**: Start/stop Tonutils-Proxy, install/uninstall binary, view status
-- **Tasks**: Scheduled task management with status, dependencies, and bulk actions
-### Usage
-**Enable via config.yaml:**
-```yaml
-webui:
-  enabled: true
-  port: 7777
-```
-**Enable via CLI flag:**
-```bash
-teleton start --webui
-# or specify custom port
-teleton start --webui --webui-port 8080
-```
+Optional web dashboard, localhost only, token auth. Start with `teleton start --webui` or `teleton setup --ui`.
+<table>
+<tr>
+<td align="center" width="25%"><br><b>Dashboard</b><br>Status, model, tokens, config<br><br></td>
+<td align="center" width="25%"><br><b>Tools</b><br>Toggle, scope, per-module<br><br></td>
+<td align="center" width="25%"><br><b>Plugins</b><br>Marketplace, install, secrets<br><br></td>
+<td align="center" width="25%"><br><b>Soul Editor</b><br>SOUL, SECURITY, STRATEGY, MEMORY<br><br></td>
+</tr>
+<tr>
+<td align="center"><br><b>Memory Search</b><br>Vector + keyword hybrid<br><br></td>
+<td align="center"><br><b>Live Logs</b><br>Real-time SSE streaming<br><br></td>
+<td align="center"><br><b>Workspace</b><br>File browser + editor<br><br></td>
+<td align="center"><br><b>MCP Servers</b><br>Add, remove, configure<br><br></td>
+</tr>
+<tr>
+<td align="center"><br><b>TON Proxy</b><br>Start/stop, auto-install<br><br></td>
+<td align="center"><br><b>Tasks</b><br>Schedule, dependencies, bulk<br><br></td>
+<td align="center"><br><b>Setup Wizard</b><br>QR code + phone auth<br><br></td>
+<td align="center"><br><b>Config</b><br>Provider switch, key validation<br><br></td>
+</tr>
+</table>
+Auth token is printed at startup. Stored as HttpOnly cookie for 7 days. For remote access:
-**Enable via environment variable:**
 ```bash
-TELETON_WEBUI_ENABLED=true teleton start
+ssh -L 7777:localhost:7777 user@remote-server
 ```
-### Access
+### Coding Agent
-When WebUI is enabled, the agent will display:
-```
-🌐 WebUI: http://localhost:7777?token=your-token-here
-🔑 Token: your-token-here
-```
+By default, the agent has a **sandboxed workspace** at `~/.teleton/workspace/` with 6 file tools (read, write, delete, rename, list, info). Path traversal protection, symlink detection, and 500 MB quota. Core files (`SOUL.md`, `STRATEGY.md`, `SECURITY.md`) are immutable. Write operations are DM-only.
-1. Click the URL (token is auto-filled) or visit `http://localhost:7777`
-2. Paste the token from the console (displayed once at startup)
-3. Token is stored as HttpOnly cookie (7 days) for subsequent visits
+**YOLO mode** unlocks full system access (off by default, Linux only):
-### Security
+| Tool | Description |
+|------|-------------|
+| `exec_run` | Execute any bash command |
+| `exec_install` | Install packages (apt, pip, npm, docker) |
+| `exec_service` | Manage systemd services |
+| `exec_status` | Server health (disk, RAM, CPU, uptime) |
-- **Localhost only**: Server binds to `127.0.0.1` by default (not accessible from network)
-- **Bearer token auth**: All API routes require authentication (timing-safe comparison)
-- **HttpOnly cookies**: SameSite=Strict, prevents XSS token theft
-- **No persistence**: Runtime changes (like model switches via WebUI) are not saved to config.yaml
-- **For remote access**: Use SSH tunneling or reverse proxy (nginx/caddy) with HTTPS
+All commands are audit-logged with user, command, output, exit code, and duration. Configurable timeout (default 120s), scope (`admin-only`, `allowlist`, `all`), and output capture limit.
-**SSH tunnel example:**
-```bash
-ssh -L 7777:localhost:7777 user@remote-server
-# Then access http://localhost:7777 on your local machine
+```yaml
+capabilities:
+  exec:
+    mode: "yolo"          # off | yolo
+    scope: "admin-only"   # admin-only | allowlist | all
+    limits:
+      timeout: 120        # seconds (1-3600)
 ```
-### Workspace Files
-The agent's personality and rules are configured via markdown files in `~/.teleton/workspace/`. Default templates are generated during `teleton setup` - you can edit any of them to customize your agent:
-| File | Purpose | Mutable by Agent |
-|------|---------|-----------------|
-| `SOUL.md` | Personality, tone, behavior guidelines | No |
-| `STRATEGY.md` | Trading rules, buy/sell thresholds | No |
-| `SECURITY.md` | Security principles, threat recognition | No |
-| `MEMORY.md` | Persistent memory (facts, contacts, decisions) | Yes |
-| `memory/*.md` | Session summaries, daily logs (auto-generated) | Yes |
-> **Tip**: Templates are located in `src/templates/` if installing from source. Edit the workspace copies in `~/.teleton/workspace/` - not the source templates.
 ### Admin Commands
 All admin commands support `/`, `!`, or `.` prefix:
@@ -416,6 +357,94 @@ All admin commands support `/`, `!`, or `.` prefix:
 ---
+## Plugins
+Extend the agent with custom tools. Install from the WebUI marketplace in one click, or drop a `.js` file in `~/.teleton/plugins/`. Loaded at startup, no rebuild needed. See [official example plugins](https://github.com/TONresistor/teleton-plugins).
+```
+~/.teleton/plugins/
+├── weather.js              # Single-file plugin
+└── my-plugin/
+    ├── index.js            # Folder plugin
+    ├── package.json        # npm deps (auto-installed via npm ci)
+    └── package-lock.json
+```
+Plugins export a `tools` function (recommended) or array, plus optional lifecycle hooks:
+```js
+// ~/.teleton/plugins/weather.js
+export const manifest = {
+  name: "weather",
+  version: "1.0.0",
+  sdkVersion: "^1.0.0",
+};
+// Optional: creates an isolated database at ~/.teleton/plugins/data/weather.db
+export function migrate(db) {
+  db.exec(`CREATE TABLE IF NOT EXISTS weather_cache (
+    city TEXT PRIMARY KEY, data TEXT, cached_at INTEGER
+  )`);
+}
+// Required: tools as a function receiving the Plugin SDK
+export const tools = (sdk) => [
+  {
+    name: "weather_get",
+    description: "Get current weather for a city",
+    parameters: {
+      type: "object",
+      properties: { city: { type: "string", description: "City name" } },
+      required: ["city"],
+    },
+    execute: async (params) => {
+      sdk.log.info(`Fetching weather for ${params.city}`);
+      const res = await fetch(`https://wttr.in/${params.city}?format=j1`);
+      if (!res.ok) return { success: false, error: "City not found" };
+      const data = await res.json();
+      return { success: true, data: { temp: data.current_condition[0].temp_C } };
+    },
+  },
+];
+```
+### Plugin SDK
+The SDK provides namespaced access to core services:
+| Namespace          | Methods                                                                                                                                                                                                                                                                                              |
+| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `sdk.ton`          | **Wallet**: `getAddress()`, `getBalance()`, `getPrice()`, `sendTON()`, `getTransactions()`, `verifyPayment()`                                                                                                                                                                                        |
+|                    | **Jettons**: `getJettonBalances()`, `getJettonInfo()`, `sendJetton()`, `getJettonWalletAddress()`                                                                                                                                                                                                    |
+|                    | **Analytics**: `getJettonPrice()`, `getJettonHolders()`, `getJettonHistory()`                                                                                                                                                                                                                        |
+|                    | **NFT**: `getNftItems()`, `getNftInfo()`                                                                                                                                                                                                                                                             |
+|                    | **DEX** (`sdk.ton.dex`): `quote()`, `swap()`, `quoteSTONfi()`, `quoteDeDust()`, `swapSTONfi()`, `swapDeDust()`                                                                                                                                                                                       |
+|                    | **DNS** (`sdk.ton.dns`): `check()`, `resolve()`, `getAuctions()`, `startAuction()`, `bid()`, `link()`, `unlink()`, `setSiteRecord()`                                                                                                                                                                 |
+|                    | **Signed Transfers**: `createTransfer()`, `createJettonTransfer()`, `getPublicKey()`, `getWalletVersion()`                                                                                                                                                                                           |
+|                    | **Utils**: `toNano()`, `fromNano()`, `validateAddress()`                                                                                                                                                                                                                                             |
+| `sdk.telegram`     | **Messages**: `sendMessage()`, `editMessage()`, `deleteMessage()`, `forwardMessage()`, `pinMessage()`, `searchMessages()`, `scheduleMessage()`, `getScheduledMessages()`, `deleteScheduledMessage()`, `sendScheduledNow()`, `getReplies()`                                                           |
+|                    | **Media**: `sendPhoto()`, `sendVideo()`, `sendVoice()`, `sendFile()`, `sendGif()`, `sendSticker()`, `downloadMedia()`                                                                                                                                                                                |
+|                    | **Chat & Users**: `getChatInfo()`, `getUserInfo()`, `resolveUsername()`, `getParticipants()`, `getDialogs()`, `getHistory()`                                                                                                                                                                         |
+|                    | **Interactive**: `sendDice()`, `sendReaction()`, `createPoll()`, `createQuiz()`                                                                                                                                                                                                                      |
+|                    | **Moderation**: `banUser()`, `unbanUser()`, `muteUser()`, `kickUser()`                                                                                                                                                                                                                               |
+|                    | **Stars & Gifts**: `getStarsBalance()`, `sendGift()`, `getAvailableGifts()`, `getMyGifts()`, `getResaleGifts()`, `buyResaleGift()`, `getStarsTransactions()`, `transferCollectible()`, `setCollectiblePrice()`, `getCollectibleInfo()`, `getUniqueGift()`, `getUniqueGiftValue()`, `sendGiftOffer()` |
+|                    | **Advanced**: `getMe()`, `getMessages()`, `isAvailable()`, `getRawClient()`, `setTyping()`, `sendStory()`                                                                                                                                                                                            |
+| `sdk.bot`          | `onInlineQuery()`, `onCallback()`, `onChosenResult()`, `editInlineMessage()`, `keyboard()`, `isAvailable`, `username`                                                                                                                                                                                |
+| `sdk.secrets`      | `get()`, `require()`, `has()`                                                                                                                                                                                                                                                                        |
+| `sdk.storage`      | `get()`, `set()`, `delete()`, `has()`, `clear()` (KV with TTL)                                                                                                                                                                                                                                       |
+| `sdk.db`           | Raw `better-sqlite3` database, isolated per plugin                                                                                                                                                                                                                                                   |
+| `sdk.config`       | Sanitized app config (no API keys)                                                                                                                                                                                                                                                                   |
+| `sdk.pluginConfig` | Plugin-specific config from `config.yaml`                                                                                                                                                                                                                                                            |
+| `sdk.log`          | `info()`, `warn()`, `error()`, `debug()`                                                                                                                                                                                                                                                             |
+| `sdk.on()`         | Register hooks: `message:receive`, `response:before/after/error`, `tool:error`, `prompt:after`, `agent:start/stop`                                                                                                                                                                                   |
+**Lifecycle hooks**: `migrate(db)`, `start(ctx)`, `stop()`, `onMessage(event)`, `onCallbackQuery(event)`
+**Security**: all SDK objects are frozen. Plugins never see API keys or other plugins' data.
+---
 ## Architecture
 ### Tech Stack
@@ -508,7 +537,12 @@ src/
 │   └── model-catalog.ts    # Shared model catalog (70+ models across all providers)
 ├── webui/                  # Optional web dashboard
 │   ├── server.ts           # Hono server, auth middleware, static serving
-│   └── routes/             # 12 API route groups (status, tools, logs, memory, soul, plugins, mcp, tasks, workspace, config, marketplace, ton-proxy)
+│   └── routes/             # 14 route groups (status, tools, logs, memory, soul, plugins, mcp, tasks, workspace, config, marketplace, hooks, ton-proxy, setup)
+├── api/                    # Management API (HTTPS control plane)
+│   ├── server.ts           # Hono HTTPS server, TLS, middleware stack
+│   ├── bootstrap.ts        # API-only mode (no config needed)
+│   ├── middleware/          # Auth, rate-limit, audit, request-id
+│   └── routes/             # Agent lifecycle, system, logs, memory, auth
 ├── constants/              # Centralized limits, timeouts, API endpoints
 ├── utils/                  # Logger, sanitize, retry, fetch
 ├── workspace/              # Path validator (anti-traversal, anti-symlink)
@@ -580,105 +614,6 @@ npm run test        # Vitest
 npm run format      # Prettier
 ```
-### Plugins
-Plugins extend the agent with custom tools. Drop a `.js` file or folder in `~/.teleton/plugins/` - loaded at startup, hot-reloaded in dev mode, no rebuild needed. See [official example plugins](https://github.com/TONresistor/teleton-plugins) for complete working examples.
-```
-~/.teleton/plugins/
-├── weather.js              # Single-file plugin
-└── my-plugin/
-    ├── index.js            # Folder plugin
-    ├── package.json        # npm deps (auto-installed via npm ci)
-    └── package-lock.json
-```
-Plugins export a `tools` function (recommended) or array, plus optional lifecycle hooks:
-```js
-// ~/.teleton/plugins/weather.js
-export const manifest = {
-  name: "weather",
-  version: "1.0.0",
-  sdkVersion: "^1.0.0",
-};
-// Optional: creates an isolated database at ~/.teleton/plugins/data/weather.db
-export function migrate(db) {
-  db.exec(`CREATE TABLE IF NOT EXISTS weather_cache (
-    city TEXT PRIMARY KEY, data TEXT, cached_at INTEGER
-  )`);
-}
-// Required: tools as a function receiving the Plugin SDK
-export const tools = (sdk) => [
-  {
-    name: "weather_get",
-    description: "Get current weather for a city",
-    parameters: {
-      type: "object",
-      properties: { city: { type: "string", description: "City name" } },
-      required: ["city"],
-    },
-    execute: async (params) => {
-      sdk.log.info(`Fetching weather for ${params.city}`);
-      const res = await fetch(`https://wttr.in/${params.city}?format=j1`);
-      if (!res.ok) return { success: false, error: "City not found" };
-      const data = await res.json();
-      return { success: true, data: { temp: data.current_condition[0].temp_C } };
-    },
-  },
-];
-```
-#### Plugin SDK
-When `tools` is a function, the SDK provides namespaced access to core services:
-| Namespace | Methods |
-|-----------|---------|
-| `sdk.ton` | **Wallet**: `getAddress()`, `getBalance()`, `getPrice()`, `sendTON()`, `getTransactions()`, `verifyPayment()` |
-| | **Jettons**: `getJettonBalances()`, `getJettonInfo()`, `sendJetton()`, `getJettonWalletAddress()` |
-| | **Analytics**: `getJettonPrice()`, `getJettonHolders()`, `getJettonHistory()` |
-| | **NFT**: `getNftItems()`, `getNftInfo()` |
-| | **DEX** (`sdk.ton.dex`): `quote()`, `swap()`, `quoteSTONfi()`, `quoteDeDust()`, `swapSTONfi()`, `swapDeDust()` |
-| | **DNS** (`sdk.ton.dns`): `check()`, `resolve()`, `getAuctions()`, `startAuction()`, `bid()`, `link()`, `unlink()`, `setSiteRecord()` |
-| | **Signed Transfers** (`sdk.ton`): `createTransfer()`, `createJettonTransfer()`, `getPublicKey()`, `getWalletVersion()` |
-| | **Utils**: `toNano()`, `fromNano()`, `validateAddress()` |
-| `sdk.telegram` | **Messages**: `sendMessage()`, `editMessage()`, `deleteMessage()`, `forwardMessage()`, `pinMessage()`, `searchMessages()`, `scheduleMessage()`, `getScheduledMessages()`, `deleteScheduledMessage()`, `sendScheduledNow()`, `getReplies()` |
-| | **Media**: `sendPhoto()`, `sendVideo()`, `sendVoice()`, `sendFile()`, `sendGif()`, `sendSticker()`, `downloadMedia()` |
-| | **Chat & Users**: `getChatInfo()`, `getUserInfo()`, `resolveUsername()`, `getParticipants()`, `getDialogs()`, `getHistory()` |
-| | **Interactive**: `sendDice()`, `sendReaction()`, `createPoll()`, `createQuiz()` |
-| | **Moderation**: `banUser()`, `unbanUser()`, `muteUser()`, `kickUser()` |
-| | **Stars & Gifts**: `getStarsBalance()`, `sendGift()`, `getAvailableGifts()`, `getMyGifts()`, `getResaleGifts()`, `buyResaleGift()`, `getStarsTransactions()`, `transferCollectible()`, `setCollectiblePrice()`, `getCollectibleInfo()`, `getUniqueGift()`, `getUniqueGiftValue()`, `sendGiftOffer()` |
-| | **Advanced**: `getMe()`, `isAvailable()`, `getRawClient()`, `setTyping()`, `sendStory()` |
-| `sdk.secrets` | `get()`, `require()`, `has()` - 3-tier resolution (env var → secrets file → plugin config) |
-| `sdk.storage` | `get()`, `set()`, `delete()`, `has()`, `clear()` - KV store with TTL support |
-| `sdk.db` | Raw `better-sqlite3` database - isolated per plugin at `~/.teleton/plugins/data/<name>.db` |
-| `sdk.config` | Sanitized app config (no API keys exposed) |
-| `sdk.pluginConfig` | Plugin-specific config from `config.yaml` `plugins:` section |
-| `sdk.log` | `info()`, `warn()`, `error()`, `debug()` - Prefixed logger |
-**Lifecycle hooks**: `migrate(db)`, `start(ctx)`, `stop()`, `onMessage(event)`, `onCallbackQuery(event)`
-**Security**: all SDK objects are `Object.freeze()`-ed. Plugins never see API keys or other plugins' data.
-Plugin config in `config.yaml`:
-```yaml
-plugins:
-  weather:
-    api_key: "abc123"
-```
-Backward compatible: plugins can export `tools` as a static array without the SDK.
-At startup:
-```
-🔌 Plugin "weather": 1 tool registered
-✅ 115 tools loaded (1 from plugins)
-```
 ---
 ## Documentation
@@ -692,6 +627,7 @@ Full documentation is available in the [`docs/`](docs/) directory:
 | [Plugin Development](docs/plugins.md) | Step-by-step plugin tutorial |
 | [Telegram Setup](docs/telegram-setup.md) | API credentials, policies, 2FA, admin commands |
 | [TON Wallet](docs/ton-wallet.md) | Wallet setup, DEX trading, security |
+| [Management API](docs/management-api.md) | HTTPS API, bootstrap mode, authentication, endpoints |
 ---