feat(v2): user-level privilege model + cold DM infra + init-first-agent skill

Replaces the agent-group-centric "main group" concept with user-level
privileges and adds the cold-DM infrastructure needed for proactive
outbound messaging (pairing, approvals, welcome flows).

Privilege model
- New tables: users, user_roles (owner global-only; admin global or
  scoped to an agent_group), agent_group_members (explicit non-
  privileged access; admin/owner imply membership), user_dms (cold-DM
  resolution cache).
- Removed agent_groups.is_admin, messaging_groups.admin_user_id. Replaced
  with messaging_groups.unknown_sender_policy (strict | request_approval
  | public) for per-chat unknown-sender gating.
- src/access.ts: canAccessAgentGroup, pickApprover, pickApprovalDelivery.
- src/router.ts: access gate on every inbound, honoring
  unknown_sender_policy for unknown senders.
- src/channels/telegram.ts: pairing interceptor upserts the paired user
  and promotes them to owner if hasAnyOwner() is false (first-pair-wins).

Cold DM infrastructure
- ChannelAdapter.openDM?(handle) — optional method. Chat-SDK-bridge wires
  it to chat.openDM() for resolution-required channels (Discord, Slack,
  Teams, Webex, gChat); direct-addressable channels (Telegram, WhatsApp,
  iMessage, Matrix, Resend) fall through to the handle directly.
- src/user-dm.ts: ensureUserDm(userId) — resolves + caches via user_dms.

Approval routing
- onecli-approvals + delivery use pickApprover + pickApprovalDelivery:
  scoped admins → global admins → owners (dedup), first reachable via
  ensureUserDm, same-channel-kind tie-break. Approvals land in the
  approver's DM, not the origin chat.

Delivery fixes
- delivery.ts ACL rejection now throws instead of returning undefined —
  the outer loop previously marked rejected messages as delivered.
- Implicit-origin allow: session.messaging_group_id === target skips the
  destination check.
- createMessagingGroupAgent auto-creates the companion agent_destinations
  row (normalized local_name from the messaging group's name, collision-
  broken within the agent's namespace).

Container
- container-runner.ts: /workspace/global always read-only; drops
  NANOCLAW_IS_ADMIN; adds NANOCLAW_ADMIN_USER_IDS (owners + global admins
  + scoped admins for this agent group). Agent-runner poll-loop gates
  slash commands against that set.

New skill: /init-first-agent
- Walks the operator through standing up the first agent for a channel:
  channel pick → identity lookup (reads each channel SKILL.md's
  ## Channel Info > how-to-find-id) → DM platform_id resolution (direct-
  addressable, cold-DM via "user DMs bot first + sqlite lookup", or
  Telegram pair-code fallback) → run scripts/init-first-agent.ts →
  verify via tail of nanoclaw.log.
- scripts/init-first-agent.ts: parameterized helper that upserts the
  user + grants owner (if none), creates dm-with-<display-name> agent
  group + initGroupFilesystem, reuses/creates the DM messaging_group,
  wires it (auto-creates destination), resolves the session, and writes
  a kind:'chat' / sender:'system' welcome message into inbound.db. Host
  sweep wakes the container and the agent DMs the operator via the
  normal delivery path.

/manage-channels rewrite
- Drops --is-main / --jid / main-vs-non-main isolation references.
- First-channel flow delegates to /init-first-agent.
- Explains createMessagingGroupAgent auto-creates destinations.
- Adds a privileged-users show section.

setup/
- register.ts: drop --is-main, --jid, --local-name, --trigger
  requiresTrigger defaults; call initGroupFilesystem; normalize to
  v2 schema (no is_admin, no admin_user_id, sets unknown_sender_policy
  'strict'); let createMessagingGroupAgent handle the destination row.
- pair-telegram.ts: emit PAIRED_USER_ID (namespaced "telegram:<id>")
  instead of ADMIN_USER_ID; update header comment.
- register.test.ts deleted — was v1-only, tested a registered_groups
  table that no longer exists.

Docs
- v2-architecture-diagram.{md,html}: ER diagram updated to drop
  is_admin/admin_user_id, add unknown_sender_policy, and include
  users/user_roles/agent_group_members/user_dms.
- v2-architecture-draft.md: approval-routing paragraph rewritten for
  pickApprover/pickApprovalDelivery/ensureUserDm; SQL schema block
  updated; admin-verification paragraph references
  NANOCLAW_ADMIN_USER_IDS.
- v2-setup-wiring.md: entity-model sketch rewritten.
- v2-checklist.md: marked privilege refactor / container filtering /
  approval routing / unknown-sender gating done; removed obsolete
  admin_user_id and main-vs-non-main items.

Scripts
- scripts/init-first-agent.ts (new) replaces scripts/welcome-owner-dm.ts
  (removed; welcome-owner was a Discord-specific one-off).
- test-v2-host.ts, test-v2-channel-e2e.ts, seed-discord.ts: drop
  is_admin + admin_user_id, use unknown_sender_policy.

Tests
- src/access.test.ts (new): 14 tests for canAccessAgentGroup, role
  helpers, pickApprover, ensureUserDm, pickApprovalDelivery.
- src/db/db-v2.test.ts: adds 3 tests for the auto-created
  agent_destinations row (normalized name, no duplicates, collision
  break within an agent group).
- host-core.test.ts, channel-registry.test.ts: updated fixtures to
  use unknown_sender_policy: 'public' where the test exercises routing
  rather than the access gate.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/db/migrations/001-initial.ts

@@ -11,20 +11,19 @@ export const migration001: Migration = {
         id               TEXT PRIMARY KEY,
         name             TEXT NOT NULL,
         folder           TEXT NOT NULL UNIQUE,
-        is_admin         INTEGER DEFAULT 0,
         agent_provider   TEXT,
         container_config TEXT,
         created_at       TEXT NOT NULL
       );
 
       CREATE TABLE messaging_groups (
-        id               TEXT PRIMARY KEY,
-        channel_type     TEXT NOT NULL,
-        platform_id      TEXT NOT NULL,
-        name             TEXT,
-        is_group         INTEGER DEFAULT 0,
-        admin_user_id    TEXT,
-        created_at       TEXT NOT NULL,
+        id                    TEXT PRIMARY KEY,
+        channel_type          TEXT NOT NULL,
+        platform_id           TEXT NOT NULL,
+        name                  TEXT,
+        is_group              INTEGER DEFAULT 0,
+        unknown_sender_policy TEXT NOT NULL DEFAULT 'strict',
+        created_at            TEXT NOT NULL,
         UNIQUE(channel_type, platform_id)
       );
 
@@ -40,6 +39,50 @@ export const migration001: Migration = {
         UNIQUE(messaging_group_id, agent_group_id)
       );
 
+      CREATE TABLE users (
+        id           TEXT PRIMARY KEY,
+        kind         TEXT NOT NULL,
+        display_name TEXT,
+        created_at   TEXT NOT NULL
+      );
+
+      -- role ∈ {owner, admin}
+      -- owner: agent_group_id must be NULL (always global)
+      -- admin: agent_group_id NULL = global, else scoped
+      CREATE TABLE user_roles (
+        user_id        TEXT NOT NULL REFERENCES users(id),
+        role           TEXT NOT NULL,
+        agent_group_id TEXT REFERENCES agent_groups(id),
+        granted_by     TEXT REFERENCES users(id),
+        granted_at     TEXT NOT NULL,
+        PRIMARY KEY (user_id, role, agent_group_id)
+      );
+      CREATE INDEX idx_user_roles_scope ON user_roles(agent_group_id, role);
+
+      -- "known" membership in an agent group. Admin @ A implies membership
+      -- without needing a row (invariant enforced in code).
+      CREATE TABLE agent_group_members (
+        user_id        TEXT NOT NULL REFERENCES users(id),
+        agent_group_id TEXT NOT NULL REFERENCES agent_groups(id),
+        added_by       TEXT REFERENCES users(id),
+        added_at       TEXT NOT NULL,
+        PRIMARY KEY (user_id, agent_group_id)
+      );
+
+      -- DM channel cache: for each (user, channel) pair, which messaging_group
+      -- row is their direct-message channel. Populated on demand by
+      -- ensureUserDm() — either from adapter.openDM() for channels that
+      -- distinguish user id from DM chat id (Discord, Slack, Teams) or by
+      -- pointing directly at the user's handle for channels where they're
+      -- the same (Telegram, WhatsApp, iMessage, email, Matrix).
+      CREATE TABLE user_dms (
+        user_id            TEXT NOT NULL REFERENCES users(id),
+        channel_type       TEXT NOT NULL,
+        messaging_group_id TEXT NOT NULL REFERENCES messaging_groups(id),
+        resolved_at        TEXT NOT NULL,
+        PRIMARY KEY (user_id, channel_type)
+      );
+
       CREATE TABLE sessions (
         id                 TEXT PRIMARY KEY,
         agent_group_id     TEXT NOT NULL REFERENCES agent_groups(id),