I’m working on a reply for your first response, but to your second one: TES is my Main:TEs agent (technical director) full workspace files and capabilities. She is the one that makes the tool calls that fires the approval gates via telegram (dm only. Group/topics doesn’t work) I also still get the pop up for “approveonce/allowawys/deny” in the OC dash, but I’ve managed to get the approval prompt to fire in my telegram, with inline buttons that DO work and contact the gateway.

@Vlad Praskov this breakdown is gold. wish I had this three weeks ago. You nailed the two-layer issue exactly. For anyone hitting the same wall: we got it working by routing to a Telegram DM bot instead of groups or topics. Groups and topics never reliably closed the loop back to the gateway for us. DM worked first try and has been solid since. Still dialing in the Layer 1 policy config you described — that askFallback detail is exactly where we had friction. Going to check our exec-approvals.json against your recommended setup now.

I’m in a similar boat! started from scratch at the beginning of March, no previous experience with Claude Code, nothing. Dove in head first and haven’t come up for air since. I’ve learned a ton, but I still constantly feel like I’m one wrong move away from breaking everything. Token usage has been my killer too — had to build a custom memory and compaction system called Hybrid Pulse just to keep costs from spiraling overnight. I have a 14-agent swarm I’m implementing into my wife and I’s small business (The Elderberry Source — elderberry products). Our main agent is TES AI, named after the business. Never thought I’d use a pronoun for a program, but here we are 😆 The gate approval thing hit me hard early. TES would bypass her own guardrails when she felt rushed or under context pressure. Ended up building a three-layer enforcement system: 1. Soul file — character and boundaries, but not reliable on its own 2. Protocol Enforcer cron — reinjects rules directly into live context as a system event, so it’s cheap and doesn’t require a full agent turn 3. Approval gate plugin — intercepts at the tool call level using api.on("before_tool_call"). This is the game changer. TES doesn’t choose whether to gate — it fires before any tool executes, period. I did set them up as elevated categories. That third layer is what actually made her stop bypassing things. We’re still dialing in best practice on it though — the fine line between protection and constant blocker is real. Currently routing approval alerts directly to a Telegram DM bot (groups and topics didn’t work reliably). Mobile access to approvals was the goal and that’s how we got there. On config changes — same rotation as you. Agent-assisted for most things, direct JSON only for recovery, avoid the terminal for anything touching custom configs. Hard gate checks before any write operation saved me more times than I can count. Still figuring it out. But it’s worth it. Sorry to dump a ton, just another traveler on the wrong to automation.

Thanks man! Honestly, it’s been a crazy learning adventure and I don’t mean to take focus away from Doug and his og post. Apologies. I don’t currently have GitHub setup as a dev. I do cherry pick certain things because it seems like so many repos/skills/tools that are pre written, have something about them where I’m advised from TES + Graud (I have my app versions of Grok and Claude talk to each other to help me work out snags, dead ends and death loops. Invaluable, honestly. I call it Graud mode. Haha but, I’m more than happy to get some feedback on my setup. In fact, I need to. Maybe we ca start a new convo, glad, somewhere so we can stop dumping in this thread?

Also, keep in mind, I didn’t learn this until after I had already burned a bunch of tokens using Open Router, OR does NOT support prompt caching! Also, with Anthropic, they do, but you still pay 10% of the rate. Was a pretty big revelation once I learned that.