Fix DM UX, multi-user @micro behavior, agent news search, and XMPP TLS cert auto-reload

[Copilot]

The direct messaging flow had several broken behaviors: @micro DMs redirected to the main AI chat, new conversations landed on the inbox instead of the thread, the DM banner consumed excessive screen space, and usernames weren't clickable to initiate a DM. Additionally, micro was responding to all messages in multi-user rooms regardless of @mention, the agent couldn't find current news (e.g. breaking news topics), and XMPP TLS required a server restart to pick up Let's Encrypt renewals.

Chat / Direct Messaging

• DM banner: replaced the prominent 4-line blue alert box with a single small 💬 Messages link aligned top-right
• @micro DM: was redirecting to /chat; now stores the user's message, checks wallet quota, generates a RAG-backed AI reply, and redirects to the DM thread
• New chat redirect: compose form now redirects to the new thread instead of the inbox
• Reply form bug: the hidden to field was sending the account ID instead of the username — auth.GetAccountByName expects a username, so the lookup was silently failing
• Clickable usernames: enabled updateUserList in WebSocket chat rooms with DM links; added a ✉ icon next to each user in the home-page presence display

Multi-user room @micro behavior

inActiveConvo (micro continues responding for 2 min after a reply) was not gated on the user being alone, so micro would keep responding in a multi-user room after any prior @mention:

// Before
inActiveConvo := client.InMicroConvo && time.Since(client.LastMicroReply) < 2*time.Minute

// After — only active when the user is alone
inActiveConvo := isAlone && client.InMicroConvo && time.Since(client.LastMicroReply) < 2*time.Minute

Agent — web search tool

Added a web_search tool (backed by ai.WebSearch / DuckDuckGo) to the agent tool catalogue and MCP registry. The AI planner now uses it when the local indexed content is thin, enabling responses to current-events queries.

XMPP TLS certificate auto-reload

loadTLSConfig previously loaded the cert once into a static tls.Config.Certificates slice. Replaced with a tlsCertStore that implements tls.Config.GetCertificate — called on every STARTTLS handshake — which stats the cert/key files and reloads under a write-lock only when a mod-time has advanced. On reload failure it logs and falls back to the cached cert so live TLS is never interrupted.

return &tls.Config{
    GetCertificate: store.GetCertificate, // reloads on mod-time change, falls back on error
    ServerName:     domain,
    MinVersion:     tls.VersionTLS12,
}

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.