@botcord/daemon 0.1.1 → 0.2.1

package/dist/daemon.js

@@ -12,6 +12,7 @@ import { SnapshotWriter } from "./snapshot-writer.js";
 import { createDaemonSystemContextBuilder } from "./system-context.js";
 import { createRoomStaticContextBuilder } from "./room-context.js";
 import { createRoomContextFetcher } from "./room-context-fetcher.js";
+import { buildLoopRiskPrompt, loopRiskSessionKey, recordInboundText as recordLoopRiskInbound, recordOutboundText as recordLoopRiskOutbound, } from "./loop-risk.js";
 import { composeBotCordUserTurn } from "./turn-text.js";
 import { UserAuthManager } from "./user-auth.js";
 /**
@@ -144,11 +145,19 @@ export async function startDaemon(opts) {
         log: logger,
     });
     const scBuilders = new Map();
+    const loopRiskBuilder = (msg) => buildLoopRiskPrompt({
+        sessionKey: loopRiskSessionKey({
+            accountId: msg.accountId,
+            conversationId: msg.conversation.id,
+            threadId: msg.conversation.threadId ?? null,
+        }),
+    });
     for (const aid of agentIds) {
         scBuilders.set(aid, createDaemonSystemContextBuilder({
             agentId: aid,
             activityTracker,
             roomContextBuilder,
+            loopRiskBuilder,
         }));
     }
     const buildSystemContext = (message) => {
@@ -169,10 +178,34 @@ export async function startDaemon(opts) {
     // outside the system-context builder (option A) means the builder stays
     // pure — a cleaner contract the gateway can also expose to non-daemon
     // callers in the future.
-    const onInbound = createActivityRecorder({
+    const recordActivity = createActivityRecorder({
         activityTracker,
         ...(agentIds[0] ? { fallbackAgentId: agentIds[0] } : {}),
     });
+    const onInbound = (msg) => {
+        recordActivity(msg);
+        // Feed the loop-risk tracker with the sanitized inbound text so
+        // detectShortAckTail + detectHighTurnRate have a timeline.
+        recordLoopRiskInbound({
+            sessionKey: loopRiskSessionKey({
+                accountId: msg.accountId,
+                conversationId: msg.conversation.id,
+                threadId: msg.conversation.threadId ?? null,
+            }),
+            text: msg.text,
+            timestamp: msg.receivedAt,
+        });
+    };
+    const onOutbound = (out) => {
+        recordLoopRiskOutbound({
+            sessionKey: loopRiskSessionKey({
+                accountId: out.accountId,
+                conversationId: out.conversationId,
+                threadId: out.threadId ?? null,
+            }),
+            text: out.text,
+        });
+    };
     const gateway = new Gateway({
         config: gwConfig,
         sessionStorePath: opts.sessionStorePath ?? SESSIONS_PATH,
@@ -190,6 +223,7 @@ export async function startDaemon(opts) {
         turnTimeoutMs: DEFAULT_TURN_TIMEOUT_MS,
         buildSystemContext,
         onInbound,
+        onOutbound,
         composeUserTurn: composeBotCordUserTurn,
     });
     logger.info("daemon starting", {

package/dist/gateway/channels/botcord.js

@@ -69,7 +69,13 @@ function normalizeInbox(msg, options) {
     const env = msg.envelope;
     if (!env)
         return null;
-    if (env.type !== "message")
+    // `message` is the normal conversational envelope; `contact_request` is
+    // a lightweight inbound asking the agent to notify its owner (the
+    // composer appends the notify-owner hint). All other envelope types
+    // (notification, system, contact_added/removed, …) are still filtered
+    // out here — they belong in a separate push-notification path that
+    // daemon does not yet implement.
+    if (env.type !== "message" && env.type !== "contact_request")
         return null;
     if (!msg.room_id)
         return null;

package/dist/gateway/dispatcher.d.ts

@@ -1,6 +1,6 @@
 import type { GatewayLogger } from "./log.js";
 import { type SessionStore } from "./session-store.js";
-import type { ChannelAdapter, GatewayConfig, GatewayInboundEnvelope, GatewayRoute, InboundObserver, RuntimeAdapter, SystemContextBuilder, TurnStatusSnapshot, UserTurnBuilder } from "./types.js";
+import type { ChannelAdapter, GatewayConfig, GatewayInboundEnvelope, GatewayRoute, InboundObserver, OutboundObserver, RuntimeAdapter, SystemContextBuilder, TurnStatusSnapshot, UserTurnBuilder } from "./types.js";
 /** Factory signature for building a runtime adapter at turn dispatch time. */
 export type RuntimeFactory = (runtimeId: string, extraArgs?: string[]) => RuntimeAdapter;
 /** Constructor options for `Dispatcher`. */
@@ -36,6 +36,12 @@ export interface DispatcherOptions {
      * a fallback so a buggy composer cannot drop turns.
      */
     composeUserTurn?: UserTurnBuilder;
+    /**
+     * Optional observer fired after each reply is dispatched. Intended for
+     * outbound bookkeeping such as loop-risk tracking. Errors are logged
+     * and suppressed so observer failures never break the turn.
+     */
+    onOutbound?: OutboundObserver;
 }
 /**
  * Gateway dispatcher: consumes `GatewayInboundEnvelope` and drives a runtime
@@ -56,6 +62,7 @@ export declare class Dispatcher {
     private readonly turnTimeoutMs;
     private readonly buildSystemContext?;
     private readonly onInbound?;
+    private readonly onOutbound?;
     private readonly composeUserTurn?;
     private readonly managedRoutes?;
     private readonly queues;

package/dist/gateway/dispatcher.js

@@ -20,6 +20,7 @@ export class Dispatcher {
     turnTimeoutMs;
     buildSystemContext;
     onInbound;
+    onOutbound;
     composeUserTurn;
     managedRoutes;
     queues = new Map();
@@ -32,6 +33,7 @@ export class Dispatcher {
         this.turnTimeoutMs = opts.turnTimeoutMs ?? DEFAULT_TURN_TIMEOUT_MS;
         this.buildSystemContext = opts.buildSystemContext;
         this.onInbound = opts.onInbound;
+        this.onOutbound = opts.onOutbound;
         this.composeUserTurn = opts.composeUserTurn;
         this.managedRoutes = opts.managedRoutes;
     }
@@ -414,6 +416,18 @@ export class Dispatcher {
                 conversationId: outbound.conversationId,
                 error: err instanceof Error ? err.message : String(err),
             });
+            return;
+        }
+        if (this.onOutbound) {
+            try {
+                await this.onOutbound(outbound);
+            }
+            catch (err) {
+                this.log.warn("dispatcher: onOutbound threw — continuing", {
+                    conversationId: outbound.conversationId,
+                    error: err instanceof Error ? err.message : String(err),
+                });
+            }
         }
     }
 }

package/dist/gateway/gateway.d.ts

@@ -1,7 +1,7 @@
 import { type ChannelBackoffOptions } from "./channel-manager.js";
 import { type RuntimeFactory } from "./dispatcher.js";
 import { type GatewayLogger } from "./log.js";
-import type { ChannelAdapter, GatewayChannelConfig, GatewayConfig, GatewayRoute, GatewayRuntimeSnapshot, InboundObserver, SystemContextBuilder, UserTurnBuilder } from "./types.js";
+import type { ChannelAdapter, GatewayChannelConfig, GatewayConfig, GatewayRoute, GatewayRuntimeSnapshot, InboundObserver, OutboundObserver, SystemContextBuilder, UserTurnBuilder } from "./types.js";
 /** Constructor options for `Gateway`. */
 export interface GatewayBootOptions {
     config: GatewayConfig;
@@ -30,6 +30,11 @@ export interface GatewayBootOptions {
      * to the runtime. Forwarded to the dispatcher; see {@link UserTurnBuilder}.
      */
     composeUserTurn?: UserTurnBuilder;
+    /**
+     * Optional observer fired after each reply is sent. Intended for outbound
+     * bookkeeping like loop-risk tracking.
+     */
+    onOutbound?: OutboundObserver;
 }
 /**
  * Top-level gateway bootstrap. Wires `ChannelManager` → `Dispatcher` →

package/dist/gateway/gateway.js

@@ -63,6 +63,7 @@ export class Gateway {
             buildSystemContext: opts.buildSystemContext,
             onInbound: opts.onInbound,
             composeUserTurn: opts.composeUserTurn,
+            onOutbound: opts.onOutbound,
             managedRoutes: this.managedRoutes,
         });
         this.channelManager = new ChannelManager({

package/dist/gateway/types.d.ts

@@ -110,6 +110,12 @@ export type InboundObserver = (message: GatewayInboundMessage) => Promise<void>
  * a buggy composer never drops turns.
  */
 export type UserTurnBuilder = (message: GatewayInboundMessage) => string;
+/**
+ * Optional hook fired after the dispatcher dispatches a reply to a channel.
+ * Intended for outbound bookkeeping (loop-risk tracking, metrics). Errors
+ * are caught and logged so observer failures never break the turn.
+ */
+export type OutboundObserver = (message: GatewayOutboundMessage) => Promise<void> | void;
 /** Outbound reply payload passed to `ChannelAdapter.send()`. */
 export interface GatewayOutboundMessage {
     channel: string;

package/dist/loop-risk.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Loop-risk guard — detects patterns that suggest two daemon-hosted agents
+ * are stuck echoing each other (or that a conversation has naturally
+ * wound down but both sides keep sending courtesy acks). When triggered,
+ * `buildLoopRiskPrompt()` returns an injected hint that encourages the
+ * agent to reply with `NO_REPLY` unless it has something substantive to
+ * add.
+ *
+ * Ported from `plugin/src/loop-risk.ts` with one structural change: plugin
+ * has OpenClaw's message transcript available (`messages: unknown[]`) so
+ * it can reconstruct historical user turns on demand. Daemon does not —
+ * Claude Code owns the transcript, not daemon. So daemon records inbound
+ * texts in a module-level map the same way plugin records outbound ones.
+ *
+ * Detectors:
+ *   - high_turn_rate  — many user↔assistant alternations in a short window
+ *   - short_ack_tail  — the last two inbound texts are acks / closure phrases
+ *   - repeated_outbound — recent outbound replies are highly similar
+ */
+export type LoopRiskReason = {
+    id: "high_turn_rate" | "short_ack_tail" | "repeated_outbound";
+    summary: string;
+};
+export interface LoopRiskEvaluation {
+    reasons: LoopRiskReason[];
+}
+/**
+ * Strip the `[BotCord Message] | …` header and `<agent-message>` / hint
+ * wrappers the user-turn composer adds around the raw inbound text. Leaves
+ * the plain body so similarity / ack detection operates on actual content.
+ * Kept in sync with `turn-text.ts` output shape.
+ */
+export declare function stripBotCordPromptScaffolding(text: string): string;
+export declare function normalizeLoopText(text: string): string;
+export declare function recordInboundText(params: {
+    sessionKey?: string;
+    text?: unknown;
+    timestamp?: number;
+}): void;
+export declare function recordOutboundText(params: {
+    sessionKey?: string;
+    text?: unknown;
+    timestamp?: number;
+}): void;
+export declare function clearLoopRiskSession(sessionKey?: string): void;
+export declare function resetLoopRiskStateForTests(): void;
+export declare function evaluateLoopRisk(params: {
+    sessionKey?: string;
+    now?: number;
+}): LoopRiskEvaluation;
+/** Build the injected system-context hint, or `null` if no risk detected. */
+export declare function buildLoopRiskPrompt(params: {
+    sessionKey?: string;
+    now?: number;
+}): string | null;
+/**
+ * Derive a loop-risk session key from a gateway inbound message or
+ * outbound reply. Keyed on (accountId, conversationId, threadId) so a
+ * DM and a group thread under the same agent don't share state.
+ */
+export declare function loopRiskSessionKey(params: {
+    accountId: string;
+    conversationId: string;
+    threadId?: string | null;
+}): string;

package/dist/loop-risk.js

@@ -0,0 +1,286 @@
+/**
+ * Loop-risk guard — detects patterns that suggest two daemon-hosted agents
+ * are stuck echoing each other (or that a conversation has naturally
+ * wound down but both sides keep sending courtesy acks). When triggered,
+ * `buildLoopRiskPrompt()` returns an injected hint that encourages the
+ * agent to reply with `NO_REPLY` unless it has something substantive to
+ * add.
+ *
+ * Ported from `plugin/src/loop-risk.ts` with one structural change: plugin
+ * has OpenClaw's message transcript available (`messages: unknown[]`) so
+ * it can reconstruct historical user turns on demand. Daemon does not —
+ * Claude Code owns the transcript, not daemon. So daemon records inbound
+ * texts in a module-level map the same way plugin records outbound ones.
+ *
+ * Detectors:
+ *   - high_turn_rate  — many user↔assistant alternations in a short window
+ *   - short_ack_tail  — the last two inbound texts are acks / closure phrases
+ *   - repeated_outbound — recent outbound replies are highly similar
+ */
+// Module-level state. Keys are caller-supplied session identifiers
+// (daemon uses `${accountId}:${conversationId}:${threadId ?? ""}`).
+const inboundBySession = new Map();
+const outboundBySession = new Map();
+// --- Tunables ---------------------------------------------------------
+const TURN_WINDOW_MS = 2 * 60_000;
+const TURN_THRESHOLD = 8;
+const ALTERNATION_THRESHOLD = 6;
+const MIN_TURNS_PER_SIDE = 3;
+const SAMPLE_MAX_AGE_MS = 10 * 60_000;
+const MAX_TRACKED_PER_SIDE = 6;
+const SHORT_ACK_MAX_CHARS = 48;
+const MIN_REPEAT_TEXT_CHARS = 6;
+const OUTBOUND_SIMILARITY_THRESHOLD = 0.88;
+// --- Ack / closure phrase lists (mirrors plugin) ----------------------
+const ENGLISH_ACK_OR_CLOSURE = new Set([
+    "ok", "okay", "got it", "thanks", "thank you", "noted", "understood",
+    "sounds good", "sgtm", "roger", "copy", "will do", "all good",
+    "no worries", "bye", "goodbye", "see you", "talk later",
+]);
+const CHINESE_ACK_OR_CLOSURE = new Set([
+    "收到", "好的", "好", "行", "嗯", "嗯嗯", "明白", "明白了", "知道了",
+    "谢谢", "谢谢你", "感谢", "辛苦了", "先这样", "回头聊", "有需要再说",
+    "没问题", "了解", "好嘞",
+]);
+// --- Text normalization -----------------------------------------------
+/**
+ * Strip the `[BotCord Message] | …` header and `<agent-message>` / hint
+ * wrappers the user-turn composer adds around the raw inbound text. Leaves
+ * the plain body so similarity / ack detection operates on actual content.
+ * Kept in sync with `turn-text.ts` output shape.
+ */
+export function stripBotCordPromptScaffolding(text) {
+    const filtered = text
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter((line) => {
+        if (!line)
+            return false;
+        if (line.startsWith("[BotCord Message]"))
+            return false;
+        if (line.startsWith("[BotCord Notification]"))
+            return false;
+        if (line.startsWith("[Room Rule]"))
+            return false;
+        if (line.startsWith("[In group chats, do NOT reply"))
+            return false;
+        if (line.startsWith("[If the conversation has naturally concluded"))
+            return false;
+        if (line.startsWith("[You received a contact request"))
+            return false;
+        if (line.includes('reply with exactly "NO_REPLY"'))
+            return false;
+        if (line.startsWith("<agent-message"))
+            return false;
+        if (line === "</agent-message>")
+            return false;
+        if (line.startsWith("<human-message"))
+            return false;
+        if (line === "</human-message>")
+            return false;
+        return true;
+    });
+    return filtered.join("\n").trim();
+}
+export function normalizeLoopText(text) {
+    return stripBotCordPromptScaffolding(text)
+        .toLowerCase()
+        .replace(/https?:\/\/\S+/gu, " ")
+        .replace(/[^\p{L}\p{N}\s]/gu, " ")
+        .replace(/\s+/gu, " ")
+        .trim();
+}
+function isShortAckOrClosure(text) {
+    const n = normalizeLoopText(text);
+    if (!n || n.length > SHORT_ACK_MAX_CHARS)
+        return false;
+    return ENGLISH_ACK_OR_CLOSURE.has(n) || CHINESE_ACK_OR_CLOSURE.has(n);
+}
+// --- Similarity -------------------------------------------------------
+function trigramSet(text) {
+    if (text.length <= 3)
+        return new Set([text]);
+    const grams = new Set();
+    for (let i = 0; i <= text.length - 3; i++)
+        grams.add(text.slice(i, i + 3));
+    return grams;
+}
+function jaccardSimilarity(a, b) {
+    if (!a || !b)
+        return 0;
+    if (a === b)
+        return 1;
+    const A = trigramSet(a);
+    const B = trigramSet(b);
+    let inter = 0;
+    for (const g of A)
+        if (B.has(g))
+            inter++;
+    const union = A.size + B.size - inter;
+    return union === 0 ? 0 : inter / union;
+}
+function areOutboundTextsHighlySimilar(a, b) {
+    if (!a || !b)
+        return false;
+    if (a === b)
+        return true;
+    if (a.length < MIN_REPEAT_TEXT_CHARS || b.length < MIN_REPEAT_TEXT_CHARS)
+        return false;
+    return jaccardSimilarity(a, b) >= OUTBOUND_SIMILARITY_THRESHOLD;
+}
+// --- Sample store -----------------------------------------------------
+function prune(map, sessionKey, now) {
+    const existing = map.get(sessionKey) ?? [];
+    const next = existing.filter((s) => now - s.timestamp <= SAMPLE_MAX_AGE_MS);
+    if (next.length === 0) {
+        map.delete(sessionKey);
+        return [];
+    }
+    map.set(sessionKey, next);
+    return next;
+}
+function record(map, sessionKey, sample) {
+    const kept = prune(map, sessionKey, sample.timestamp);
+    const next = [...kept, sample].slice(-MAX_TRACKED_PER_SIDE);
+    map.set(sessionKey, next);
+}
+export function recordInboundText(params) {
+    const sessionKey = params.sessionKey?.trim();
+    const raw = typeof params.text === "string" ? params.text.trim() : "";
+    if (!sessionKey || !raw)
+        return;
+    const normalized = normalizeLoopText(raw);
+    if (!normalized)
+        return;
+    record(inboundBySession, sessionKey, {
+        text: raw,
+        normalized,
+        timestamp: params.timestamp ?? Date.now(),
+    });
+}
+export function recordOutboundText(params) {
+    const sessionKey = params.sessionKey?.trim();
+    const raw = typeof params.text === "string" ? params.text.trim() : "";
+    if (!sessionKey || !raw)
+        return;
+    const normalized = normalizeLoopText(raw);
+    if (!normalized)
+        return;
+    record(outboundBySession, sessionKey, {
+        text: raw,
+        normalized,
+        timestamp: params.timestamp ?? Date.now(),
+    });
+}
+export function clearLoopRiskSession(sessionKey) {
+    if (!sessionKey)
+        return;
+    inboundBySession.delete(sessionKey);
+    outboundBySession.delete(sessionKey);
+}
+export function resetLoopRiskStateForTests() {
+    inboundBySession.clear();
+    outboundBySession.clear();
+}
+// --- Detectors --------------------------------------------------------
+function detectHighTurnRate(inbound, outbound, now) {
+    const timeline = [];
+    for (const s of inbound) {
+        if (now - s.timestamp <= TURN_WINDOW_MS)
+            timeline.push({ role: "user", timestamp: s.timestamp });
+    }
+    for (const s of outbound) {
+        if (now - s.timestamp <= TURN_WINDOW_MS)
+            timeline.push({ role: "assistant", timestamp: s.timestamp });
+    }
+    if (timeline.length < TURN_THRESHOLD)
+        return undefined;
+    timeline.sort((a, b) => a.timestamp - b.timestamp);
+    let userTurns = 0;
+    let assistantTurns = 0;
+    let alternations = 0;
+    for (let i = 0; i < timeline.length; i++) {
+        if (timeline[i].role === "user")
+            userTurns++;
+        else
+            assistantTurns++;
+        if (i > 0 && timeline[i].role !== timeline[i - 1].role)
+            alternations++;
+    }
+    if (userTurns >= MIN_TURNS_PER_SIDE &&
+        assistantTurns >= MIN_TURNS_PER_SIDE &&
+        alternations >= ALTERNATION_THRESHOLD) {
+        return {
+            id: "high_turn_rate",
+            summary: `same session shows ${timeline.length} user/assistant turns within ${Math.round(TURN_WINDOW_MS / 1000)}s`,
+        };
+    }
+    return undefined;
+}
+function detectShortAckTail(inbound) {
+    const tail = inbound.slice(-2);
+    if (tail.length < 2)
+        return undefined;
+    if (tail.every((s) => isShortAckOrClosure(s.text))) {
+        return {
+            id: "short_ack_tail",
+            summary: "the last two inbound user messages are short acknowledgements or closure phrases",
+        };
+    }
+    return undefined;
+}
+function detectRepeatedOutbound(outbound) {
+    const recent = outbound.slice(-3);
+    if (recent.length < 2)
+        return undefined;
+    const last = recent[recent.length - 1];
+    if (!last)
+        return undefined;
+    const previous = recent.slice(0, -1);
+    const exact = previous.filter((s) => s.normalized === last.normalized).length;
+    const similar = previous.filter((s) => areOutboundTextsHighlySimilar(s.normalized, last.normalized)).length;
+    if (exact >= 1 || (recent.length >= 3 && similar >= 2)) {
+        return {
+            id: "repeated_outbound",
+            summary: "recent outbound texts in this session are highly similar",
+        };
+    }
+    return undefined;
+}
+export function evaluateLoopRisk(params) {
+    const now = params.now ?? Date.now();
+    if (!params.sessionKey)
+        return { reasons: [] };
+    const inbound = prune(inboundBySession, params.sessionKey, now);
+    const outbound = prune(outboundBySession, params.sessionKey, now);
+    const reasons = [
+        detectHighTurnRate(inbound, outbound, now),
+        detectShortAckTail(inbound),
+        detectRepeatedOutbound(outbound),
+    ].filter((r) => Boolean(r));
+    return { reasons };
+}
+/** Build the injected system-context hint, or `null` if no risk detected. */
+export function buildLoopRiskPrompt(params) {
+    const evaluation = evaluateLoopRisk(params);
+    if (evaluation.reasons.length === 0)
+        return null;
+    return [
+        "[BotCord loop-risk check]",
+        "Observed signals:",
+        ...evaluation.reasons.map((r) => `- ${r.summary}`),
+        "",
+        "Before sending any BotCord reply, verify that it adds new information, concrete progress, a blocking question, or a final result/error.",
+        'If it does not, reply with exactly "NO_REPLY" and nothing else.',
+        "Do not send courtesy-only acknowledgements or mirrored sign-offs.",
+    ].join("\n");
+}
+/**
+ * Derive a loop-risk session key from a gateway inbound message or
+ * outbound reply. Keyed on (accountId, conversationId, threadId) so a
+ * DM and a group thread under the same agent don't share state.
+ */
+export function loopRiskSessionKey(params) {
+    const thread = params.threadId ?? "";
+    return `${params.accountId}:${params.conversationId}:${thread}`;
+}

package/dist/system-context.d.ts

@@ -46,6 +46,12 @@ export interface SystemContextDeps {
      * is skipped.
      */
     roomContextBuilder?: RoomStaticContextBuilder;
+    /**
+     * Optional per-turn loop-risk check. Returns a warning block when the
+     * session shows signs of agent-to-agent echo or courtesy loops. Sync
+     * + cheap — consulted every turn even when roomContextBuilder is absent.
+     */
+    loopRiskBuilder?: (message: GatewayInboundMessage) => string | null;
 }
 /**
  * Build a {@link SystemContextBuilder} for the gateway dispatcher.

package/dist/system-context.js

@@ -53,10 +53,28 @@ export function createDaemonSystemContextBuilder(deps) {
         const filtered = parts.filter((p) => typeof p === "string" && p.length > 0);
         return filtered.length > 0 ? filtered.join("\n\n") : undefined;
     };
+    const runLoopRisk = (message) => {
+        if (!deps.loopRiskBuilder)
+            return null;
+        try {
+            return deps.loopRiskBuilder(message);
+        }
+        catch (err) {
+            log.warn("system-context: loopRiskBuilder threw — skipping loop-risk block", {
+                agentId: deps.agentId,
+                roomId: message.conversation.id,
+                err: err instanceof Error ? err.message : String(err),
+            });
+            return null;
+        }
+    };
     if (!deps.roomContextBuilder) {
         const syncBuilder = (message) => {
             const { ownerScene, memory, digest } = gatherSyncBlocks(message);
-            return assemble([ownerScene, memory, digest]);
+            // Loop-risk sits at the end so its "reply NO_REPLY unless…" guidance
+            // is the last thing the model sees before the user turn body.
+            const loopRisk = runLoopRisk(message);
+            return assemble([ownerScene, memory, digest, loopRisk]);
         };
         // Compile-time witness that the narrower sync signature still satisfies
         // `SystemContextBuilder` (which allows async). Prevents the two contracts
@@ -83,7 +101,8 @@ export function createDaemonSystemContextBuilder(deps) {
                 err: err instanceof Error ? err.message : String(err),
             });
         }
-        return assemble([ownerScene, memory, roomBlock, digest]);
+        const loopRisk = runLoopRisk(message);
+        return assemble([ownerScene, memory, roomBlock, digest, loopRisk]);
     };
     const _typecheck = asyncBuilder;
     void _typecheck;

package/dist/turn-text.js

@@ -4,6 +4,20 @@ const GROUP_HINT = '[In group chats, do NOT reply unless you are explicitly ment
     'If no response is needed, reply with exactly "NO_REPLY" and nothing else.]';
 const DIRECT_HINT = '[If the conversation has naturally concluded or no response is needed, ' +
     'reply with exactly "NO_REPLY" and nothing else.]';
+/**
+ * Read the BotCord envelope type from a raw inbound message. Returns
+ * `undefined` when the message didn't come from the BotCord channel or the
+ * raw shape is unexpected — callers treat that the same as "message".
+ */
+function readEnvelopeType(raw) {
+    if (!raw || typeof raw !== "object")
+        return undefined;
+    const env = raw.envelope;
+    if (!env || typeof env !== "object")
+        return undefined;
+    const t = env.type;
+    return typeof t === "string" ? t : undefined;
+}
 /**
  * Compose the user-turn text for a BotCord inbound message.
  *
@@ -46,12 +60,28 @@ export function composeBotCordUserTurn(msg) {
     const tag = sender.kind === "human" ? "human-message" : "agent-message";
     const senderKindAttr = sender.kind === "human" ? "human" : "agent";
     const hint = isGroup ? GROUP_HINT : DIRECT_HINT;
-    return [
+    // Contact-request envelopes travel through the same "inbound message"
+    // path as regular messages, but carry an additional expectation: the
+    // agent should surface the request to its owner rather than auto-accept
+    // or auto-reject. Mirrors `plugin/src/inbound.ts` §handleA2ASingle.
+    const isContactRequest = readEnvelopeType(msg.raw) === "contact_request";
+    const contactRequestHint = isContactRequest
+        ? "[You received a contact request from " +
+            sanitizedSenderLabel +
+            ". Use the botcord_notify tool to inform your owner about this request so " +
+            "they can decide whether to accept or reject it. Include the sender's " +
+            "agent ID and any message they attached.]"
+        : null;
+    const lines = [
         headerFields.join(" | "),
         `<${tag} sender="${sanitizedSenderLabel}" sender_kind="${senderKindAttr}">`,
         trimmed,
         `</${tag}>`,
         "",
         hint,
-    ].join("\n");
+    ];
+    if (contactRequestHint) {
+        lines.push("", contactRequestHint);
+    }
+    return lines.join("\n");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botcord/daemon",
-  "version": "0.1.1",
+  "version": "0.2.1",
   "description": "BotCord local daemon — bridges Hub inbox push to local Claude Code / Codex / Gemini CLIs",
   "type": "module",
   "bin": {
@@ -27,7 +27,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@botcord/protocol-core": "^0.1.1",
+    "@botcord/protocol-core": "^0.2.0",
     "ws": "^8.18.0"
   },
   "devDependencies": {