discoclaw 0.8.2 → 0.8.3

package/.context/README.md

@@ -19,6 +19,7 @@ Core instructions live in `CLAUDE.md` at the repo root.
 | **Architecture / system overview** | `architecture.md` |
 | **Tool capabilities / browser automation** | `tools.md` |
 | **Voice system (STT/TTS, audio pipeline, actions)** | `voice.md` |
+| **Automations / cron / scheduled tasks** | `automations.md` |
 | **Forge/plan standing constraints** | `project.md` *(auto-loaded by forge)* |
 | **Plan & Forge commands** | `plan-and-forge.md` *(in docs/, not .context/)* |
 | **Engineering lessons / compound learnings** | `docs/compound-lessons.md` *(single checked-in durable artifact; lives in `docs/`, not `.context/`; human/developer reference, not auto-loaded into agent context)* |
@@ -41,6 +42,7 @@ Core instructions live in `CLAUDE.md` at the repo root.
 - **bot-setup.md** — One-time bot creation and invite guide
 - **tools.md** — Available tools: browser automation (agent-browser), escalation ladder, CDP connect, security guardrails
 - **voice.md** — Voice subsystem: module map, audio data flow, key patterns (barge-in, allowlist gating), wiring sequence, dependencies, config reference
+- **automations.md** — Cron & scheduled tasks: job lifecycle, trigger types, primitives (state, silent, routing, chaining), safety rails, config reference
 - **project.md** — Standing constraints auto-loaded by forge drafter and auditor
 - **docs/plan-and-forge.md** — Canonical reference for `!plan` and `!forge` commands (lives in `docs/`, not `.context/` — human/developer reference, not auto-loaded into agent context)
 - **docs/compound-lessons.md** — Single checked-in durable artifact for distilled engineering lessons from audits, forge runs, and repeated workflow failures

package/.context/automations.md

@@ -0,0 +1,87 @@
+# automations.md — Cron & Scheduled Tasks
+
+Quick-reference for automation behavior. For full primitive docs see
+[docs/cron.md](../docs/cron.md); for worked examples and copy-pasteable recipes
+see [docs/cron-patterns.md](../docs/cron-patterns.md).
+
+## System Overview
+
+Cron jobs are defined as forum threads in a dedicated Discord forum channel.
+The scheduler registers in-process timers (via `croner`); on each tick the
+executor assembles a prompt, invokes the AI runtime, and posts output to a
+target channel.
+
+Source: `src/cron/` — scheduler, executor, parser, forum sync, run stats,
+job lock, chain, tag map.
+
+## Job Lifecycle
+
+| Thread state | Job state |
+|--------------|-----------|
+| Active | Registered and running |
+| Archived | Paused (unregistered) |
+| Unarchived | Resumed (re-registered) |
+| Deleted | Removed; stats cleaned on next startup |
+
+Jobs must be created through the bot (`cronCreate` action), not by manually
+creating forum threads.
+
+## Trigger Types
+
+- **`schedule`** — standard 5-field cron expression
+- **`webhook`** — external HTTP POST (requires `DISCOCLAW_WEBHOOK_ENABLED=true`)
+- **`manual`** — explicit `cronTrigger` action only
+
+## Key Primitives
+
+| Primitive | Purpose |
+|-----------|---------|
+| `{{state}}` / `<cron-state>` | Persistent per-job key-value state across runs |
+| `silent` mode | Suppress posting when output is a sentinel (`HEARTBEAT_OK` or `[]`) |
+| `routingMode: "json"` | Multi-channel dispatch via JSON array of `{channel, content}` |
+| `allowedActions` | Restrict which Discord action types a job may emit |
+| `chain` | Fire downstream jobs on success, forwarding state via `__upstream` |
+| `model` | Per-job model tier override (`fast` / `capable` / `deep`) |
+
+## Safety Rails
+
+- Cron jobs **cannot emit cron actions** — hard-coded, not configurable.
+- Overlap guard: one execution per job at a time; concurrent ticks are skipped.
+- Chain depth limit: **10** (prevents runaway cascades).
+- Cycle detection at write time (BFS reachability check).
+- `allowedActions` narrows only — cannot grant permissions the global config denies.
+
+## State Essentials
+
+- `<cron-state>` **replaces** the full state object (not a merge).
+- `{{state}}` expands to `{}` on first run or after a reset.
+- Reset state: `cronUpdate` with `state: "{}"`.
+- The executor injects a "Persistent State" section capped at 4 000 chars.
+
+## Configuration
+
+| Variable | Default | Purpose |
+|----------|---------|---------|
+| `DISCOCLAW_CRON_ENABLED` | `true` | Enable the cron subsystem |
+| `DISCOCLAW_CRON_FORUM` | — | Forum channel ID (auto-created if unset) |
+| `DISCOCLAW_CRON_EXEC_MODEL` | `capable` | Default model tier for execution |
+| `DISCOCLAW_CRON_MODEL` | `fast` | Model tier for definition parsing |
+| `DISCOCLAW_CRON_AUTO_TAG` | `true` | Auto-tag cron forum threads |
+| `DISCOCLAW_CRON_STATS_DIR` | — | Override stats storage directory |
+| `DISCOCLAW_CRON_TAG_MAP` | — | Override tag map file path |
+| `DISCOCLAW_WEBHOOK_ENABLED` | `false` | Enable the webhook server |
+| `DISCOCLAW_WEBHOOK_CONFIG` | — | Path to webhook config JSON |
+
+## Common Patterns (cheat sheet)
+
+| Pattern | Key technique |
+|---------|---------------|
+| Stateful polling | `{{state}}` cursor + `<cron-state>` update |
+| Silent monitoring | `silent: true` + `HEARTBEAT_OK` sentinel |
+| Multi-channel fan-out | `routingMode: "json"` |
+| Chained pipelines | `chain` field + `__upstream.state` handoff |
+| Accumulation / rollup | State counter resets on cadence boundary |
+| Webhook-triggered | Config file + HMAC-SHA256 verification |
+| Gated actions | `allowedActions` for least-privilege |
+
+See [docs/cron-patterns.md](../docs/cron-patterns.md) for full examples of each.

package/dist/config/safe-key.js

@@ -0,0 +1,38 @@
+/**
+ * Guards against prototype-pollution via dynamic property names.
+ *
+ * Any code path that uses an external string (route param, JSON key, etc.)
+ * as a plain-object property name should reject these values first.
+ */
+const PROTO_POLLUTION_KEYS = new Set([
+    '__proto__',
+    'constructor',
+    'prototype',
+]);
+/** Returns `true` when `key` is a prototype-pollution property name. */
+export function isUnsafeKey(key) {
+    return PROTO_POLLUTION_KEYS.has(key);
+}
+/**
+ * Look up `key` on `obj` only when the key is safe and is an own property.
+ * Returns `undefined` for unsafe keys or missing properties — never walks
+ * the prototype chain.
+ */
+export function safeGet(obj, key) {
+    if (isUnsafeKey(key))
+        return undefined;
+    return Object.hasOwn(obj, key) ? obj[key] : undefined;
+}
+/**
+ * Return a shallow copy of `obj` with any prototype-pollution keys removed.
+ * Useful for sanitising parsed JSON before it becomes a lookup table.
+ */
+export function stripUnsafeKeys(obj) {
+    const clean = Object.create(null);
+    for (const key of Object.keys(obj)) {
+        if (!isUnsafeKey(key)) {
+            clean[key] = obj[key];
+        }
+    }
+    return clean;
+}

package/dist/config/safe-key.test.js

@@ -0,0 +1,60 @@
+import { describe, expect, it } from 'vitest';
+import { isUnsafeKey, safeGet, stripUnsafeKeys } from './safe-key.js';
+describe('isUnsafeKey', () => {
+    it.each(['__proto__', 'constructor', 'prototype'])('returns true for %s', (key) => {
+        expect(isUnsafeKey(key)).toBe(true);
+    });
+    it.each(['github', 'alerts', '', 'proto', '__proto', 'CONSTRUCTOR'])('returns false for %s', (key) => {
+        expect(isUnsafeKey(key)).toBe(false);
+    });
+});
+describe('safeGet', () => {
+    const obj = { a: 1, b: 2 };
+    it('returns the value for a safe, present key', () => {
+        expect(safeGet(obj, 'a')).toBe(1);
+    });
+    it('returns undefined for a safe but missing key', () => {
+        expect(safeGet(obj, 'z')).toBeUndefined();
+    });
+    it('returns undefined for __proto__ even when set as own property', () => {
+        const withProto = Object.create(null);
+        withProto['__proto__'] = 42;
+        expect(safeGet(withProto, '__proto__')).toBeUndefined();
+    });
+    it('returns undefined for constructor', () => {
+        expect(safeGet(obj, 'constructor')).toBeUndefined();
+    });
+    it('returns undefined for prototype', () => {
+        expect(safeGet(obj, 'prototype')).toBeUndefined();
+    });
+    it('does not walk the prototype chain', () => {
+        const parent = { inherited: 99 };
+        const child = Object.create(parent);
+        expect(safeGet(child, 'inherited')).toBeUndefined();
+    });
+});
+describe('stripUnsafeKeys', () => {
+    it('removes __proto__, constructor, and prototype keys', () => {
+        const input = {
+            github: 'ok',
+            __proto__: 'bad',
+            constructor: 'bad',
+            prototype: 'bad',
+            alerts: 'ok',
+        };
+        // JSON.parse puts __proto__ as own property; replicate with Object.defineProperty
+        Object.defineProperty(input, '__proto__', { value: 'bad', enumerable: true, configurable: true });
+        const result = stripUnsafeKeys(input);
+        expect(Object.keys(result)).toEqual(['github', 'alerts']);
+        expect(result['github']).toBe('ok');
+        expect(result['alerts']).toBe('ok');
+    });
+    it('returns a null-prototype object', () => {
+        const result = stripUnsafeKeys({ a: 1 });
+        expect(Object.getPrototypeOf(result)).toBeNull();
+    });
+    it('handles an empty object', () => {
+        const result = stripUnsafeKeys({});
+        expect(Object.keys(result)).toEqual([]);
+    });
+});

package/dist/config.js

@@ -1,4 +1,4 @@
-import { parseAllowBotIds, parseAllowChannelIds, parseAllowUserIds } from './discord/allowlist.js';
+import { isAllowlisted, parseAllowBotIds, parseAllowChannelIds, parseAllowUserIds } from './discord/allowlist.js';
 import { parseDashboardTrustedHosts } from './dashboard/options.js';
 export const KNOWN_TOOLS = new Set([
     'Bash', 'Read', 'Write', 'Edit', 'Glob', 'Grep', 'WebSearch', 'WebFetch', 'Pipeline', 'Step',
@@ -9,6 +9,14 @@ export const DEFAULT_DISCORD_ACTIONS_DEFER_MAX_DEPTH = 4;
 export const DEFAULT_DISCORD_ACTIONS_LOOP_MIN_INTERVAL_SECONDS = 60;
 export const DEFAULT_DISCORD_ACTIONS_LOOP_MAX_INTERVAL_SECONDS = 86400;
 export const DEFAULT_DISCORD_ACTIONS_LOOP_MAX_CONCURRENT = 5;
+/**
+ * Check whether a Discord user is authorized for config-mutating actions.
+ * Uses the DISCORD_ALLOW_USER_IDS allowlist as the sole authorization source.
+ * Fails closed: returns false when the allowlist is empty.
+ */
+export function isAuthorizedUser(config, userId) {
+    return isAllowlisted(config.allowUserIds, userId);
+}
 function parseBoolean(env, name, defaultValue) {
     const raw = env[name];
     if (raw == null || raw.trim() === '')

package/dist/discord/action-dispatcher.js

@@ -0,0 +1,20 @@
+import { isConfigAuthorized } from './allowlist.js';
+import { CONFIG_UNAUTHORIZED_ERROR } from './replies.js';
+import { CONFIG_MUTATING_ACTION_TYPES } from './actions-config.js';
+/**
+ * Fail-fast authorization check for config-mutating actions.
+ *
+ * Returns an error result when the requester is not authorized;
+ * returns null when the action is allowed (either non-config or authorized).
+ * Missing requester identity denies by default.
+ *
+ * The protected action set is defined in actions-config.ts
+ * (CONFIG_MUTATING_ACTION_TYPES) so coverage is co-located with action definitions.
+ */
+export function checkConfigAuthorization(actionType, requesterId, allowUserIds) {
+    if (!CONFIG_MUTATING_ACTION_TYPES.has(actionType))
+        return null;
+    if (isConfigAuthorized(allowUserIds, requesterId))
+        return null;
+    return { ok: false, error: CONFIG_UNAUTHORIZED_ERROR };
+}

package/dist/discord/action-flags.js

@@ -0,0 +1,18 @@
+/**
+ * Strip action categories that require a trusted requester context.
+ *
+ * Used by cron executor and other automated paths where the requester
+ * may not be an allowlisted user. Config is included because config
+ * mutations (modelSet, modelReset) must only run for allowlisted users.
+ */
+export function withoutRequesterGatedActionFlags(flags) {
+    return {
+        ...flags,
+        channels: false,
+        messaging: false,
+        guild: false,
+        moderation: false,
+        polls: false,
+        config: false,
+    };
+}

package/dist/discord/actions-config.js

@@ -8,6 +8,19 @@ const CONFIG_TYPE_MAP = {
     workspaceWarnings: true,
 };
 export const CONFIG_ACTION_TYPES = new Set(Object.keys(CONFIG_TYPE_MAP));
+/**
+ * Config action types that mutate bot state and require requester authorization
+ * against DISCORD_ALLOW_USER_IDS. Read-only queries (modelShow, workspaceWarnings)
+ * are intentionally excluded.
+ *
+ * All role-scoped mutations — chat, voice, imagegen, fast, cron, forge-drafter,
+ * forge-auditor, plan-run, summary, cron-exec — flow through modelSet/modelReset,
+ * so this set covers every config-mutation path.
+ */
+export const CONFIG_MUTATING_ACTION_TYPES = new Set([
+    'modelSet',
+    'modelReset',
+]);
 // ---------------------------------------------------------------------------
 // Role → field mapping
 // ---------------------------------------------------------------------------

package/dist/discord/actions-imagegen.js

@@ -2,6 +2,7 @@ import { AttachmentBuilder } from 'discord.js';
 import { resolveChannel, findChannelRaw, describeChannelType } from './action-utils.js';
 import { NO_MENTIONS } from './allowed-mentions.js';
 import { downloadMessageImages, downloadImageUrl } from './image-download.js';
+import { validateGeminiModelId } from '../gemini-model-validation.js';
 const IMAGEGEN_TYPE_MAP = {
     generateImage: true,
 };
@@ -16,6 +17,8 @@ const GPT_IMAGE_VALID_SIZES = new Set(['1024x1024', '1024x1792', '1792x1024', 'a
 const GEMINI_VALID_SIZES = new Set(['1:1', '3:4', '4:3', '9:16', '16:9']);
 const VALID_QUALITY = new Set(['standard', 'hd']);
 const DISCORD_MAX_CONTENT = 2000;
+// Re-export so existing test imports continue to work.
+export { validateGeminiModelId } from '../gemini-model-validation.js';
 // Progress UX
 export const TYPING_INTERVAL_MS = 8_000;
 export const DOT_CYCLE_INTERVAL_MS = 3_000;
@@ -95,6 +98,9 @@ async function callOpenAI(prompt, model, size, quality, apiKey, baseUrl, signal)
     return { ok: true, b64: imageItem.b64_json };
 }
 async function callGemini(prompt, model, size, geminiApiKey, signal) {
+    const v = validateGeminiModelId(model);
+    if (!v.ok)
+        return { ok: false, error: v.error };
     const url = `https://generativelanguage.googleapis.com/v1beta/models/${model}:predict`;
     const body = {
         instances: [{ prompt }],
@@ -144,6 +150,9 @@ async function callGemini(prompt, model, size, geminiApiKey, signal) {
     return { ok: true, b64 };
 }
 async function callGeminiNative(prompt, model, geminiApiKey, sourceImage, signal) {
+    const v = validateGeminiModelId(model);
+    if (!v.ok)
+        return { ok: false, error: v.error };
     const url = `https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent`;
     const parts = [];
     if (sourceImage) {
@@ -251,6 +260,12 @@ export async function executeImagegenAction(action, ctx, imagegenCtx) {
             const provider = resolveProvider(model, action.provider);
             const defaultSize = provider === 'gemini' ? DEFAULT_SIZE_GEMINI : DEFAULT_SIZE_OPENAI;
             const size = action.size ?? defaultSize;
+            // Validate Gemini model ID before it can reach any URL interpolation
+            if (provider === 'gemini') {
+                const mv = validateGeminiModelId(model);
+                if (!mv.ok)
+                    return { ok: false, error: mv.error };
+            }
             // Per-provider size validation
             if (provider === 'gemini') {
                 if (!model.startsWith('gemini-') && !GEMINI_VALID_SIZES.has(size)) {

package/dist/discord/actions-imagegen.test.js

@@ -1,6 +1,6 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 import { ChannelType } from 'discord.js';
-import { executeImagegenAction, IMAGEGEN_ACTION_TYPES, imagegenActionsPromptSection, resolveDefaultModel, resolveProvider, TYPING_INTERVAL_MS, DOT_CYCLE_INTERVAL_MS, REQUEST_TIMEOUT_MS, } from './actions-imagegen.js';
+import { executeImagegenAction, IMAGEGEN_ACTION_TYPES, imagegenActionsPromptSection, resolveDefaultModel, resolveProvider, validateGeminiModelId, TYPING_INTERVAL_MS, DOT_CYCLE_INTERVAL_MS, REQUEST_TIMEOUT_MS, } from './actions-imagegen.js';
 import { buildTieredDiscordActionsPromptSection, parseDiscordActions } from './actions.js';
 import { buildUnavailableActionTypesNotice } from './output-common.js';
 vi.mock('./image-download.js', async (importOriginal) => {
@@ -769,6 +769,118 @@ describe('generateImage — Gemini Native', () => {
         expect(fetch).not.toHaveBeenCalled();
     });
 });
+// ---------------------------------------------------------------------------
+// Gemini model ID validation
+// ---------------------------------------------------------------------------
+describe('validateGeminiModelId', () => {
+    it.each([
+        'imagen-4.0-generate-001',
+        'imagen-4.0-fast-generate-001',
+        'imagen-4.0-ultra-generate-001',
+        'gemini-3.1-flash-image-preview',
+        'gemini-3-pro-image-preview',
+        'dall-e-3',
+        'gpt-image-1',
+        'my_custom_model.v2',
+    ])('accepts valid model ID: %s', (model) => {
+        expect(validateGeminiModelId(model)).toEqual({ ok: true });
+    });
+    it.each([
+        ['../other-model', 'path traversal with ../'],
+        ['model/../secret', 'embedded traversal'],
+        ['model/subpath', 'slash in model'],
+        ['model:extra', 'colon in model'],
+        ['model%2F..', 'percent-encoded slash'],
+        ['', 'empty string'],
+        [' model', 'leading space'],
+        ['model name', 'space in model'],
+        ['model\ttab', 'tab in model'],
+        ['model\nline', 'newline in model'],
+        ['.hidden', 'leading dot'],
+        ['-start', 'leading hyphen'],
+        ['_start', 'leading underscore'],
+        ['a'.repeat(129), 'exceeds max length'],
+    ])('rejects invalid model ID: %s (%s)', (model) => {
+        const result = validateGeminiModelId(model);
+        expect(result.ok).toBe(false);
+        if (!result.ok)
+            expect(result.error).toContain('invalid Gemini model identifier');
+    });
+});
+describe('generateImage — Gemini model validation', () => {
+    beforeEach(() => {
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue(makeGeminiSuccessResponse()));
+    });
+    afterEach(() => {
+        vi.unstubAllGlobals();
+    });
+    it('rejects traversal payload before any network call (:predict branch)', async () => {
+        const ch = makeMockChannel({ name: 'art' });
+        const ctx = makeCtx([ch]);
+        const result = await executeImagegenAction({ type: 'generateImage', prompt: 'A mountain', channel: '#art', model: '../evil-model', provider: 'gemini', size: '1:1' }, ctx, makeImagegenCtx({ geminiApiKey: 'gemini-key' }));
+        expect(result.ok).toBe(false);
+        if (!result.ok)
+            expect(result.error).toContain('invalid Gemini model identifier');
+        expect(fetch).not.toHaveBeenCalled();
+    });
+    it('rejects traversal payload before any network call (:generateContent branch)', async () => {
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue(makeGeminiNativeSuccessResponse()));
+        const ch = makeMockChannel({ name: 'art' });
+        const ctx = makeCtx([ch]);
+        const result = await executeImagegenAction({ type: 'generateImage', prompt: 'A mountain', channel: '#art', model: 'gemini-../../evil', provider: 'gemini' }, ctx, makeImagegenCtx({ geminiApiKey: 'gemini-key' }));
+        expect(result.ok).toBe(false);
+        if (!result.ok)
+            expect(result.error).toContain('invalid Gemini model identifier');
+        expect(fetch).not.toHaveBeenCalled();
+    });
+    it.each([
+        'model/with/slashes',
+        'model:with:colons',
+        'model%2Fencoded',
+        '../traversal',
+        'model\nnewline',
+    ])('rejects reserved/special character model "%s" without network call', async (badModel) => {
+        const ch = makeMockChannel({ name: 'art' });
+        const ctx = makeCtx([ch]);
+        const result = await executeImagegenAction({ type: 'generateImage', prompt: 'A mountain', channel: '#art', model: badModel, provider: 'gemini', size: '1:1' }, ctx, makeImagegenCtx({ geminiApiKey: 'gemini-key' }));
+        expect(result.ok).toBe(false);
+        if (!result.ok)
+            expect(result.error).toContain('invalid Gemini model identifier');
+        expect(fetch).not.toHaveBeenCalled();
+    });
+    it('accepts valid imagen model and reaches network layer', async () => {
+        const ch = makeMockChannel({ name: 'art' });
+        const ctx = makeCtx([ch]);
+        const result = await executeImagegenAction({ type: 'generateImage', prompt: 'A mountain', channel: '#art', model: 'imagen-4.0-generate-001', size: '1:1' }, ctx, makeImagegenCtx({ geminiApiKey: 'gemini-key' }));
+        expect(result.ok).toBe(true);
+        expect(fetch).toHaveBeenCalled();
+    });
+    it('accepts valid gemini native model and reaches network layer', async () => {
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue(makeGeminiNativeSuccessResponse()));
+        const ch = makeMockChannel({ name: 'art' });
+        const ctx = makeCtx([ch]);
+        const result = await executeImagegenAction({ type: 'generateImage', prompt: 'A mountain', channel: '#art', model: 'gemini-3.1-flash-image-preview' }, ctx, makeImagegenCtx({ geminiApiKey: 'gemini-key' }));
+        expect(result.ok).toBe(true);
+        expect(fetch).toHaveBeenCalled();
+    });
+    it('does not validate model for OpenAI provider (no Gemini URL involved)', async () => {
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue(makeSuccessResponse()));
+        const ch = makeMockChannel({ name: 'art' });
+        const ctx = makeCtx([ch]);
+        // A model with slashes would be invalid for Gemini, but should pass for OpenAI
+        const result = await executeImagegenAction({ type: 'generateImage', prompt: 'A mountain', channel: '#art', model: 'dall-e-3' }, ctx, makeImagegenCtx({ apiKey: 'openai-key' }));
+        expect(result.ok).toBe(true);
+        expect(fetch).toHaveBeenCalled();
+    });
+    it('preserves fallback behavior when model is omitted (Gemini default)', async () => {
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue(makeGeminiNativeSuccessResponse()));
+        const ch = makeMockChannel({ id: 'origin-ch', name: 'general' });
+        const ctx = makeCtx([ch]);
+        const result = await executeImagegenAction({ type: 'generateImage', prompt: 'A mountain' }, ctx, makeImagegenCtx({ geminiApiKey: 'gemini-key' }));
+        expect(result.ok).toBe(true);
+        expect(fetch).toHaveBeenCalledWith(expect.stringContaining('gemini-3.1-flash-image-preview:generateContent'), expect.anything());
+    });
+});
 describe('default model resolution', () => {
     afterEach(() => {
         vi.unstubAllGlobals();

package/dist/discord/actions.js

@@ -17,20 +17,12 @@ import { IMAGEGEN_ACTION_TYPES, executeImagegenAction, imagegenActionsPromptSect
 import { VOICE_ACTION_TYPES, executeVoiceAction, voiceActionsPromptSection } from './actions-voice.js';
 import { SPAWN_ACTION_TYPES, executeSpawnActions, spawnActionsPromptSection } from './actions-spawn.js';
 import { describeDestructiveConfirmationRequirement } from './destructive-confirmation.js';
+import { checkConfigAuthorization } from './action-dispatcher.js';
 import { computeMarkdownCodeRanges } from './markdown-code-ranges.js';
 import { parseCapsuleBlock } from './capsule.js';
 export { computeMarkdownCodeRanges } from './markdown-code-ranges.js';
+export { withoutRequesterGatedActionFlags } from './action-flags.js';
 export const REQUESTER_MEMBER_DENY_ALL = { __requesterDenyAll: true };
-export function withoutRequesterGatedActionFlags(flags) {
-    return {
-        ...flags,
-        channels: false,
-        messaging: false,
-        guild: false,
-        moderation: false,
-        polls: false,
-    };
-}
 import { appendOutsideFence } from './output-utils.js';
 function buildImagegenSetupRequiredStub() {
     return [
@@ -372,6 +364,12 @@ export async function executeDiscordActions(actions, ctx, log, subs) {
                 results.push(result);
                 continue;
             }
+            // Fail-fast: deny config-mutating actions from unauthorized requesters.
+            const configAuthResult = checkConfigAuthorization(action.type, ctx.requesterId, ctx.allowUserIds);
+            if (configAuthResult) {
+                results.push(configAuthResult);
+                continue;
+            }
             if (CHANNEL_ACTION_TYPES.has(action.type)) {
                 result = await executeChannelAction(action, ctx, requesterMember);
             }
@@ -514,6 +512,23 @@ export function buildDisplayResultLines(actions, results) {
 export function buildAllResultLines(results) {
     return results.map((r) => r.ok ? `Done: ${r.summary}` : `Failed: ${r.error}`);
 }
+/**
+ * Cap a single result line to approximately `maxChars` characters.
+ * If truncated, appends a visible `...[truncated]` suffix.
+ */
+export function capResultLine(line, maxChars = 1500) {
+    if (line.length <= maxChars)
+        return line;
+    return `${line.slice(0, maxChars)}...[truncated]`;
+}
+/**
+ * Build result lines for follow-up prompts with per-line length capping.
+ * Each line is capped at `maxChars` characters to prevent oversized payloads
+ * from crowding out reasoning and action blocks in follow-up prompts.
+ */
+export function buildCappedResultLines(results, maxChars = 1500) {
+    return buildAllResultLines(results).map((line) => capResultLine(line, maxChars));
+}
 /**
  * Append display result lines to body text, automatically closing any
  * unclosed fenced code block so the results render outside the block.

package/dist/discord/actions.test.js

@@ -356,7 +356,7 @@ describe('withoutRequesterGatedActionFlags', () => {
             forge: true,
             plan: true,
             memory: true,
-            config: true,
+            config: false,
             defer: true,
             loop: true,
             imagegen: true,

package/dist/discord/allowlist.js

@@ -44,3 +44,14 @@ export function isTrustedBot(allow, botId) {
         return false;
     return allow.has(botId);
 }
+/**
+ * Check whether a requester is authorized for config-mutating actions.
+ * Fail closed: missing or empty allowlist, or missing requesterId, denies.
+ */
+export function isConfigAuthorized(allowUserIds, requesterId) {
+    if (!requesterId)
+        return false;
+    if (!allowUserIds || allowUserIds.size === 0)
+        return false;
+    return allowUserIds.has(requesterId);
+}

package/dist/discord/message-coordinator.followup-lifecycle.test.js

@@ -27,6 +27,7 @@ vi.mock('./actions.js', () => ({
     })),
     buildDisplayResultLines: vi.fn(() => ['Succeeded: general, random']),
     buildAllResultLines: vi.fn(() => ['Succeeded: general, random']),
+    buildCappedResultLines: vi.fn(() => ['Succeeded: general, random']),
     appendActionResults: vi.fn((body) => `${body}\n> general, random`),
     withoutRequesterGatedActionFlags: vi.fn((flags) => flags),
 }));

package/dist/discord/message-coordinator.js

@@ -6,7 +6,7 @@ import { isAllowlisted, isTrustedBot } from './allowlist.js';
 import { KeyedQueue } from '../group-queue.js';
 import { ensureIndexedDiscordChannelContext, resolveDiscordChannelContext } from './channel-context.js';
 import { discordSessionKey } from './session-key.js';
-import { parseDiscordActions, executeDiscordActions, buildTieredDiscordActionsPromptSection, buildDisplayResultLines, buildAllResultLines, appendActionResults, withoutRequesterGatedActionFlags } from './actions.js';
+import { parseDiscordActions, executeDiscordActions, buildTieredDiscordActionsPromptSection, buildDisplayResultLines, buildCappedResultLines, appendActionResults, withoutRequesterGatedActionFlags } from './actions.js';
 import { shouldTriggerFollowUp } from './action-categories.js';
 import { countPinnedMessages, normalizePinnedMessages } from './pinned-message-utils.js';
 import { buildForgeCompletionWatchdogDetail, buildForgeCrashWatchdogDetail, buildForgePostProcessingWatchdogDetail, } from './actions-forge.js';
@@ -2264,6 +2264,7 @@ export function createMessageCreateHandler(params, queue, statusRef) {
                             guild: msg.guild,
                             client: msg.client,
                             requesterId: msg.author.id,
+                            allowUserIds: params.allowUserIds,
                             channelId: msg.channelId,
                             messageId: msg.id,
                             threadParentId,
@@ -2751,6 +2752,8 @@ export function createMessageCreateHandler(params, queue, statusRef) {
                                     useNativeTextFallback: runtimeSupportsNativeThinkingStream(params.runtime.id),
                                 });
                                 hadTextFinal = false;
+                                let responseTruncated = false;
+                                let responseFinishReason;
                                 let currentFollowUpToken = null;
                                 let currentFollowUpRunId = null;
                                 // On follow-up iterations, send a new placeholder message.
@@ -3175,6 +3178,10 @@ export function createMessageCreateHandler(params, queue, statusRef) {
                                             else if (evt.type === 'image_data') {
                                                 collectedImages.push(evt.image);
                                             }
+                                            else if (evt.type === 'finish_metadata') {
+                                                responseTruncated = evt.truncated;
+                                                responseFinishReason = evt.finishReason;
+                                            }
                                         }
                                         else {
                                             // Flat mode: stream text/final directly and append runtime signals.
@@ -3212,6 +3219,10 @@ export function createMessageCreateHandler(params, queue, statusRef) {
                                             else if (evt.type === 'image_data') {
                                                 collectedImages.push(evt.image);
                                             }
+                                            else if (evt.type === 'finish_metadata') {
+                                                responseTruncated = evt.truncated;
+                                                responseFinishReason = evt.finishReason;
+                                            }
                                         }
                                     }
                                 }
@@ -3289,6 +3300,7 @@ export function createMessageCreateHandler(params, queue, statusRef) {
                                             guild: msg.guild,
                                             client: msg.client,
                                             requesterId: !isBotMessage ? msg.author.id : undefined,
+                                            allowUserIds: params.allowUserIds,
                                             channelId: msg.channelId,
                                             messageId: msg.id,
                                             threadParentId,
@@ -3441,14 +3453,31 @@ export function createMessageCreateHandler(params, queue, statusRef) {
                                 if (shouldQueueFollowUp) {
                                     const token = buildFollowUpToken();
                                     const failureRetryPlaceholder = buildFailureRetryPlaceholder(actions, actionResults);
-                                    const followUpLines = buildAllResultLines(actionResults);
+                                    const followUpLines = buildCappedResultLines(actionResults);
                                     const followUpSuffix = failureRetryPlaceholder
                                         ? `One or more actions failed. If you retry, explicitly tell the user what failed and whether the retry succeeded or failed. Do not announce success before the action confirms it.`
                                         : `Continue your analysis based on these results. If you need additional information, you may emit further query actions.`;
-                                    currentPrompt =
-                                        `[Auto-follow-up] Your previous response included Discord actions. Here are the results:\n\n` +
-                                            followUpLines.join('\n') +
-                                            `\n\n${followUpSuffix}`;
+                                    // Build the follow-up prompt with original request context and truncation awareness.
+                                    const followUpParts = [];
+                                    // Original request summary so a reset session knows what task it is continuing.
+                                    const originalRequest = userText.trim();
+                                    if (originalRequest) {
+                                        const cappedRequest = originalRequest.length > 300
+                                            ? `${originalRequest.slice(0, 300)}...[truncated]`
+                                            : originalRequest;
+                                        followUpParts.push(`[Original request] ${cappedRequest}`);
+                                    }
+                                    // Truncation notice when the previous response was cut off by output limits.
+                                    if (responseTruncated) {
+                                        const reasonDetail = responseFinishReason ? ` (finishReason: ${responseFinishReason})` : '';
+                                        followUpParts.push(`[Truncation notice] Your previous response was cut off by output token limits${reasonDetail}. ` +
+                                            `Your earlier output may have ended before final reasoning or action blocks completed. ` +
+                                            `Review the action results below and continue from where you left off.`);
+                                    }
+                                    followUpParts.push(`[Auto-follow-up] Your previous response included Discord actions. Here are the results:\n\n` +
+                                        followUpLines.join('\n') +
+                                        `\n\n${followUpSuffix}`);
+                                    currentPrompt = followUpParts.join('\n\n');
                                     const followUpActionSection = buildTieredDiscordActionsPromptSection(actionFlags, params.botDisplayName);
                                     currentPrompt += '\n\n---\n' + followUpActionSection.prompt;
                                     const pendingLine = buildFollowUpLifecycleLine(token, 'pending');

package/dist/discord/plan-manager.js

@@ -1736,6 +1736,54 @@ function hashFileContent(filePath) {
         return '';
     }
 }
+/** Returns the current git branch name, or null if detached/unavailable. */
+export function gitCurrentBranch(cwd) {
+    try {
+        return execFileSync('git', ['rev-parse', '--abbrev-ref', 'HEAD'], {
+            cwd, env: localGitEnv(), encoding: 'utf-8', stdio: 'pipe',
+        }).trim() || null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Validates that a staged commit won't catastrophically delete most of the repo.
+ * Call after `git add` but before `git commit`.
+ *
+ * Returns null if safe, or an error message string if the commit should be rejected.
+ */
+export function validateCommitSafety(cwd, preBranch) {
+    const env = localGitEnv();
+    // Check 1: Branch drift — did the branch change during phase execution?
+    if (preBranch) {
+        const currentBranch = gitCurrentBranch(cwd);
+        if (currentBranch && currentBranch !== preBranch) {
+            return `Branch changed during phase execution: expected "${preBranch}", got "${currentBranch}". ` +
+                'This may indicate git init or git checkout --orphan was run.';
+        }
+    }
+    // Check 2: Deletion ratio — would this commit delete >50% of tracked files?
+    try {
+        const deletedRaw = execFileSync('git', ['diff', '--cached', '--diff-filter=D', '--name-only'], { cwd, env, encoding: 'utf-8', stdio: 'pipe' }).trim();
+        const deletedCount = deletedRaw ? deletedRaw.split('\n').length : 0;
+        if (deletedCount > 0) {
+            // git ls-files returns the post-staging index (deletions already removed),
+            // so add back deletedCount to get the original total.
+            const remainingRaw = execFileSync('git', ['ls-files'], { cwd, env, encoding: 'utf-8', stdio: 'pipe' }).trim();
+            const remainingCount = remainingRaw ? remainingRaw.split('\n').length : 0;
+            const originalTotal = remainingCount + deletedCount;
+            if (originalTotal > 0 && deletedCount / originalTotal > 0.5) {
+                return `Commit would delete ${deletedCount} of ${originalTotal} tracked files (${Math.round(deletedCount / originalTotal * 100)}%). ` +
+                    'This exceeds the 50% safety threshold.';
+            }
+        }
+    }
+    catch {
+        // git command failed — skip this check rather than blocking
+    }
+    return null;
+}
 // ---------------------------------------------------------------------------
 // High-level runner
 // ---------------------------------------------------------------------------
@@ -1816,6 +1864,7 @@ export async function runNextPhase(phasesFilePath, planFilePath, opts, onProgres
     writePhasesFile(phasesFilePath, allPhases);
     // 6. Git snapshot (null = git command failed, skip modified-files tracking)
     const preSnapshot = isGitAvailable ? gitDiffNames(opts.projectCwd) : null;
+    const preBranch = isGitAvailable ? gitCurrentBranch(opts.projectCwd) : null;
     // 7. Auto-revert on retry
     if (phase.status === 'failed' && phase.modifiedFiles && phase.failureHashes && isGitAvailable && preSnapshot) {
         // Note: we are re-reading phase from the old allPhases data (before status update).
@@ -2111,6 +2160,17 @@ export async function runNextPhase(phasesFilePath, planFilePath, opts, onProgres
         try {
             const env = localGitEnv();
             execFileSync('git', ['add', ...modifiedFiles], { cwd: opts.projectCwd, env, stdio: 'pipe' });
+            // Safety gate: validate commit won't catastrophically delete files
+            const safetyError = validateCommitSafety(opts.projectCwd, preBranch);
+            if (safetyError) {
+                execFileSync('git', ['reset'], { cwd: opts.projectCwd, env, stdio: 'pipe' });
+                opts.log?.error({ phase: phase.id, safetyError }, 'plan-manager: commit blocked by safety check');
+                // Mark phase as failed — a catastrophic deletion shouldn't graduate
+                allPhases = updatePhaseStatus(allPhases, phase.id, 'failed', undefined, safetyError, null);
+                writePhasesFile(phasesFilePath, allPhases);
+                const failedPhase = allPhases.phases.find((p) => p.id === phase.id);
+                return { result: 'failed', phase: failedPhase, output: '', error: safetyError };
+            }
             const commitMsg = `${allPhases.planId} ${phase.id}: ${phase.title}`;
             execFileSync('git', ['commit', '-m', commitMsg], { cwd: opts.projectCwd, env, stdio: 'pipe' });
             // Capture commit hash

package/dist/discord/plan-manager.test.js

@@ -5,7 +5,7 @@ import os from 'node:os';
 import path from 'node:path';
 import { createHash } from 'node:crypto';
 import { execSync } from 'node:child_process';
-import { computeAuditConvergenceSignature, computePlanHash, extractFilePaths, groupFiles, extractChangeSpec, decomposePlan, serializePhases, deserializePhases, getNextPhase, selectRunnablePhase, resequenceKeepingDone, validatePhaseDependencies, updatePhaseStatus, checkStaleness, buildPhasePrompt, buildAuditFixPrompt, buildPostRunSummary, extractObjective, resolveProjectCwd, resolveContextFilePath, serializePhasesStateJson, deserializePhasesStateJson, writePhasesFile, readPhasesFile, executePhase, runNextPhase, } from './plan-manager.js';
+import { computeAuditConvergenceSignature, computePlanHash, extractFilePaths, groupFiles, extractChangeSpec, decomposePlan, serializePhases, deserializePhases, getNextPhase, selectRunnablePhase, resequenceKeepingDone, validatePhaseDependencies, updatePhaseStatus, checkStaleness, buildPhasePrompt, buildAuditFixPrompt, buildPostRunSummary, extractObjective, resolveProjectCwd, resolveContextFilePath, serializePhasesStateJson, deserializePhasesStateJson, writePhasesFile, readPhasesFile, executePhase, runNextPhase, gitCurrentBranch, validateCommitSafety, } from './plan-manager.js';
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -3406,3 +3406,89 @@ describe('buildPostRunSummary', () => {
         ]);
     });
 });
+// ---------------------------------------------------------------------------
+// gitCurrentBranch / validateCommitSafety
+// ---------------------------------------------------------------------------
+describe('gitCurrentBranch', () => {
+    let tmpDir;
+    beforeEach(async () => {
+        tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'git-safety-'));
+        const gitEnv = { ...process.env, GIT_DIR: undefined, GIT_WORK_TREE: undefined };
+        execSync('git init', { cwd: tmpDir, env: gitEnv, stdio: 'pipe' });
+        execSync('git config user.email "test@test.com"', { cwd: tmpDir, env: gitEnv, stdio: 'pipe' });
+        execSync('git config user.name "Test"', { cwd: tmpDir, env: gitEnv, stdio: 'pipe' });
+        fsSync.writeFileSync(path.join(tmpDir, 'README.md'), 'test');
+        execSync('git add . && git commit -m "init"', { cwd: tmpDir, env: gitEnv, stdio: 'pipe' });
+    });
+    afterEach(async () => {
+        await fs.rm(tmpDir, { recursive: true, force: true });
+    });
+    it('returns the current branch name', () => {
+        const branch = gitCurrentBranch(tmpDir);
+        // Default branch is typically "main" or "master"
+        expect(typeof branch).toBe('string');
+        expect(branch.length).toBeGreaterThan(0);
+    });
+    it('returns null for non-git directory', async () => {
+        const nonGit = await fs.mkdtemp(path.join(os.tmpdir(), 'non-git-'));
+        try {
+            expect(gitCurrentBranch(nonGit)).toBeNull();
+        }
+        finally {
+            await fs.rm(nonGit, { recursive: true, force: true });
+        }
+    });
+});
+describe('validateCommitSafety', () => {
+    let tmpDir;
+    const gitEnv = () => ({ ...process.env, GIT_DIR: undefined, GIT_WORK_TREE: undefined });
+    beforeEach(async () => {
+        tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'commit-safety-'));
+        execSync('git init', { cwd: tmpDir, env: gitEnv(), stdio: 'pipe' });
+        execSync('git config user.email "test@test.com"', { cwd: tmpDir, env: gitEnv(), stdio: 'pipe' });
+        execSync('git config user.name "Test"', { cwd: tmpDir, env: gitEnv(), stdio: 'pipe' });
+        // Create a repo with enough files to trigger ratio checks
+        for (let i = 0; i < 20; i++) {
+            fsSync.writeFileSync(path.join(tmpDir, `file-${i}.txt`), `content-${i}`);
+        }
+        execSync('git add . && git commit -m "init with 20 files"', { cwd: tmpDir, env: gitEnv(), stdio: 'pipe' });
+    });
+    afterEach(async () => {
+        await fs.rm(tmpDir, { recursive: true, force: true });
+    });
+    it('returns null for safe commit (no deletions)', () => {
+        // Stage a small change
+        fsSync.writeFileSync(path.join(tmpDir, 'file-0.txt'), 'updated');
+        execSync('git add file-0.txt', { cwd: tmpDir, env: gitEnv(), stdio: 'pipe' });
+        const branch = gitCurrentBranch(tmpDir);
+        expect(validateCommitSafety(tmpDir, branch)).toBeNull();
+    });
+    it('rejects commit that deletes >50% of files', () => {
+        // Delete 15 of 20 files (75%)
+        for (let i = 0; i < 15; i++) {
+            fsSync.unlinkSync(path.join(tmpDir, `file-${i}.txt`));
+        }
+        execSync('git add -A', { cwd: tmpDir, env: gitEnv(), stdio: 'pipe' });
+        const branch = gitCurrentBranch(tmpDir);
+        const result = validateCommitSafety(tmpDir, branch);
+        expect(result).not.toBeNull();
+        expect(result).toContain('safety threshold');
+    });
+    it('allows commit that deletes <50% of files', () => {
+        // Delete 5 of 20 files (25%)
+        for (let i = 0; i < 5; i++) {
+            fsSync.unlinkSync(path.join(tmpDir, `file-${i}.txt`));
+        }
+        execSync('git add -A', { cwd: tmpDir, env: gitEnv(), stdio: 'pipe' });
+        const branch = gitCurrentBranch(tmpDir);
+        expect(validateCommitSafety(tmpDir, branch)).toBeNull();
+    });
+    it('rejects when branch changed', () => {
+        // Simulate branch drift by passing a different preBranch
+        fsSync.writeFileSync(path.join(tmpDir, 'file-0.txt'), 'updated');
+        execSync('git add file-0.txt', { cwd: tmpDir, env: gitEnv(), stdio: 'pipe' });
+        const result = validateCommitSafety(tmpDir, 'some-other-branch');
+        expect(result).not.toBeNull();
+        expect(result).toContain('Branch changed');
+    });
+});

package/dist/discord/reaction-handler.js

@@ -850,6 +850,7 @@ function createReactionHandler(mode, params, queue, statusRef) {
                                         guild: msg.guild,
                                         client: msg.client,
                                         requesterId: user.id,
+                                        allowUserIds: params.allowUserIds,
                                         channelId: msg.channelId,
                                         messageId: msg.id,
                                         threadParentId,

package/dist/discord/replies.js

@@ -0,0 +1,5 @@
+/**
+ * Consistent error message for unauthorized config mutation attempts.
+ * Distinct from validation errors so callers can distinguish auth failures.
+ */
+export const CONFIG_UNAUTHORIZED_ERROR = 'Unauthorized: only allowlisted users can change bot configuration. This request was denied.';

package/dist/gemini-model-validation.js

@@ -0,0 +1,20 @@
+/**
+ * Shared Gemini model-identifier validation.
+ *
+ * Every code path that interpolates a model value into a Gemini REST URL
+ * (.../models/${model}:predict, :generateContent, :streamGenerateContent)
+ * must call {@link validateGeminiModelId} **before** constructing the URL.
+ *
+ * Only alphanumerics, hyphens, dots, and underscores are legal in a Gemini
+ * model path segment.  Anything else (slashes, colons, percent-encoding,
+ * whitespace …) could alter the request URL.
+ */
+const GEMINI_MODEL_RE = /^[a-zA-Z0-9][a-zA-Z0-9._-]{0,127}$/;
+export function validateGeminiModelId(model) {
+    if (GEMINI_MODEL_RE.test(model))
+        return { ok: true };
+    return {
+        ok: false,
+        error: `invalid Gemini model identifier "${model}"`,
+    };
+}

package/dist/runtime/cli-adapter.js

@@ -482,6 +482,7 @@ export function createCliRuntime(strategy, opts) {
             let mergedStdout = '';
             let merged = '';
             let resultText = '';
+            let lastStopReason;
             let inToolUse = false;
             const stdoutLineBuf = new LineBuffer();
             let stderrBuffered = '';
@@ -556,6 +557,11 @@ export function createCliRuntime(strategy, opts) {
                     if (evt) {
                         parsedJsonLineCount++;
                         lastJsonEventType = getJsonLineEventType(evt) ?? null;
+                        // Capture stop_reason from result events for finish_metadata
+                        const evtObj = evt;
+                        if (typeof evtObj.stop_reason === 'string' && evtObj.stop_reason) {
+                            lastStopReason = evtObj.stop_reason;
+                        }
                     }
                     else {
                         unparsableStdoutLineCount++;
@@ -916,6 +922,12 @@ export function createCliRuntime(strategy, opts) {
                         emittedUserOutput = true;
                     push({ type: 'text_final', text: final });
                 }
+                const cliTruncated = lastStopReason === 'max_tokens' || lastStopReason === 'length';
+                push({
+                    type: 'finish_metadata',
+                    truncated: cliTruncated,
+                    ...(lastStopReason ? { finishReason: lastStopReason } : {}),
+                });
                 push({ type: 'done' });
                 finished = true;
                 wake();

package/dist/runtime/cli-adapter.test.js

@@ -243,6 +243,7 @@ describe('createCliRuntime', () => {
         }));
         expect(events).toEqual([
             { type: 'text_final', text: '' },
+            { type: 'finish_metadata', truncated: false },
             { type: 'done' },
         ]);
     });
@@ -261,6 +262,7 @@ describe('createCliRuntime', () => {
         }));
         expect(events).toEqual([
             { type: 'text_final', text: '' },
+            { type: 'finish_metadata', truncated: false },
             { type: 'done' },
         ]);
     });

package/dist/runtime/codex-app-server.js

@@ -1687,6 +1687,12 @@ function summarizeTraceEvent(event) {
                 type: event.type,
                 mediaType: event.image.mediaType,
             };
+        case 'finish_metadata':
+            return {
+                type: event.type,
+                truncated: event.truncated,
+                ...(event.finishReason ? { finishReason: event.finishReason } : {}),
+            };
         case 'done':
             return { type: event.type };
     }

package/dist/runtime/gemini-rest.js

@@ -3,6 +3,7 @@
 // Auth via GEMINI_API_KEY header. Zero startup overhead vs. the CLI adapter.
 import { splitSystemPrompt } from './openai-compat.js';
 import { createRuntimeErrorEvent } from './runtime-failure.js';
+import { validateGeminiModelId } from '../gemini-model-validation.js';
 /** Extract the data payload from an SSE line, or undefined if not a data line. */
 function parseSSEData(line) {
     const trimmed = line.trim();
@@ -15,6 +16,15 @@ function parseSSEData(line) {
     return undefined;
 }
 export function createGeminiRestRuntime(opts) {
+    // Validate defaultModel eagerly so configuration errors surface at startup,
+    // not on the first request.  Empty string is allowed (caller must always
+    // supply params.model); non-empty values must pass the model-ID check.
+    if (opts.defaultModel) {
+        const check = validateGeminiModelId(opts.defaultModel);
+        if (!check.ok) {
+            throw new Error(`gemini-rest: invalid defaultModel: ${check.error}`);
+        }
+    }
     const capabilities = new Set(['streaming_text']);
     const baseUrl = opts.baseUrl ?? 'https://generativelanguage.googleapis.com/v1beta';
     return {
@@ -24,6 +34,12 @@ export function createGeminiRestRuntime(opts) {
         invoke(params) {
             return (async function* () {
                 const model = params.model || opts.defaultModel;
+                const modelCheck = validateGeminiModelId(model);
+                if (!modelCheck.ok) {
+                    yield createRuntimeErrorEvent(`gemini-rest: ${modelCheck.error}`);
+                    yield { type: 'done' };
+                    return;
+                }
                 const url = `${baseUrl}/models/${model}:streamGenerateContent?alt=sse`;
                 const controller = new AbortController();
                 let timer;
@@ -136,6 +152,12 @@ export function createGeminiRestRuntime(opts) {
                         opts.log?.debug({ candidate: lastCandidate }, 'gemini-rest: full candidate on empty response');
                     }
                     yield { type: 'text_final', text: accumulated };
+                    const geminiTruncated = lastFinishReason === 'MAX_TOKENS' || lastFinishReason === 'STOP_LIMIT';
+                    yield {
+                        type: 'finish_metadata',
+                        truncated: geminiTruncated,
+                        ...(lastFinishReason ? { finishReason: lastFinishReason } : {}),
+                    };
                     yield { type: 'done' };
                 }
                 catch (err) {

package/dist/runtime/gemini-rest.test.js

@@ -192,6 +192,70 @@ describe('Gemini REST runtime adapter', () => {
         await collectEvents(runtime.invoke({ prompt: 'test', model: '', cwd: '/tmp' }));
         expect(log.debug).toHaveBeenCalledWith({ candidate }, 'gemini-rest: full candidate on empty response');
     });
+    it('rejects model with path traversal characters', async () => {
+        globalThis.fetch = vi.fn();
+        const runtime = createGeminiRestRuntime({
+            apiKey: 'test-key',
+            defaultModel: 'gemini-2.5-flash',
+        });
+        const events = await collectEvents(runtime.invoke({ prompt: 'test', model: '../evil/path', cwd: '/tmp' }));
+        const error = events.find((e) => e.type === 'error');
+        expect(error).toBeDefined();
+        expect(error.message).toContain('invalid Gemini model identifier');
+        expect(events.at(-1)?.type).toBe('done');
+        expect(globalThis.fetch).not.toHaveBeenCalled();
+    });
+    it('rejects model with colons', async () => {
+        globalThis.fetch = vi.fn();
+        const runtime = createGeminiRestRuntime({
+            apiKey: 'test-key',
+            defaultModel: 'gemini-2.5-flash',
+        });
+        const events = await collectEvents(runtime.invoke({ prompt: 'test', model: 'model:inject', cwd: '/tmp' }));
+        const error = events.find((e) => e.type === 'error');
+        expect(error).toBeDefined();
+        expect(error.message).toContain('invalid Gemini model identifier');
+        expect(globalThis.fetch).not.toHaveBeenCalled();
+    });
+    it('rejects model with slashes', async () => {
+        globalThis.fetch = vi.fn();
+        const runtime = createGeminiRestRuntime({
+            apiKey: 'test-key',
+            defaultModel: 'gemini-2.5-flash',
+        });
+        const events = await collectEvents(runtime.invoke({ prompt: 'test', model: 'models/evil', cwd: '/tmp' }));
+        const error = events.find((e) => e.type === 'error');
+        expect(error).toBeDefined();
+        expect(globalThis.fetch).not.toHaveBeenCalled();
+    });
+    it('rejects empty model when defaultModel is also empty', async () => {
+        globalThis.fetch = vi.fn();
+        const runtime = createGeminiRestRuntime({
+            apiKey: 'test-key',
+            defaultModel: '',
+        });
+        const events = await collectEvents(runtime.invoke({ prompt: 'test', model: '', cwd: '/tmp' }));
+        const error = events.find((e) => e.type === 'error');
+        expect(error).toBeDefined();
+        expect(globalThis.fetch).not.toHaveBeenCalled();
+    });
+    it('accepts valid model identifiers with dots and hyphens', async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue(makeSSEResponse([makeGeminiSSEData('ok')]));
+        const runtime = createGeminiRestRuntime({
+            apiKey: 'test-key',
+            defaultModel: 'gemini-2.5-flash',
+        });
+        const events = await collectEvents(runtime.invoke({ prompt: 'test', model: 'gemini-2.5-pro-preview-05-06', cwd: '/tmp' }));
+        expect(events.find((e) => e.type === 'error')).toBeUndefined();
+        expect(events.find((e) => e.type === 'text_final')).toBeDefined();
+        expect(globalThis.fetch).toHaveBeenCalledOnce();
+    });
+    it('throws at construction time if defaultModel is invalid', () => {
+        expect(() => createGeminiRestRuntime({ apiKey: 'test-key', defaultModel: '../evil' })).toThrow('invalid defaultModel');
+    });
+    it('allows empty defaultModel at construction time', () => {
+        expect(() => createGeminiRestRuntime({ apiKey: 'test-key', defaultModel: '' })).not.toThrow();
+    });
     it('supports custom baseUrl', async () => {
         globalThis.fetch = vi.fn().mockResolvedValue(makeSSEResponse([makeGeminiSSEData('ok')]));
         const runtime = createGeminiRestRuntime({

package/dist/runtime/openai-compat.js

@@ -178,6 +178,12 @@ export function createOpenAICompatRuntime(opts) {
                                 if (content)
                                     yield { type: 'text_delta', text: content };
                                 yield { type: 'text_final', text: content };
+                                const toolLoopFinishReason = choice?.finish_reason;
+                                yield {
+                                    type: 'finish_metadata',
+                                    truncated: toolLoopFinishReason === 'length',
+                                    ...(toolLoopFinishReason ? { finishReason: toolLoopFinishReason } : {}),
+                                };
                                 yield { type: 'done' };
                                 return;
                             }
@@ -235,6 +241,7 @@ export function createOpenAICompatRuntime(opts) {
                             ...tokenField,
                         });
                         let accumulated = '';
+                        let streamFinishReason;
                         const response = await fetchWithOpenAIBearerAuth({
                             url,
                             auth,
@@ -273,16 +280,25 @@ export function createOpenAICompatRuntime(opts) {
                                 return false;
                             if (data === '[DONE]') {
                                 yield { type: 'text_final', text: accumulated };
+                                yield {
+                                    type: 'finish_metadata',
+                                    truncated: streamFinishReason === 'length',
+                                    ...(streamFinishReason ? { finishReason: streamFinishReason } : {}),
+                                };
                                 yield { type: 'done' };
                                 return true;
                             }
                             try {
                                 const parsed = JSON.parse(data);
-                                const content = parsed?.choices?.[0]?.delta?.content;
+                                const choice = parsed?.choices?.[0];
+                                const content = choice?.delta?.content;
                                 if (content) {
                                     accumulated += content;
                                     yield { type: 'text_delta', text: content };
                                 }
+                                const chunkFinish = choice?.finish_reason;
+                                if (chunkFinish)
+                                    streamFinishReason = chunkFinish;
                             }
                             catch {
                                 // Skip unparseable lines
@@ -322,6 +338,11 @@ export function createOpenAICompatRuntime(opts) {
                         }
                         // Stream ended without [DONE] — emit what we have
                         yield { type: 'text_final', text: accumulated };
+                        yield {
+                            type: 'finish_metadata',
+                            truncated: streamFinishReason === 'length',
+                            ...(streamFinishReason ? { finishReason: streamFinishReason } : {}),
+                        };
                         yield { type: 'done' };
                     }
                 }

package/dist/runtime/strategies/claude-strategy.js

@@ -23,7 +23,9 @@ const TOOL_USE_NAME_LENGTH_GUIDANCE = 'Anthropic API error: MCP tool name too lo
  * receives an explicit boundary at each phase boundary.
  */
 export const PHASE_SAFETY_REMINDER = 'SAFETY (automated agent): Do not run rm -rf outside build artifact directories, ' +
-    'git push --force, git branch -D, DROP TABLE, or chmod 777. ' +
+    'git push --force, git branch -D, git init, git checkout --orphan, ' +
+    'git reset --hard <other-commit>, DROP TABLE, or chmod 777. ' +
+    'Do not switch branches or create new branches during implementation phases. ' +
     'Do not write to .env, root-policy.ts, ~/.ssh/, or ~/.claude/ paths. ' +
     'If a task requires any of these, report it instead of executing.';
 const THINKING_PREVIEW_INTERVAL_MS = 3_000;

package/dist/server/routes/is-reserved-object-key.js

@@ -0,0 +1,17 @@
+/**
+ * Guards against prototype-pollution via dynamic route parameters.
+ *
+ * When a URL segment (e.g. `/webhook/:source`) is used as a plain-object
+ * property name, reserved keys like `__proto__` can trigger prototype
+ * pollution or uncaught exceptions.  Call this before any object lookup
+ * keyed by a route parameter.
+ */
+const RESERVED = new Set([
+    '__proto__',
+    'constructor',
+    'prototype',
+]);
+/** Returns `true` when `key` is a reserved Object property name. */
+export function isReservedObjectKey(key) {
+    return RESERVED.has(key);
+}

package/dist/webhook/server.js

@@ -7,6 +7,7 @@ import crypto from 'node:crypto';
 import http from 'node:http';
 import fs from 'node:fs/promises';
 import { executeCronJob } from '../cron/executor.js';
+import { isUnsafeKey, stripUnsafeKeys } from '../config/safe-key.js';
 import { sanitizeExternalContent } from '../sanitize-external.js';
 // ---------------------------------------------------------------------------
 // Shared constants + config types
@@ -33,7 +34,7 @@ export async function loadWebhookConfig(configPath) {
     if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
         throw new Error('Webhook config must be a JSON object');
     }
-    return parsed;
+    return stripUnsafeKeys(parsed);
 }
 let webhookJobCounter = 0;
 function buildWebhookJob(source, src, bodyText, guildId) {
@@ -113,6 +114,10 @@ export async function startWebhookServer(opts = {}) {
             respondWebhook(res, 400, 'Bad request');
             return;
         }
+        if (isUnsafeKey(source)) {
+            respondWebhook(res, 400, 'Bad request');
+            return;
+        }
         const src = config[source];
         if (!src) {
             log?.warn({ source }, 'webhook:unknown source');

package/dist/webhook/server.test.js

@@ -164,6 +164,21 @@ describe('startWebhookServer HTTP routing', () => {
         const res = await makeRequest(port, { path: '/webhook/foo%ZZbar' });
         expect(res.status).toBe(400);
     });
+    it('returns 400 for __proto__ source (prototype pollution)', async () => {
+        const res = await makeRequest(port, { path: '/webhook/__proto__', body: '{}' });
+        expect(res.status).toBe(400);
+        expect(res.body.ok).toBe(false);
+    });
+    it('returns 400 for constructor source (prototype pollution)', async () => {
+        const res = await makeRequest(port, { path: '/webhook/constructor', body: '{}' });
+        expect(res.status).toBe(400);
+        expect(res.body.ok).toBe(false);
+    });
+    it('returns 400 for prototype source (prototype pollution)', async () => {
+        const res = await makeRequest(port, { path: '/webhook/prototype', body: '{}' });
+        expect(res.status).toBe(400);
+        expect(res.body.ok).toBe(false);
+    });
     it('returns 404 for an unknown source', async () => {
         const body = '{}';
         const res = await makeRequest(port, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "discoclaw",
-  "version": "0.8.2",
+  "version": "0.8.3",
   "description": "Personal AI orchestrator that turns Discord into a persistent workspace",
   "license": "MIT",
   "repository": {
@@ -73,7 +73,7 @@
     "youtube-transcript-plus": "^1.2.0"
   },
   "simple-git-hooks": {
-    "pre-push": "pnpm build && pnpm test"
+    "pre-push": "bash scripts/pre-push-safety.sh && pnpm build && pnpm test"
   },
   "publishConfig": {
     "access": "public",

package/templates/instructions/SYSTEM_DEFAULTS.md

@@ -114,6 +114,17 @@ Your training data has a cutoff date. Anything that could have changed recently
 
 The cost of a quick web search is negligible. The cost of confidently declaring something doesn't exist -- when it dropped two days ago -- is your credibility.
 
+## Git Safety Rules
+
+These rules apply to all git operations, including freeform "commit and PR" flows:
+
+- **Never** run `git init` in the project directory
+- **Never** run `git checkout --orphan` — this replaces the entire repo tree
+- **Never** run `git reset --hard` to a different commit without explicit user approval
+- Before pushing, verify the diff is proportional to the task — a bug fix should not delete hundreds of files
+- If the diff shows mass deletions unrelated to the task, **stop and report** instead of pushing
+- Do not switch branches during implementation unless the task explicitly requires it
+
 ## Landing the Plane (Session Completion)
 
 Work is complete only when `git push` succeeds — local-only work is stranded work. If push fails, resolve and retry.