eniac-slack 0.1.43 → 0.1.44

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [0.1.44] - 2026-04-17
+
+- fix: claude.test.ts TypeScript 빌드 오류 수정 (#55)
+- Replace Claude SDK with CLI-based implementation for Slack bot (#49)
+
+
 ## [0.1.43] - 2026-03-16
 
 - fix(slack): 응답 완료 시 삭제+재발송 대신 편집으로 변경 (#48)

package/dist/services/claude.d.ts

@@ -15,35 +15,20 @@ export type ChatEvent = {
     type: "error";
     message: string;
 };
-/**
- * Abort any in-flight chat request for the given thread.
- * Returns the AbortSignal if there was an active request that was aborted.
- */
 export declare function abortActiveChat(threadTs: string): AbortSignal | undefined;
-/**
- * Get the AbortSignal for the active request on a thread.
- */
 export declare function getAbortSignal(threadTs: string): AbortSignal | undefined;
 export declare function createSession(threadTs: string, workDir: string, authorUserId: string): Session;
 export declare function getSession(threadTs: string): Session | undefined;
-/**
- * Delete a session and clean up all associated files:
- * - SDK session JSONL file
- * - Working directory
- * - sessions.json entry
- */
 export declare function deleteSession(threadTs: string): boolean;
-/**
- * Delete ALL sessions and clean up all associated files (workDir, JSONL).
- * Returns the number of sessions deleted.
- */
 export declare function deleteAllSessions(): number;
 export declare function getAllSessions(): Map<string, Session>;
 /**
- * Send a message to a Claude session via the SDK.
+ * Send a message to a Claude session via the CLI.
  *
- * Uses `canUseTool` callback to handle permission requests
- * through Slack interactive buttons.
+ * Spawns `claude -p` and parses stream-json output. When a dangerous tool
+ * (Bash, Edit, Write, …) is detected, the process is killed before the tool
+ * runs, a Slack approval button is shown, and the session is resumed with the
+ * user's decision. This loop repeats until the turn completes normally.
  */
 export declare function chat(threadTs: string, userMessage: string, slackClient: WebClient, channel: string, images?: SlackImageFile[]): AsyncGenerator<ChatEvent, void, unknown>;
 export {};

package/dist/services/claude.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"claude.d.ts","sourceRoot":"","sources":["../../src/services/claude.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAK9D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAIhD,UAAU,OAAO;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,MAAM,SAAS,GACjB;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACjC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AA0KvC;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CASzE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAExE;AAED,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,GACnB,OAAO,CAaT;AAED,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAEhE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAuCvD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAyC1C;AAED,wBAAgB,cAAc,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAErD;AAsCD;;;;;GAKG;AACH,wBAAuB,IAAI,CACzB,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,SAAS,EACtB,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,cAAc,EAAE,GACxB,cAAc,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,CAqP1C"}
+{"version":3,"file":"claude.d.ts","sourceRoot":"","sources":["../../src/services/claude.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAK9D,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAIhD,UAAU,OAAO;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,MAAM,SAAS,GACjB;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACjC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AA+JvC,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CASzE;AAED,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAExE;AAED,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,GACnB,OAAO,CAaT;AAED,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAEhE;AAED,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAmCvD;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAoC1C;AAED,wBAAgB,cAAc,IAAI,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAErD;AA+SD;;;;;;;GAOG;AACH,wBAAuB,IAAI,CACzB,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,SAAS,EACtB,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,cAAc,EAAE,GACxB,cAAc,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,CAkF1C"}

package/dist/services/claude.js

@@ -1,4 +1,5 @@
-import { query } from "@anthropic-ai/claude-agent-sdk";
+import { execa } from "execa";
+import { createInterface } from "node:readline";
 import { randomUUID } from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
@@ -28,24 +29,8 @@ function saveSessions() {
         console.warn("[sessions] failed to save:", err);
     }
 }
-// --- MCP server config loader ---
+// --- MCP config path ---
 const MCP_CONFIG_PATH = path.join(os.homedir(), ".claude", ".mcp.json");
-function loadMcpServers() {
-    try {
-        const data = fs.readFileSync(MCP_CONFIG_PATH, "utf-8");
-        const config = JSON.parse(data);
-        if (config.mcpServers && Object.keys(config.mcpServers).length > 0) {
-            console.log(`[mcp] loaded ${Object.keys(config.mcpServers).length} MCP server(s): ${Object.keys(config.mcpServers).join(", ")}`);
-            return config.mcpServers;
-        }
-    }
-    catch {
-        console.log("[mcp] no MCP config found or failed to parse");
-    }
-    return undefined;
-}
-const mcpServers = loadMcpServers();
-// --- MCP server selection (all servers always included) ---
 // --- System prompt for Slack bot ---
 const SYSTEM_PROMPT = `
 You are an AI assistant in a Slack workspace, helping with software engineering tasks.
@@ -108,6 +93,15 @@ Before modifying any infrastructure resource:
 If ports, volumes, or networks are shared with other services, you MUST notify the user.
 `.trim();
 const SESSION_TTL_MS = 14 * 24 * 60 * 60 * 1000; // 2 weeks
+// Tools that require Slack approval before running
+const DANGEROUS_TOOLS = new Set([
+    "Bash",
+    "Edit",
+    "Write",
+    "MultiEdit",
+    "NotebookEdit",
+]);
+const PERMISSION_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
 function cleanupExpiredSessions() {
     const now = Date.now();
     let cleaned = 0;
@@ -146,10 +140,6 @@ const sessions = loadSessions();
 cleanupExpiredSessions();
 // --- Active request tracking for abort-on-new-message ---
 const activeRequests = new Map();
-/**
- * Abort any in-flight chat request for the given thread.
- * Returns the AbortSignal if there was an active request that was aborted.
- */
 export function abortActiveChat(threadTs) {
     const controller = activeRequests.get(threadTs);
     if (controller) {
@@ -160,9 +150,6 @@ export function abortActiveChat(threadTs) {
     }
     return undefined;
 }
-/**
- * Get the AbortSignal for the active request on a thread.
- */
 export function getAbortSignal(threadTs) {
     return activeRequests.get(threadTs)?.signal;
 }
@@ -183,20 +170,12 @@ export function createSession(threadTs, workDir, authorUserId) {
 export function getSession(threadTs) {
     return sessions.get(threadTs);
 }
-/**
- * Delete a session and clean up all associated files:
- * - SDK session JSONL file
- * - Working directory
- * - sessions.json entry
- */
 export function deleteSession(threadTs) {
     const session = sessions.get(threadTs);
     if (!session)
         return false;
     console.log(`[sessions] deleting session: threadTs=${threadTs}, sessionId=${session.sessionId}`);
-    // Abort any in-flight request
     abortActiveChat(threadTs);
-    // Delete SDK session file (~/.claude/projects/{cwd-encoded}/{sessionId}.jsonl)
     const cwdEncoded = session.workDir.replace(/\//g, "-");
     const sessionFile = path.join(os.homedir(), ".claude", "projects", cwdEncoded, `${session.sessionId}.jsonl`);
     try {
@@ -206,7 +185,6 @@ export function deleteSession(threadTs) {
     catch {
         // File may not exist
     }
-    // Delete worktree directory
     try {
         fs.rmSync(session.workDir, { recursive: true, force: true });
         console.log(`[sessions] deleted workDir: ${session.workDir}`);
@@ -214,16 +192,11 @@ export function deleteSession(threadTs) {
     catch {
         // Directory may not exist
     }
-    // Remove from in-memory map and persist
     sessions.delete(threadTs);
     saveSessions();
     console.log(`[sessions] session deleted: threadTs=${threadTs}`);
     return true;
 }
-/**
- * Delete ALL sessions and clean up all associated files (workDir, JSONL).
- * Returns the number of sessions deleted.
- */
 export function deleteAllSessions() {
     const count = sessions.size;
     if (count === 0)
@@ -231,22 +204,17 @@ export function deleteAllSessions() {
     console.log(`[sessions] deleting all ${count} sessions`);
     for (const [threadTs, session] of sessions) {
         console.log(`[sessions] deleting session: threadTs=${threadTs}, sessionId=${session.sessionId}`);
-        // Abort any in-flight request
         abortActiveChat(threadTs);
-        // Delete SDK session file
         const cwdEncoded = session.workDir.replace(/\//g, "-");
         const sessionFile = path.join(os.homedir(), ".claude", "projects", cwdEncoded, `${session.sessionId}.jsonl`);
         try {
             fs.unlinkSync(sessionFile);
-            console.log(`[sessions] deleted session file: ${sessionFile}`);
         }
         catch {
             // File may not exist
         }
-        // Delete worktree directory
         try {
             fs.rmSync(session.workDir, { recursive: true, force: true });
-            console.log(`[sessions] deleted workDir: ${session.workDir}`);
         }
         catch {
             // Directory may not exist
@@ -272,9 +240,16 @@ function describeToolInput(toolName, input) {
             return `\`\`\`\n${JSON.stringify(input, null, 2).slice(0, 500)}\n\`\`\``;
     }
 }
-/**
- * Convert raw SDK / process error messages into user-friendly Korean messages.
- */
+function killWithEscalation(proc) {
+    proc.kill("SIGTERM");
+    const timer = setTimeout(() => {
+        try {
+            proc.kill("SIGKILL");
+        }
+        catch { /* already exited */ }
+    }, 5_000);
+    void proc.then(() => clearTimeout(timer)).catch(() => clearTimeout(timer));
+}
 function toFriendlyError(rawMessage) {
     if (/process exited with code/i.test(rawMessage)) {
         return "Claude 작업 중 예기치 않은 문제가 발생했어요. 잠시 후 다시 시도해 주세요. 문제가 계속되면 관리자에게 문의해 주세요.";
@@ -288,145 +263,130 @@ function toFriendlyError(rawMessage) {
     if (/timeout|timed out/i.test(rawMessage)) {
         return "Claude 응답 시간이 초과되었어요. 질문을 좀 더 간결하게 줄여서 다시 시도해 주세요.";
     }
-    // Fallback — show original message with friendly wrapper
     return `Claude 작업 중 문제가 발생했어요: ${rawMessage}`;
 }
+// --- CLI argument builder ---
+function buildArgs(session, prompt, isResume) {
+    const args = [
+        "-p", prompt,
+        "--output-format", "stream-json",
+        "--verbose",
+        "--include-partial-messages",
+        "--dangerously-skip-permissions",
+        "--append-system-prompt", SYSTEM_PROMPT,
+        ...(isResume
+            ? ["--resume", session.sessionId]
+            : ["--session-id", session.sessionId]),
+    ];
+    if (fs.existsSync(MCP_CONFIG_PATH)) {
+        args.push("--mcp-config", MCP_CONFIG_PATH);
+    }
+    return args;
+}
 /**
- * Send a message to a Claude session via the SDK.
+ * Runs one claude CLI process. Yields ChatEvents (text/error).
+ * Returns a ToolInterception if a dangerous tool was intercepted mid-stream,
+ * or null on normal completion.
  *
- * Uses `canUseTool` callback to handle permission requests
- * through Slack interactive buttons.
+ * Kill strategy: when we see content_block_stop for a dangerous tool_use,
+ * the process is killed before the tool executes (session file not yet written
+ * for this turn), then we ask Slack for approval.
  */
-export async function* chat(threadTs, userMessage, slackClient, channel, images) {
-    const session = sessions.get(threadTs);
-    if (!session) {
-        throw new Error(`No session found for thread ${threadTs}`);
-    }
-    // Set up abort controller for this request
-    const abortController = new AbortController();
-    activeRequests.set(threadTs, abortController);
-    const { signal } = abortController;
-    // Tools that are safe to auto-allow without Slack approval
-    const AUTO_ALLOW_TOOLS = new Set([
-        "Read",
-        "Glob",
-        "Grep",
-        "WebSearch",
-        "WebFetch",
-        "Agent",
-        "TodoRead",
-        "ListMcpResources",
-        "ReadMcpResource",
-    ]);
-    const PERMISSION_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
-    // Permission handler — auto-allows safe tools, asks Slack for dangerous ones
-    const canUseTool = async (toolName, input, { signal }) => {
-        // Auto-allow safe read-only tools
-        if (AUTO_ALLOW_TOOLS.has(toolName)) {
-            console.log(`[claude] auto-allow: ${toolName}`);
-            return { behavior: "allow" };
-        }
-        const permId = randomUUID();
-        const description = describeToolInput(toolName, input);
-        console.log(`[claude] permission request: tool=${toolName}, id=${permId}`);
-        // Race between Slack button response and timeout
-        const granted = await Promise.race([
-            requestPermission(slackClient, channel, threadTs, permId, toolName, description, session.authorUserId),
-            new Promise((resolve) => setTimeout(() => {
-                console.log(`[claude] permission timeout: ${permId}`);
-                resolve(false);
-            }, PERMISSION_TIMEOUT_MS)),
-        ]);
-        console.log(`[claude] permission ${granted ? "approved" : "denied"}: tool=${toolName}`);
-        if (granted) {
-            return { behavior: "allow" };
-        }
-        else {
-            return { behavior: "deny", message: "User denied or timed out via Slack" };
-        }
-    };
-    session.lastActivityAt = Date.now();
+async function* runOnce(session, prompt, threadTs, signal, slackClient, channel) {
+    // Capture before marking started — first call needs --session-id, not --resume
+    const isResume = session.hasStarted;
+    session.hasStarted = true;
     saveSessions();
-    console.log(`[claude] starting query, cwd=${session.workDir}, hasStarted=${session.hasStarted}`);
-    // Save images to disk for Claude to read via Read tool
-    let prompt = userMessage;
-    if (images && images.length > 0) {
-        const imgDir = path.join(session.workDir, ".eniac-images");
-        fs.mkdirSync(imgDir, { recursive: true });
-        const imagePaths = [];
-        for (let i = 0; i < images.length; i++) {
-            const imgPath = path.join(imgDir, `img-${Date.now()}-${i}.png`);
-            fs.writeFileSync(imgPath, Buffer.from(images[i].base64, "base64"));
-            imagePaths.push(imgPath);
-            console.log(`[claude] saved image ${i}: ${imgPath} (${images[i].base64.length} base64 chars)`);
-        }
-        const fileList = imagePaths.map((p) => `- ${p}`).join("\n");
-        prompt = `사용자가 이미지를 첨부했습니다. Read 도구로 아래 이미지 파일을 확인하세요:\n${fileList}\n\n사용자 메시지: ${userMessage}`;
-        console.log(`[claude] ${images.length} image(s) saved to disk, using Read tool approach`);
-    }
-    let receivedSuccessResult = false;
-    // Capture stderr for debugging process crashes
+    const args = buildArgs(session, prompt, isResume);
+    console.log(`[claude] launching: cwd=${session.workDir}, resume=${args.includes("--resume")}`);
+    const proc = execa("claude", args, {
+        cwd: session.workDir,
+        reject: false,
+    });
     const stderrChunks = [];
+    proc.stderr?.on("data", (chunk) => {
+        stderrChunks.push(chunk.toString());
+        if (stderrChunks.length > 50)
+            stderrChunks.shift();
+    });
+    const onAbort = () => killWithEscalation(proc);
+    signal.addEventListener("abort", onAbort, { once: true });
+    // Buffer text deltas — only yield after the process exits cleanly (no interception).
+    // This prevents pre-kill text from leaking to Slack when a dangerous tool is intercepted.
+    const textBuffer = [];
+    let resultFallback = null;
+    let receivedSuccessResult = false;
+    // Dangerous tool being assembled from stream deltas
+    let pendingTool = null;
+    // Set when we decide to intercept
+    let intercepted = null;
     try {
-        const q = query({
-            prompt,
-            options: {
-                cwd: session.workDir,
-                canUseTool,
-                permissionMode: "bypassPermissions",
-                allowDangerouslySkipPermissions: true,
-                includePartialMessages: true,
-                systemPrompt: SYSTEM_PROMPT,
-                stderr: (data) => {
-                    stderrChunks.push(data);
-                    // Keep only last 50 chunks to avoid memory bloat
-                    if (stderrChunks.length > 50)
-                        stderrChunks.shift();
-                },
-                ...(mcpServers ? { mcpServers } : {}),
-                ...(session.hasStarted
-                    ? { resume: session.sessionId }
-                    : { sessionId: session.sessionId }),
-            },
-        });
-        session.hasStarted = true;
-        saveSessions();
-        let hasYieldedText = false;
-        for await (const message of q) {
-            // Check if this request was aborted by a new incoming message
+        const rl = createInterface({ input: proc.stdout, crlfDelay: Infinity });
+        for await (const line of rl) {
             if (signal.aborted) {
-                console.log(`[claude] request aborted for thread_ts=${threadTs}`);
-                return;
+                // onAbort already called killWithEscalation; break to reach await proc
+                break;
             }
-            const msgType = message.type;
-            // Real-time streaming text deltas
+            if (!line.trim())
+                continue;
+            let msg;
+            try {
+                msg = JSON.parse(line);
+            }
+            catch {
+                continue;
+            }
+            const msgType = msg.type;
             if (msgType === "stream_event") {
-                const partial = message;
-                if (partial.event?.type === "content_block_delta") {
-                    if (partial.event.delta?.type === "text_delta" &&
-                        partial.event.delta.text) {
-                        hasYieldedText = true;
-                        yield { type: "text", content: partial.event.delta.text };
+                const event = msg.event;
+                if (!event)
+                    continue;
+                const evType = event.type;
+                if (evType === "content_block_start") {
+                    const block = event.content_block;
+                    if (block?.type === "tool_use") {
+                        const name = block.name;
+                        if (DANGEROUS_TOOLS.has(name)) {
+                            pendingTool = { name, inputChunks: [] };
+                        }
+                        else {
+                            recordToolUse(threadTs, name);
+                        }
                     }
                 }
-                continue;
-            }
-            // Track tool usage from tool_progress messages
-            if (msgType === "tool_progress") {
-                const tp = message;
-                if (tp.tool_name) {
-                    recordToolUse(threadTs, tp.tool_name);
+                else if (pendingTool && evType === "content_block_delta") {
+                    const delta = event.delta;
+                    if (delta?.type === "input_json_delta") {
+                        pendingTool.inputChunks.push(delta.partial_json ?? "");
+                    }
+                }
+                else if (pendingTool && evType === "content_block_stop") {
+                    // Full tool input assembled — kill before the tool runs
+                    const toolName = pendingTool.name;
+                    const inputStr = pendingTool.inputChunks.join("");
+                    let toolInput = {};
+                    try {
+                        toolInput = JSON.parse(inputStr);
+                    }
+                    catch {
+                        toolInput = { raw: inputStr };
+                    }
+                    pendingTool = null;
+                    killWithEscalation(proc);
+                    intercepted = { toolName, toolInput };
+                    break; // exit readline loop; await proc happens below
+                }
+                else if (!pendingTool && evType === "content_block_delta") {
+                    const delta = event.delta;
+                    if (delta?.type === "text_delta" && delta.text) {
+                        textBuffer.push(delta.text);
+                    }
                 }
                 continue;
             }
-            // Final result — if streaming didn't deliver the text, use result.result as fallback
             if (msgType === "result") {
-                const result = message;
-                console.log(`[claude] result: subtype=${result.subtype}, is_error=${result.is_error ?? false}, stop_reason=${result.stop_reason ?? "null"}, duration_ms=${result.duration_ms ?? 0}, cost=$${result.total_cost_usd ?? 0}, turns=${result.num_turns ?? 0}, len=${result.result?.length ?? 0}, preview=${result.result?.substring(0, 200) ?? "null"}`);
-                if (result.errors && result.errors.length > 0) {
-                    console.error(`[claude] result errors: ${JSON.stringify(result.errors)}`);
-                }
-                // Record stats
+                const result = msg;
+                console.log(`[claude] result: subtype=${result.subtype}, cost=$${result.total_cost_usd ?? 0}, turns=${result.num_turns ?? 0}`);
                 recordResult(threadTs, {
                     costUsd: result.total_cost_usd,
                     tokens: result.usage
@@ -440,47 +400,148 @@ export async function* chat(threadTs, userMessage, slackClient, channel, images)
                     turns: result.num_turns,
                     durationMs: result.duration_ms,
                 });
-                if (result.subtype === "success") {
+                if (result.subtype === "success")
                     receivedSuccessResult = true;
+                if (result.result && textBuffer.length === 0) {
+                    resultFallback = result.result;
                 }
-                if (result.result && !hasYieldedText) {
-                    console.log(`[claude] no streaming text received, using result.result as fallback (${result.result.length} chars)`);
-                    yield { type: "text", content: result.result };
-                }
-                continue;
             }
         }
-    }
-    catch (error) {
-        if (signal.aborted) {
-            console.log(`[claude] request aborted (in catch) for thread_ts=${threadTs}`);
-            return;
+        // Wait for process to fully exit
+        const procResult = await proc;
+        // Flush buffered text — only if the process completed without interception.
+        // Discarding on interception prevents pre-kill text from appearing in Slack.
+        if (!intercepted && !signal.aborted) {
+            if (textBuffer.length > 0) {
+                for (const t of textBuffer)
+                    yield { type: "text", content: t };
+            }
+            else if (resultFallback) {
+                console.log(`[claude] no streaming text, using result.result fallback (${resultFallback.length} chars)`);
+                yield { type: "text", content: resultFallback };
+            }
         }
-        const errMsg = error instanceof Error ? error.message : String(error);
-        const stderr = stderrChunks.join("").trim();
-        if (stderr) {
-            console.error(`[claude] stderr output:\n${stderr}`);
+        if (!intercepted &&
+            !signal.aborted &&
+            !receivedSuccessResult &&
+            procResult.exitCode !== 0) {
+            const stderr = stderrChunks.join("").trim();
+            if (stderr)
+                console.error(`[claude] stderr:\n${stderr}`);
+            yield {
+                type: "error",
+                message: toFriendlyError(`process exited with code ${procResult.exitCode}`),
+            };
         }
-        if (error instanceof Error && error.stack) {
-            console.error(`[claude] stack: ${error.stack}`);
+    }
+    catch (error) {
+        if (!signal.aborted && !receivedSuccessResult) {
+            const errMsg = error instanceof Error ? error.message : String(error);
+            const stderr = stderrChunks.join("").trim();
+            if (stderr)
+                console.error(`[claude] stderr:\n${stderr}`);
+            yield { type: "error", message: toFriendlyError(errMsg) };
         }
-        if (error instanceof Error && error.cause) {
-            console.error(`[claude] cause: ${JSON.stringify(error.cause)}`);
+    }
+    finally {
+        signal.removeEventListener("abort", onAbort);
+    }
+    if (!intercepted || signal.aborted)
+        return null;
+    // Intercepted a dangerous tool — ask Slack for approval
+    const { toolName, toolInput } = intercepted;
+    recordToolUse(threadTs, toolName);
+    const permId = randomUUID();
+    const description = describeToolInput(toolName, toolInput);
+    console.log(`[claude] intercepted dangerous tool: ${toolName}, asking Slack (permId=${permId})`);
+    const granted = await Promise.race([
+        requestPermission(slackClient, channel, threadTs, permId, toolName, description, session.authorUserId),
+        new Promise((resolve) => setTimeout(() => {
+            console.log(`[claude] permission timeout: ${permId}`);
+            resolve(false);
+        }, PERMISSION_TIMEOUT_MS)),
+        new Promise((resolve) => {
+            if (signal.aborted) {
+                resolve(false);
+                return;
+            }
+            signal.addEventListener("abort", () => resolve(false), { once: true });
+        }),
+    ]);
+    if (signal.aborted)
+        return null;
+    console.log(`[claude] permission ${granted ? "approved" : "denied"}: ${toolName}`);
+    return { toolName, toolInput, granted };
+}
+/**
+ * Send a message to a Claude session via the CLI.
+ *
+ * Spawns `claude -p` and parses stream-json output. When a dangerous tool
+ * (Bash, Edit, Write, …) is detected, the process is killed before the tool
+ * runs, a Slack approval button is shown, and the session is resumed with the
+ * user's decision. This loop repeats until the turn completes normally.
+ */
+export async function* chat(threadTs, userMessage, slackClient, channel, images) {
+    const session = sessions.get(threadTs);
+    if (!session) {
+        throw new Error(`No session found for thread ${threadTs}`);
+    }
+    // Abort any in-flight request on this thread before starting a new one.
+    // Without this, the old process keeps running with a stale controller that
+    // can never be aborted via abortActiveChat().
+    activeRequests.get(threadTs)?.abort();
+    const abortController = new AbortController();
+    activeRequests.set(threadTs, abortController);
+    const { signal } = abortController;
+    session.lastActivityAt = Date.now();
+    saveSessions();
+    // Save images to disk for Claude to read via Read tool
+    let prompt = userMessage;
+    if (images && images.length > 0) {
+        const imgDir = path.join(session.workDir, ".eniac-images");
+        fs.mkdirSync(imgDir, { recursive: true });
+        const imagePaths = [];
+        for (let i = 0; i < images.length; i++) {
+            const imgPath = path.join(imgDir, `img-${Date.now()}-${i}.png`);
+            fs.writeFileSync(imgPath, Buffer.from(images[i].base64, "base64"));
+            imagePaths.push(imgPath);
+            console.log(`[claude] saved image ${i}: ${imgPath} (${images[i].base64.length} base64 chars)`);
         }
-        // If we already received a successful result, the process exit is just
-        // cleanup noise (e.g. exit code 1 after the SDK has already returned).
-        if (receivedSuccessResult) {
-            console.warn(`[claude] ignoring post-result error: ${errMsg}`);
-            return;
+        const fileList = imagePaths.map((p) => `- ${p}`).join("\n");
+        prompt = `사용자가 이미지를 첨부했습니다. Read 도구로 아래 이미지 파일을 확인하세요:\n${fileList}\n\n사용자 메시지: ${userMessage}`;
+        console.log(`[claude] ${images.length} image(s) saved to disk`);
+    }
+    console.log(`[claude] starting chat, cwd=${session.workDir}, hasStarted=${session.hasStarted}`);
+    let currentPrompt = prompt;
+    try {
+        while (!signal.aborted) {
+            const result = yield* runOnce(session, currentPrompt, threadTs, signal, slackClient, channel);
+            if (!result)
+                break; // normal completion or aborted
+            // Build resume prompt that tells Claude exactly what was decided
+            const actionDesc = describeToolInput(result.toolName, result.toolInput);
+            if (result.granted) {
+                currentPrompt =
+                    `사용자가 다음 작업을 승인했습니다:\n` +
+                        `*${result.toolName}*: ${actionDesc}\n` +
+                        `해당 작업을 실행하고 계속 진행해주세요.`;
+            }
+            else {
+                currentPrompt =
+                    `사용자가 다음 작업을 거부했습니다:\n` +
+                        `*${result.toolName}*: ${actionDesc}\n` +
+                        `해당 도구를 사용하지 않고 다른 방법으로 진행해주세요.`;
+            }
         }
-        console.error(`[claude] error: ${errMsg}`);
-        yield {
-            type: "error",
-            message: toFriendlyError(errMsg),
-        };
     }
     finally {
-        // Clean up active request tracking
+        // Clean up images saved for this turn — they're only needed by the first runOnce call.
+        if (images && images.length > 0) {
+            try {
+                fs.rmSync(path.join(session.workDir, ".eniac-images"), { recursive: true, force: true });
+            }
+            catch { /* best effort */ }
+        }
         if (activeRequests.get(threadTs) === abortController) {
             activeRequests.delete(threadTs);
         }