kimaki 0.4.88 → 0.4.90

package/dist/add-directory.e2e.test.js

@@ -0,0 +1,101 @@
+// E2e tests for thread-scoped external directory preapproval via /add-directory.
+import { describe, expect, test } from 'vitest';
+import { setupQueueAdvancedSuite, TEST_USER_ID, } from './queue-advanced-e2e-setup.js';
+import { waitForBotMessageContaining, waitForFooterMessage, } from './test-utils.js';
+const TEXT_CHANNEL_ID = '200000000000001014';
+describe('/add-directory', () => {
+    const ctx = setupQueueAdvancedSuite({
+        channelId: TEXT_CHANNEL_ID,
+        channelName: 'add-directory-e2e',
+        dirName: 'add-directory-e2e',
+        username: 'add-directory-tester',
+    });
+    test('preapproves external directory access for the current thread', async () => {
+        await ctx.discord.channel(TEXT_CHANNEL_ID).user(TEST_USER_ID).sendMessage({
+            content: 'Reply with exactly: add-directory-setup',
+        });
+        const thread = await ctx.discord.channel(TEXT_CHANNEL_ID).waitForThread({
+            timeout: 4_000,
+            predicate: (candidate) => {
+                return candidate.name === 'Reply with exactly: add-directory-setup';
+            },
+        });
+        const th = ctx.discord.thread(thread.id);
+        await th.waitForBotReply({ timeout: 4_000 });
+        await waitForFooterMessage({
+            discord: ctx.discord,
+            threadId: thread.id,
+            timeout: 4_000,
+        });
+        const slashCommand = await th.user(TEST_USER_ID).runSlashCommand({
+            name: 'add-directory',
+            options: [{ name: 'path', type: 3, value: '/Users/morse' }],
+        });
+        await th.waitForInteractionAck({
+            interactionId: slashCommand.id,
+            timeout: 4_000,
+        });
+        await th.user(TEST_USER_ID).sendMessage({
+            content: 'PERMISSION_TYPING_MARKER add-directory-flow first',
+        });
+        await waitForBotMessageContaining({
+            discord: ctx.discord,
+            threadId: thread.id,
+            userId: TEST_USER_ID,
+            text: 'permission-flow-done',
+            timeout: 8_000,
+        });
+        await waitForFooterMessage({
+            discord: ctx.discord,
+            threadId: thread.id,
+            timeout: 12_000,
+            afterMessageIncludes: 'permission-flow-done',
+            afterAuthorId: ctx.discord.botUserId,
+        });
+        for (let attempt = 0; attempt < 10; attempt++) {
+            const messages = await th.getMessages();
+            const hasPermissionPrompt = messages.some((message) => {
+                return message.content.includes('Permission Required');
+            });
+            expect(hasPermissionPrompt).toBe(false);
+            await new Promise((resolve) => {
+                setTimeout(resolve, 20);
+            });
+        }
+        await th.user(TEST_USER_ID).sendMessage({
+            content: 'PERMISSION_TYPING_MARKER add-directory-flow second',
+        });
+        await waitForBotMessageContaining({
+            discord: ctx.discord,
+            threadId: thread.id,
+            userId: TEST_USER_ID,
+            text: 'Permission Required',
+            timeout: 8_000,
+        });
+        const timeline = await th.text();
+        expect(timeline).toMatchInlineSnapshot(`
+        "--- from: user (add-directory-tester)
+        Reply with exactly: add-directory-setup
+        --- from: assistant (TestBot)
+        ⬥ ok
+        *project ⋅ main ⋅ Ns ⋅ N% ⋅ deterministic-v2*
+        Directory preapproved for the next message in this thread.
+        \`/Users/morse\`
+        Kimaki will auto-accept matching external directory requests for \`/Users/morse/*\` during the next run only.
+        --- from: user (add-directory-tester)
+        PERMISSION_TYPING_MARKER add-directory-flow first
+        --- from: assistant (TestBot)
+        ⬥ requesting external read permission
+        ⬥ permission-flow-done
+        *project ⋅ main ⋅ Ns ⋅ N% ⋅ deterministic-v2*
+        --- from: user (add-directory-tester)
+        PERMISSION_TYPING_MARKER add-directory-flow second
+        --- from: assistant (TestBot)
+        ⚠️ **Permission Required**
+        **Type:** \`external_directory\`
+        Agent is accessing files outside the project. [Learn more](https://opencode.ai/docs/permissions/#external-directories)
+        **Pattern:** \`/Users/morse/*\`
+        ⬥ requesting external read permission"
+      `);
+    }, 20_000);
+});

package/dist/agent-model.e2e.test.js

@@ -23,7 +23,7 @@ import { setBotToken, initDatabase, closeDatabase, setChannelDirectory, setChann
 import { getPrisma } from './db.js';
 import { startHranaServer, stopHranaServer } from './hrana-server.js';
 import { initializeOpencodeForDirectory, stopOpencodeServer } from './opencode.js';
-import { chooseLockPort, cleanupTestSessions, waitForBotMessageContaining, waitForFooterMessage, } from './test-utils.js';
+import { chooseLockPort, cleanupTestSessions, initTestGitRepo, waitForBotMessageContaining, waitForFooterMessage, } from './test-utils.js';
 import { buildQuickAgentCommandDescription } from './commands/agent.js';
 const TEST_USER_ID = '200000000000000920';
 const TEXT_CHANNEL_ID = '200000000000000921';
@@ -38,6 +38,7 @@ function createRunDirectories() {
     const dataDir = fs.mkdtempSync(path.join(root, 'data-'));
     const projectDirectory = path.join(root, 'project');
     fs.mkdirSync(projectDirectory, { recursive: true });
+    initTestGitRepo(projectDirectory);
     return { root, dataDir, projectDirectory };
 }
 function createDiscordJsClient({ restUrl }) {
@@ -345,8 +346,7 @@ describe('agent model resolution', () => {
         Reply with exactly: system-context-check
         --- from: assistant (TestBot)
         ⬥ system-context-ok
-        *project ⋅ main ⋅ Ns ⋅ N% ⋅ agent-model-v2 ⋅ **test-agent***
-        ⬥ ok"
+        *project ⋅ main ⋅ Ns ⋅ N% ⋅ agent-model-v2 ⋅ **test-agent***"
       `);
     }, 15_000);
     test('new thread uses channel model when channel model preference is set', async () => {
@@ -513,7 +513,6 @@ describe('agent model resolution', () => {
         Reply with exactly: second-thread-msg
         --- from: assistant (TestBot)
         ⬥ ok
-        ⬥ ok
         *project ⋅ main ⋅ Ns ⋅ N% ⋅ agent-model-v2 ⋅ **test-agent***"
       `);
         const secondMessages = await discord.thread(thread.id).getMessages();
@@ -596,7 +595,6 @@ describe('agent model resolution', () => {
         Reply with exactly: default-second-msg
         --- from: assistant (TestBot)
         ⬥ ok
-        ⬥ ok
         *project ⋅ main ⋅ Ns ⋅ N% ⋅ deterministic-v2*"
       `);
         const secondMessages = await discord.thread(thread.id).getMessages();
@@ -664,7 +662,6 @@ describe('agent model resolution', () => {
         Reply with exactly: after-switch-msg
         --- from: assistant (TestBot)
         ⬥ ok
-        ⬥ ok
         *project ⋅ main ⋅ Ns ⋅ N% ⋅ plan-model-v2 ⋅ **plan***"
       `);
         const secondFooter = [...(await discord.thread(thread.id).getMessages())]

package/dist/cli-send-thread.e2e.test.js

@@ -23,7 +23,7 @@ import { startDiscordBot } from './discord-bot.js';
 import { setBotToken, initDatabase, closeDatabase, setChannelDirectory, setChannelVerbosity, } from './database.js';
 import { startHranaServer, stopHranaServer } from './hrana-server.js';
 import { initializeOpencodeForDirectory, stopOpencodeServer, } from './opencode.js';
-import { chooseLockPort, cleanupTestSessions, waitForBotMessageContaining, waitForFooterMessage, } from './test-utils.js';
+import { chooseLockPort, cleanupTestSessions, initTestGitRepo, waitForBotMessageContaining, waitForFooterMessage, } from './test-utils.js';
 import yaml from 'js-yaml';
 const TEST_USER_ID = '200000000000000830';
 const TEXT_CHANNEL_ID = '200000000000000831';
@@ -34,6 +34,7 @@ function createRunDirectories() {
     const dataDir = fs.mkdtempSync(path.join(root, 'data-'));
     const projectDirectory = path.join(root, 'project');
     fs.mkdirSync(projectDirectory, { recursive: true });
+    initTestGitRepo(projectDirectory);
     return { root, dataDir, projectDirectory };
 }
 function createDiscordJsClient({ restUrl }) {

package/dist/cli.js

@@ -1662,6 +1662,8 @@ cli
     .option('--model <model>', 'Model to use (format: provider/model)')
     .option('--permission <rule>', z.array(z.string()).describe('Session permission rule (repeatable). Format: "tool:action" or "tool:pattern:action". ' +
     'Actions: allow, deny, ask. Examples: --permission "bash:deny" --permission "edit:deny"'))
+    .option('--injection-guard <pattern>', z.array(z.string()).describe('Injection guard scan pattern (repeatable). Enables prompt injection detection for this session. ' +
+    'Format: "tool:argsGlob". Examples: --injection-guard "bash:*" --injection-guard "webfetch:*"'))
     .option('--send-at <schedule>', 'Schedule send for future (UTC ISO date/time ending in Z, or cron expression)')
     .option('--thread <threadId>', 'Post prompt to an existing thread')
     .option('--session <sessionId>', 'Post prompt to thread mapped to an existing session')
@@ -1892,6 +1894,7 @@ cli
                     username: null,
                     userId: null,
                     permissions: options.permission?.length ? options.permission : null,
+                    injectionGuardPatterns: options.injectionGuard?.length ? options.injectionGuard : null,
                 };
                 const taskId = await createScheduledTask({
                     scheduleKind: parsedSchedule.scheduleKind,
@@ -1912,8 +1915,9 @@ cli
                 process.exit(0);
             }
             const threadPromptMarker = {
-                cliThreadPrompt: true,
+                start: true,
                 ...(options.permission?.length ? { permissions: options.permission } : {}),
+                ...(options.injectionGuard?.length ? { injectionGuardPatterns: options.injectionGuard } : {}),
             };
             const promptEmbed = [
                 {
@@ -2005,6 +2009,7 @@ cli
                 username: resolvedUser?.username || null,
                 userId: resolvedUser?.id || null,
                 permissions: options.permission?.length ? options.permission : null,
+                injectionGuardPatterns: options.injectionGuard?.length ? options.injectionGuard : null,
             };
             const taskId = await createScheduledTask({
                 scheduleKind: parsedSchedule.scheduleKind,
@@ -2036,6 +2041,7 @@ cli
                 ...(options.agent && { agent: options.agent }),
                 ...(options.model && { model: options.model }),
                 ...(options.permission?.length && { permissions: options.permission }),
+                ...(options.injectionGuard?.length && { injectionGuardPatterns: options.injectionGuard }),
             };
         const autoStartEmbed = embedMarker
             ? [{ color: 0x2b2d31, footer: { text: yaml.dump(embedMarker) } }]
@@ -2504,7 +2510,11 @@ cli
 cli
     .command('project create <name>', 'Create a new project folder with git and Discord channels')
     .option('-g, --guild <guildId>', 'Discord guild ID')
+    .option('--projects-dir <path>', 'Directory where new projects are created (default: <data-dir>/projects)')
     .action(async (name, options) => {
+    if (options.projectsDir) {
+        setProjectsDir(options.projectsDir);
+    }
     const sanitizedName = name
         .toLowerCase()
         .replace(/[^a-z0-9-]/g, '-')

package/dist/commands/add-directory.js

@@ -0,0 +1,67 @@
+// /add-directory command - Preapprove an external directory for this thread.
+import { ChannelType, MessageFlags, } from 'discord.js';
+import { getThreadSession } from '../database.js';
+import { normalizeAllowedDirectoryPath } from '../directory-permissions.js';
+import { resolveWorkingDirectory, SILENT_MESSAGE_FLAGS, } from '../discord-utils.js';
+import { createLogger } from '../logger.js';
+import { getOrCreateRuntime } from '../session-handler/thread-session-runtime.js';
+const logger = createLogger('ADD_DIR');
+export async function handleAddDirectoryCommand({ command, appId, }) {
+    const inputPath = command.options.getString('path', true);
+    const channel = command.channel;
+    if (!channel) {
+        await command.reply({
+            content: 'This command can only be used in a channel',
+            flags: MessageFlags.Ephemeral | SILENT_MESSAGE_FLAGS,
+        });
+        return;
+    }
+    const isThread = [
+        ChannelType.PublicThread,
+        ChannelType.PrivateThread,
+        ChannelType.AnnouncementThread,
+    ].includes(channel.type);
+    if (!isThread) {
+        await command.reply({
+            content: 'This command can only be used in a thread with an active session',
+            flags: MessageFlags.Ephemeral | SILENT_MESSAGE_FLAGS,
+        });
+        return;
+    }
+    await command.deferReply({
+        flags: MessageFlags.Ephemeral | SILENT_MESSAGE_FLAGS,
+    });
+    const sessionId = await getThreadSession(channel.id);
+    if (!sessionId) {
+        await command.editReply('No active session in this thread');
+        return;
+    }
+    const resolved = await resolveWorkingDirectory({
+        channel: channel,
+    });
+    if (!resolved) {
+        await command.editReply('Could not determine project directory for this channel');
+        return;
+    }
+    const normalizedPath = normalizeAllowedDirectoryPath({
+        input: inputPath,
+        workingDirectory: resolved.workingDirectory,
+    });
+    if (normalizedPath instanceof Error) {
+        await command.editReply(normalizedPath.message);
+        return;
+    }
+    const runtime = getOrCreateRuntime({
+        threadId: channel.id,
+        thread: channel,
+        projectDirectory: resolved.projectDirectory,
+        sdkDirectory: resolved.workingDirectory,
+        channelId: channel.parentId || channel.id,
+        appId,
+    });
+    runtime.primeNextExternalDirectoryAccess({
+        directory: normalizedPath,
+    });
+    await command.editReply(`Directory preapproved for the next message in this thread.\n\`${normalizedPath}\`\nKimaki will auto-accept matching external directory requests for \`${normalizedPath}/*\` during the next run only.`);
+    logger.log(`Thread ${channel.id} primed one-shot directory ${normalizedPath}`);
+}

package/dist/commands/btw.js

@@ -86,7 +86,12 @@ export async function handleBtwCommand({ command, appId, }) {
         // Short status message with prompt instead of replaying past messages
         const sourceThreadLink = `<#${channel.id}>`;
         await sendThreadMessage(thread, `Reusing context from ${sourceThreadLink} to answer prompt...\n${prompt}`);
-        // Create runtime and dispatch the prompt immediately
+        const wrappedPrompt = [
+            `The user asked a side question while you were working on another task.`,
+            `This is a forked session whose ONLY goal is to answer this question.`,
+            `Do NOT continue, resume, or reference the previous task. Only answer the question below.\n`,
+            prompt,
+        ].join('\n');
         const runtime = getOrCreateRuntime({
             threadId: thread.id,
             thread,
@@ -96,7 +101,7 @@ export async function handleBtwCommand({ command, appId, }) {
             appId,
         });
         await runtime.enqueueIncoming({
-            prompt,
+            prompt: wrappedPrompt,
             userId: command.user.id,
             username: command.user.displayName,
             appId,

package/dist/commands/user-command.js

@@ -2,12 +2,14 @@
 // Handles slash commands that map to user-configured commands in opencode.json.
 import { ChannelType, MessageFlags, } from 'discord.js';
 import { getOrCreateRuntime } from '../session-handler/thread-session-runtime.js';
-import { sendThreadMessage, SILENT_MESSAGE_FLAGS } from '../discord-utils.js';
+import { SILENT_MESSAGE_FLAGS } from '../discord-utils.js';
 import { createLogger, LogPrefix } from '../logger.js';
 import { getChannelDirectory, getThreadSession } from '../database.js';
 import { store } from '../store.js';
 import fs from 'node:fs';
 const userCommandLogger = createLogger(LogPrefix.USER_CMD);
+const DISCORD_MESSAGE_LIMIT = 2000;
+const DISCORD_THREAD_NAME_LIMIT = 100;
 export const handleUserCommand = async ({ command, appId, }) => {
     const discordCommandName = command.commandName;
     // Look up the original OpenCode command name from the mapping populated at registration.
@@ -17,6 +19,10 @@ export const handleUserCommand = async ({ command, appId, }) => {
     const fallbackBase = discordCommandName.replace(/-(cmd|skill|mcp-prompt)$/, '');
     const commandName = registered?.name || fallbackBase;
     const args = command.options.getString('arguments') || '';
+    const commandInvocation = args ? `/${commandName} ${args}` : `/${commandName}`;
+    const threadOpeningMessage = commandInvocation.length <= DISCORD_MESSAGE_LIMIT
+        ? commandInvocation
+        : `${commandInvocation.slice(0, DISCORD_MESSAGE_LIMIT - 14)}... truncated`;
     userCommandLogger.log(`Executing /${commandName} (from /${discordCommandName}) argsLength=${args.length}`);
     const channel = command.channel;
     userCommandLogger.log(`Channel info: type=${channel?.type}, id=${channel?.id}, isNull=${channel === null}`);
@@ -81,7 +87,7 @@ export const handleUserCommand = async ({ command, appId, }) => {
         const commandPayload = { name: commandName, arguments: args };
         if (isThread && thread) {
             // Running in existing thread - just send the command
-            await command.editReply(`Running /${commandName}...`);
+            await command.editReply(`Running ${commandInvocation}...`);
             const runtime = getOrCreateRuntime({
                 threadId: thread.id,
                 thread,
@@ -102,21 +108,16 @@ export const handleUserCommand = async ({ command, appId, }) => {
         else if (textChannel) {
             // Running in text channel - create a new thread
             const starterMessage = await textChannel.send({
-                content: `**/${commandName}**`,
+                content: threadOpeningMessage,
                 flags: SILENT_MESSAGE_FLAGS,
             });
-            const threadName = `/${commandName}`;
             const newThread = await starterMessage.startThread({
-                name: threadName.slice(0, 100),
+                name: commandInvocation.slice(0, DISCORD_THREAD_NAME_LIMIT),
                 autoArchiveDuration: 1440,
                 reason: `OpenCode command: ${commandName}`,
             });
             // Add user to thread so it appears in their sidebar
             await newThread.members.add(command.user.id);
-            if (args) {
-                const argsPreview = args.length > 1800 ? `${args.slice(0, 1800)}\n... truncated` : args;
-                await sendThreadMessage(newThread, `Args: ${argsPreview}`);
-            }
             await command.editReply(`Started /${commandName} in ${newThread.toString()}`);
             const runtime = getOrCreateRuntime({
                 threadId: newThread.id,

package/dist/context-awareness-plugin.js

@@ -49,18 +49,20 @@ export function shouldInjectBranch({ previousGitState, currentGitState, }) {
     const text = currentGitState.warning || `\n[current git branch is ${currentGitState.label}]`;
     return { inject: true, text };
 }
-export function shouldInjectPwd({ sessionDir, projectDir, announcedDir, }) {
-    if (!sessionDir || sessionDir === projectDir) {
+export function shouldInjectPwd({ currentDir, previousDir, announcedDir, }) {
+    if (announcedDir === currentDir) {
         return { inject: false };
     }
-    if (announcedDir === sessionDir) {
+    const priorDirectory = announcedDir || previousDir;
+    if (!priorDirectory || priorDirectory === currentDir) {
         return { inject: false };
     }
     return {
         inject: true,
-        text: `\n[working directory is ${sessionDir} (git worktree of ${projectDir}). ` +
-            `All file reads, writes, and edits must use paths under ${sessionDir}, ` +
-            `not ${projectDir}.]`,
+        text: `\n[working directory changed. Previous working directory: ${priorDirectory}. ` +
+            `Current working directory: ${currentDir}. ` +
+            `You MUST read, write, and edit files only under ${currentDir}. ` +
+            `Do NOT read, write, or edit files under ${priorDirectory}.]`,
     };
 }
 const TEN_MINUTES = 10 * 60 * 1000;
@@ -149,20 +151,25 @@ async function resolveGitState({ directory, }) {
             'create or switch to a branch before committing.]',
     };
 }
-// Resolve the session's actual working directory via the SDK.
-// Cached in SessionState.resolvedDirectory to avoid repeated HTTP calls.
+// Resolve the last observed session directory via the SDK.
+// Refreshed on every real user message because sessions can switch directories
+// mid-thread and the pwd reminder must compare old vs new accurately.
 async function resolveSessionDirectory({ client, sessionID, state, }) {
-    if (state.resolvedDirectory) {
-        return state.resolvedDirectory;
-    }
+    const previousDirectory = state.resolvedDirectory;
     const result = await errore.tryAsync(() => {
         return client.session.get({ path: { id: sessionID } });
     });
     if (result instanceof Error || !result.data?.directory) {
-        return null;
+        return {
+            currentDirectory: previousDirectory || null,
+            previousDirectory,
+        };
     }
     state.resolvedDirectory = result.data.directory;
-    return result.data.directory;
+    return {
+        currentDirectory: result.data.directory,
+        previousDirectory,
+    };
 }
 // ── Plugin ───────────────────────────────────────────────────────
 const contextAwarenessPlugin = async ({ directory, client }) => {
@@ -224,23 +231,30 @@ const contextAwarenessPlugin = async ({ directory, client }) => {
                     }
                     const messageID = first.messageID;
                     // -- Resolve session working directory --
-                    const sessionDir = await resolveSessionDirectory({
+                    const sessionDirectory = await resolveSessionDirectory({
                         client,
                         sessionID,
                         state,
                     });
-                    const effectiveDirectory = sessionDir || directory;
+                    // The plugin request directory is the current directory Kimaki asked
+                    // OpenCode to operate on for this message. Prefer it over session.get()
+                    // when they disagree so reminders and MEMORY/branch context follow the
+                    // new worktree immediately after a folder switch.
+                    const effectiveDirectory = directory;
                     // -- Branch / detached HEAD detection --
                     // Resolved early but injected last so it appears at the end of parts.
                     const gitState = await resolveGitState({ directory: effectiveDirectory });
                     // -- Working directory change detection --
                     const pwdResult = shouldInjectPwd({
-                        sessionDir,
-                        projectDir: directory,
+                        currentDir: effectiveDirectory,
+                        previousDir: sessionDirectory.previousDirectory ||
+                            (sessionDirectory.currentDirectory !== effectiveDirectory
+                                ? sessionDirectory.currentDirectory || undefined
+                                : undefined),
                         announcedDir: state.announcedDirectory,
                     });
                     if (pwdResult.inject) {
-                        state.announcedDirectory = sessionDir;
+                        state.announcedDirectory = effectiveDirectory;
                         output.parts.push({
                             id: `prt_${crypto.randomUUID()}`,
                             sessionID,

package/dist/context-awareness-plugin.test.js

@@ -0,0 +1,57 @@
+// Tests for context-awareness directory switch reminders.
+import { describe, expect, test } from 'vitest';
+import { shouldInjectPwd } from './context-awareness-plugin.js';
+describe('shouldInjectPwd', () => {
+    test('does not inject when current directory matches announced directory', () => {
+        const result = shouldInjectPwd({
+            currentDir: '/repo/worktree',
+            previousDir: '/repo/main',
+            announcedDir: '/repo/worktree',
+        });
+        expect(result).toMatchInlineSnapshot(`
+      {
+        "inject": false,
+      }
+    `);
+    });
+    test('does not inject without a previous directory to warn about', () => {
+        const result = shouldInjectPwd({
+            currentDir: '/repo/worktree',
+            previousDir: undefined,
+            announcedDir: undefined,
+        });
+        expect(result).toMatchInlineSnapshot(`
+      {
+        "inject": false,
+      }
+    `);
+    });
+    test('names previous and current directories in the correct order', () => {
+        const result = shouldInjectPwd({
+            currentDir: '/repo/worktree',
+            previousDir: '/repo/main',
+            announcedDir: undefined,
+        });
+        expect(result).toMatchInlineSnapshot(`
+      {
+        "inject": true,
+        "text": "
+      [working directory changed. Previous working directory: /repo/main. Current working directory: /repo/worktree. You MUST read, write, and edit files only under /repo/worktree. Do NOT read, write, or edit files under /repo/main.]",
+      }
+    `);
+    });
+    test('prefers the last announced directory as the previous directory', () => {
+        const result = shouldInjectPwd({
+            currentDir: '/repo/worktree-b',
+            previousDir: '/repo/main',
+            announcedDir: '/repo/worktree-a',
+        });
+        expect(result).toMatchInlineSnapshot(`
+      {
+        "inject": true,
+        "text": "
+      [working directory changed. Previous working directory: /repo/worktree-a. Current working directory: /repo/worktree-b. You MUST read, write, and edit files only under /repo/worktree-b. Do NOT read, write, or edit files under /repo/worktree-a.]",
+      }
+    `);
+    });
+});

package/dist/directory-permissions.js

@@ -0,0 +1,38 @@
+// Directory permission helpers for one-shot external directory preapproval.
+import os from 'node:os';
+import path from 'node:path';
+export function normalizeAllowedDirectoryPath({ input, workingDirectory, }) {
+    const trimmedInput = input.trim();
+    if (!trimmedInput) {
+        return new Error('Path cannot be empty');
+    }
+    const withoutTrailingGlob = trimmedInput.replace(/[\\/]\*+$/u, '');
+    if (!withoutTrailingGlob) {
+        return new Error('Path cannot be empty');
+    }
+    if (withoutTrailingGlob.includes('*') || withoutTrailingGlob.includes('?')) {
+        return new Error('Path must be a directory, not a glob pattern');
+    }
+    const expandedHomeDirectory = (() => {
+        if (withoutTrailingGlob === '~') {
+            return os.homedir();
+        }
+        if (withoutTrailingGlob.startsWith('~/')) {
+            return path.join(os.homedir(), withoutTrailingGlob.slice(2));
+        }
+        return withoutTrailingGlob;
+    })();
+    const absolutePath = path.isAbsolute(expandedHomeDirectory)
+        ? expandedHomeDirectory
+        : path.resolve(workingDirectory, expandedHomeDirectory);
+    const normalizedPath = path.normalize(absolutePath);
+    const root = path.parse(normalizedPath).root;
+    const withoutTrailingSlash = normalizedPath.length > root.length
+        ? normalizedPath.replace(/[\\/]+$/u, '')
+        : normalizedPath;
+    return withoutTrailingSlash.replaceAll('\\', '/');
+}
+export function buildAllowedDirectoryPatterns({ directory, }) {
+    const childPattern = directory.endsWith('/') ? `${directory}*` : `${directory}/*`;
+    return [directory, childPattern];
+}

package/dist/directory-permissions.test.js

@@ -0,0 +1,37 @@
+// Tests for one-shot directory permission path normalization helpers.
+import os from 'node:os';
+import path from 'node:path';
+import { describe, expect, test } from 'vitest';
+import { buildAllowedDirectoryPatterns, normalizeAllowedDirectoryPath, } from './directory-permissions.js';
+describe('normalizeAllowedDirectoryPath', () => {
+    test('resolves relative paths from the working directory', () => {
+        const result = normalizeAllowedDirectoryPath({
+            input: '../shared/',
+            workingDirectory: '/repo/worktree/app',
+        });
+        expect(result).toBe('/repo/worktree/shared');
+    });
+    test('expands home directories and strips implicit trailing glob', () => {
+        const result = normalizeAllowedDirectoryPath({
+            input: '~/projects/*',
+            workingDirectory: '/repo/worktree/app',
+        });
+        expect(result).toBe(`${os.homedir().replaceAll('\\', '/')}/projects`);
+    });
+    test('rejects glob patterns in the middle of the path', () => {
+        const result = normalizeAllowedDirectoryPath({
+            input: 'src/*/nested',
+            workingDirectory: '/repo/worktree/app',
+        });
+        expect(result instanceof Error ? result.message : result).toBe('Path must be a directory, not a glob pattern');
+    });
+});
+describe('buildAllowedDirectoryPatterns', () => {
+    test('adds exact and child wildcard patterns for a directory', () => {
+        const directory = path.join('/repo', 'shared').replaceAll('\\', '/');
+        expect(buildAllowedDirectoryPatterns({ directory })).toEqual([
+            '/repo/shared',
+            '/repo/shared/*',
+        ]);
+    });
+});

package/dist/discord-bot.js

@@ -268,15 +268,19 @@ export async function startDiscordBot({ token, appId, discordClient, useWorktree
             const cliInjectedPermissions = isCliInjectedPrompt
                 ? promptMarker?.permissions
                 : undefined;
+            const cliInjectedInjectionGuardPatterns = isCliInjectedPrompt
+                ? promptMarker?.injectionGuardPatterns
+                : undefined;
             // Always ignore our own messages (unless CLI-injected prompt above).
             // Without this, assigning the Kimaki role to the bot itself would loop.
             if (isSelfBotMessage && !isCliInjectedPrompt) {
                 return;
             }
-            // Allow bot messages through if the bot has the "Kimaki" role assigned.
-            // This enables multi-agent orchestration where other bots (e.g. an
-            // orchestrator) can @mention Kimaki and trigger sessions like a human.
-            if (message.author?.bot) {
+            // Allow CLI-injected prompts from this Kimaki bot through even when role
+            // reconciliation did not give the bot the "Kimaki" role yet. Other bots
+            // still need Kimaki permission so multi-agent orchestration stays opt-in.
+            const isInjectedSelfBotMessage = isCliInjectedPrompt && message.author?.id === discordClient.user?.id;
+            if (message.author?.bot && !isInjectedSelfBotMessage) {
                 if (!hasKimakiBotPermission(message.member)) {
                     return;
                 }
@@ -488,6 +492,7 @@ export async function startDiscordBot({ token, appId, discordClient, useWorktree
                     agent: cliInjectedAgent,
                     model: cliInjectedModel,
                     permissions: cliInjectedPermissions,
+                    injectionGuardPatterns: cliInjectedInjectionGuardPatterns,
                     sessionStartSource: sessionStartSource
                         ? {
                             scheduleKind: sessionStartSource.scheduleKind,
@@ -759,6 +764,7 @@ export async function startDiscordBot({ token, appId, discordClient, useWorktree
                 agent: marker.agent,
                 model: marker.model,
                 permissions: marker.permissions,
+                injectionGuardPatterns: marker.injectionGuardPatterns,
                 mode: 'opencode',
                 sessionStartSource: botThreadStartSource
                     ? {