typeclaw 0.1.2 → 0.1.4

package/src/cli/index.ts

@@ -2,9 +2,12 @@
 
 import { defineCommand, runMain } from 'citty'
 
+import { CLI_VERSION } from '../init/cli-version'
+
 const main = defineCommand({
   meta: {
     name: 'typeclaw',
+    version: CLI_VERSION,
     description: 'TypeClaw agent runtime',
   },
   subCommands: {

package/src/cli/init.ts

@@ -275,6 +275,7 @@ export const init = defineCommand({
         cwd,
         llmAuth,
         model: selectedModel.ref,
+        cliEntry: process.argv[1],
         ...(discordBotToken !== undefined ? { discordBotToken } : {}),
         ...(slackBotToken !== undefined ? { slackBotToken, slackAppToken } : {}),
         ...(telegramBotToken !== undefined ? { telegramBotToken } : {}),
@@ -414,7 +415,7 @@ function preflightFailureGuidance(result: Extract<DockerAvailability, { ok: fals
 }
 
 function reportKakaotalkAuth(result: KakaotalkAuthResult): string {
-  if (result.ok) return 'KakaoTalk credentials saved to workspace/.agent-messenger/.'
+  if (result.ok) return 'KakaoTalk credentials saved to secrets.json.'
   return `KakaoTalk login failed: ${result.reason}`
 }
 

package/src/cli/ui.ts

@@ -2,6 +2,8 @@ import { styleText } from 'node:util'
 
 import { cancel, intro, isCancel, log, note, outro, spinner as clackSpinner } from '@clack/prompts'
 
+import { type AutoUpgradeOutcome, describeAutoUpgrade } from '@/init/auto-upgrade'
+
 export { cancel, intro, isCancel, log, note, outro }
 
 function colorize(modifier: Parameters<typeof styleText>[0], s: string): string {
@@ -62,6 +64,7 @@ export type StartLikeResult = {
   hostPort: number
   containerId: string
   hostd: { state: 'registered' } | { state: 'unavailable'; reason: string } | { state: 'disabled' }
+  autoUpgrade?: AutoUpgradeOutcome
 }
 
 export function renderStartSuccess(result: StartLikeResult): string {
@@ -69,6 +72,14 @@ export function renderStartSuccess(result: StartLikeResult): string {
   const name = c.cyan(result.plan.containerName)
   const port = c.green(String(result.hostPort))
 
+  if (result.autoUpgrade) {
+    const message = describeAutoUpgrade(result.autoUpgrade)
+    if (message.length > 0) {
+      const tint = result.autoUpgrade.kind === 'exact-pin-respected' ? c.yellow : c.cyan
+      lines.push(tint(message))
+    }
+  }
+
   if (result.alreadyRunning) {
     lines.push(`${c.green('●')} ${name} is already running on host port ${port}.`)
   } else {

package/src/config/config.ts

@@ -104,6 +104,25 @@ export const gitignoreSchema = z
 
 export type GitignoreConfig = z.infer<typeof gitignoreSchema>
 
+const IPV4_CIDR_PATTERN = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/
+
+const ipv4CidrSchema = z.string().refine(
+  (value) => {
+    const match = IPV4_CIDR_PATTERN.exec(value)
+    if (!match) return false
+    const octets = [match[1], match[2], match[3], match[4]].map(Number)
+    if (octets.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false
+    if (match[5] !== undefined) {
+      const prefix = Number(match[5])
+      if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) return false
+    }
+    return true
+  },
+  {
+    message: 'network.allow entries must be IPv4 addresses or CIDR ranges (e.g. "10.0.0.0/16", "10.0.0.2")',
+  },
+)
+
 // `blockInternal` is the kill-switch for the container-stage egress filter
 // installed by Dockerfile entrypoint shim: when true, the container is granted
 // CAP_NET_ADMIN at boot just long enough to install iptables OUTPUT rules
@@ -111,13 +130,51 @@ export type GitignoreConfig = z.infer<typeof gitignoreSchema>
 // multicast/reserved, IPv6 ULA/link-local/multicast. The capability is then
 // dropped from the bounding set via setpriv before the agent process exec's,
 // so no child (python, curl, bun-spawned anything) can mutate or recover it.
-// Default is `false` so existing agent folders are unaffected by an upgrade;
-// `typeclaw init` writes `true` for new agents (handled separately in init).
+//
+// Default is `true`: the threat model that motivated this feature — prompt
+// injection asking the agent to fetch RFC1918 hosts (e.g. a LAN router admin
+// page) or the cloud-IMDS endpoint — applies to every agent equally, so the
+// safe default is "on" and
+// the explicit opt-out is for users who need their agent to reach LAN hosts
+// (NAS, internal services, sibling dev machines). PR #145 shipped this with
+// default `false` to preserve existing-folder behavior on upgrade; this
+// follow-up (the one PR #145 promised in its description) makes the default
+// match the intent. `typeclaw init` also writes `true` explicitly so the
+// field is discoverable in fresh `typeclaw.json` files. Loopback traffic
+// (`-o lo`) is always allowed by the shim, so `bun run dev` and local APIs
+// on `localhost` / `127.0.0.1` are unaffected.
+//
+// `autoAllowResolvers` (default `true`) makes the shim narrowly carve out
+// the container's DNS resolvers — every `nameserver` line in
+// `/etc/resolv.conf` gets a `udp/tcp --dport 53` ACCEPT inserted BEFORE the
+// REJECT rules. This fixes the canonical EC2/GCE/Azure footgun: cloud VPC
+// resolvers live inside RFC1918 (e.g. AWS VPC DNS at `10.0.0.2`), so
+// `blockInternal: true` would otherwise kill every DNS lookup the agent
+// makes. The carve-out is scoped to port 53 only — a compromised agent
+// cannot reach the resolver host on any other port. On a laptop where
+// `/etc/resolv.conf` points at a public resolver (1.1.1.1, 8.8.8.8), the
+// generated ACCEPT rules are no-ops because public IPs are not in the
+// block list to begin with. Opt-out (`false`) is for users who explicitly
+// configure DNS via `.env` (e.g. `DOCKER_DNS=1.1.1.1`) and want a fully
+// closed filter.
+//
+// `allow` is the power-user escape hatch: an explicit list of IPv4 CIDRs
+// or bare IPv4 addresses that punch through the block list wholesale (all
+// ports, all protocols). Use case: VPC-private services the agent must
+// reach by IP — internal APIs, RDS endpoints, VPC interface endpoints for
+// S3/Bedrock. Each entry inserts an unscoped `iptables -A OUTPUT -d <cidr>
+// -j ACCEPT` before the REJECT rules. IPv4 only: the carve-out is for
+// destinations the operator names explicitly, and every cloud VPC we
+// support is IPv4-routable. Validation at parse time rejects non-CIDR
+// strings, IPv6 forms, and out-of-range octets so a typo in
+// `typeclaw.json` surfaces immediately instead of at container boot.
 export const networkSchema = z
   .object({
-    blockInternal: z.boolean().default(false),
+    blockInternal: z.boolean().default(true),
+    autoAllowResolvers: z.boolean().default(true),
+    allow: z.array(ipv4CidrSchema).default([]),
   })
-  .default({ blockInternal: false })
+  .default({ blockInternal: true, autoAllowResolvers: true, allow: [] })
 
 export type NetworkConfig = z.infer<typeof networkSchema>
 

package/src/container/index.ts

@@ -17,6 +17,8 @@ export {
 } from './shared'
 export {
   planStart,
+  refreshDockerfile,
+  refreshGitignore,
   start,
   type HostDaemonStatus,
   type PlanStartOptions,

package/src/container/start.ts

@@ -7,11 +7,20 @@ import { configSchema, expandMountPath, type Config } from '@/config/config'
 import { send as sendToDaemon } from '@/hostd/client'
 import type { HttpInfoResult } from '@/hostd/protocol'
 import { ensureDaemon } from '@/hostd/spawn'
+import {
+  autoUpgradeTypeclawDep,
+  type AutoUpgradeOutcome,
+  expectedInstalledAfterUpgrade,
+  outcomeForcesInstall,
+  readInstalledTypeclawVersionFromAgent,
+} from '@/init/auto-upgrade'
 import { resolveBaseImageVersion } from '@/init/cli-version'
 import { buildDockerfile, DOCKERFILE } from '@/init/dockerfile'
 import { ensureDepsInstalled, type EnsureDepsResult } from '@/init/ensure-deps'
 import { buildGitignore, GITIGNORE_FILE } from '@/init/gitignore'
 import { refreshPackageJson } from '@/init/packagejson'
+import { runBunUpdate, type UpdateRunner } from '@/init/run-bun-install'
+import { migrateKakaotalkCredentials } from '@/secrets'
 
 import { CONTAINER_PORT, findFreePort, isPortAllocatedError } from './port'
 import {
@@ -77,6 +86,25 @@ export type StartOptions = {
   // Reusing that daemon avoids a self-shutdown when disk source has drifted.
   reuseCurrentHostDaemon?: boolean
   ensureDeps?: (cwd: string) => Promise<EnsureDepsResult>
+  // Test seam for the typeclaw-version auto-upgrade. Production callers omit
+  // this and get the real autoUpgradeTypeclawDep (which reads the CLI's own
+  // package.json). Tests inject a stub to simulate `bun -g update typeclaw`
+  // having bumped the CLI without touching the agent folder.
+  autoUpgrade?: (cwd: string) => Promise<AutoUpgradeOutcome>
+  // Test seam for the auto-upgrade-triggered registry resolution. Defaults
+  // to `bun update typeclaw --latest`. Cannot be `runBunInstall` — see the
+  // module header in src/init/auto-upgrade.ts for why install doesn't move
+  // an already-locked in-range dep.
+  forceBunUpdate?: UpdateRunner
+  // Test seam for the post-install verification. Reads the version actually
+  // present in <agent>/node_modules/typeclaw/package.json after the upgrade
+  // install completes. Defaults to readInstalledTypeclawVersionFromAgent.
+  // Verification is mandatory: `bun update` can succeed (exit 0) but still
+  // resolve to an older version than expected if the registry has issues
+  // or the spec resolution surprises us; we MUST refuse to proceed to
+  // refreshDockerfile in that case, otherwise the Dockerfile pins a stale
+  // base image and the build either fails or runs against the wrong runtime.
+  readInstalledVersion?: (cwd: string) => string | null
   // Post-`docker run` verifier. `docker run -d` returns exit 0 the moment the
   // container is created, even if its entrypoint crashes milliseconds later.
   // The default verifier polls `docker inspect` for 1.5s and converts crashes
@@ -106,6 +134,7 @@ export type StartResult =
       // every fresh launch, including the post-stale-corpse `--rm` recovery
       // path — that one rebuilds the container from scratch.
       alreadyRunning: boolean
+      autoUpgrade: AutoUpgradeOutcome
     }
   | { ok: false; reason: string }
 
@@ -118,6 +147,9 @@ export async function start({
   cliEntry,
   reuseCurrentHostDaemon = false,
   ensureDeps = (dir) => ensureDepsInstalled({ cwd: dir }),
+  autoUpgrade = (dir) => autoUpgradeTypeclawDep({ cwd: dir }),
+  forceBunUpdate = runBunUpdate,
+  readInstalledVersion = readInstalledTypeclawVersionFromAgent,
   verifyRunning = createVerifyRunning({ exec }),
 }: StartOptions): Promise<StartResult> {
   try {
@@ -149,6 +181,42 @@ export async function start({
     if (pkgRefresh.changed) {
       await commitSystemFile(cwd, pkgRefresh.files, 'Enable bun workspaces (packages/*)')
     }
+
+    // Align the agent's typeclaw dep with the global CLI version BEFORE
+    // ensureDeps runs. The classic regression this prevents: `bun -g update
+    // typeclaw` bumps the global CLI but the agent's node_modules/typeclaw
+    // stays pinned to whatever was installed at init time. refreshDockerfile
+    // then pins FROM ghcr/typeclaw-base:<old-version> and the docker build
+    // either fails (image never published) or runs against a stale runtime.
+    //
+    // We use `bun update typeclaw --latest` (NOT `bun install`) because plain
+    // install honors the lockfile and is a no-op when the lockfile already
+    // satisfies the declared spec — which is the canonical regression case
+    // (lockfile pins 0.1.0, spec says ^0.1.0, CLI is 0.1.2; install does
+    // nothing, update force-resolves to 0.1.2).
+    //
+    // After the update we MUST verify the installed version actually matches
+    // the upgrade target. `bun update` can exit 0 but resolve to a stale
+    // version (registry hiccups, surprising spec resolution). If verification
+    // fails we abort before refreshDockerfile so we never pin a stale base
+    // image to a fresh container build.
+    const upgrade = await autoUpgrade(cwd)
+    const upgradeCommitMessage = commitMessageForAutoUpgrade(upgrade)
+    if (outcomeForcesInstall(upgrade)) {
+      const forced = await forceBunUpdate(cwd, 'typeclaw')
+      if (!forced.ok) {
+        return { ok: false, reason: `typeclaw auto-upgrade install failed: ${forced.reason}` }
+      }
+      const expected = expectedInstalledAfterUpgrade(upgrade)
+      const installedAfter = readInstalledVersion(cwd)
+      if (expected !== null && (installedAfter === null || !installedReachesTarget(installedAfter, expected))) {
+        return {
+          ok: false,
+          reason: `typeclaw auto-upgrade verification failed: bun update reported success but <agent>/node_modules/typeclaw is ${installedAfter ?? 'missing'} (expected >= ${expected}). Refusing to build a Docker image against a stale runtime.`,
+        }
+      }
+    }
+
     // Run `bun install` BEFORE the dependency-drift commit so the lockfile
     // changes the install produces are caught by the same commit. Without
     // this, upgrading the typeclaw CLI to a version that adds a new dep
@@ -160,12 +228,13 @@ export async function start({
     if (!deps.ok) {
       return { ok: false, reason: `dependency install failed: ${deps.reason}` }
     }
-    await commitSystemFile(cwd, DEPENDENCY_FILES, 'Update dependencies')
+    await commitSystemFile(cwd, DEPENDENCY_FILES, upgradeCommitMessage ?? 'Update dependencies')
     // Dockerfile refresh AFTER ensureDeps so the version pin in the FROM
     // line resolves against the agent's installed node_modules/typeclaw —
     // ensures the base image's CLI version matches the runtime the
     // container will actually load.
     await refreshDockerfile(cwd)
+    await migrateKakaotalkCredentials(cwd)
 
     if (state.exists) {
       // Container holds the name but is not running. Without `--rm`, this is
@@ -303,12 +372,31 @@ export async function start({
       hostPort,
       hostd: stripHostDaemonControl(hostd),
       alreadyRunning: false,
+      autoUpgrade: upgrade,
     }
   } catch (error) {
     return { ok: false, reason: error instanceof Error ? error.message : String(error) }
   }
 }
 
+function commitMessageForAutoUpgrade(outcome: AutoUpgradeOutcome): string | null {
+  if (outcome.kind === 'spec-rewritten') return `Upgrade typeclaw to ${outcome.to}`
+  if (outcome.kind === 'reinstall-needed') return `Upgrade typeclaw to ${outcome.to}`
+  return null
+}
+
+function installedReachesTarget(installed: string, target: string): boolean {
+  const ai = installed.match(/^(\d+)\.(\d+)\.(\d+)$/)
+  const at = target.match(/^(\d+)\.(\d+)\.(\d+)$/)
+  if (!ai || !at) return false
+  for (let i = 1; i <= 3; i++) {
+    const a = Number.parseInt(ai[i]!, 10)
+    const t = Number.parseInt(at[i]!, 10)
+    if (a !== t) return a > t
+  }
+  return true
+}
+
 export async function planStart({
   cwd,
   hostPort,
@@ -336,9 +424,16 @@ export async function planStart({
   // bounding set via setpriv before exec'ing the agent — see the shim source
   // in src/init/dockerfile.ts for the full handoff. The `-e` flag is what
   // tells the shim to take the on-path; absent or set to anything other than
-  // "1", the shim is a no-op.
+  // "1", the shim is a no-op. `autoAllowResolvers` / `allow` envs are only
+  // emitted on the on-path because the shim's off-path doesn't read them;
+  // `TYPECLAW_NETWORK_ALLOW` is comma-joined to match the shim's `IFS=','`
+  // loop, and CIDR validation already happened at config parse time.
   if (cfg.network.blockInternal) {
     runArgs.push('--cap-add=NET_ADMIN', '-e', 'TYPECLAW_NETWORK_BLOCK_INTERNAL=1')
+    runArgs.push('-e', `TYPECLAW_NETWORK_AUTO_ALLOW_RESOLVERS=${cfg.network.autoAllowResolvers ? '1' : '0'}`)
+    if (cfg.network.allow.length > 0) {
+      runArgs.push('-e', `TYPECLAW_NETWORK_ALLOW=${cfg.network.allow.join(',')}`)
+    }
   }
 
   if (hostdControl) {
@@ -537,6 +632,7 @@ async function reportAlreadyRunning(exec: DockerExec, cwd: string, containerName
     hostPort,
     hostd: { state: 'disabled' },
     alreadyRunning: true,
+    autoUpgrade: { kind: 'skipped-already-running' },
   }
 }
 

package/src/doctor/checks.ts

@@ -1,5 +1,5 @@
 import { existsSync, mkdirSync } from 'node:fs'
-import { readFile, writeFile } from 'node:fs/promises'
+import { readFile } from 'node:fs/promises'
 import { homedir } from 'node:os'
 import { join, relative } from 'node:path'
 
@@ -10,10 +10,13 @@ import {
   defaultDockerExec,
   imageTagFromCwd,
   inspectContainer,
+  refreshDockerfile,
+  refreshGitignore,
   resolveHostPort,
   type DockerExec,
 } from '@/container'
 import { isDaemonReachable, send } from '@/hostd'
+import { resolveBaseImageVersion } from '@/init/cli-version'
 import { buildDockerfile, DOCKERFILE } from '@/init/dockerfile'
 import { detectMissingDeps } from '@/init/ensure-deps'
 import { buildGitignore, GITIGNORE_FILE } from '@/init/gitignore'
@@ -33,7 +36,6 @@ export function buildStaticChecks(opts: { dockerExec?: DockerExec } = {}): Docto
     agentFolderDockerfileTemplate(),
     agentFolderGitignoreTemplate(),
     agentFolderNodeModules(),
-    agentFolderEnvFile(),
     agentFolderGitRepo(),
     configValid(),
     hostdHomeWritable(),
@@ -152,7 +154,7 @@ function agentFolderDockerfileTemplate(): DoctorCheck {
         fix: {
           description: 'Regenerate the Dockerfile from the typeclaw template.',
           autoFix: async () => {
-            await writeAtomic(dockerfilePath, expected)
+            await refreshDockerfile(ctx.cwd)
             return { summary: 'refreshed Dockerfile from template', changedPaths: [DOCKERFILE] }
           },
         },
@@ -181,7 +183,7 @@ function agentFolderGitignoreTemplate(): DoctorCheck {
         fix: {
           description: 'Regenerate .gitignore from the typeclaw template.',
           autoFix: async () => {
-            await writeAtomic(gitignorePath, expected)
+            await refreshGitignore(ctx.cwd)
             return { summary: 'refreshed .gitignore from template', changedPaths: [GITIGNORE_FILE] }
           },
         },
@@ -209,24 +211,6 @@ function agentFolderNodeModules(): DoctorCheck {
   }
 }
 
-function agentFolderEnvFile(): DoctorCheck {
-  return {
-    name: 'agent-folder.env-file',
-    category: 'agent-folder',
-    description: '.env file is present',
-    applies: (ctx) => ctx.hasAgentFolder,
-    async run(ctx) {
-      if (existsSync(join(ctx.cwd, '.env'))) return { status: 'ok', message: '.env present' }
-      return {
-        status: 'warning',
-        message: '.env is missing',
-        details: ['Channels and external API integrations will not have their secrets injected.'],
-        fix: { description: 'Create a .env file with the credentials your agent needs.' },
-      }
-    },
-  }
-}
-
 function agentFolderGitRepo(): DoctorCheck {
   return {
     name: 'agent-folder.git-repo',
@@ -384,7 +368,7 @@ function buildExpectedDockerfile(cwd: string): string | null {
   try {
     const cfg = loadConfigStrictForTemplate(cwd)
     if (cfg === null) return null
-    return buildDockerfile(cfg.dockerfile)
+    return buildDockerfile(cfg.dockerfile, { baseImageVersion: resolveBaseImageVersion(cwd) })
   } catch {
     return null
   }
@@ -417,10 +401,6 @@ async function safeRead(path: string): Promise<string | null> {
   }
 }
 
-async function writeAtomic(path: string, content: string): Promise<void> {
-  await writeFile(path, content)
-}
-
 export function relativeToCwd(cwd: string, path: string): string {
   return relative(cwd, path) || '.'
 }

package/src/doctor/commit.ts

@@ -18,8 +18,8 @@ export async function commitAutoFixes(opts: CommitOptions): Promise<CommitOutcom
     return { kind: 'skipped', reason: 'no successful auto-fixes' }
   }
 
-  const pathsStaged = uniqueSorted(successes.flatMap((a) => a.changedPaths))
-  if (pathsStaged.length === 0) {
+  const requested = uniqueSorted(successes.flatMap((a) => a.changedPaths))
+  if (requested.length === 0) {
     return { kind: 'skipped', reason: 'auto-fixes reported no changed paths' }
   }
 
@@ -29,13 +29,23 @@ export async function commitAutoFixes(opts: CommitOptions): Promise<CommitOutcom
 
   const spawnGit = opts.spawnGit ?? defaultSpawnGit
 
+  const filter = await filterCommittable(spawnGit, opts.cwd, requested)
+  if (filter.kind === 'failed') return filter
+  const pathsStaged = filter.paths
+  if (pathsStaged.length === 0) {
+    return {
+      kind: 'skipped',
+      reason: `all changed path(s) are gitignored or untracked-and-ignored (${requested.join(', ')})`,
+    }
+  }
+
   const add = await spawnGit(['add', '--', ...pathsStaged], opts.cwd)
   if (add.exitCode !== 0) {
     return { kind: 'failed', reason: `git add failed: ${add.stderr.trim() || `exit ${add.exitCode}`}` }
   }
 
   const message = buildCommitMessage(opts.attempts)
-  const commit = await spawnGit(['commit', '-m', message], opts.cwd)
+  const commit = await spawnGit(['commit', '-m', message, '--only', '--', ...pathsStaged], opts.cwd)
   if (commit.exitCode !== 0) {
     return { kind: 'failed', reason: `git commit failed: ${commit.stderr.trim() || `exit ${commit.exitCode}`}` }
   }
@@ -45,6 +55,37 @@ export async function commitAutoFixes(opts: CommitOptions): Promise<CommitOutcom
   return { kind: 'committed', commitSha, pathsStaged }
 }
 
+// TypeClaw-owned files like `Dockerfile` live in the "truly-ignored" gitignore
+// category — they're regenerated from the CLI template on every `typeclaw
+// start`, so tracking them would produce noisy "Update Dockerfile" commits.
+// `commitSystemFile` in src/container/start.ts skips them silently because
+// `git status --porcelain -- <ignored>` returns empty. We replicate that
+// behavior here so `doctor --fix` produces the same skip semantics instead
+// of failing with `git add` hints about the ignored file.
+//
+// A non-zero git-status exit IS NOT the same signal as 'empty stdout' — the
+// former means git itself failed (broken index, malformed pathspec, etc.).
+// Surface that as { kind: 'failed' } so the user sees the real cause instead
+// of a misleading 'all paths are gitignored' message.
+async function filterCommittable(
+  spawnGit: SpawnGit,
+  cwd: string,
+  paths: string[],
+): Promise<{ kind: 'ok'; paths: string[] } | { kind: 'failed'; reason: string }> {
+  const out: string[] = []
+  for (const p of paths) {
+    const status = await spawnGit(['status', '--porcelain', '--', p], cwd)
+    if (status.exitCode !== 0) {
+      return {
+        kind: 'failed',
+        reason: `git status failed for ${p}: ${status.stderr.trim() || `exit ${status.exitCode}`}`,
+      }
+    }
+    if (status.stdout.trim().length > 0) out.push(p)
+  }
+  return { kind: 'ok', paths: out }
+}
+
 export function buildCommitMessage(attempts: FixAttempt[]): string {
   const successes = attempts.filter((a): a is Extract<FixAttempt, { ok: true }> => a.ok === true)
   const subject = `typeclaw doctor: auto-fix ${successes.length} issue${successes.length === 1 ? '' : 's'}`

package/src/doctor/plugin-bridge.ts

@@ -88,7 +88,13 @@ async function dial(opts: PluginBridgeOptions): Promise<DialResult> {
   const ws = new WebSocket(url)
   try {
     await new Promise<void>((resolve, reject) => {
+      // `timer` is declared up front so `cleanup` can reference it without
+      // hitting the TDZ if the WS fires a synchronous error event during
+      // addEventListener (theoretical, but const-after-cleanup-definition
+      // would throw ReferenceError instead of being the intended no-op).
+      let timer: ReturnType<typeof setTimeout> | undefined
       const cleanup = () => {
+        if (timer !== undefined) clearTimeout(timer)
         ws.removeEventListener('open', onOpen)
         ws.removeEventListener('error', onError)
       }
@@ -100,6 +106,19 @@ async function dial(opts: PluginBridgeOptions): Promise<DialResult> {
         cleanup()
         reject(err instanceof Error ? err : new Error(`failed to connect to ${url}`))
       }
+      // Bun's WebSocket has no built-in connect timeout. Without this, a TCP
+      // handshake that completes but never produces an Upgrade response
+      // (e.g. a wedged docker/orbstack port-forward) leaves the WS stuck in
+      // CONNECTING forever — neither 'open' nor 'error' ever fires, and
+      // `typeclaw doctor` hangs. The per-request timeout downstream doesn't
+      // help because we never reach it.
+      timer = setTimeout(() => {
+        cleanup()
+        try {
+          ws.close()
+        } catch {}
+        reject(new Error(`websocket connect timeout after ${timeoutMs}ms`))
+      }, timeoutMs)
       ws.addEventListener('open', onOpen, { once: true })
       ws.addEventListener('error', onError, { once: true })
     })

package/src/hostd/daemon.ts

@@ -7,6 +7,8 @@ import type { Socket, UnixSocketListener } from 'bun'
 import type { PortForward } from '@/config'
 import { defaultDockerExec, type DockerExec } from '@/container'
 import type { PortForwardEvent } from '@/portbroker'
+import { kakaoChannelBlockSchema } from '@/secrets/schema'
+import { SecretsBackend } from '@/secrets/storage'
 
 import { isDaemonReachable } from './client'
 import { ensureDirs, registrationFilePath, registrationsDir, socketPath } from './paths'
@@ -16,6 +18,7 @@ import type {
   Request,
   Response as RpcResponse,
   RestartResult,
+  SecretsPatchResult,
   ShutdownResult,
   StatusResult,
   VersionResult,
@@ -351,6 +354,26 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
     return { ok: true, result }
   }
 
+  const handleSecretsPatch = async (req: {
+    containerName: string
+    patch: { channels: { kakaotalk: unknown } }
+  }): Promise<RpcResponse> =>
+    runSerially(req.containerName, async () => {
+      const cwd = cwds.get(req.containerName)
+      if (!cwd) return { ok: false, reason: `not registered: ${req.containerName}` }
+      const parsed = kakaoChannelBlockSchema.safeParse(req.patch?.channels?.kakaotalk)
+      if (!parsed.success) {
+        return { ok: false, reason: parsed.error.issues.map((issue) => issue.message).join('; ') }
+      }
+      const backend = new SecretsBackend(join(cwd, 'secrets.json'))
+      await backend.updateChannelsAsync(async (channels) => ({
+        result: undefined,
+        next: { ...channels, kakaotalk: parsed.data },
+      }))
+      const result: SecretsPatchResult = { containerName: req.containerName, patched: true }
+      return { ok: true, result }
+    })
+
   const handleHttpInfo = (): RpcResponse => {
     const result: HttpInfoResult = { port: httpPort }
     return { ok: true, result }
@@ -392,6 +415,8 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
         return handleStatus(req)
       case 'restart':
         return handleRestart(req)
+      case 'secrets-patch':
+        return handleSecretsPatch(req)
       case 'http-info':
         return handleHttpInfo()
       case 'version':
@@ -454,13 +479,13 @@ export async function startDaemon(opts: DaemonOptions = {}): Promise<Daemon> {
     } catch {
       return json({ ok: false, reason: 'invalid request json' }, 400)
     }
-    if (rpc.kind !== 'restart') {
-      return json({ ok: false, reason: 'http transport only supports restart' }, 403)
+    if (rpc.kind !== 'restart' && rpc.kind !== 'secrets-patch') {
+      return json({ ok: false, reason: 'http transport only supports restart and secrets-patch' }, 403)
     }
     if (restartTokens.get(rpc.containerName) !== token) {
       return json({ ok: false, reason: 'invalid restart token' }, 403)
     }
-    return json(await handleRestart(rpc))
+    return json(rpc.kind === 'restart' ? await handleRestart(rpc) : await handleSecretsPatch(rpc))
   }
 
   const httpHostname = opts.httpHost ?? '0.0.0.0'

package/src/hostd/protocol.ts

@@ -1,4 +1,5 @@
 import type { PortForward } from '@/config'
+import type { KakaoChannelBlock } from '@/secrets/schema'
 
 export type Request =
   | {
@@ -14,6 +15,7 @@ export type Request =
   | { kind: 'list' }
   | { kind: 'status'; containerName: string }
   | { kind: 'restart'; containerName: string; build?: boolean }
+  | { kind: 'secrets-patch'; containerName: string; patch: { channels: { kakaotalk: KakaoChannelBlock } } }
   | { kind: 'http-info' }
   | { kind: 'version' }
   | { kind: 'shutdown' }
@@ -35,6 +37,11 @@ export type RestartResult = {
   scheduled: true
 }
 
+export type SecretsPatchResult = {
+  containerName: string
+  patched: true
+}
+
 export type HttpInfoResult = {
   port: number
 }