typeclaw 0.1.4 → 0.1.6

package/src/init/dockerfile.ts

@@ -136,14 +136,38 @@ export const NETWORK_BLOCK_IPV6_NETS = ['fc00::/7', 'fe80::/10', 'ff00::/8', '::
 // Carve-out ordering is load-bearing. iptables OUTPUT is first-match-wins,
 // and we use -A (append). So the order written into the shim is the order
 // rules will be evaluated:
-//   1. loopback ACCEPT
-//   2. hostd port ACCEPT (narrow: tcp + single dport on the host gateway)
-//   3. resolver ACCEPT (narrow: udp/tcp dport 53 to each /etc/resolv.conf
+//   1. ESTABLISHED,RELATED ACCEPT (return path for any connection initiated
+//      from outside the container — see comment block below)
+//   2. loopback ACCEPT
+//   3. hostd port ACCEPT (narrow: tcp + single dport on the host gateway)
+//   4. resolver ACCEPT (narrow: udp/tcp dport 53 to each /etc/resolv.conf
 //      nameserver) — gated on TYPECLAW_NETWORK_AUTO_ALLOW_RESOLVERS=1
-//   4. user-supplied allowlist ACCEPT (wholesale: -d <cidr>) — driven by
+//   5. user-supplied allowlist ACCEPT (wholesale: -d <cidr>) — driven by
 //      TYPECLAW_NETWORK_ALLOW comma-separated env
-//   5. RFC1918 + link-local + CGNAT + multicast + reserved REJECTs
-// A resolver at 10.0.0.2 hits (3) and ACCEPTs before (5) DROPs it.
+//   6. RFC1918 + link-local + CGNAT + multicast + reserved REJECTs
+// A resolver at 10.0.0.2 hits (4) and ACCEPTs before (6) DROPs it.
+//
+// Rule 1 (conntrack ESTABLISHED,RELATED) is what makes Docker port-forward
+// reply traffic survive the RFC1918 REJECT. On Docker Desktop and OrbStack
+// the bridge gateway is in 192.168.0.0/16 (OrbStack: 192.168.215.1 or
+// 192.168.139.1; Docker Desktop: 192.168.65.1). A host -> container request
+// via `docker run -p 127.0.0.1:HOST:CONTAINER` arrives at the container
+// from the bridge gateway IP. Without rule 1, the reply packets would
+// match rule 6 (192.168.0.0/16 REJECT) and never reach the host — TCP
+// handshake completes (kernel SYN/ACK is in INPUT, not OUTPUT), the
+// request body is delivered, but the agent's HTTP response is dropped at
+// OUTPUT. Symptom: `curl http://127.0.0.1:HOST` connects but receives
+// zero bytes and times out. Stateful inversion via conntrack is the
+// canonical fix: ESTABLISHED matches packets belonging to a connection
+// the kernel already tracks (including the inbound port-forward), and
+// RELATED covers ICMP error packets for those connections. No new
+// outbound capability is granted — a compromised agent still cannot
+// initiate connections to RFC1918, only respond to inbound ones.
+//
+// Requires the `xt_conntrack` kernel module (universal on Linux 2.6.20+
+// and on every Docker/OrbStack VM kernel) and the userspace iptables
+// `conntrack` match (shipped in the `iptables` Debian package on trixie
+// alongside the binary itself; no extra apt install needed).
 //
 // The resolver carve-out reads /etc/resolv.conf inside the container, NOT
 // on the host. Docker propagates the host's resolver into the container by
@@ -186,6 +210,7 @@ if [ "\${TYPECLAW_NETWORK_BLOCK_INTERNAL:-0}" != "1" ]; then
   exec bun run typeclaw "$@"
 fi
 
+iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 
 # Hostd HTTP control carve-out: narrow ACCEPT, scoped to one TCP port on
@@ -222,6 +247,7 @@ if [ -n "\${TYPECLAW_NETWORK_ALLOW:-}" ]; then
 fi
 ${ipv4Rules.join('\n')}
 
+ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT
 ${ipv6Rules.join('\n')}
 
@@ -384,7 +410,7 @@ ${ghKeyringLayer}# Layer 2 (changes when the package list changes): the actual a
 # Cache mounts make a re-install nearly free when this layer is invalidated:
 # .deb files come straight from the host's BuildKit cache instead of being
 # refetched from Debian/GitHub mirrors. Package set is composed from the
-# \`dockerfile\` config block in typeclaw.json — toggles for tmux/python/gh/
+# \`docker.file\` config block in typeclaw.json — toggles for tmux/python/gh/
 # ffmpeg fan out into the args below. Baseline (git/ca-certificates/curl/
 # gnupg) is always installed because downstream layers depend on it.
 #
@@ -417,7 +443,7 @@ ${renderEntrypointShimLayer()}
 
 function renderToggleAptInstallLayer(toggleAptArgs: string[]): string {
   return `# Layer 1 (toggle apt install): packages requested via typeclaw.json
-# #dockerfile toggles. Baseline + Chrome runtime libs are already in the
+# #docker.file toggles. Baseline + Chrome runtime libs are already in the
 # base image; this layer only adds gh/tmux/python/ffmpeg if enabled.
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \\
     --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \\
@@ -432,7 +458,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \\
 // two cannot drift — the published image is a function of this source, not
 // a checked-in Dockerfile that needs hand-syncing. The base intentionally
 // stops before the per-agent layers (gh keyring, apt feature toggles,
-// dockerfile.append, ENV, ENTRYPOINT) so users can still toggle them via
+// docker.file.append, ENV, ENTRYPOINT) so users can still toggle them via
 // typeclaw.json without forcing a base-image rebuild.
 //
 // Layer 2's apt-get install line installs only the baseline packages, NOT
@@ -587,7 +613,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \\
 
 function renderCustomDockerfileLines(lines: string[]): string {
   if (lines.length === 0) return ''
-  return `# Custom lines from typeclaw.json#dockerfile.append.
+  return `# Custom lines from typeclaw.json#docker.file.append.
 ${lines.join('\n')}
 
 `

package/src/init/gitignore.ts

@@ -39,7 +39,7 @@ channels/
 
 function renderCustomGitignoreEntries(entries: string[]): string {
   if (entries.length === 0) return ''
-  return `# Custom entries from typeclaw.json#gitignore.append.
+  return `# Custom entries from typeclaw.json#git.ignore.append.
 ${entries.join('\n')}
 
 `

package/src/init/index.ts

@@ -3,10 +3,16 @@ import { mkdir, readFile, writeFile } from 'node:fs/promises'
 import { basename, dirname, join, relative, resolve } from 'node:path'
 import { fileURLToPath } from 'node:url'
 
-import { config, configSchema, type Config } from '@/config'
-import { DEFAULT_MODEL_REF, KNOWN_PROVIDERS, providerForModelRef, type KnownModelRef } from '@/config/providers'
+import { config, configSchema, migrateLegacyConfigShape, type Config } from '@/config'
+import {
+  DEFAULT_MODEL_REF,
+  KNOWN_PROVIDERS,
+  providerForModelRef,
+  type KnownModelRef,
+  type KnownProviderId,
+} from '@/config/providers'
 import { checkDockerAvailable, type DockerAvailability, type DockerExec, start } from '@/container'
-import { type Channels, type Secret, SecretsBackend } from '@/secrets'
+import { createSecretsStoreForAgent, type Channels, type Secret, SecretsBackend } from '@/secrets'
 import { createTui } from '@/tui'
 
 import { resolveBaseImageVersion, resolveScaffoldVersion } from './cli-version'
@@ -23,7 +29,6 @@ export { GITKEEP_FILE, PACKAGES_DIR } from './paths'
 
 const CONFIG_FILE = 'typeclaw.json'
 const CRON_FILE = 'cron.json'
-const SECRETS_FILE = '.env'
 const PACKAGE_FILE = 'package.json'
 
 const MARKDOWN_FILES = ['AGENTS.md', 'IDENTITY.md', 'SOUL.md', 'USER.md'] as const
@@ -76,7 +81,15 @@ export type InitStepEvent =
 // portbroker — same path `typeclaw start` takes. When omitted (test fixtures,
 // programmatic callers that never want a daemon), `start()` skips the daemon
 // path entirely and the container runs unmanaged.
-export type HatchRunner = (options: { cwd: string; port: number; cliEntry?: string }) => Promise<HatchingResult>
+export type HatchRunner = (options: {
+  cwd: string
+  port: number
+  cliEntry?: string
+  // Set when the wizard wired at least one channel adapter, so the runner
+  // can offer to run `typeclaw role claim` after the container is ready.
+  // Empty / undefined means "no channels — skip the claim flow".
+  configuredChannels?: readonly ChannelKind[]
+}) => Promise<HatchingResult>
 
 export type KakaotalkAuthRunner = (options: { cwd: string }) => Promise<KakaotalkAuthResult>
 
@@ -96,16 +109,27 @@ export type InitOptions = {
   // defaults to the api-key path with `apiKey` (legacy field, still
   // supported for backwards compat with the old `runInit` signature).
   llmAuth?: LLMAuth
+  // Optional second model + auth, written as `models.vision` when the
+  // default model is text-only. Auth is reused from the default path
+  // when both refer to the same provider; the wizard enforces this
+  // pairing rule, so by the time we get here `visionAuth` is either
+  // (a) absent, or (b) the right auth for `visionModel`'s provider.
+  visionModel?: KnownModelRef
+  visionAuth?: LLMAuth
   apiKey?: string
   discordBotToken?: string
-  discordAllowAll?: boolean
   slackBotToken?: string
   slackAppToken?: string
-  slackAllowAll?: boolean
   telegramBotToken?: string
-  telegramAllowAll?: boolean
+  // When reusing existing channel credentials from a pre-init `secrets.json`,
+  // the CLI passes `with<Adapter>: true` without a corresponding token so the
+  // scaffolded `typeclaw.json` wires the adapter while `writeSecrets` leaves
+  // the existing slot in `secrets.json#channels` untouched. Defaults below
+  // mirror the legacy derivation (`<token> !== undefined && !== ''`).
+  withDiscord?: boolean
+  withSlack?: boolean
+  withTelegram?: boolean
   withKakaotalk?: boolean
-  kakaotalkAllowAll?: boolean
   runKakaotalkAuth?: KakaotalkAuthRunner
   onProgress?: (event: InitStepEvent) => void
   runHatching?: HatchRunner
@@ -124,15 +148,16 @@ export async function runInit({
   apiKey,
   llmAuth,
   model = DEFAULT_MODEL_REF,
+  visionModel,
+  visionAuth,
   discordBotToken,
-  discordAllowAll = true,
   slackBotToken,
   slackAppToken,
-  slackAllowAll = true,
   telegramBotToken,
-  telegramAllowAll = true,
+  withDiscord,
+  withSlack,
+  withTelegram,
   withKakaotalk = false,
-  kakaotalkAllowAll = false,
   runKakaotalkAuth,
   onProgress,
   runHatching = defaultRunHatching,
@@ -175,20 +200,36 @@ export async function runInit({
     }
   }
 
-  const wantsDiscord = discordBotToken !== undefined && discordBotToken !== ''
-  const wantsSlack = slackBotToken !== undefined && slackBotToken !== ''
-  const wantsTelegram = telegramBotToken !== undefined && telegramBotToken !== ''
+  // When the vision profile uses a different provider than the default, its
+  // OAuth login runs here too, before any file write. Same-provider vision
+  // reuses the default auth (no separate login). API-key vision auth is
+  // captured in memory and persisted by writeSecrets() below.
+  if (
+    visionAuth !== undefined &&
+    visionAuth.kind === 'oauth' &&
+    visionModel !== undefined &&
+    providerForModelRef(visionModel) !== providerForModelRef(model)
+  ) {
+    emit({ step: 'oauth-login', phase: 'start' })
+    await mkdir(cwd, { recursive: true })
+    const result = await visionAuth.runLogin({ cwd, model: visionModel })
+    emit({ step: 'oauth-login', phase: 'done', result })
+    if (!result.ok) {
+      throw new Error(`OAuth login failed: ${result.reason}`)
+    }
+  }
+
+  const wantsDiscord = withDiscord ?? (discordBotToken !== undefined && discordBotToken !== '')
+  const wantsSlack = withSlack ?? (slackBotToken !== undefined && slackBotToken !== '')
+  const wantsTelegram = withTelegram ?? (telegramBotToken !== undefined && telegramBotToken !== '')
   emit({ step: 'scaffold', phase: 'start' })
   await scaffold(cwd, {
     model,
+    ...(visionModel !== undefined ? { visionModel } : {}),
     withDiscord: wantsDiscord,
-    discordAllowAll,
     withSlack: wantsSlack,
-    slackAllowAll,
     withTelegram: wantsTelegram,
-    telegramAllowAll,
     withKakaotalk,
-    kakaotalkAllowAll,
   })
   // Only write the LLM API key on the api-key path. OAuth providers persist
   // their credentials to secrets.json (via the OAuth login step above); writing
@@ -196,6 +237,9 @@ export async function runInit({
   await writeSecrets(cwd, {
     model,
     apiKey: resolvedAuth.kind === 'api-key' ? resolvedAuth.apiKey : undefined,
+    ...(visionModel !== undefined && visionAuth?.kind === 'api-key'
+      ? { visionModel, visionApiKey: visionAuth.apiKey }
+      : {}),
     discordBotToken,
     slackBotToken,
     slackAppToken,
@@ -230,8 +274,19 @@ export async function runInit({
   const git = await initGitRepo(cwd)
   emit({ step: 'git', phase: 'done', result: git })
 
+  const configuredChannels: ChannelKind[] = []
+  if (wantsDiscord) configuredChannels.push('discord-bot')
+  if (wantsSlack) configuredChannels.push('slack-bot')
+  if (wantsTelegram) configuredChannels.push('telegram-bot')
+  if (withKakaotalk) configuredChannels.push('kakaotalk')
+
   emit({ step: 'hatching', phase: 'start' })
-  const hatching = await runHatching({ cwd, port: config.port, ...(cliEntry !== undefined ? { cliEntry } : {}) })
+  const hatching = await runHatching({
+    cwd,
+    port: config.port,
+    ...(cliEntry !== undefined ? { cliEntry } : {}),
+    ...(configuredChannels.length > 0 ? { configuredChannels } : {}),
+  })
   emit({ step: 'hatching', phase: 'done', result: hatching })
 }
 
@@ -245,16 +300,20 @@ export async function defaultRunHatching({
   cwd,
   port,
   cliEntry,
+  configuredChannels,
   startContainer = start,
   tui: tuiFactory = createTui,
   waitForAgent: waitForAgentFn = waitForAgent,
+  runClaim = defaultRunClaim,
 }: {
   cwd: string
   port: number
   cliEntry?: string
+  configuredChannels?: readonly ChannelKind[]
   startContainer?: typeof start
   tui?: typeof createTui
   waitForAgent?: typeof waitForAgent
+  runClaim?: ClaimRunner
 }): Promise<HatchingResult> {
   try {
     const launch = await startContainer({
@@ -269,10 +328,15 @@ export async function defaultRunHatching({
     // the preferred port, otherwise we'd connect to the wrong service.
     const hostPort = launch.hostPort
 
-    await waitForAgentFn(`http://localhost:${hostPort}`, { timeoutMs: 30_000 })
+    await waitForAgentFn(`http://127.0.0.1:${hostPort}`, { timeoutMs: 30_000 })
+
+    if (configuredChannels !== undefined && configuredChannels.length > 0) {
+      const url = buildTuiUrl(hostPort, launch.tuiToken)
+      await runClaim({ url, configuredChannels })
+    }
 
     const tui = tuiFactory({
-      url: `ws://localhost:${hostPort}`,
+      url: buildTuiUrl(hostPort, launch.tuiToken),
       initialPrompt: HATCHING_PROMPT,
     })
     await tui.run()
@@ -282,6 +346,19 @@ export async function defaultRunHatching({
   }
 }
 
+export type ClaimRunner = (options: { url: string; configuredChannels: readonly ChannelKind[] }) => Promise<void>
+
+const defaultRunClaim: ClaimRunner = async ({ url, configuredChannels }) => {
+  const { runOwnerClaim } = await import('./run-owner-claim')
+  await runOwnerClaim({ url, configuredChannels })
+}
+
+function buildTuiUrl(hostPort: number, token: string | null): string {
+  const url = new URL(`ws://127.0.0.1:${hostPort}`)
+  if (token !== null) url.searchParams.set('token', token)
+  return url.toString()
+}
+
 // Probe the server's plain HTTP fallback (non-upgrade requests get a 200 with
 // body "typeclaw agent") instead of opening a WebSocket. Opening a WS here
 // would trigger createSession on the server and burn an LLM session just to
@@ -361,14 +438,11 @@ export async function isHatched(dir: string): Promise<boolean> {
 
 export type ScaffoldOptions = {
   model?: KnownModelRef
+  visionModel?: KnownModelRef
   withDiscord?: boolean
-  discordAllowAll?: boolean
   withSlack?: boolean
-  slackAllowAll?: boolean
   withTelegram?: boolean
-  telegramAllowAll?: boolean
   withKakaotalk?: boolean
-  kakaotalkAllowAll?: boolean
 }
 
 export async function scaffold(root: string, options: ScaffoldOptions = {}): Promise<void> {
@@ -381,30 +455,22 @@ export async function scaffold(root: string, options: ScaffoldOptions = {}): Pro
   // immediately populated, so packages/ is the only one that needs this.
   await writeFile(join(root, PACKAGES_DIR, GITKEEP_FILE), '', { flag: 'wx' }).catch(ignoreExists)
 
-  // Only fields without sensible defaults elsewhere are emitted, with one
-  // exception: `network.blockInternal` is re-emitted at its default value
-  // (`true`) because the field is security-relevant and users need to
-  // discover it in their `typeclaw.json` to know they can opt out for LAN
-  // access. `mounts` defaults to `[]` in configSchema, and the bundled
-  // memory plugin owns its own defaults in src/bundled-plugins/memory/
-  // index.ts — re-emitting either here would be duplicate noise the user
-  // has to maintain in sync with the source of truth.
+  // Only fields without sensible defaults elsewhere are emitted. Everything
+  // with a schema-provided default (e.g. `network.blockInternal`, `mounts`,
+  // `memory.*`) is omitted to keep the scaffold minimal — duplicating defaults
+  // here would mean every schema change has to be mirrored in two places, and
+  // users would feel obligated to maintain values they never set.
+  const models: Record<string, KnownModelRef> = { default: options.model ?? DEFAULT_MODEL_REF }
+  if (options.visionModel !== undefined) models.vision = options.visionModel
   const config: Record<string, unknown> = {
     $schema: './node_modules/typeclaw/typeclaw.schema.json',
-    model: options.model ?? DEFAULT_MODEL_REF,
-    network: { blockInternal: true },
-  }
-  const channels: Record<string, { allow: string[] }> = {}
-  if (options.withDiscord) channels['discord-bot'] = { allow: options.discordAllowAll === false ? [] : ['*'] }
-  if (options.withSlack) channels['slack-bot'] = { allow: options.slackAllowAll === false ? [] : ['*'] }
-  if (options.withTelegram) channels['telegram-bot'] = { allow: options.telegramAllowAll === false ? [] : ['*'] }
-  if (options.withKakaotalk) {
-    // KakaoTalk involves a personal account, so we default to a tighter
-    // allow list (DMs only) than Slack/Discord/Telegram which scope to a
-    // workspace the user explicitly admitted the bot into. The user can
-    // broaden to `kakao:*` later by editing typeclaw.json.
-    channels.kakaotalk = { allow: options.kakaotalkAllowAll === true ? ['kakao:*'] : ['kakao:dm/*'] }
+    models,
   }
+  const channels: Record<string, Record<string, never>> = {}
+  if (options.withDiscord) channels['discord-bot'] = {}
+  if (options.withSlack) channels['slack-bot'] = {}
+  if (options.withTelegram) channels['telegram-bot'] = {}
+  if (options.withKakaotalk) channels.kakaotalk = {}
   if (Object.keys(channels).length > 0) config.channels = channels
   await writeFile(join(root, CONFIG_FILE), `${JSON.stringify(config, null, 2)}\n`)
 
@@ -484,7 +550,7 @@ export async function writeDockerAssets(root: string): Promise<DockerAssetsResul
     const typeclawConfig = await readTypeclawConfig(root)
     await writeFile(
       join(root, DOCKERFILE),
-      buildDockerfile(typeclawConfig.dockerfile, { baseImageVersion: resolveBaseImageVersion(root) }),
+      buildDockerfile(typeclawConfig.docker.file, { baseImageVersion: resolveBaseImageVersion(root) }),
       { flag: 'wx' },
     ).catch(ignoreExists)
 
@@ -502,7 +568,7 @@ async function readPackageJson(root: string): Promise<{ name?: string; dependenc
 async function readTypeclawConfig(root: string): Promise<Config> {
   try {
     const raw = await readFile(join(root, CONFIG_FILE), 'utf8')
-    return configSchema.parse(JSON.parse(raw))
+    return configSchema.parse(migrateLegacyConfigShape(JSON.parse(raw)).json)
   } catch (error) {
     if ((error as NodeJS.ErrnoException).code === 'ENOENT') return configSchema.parse({})
     throw error
@@ -558,30 +624,27 @@ export async function initGitRepo(cwd: string): Promise<GitInitResult> {
   }
 }
 
-// Writes the LLM provider's API key to `.env` (under its provider-specific
-// env var, e.g. OPENAI_API_KEY or FIREWORKS_API_KEY) and the channel adapter
-// tokens to `secrets.json#channels`. Two stores on purpose: api-keys land in
-// `.env` to match the `--env-file .env` boot contract (env-wins: `auth.ts`
-// reads the value at runtime via `setRuntimeApiKey` and never persists it to
-// `secrets.json`, see `src/agent/auth.ts`); channel tokens skip the .env hop
-// entirely and land in `secrets.json#channels` as `{ value }` Secrets that
-// `hydrateChannelEnvFromSecrets` injects into `process.env` only when the
-// canonical env var is unset, see `src/secrets/hydrate.ts`.
+// Writes LLM provider API keys to `secrets.json#providers` and channel adapter
+// tokens to `secrets.json#channels`. Both paths go through the structured
+// v2 secrets envelope so reruns can reuse existing values without depending on
+// host-stage env files.
 export async function writeSecrets(
   root: string,
   {
     model = DEFAULT_MODEL_REF,
     apiKey,
+    visionModel,
+    visionApiKey,
     discordBotToken,
     slackBotToken,
     slackAppToken,
     telegramBotToken,
   }: {
     model?: KnownModelRef
-    // Omitted on the OAuth path — credentials live in secrets.json instead.
-    // The .env file still gets written (empty) so post-init callers that
-    // read it don't ENOENT-crash.
+    // Omitted on the OAuth path — credentials live in secrets.json via the OAuth runner.
     apiKey?: string
+    visionModel?: KnownModelRef
+    visionApiKey?: string
     discordBotToken?: string
     slackBotToken?: string
     slackAppToken?: string
@@ -590,12 +653,21 @@ export async function writeSecrets(
 ): Promise<void> {
   const providerId = providerForModelRef(model)
   const apiKeyEnv = KNOWN_PROVIDERS[providerId].apiKeyEnv
-  const lines: string[] = []
-  if (apiKey !== undefined && apiKeyEnv !== null) {
-    lines.push(`${apiKeyEnv}=${apiKey}`)
+  const wantsDefaultKey = apiKey !== undefined && apiKeyEnv !== null
+  const visionProviderId = visionModel !== undefined ? providerForModelRef(visionModel) : null
+  const wantsVisionKey =
+    visionModel !== undefined &&
+    visionApiKey !== undefined &&
+    visionProviderId !== providerId &&
+    visionProviderId !== null &&
+    KNOWN_PROVIDERS[visionProviderId].apiKeyEnv !== null
+  if (wantsDefaultKey || wantsVisionKey) {
+    const secretsStore = createSecretsStoreForAgent(join(root, 'secrets.json'))
+    if (wantsDefaultKey) secretsStore.set(providerId, { type: 'api_key', key: apiKey! })
+    if (wantsVisionKey) {
+      secretsStore.set(visionProviderId, { type: 'api_key', key: visionApiKey! })
+    }
   }
-  const body = lines.length > 0 ? `${lines.join('\n')}\n` : ''
-  await writeFile(join(root, SECRETS_FILE), body)
 
   const channelTokens: Record<string, Record<string, Secret>> = {}
   if (discordBotToken !== undefined && discordBotToken !== '') {
@@ -623,6 +695,76 @@ export async function writeSecrets(
   backend.writeChannelsSync(merged)
 }
 
+export async function readExistingProviderApiKey(root: string, providerId: KnownProviderId): Promise<string | null> {
+  const provider = KNOWN_PROVIDERS[providerId]
+  if (provider.apiKeyEnv === null) return null
+  return new SecretsBackend(join(root, 'secrets.json')).tryReadProviderApiKeySync(providerId)
+}
+
+// Detects whether the requested channel already has usable credentials in
+// `secrets.json#channels`, so the init wizard can offer to reuse them
+// instead of re-prompting for tokens. Mirrors `readExistingProviderApiKey`:
+// returns `true` only when ALL fields the adapter needs are present in a
+// shape `hydrateChannelEnvFromSecrets` would inject at runtime — both the
+// `{ value }` form and the `{ env }` env-binding form count, matching the
+// runtime resolution rules in `src/secrets/resolve.ts`. Partial slots (e.g.
+// `slack-bot` with `botToken` but no `appToken`) return `false` so the
+// missing field gets filled in by the normal prompt.
+//
+// KakaoTalk reuse is stricter: a usable block requires both a complete
+// account (currentAccount + matching entry in accounts) AND the renewal
+// fields (email + encryptedPassword) the hostd renewal cron needs to mint
+// fresh tokens unattended (`src/secrets/kakao-renewal.ts`). Without those,
+// the saved `oauth_token` will work only until KakaoTalk's ~7-day TTL
+// expires, after which the user has to run `typeclaw channel reauth
+// kakaotalk` anyway — better to re-auth now during init.
+export async function hasExistingChannelSecrets(
+  root: string,
+  channel: 'discord' | 'slack' | 'telegram' | 'kakaotalk',
+): Promise<boolean> {
+  const channels = new SecretsBackend(join(root, 'secrets.json')).tryReadChannelsSync()
+  if (channels === null) return false
+  switch (channel) {
+    case 'discord':
+      return hasSecretField(channels['discord-bot'], 'token')
+    case 'slack':
+      return hasSecretField(channels['slack-bot'], 'botToken') && hasSecretField(channels['slack-bot'], 'appToken')
+    case 'telegram':
+      return hasSecretField(channels['telegram-bot'], 'token')
+    case 'kakaotalk': {
+      const block = channels.kakaotalk
+      if (!isObjectRecord(block)) return false
+      const current = (block as { currentAccount?: unknown }).currentAccount
+      if (typeof current !== 'string' || current.length === 0) return false
+      const accounts = (block as { accounts?: unknown }).accounts
+      if (!isObjectRecord(accounts)) return false
+      const account = accounts[current]
+      if (!isObjectRecord(account)) return false
+      const email = (account as { email?: unknown }).email
+      const encryptedPassword = (account as { encryptedPassword?: unknown }).encryptedPassword
+      return typeof email === 'string' && email.length > 0 && isObjectRecord(encryptedPassword)
+    }
+  }
+}
+
+// Accepts either the `{ value }` form (resolves to a literal at runtime) or
+// the `{ env }` form (resolves at runtime by reading `process.env[<env>]`).
+// String shorthand is sugar for `{ value }`. The schema already rejects
+// empty strings via `z.string().min(1)`, so the length checks here are
+// defense-in-depth against forward-compat shape drift.
+function hasSecretField(slot: unknown, field: string): boolean {
+  if (!isObjectRecord(slot)) return false
+  const secret = slot[field]
+  if (typeof secret === 'string') return secret.length > 0
+  if (isObjectRecord(secret)) {
+    const value = (secret as { value?: unknown }).value
+    if (typeof value === 'string' && value.length > 0) return true
+    const env = (secret as { env?: unknown }).env
+    if (typeof env === 'string' && env.length > 0) return true
+  }
+  return false
+}
+
 function isObjectRecord(value: unknown): value is Record<string, unknown> {
   return typeof value === 'object' && value !== null && !Array.isArray(value)
 }
@@ -682,7 +824,6 @@ export type AddChannelStepEvent =
 // from prompts; tests build them inline.
 export type AddChannelOptions = {
   cwd: string
-  allowAll?: boolean
   onProgress?: (event: AddChannelStepEvent) => void
 } & (
   | { channel: 'discord-bot'; discordBotToken: string }
@@ -710,7 +851,7 @@ export async function runAddChannel(options: AddChannelOptions): Promise<void> {
   }
 
   emit({ step: 'config', phase: 'start' })
-  await mergeChannelIntoConfig(options.cwd, options.channel, options.allowAll ?? defaultAllowAll(options.channel))
+  await mergeChannelIntoConfig(options.cwd, options.channel)
   emit({ step: 'config', phase: 'done' })
 
   emit({ step: 'secrets', phase: 'start' })
@@ -721,14 +862,6 @@ export async function runAddChannel(options: AddChannelOptions): Promise<void> {
   emit({ step: 'secrets', phase: 'done' })
 }
 
-// `channel add` mirrors `runInit`'s allow defaults: workspace-scoped adapters
-// (discord/slack/telegram) default to `*` because the bot only sees what the
-// operator invited it into, while KakaoTalk uses a personal account and
-// defaults to DMs only.
-function defaultAllowAll(channel: ChannelKind): boolean {
-  return channel !== 'kakaotalk'
-}
-
 function channelSecretsFromOptions(options: AddChannelOptions): ChannelSecrets {
   switch (options.channel) {
     case 'discord-bot':
@@ -767,7 +900,7 @@ export async function readConfiguredChannels(cwd: string): Promise<Set<ChannelKi
   return present
 }
 
-async function mergeChannelIntoConfig(cwd: string, channel: ChannelKind, allowAll: boolean): Promise<void> {
+async function mergeChannelIntoConfig(cwd: string, channel: ChannelKind): Promise<void> {
   const path = join(cwd, CONFIG_FILE)
   let parsed: Record<string, unknown>
   try {
@@ -791,23 +924,18 @@ async function mergeChannelIntoConfig(cwd: string, channel: ChannelKind, allowAl
     // Defense in depth — the CLI already filters configured channels out of
     // the picker and rejects them as the positional arg. Hitting this branch
     // means a programmatic caller passed a duplicate; better to fail loudly
-    // than silently overwrite the user's existing allow list.
+    // than silently overwrite the user's existing config.
     throw new Error(`Channel "${channel}" is already configured in ${CONFIG_FILE}.`)
   }
 
   parsed.channels = {
     ...existingChannels,
-    [channel]: { allow: buildAllow(channel, allowAll) },
+    [channel]: {},
   }
 
   await writeFile(path, `${JSON.stringify(parsed, null, 2)}\n`)
 }
 
-function buildAllow(channel: ChannelKind, allowAll: boolean): string[] {
-  if (channel === 'kakaotalk') return allowAll ? ['kakao:*'] : ['kakao:dm/*']
-  return allowAll ? ['*'] : []
-}
-
 // Writes per-adapter field values into `secrets.json#channels.<adapter>`.
 // Refuses to overwrite existing fields: if the user already has e.g.
 // `botToken` recorded (from a prior `channel add` whose follow-up steps

package/src/init/kakaotalk-auth.ts

@@ -1,7 +1,11 @@
 import { createRequire } from 'node:module'
-import { join } from 'node:path'
+import { join, resolve } from 'node:path'
 
+import { containerNameFromCwd } from '@/container'
+import { keysDir } from '@/hostd/paths'
+import { encrypt } from '@/secrets/encryption'
 import { SecretsKakaoCredentialStore } from '@/secrets/kakao-store'
+import { createKeyStore, type KeyStore } from '@/secrets/keys'
 
 export type KakaotalkBootstrapStatus = { ok: true } | { ok: false; reason: string }
 
@@ -15,6 +19,13 @@ export type KakaotalkLoginInput = {
   agentDir: string
   callbacks: KakaotalkLoginCallbacks
   loginFlow?: LoginFlowFn
+  // Test seam: inject a custom keystore (typically pointing at a tmpdir).
+  // Production uses ~/.typeclaw/keys/<containerName>.key.
+  keyStore?: KeyStore
+  // Test seam: override the containerName used to bind the encrypted
+  // password's AAD. Production derives it from basename(agentDir) via
+  // containerNameFromCwd to match what `typeclaw start` registers with hostd.
+  containerName?: string
 }
 
 export type LoginFlowOptions = {
@@ -82,6 +93,10 @@ export async function runKakaotalkBootstrap(input: KakaotalkLoginInput): Promise
 
     const now = new Date().toISOString()
     const accountId = result.credentials.user_id || 'default'
+    const containerName = input.containerName ?? containerNameFromCwd(resolve(input.agentDir))
+    const keyStore = input.keyStore ?? createKeyStore({ keysDir: keysDir() })
+    const key = await keyStore.ensure(containerName)
+    const encryptedPassword = encrypt(input.password, key, { containerName, accountId })
     await credManager.setAccount({
       account_id: accountId,
       oauth_token: result.credentials.access_token,
@@ -92,6 +107,8 @@ export async function runKakaotalkBootstrap(input: KakaotalkLoginInput): Promise
       auth_method: 'login',
       created_at: now,
       updated_at: now,
+      email: input.email,
+      encryptedPassword,
     })
     await credManager.setCurrentAccount(accountId)
     await credManager.clearPendingLogin()