typeclaw 0.1.4 → 0.1.6

package/src/run/channel-session-factory.ts

@@ -1,13 +1,26 @@
 import { SessionManager } from '@mariozechner/pi-coding-agent'
 
 import { createSession as defaultCreateSession } from '@/agent'
+import { capJsonlFileInPlace } from '@/bundled-plugins/tool-result-cap/cap-jsonl'
+import type { CapOptions } from '@/bundled-plugins/tool-result-cap/cap-result'
 import type { CreateSessionForChannel, ChannelRouter } from '@/channels'
+import type { PermissionService } from '@/permissions'
 import type { ReloadRegistry } from '@/reload'
 import type { SessionFactory } from '@/sessions'
 import type { Stream } from '@/stream'
 
 import type { PluginRuntime } from './plugin-runtime'
 
+export type FactoryLogger = {
+  info: (message: string) => void
+  warn: (message: string) => void
+}
+
+const consoleLogger: FactoryLogger = {
+  info: (m) => console.info(m),
+  warn: (m) => console.warn(m),
+}
+
 export type BuildChannelSessionFactoryDeps = {
   cwd: string
   sessionFactory: SessionFactory
@@ -20,12 +33,35 @@ export type BuildChannelSessionFactoryDeps = {
   // their inbound messages came from.
   getChannelRouter: () => ChannelRouter
   containerName?: string
+  // When set, rehydrating a session JSONL caps oversized tool results in the
+  // file before pi-coding-agent reads it. `null` disables the load-time pass
+  // (tool-result-cap.enabled=false in config, or no plugin block at all).
+  rehydrateCapOptions: CapOptions | null
+  logger?: FactoryLogger
+  // Forwarded to createSession so the resolved role / permissions for the
+  // session origin get rendered into the agent's system prompt. Optional so
+  // the production wiring can plumb in pluginsLoaded.permissions while tests
+  // (or stand-alone callers) keep the previous no-annotation behavior.
+  permissions?: PermissionService
   // Test seam: lets a fake stand in for the agent session creator so tests
   // can assert exactly which CreateSessionOptions the factory builds without
   // needing a live LLM, plugin runtime, or session manager on disk.
   createSession?: typeof defaultCreateSession
 }
 
+// Tight basename validation so a tampered or corrupt channels/sessions.json
+// can't point the load-time rewrite (or SessionManager.open) at a file
+// outside `sessionDir`. We never receive sessionFile from a remote source
+// during normal operation, but the file is operator-editable, so defense-
+// in-depth is cheap. Match pi-coding-agent's filename convention loosely:
+// no path separators, no NUL, must end in `.jsonl`.
+function isValidSessionFileBasename(name: string): boolean {
+  if (name.length === 0 || name.length > 255) return false
+  if (name.includes('/') || name.includes('\\') || name.includes('\0')) return false
+  if (name === '.' || name === '..' || name.startsWith('.')) return false
+  return name.endsWith('.jsonl')
+}
+
 // The production wiring for channel-routed sessions. Channel inbounds arrive
 // at the router, the router calls this factory to get an AgentSession, and
 // the agent uses `channel_send` to reply. If `channelRouter` is missing here
@@ -35,11 +71,19 @@ export type BuildChannelSessionFactoryDeps = {
 // "channel-aware" sessions that need the same full plumbing.
 export function buildChannelSessionFactory(deps: BuildChannelSessionFactoryDeps): CreateSessionForChannel {
   const createSession = deps.createSession ?? defaultCreateSession
-  return async ({ existingSessionId, existingSessionFile, origin }) => {
+  const logger = deps.logger ?? consoleLogger
+  return async ({ existingSessionId, existingSessionFile, origin, originRef }) => {
     const sessionDir = deps.sessionFactory.sessionDir()
     const sessionManager =
       existingSessionId !== undefined
-        ? tryReopenOrCreate(deps.cwd, sessionDir, existingSessionId, existingSessionFile)
+        ? tryReopenOrCreate(
+            deps.cwd,
+            sessionDir,
+            existingSessionId,
+            existingSessionFile,
+            deps.rehydrateCapOptions,
+            logger,
+          )
         : SessionManager.create(deps.cwd, sessionDir)
 
     const snap = deps.pluginRuntime.get()
@@ -49,6 +93,7 @@ export function buildChannelSessionFactory(deps: BuildChannelSessionFactoryDeps)
       stream: deps.stream,
       channelRouter: deps.getChannelRouter(),
       origin,
+      originRef,
       ...(snap.hasAnyPluginContent
         ? {
             plugins: {
@@ -60,6 +105,7 @@ export function buildChannelSessionFactory(deps: BuildChannelSessionFactoryDeps)
           }
         : {}),
       ...(deps.containerName !== undefined ? { containerName: deps.containerName } : {}),
+      ...(deps.permissions !== undefined ? { permissions: deps.permissions } : {}),
     })
 
     return {
@@ -86,18 +132,43 @@ function tryReopenOrCreate(
   sessionDir: string,
   existingSessionId: string,
   existingSessionFile: string | undefined,
+  capOptions: CapOptions | null,
+  logger: FactoryLogger,
 ): SessionManager {
   if (existingSessionFile === undefined) {
-    console.warn(
+    logger.warn(
       `[channels] session ${existingSessionId} has no sessionFile (v2 mapping not yet migrated); creating new`,
     )
     return SessionManager.create(cwd, sessionDir)
   }
+  if (!isValidSessionFileBasename(existingSessionFile)) {
+    logger.warn(
+      `[channels] session ${existingSessionId} has invalid sessionFile (${JSON.stringify(existingSessionFile)}); creating new`,
+    )
+    return SessionManager.create(cwd, sessionDir)
+  }
+  const path = `${sessionDir}/${existingSessionFile}`
+  if (capOptions !== null) {
+    try {
+      const stats = capJsonlFileInPlace(path, capOptions)
+      if (stats.entriesMutated > 0) {
+        logger.info(
+          `[channels] rehydrate-cap ${existingSessionFile}: entriesMutated=${stats.entriesMutated} imagesReplaced=${stats.imagesReplaced} textsTruncated=${stats.textsTruncated} bytesElided=${stats.bytesElided}`,
+        )
+      }
+    } catch (err) {
+      // Capping is best-effort: if the rewrite fails, fall through to the
+      // regular open path so the session still rehydrates uncapped rather
+      // than being killed by a transient FS error.
+      const reason = err instanceof Error ? err.message : String(err)
+      logger.warn(`[channels] rehydrate-cap failed for ${existingSessionFile}: ${reason}; continuing with open`)
+    }
+  }
   try {
-    return SessionManager.open(`${sessionDir}/${existingSessionFile}`)
+    return SessionManager.open(path)
   } catch (err) {
     const reason = err instanceof Error ? err.message : String(err)
-    console.warn(
+    logger.warn(
       `[channels] could not rehydrate session ${existingSessionId} from ${existingSessionFile}: ${reason}; creating new`,
     )
     return SessionManager.create(cwd, sessionDir)

package/src/run/index.ts

@@ -1,6 +1,7 @@
 import { SessionManager } from '@mariozechner/pi-coding-agent'
 
 import { createSession, createSessionWithDispose } from '@/agent'
+import type { SessionOrigin } from '@/agent/session-origin'
 import {
   createSubagentConsumer,
   defaultCreateSessionForSubagent,
@@ -9,6 +10,7 @@ import {
   type SubagentConsumer,
   type SubagentRegistry,
 } from '@/agent/subagents'
+import { resolveCapOptionsFromConfig } from '@/bundled-plugins/tool-result-cap'
 import { createChannelManager, createChannelsReloadable, type ChannelManager } from '@/channels'
 import { createConfigReloadable, getConfig, loadConfigSync, loadPluginConfigsSync } from '@/config'
 import {
@@ -25,6 +27,7 @@ import {
 import { loadPlugins, type LoadPluginsResult, pluginCronJobs, type PluginRegistry, summarizeLoaded } from '@/plugin'
 import { createContainerBroker, publishForwardResult } from '@/portbroker'
 import { ReloadRegistry } from '@/reload'
+import { createClaimController } from '@/role-claim'
 import { hydrateChannelEnvFromSecrets } from '@/secrets'
 import { createServer, type Server } from '@/server'
 import { createSessionFactory, type SessionFactory } from '@/sessions'
@@ -87,7 +90,8 @@ export async function startAgent({
   // which is what we want, since there is no host daemon to honor it anyway.
   const containerName = process.env.TYPECLAW_CONTAINER_NAME
   const containerNameOpt = containerName !== undefined ? { containerName } : {}
-  reloadRegistry.register(createConfigReloadable({ cwd }))
+  const tuiToken = process.env.TYPECLAW_TUI_TOKEN
+  const tuiTokenOpt = tuiToken !== undefined && tuiToken !== '' ? { tuiToken } : {}
 
   const pluginConfigsByName = loadPluginConfigsSync(cwd)
   const cwdConfig = loadConfigSync(cwd)
@@ -96,7 +100,10 @@ export async function startAgent({
     agentDir: cwd,
     configsByName: pluginConfigsByName,
     bundled: BUNDLED_PLUGINS,
+    ...(cwdConfig.roles !== undefined ? { roles: cwdConfig.roles } : {}),
   })
+
+  reloadRegistry.register(createConfigReloadable({ cwd, permissions: pluginsLoaded.permissions }))
   const pluginRegistry = pluginsLoaded.registry
   const pluginHooks = pluginsLoaded.hooks
 
@@ -128,6 +135,12 @@ export async function startAgent({
   // stay in env, the file stays user-owned. See src/secrets/hydrate.ts.
   hydrateChannelEnvFromSecrets({ agentDir: cwd })
 
+  const claimController = createClaimController({
+    cwd,
+    permissions: pluginsLoaded.permissions,
+    rolesProvider: () => getConfig().roles,
+  })
+
   const channelManager = createChannelManager({
     agentDir: cwd,
     channelsConfigRef: () => getConfig().channels,
@@ -139,8 +152,12 @@ export async function startAgent({
       reloadRegistry,
       pluginRuntime,
       getChannelRouter: () => channelManager.router,
+      rehydrateCapOptions: resolveCapOptionsFromConfig(pluginConfigsByName['tool-result-cap']),
+      permissions: pluginsLoaded.permissions,
       ...containerNameOpt,
     }),
+    permissions: pluginsLoaded.permissions,
+    claimHandler: claimController.claimHandler,
   })
 
   const createSessionForSubagent: import('@/agent/subagents').CreateSessionForSubagent = async (
@@ -150,16 +167,21 @@ export async function startAgent({
     const snap = pluginRuntime.get()
     const entry = snap.pluginSubagentByShim.get(subagent)
     if (entry) {
-      const sessionId = `subagent-${entry.pluginName}-${crypto.randomUUID()}`
-      const origin = {
+      const sessionManager = SessionManager.create(cwd, sessionFactory.sessionDir())
+      const sessionId = sessionManager.getSessionId()
+      const origin: SessionOrigin = {
         kind: 'subagent' as const,
         subagent: subagentOptions?.name ?? entry.subagentName,
         parentSessionId: subagentOptions?.parentSessionId ?? '<unknown>',
+        ...(subagentOptions?.spawnedByRole !== undefined ? { spawnedByRole: subagentOptions.spawnedByRole } : {}),
+        ...(subagentOptions?.spawnedByOrigin !== undefined ? { spawnedByOrigin: subagentOptions.spawnedByOrigin } : {}),
       }
       const created = await createSessionWithDispose({
         systemPromptOverride: entry.pluginSubagent.systemPrompt,
+        sessionManager,
         channelRouter: channelManager.router,
         origin,
+        permissions: pluginsLoaded.permissions,
         plugins: {
           registry: snap.registry,
           hooks: snap.hooks,
@@ -172,6 +194,10 @@ export async function startAgent({
           ...(entry.pluginSubagent.customTools ? { customTools: entry.pluginSubagent.customTools } : {}),
           toolNamePrefix: `__plugin_${entry.pluginName}_${entry.subagentName}`,
         },
+        ...(entry.pluginSubagent.profile !== undefined ? { profile: entry.pluginSubagent.profile } : {}),
+        ...(entry.pluginSubagent.toolResultBudget !== undefined
+          ? { toolResultBudget: entry.pluginSubagent.toolResultBudget }
+          : {}),
       })
       return {
         ...created,
@@ -179,6 +205,7 @@ export async function startAgent({
         sessionId,
         agentDir: cwd,
         origin,
+        getTranscriptPath: () => sessionManager.getSessionFile(),
       }
     }
     return defaultCreateSessionForSubagent(subagent, subagentOptions)
@@ -211,12 +238,24 @@ export async function startAgent({
       const snap = pluginRuntime.get()
       const sessionManager = SessionManager.create(cwd, sessionFactory.sessionDir())
       const sessionId = sessionManager.getSessionId()
+      const cronOrigin: SessionOrigin = {
+        kind: 'cron',
+        jobId: job.id,
+        jobKind: 'prompt',
+        ...(job.scheduledByRole !== undefined ? { scheduledByRole: job.scheduledByRole } : {}),
+        // Honor the persisted audit snapshot when present (TUI-authored
+        // crons, or jobs scheduled by a future `cron_schedule` tool).
+        // Hand-authored entries fall back to the config-file synthetic
+        // marker so the audit trail records "user edited cron.json".
+        scheduledByOrigin: (job.scheduledByOrigin as SessionOrigin | undefined) ?? { kind: 'config-file' },
+      }
       const session = await createSession({
         reloadRegistry,
         sessionManager,
         stream,
         channelRouter: channelManager.router,
-        origin: { kind: 'cron', jobId: job.id, jobKind: 'prompt' },
+        origin: cronOrigin,
+        permissions: pluginsLoaded.permissions,
         ...(snap.hasAnyPluginContent
           ? {
               plugins: {
@@ -234,7 +273,7 @@ export async function startAgent({
         dispose: () => session.dispose(),
         sessionId,
         agentDir: cwd,
-        origin: { kind: 'cron' as const, jobId: job.id, jobKind: 'prompt' as const },
+        origin: cronOrigin,
         ...(snap.hasAnyPluginContent ? { hooks: snap.hooks } : {}),
         getTranscriptPath: () => sessionManager.getSessionFile(),
       }
@@ -262,13 +301,24 @@ export async function startAgent({
   reloadRegistry.register(createChannelsReloadable({ manager: channelManager }))
   await channelManager.start()
 
-  pluginsLoaded.setSpawnSubagent(async (name, payload) => {
+  pluginsLoaded.setSpawnSubagent(async (name, payload, options) => {
+    // Resolve the spawning session's role from its origin so the subagent
+    // inherits it. Callers (hooks like session.idle) pass the parent origin
+    // verbatim; we look up the role rather than letting the caller forge it,
+    // closing the laundering vector the design doc calls out for cron.
+    const spawnedByRole =
+      options?.spawnedByOrigin !== undefined
+        ? pluginsLoaded.permissions.resolveRole(options.spawnedByOrigin)
+        : undefined
     await invokeSubagent(name, {
       registry: pluginRuntime.get().subagents,
       createSessionForSubagent,
       agentDir: cwd,
       userPrompt: '',
       payload,
+      ...(options?.parentSessionId !== undefined ? { parentSessionId: options.parentSessionId } : {}),
+      ...(spawnedByRole !== undefined ? { spawnedByRole } : {}),
+      ...(options?.spawnedByOrigin !== undefined ? { spawnedByOrigin: options.spawnedByOrigin } : {}),
     })
   })
   pluginsLoaded.markBooted()
@@ -311,7 +361,9 @@ export async function startAgent({
     channelRouter: channelManager.router,
     agentDir: cwd,
     pluginRuntime,
+    claimController,
     ...containerNameOpt,
+    ...tuiTokenOpt,
     ...containerBrokerOpt,
   }).start()
 
@@ -343,7 +395,9 @@ export async function startAgent({
     }
   }
 
-  const url = `ws://localhost:${server.port}`
+  const serverPort = server.port
+  if (serverPort === undefined) throw new Error('server did not report a listening port')
+  const url = buildLocalTuiUrl(serverPort, tuiTokenOpt.tuiToken ?? null)
   const tui = createTui({ url, initialPrompt })
   const tuiPromise = tui.run()
   return {
@@ -361,6 +415,13 @@ export async function startAgent({
   }
 }
 
+function buildLocalTuiUrl(port: number, token: string | null): string {
+  if (token === null) return `ws://localhost:${port}`
+  const url = new URL(`ws://localhost:${port}`)
+  url.searchParams.set('token', token)
+  return url.toString()
+}
+
 async function disposeMaterializedSkills(pluginRuntime: PluginRuntime): Promise<void> {
   const pending = pluginRuntime.drainPendingDisposal()
   const current = pluginRuntime.get().materializedSkills

package/src/secrets/encryption.ts

@@ -0,0 +1,116 @@
+import { createCipheriv, createDecipheriv, createHash, randomBytes } from 'node:crypto'
+
+// AES-256-GCM authenticated encryption for at-rest secrets. The threat model
+// is narrow and conditional: "agent folder leaked but the effective TypeClaw
+// home (default ~/.typeclaw/, overridable via TYPECLAW_HOME) did not." That
+// covers accidental `git add secrets.json`, agent-folder backups, shared
+// mounts that expose only the agent dir. It does NOT cover (a) full host
+// compromise (the live OAuth tokens in the same secrets.json grant equivalent
+// capability), (b) whole-$HOME backups that capture both the agent dir and
+// ~/.typeclaw/, or (c) misconfiguration where TYPECLAW_HOME points inside the
+// leaked scope (e.g. inside the agent folder itself).
+//
+// AAD binds the ciphertext to the specific (containerName, accountId, version)
+// it was produced for, so a ciphertext copied between accounts or containers
+// fails authentication on decrypt even if the same key happens to unlock both.
+
+const ALGORITHM = 'AES-256-GCM' as const
+const KEY_BYTES = 32
+const IV_BYTES = 12
+const AUTH_TAG_BYTES = 16
+const ENVELOPE_VERSION = 1
+
+export type EncryptedEnvelope = {
+  v: typeof ENVELOPE_VERSION
+  alg: typeof ALGORITHM
+  kid: string
+  iv: string
+  ciphertext: string
+  authTag: string
+  createdAt: string
+}
+
+export type EncryptionContext = {
+  containerName: string
+  accountId: string
+}
+
+export class EncryptionError extends Error {
+  constructor(
+    message: string,
+    public readonly code: 'decrypt_failed' | 'envelope_invalid' | 'key_size_invalid' | 'algorithm_unsupported',
+  ) {
+    super(message)
+    this.name = 'EncryptionError'
+  }
+}
+
+export function generateKey(): Buffer {
+  return randomBytes(KEY_BYTES)
+}
+
+export function fingerprintKey(key: Buffer): string {
+  if (key.length !== KEY_BYTES) {
+    throw new EncryptionError(`key must be ${KEY_BYTES} bytes, got ${key.length}`, 'key_size_invalid')
+  }
+  return `sha256:${createHash('sha256').update(key).digest('hex').slice(0, 16)}`
+}
+
+export function encrypt(plaintext: string, key: Buffer, context: EncryptionContext): EncryptedEnvelope {
+  if (key.length !== KEY_BYTES) {
+    throw new EncryptionError(`key must be ${KEY_BYTES} bytes, got ${key.length}`, 'key_size_invalid')
+  }
+  const iv = randomBytes(IV_BYTES)
+  const cipher = createCipheriv('aes-256-gcm', key, iv)
+  cipher.setAAD(buildAad(context))
+  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
+  const authTag = cipher.getAuthTag()
+  return {
+    v: ENVELOPE_VERSION,
+    alg: ALGORITHM,
+    kid: fingerprintKey(key),
+    iv: iv.toString('base64'),
+    ciphertext: ciphertext.toString('base64'),
+    authTag: authTag.toString('base64'),
+    createdAt: new Date().toISOString(),
+  }
+}
+
+export function decrypt(envelope: EncryptedEnvelope, key: Buffer, context: EncryptionContext): string {
+  if (envelope.v !== ENVELOPE_VERSION) {
+    throw new EncryptionError(`unsupported envelope version: ${envelope.v}`, 'envelope_invalid')
+  }
+  if (envelope.alg !== ALGORITHM) {
+    throw new EncryptionError(`unsupported algorithm: ${envelope.alg}`, 'algorithm_unsupported')
+  }
+  if (key.length !== KEY_BYTES) {
+    throw new EncryptionError(`key must be ${KEY_BYTES} bytes, got ${key.length}`, 'key_size_invalid')
+  }
+  const iv = Buffer.from(envelope.iv, 'base64')
+  if (iv.length !== IV_BYTES) {
+    throw new EncryptionError(`iv must be ${IV_BYTES} bytes, got ${iv.length}`, 'envelope_invalid')
+  }
+  const authTag = Buffer.from(envelope.authTag, 'base64')
+  if (authTag.length !== AUTH_TAG_BYTES) {
+    throw new EncryptionError(`authTag must be ${AUTH_TAG_BYTES} bytes, got ${authTag.length}`, 'envelope_invalid')
+  }
+  const ciphertext = Buffer.from(envelope.ciphertext, 'base64')
+  const decipher = createDecipheriv('aes-256-gcm', key, iv)
+  decipher.setAAD(buildAad(context))
+  decipher.setAuthTag(authTag)
+  try {
+    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()])
+    return plaintext.toString('utf8')
+  } catch (err) {
+    // GCM auth failure produces an opaque "Unsupported state or unable to
+    // authenticate data" — wrap it so callers can distinguish a wrong key /
+    // tampered blob from invariant violations on the envelope shape.
+    throw new EncryptionError(`decrypt failed: ${err instanceof Error ? err.message : String(err)}`, 'decrypt_failed')
+  }
+}
+
+// Changing this format breaks decryption of every previously-stored ciphertext.
+// See the module-header threat-model comment for the binding rationale.
+function buildAad(context: EncryptionContext): Buffer {
+  return Buffer.from(`typeclaw:kakaotalk-password:v1:${context.containerName}:${context.accountId}`, 'utf8')
+}