typeclaw 0.11.1 → 0.13.0

package/src/channels/adapters/kakaotalk.ts

@@ -26,9 +26,15 @@ import type {
   OutboundMessage,
   ResolvedChannelNames,
   SendResult,
+  InboundAttachment,
 } from '@/channels/types'
 
-import { emoticonEventToMessageEvent, formatHistoryText, formatInboundText } from './kakaotalk-attachment'
+import {
+  emoticonEventToMessageEvent,
+  splitEmoticonInbound,
+  splitHistoryInbound,
+  splitInbound,
+} from './kakaotalk-attachment'
 import { createKakaoAuthorResolver, type KakaoAuthorResolver } from './kakaotalk-author-resolver'
 import { createKakaoChannelResolver, type KakaoChannelResolver } from './kakaotalk-channel-resolver'
 import { classifyInbound, type InboundDropReason } from './kakaotalk-classify'
@@ -252,11 +258,13 @@ export function createKakaoHistoryCallback(deps: {
         messages.map(async (m) => {
           const authorId = String(m.author_id)
           const authorName = m.author_name ?? (await authorResolver.resolve(authorId, args.chat)) ?? authorId
+          const { text, attachments } = splitHistoryInbound(m)
           return {
             externalMessageId: m.log_id,
             authorId,
             authorName,
-            text: formatHistoryText(m),
+            text,
+            ...(attachments.length > 0 ? { attachments } : {}),
             ts: m.sent_at * 1000,
             isBot: selfId !== null && authorId === selfId,
             replyToBotMessageId: null,
@@ -331,13 +339,8 @@ export function createKakaotalkAdapter(options: KakaotalkAdapterOptions): Kakaot
   const fetchAttachmentCallback = createFetchAttachmentCallback({ logger })
 
   const handleMessageEvent = async (event: KakaoTalkPushMessageEvent): Promise<void> => {
-    // Synthesize the displayed text BEFORE classify so attachments
-    // (photo, file, video, ...) survive classifyInbound's empty_text
-    // drop and reach the agent with a `[KakaoTalk message with ...]`
-    // placeholder. For text-only messages this is a no-op —
-    // formatInboundText returns event.message unchanged. See
-    // kakaotalk-attachment.ts for the per-message-type rules.
-    await processInbound({ ...event, message: formatInboundText(event) })
+    const { text, attachments } = splitInbound(event)
+    await processInbound({ ...event, message: text }, attachments)
   }
 
   const handleEmoticonEvent = async (event: KakaoTalkPushEmoticonEvent): Promise<void> => {
@@ -347,10 +350,14 @@ export function createKakaotalkAdapter(options: KakaotalkAdapterOptions): Kakaot
     // self-author / unknown-chat rules apply identically across plain
     // messages and stickers — there is no second classifier to keep in
     // sync.
-    await processInbound(emoticonEventToMessageEvent(event))
+    const { attachments } = splitEmoticonInbound(event)
+    await processInbound(emoticonEventToMessageEvent(event), attachments)
   }
 
-  const processInbound = async (event: KakaoTalkPushMessageEvent): Promise<void> => {
+  const processInbound = async (
+    event: KakaoTalkPushMessageEvent,
+    attachments: readonly InboundAttachment[] = [],
+  ): Promise<void> => {
     inflightInbounds++
     try {
       if (channelResolver.lookupChat(event.chat_id) === null) {
@@ -391,6 +398,7 @@ export function createKakaotalkAdapter(options: KakaotalkAdapterOptions): Kakaot
       const verdict = classifyInbound(event, options.configRef(), {
         selfUserId,
         lookupChat: (id) => channelResolver.lookupChat(id),
+        ...(attachments.length > 0 ? { attachments } : {}),
         ...(options.selfAliasesRef ? { selfAliases: options.selfAliasesRef() } : {}),
       })
       if (verdict.kind === 'drop') {

package/src/channels/adapters/slack-bot-classify.ts

@@ -2,7 +2,7 @@ import type { SlackFile, SlackSocketModeAppMentionEvent, SlackSocketModeMessageE
 
 import { matchesAnyAlias } from '@/channels/engagement'
 import type { ChannelAdapterConfig } from '@/channels/schema'
-import type { InboundMessage } from '@/channels/types'
+import type { InboundAttachment, InboundMessage } from '@/channels/types'
 
 import { slackTsToMillis } from './slack-bot-time'
 
@@ -61,7 +61,7 @@ export function classifyInbound(
   }
 
   const rawText = event.text ?? ''
-  const text = inboundText(event)
+  const { text, attachments } = splitInbound(event)
   if (text === '') return { kind: 'drop', reason: 'empty_text' }
 
   const isDm = event.channel_type === 'im'
@@ -72,8 +72,8 @@ export function classifyInbound(
   }
 
   // Mention parsing runs against the raw user-typed text only — the
-  // appended `[Slack message with attachment: ...]` summary contains URLs
-  // and ids that must not be misread as mentions or group broadcasts.
+  // appended `[Slack attachment #N: ...]` placeholder contains metadata
+  // that must not be misread as mentions or group broadcasts.
   // Group mentions (`<!here>`, `<!channel>`, `<!everyone>`) are coerced to
   // direct mentions: the user fired a broadcast that explicitly includes the
   // bot, and from the engagement layer's perspective there is no meaningful
@@ -131,6 +131,7 @@ export function classifyInbound(
       chat: event.channel,
       thread,
       text,
+      ...(attachments.length > 0 ? { attachments } : {}),
       externalMessageId: event.ts,
       authorId: event.user,
       authorName: event.user,
@@ -166,19 +167,34 @@ function extractMentionedUserIds(text: string): string[] {
   return Array.from(seen)
 }
 
-function inboundText(event: SlackInboundMessageEvent): string {
+type SplitInbound = { text: string; attachments: InboundAttachment[] }
+
+function splitInbound(event: SlackInboundMessageEvent): SplitInbound {
   const rawText = event.text ?? ''
-  const mediaSummary = summarizeSlackMedia(event)
-  if (mediaSummary.length === 0) return rawText
-  const summary = `[Slack message with ${mediaSummary.join('; ')}]`
-  return rawText === '' ? summary : `${rawText}\n${summary}`
+  const attachments = describeSlackMedia(event)
+  if (attachments.length === 0) return { text: rawText, attachments: [] }
+  const summary = attachments.map(renderPlaceholder).join('\n')
+  const text = rawText === '' ? summary : `${rawText}\n${summary}`
+  return { text, attachments }
+}
+
+function describeSlackMedia(event: SlackInboundMessageEvent): InboundAttachment[] {
+  return (event.files ?? []).map((file, index) => describeSlackFile(file, index + 1))
 }
 
-function summarizeSlackMedia(event: SlackInboundMessageEvent): string[] {
-  return (event.files ?? []).map(summarizeSlackFile)
+function describeSlackFile(file: SlackFile, id: number): InboundAttachment {
+  return {
+    id,
+    kind: 'file',
+    ref: file.id,
+    filename: file.name,
+    mimetype: file.mimetype,
+  }
 }
 
-function summarizeSlackFile(file: SlackFile): string {
-  const parts: string[] = [`attachment: ${file.name}`, `(${file.mimetype})`, `id=${file.id}`]
-  return parts.join(' ')
+function renderPlaceholder(attachment: InboundAttachment): string {
+  const parts: string[] = [`Slack attachment #${attachment.id}: ${attachment.kind}`]
+  if (attachment.mimetype !== undefined) parts.push(attachment.mimetype)
+  if (attachment.filename !== undefined) parts.push(`name=${attachment.filename}`)
+  return `[${parts.join(' ')}]`
 }

package/src/channels/adapters/slack-bot.ts

@@ -692,8 +692,9 @@ export function createOutboundCallback(deps: {
 // plain HTTP tool. Routing through the SDK's `downloadFile(fileId)` is
 // the only path that works — it issues `files.info` to fetch metadata
 // (mimetype + name) then GETs `url_private` with the bot token. The
-// classifier emits `id=Fxxxx` in the inbound text exactly so the agent
-// can hand the id back to this callback.
+// classifiers now keep the bare `Fxxxx` id in structured InboundAttachment.ref
+// (legacy persisted state may still carry the old prompt-visible `id=` shape,
+// which channel_fetch_attachment strips before reaching this callback).
 export function createFetchAttachmentCallback(deps: {
   client: Pick<SlackBotClient, 'downloadFile'>
   logger: SlackBotAdapterLogger

package/src/channels/adapters/telegram-bot-classify.ts

@@ -1,7 +1,7 @@
 import type { TelegramBotUser, TelegramMessage, TelegramMessageEntity } from 'agent-messenger/telegrambot'
 
 import type { ChannelAdapterConfig } from '@/channels/schema'
-import type { InboundMessage } from '@/channels/types'
+import type { InboundAttachment, InboundMessage } from '@/channels/types'
 
 export type InboundDropReason = 'self_author' | 'no_user' | 'empty_text' | 'pre_connect'
 
@@ -31,7 +31,7 @@ export function classifyInbound(
     return { kind: 'drop', reason: 'self_author' }
   }
 
-  const text = inboundText(event)
+  const { text, attachments } = splitInbound(event)
   if (text === '') return { kind: 'drop', reason: 'empty_text' }
 
   const chat = String(event.chat.id)
@@ -70,6 +70,7 @@ export function classifyInbound(
       chat,
       thread,
       text,
+      ...(attachments.length > 0 ? { attachments } : {}),
       externalMessageId: String(event.message_id),
       authorId: String(author.id),
       authorName: formatAuthorName(author),
@@ -130,24 +131,46 @@ function isUserMentionForBot(
   return false
 }
 
-function inboundText(event: TelegramMessage): string {
+type SplitInbound = { text: string; attachments: InboundAttachment[] }
+
+function splitInbound(event: TelegramMessage): SplitInbound {
   const body = event.text ?? event.caption ?? ''
-  const mediaSummary = summarizeMedia(event)
-  if (mediaSummary.length === 0) return body
-  const summary = `[Telegram message with ${mediaSummary.join('; ')}]`
-  return body === '' ? summary : `${body}\n${summary}`
+  const attachments = describeMedia(event)
+  if (attachments.length === 0) return { text: body, attachments: [] }
+  const summary = attachments.map(renderPlaceholder).join('\n')
+  const text = body === '' ? summary : `${body}\n${summary}`
+  return { text, attachments }
 }
 
-function summarizeMedia(event: TelegramMessage): string[] {
-  const parts: string[] = []
+function describeMedia(event: TelegramMessage): InboundAttachment[] {
+  const parts: InboundAttachment[] = []
   if (event.document !== undefined) {
-    const name = event.document.file_name ?? event.document.file_id
-    const mime = event.document.mime_type !== undefined ? ` (${event.document.mime_type})` : ''
-    parts.push(`document: ${name}${mime} file_id=${event.document.file_id}`)
+    parts.push({
+      id: parts.length + 1,
+      kind: 'file',
+      ref: event.document.file_id,
+      ...(event.document.file_name !== undefined ? { filename: event.document.file_name } : {}),
+      ...(event.document.mime_type !== undefined ? { mimetype: event.document.mime_type } : {}),
+    })
   }
   if (event.photo !== undefined && event.photo.length > 0) {
     const largest = event.photo[event.photo.length - 1]!
-    parts.push(`photo: ${largest.width}x${largest.height} file_id=${largest.file_id}`)
+    parts.push({
+      id: parts.length + 1,
+      kind: 'photo',
+      ref: largest.file_id,
+      width: largest.width,
+      height: largest.height,
+    })
   }
   return parts
 }
+
+function renderPlaceholder(attachment: InboundAttachment): string {
+  const parts: string[] = [`Telegram attachment #${attachment.id}: ${attachment.kind}`]
+  if (attachment.width !== undefined && attachment.height !== undefined)
+    parts.push(`${attachment.width}x${attachment.height}`)
+  if (attachment.mimetype !== undefined) parts.push(attachment.mimetype)
+  if (attachment.filename !== undefined) parts.push(`name=${attachment.filename}`)
+  return `[${parts.join(' ')}]`
+}

package/src/channels/adapters/telegram-bot.ts

@@ -279,9 +279,9 @@ type TelegramFileResponse = {
 // Telegram's file download is a two-step protocol: `getFile` returns a
 // short-lived `file_path`, then the file lives at
 // `api.telegram.org/file/bot<TOKEN>/<file_path>`. `ref` here is the
-// `file_id` carried in the inbound classifier's `[Telegram message with
-// document: ... file_id=<id>]` summary; the agent passes it back through
-// the `channel_fetch_attachment` tool.
+// `file_id` carried in structured InboundAttachment.ref. The agent only sees
+// `[Telegram attachment #N: ...]` and passes that id through the
+// `channel_fetch_attachment` tool; the router resolves it to this callback.
 //
 // SSRF boundary: `ref` is `encodeURIComponent`'d into a query parameter
 // of a fixed `api.telegram.org/bot<TOKEN>/getFile?file_id=...` URL, so

package/src/channels/outbound-flood-filter.ts

@@ -0,0 +1,57 @@
+export type OutboundFloodCheckResult = { ok: true } | { ok: false; reason: string }
+
+const MIN_LENGTH = 40
+const MAX_RUN = 30
+const MIN_LONG_LENGTH = 80
+const MIN_UNIQUE_RATIO = 0.05
+const MAX_DOMINANCE = 0.9
+
+export function checkOutboundFlood(text: string): OutboundFloodCheckResult {
+  if (text.length < MIN_LENGTH) return { ok: true }
+
+  const graphemes = Array.from(text.normalize('NFKC'))
+  if (graphemes.length < MIN_LENGTH) return { ok: true }
+
+  const longestRun = findLongestRun(graphemes)
+  if (longestRun >= MAX_RUN) return { ok: false, reason: `repeated-char-run:${longestRun}` }
+
+  if (graphemes.length < MIN_LONG_LENGTH) return { ok: true }
+
+  const counts = countGraphemes(graphemes)
+  const uniqueRatio = counts.size / graphemes.length
+  if (uniqueRatio < MIN_UNIQUE_RATIO) return { ok: false, reason: `low-unique-ratio:${uniqueRatio.toFixed(3)}` }
+
+  const dominance = maxValue(counts) / graphemes.length
+  if (dominance > MAX_DOMINANCE) return { ok: false, reason: `char-dominance:${dominance.toFixed(2)}` }
+
+  return { ok: true }
+}
+
+function findLongestRun(graphemes: readonly string[]): number {
+  if (graphemes.length === 0) return 0
+  let longest = 1
+  let current = 1
+  for (let i = 1; i < graphemes.length; i++) {
+    if (graphemes[i] === graphemes[i - 1]) {
+      current++
+      if (current > longest) longest = current
+    } else {
+      current = 1
+    }
+  }
+  return longest
+}
+
+function countGraphemes(graphemes: readonly string[]): Map<string, number> {
+  const counts = new Map<string, number>()
+  for (const grapheme of graphemes) counts.set(grapheme, (counts.get(grapheme) ?? 0) + 1)
+  return counts
+}
+
+function maxValue(counts: Map<string, number>): number {
+  let max = 0
+  for (const value of counts.values()) {
+    if (value > max) max = value
+  }
+  return max
+}

package/src/channels/router.ts

@@ -3,7 +3,7 @@ import { basename } from 'node:path'
 import type { AssistantMessage } from '@mariozechner/pi-ai'
 import { SessionManager } from '@mariozechner/pi-coding-agent'
 
-import { createSession, type AgentSession } from '@/agent'
+import { createSession, renderTurnTimeAnchor, type AgentSession } from '@/agent'
 import { subscribeProviderErrors } from '@/agent/provider-error'
 import type { ChannelParticipant, SessionOrigin } from '@/agent/session-origin'
 import { renderSubagentCompletionReminder } from '@/agent/subagent-completion-reminder'
@@ -21,6 +21,7 @@ import {
   type MembershipResolverResult,
 } from './membership'
 import { createMembershipCache, type MembershipCache } from './membership-cache'
+import { checkOutboundFlood } from './outbound-flood-filter'
 import { updateParticipants } from './participants'
 import {
   channelsSessionsPath,
@@ -40,6 +41,7 @@ import type {
   FetchHistoryArgs,
   FetchHistoryResult,
   HistoryCallback,
+  InboundAttachment,
   InboundMessage,
   OutboundCallback,
   OutboundMessage,
@@ -106,6 +108,7 @@ export const SEND_RATE_WINDOW_MS = 5_000
 // send still emits a structured log line regardless of rate — this
 // constant only controls when the warning marker appears.
 export const SEND_RATE_WARN_THRESHOLD = 3
+export const OUTBOUND_FLOOD_ERROR = 'outbound message denied: content looks like a repeated-character flood'
 
 /**
  * Maximum age of the last engaged inbound before the next inbound triggers a fresh session.
@@ -216,6 +219,7 @@ export type ConfigForAdapter = (adapter: ChannelKey['adapter']) => ChannelAdapte
 
 type QueuedInbound = {
   text: string
+  attachments?: readonly InboundAttachment[]
   authorId: string
   authorName: string
   authorIsBot: boolean
@@ -234,6 +238,7 @@ type QueuedInbound = {
 
 type ObservedInbound = {
   text: string
+  attachments?: readonly InboundAttachment[]
   authorId: string
   authorName: string
   authorIsBot: boolean
@@ -447,6 +452,8 @@ export type ChannelRouter = {
   registerFetchAttachment: (adapter: ChannelKey['adapter'], cb: FetchAttachmentCallback) => void
   unregisterFetchAttachment: (adapter: ChannelKey['adapter'], cb: FetchAttachmentCallback) => void
   fetchAttachment: (adapter: ChannelKey['adapter'], args: FetchAttachmentArgs) => Promise<FetchAttachmentResult>
+  lookupInboundAttachment: (args: ChannelKey & { id: number }) => InboundAttachment | null
+  listInboundAttachmentIds: (args: ChannelKey) => readonly number[]
   // Execute a command by name against an existing live session, bypassing
   // the inbound classifier, engagement gate, debounce, and prompt queue.
   // Used by adapters that receive commands through a native surface
@@ -1635,6 +1642,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
   const observe = (live: LiveSession, event: InboundMessage): void => {
     live.contextBuffer.push({
       text: event.text,
+      ...(event.attachments !== undefined && event.attachments.length > 0 ? { attachments: event.attachments } : {}),
       authorId: event.authorId,
       authorName: event.authorName,
       authorIsBot: event.authorIsBot,
@@ -1650,6 +1658,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
   const enqueue = (live: LiveSession, event: InboundMessage): void => {
     live.promptQueue.push({
       text: event.text,
+      ...(event.attachments !== undefined && event.attachments.length > 0 ? { attachments: event.attachments } : {}),
       authorId: event.authorId,
       authorName: event.authorName,
       authorIsBot: event.authorIsBot,
@@ -1798,6 +1807,39 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     return lastError
   }
 
+  const lookupInboundAttachment = (args: ChannelKey & { id: number }): InboundAttachment | null => {
+    const live = liveSessions.get(channelKeyId(args))
+    if (live === undefined) return null
+    // Walk newest → oldest so that when an id collides across messages
+    // (e.g. two photos in the same session each labelled `#1`) the agent's
+    // `attachment_id: 1` always resolves to the CURRENT inbound's
+    // attachment. promptQueue holds the about-to-be-delivered turn and
+    // is therefore the freshest; within each list, append-order maps to
+    // wall-clock order, so iterating in reverse gives recency.
+    const haystacks: ReadonlyArray<ReadonlyArray<{ attachments?: readonly InboundAttachment[] }>> = [
+      live.promptQueue,
+      live.contextBuffer,
+    ]
+    for (const haystack of haystacks) {
+      for (let i = haystack.length - 1; i >= 0; i--) {
+        const item = haystack[i]
+        const found = item?.attachments?.find((attachment) => attachment.id === args.id)
+        if (found !== undefined) return found
+      }
+    }
+    return null
+  }
+
+  const listInboundAttachmentIds = (args: ChannelKey): readonly number[] => {
+    const live = liveSessions.get(channelKeyId(args))
+    if (live === undefined) return []
+    const ids = new Set<number>()
+    for (const item of [...live.promptQueue, ...live.contextBuffer]) {
+      for (const attachment of item.attachments ?? []) ids.add(attachment.id)
+    }
+    return Array.from(ids).sort((a, b) => a - b)
+  }
+
   const send = async (msg: OutboundMessage, opts?: SendOptions): Promise<SendResult> => {
     const source: SendSource = opts?.source ?? 'tool'
     const callbacks = outboundCallbacks.get(msg.adapter)
@@ -1805,6 +1847,12 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       return { ok: false, error: `no adapter registered for "${msg.adapter}"`, code: 'no-adapter' }
     }
 
+    const authoredText = normalizeSendText(msg.text)
+    if (authoredText !== undefined) {
+      const flood = checkOutboundFlood(authoredText)
+      if (!flood.ok) return { ok: false, error: OUTBOUND_FLOOD_ERROR, code: 'outbound-flood' }
+    }
+
     const keyId = channelKeyId({
       adapter: msg.adapter,
       workspace: msg.workspace,
@@ -1982,6 +2030,11 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       return
     }
 
+    if (isLikelyPlainTextChannelToolCall(assistantText)) {
+      logger.warn(`[channels] ${live.keyId}: suppressed plain_text_channel_tool_call text_len=${assistantText.length}`)
+      return
+    }
+
     // `source` distinguishes the two recovery shapes for log triage:
     //   - 'leaf': the assistant message IS the leaf (existing behavior; model
     //     ended its turn with text but forgot to call channel_reply).
@@ -2234,6 +2287,8 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     registerFetchAttachment,
     unregisterFetchAttachment,
     fetchAttachment,
+    lookupInboundAttachment,
+    listInboundAttachmentIds,
     executeCommand,
     getSelfAliases: computeSelfAliases,
     injectSubagentCompletionReminder,
@@ -2306,12 +2361,13 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
 function composeTurnPrompt(
   observed: readonly ObservedInbound[],
   batch: readonly QueuedInbound[],
-  state: { adapter?: AdapterId; loopGuardActive: boolean; systemReminders?: readonly string[] } = {
+  state: { adapter?: AdapterId; loopGuardActive: boolean; systemReminders?: readonly string[]; now?: Date } = {
     loopGuardActive: false,
   },
 ): string {
   const adapter = state.adapter ?? 'discord-bot'
   const parts: string[] = []
+  parts.push(renderTurnTimeAnchor(state.now), '')
   // System reminders (subagent-completion wakeups today) lead the turn body
   // because they are typically what triggered the drain — when the prompt
   // queue is empty and the only thing in this iteration is a reminder, the
@@ -2503,18 +2559,20 @@ export type QuoteAnchorCandidate = {
   hadInterveningObserved: boolean
 }
 
-// Strips `[<Adapter> message with ...]` placeholders that adapter
+// Strips both current `[<Adapter> attachment #N: ...]` and legacy
+// `[<Adapter> message with ...]` placeholders that adapter
 // classifiers synthesize for non-text inbounds (KakaoTalk stickers,
 // Slack/Discord/Telegram attachments). The quote anchor is a UX
 // affordance pointing the human at *their words* — quoting a sticker as
-// `> Alice: [KakaoTalk message with sticker (sticker_ani) pack=... path=...]`
+// `> Alice: [KakaoTalk attachment #1: sticker name=...]`
 // is noise, and for mixed inbounds like `사진 [KakaoTalk message with
 // photo 1254x1254 ...]` the human only wrote `사진`, so the placeholder
 // is the wrong thing to surface. The callsite (captureQuoteCandidate)
 // treats an empty residue as "no quote anchor"; mixed inbounds keep the
 // human-written portion. renderQuoteAnchor later collapses whitespace
 // so residual double-spaces from mid-string strips are harmless.
-const CHANNEL_MEDIA_PLACEHOLDER_RE = /\[(?:KakaoTalk|Slack|Discord|Telegram) message with [^\]]*\]/g
+const CHANNEL_MEDIA_PLACEHOLDER_RE =
+  /\[(?:KakaoTalk|Slack|Discord|Telegram) (?:message with|attachment #\d+:) [^\]]*\]/g
 
 export function stripChannelMediaPlaceholders(text: string): string {
   return text
@@ -2944,6 +3002,36 @@ export function isLikelyKimiChannelToolLeak(text: string): boolean {
   return KIMI_CHANNEL_TOOL_ID_RE.test(text)
 }
 
+// Detects the *plain-text* shape of a leaked channel-tool invocation — the
+// model serialized the tool call as ordinary prose instead of producing a
+// real tool call. Observed against Kimi-family deployments on KakaoTalk:
+// the entire assistant message body is literally
+//
+//   channel_reply({"text":"<the user-facing greeting the bot meant to send>"})
+//
+// with no Kimi delimiter tokens (`<|tool_call_begin|>` etc.), so
+// `isLikelyKimiChannelToolLeak` cannot catch it. Without a guard the
+// recovery path in `validateChannelTurn` posts this raw function-call
+// serialization straight to the channel, which is exactly what
+// users see in the reported screenshots.
+//
+// Structural-only detection (NOT a substring search): the trimmed text must
+// *start* with `channel_reply(` or `channel_send(`, and that opening paren
+// must enclose at least one `"` (the JSON argument). This deliberately
+// matches the leak shape while letting prose that merely *mentions* the
+// tool name (e.g. "I would normally call channel_reply here but...") reach
+// the user — that false-positive class is already locked in by the
+// `still recovers legit prose that happens to mention "channel_reply"` test.
+//
+// The trailing close paren is NOT required: the model sometimes truncates
+// mid-serialization, and a half-leaked `channel_reply({"text":"..."` is
+// just as user-hostile as the full shape.
+const PLAIN_TEXT_CHANNEL_TOOL_CALL_RE = /^channel_(?:reply|send)\s*\(\s*[^)]*"/
+
+export function isLikelyPlainTextChannelToolCall(text: string): boolean {
+  return PLAIN_TEXT_CHANNEL_TOOL_CALL_RE.test(text.trim())
+}
+
 function describe(err: unknown): string {
   return err instanceof Error ? err.message : String(err)
 }

package/src/channels/types.ts

@@ -7,12 +7,56 @@ export type ChannelKey = {
   thread: string | null
 }
 
+// Inbound (non-text) media that the user attached to a channel message.
+// The classifier produces these alongside `InboundMessage.text`; the router
+// stores them and lets channel tools look them up by `id` so the agent can
+// fetch / view a specific attachment without ever seeing the underlying
+// platform-side `ref` (URL, file id, CDN key) in its prompt context.
+//
+// Design contract:
+// - `id` is a 1-based index that is stable WITHIN A SINGLE inbound message
+//   and assigned by the adapter classifier. It is NOT globally unique —
+//   different inbounds re-use small ids (1, 2, ...). The router's lookup
+//   scopes the search to one (adapter,workspace,chat,thread) session and
+//   returns the MOST RECENT match across that session's promptQueue +
+//   contextBuffer, so within a single turn the agent always resolves
+//   `attachment_id: 1` to the attachment on the current inbound — earlier
+//   uses of id 1 from buffered context cannot intercept the lookup.
+// - `ref` is the opaque platform handle that the adapter's
+//   FetchAttachmentCallback knows how to download (Slack file id, Discord
+//   CDN URL, KakaoCDN URL, Telegram file_id). It is INTENTIONALLY not
+//   rendered into the user-visible prompt text — keeping it out of the
+//   LLM's context prevents the dialect-confusion bug where the agent
+//   pastes a malformed ref (e.g. a KakaoCDN bare key) into a tool.
+// - The kind labels (photo/video/...) are coarse on purpose: they exist
+//   for the prompt placeholder ("an image arrived") and for tool routing,
+//   not for platform-specific behavior.
+export type InboundAttachment = {
+  id: number
+  kind: 'photo' | 'video' | 'audio' | 'file' | 'sticker' | 'multiphoto' | 'embed'
+  ref: string
+  // Optional metadata that the adapter classifier may surface for the
+  // placeholder rendering. Every field MUST be safe to print into a prompt
+  // (no credentials, no long opaque tokens). If a piece of metadata would
+  // leak fetchable state, leave it off and rely on `ref` instead.
+  mimetype?: string
+  filename?: string
+  width?: number
+  height?: number
+  sizeBytes?: number
+}
+
 export type InboundMessage = {
   adapter: AdapterId
   workspace: string
   chat: string
   thread: string | null
   text: string
+  // Non-text attachments the user sent on this inbound. Empty / omitted
+  // when the message is text-only. The router carries these through to
+  // the live session's promptQueue/contextBuffer so channel tools can
+  // resolve `attachment_id` → ref without the agent ever seeing the ref.
+  attachments?: readonly InboundAttachment[]
   externalMessageId: string
   authorId: string
   authorName: string
@@ -84,7 +128,13 @@ export type OutboundMessage = {
   attachments?: OutboundAttachment[]
 }
 
-export type SendErrorCode = 'duplicate' | 'turn-cap' | 'no-adapter' | 'callback-rejected' | 'skip-locked'
+export type SendErrorCode =
+  | 'duplicate'
+  | 'turn-cap'
+  | 'outbound-flood'
+  | 'no-adapter'
+  | 'callback-rejected'
+  | 'skip-locked'
 
 export type SendResult = { ok: true } | { ok: false; error: string; code?: SendErrorCode }
 
@@ -124,6 +174,7 @@ export type ChannelHistoryMessage = {
   authorId: string
   authorName: string
   text: string
+  attachments?: readonly InboundAttachment[]
   ts: number
   isBot: boolean
   replyToBotMessageId: string | null

package/src/cli/builtins.ts

@@ -21,8 +21,10 @@ export const BUILTIN_COMMAND_NAMES = [
   'role',
   'provider',
   'model',
+  'mount',
   'doctor',
   'usage',
+  'update',
   '_hostd',
 ] as const
 

package/src/cli/index.ts

@@ -31,8 +31,10 @@ const main = defineCommand({
     role: () => import('./role').then((m) => m.roleCommand),
     provider: () => import('./provider').then((m) => m.providerCommand),
     model: () => import('./model').then((m) => m.modelCommand),
+    mount: () => import('./mount').then((m) => m.mountCommand),
     doctor: () => import('./doctor').then((m) => m.doctorCommand),
     usage: () => import('./usage').then((m) => m.usageCommand),
+    update: () => import('./update').then((m) => m.updateCommand),
     _hostd: () => import('./hostd').then((m) => m.hostdCommand),
   },
 })