typeclaw 0.13.0 → 0.15.0

package/src/channels/adapters/telegram-bot.ts

@@ -251,8 +251,12 @@ export function createOutboundCallback(deps: {
 
     try {
       const rendered = toTelegramMarkdownV2(text)
-      const sendOptions: { message_thread_id?: number; parse_mode: 'MarkdownV2' } = { parse_mode: 'MarkdownV2' }
+      const sendOptions: { message_thread_id?: number; reply_to_message_id?: number; parse_mode: 'MarkdownV2' } = {
+        parse_mode: 'MarkdownV2',
+      }
       if (threadId !== undefined) sendOptions.message_thread_id = threadId
+      const replyToId = parseTelegramMessageId(msg.replyTo?.externalMessageId)
+      if (replyToId !== undefined) sendOptions.reply_to_message_id = replyToId
       const sent = await client.sendMessage(msg.chat, rendered, sendOptions)
       logger.info(`[telegram-bot] sent message_id=${sent.message_id} ${tag}`)
       return { ok: true }
@@ -270,6 +274,12 @@ function parseThreadId(thread: string | null | undefined): number | undefined {
   return Number.isFinite(n) ? n : undefined
 }
 
+function parseTelegramMessageId(id: string | null | undefined): number | undefined {
+  if (id === null || id === undefined || id === '') return undefined
+  const n = Number(id)
+  return Number.isInteger(n) && n > 0 ? n : undefined
+}
+
 type TelegramFileResponse = {
   ok: boolean
   result?: { file_id: string; file_unique_id: string; file_size?: number; file_path?: string }

package/src/channels/router.ts

@@ -45,7 +45,9 @@ import type {
   InboundMessage,
   OutboundCallback,
   OutboundMessage,
+  QuoteAnchorSource,
   ResolvedChannelNames,
+  SendErrorCode,
   SendResult,
   TypingCallback,
 } from './types'
@@ -98,6 +100,23 @@ export const SESSION_GC_INTERVAL_MS = 60 * 1000
 // Enforced inside router.send for `source: 'tool'` callers; system
 // recovery paths (`source: 'system'`) bypass.
 export const MAX_CHANNEL_SENDS_PER_TURN = 10
+// Ceiling on tool-source channel sends that a same-turn router policy DENIED
+// without delivering — `skip-locked`, `turn-cap`, or `duplicate`. Such denials
+// return a soft error and do NOT increment `consecutiveSends`, so a model that
+// ignores the denial and retries never trips `MAX_CHANNEL_SENDS_PER_TURN`.
+// Both production livelocks had this shape: the model alternated a no-op
+// `skip_response` with a denied `channel_reply` (~200-400x in one
+// `session.prompt()`) — the interleaving defeated the byte-identical
+// loop-guard's 5-in-a-row streak, and the denials bypassed the send cap. One
+// turn was all `skip-locked`, the other all `duplicate` (byte-identical text).
+// Past this ceiling we ABORT the run's AbortSignal (`agent.abort()`), which
+// ends the turn on the next assistant stream. We can't just throw: the pi tool
+// executor catches a tool's throw into an error result and the turn continues.
+// Counted per send-target and only when NO concurrent reservation for that
+// target is in flight, so a legitimate parallel send-burst (one winner + many
+// same-tick duplicate/cap denials) is never mistaken for a loop. Reset at turn
+// start alongside `turnSeq`.
+export const MAX_POLICY_DENIED_CHANNEL_SENDS_PER_TURN = 3
 // Rolling window for outbound send-rate telemetry. 5s matches Discord's
 // rate-limit shape (5 msg / 5 s / channel) and comfortably covers Slack's
 // 1 msg/s sustained. The window is observational; exceeding the burst
@@ -347,6 +366,19 @@ type LiveSession = {
   // regardless of which order the model tried them in. Updated only at
   // turn start; reads against the live counter elsewhere are intentional.
   successfulSendsAtTurnStart: number
+  // Per-send-target count of tool-source sends with a reservation currently
+  // in flight (slot reserved, outbound callback not yet settled). Lets the
+  // policy-denial guard tell a legitimate parallel send-burst (denials that
+  // race a still-in-flight winner) from a sequential retry loop (denials with
+  // nothing in flight). Incremented at reservation, decremented in the
+  // callback-loop `finally` so an adapter throw can't strand a target.
+  inFlightToolSends: Map<string, number>
+  // Per-send-target count of policy-denied tool sends this turn that did NOT
+  // race an in-flight reservation. Drives the throw at
+  // `MAX_POLICY_DENIED_CHANNEL_SENDS_PER_TURN` that breaks the alternating-tool
+  // livelock the byte-identical loop-guard misses. Reset at turn start and
+  // cleared per-target on a successful delivery to that target.
+  policyDeniedToolSendsThisTurn: Map<string, number>
   // Stamped by `markTurnSkipped` (called from the `skip_response` tool)
   // with the current `turnSeq`. Read at the top of `validateChannelTurn`:
   // if it matches the just-completed turn, recovery is skipped entirely
@@ -498,13 +530,15 @@ export type ChannelRouter = {
   // turn cannot drop a future legitimate reply.
   //
   // Returns:
-  //   - 'recorded'      — the live session was found and the skip was stamped
-  //   - 'send-already-happened' — a tool-source channel send already landed
-  //                       in this turn; the skip is refused (symmetric with
-  //                       the send-after-skip lock in `send()`) so the model
-  //                       cannot land a reply AND claim silence. The flag is
-  //                       NOT stamped, so the turn proceeds as a normal
-  //                       reply turn.
+  //   - 'recorded'      — silence-first: no send had landed this turn, so the
+  //                       skip was stamped and later tool-source sends are
+  //                       locked out via the send-after-skip guard in `send()`
+  //   - 'recorded-after-send' — reply-first: a tool-source channel send already
+  //                       landed this turn and the agent is now going quiet for
+  //                       the rest of it (the normal ack-then-wait pattern). The
+  //                       delivered reply stands; this skip posts nothing and is
+  //                       a terminal no-op. NOT stamped as a skipped turn (a
+  //                       reply already landed), and logged inline by the impl.
   //   - 'no-live-session' — no matching channel session (e.g. tool fired
   //                         outside a channel origin); the tool should
   //                         still log the reason but cannot suppress.
@@ -513,7 +547,7 @@ export type ChannelRouter = {
     reason: string
   }) =>
     | { kind: 'recorded'; keyId: string }
-    | { kind: 'send-already-happened'; keyId: string }
+    | { kind: 'recorded-after-send'; keyId: string }
     | { kind: 'no-live-session' }
   stop: () => Promise<void>
   liveCount: () => number
@@ -1009,6 +1043,8 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         successfulChannelSends: 0,
         turnSeq: 0,
         successfulSendsAtTurnStart: 0,
+        inFlightToolSends: new Map(),
+        policyDeniedToolSendsThisTurn: new Map(),
         skippedTurn: null,
         pendingQuoteCandidate: null,
         recentEngagedPeerBotTurns: [],
@@ -1368,6 +1404,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         const successfulSendsBeforePrompt = live.successfulChannelSends
         live.turnSeq++
         live.successfulSendsAtTurnStart = successfulSendsBeforePrompt
+        live.policyDeniedToolSendsThisTurn.clear()
         await fireSessionTurnStart(live, text)
         try {
           await live.session.prompt(text)
@@ -1873,7 +1910,12 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     if (live && source === 'tool' && live.pendingQuoteCandidate !== null) {
       const quoteCandidate = refreshQuoteCandidate(live.pendingQuoteCandidate, live.contextBuffer)
       const anchor = decideQuoteAnchor(quoteCandidate, now(), options.configForAdapter(msg.adapter))
-      if (anchor !== null) msg = { ...msg, text: prependQuoteAnchor(msg.text ?? '', anchor) }
+      if (anchor !== null) {
+        msg =
+          resolveReplyRenderMode(msg) === 'native'
+            ? { ...msg, replyTo: { externalMessageId: anchor.externalMessageId, source: anchor.source } }
+            : { ...msg, text: prependQuoteAnchor(msg.text ?? '', anchor.source) }
+      }
       live.pendingQuoteCandidate = null
     }
     const text = normalizeSendText(msg.text)
@@ -1890,19 +1932,52 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     let priorLastSentText: string | undefined
     let reserved = false
     if (live && source === 'tool') {
+      // Every same-turn policy denial (skip-locked / turn-cap / duplicate)
+      // returns a soft error and does NOT increment `consecutiveSends`, so a
+      // model that ignores the denial and retries never trips the send cap. To
+      // bound that loop we route all three through one tally that ABORTS the run
+      // past the ceiling. The discriminator that keeps legitimate parallel
+      // send-bursts soft: a denial only counts when NO reservation for the same
+      // target is in flight. In a `Promise.all` burst the synchronous denials
+      // all race the one in-flight winner, so they don't count; a sequential
+      // retry loop has nothing in flight, so it does. See
+      // `MAX_POLICY_DENIED_CHANNEL_SENDS_PER_TURN`.
+      //
+      // Why abort, not throw: pi-agent-core's tool executor catches a throw
+      // from a tool's execute() and converts it into an `isError` tool result —
+      // the turn would continue and the model could retry. The only thing that
+      // actually ends an in-flight turn is aborting the run's AbortSignal:
+      // `agent.abort()` flips it synchronously, then the NEXT assistant stream
+      // (after this tool returns) sees the aborted signal and ends the turn with
+      // stopReason 'aborted'. We must NOT call `session.abort()` here — it
+      // `await`s `waitForIdle()`, which would deadlock waiting for the very run
+      // this tool call belongs to. `agent.abort()` is the signal-only,
+      // non-blocking variant. We still return the soft denial for this call.
+      const denyPolicyToolSend = (error: string, code: SendErrorCode): SendResult => {
+        if ((live.inFlightToolSends.get(sendKey) ?? 0) > 0) {
+          return { ok: false, error, code }
+        }
+        const count = (live.policyDeniedToolSendsThisTurn.get(sendKey) ?? 0) + 1
+        live.policyDeniedToolSendsThisTurn.set(sendKey, count)
+        if (count >= MAX_POLICY_DENIED_CHANNEL_SENDS_PER_TURN) {
+          logger.warn(`[channels] ${live.keyId}: aborting turn — ${count} policy-denied channel sends (last: ${code})`)
+          if (live.session.agent.signal?.aborted !== true) live.session.agent.abort()
+        }
+        return { ok: false, error, code }
+      }
       // Tool-source send after `skip_response` for the same turn is a contract
       // violation: the model already committed to silence. Reject before any
       // state mutation so the model gets a clear error and the channel stays
       // silent. System-source sends (recovery, role-claim) are not affected.
       if (live.skippedTurn !== null && live.skippedTurn.turnSeq === live.turnSeq) {
-        return { ok: false, error: SKIP_RESPONSE_LOCK_ERROR, code: 'skip-locked' }
+        return denyPolicyToolSend(SKIP_RESPONSE_LOCK_ERROR, 'skip-locked')
       }
       const currentCount = live.consecutiveSends.get(sendKey) ?? 0
       if (currentCount >= MAX_CHANNEL_SENDS_PER_TURN) {
-        return { ok: false, error: TURN_CAP_ERROR, code: 'turn-cap' }
+        return denyPolicyToolSend(TURN_CAP_ERROR, 'turn-cap')
       }
       if (text !== undefined && live.lastSentText.get(sendKey) === text) {
-        return { ok: false, error: DUPLICATE_SEND_ERROR, code: 'duplicate' }
+        return denyPolicyToolSend(DUPLICATE_SEND_ERROR, 'duplicate')
       }
       // Reserve the slot before awaiting. If the callback rejects we roll
       // back below; if it succeeds we keep the increment. The slot reserve
@@ -1913,6 +1988,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       priorLastSentText = live.lastSentText.get(sendKey)
       live.consecutiveSends.set(sendKey, currentCount + 1)
       if (text !== undefined) live.lastSentText.set(sendKey, text)
+      live.inFlightToolSends.set(sendKey, (live.inFlightToolSends.get(sendKey) ?? 0) + 1)
       reserved = true
     }
 
@@ -1922,13 +1998,24 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     const snapshot = Array.from(callbacks)
     let lastError: string | undefined
     let delivered = false
-    for (const cb of snapshot) {
-      const result = await cb(msg)
-      if (result.ok) {
-        delivered = true
-        break
+    try {
+      for (const cb of snapshot) {
+        const result = await cb(msg)
+        if (result.ok) {
+          delivered = true
+          break
+        }
+        lastError = result.error
+      }
+    } finally {
+      // Clear the in-flight reservation even if a callback threw, so a flaky
+      // adapter can never strand a target as permanently "in flight" and
+      // disable the policy-denial guard for it.
+      if (live && reserved) {
+        const inFlight = (live.inFlightToolSends.get(sendKey) ?? 1) - 1
+        if (inFlight <= 0) live.inFlightToolSends.delete(sendKey)
+        else live.inFlightToolSends.set(sendKey, inFlight)
       }
-      lastError = result.error
     }
 
     if (!delivered) {
@@ -1948,6 +2035,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
 
     if (live) {
       live.successfulChannelSends++
+      live.policyDeniedToolSendsThisTurn.delete(sendKey)
       // Don't stop the heartbeat here: the agent may still be mid-turn and
       // about to send another reply. drain()'s finally block owns turn-end
       // stop. But Slack's adapter outbound callback explicitly clears
@@ -2254,13 +2342,22 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     reason: string
   }):
     | { kind: 'recorded'; keyId: string }
-    | { kind: 'send-already-happened'; keyId: string }
+    | { kind: 'recorded-after-send'; keyId: string }
     | { kind: 'no-live-session' } => {
     for (const live of liveSessions.values()) {
       if (live.destroyed) continue
       if (live.sessionId !== args.parentSessionId) continue
       if (live.successfulChannelSends > live.successfulSendsAtTurnStart) {
-        return { kind: 'send-already-happened', keyId: live.keyId }
+        // Reply-first skip ("acked, now going quiet"): accept as a terminal
+        // no-op, never stamp `skippedTurn`. The delivered reply stands and must
+        // not be suppressed, so stamping (which `validateChannelTurn` reads to
+        // drop the turn) would be wrong; the send-after-skip lock only needs to
+        // arm on the silence-first path. Rejecting this instead deadlocks the
+        // agentic loop: denied a clean silent exit the model re-sends, gets
+        // re-denied, and repeats until the per-turn send cap trips. Logged here
+        // since `validateChannelTurn` won't see a `skippedTurn` for it.
+        logger.info(`[channels] ${live.keyId} skip_after_send reason=${JSON.stringify(args.reason)}`)
+        return { kind: 'recorded-after-send', keyId: live.keyId }
       }
       live.skippedTurn = { turnSeq: live.turnSeq, reason: args.reason }
       return { kind: 'recorded', keyId: live.keyId }
@@ -2469,12 +2566,7 @@ function formatAuthorLine(
   return `${stamp}${formatAuthorReference(adapter, authorId, authorName)} (${authorName})${tag}: ${text}`
 }
 
-export type QuoteAnchorSource = {
-  adapter: AdapterId
-  authorId: string
-  authorName: string
-  text: string
-}
+export type { QuoteAnchorSource } from './types'
 
 // Picks the right author syntax for the platform so prompts and rendered
 // quote anchors use the same form the user would type in that channel.
@@ -2546,6 +2638,7 @@ type QuoteAnchorBatchEntry = {
   authorName: string
   authorIsBot: boolean
   receivedAt: number
+  externalMessageId: string
 }
 
 type QuoteAnchorObservedEntry = {
@@ -2555,10 +2648,18 @@ type QuoteAnchorObservedEntry = {
 
 export type QuoteAnchorCandidate = {
   source: QuoteAnchorSource
+  // Native id of the primary inbound, so a native-reply adapter can point at
+  // the exact message; the blockquote fallback ignores it.
+  externalMessageId: string
   primaryReceivedAt: number
   hadInterveningObserved: boolean
 }
 
+export type QuoteAnchorTarget = {
+  source: QuoteAnchorSource
+  externalMessageId: string
+}
+
 // Strips both current `[<Adapter> attachment #N: ...]` and legacy
 // `[<Adapter> message with ...]` placeholders that adapter
 // classifiers synthesize for non-text inbounds (KakaoTalk stickers,
@@ -2609,6 +2710,7 @@ export function captureQuoteCandidate(
   if (cleaned === '') return null
   return {
     source: { adapter, authorId: primary.authorId, authorName: primary.authorName, text: cleaned },
+    externalMessageId: primary.externalMessageId,
     primaryReceivedAt: primary.receivedAt,
     hadInterveningObserved: hasInterveningObserved(primary.receivedAt, observed),
   }
@@ -2636,12 +2738,34 @@ export function decideQuoteAnchor(
   candidate: QuoteAnchorCandidate | null,
   _nowMs: number,
   adapterConfig: ChannelAdapterConfig | undefined,
-): QuoteAnchorSource | null {
+): QuoteAnchorTarget | null {
   if (candidate === null) return null
   const config = adapterConfig?.quotedReply
   if (config !== undefined && config.enabled === false) return null
   if (!candidate.hadInterveningObserved) return null
-  return candidate.source
+  return { source: candidate.source, externalMessageId: candidate.externalMessageId }
+}
+
+export type ReplyRenderMode = 'native' | 'quote'
+
+// Per-adapter, per-shape decision: can this exact outbound carry a native
+// platform reply, or must it degrade to the blockquote fallback? Conditional
+// because native support is not uniform within an adapter — Telegram's
+// `sendMessage` accepts `reply_to_message_id` but `sendDocument` does not, so
+// an attachment-only Telegram reply must quote; the same text-only restriction
+// holds for Discord (`message_reference` rides on the text send, file uploads
+// land bare) and KakaoTalk. Slack's primitive is `thread`, not a per-message
+// reply, so it stays quote; GitHub's PR-review reply already rides on `thread`.
+//
+// KakaoTalk is `native` here even though its reply payload can fail to resolve
+// at send time — the adapter degrades to the blockquote fallback itself using
+// `replyTo.source`, so the router still routes it down the native branch.
+const NATIVE_REPLY_TEXT_ADAPTERS = new Set<AdapterId>(['telegram-bot', 'discord-bot', 'kakaotalk'])
+
+export function resolveReplyRenderMode(msg: OutboundMessage): ReplyRenderMode {
+  const hasText = normalizeSendText(msg.text) !== undefined
+  if (hasText && NATIVE_REPLY_TEXT_ADAPTERS.has(msg.adapter)) return 'native'
+  return 'quote'
 }
 
 type Sliced = { kind: 'message'; message: ChannelHistoryMessage } | { kind: 'elision'; elidedCount: number }

package/src/channels/types.ts

@@ -126,6 +126,28 @@ export type OutboundMessage = {
   // `uploadFile` does not accept a content body or a thread id, see the
   // adapter for the workaround details.
   attachments?: OutboundAttachment[]
+  // Set by the router (native render mode + anchor fired) so an adapter can
+  // reply to the inbound it answers. Telegram/Discord consume `externalMessageId`;
+  // `quote`-mode adapters never see this (the router prepends the blockquote into
+  // `text` instead). `source` lets an adapter whose native primitive can fail at
+  // send time (KakaoTalk: payload built from a source message that may have
+  // scrolled out of history) degrade to the same blockquote fallback.
+  replyTo?: OutboundReplyTo
+}
+
+export type OutboundReplyTo = {
+  externalMessageId: string
+  source?: QuoteAnchorSource
+}
+
+// `adapter` selects the per-platform author-mention syntax in the blockquote
+// fallback. Lives here (not router.ts) so adapters can reconstruct a native
+// reply payload from the same shape the router renders quotes from.
+export type QuoteAnchorSource = {
+  adapter: AdapterId
+  authorId: string
+  authorName: string
+  text: string
 }
 
 export type SendErrorCode =

package/src/config/providers.ts

@@ -197,10 +197,11 @@ export const KNOWN_PROVIDERS = {
   // anthropic`) before relying on the env-var path. Same rule applies to any
   // future dual-auth provider — keep the surprise in mind when expanding.
   //
-  // Model lineup is the current GA tier as of 2026-04-16: Opus 4.7 (top,
-  // released Apr 16 2026), Sonnet 4.6 (mid, Feb 5 2026), Haiku 4.5 (fast,
-  // Oct 1 2025). Anthropic's own model overview lists these three as the
-  // current recommended set and flags earlier Opus/Sonnet variants with
+  // Model lineup is the current GA tier as of 2026-05-29: Opus 4.8 (top,
+  // released May 2026), Opus 4.7 (prior top, Apr 16 2026), Sonnet 4.6 (mid,
+  // Feb 5 2026), Haiku 4.5 (fast, Oct 1 2025). Anthropic's own model overview
+  // lists the latest Opus/Sonnet/Haiku as the current recommended set and
+  // flags earlier Opus/Sonnet variants with
   // "Consider migrating to current models." Opus 4 / Sonnet 4 are deprecated
   // (retirement: Jun 15 2026); the 4.5/4.6 alternates remain Active but are
   // not the recommended path.
@@ -276,6 +277,18 @@ export const KNOWN_PROVIDERS = {
         contextWindow: 1000000,
         maxTokens: 128000,
       },
+      'claude-opus-4-8': {
+        id: 'claude-opus-4-8',
+        name: 'Claude Opus 4.8',
+        api: 'anthropic-messages',
+        provider: 'anthropic',
+        baseUrl: 'https://api.anthropic.com',
+        reasoning: true,
+        input: ['text', 'image'],
+        cost: { input: 5, output: 25, cacheRead: 0.5, cacheWrite: 6.25 },
+        contextWindow: 1000000,
+        maxTokens: 128000,
+      },
     },
   },
   fireworks: {

package/src/container/start.ts

@@ -464,12 +464,29 @@ export async function planStart({
   // misattribute to bot detection. 2g matches the Playwright/Puppeteer
   // canonical recommendation and is a memory cap, not an allocation (only
   // used pages count against the host).
+  // `seccomp=unconfined` lets `bwrap(1)` (installed in baseline; see
+  // BASELINE_APT_PACKAGES in src/init/dockerfile.ts) create user/pid/mount
+  // namespaces from inside the container. Docker's default seccomp profile
+  // rejects `unshare(CLONE_NEWUSER)` and `clone(CLONE_NEWUSER)` for
+  // non-privileged containers, which is the right default for multi-tenant
+  // hosts (Kubernetes nodes, CI runners) but wrong for typeclaw: the outer
+  // container is a single-tenant trust boundary — the user trusts everything
+  // inside it equally, the .env and agent folder are already mounted in —
+  // so the multi-tenant protections seccomp adds are not load-bearing for
+  // typeclaw's threat model. The per-tool sandbox bwrap builds for subagents
+  // IS the real boundary against prompt-injected commands; that boundary is
+  // what `--security-opt seccomp=unconfined` exists to enable. See
+  // `docs/internals/sandbox.mdx` for the full rationale including why
+  // `--cap-add=SYS_ADMIN` was rejected as an alternative (narrower in
+  // syscalls but strictly worse in capability semantics).
   const runArgs = [
     'run',
     '-d',
     '--name',
     containerName,
     '--shm-size=2g',
+    '--security-opt',
+    'seccomp=unconfined',
     '-p',
     `${publishHost}:${hostPort}:${CONTAINER_PORT}`,
   ]