typeclaw 0.14.0 → 0.15.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.14.0",
+  "version": "0.15.0",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"
@@ -46,7 +46,7 @@
     "@mariozechner/pi-coding-agent": "^0.67.3",
     "@mariozechner/pi-tui": "^0.67.3",
     "@mozilla/readability": "^0.6.0",
-    "agent-messenger": "2.18.0",
+    "agent-messenger": "2.19.0",
     "cheerio": "^1.2.0",
     "citty": "^0.2.2",
     "cron-parser": "^5.5.0",

package/src/channels/adapters/discord-bot.ts

@@ -393,7 +393,14 @@ export function createOutboundCallback(deps: {
     }
 
     try {
-      const sent = await client.sendMessage(msg.chat, text, msg.thread ? { thread_id: msg.thread } : undefined)
+      const sendOptions: { thread_id?: string; reply_to?: string } = {}
+      if (msg.thread) sendOptions.thread_id = msg.thread
+      if (msg.replyTo?.externalMessageId) sendOptions.reply_to = msg.replyTo.externalMessageId
+      const sent = await client.sendMessage(
+        msg.chat,
+        text,
+        Object.keys(sendOptions).length > 0 ? sendOptions : undefined,
+      )
       logger.info(`[discord-bot] sent id=${sent.id} ${tag}`)
       return { ok: true }
     } catch (err) {

package/src/channels/adapters/kakaotalk-format.ts

@@ -0,0 +1,239 @@
+// KakaoTalk's LOCO protocol renders no rich text — bytes display verbatim, so
+// the agent's Markdown (`**bold**`, `### heading`, fenced ```blocks```) leaks
+// literal `*`/`#`/backtick noise into the chat. This strips the formatting
+// markers and keeps the content. Mirrors telegram-bot-format.ts, but emits
+// plain content instead of re-encoding to MarkdownV2. Links collapse to
+// `label (url)` so the destination survives; list/quote markers stay (they
+// read fine unrendered).
+
+export function toKakaoPlainText(input: string): string {
+  // Pull fenced code out first so a `*` inside a block is not re-tokenized as
+  // italic.
+  const out: string[] = []
+  let i = 0
+  while (i < input.length) {
+    if (matchesAt(input, i, '```')) {
+      const fenceEnd = findFenceEnd(input, i + 3)
+      if (fenceEnd !== -1) {
+        out.push(renderFence(input.slice(i + 3, fenceEnd)))
+        i = fenceEnd + 3
+        continue
+      }
+      // Unterminated fence — strip the open backticks and render the rest
+      // inline so we never infinite-loop and never drop the tail.
+      out.push(renderInline(stripLeadingFence(input.slice(i + 3))))
+      break
+    }
+    const nextFence = input.indexOf('```', i)
+    const segmentEnd = nextFence === -1 ? input.length : nextFence
+    out.push(renderLines(input.slice(i, segmentEnd)))
+    i = segmentEnd
+  }
+  return out.join('')
+}
+
+function matchesAt(s: string, idx: number, needle: string): boolean {
+  return s.slice(idx, idx + needle.length) === needle
+}
+
+function findFenceEnd(s: string, start: number): number {
+  return s.indexOf('```', start)
+}
+
+function stripLeadingFence(inner: string): string {
+  // Drop an optional language hint and the newline after an opening fence.
+  const newline = inner.indexOf('\n')
+  if (newline === -1) return inner
+  const candidate = inner.slice(0, newline).trim()
+  if (candidate === '' || /^[A-Za-z0-9_+\-.]+$/.test(candidate)) {
+    return inner.slice(newline + 1)
+  }
+  return inner
+}
+
+function renderFence(inner: string): string {
+  // Keep the code body verbatim, drop the fences and any language hint.
+  let body = inner
+  const newline = inner.indexOf('\n')
+  if (newline !== -1) {
+    const candidate = inner.slice(0, newline).trim()
+    if (candidate === '' || /^[A-Za-z0-9_+\-.]+$/.test(candidate)) {
+      body = inner.slice(newline + 1)
+    }
+  }
+  if (body.endsWith('\n')) body = body.slice(0, -1)
+  return body
+}
+
+// Strip per-line block markers (heading hashes, blockquote arrows) before
+// running the inline tokenizer on each line. List markers (`- `, `* `, `1.`)
+// are left intact — they read fine as plain text and signal structure.
+function renderLines(text: string): string {
+  const lines = text.split('\n')
+  const rendered = lines.map((line) => renderInline(stripBlockMarkers(line)))
+  return rendered.join('\n')
+}
+
+function stripBlockMarkers(line: string): string {
+  // `### heading` → `heading`; `> quote` → `quote`. Only acts on leading
+  // markers after optional indentation so mid-line `#`/`>` stay literal.
+  const heading = /^(\s*)#{1,6}\s+(.*)$/.exec(line)
+  if (heading !== null) return heading[1]! + heading[2]!
+  const quote = /^(\s*)>\s?(.*)$/.exec(line)
+  if (quote !== null) return quote[1]! + quote[2]!
+  return line
+}
+
+// Inline tokenizer. Recognizes (in priority order):
+//   1. Inline code:   `code`        → code
+//   2. Links:         [text](url)   → text (url)
+//   3. Bold:          **text** / __text__ → text
+//   4. Strikethrough: ~~text~~      → text
+//   5. Italic:        *text* / _text_     → text
+//
+// Bold is checked before italic so `**` is not eaten as two italic markers.
+// Word-boundary guards keep snake_case identifiers and `a*b` math from being
+// mistaken for emphasis — the same rules the Telegram formatter uses.
+function renderInline(text: string): string {
+  const out: string[] = []
+  let i = 0
+  while (i < text.length) {
+    const ch = text[i]!
+
+    if (ch === '`') {
+      const close = text.indexOf('`', i + 1)
+      if (close !== -1) {
+        out.push(text.slice(i + 1, close))
+        i = close + 1
+        continue
+      }
+    }
+
+    if (ch === '[') {
+      const link = parseLink(text, i)
+      if (link !== null) {
+        const label = renderInline(link.label)
+        out.push(link.url === '' ? label : `${label} (${link.url})`)
+        i = link.end
+        continue
+      }
+    }
+
+    if (ch === '*' && text[i + 1] === '*') {
+      const close = findClose(text, i + 2, '**')
+      if (close !== -1 && close > i + 2) {
+        out.push(renderInline(text.slice(i + 2, close)))
+        i = close + 2
+        continue
+      }
+    }
+    if (ch === '_' && text[i + 1] === '_' && !isWordChar(text[i - 1])) {
+      const close = findClose(text, i + 2, '__')
+      if (close !== -1 && close > i + 2 && !isWordChar(text[close + 2])) {
+        out.push(renderInline(text.slice(i + 2, close)))
+        i = close + 2
+        continue
+      }
+    }
+
+    if (ch === '~' && text[i + 1] === '~') {
+      const close = findClose(text, i + 2, '~~')
+      if (close !== -1 && close > i + 2) {
+        out.push(renderInline(text.slice(i + 2, close)))
+        i = close + 2
+        continue
+      }
+    }
+
+    if (ch === '*' && !isWordChar(text[i - 1])) {
+      const close = findInlineClose(text, i + 1, '*')
+      if (close !== -1 && !isWordChar(text[close + 1])) {
+        const inner = text.slice(i + 1, close)
+        if (inner !== '' && !/^\s|\s$/.test(inner)) {
+          out.push(renderInline(inner))
+          i = close + 1
+          continue
+        }
+      }
+    }
+    if (ch === '_' && !isWordChar(text[i - 1])) {
+      const close = findInlineClose(text, i + 1, '_')
+      if (close !== -1 && !isWordChar(text[close + 1])) {
+        const inner = text.slice(i + 1, close)
+        if (inner !== '' && !/^\s|\s$/.test(inner)) {
+          out.push(renderInline(inner))
+          i = close + 1
+          continue
+        }
+      }
+    }
+
+    out.push(ch)
+    i++
+  }
+  return out.join('')
+}
+
+function findClose(text: string, from: number, marker: string): number {
+  let i = from
+  while (i <= text.length - marker.length) {
+    if (text[i] === '\\') {
+      i += 2
+      continue
+    }
+    if (matchesAt(text, i, marker)) return i
+    i++
+  }
+  return -1
+}
+
+function findInlineClose(text: string, from: number, marker: string): number {
+  let i = from
+  while (i < text.length) {
+    if (text[i] === '\n') return -1
+    if (text[i] === '\\') {
+      i += 2
+      continue
+    }
+    if (matchesAt(text, i, marker)) return i
+    i++
+  }
+  return -1
+}
+
+function parseLink(text: string, start: number): { label: string; url: string; end: number } | null {
+  let i = start + 1
+  const labelStart = i
+  while (i < text.length) {
+    const c = text[i]!
+    if (c === '\\') {
+      i += 2
+      continue
+    }
+    if (c === ']') break
+    if (c === '\n') return null
+    i++
+  }
+  if (text[i] !== ']' || text[i + 1] !== '(') return null
+  const label = text.slice(labelStart, i)
+  const urlStart = i + 2
+  let j = urlStart
+  while (j < text.length) {
+    const c = text[j]!
+    if (c === '\\') {
+      j += 2
+      continue
+    }
+    if (c === ')') break
+    if (c === '(') return null
+    if (c === '\n') return null
+    j++
+  }
+  if (text[j] !== ')') return null
+  return { label, url: text.slice(urlStart, j), end: j + 1 }
+}
+
+function isWordChar(ch: string | undefined): boolean {
+  if (ch === undefined) return false
+  return /[A-Za-z0-9_]/.test(ch)
+}

package/src/channels/adapters/kakaotalk.ts

@@ -8,6 +8,7 @@ import {
   type KakaoMember,
   type KakaoMessage,
   type KakaoProfile,
+  type KakaoReplyTarget,
   type KakaoSendResult,
   type KakaoTalkListenerEventMap,
   type KakaoTalkPushEmoticonEvent,
@@ -15,7 +16,7 @@ import {
 } from 'agent-messenger/kakaotalk'
 import type { KakaoAccountCredentials, KakaoConfig, PendingLoginState } from 'agent-messenger/kakaotalk'
 
-import type { ChannelRouter } from '@/channels/router'
+import { prependQuoteAnchor, type ChannelRouter } from '@/channels/router'
 import type { ChannelAdapterConfig } from '@/channels/schema'
 import type {
   ChannelHistoryMessage,
@@ -39,6 +40,7 @@ import { createKakaoAuthorResolver, type KakaoAuthorResolver } from './kakaotalk
 import { createKakaoChannelResolver, type KakaoChannelResolver } from './kakaotalk-channel-resolver'
 import { classifyInbound, type InboundDropReason } from './kakaotalk-classify'
 import { createFetchAttachmentCallback } from './kakaotalk-fetch-attachment'
+import { toKakaoPlainText } from './kakaotalk-format'
 
 // Structural duck-type of the upstream KakaoTalkClient class. The upstream
 // type is a class with private fields, and TypeScript treats those
@@ -53,7 +55,7 @@ export interface KakaoTalkClient {
   ): Promise<this>
   getChats(options?: { all?: boolean; search?: string }): Promise<KakaoChat[]>
   getMessages(chatId: string, options?: { count?: number; from?: string }): Promise<KakaoMessage[]>
-  sendMessage(chatId: string, text: string): Promise<KakaoSendResult>
+  sendMessage(chatId: string, text: string, options?: { replyTo?: KakaoReplyTarget }): Promise<KakaoSendResult>
   sendAttachment(
     chatId: string,
     data: Uint8Array | Buffer,
@@ -160,6 +162,11 @@ export type KakaotalkAdapter = {
 
 export const KAKAO_HISTORY_LIMIT_MAX = 200
 
+// How far back to scan for a reply target's source message. Matches the upstream
+// CLI's window; an anchored reply targets the message just answered, so the
+// target is almost always near the head of this window.
+const KAKAO_REPLY_LOOKUP_COUNT = 100
+
 function formatLabel(name: string | undefined, id: string, prefix = ''): string {
   if (name === undefined || name === '' || name === id) return id
   return `${prefix}${name}(${id})`
@@ -171,7 +178,7 @@ async function readAttachmentBuffer(path: string): Promise<Buffer> {
 }
 
 export function createOutboundCallback(deps: {
-  client: Pick<KakaoTalkClient, 'sendMessage' | 'sendAttachment'>
+  client: Pick<KakaoTalkClient, 'sendMessage' | 'sendAttachment' | 'getMessages'>
   logger: KakaotalkAdapterLogger
   formatChannelTag: (workspace: string, chat: string) => Promise<string>
   readFile?: (path: string) => Promise<Buffer>
@@ -182,7 +189,7 @@ export function createOutboundCallback(deps: {
     if (msg.adapter !== 'kakaotalk') {
       return { ok: false, error: `unknown adapter: ${msg.adapter}` }
     }
-    const text = msg.text ?? ''
+    const text = toKakaoPlainText(msg.text ?? '')
     const attachments = msg.attachments ?? []
     if (text === '' && attachments.length === 0) {
       return { ok: false, error: 'message has neither text nor attachments' }
@@ -221,8 +228,26 @@ export function createOutboundCallback(deps: {
     }
 
     if (text !== '') {
+      // KakaoTalk's native reply payload is built from the *source* message
+      // (author, original text, type), which the SDK does not derive from a
+      // bare log_id — we resolve it from recent history. If that lookup can't
+      // find the target (scrolled past the window, or the fetch failed), we
+      // degrade to the same blockquote anchor the router uses for quote-mode
+      // adapters, so the reply still visibly references the right message.
+      let outboundText = text
+      let replyTarget: KakaoReplyTarget | undefined
+      if (msg.replyTo !== undefined) {
+        replyTarget = await resolveKakaoReplyTarget(client, msg.chat, msg.replyTo.externalMessageId, logger)
+        if (replyTarget === undefined && msg.replyTo.source !== undefined) {
+          outboundText = prependQuoteAnchor(text, msg.replyTo.source)
+        }
+      }
       try {
-        const result = await client.sendMessage(msg.chat, text)
+        const result = await client.sendMessage(
+          msg.chat,
+          outboundText,
+          replyTarget !== undefined ? { replyTo: replyTarget } : undefined,
+        )
         if (!result.success) {
           logger.error(`[kakaotalk] sendMessage status_code=${result.status_code} ${tag}`)
           return { ok: false, error: `kakaotalk send failed with status ${result.status_code}` }
@@ -239,6 +264,30 @@ export function createOutboundCallback(deps: {
   }
 }
 
+// KakaoTalk replies need the full source message, not just its log_id. Resolve
+// it from the chat's recent history (matching the upstream CLI's approach).
+// Returns undefined when the target isn't in the fetched window or the fetch
+// throws — the caller degrades to the blockquote fallback in that case.
+async function resolveKakaoReplyTarget(
+  client: Pick<KakaoTalkClient, 'getMessages'>,
+  chatId: string,
+  externalMessageId: string,
+  logger: KakaotalkAdapterLogger,
+): Promise<KakaoReplyTarget | undefined> {
+  try {
+    const messages = await client.getMessages(chatId, { count: KAKAO_REPLY_LOOKUP_COUNT })
+    const target = messages.find((m) => m.log_id === externalMessageId)
+    if (target === undefined) {
+      logger.warn(`[kakaotalk] reply target log_id=${externalMessageId} not in last ${KAKAO_REPLY_LOOKUP_COUNT}`)
+      return undefined
+    }
+    return { log_id: target.log_id, author_id: target.author_id, message: target.message, type: target.type }
+  } catch (err) {
+    logger.warn(`[kakaotalk] reply target lookup failed: ${describe(err)}`)
+    return undefined
+  }
+}
+
 export function createKakaoHistoryCallback(deps: {
   client: Pick<KakaoTalkClient, 'getMessages'>
   logger: KakaotalkAdapterLogger

package/src/channels/adapters/telegram-bot.ts

@@ -251,8 +251,12 @@ export function createOutboundCallback(deps: {
 
     try {
       const rendered = toTelegramMarkdownV2(text)
-      const sendOptions: { message_thread_id?: number; parse_mode: 'MarkdownV2' } = { parse_mode: 'MarkdownV2' }
+      const sendOptions: { message_thread_id?: number; reply_to_message_id?: number; parse_mode: 'MarkdownV2' } = {
+        parse_mode: 'MarkdownV2',
+      }
       if (threadId !== undefined) sendOptions.message_thread_id = threadId
+      const replyToId = parseTelegramMessageId(msg.replyTo?.externalMessageId)
+      if (replyToId !== undefined) sendOptions.reply_to_message_id = replyToId
       const sent = await client.sendMessage(msg.chat, rendered, sendOptions)
       logger.info(`[telegram-bot] sent message_id=${sent.message_id} ${tag}`)
       return { ok: true }
@@ -270,6 +274,12 @@ function parseThreadId(thread: string | null | undefined): number | undefined {
   return Number.isFinite(n) ? n : undefined
 }
 
+function parseTelegramMessageId(id: string | null | undefined): number | undefined {
+  if (id === null || id === undefined || id === '') return undefined
+  const n = Number(id)
+  return Number.isInteger(n) && n > 0 ? n : undefined
+}
+
 type TelegramFileResponse = {
   ok: boolean
   result?: { file_id: string; file_unique_id: string; file_size?: number; file_path?: string }

package/src/channels/router.ts

@@ -45,7 +45,9 @@ import type {
   InboundMessage,
   OutboundCallback,
   OutboundMessage,
+  QuoteAnchorSource,
   ResolvedChannelNames,
+  SendErrorCode,
   SendResult,
   TypingCallback,
 } from './types'
@@ -98,6 +100,23 @@ export const SESSION_GC_INTERVAL_MS = 60 * 1000
 // Enforced inside router.send for `source: 'tool'` callers; system
 // recovery paths (`source: 'system'`) bypass.
 export const MAX_CHANNEL_SENDS_PER_TURN = 10
+// Ceiling on tool-source channel sends that a same-turn router policy DENIED
+// without delivering — `skip-locked`, `turn-cap`, or `duplicate`. Such denials
+// return a soft error and do NOT increment `consecutiveSends`, so a model that
+// ignores the denial and retries never trips `MAX_CHANNEL_SENDS_PER_TURN`.
+// Both production livelocks had this shape: the model alternated a no-op
+// `skip_response` with a denied `channel_reply` (~200-400x in one
+// `session.prompt()`) — the interleaving defeated the byte-identical
+// loop-guard's 5-in-a-row streak, and the denials bypassed the send cap. One
+// turn was all `skip-locked`, the other all `duplicate` (byte-identical text).
+// Past this ceiling we ABORT the run's AbortSignal (`agent.abort()`), which
+// ends the turn on the next assistant stream. We can't just throw: the pi tool
+// executor catches a tool's throw into an error result and the turn continues.
+// Counted per send-target and only when NO concurrent reservation for that
+// target is in flight, so a legitimate parallel send-burst (one winner + many
+// same-tick duplicate/cap denials) is never mistaken for a loop. Reset at turn
+// start alongside `turnSeq`.
+export const MAX_POLICY_DENIED_CHANNEL_SENDS_PER_TURN = 3
 // Rolling window for outbound send-rate telemetry. 5s matches Discord's
 // rate-limit shape (5 msg / 5 s / channel) and comfortably covers Slack's
 // 1 msg/s sustained. The window is observational; exceeding the burst
@@ -347,6 +366,19 @@ type LiveSession = {
   // regardless of which order the model tried them in. Updated only at
   // turn start; reads against the live counter elsewhere are intentional.
   successfulSendsAtTurnStart: number
+  // Per-send-target count of tool-source sends with a reservation currently
+  // in flight (slot reserved, outbound callback not yet settled). Lets the
+  // policy-denial guard tell a legitimate parallel send-burst (denials that
+  // race a still-in-flight winner) from a sequential retry loop (denials with
+  // nothing in flight). Incremented at reservation, decremented in the
+  // callback-loop `finally` so an adapter throw can't strand a target.
+  inFlightToolSends: Map<string, number>
+  // Per-send-target count of policy-denied tool sends this turn that did NOT
+  // race an in-flight reservation. Drives the throw at
+  // `MAX_POLICY_DENIED_CHANNEL_SENDS_PER_TURN` that breaks the alternating-tool
+  // livelock the byte-identical loop-guard misses. Reset at turn start and
+  // cleared per-target on a successful delivery to that target.
+  policyDeniedToolSendsThisTurn: Map<string, number>
   // Stamped by `markTurnSkipped` (called from the `skip_response` tool)
   // with the current `turnSeq`. Read at the top of `validateChannelTurn`:
   // if it matches the just-completed turn, recovery is skipped entirely
@@ -1011,6 +1043,8 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         successfulChannelSends: 0,
         turnSeq: 0,
         successfulSendsAtTurnStart: 0,
+        inFlightToolSends: new Map(),
+        policyDeniedToolSendsThisTurn: new Map(),
         skippedTurn: null,
         pendingQuoteCandidate: null,
         recentEngagedPeerBotTurns: [],
@@ -1370,6 +1404,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         const successfulSendsBeforePrompt = live.successfulChannelSends
         live.turnSeq++
         live.successfulSendsAtTurnStart = successfulSendsBeforePrompt
+        live.policyDeniedToolSendsThisTurn.clear()
         await fireSessionTurnStart(live, text)
         try {
           await live.session.prompt(text)
@@ -1875,7 +1910,12 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     if (live && source === 'tool' && live.pendingQuoteCandidate !== null) {
       const quoteCandidate = refreshQuoteCandidate(live.pendingQuoteCandidate, live.contextBuffer)
       const anchor = decideQuoteAnchor(quoteCandidate, now(), options.configForAdapter(msg.adapter))
-      if (anchor !== null) msg = { ...msg, text: prependQuoteAnchor(msg.text ?? '', anchor) }
+      if (anchor !== null) {
+        msg =
+          resolveReplyRenderMode(msg) === 'native'
+            ? { ...msg, replyTo: { externalMessageId: anchor.externalMessageId, source: anchor.source } }
+            : { ...msg, text: prependQuoteAnchor(msg.text ?? '', anchor.source) }
+      }
       live.pendingQuoteCandidate = null
     }
     const text = normalizeSendText(msg.text)
@@ -1892,19 +1932,52 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     let priorLastSentText: string | undefined
     let reserved = false
     if (live && source === 'tool') {
+      // Every same-turn policy denial (skip-locked / turn-cap / duplicate)
+      // returns a soft error and does NOT increment `consecutiveSends`, so a
+      // model that ignores the denial and retries never trips the send cap. To
+      // bound that loop we route all three through one tally that ABORTS the run
+      // past the ceiling. The discriminator that keeps legitimate parallel
+      // send-bursts soft: a denial only counts when NO reservation for the same
+      // target is in flight. In a `Promise.all` burst the synchronous denials
+      // all race the one in-flight winner, so they don't count; a sequential
+      // retry loop has nothing in flight, so it does. See
+      // `MAX_POLICY_DENIED_CHANNEL_SENDS_PER_TURN`.
+      //
+      // Why abort, not throw: pi-agent-core's tool executor catches a throw
+      // from a tool's execute() and converts it into an `isError` tool result —
+      // the turn would continue and the model could retry. The only thing that
+      // actually ends an in-flight turn is aborting the run's AbortSignal:
+      // `agent.abort()` flips it synchronously, then the NEXT assistant stream
+      // (after this tool returns) sees the aborted signal and ends the turn with
+      // stopReason 'aborted'. We must NOT call `session.abort()` here — it
+      // `await`s `waitForIdle()`, which would deadlock waiting for the very run
+      // this tool call belongs to. `agent.abort()` is the signal-only,
+      // non-blocking variant. We still return the soft denial for this call.
+      const denyPolicyToolSend = (error: string, code: SendErrorCode): SendResult => {
+        if ((live.inFlightToolSends.get(sendKey) ?? 0) > 0) {
+          return { ok: false, error, code }
+        }
+        const count = (live.policyDeniedToolSendsThisTurn.get(sendKey) ?? 0) + 1
+        live.policyDeniedToolSendsThisTurn.set(sendKey, count)
+        if (count >= MAX_POLICY_DENIED_CHANNEL_SENDS_PER_TURN) {
+          logger.warn(`[channels] ${live.keyId}: aborting turn — ${count} policy-denied channel sends (last: ${code})`)
+          if (live.session.agent.signal?.aborted !== true) live.session.agent.abort()
+        }
+        return { ok: false, error, code }
+      }
       // Tool-source send after `skip_response` for the same turn is a contract
       // violation: the model already committed to silence. Reject before any
       // state mutation so the model gets a clear error and the channel stays
       // silent. System-source sends (recovery, role-claim) are not affected.
       if (live.skippedTurn !== null && live.skippedTurn.turnSeq === live.turnSeq) {
-        return { ok: false, error: SKIP_RESPONSE_LOCK_ERROR, code: 'skip-locked' }
+        return denyPolicyToolSend(SKIP_RESPONSE_LOCK_ERROR, 'skip-locked')
       }
       const currentCount = live.consecutiveSends.get(sendKey) ?? 0
       if (currentCount >= MAX_CHANNEL_SENDS_PER_TURN) {
-        return { ok: false, error: TURN_CAP_ERROR, code: 'turn-cap' }
+        return denyPolicyToolSend(TURN_CAP_ERROR, 'turn-cap')
       }
       if (text !== undefined && live.lastSentText.get(sendKey) === text) {
-        return { ok: false, error: DUPLICATE_SEND_ERROR, code: 'duplicate' }
+        return denyPolicyToolSend(DUPLICATE_SEND_ERROR, 'duplicate')
       }
       // Reserve the slot before awaiting. If the callback rejects we roll
       // back below; if it succeeds we keep the increment. The slot reserve
@@ -1915,6 +1988,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       priorLastSentText = live.lastSentText.get(sendKey)
       live.consecutiveSends.set(sendKey, currentCount + 1)
       if (text !== undefined) live.lastSentText.set(sendKey, text)
+      live.inFlightToolSends.set(sendKey, (live.inFlightToolSends.get(sendKey) ?? 0) + 1)
       reserved = true
     }
 
@@ -1924,13 +1998,24 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     const snapshot = Array.from(callbacks)
     let lastError: string | undefined
     let delivered = false
-    for (const cb of snapshot) {
-      const result = await cb(msg)
-      if (result.ok) {
-        delivered = true
-        break
+    try {
+      for (const cb of snapshot) {
+        const result = await cb(msg)
+        if (result.ok) {
+          delivered = true
+          break
+        }
+        lastError = result.error
+      }
+    } finally {
+      // Clear the in-flight reservation even if a callback threw, so a flaky
+      // adapter can never strand a target as permanently "in flight" and
+      // disable the policy-denial guard for it.
+      if (live && reserved) {
+        const inFlight = (live.inFlightToolSends.get(sendKey) ?? 1) - 1
+        if (inFlight <= 0) live.inFlightToolSends.delete(sendKey)
+        else live.inFlightToolSends.set(sendKey, inFlight)
       }
-      lastError = result.error
     }
 
     if (!delivered) {
@@ -1950,6 +2035,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
 
     if (live) {
       live.successfulChannelSends++
+      live.policyDeniedToolSendsThisTurn.delete(sendKey)
       // Don't stop the heartbeat here: the agent may still be mid-turn and
       // about to send another reply. drain()'s finally block owns turn-end
       // stop. But Slack's adapter outbound callback explicitly clears
@@ -2480,12 +2566,7 @@ function formatAuthorLine(
   return `${stamp}${formatAuthorReference(adapter, authorId, authorName)} (${authorName})${tag}: ${text}`
 }
 
-export type QuoteAnchorSource = {
-  adapter: AdapterId
-  authorId: string
-  authorName: string
-  text: string
-}
+export type { QuoteAnchorSource } from './types'
 
 // Picks the right author syntax for the platform so prompts and rendered
 // quote anchors use the same form the user would type in that channel.
@@ -2557,6 +2638,7 @@ type QuoteAnchorBatchEntry = {
   authorName: string
   authorIsBot: boolean
   receivedAt: number
+  externalMessageId: string
 }
 
 type QuoteAnchorObservedEntry = {
@@ -2566,10 +2648,18 @@ type QuoteAnchorObservedEntry = {
 
 export type QuoteAnchorCandidate = {
   source: QuoteAnchorSource
+  // Native id of the primary inbound, so a native-reply adapter can point at
+  // the exact message; the blockquote fallback ignores it.
+  externalMessageId: string
   primaryReceivedAt: number
   hadInterveningObserved: boolean
 }
 
+export type QuoteAnchorTarget = {
+  source: QuoteAnchorSource
+  externalMessageId: string
+}
+
 // Strips both current `[<Adapter> attachment #N: ...]` and legacy
 // `[<Adapter> message with ...]` placeholders that adapter
 // classifiers synthesize for non-text inbounds (KakaoTalk stickers,
@@ -2620,6 +2710,7 @@ export function captureQuoteCandidate(
   if (cleaned === '') return null
   return {
     source: { adapter, authorId: primary.authorId, authorName: primary.authorName, text: cleaned },
+    externalMessageId: primary.externalMessageId,
     primaryReceivedAt: primary.receivedAt,
     hadInterveningObserved: hasInterveningObserved(primary.receivedAt, observed),
   }
@@ -2647,12 +2738,34 @@ export function decideQuoteAnchor(
   candidate: QuoteAnchorCandidate | null,
   _nowMs: number,
   adapterConfig: ChannelAdapterConfig | undefined,
-): QuoteAnchorSource | null {
+): QuoteAnchorTarget | null {
   if (candidate === null) return null
   const config = adapterConfig?.quotedReply
   if (config !== undefined && config.enabled === false) return null
   if (!candidate.hadInterveningObserved) return null
-  return candidate.source
+  return { source: candidate.source, externalMessageId: candidate.externalMessageId }
+}
+
+export type ReplyRenderMode = 'native' | 'quote'
+
+// Per-adapter, per-shape decision: can this exact outbound carry a native
+// platform reply, or must it degrade to the blockquote fallback? Conditional
+// because native support is not uniform within an adapter — Telegram's
+// `sendMessage` accepts `reply_to_message_id` but `sendDocument` does not, so
+// an attachment-only Telegram reply must quote; the same text-only restriction
+// holds for Discord (`message_reference` rides on the text send, file uploads
+// land bare) and KakaoTalk. Slack's primitive is `thread`, not a per-message
+// reply, so it stays quote; GitHub's PR-review reply already rides on `thread`.
+//
+// KakaoTalk is `native` here even though its reply payload can fail to resolve
+// at send time — the adapter degrades to the blockquote fallback itself using
+// `replyTo.source`, so the router still routes it down the native branch.
+const NATIVE_REPLY_TEXT_ADAPTERS = new Set<AdapterId>(['telegram-bot', 'discord-bot', 'kakaotalk'])
+
+export function resolveReplyRenderMode(msg: OutboundMessage): ReplyRenderMode {
+  const hasText = normalizeSendText(msg.text) !== undefined
+  if (hasText && NATIVE_REPLY_TEXT_ADAPTERS.has(msg.adapter)) return 'native'
+  return 'quote'
 }
 
 type Sliced = { kind: 'message'; message: ChannelHistoryMessage } | { kind: 'elision'; elidedCount: number }

package/src/channels/types.ts

@@ -126,6 +126,28 @@ export type OutboundMessage = {
   // `uploadFile` does not accept a content body or a thread id, see the
   // adapter for the workaround details.
   attachments?: OutboundAttachment[]
+  // Set by the router (native render mode + anchor fired) so an adapter can
+  // reply to the inbound it answers. Telegram/Discord consume `externalMessageId`;
+  // `quote`-mode adapters never see this (the router prepends the blockquote into
+  // `text` instead). `source` lets an adapter whose native primitive can fail at
+  // send time (KakaoTalk: payload built from a source message that may have
+  // scrolled out of history) degrade to the same blockquote fallback.
+  replyTo?: OutboundReplyTo
+}
+
+export type OutboundReplyTo = {
+  externalMessageId: string
+  source?: QuoteAnchorSource
+}
+
+// `adapter` selects the per-platform author-mention syntax in the blockquote
+// fallback. Lives here (not router.ts) so adapters can reconstruct a native
+// reply payload from the same shape the router renders quotes from.
+export type QuoteAnchorSource = {
+  adapter: AdapterId
+  authorId: string
+  authorName: string
+  text: string
 }
 
 export type SendErrorCode =

package/src/config/providers.ts

@@ -197,10 +197,11 @@ export const KNOWN_PROVIDERS = {
   // anthropic`) before relying on the env-var path. Same rule applies to any
   // future dual-auth provider — keep the surprise in mind when expanding.
   //
-  // Model lineup is the current GA tier as of 2026-04-16: Opus 4.7 (top,
-  // released Apr 16 2026), Sonnet 4.6 (mid, Feb 5 2026), Haiku 4.5 (fast,
-  // Oct 1 2025). Anthropic's own model overview lists these three as the
-  // current recommended set and flags earlier Opus/Sonnet variants with
+  // Model lineup is the current GA tier as of 2026-05-29: Opus 4.8 (top,
+  // released May 2026), Opus 4.7 (prior top, Apr 16 2026), Sonnet 4.6 (mid,
+  // Feb 5 2026), Haiku 4.5 (fast, Oct 1 2025). Anthropic's own model overview
+  // lists the latest Opus/Sonnet/Haiku as the current recommended set and
+  // flags earlier Opus/Sonnet variants with
   // "Consider migrating to current models." Opus 4 / Sonnet 4 are deprecated
   // (retirement: Jun 15 2026); the 4.5/4.6 alternates remain Active but are
   // not the recommended path.
@@ -276,6 +277,18 @@ export const KNOWN_PROVIDERS = {
         contextWindow: 1000000,
         maxTokens: 128000,
       },
+      'claude-opus-4-8': {
+        id: 'claude-opus-4-8',
+        name: 'Claude Opus 4.8',
+        api: 'anthropic-messages',
+        provider: 'anthropic',
+        baseUrl: 'https://api.anthropic.com',
+        reasoning: true,
+        input: ['text', 'image'],
+        cost: { input: 5, output: 25, cacheRead: 0.5, cacheWrite: 6.25 },
+        contextWindow: 1000000,
+        maxTokens: 128000,
+      },
     },
   },
   fireworks: {

package/src/container/start.ts

@@ -464,12 +464,29 @@ export async function planStart({
   // misattribute to bot detection. 2g matches the Playwright/Puppeteer
   // canonical recommendation and is a memory cap, not an allocation (only
   // used pages count against the host).
+  // `seccomp=unconfined` lets `bwrap(1)` (installed in baseline; see
+  // BASELINE_APT_PACKAGES in src/init/dockerfile.ts) create user/pid/mount
+  // namespaces from inside the container. Docker's default seccomp profile
+  // rejects `unshare(CLONE_NEWUSER)` and `clone(CLONE_NEWUSER)` for
+  // non-privileged containers, which is the right default for multi-tenant
+  // hosts (Kubernetes nodes, CI runners) but wrong for typeclaw: the outer
+  // container is a single-tenant trust boundary — the user trusts everything
+  // inside it equally, the .env and agent folder are already mounted in —
+  // so the multi-tenant protections seccomp adds are not load-bearing for
+  // typeclaw's threat model. The per-tool sandbox bwrap builds for subagents
+  // IS the real boundary against prompt-injected commands; that boundary is
+  // what `--security-opt seccomp=unconfined` exists to enable. See
+  // `docs/internals/sandbox.mdx` for the full rationale including why
+  // `--cap-add=SYS_ADMIN` was rejected as an alternative (narrower in
+  // syscalls but strictly worse in capability semantics).
   const runArgs = [
     'run',
     '-d',
     '--name',
     containerName,
     '--shm-size=2g',
+    '--security-opt',
+    'seccomp=unconfined',
     '-p',
     `${publishHost}:${hostPort}:${CONTAINER_PORT}`,
   ]

package/src/init/dockerfile.ts

@@ -38,7 +38,27 @@ export type BuildDockerfileOptions = {
 // self-heals: it spawns Xvfb (and exports DISPLAY) if the binary is on
 // PATH, and execs the agent directly otherwise. See APT_FEATURES.xvfb
 // below and `buildEntrypointShim`.
-const BASELINE_APT_PACKAGES = ['git', 'ca-certificates', 'curl', 'gnupg', 'iptables', 'util-linux'] as const
+// `bubblewrap` ships the `bwrap(1)` setuid-less namespace sandboxer. It is
+// included in baseline (not behind a toggle) because per-tool sandboxing of
+// agent bash calls is a runtime concern resolved by the agent, not by the
+// agent author. See `src/sandbox/` for the bwrap command builder, and
+// `docs/internals/sandbox.mdx` for why bwrap is the right
+// shape for per-call isolation inside an already-containerized agent. The
+// outer container's `--security-opt seccomp=unconfined` (added in the same
+// commit as this line; see `src/container/start.ts:planStart`) is what lets
+// bwrap create user/pid/mount namespaces from inside Docker. Without that
+// flag the seccomp default profile blocks `unshare(CLONE_NEWUSER)` and bwrap
+// fails at startup. The two changes are load-bearing together — do not drop
+// one without the other.
+const BASELINE_APT_PACKAGES = [
+  'git',
+  'ca-certificates',
+  'curl',
+  'gnupg',
+  'iptables',
+  'util-linux',
+  'bubblewrap',
+] as const
 
 // curl-impersonate is the only currently-working way to query DuckDuckGo from
 // a non-browser client on residential IPs in 2026. DDG fingerprints incoming

package/src/sandbox/availability.ts

@@ -0,0 +1,35 @@
+import { SandboxUnavailableError } from './errors'
+
+// Cached because the binary cannot appear or disappear during a single
+// process lifetime, and a probe per bash call is wasted work. Keyed by the
+// resolved bwrap path so a test (or a consumer pinning a non-default path)
+// re-probes instead of reading another path's cached result.
+const availabilityCache = new Map<string, boolean>()
+
+export async function ensureBwrapAvailable(options?: { bwrapPath?: string }): Promise<void> {
+  const bwrap = options?.bwrapPath ?? 'bwrap'
+  const cached = availabilityCache.get(bwrap)
+  if (cached === true) return
+  if (cached === false) throw new SandboxUnavailableError()
+
+  const available = await probe(bwrap)
+  availabilityCache.set(bwrap, available)
+  if (!available) throw new SandboxUnavailableError()
+}
+
+async function probe(bwrap: string): Promise<boolean> {
+  // Bun.spawn throws synchronously with ENOENT when the binary is not on
+  // PATH, rather than resolving with a non-zero exit code — so the
+  // "not installed" case lands in the catch, not in proc.exitCode.
+  try {
+    const proc = Bun.spawn([bwrap, '--version'], { stdout: 'ignore', stderr: 'ignore' })
+    await proc.exited
+    return proc.exitCode === 0
+  } catch {
+    return false
+  }
+}
+
+export function _resetBwrapAvailabilityCacheForTests(): void {
+  availabilityCache.clear()
+}

package/src/sandbox/build.ts

@@ -0,0 +1,128 @@
+import { SandboxPolicyError } from './errors'
+import {
+  DEFAULT_SANDBOX_ENV,
+  type SandboxCommandFilter,
+  type SandboxEnvPolicy,
+  type SandboxMount,
+  type SandboxPolicy,
+} from './policy'
+import { formatCommand } from './quote'
+
+export type SandboxedCommand = {
+  argv: string[]
+  commandString: string
+}
+
+// Pure: no I/O, no bwrap availability probe (that is `ensureBwrapAvailable`'s
+// job). Given a bash command and a policy, returns the bwrap-wrapped argv plus
+// a shell-quoted rendering of it. Knows nothing about subagents, origins, or
+// the agent runtime — a consumer resolves a policy from whatever context it
+// has and calls this. Throws SandboxPolicyError only when the consumer opted
+// into the command-filter knobs and the command violates them.
+export function buildSandboxedCommand(command: string, policy: SandboxPolicy = {}): SandboxedCommand {
+  if (policy.commandFilter !== undefined) {
+    applyCommandFilter(command, policy.commandFilter)
+  }
+  const argv = buildArgv(command, policy)
+  return { argv, commandString: formatCommand(argv) }
+}
+
+function buildArgv(command: string, policy: SandboxPolicy): string[] {
+  const bwrap = policy.bwrapPath ?? 'bwrap'
+  const argv: string[] = [bwrap, '--unshare-all']
+
+  if (policy.network === 'inherit') {
+    // --unshare-all already unshared the net namespace; --share-net rejoins
+    // the outer container's network. Other namespaces (user/pid/mount/ipc/
+    // uts/cgroup) stay unshared. Default ('none' / undefined) leaves the net
+    // namespace isolated — prompt-injected bash cannot exfiltrate over the
+    // network without the consumer explicitly opting in.
+    argv.push('--share-net')
+  }
+
+  const proc = policy.process ?? {}
+  if (proc.newSession !== false) {
+    // Drops the controlling terminal so the contained process cannot push
+    // input back into the agent's tty via TIOCSTI. Mandated by
+    // docs/internals/sandbox.mdx. Harmless for a one-shot `bash -c`.
+    argv.push('--new-session')
+  }
+  if (proc.dieWithParent !== false) {
+    argv.push('--die-with-parent')
+  }
+
+  argv.push('--clearenv')
+  for (const [key, value] of Object.entries(resolveEnv(policy.env))) {
+    argv.push('--setenv', key, value)
+  }
+
+  argv.push('--ro-bind', '/usr', '/usr', '--ro-bind', '/etc', '/etc', '--dev', '/dev', '--tmpfs', '/tmp')
+
+  if ((policy.proc ?? 'tmpfs') === 'tmpfs') {
+    // --tmpfs /proc, never --proc /proc (OrbStack's kernel blocks
+    // mount("proc",...) from user namespaces) and never --dev-bind /proc /proc
+    // (leaks the outer container's /proc/N/environ — including
+    // FIREWORKS_API_KEY — into the sandbox). See sandbox.mdx.
+    argv.push('--tmpfs', '/proc')
+  }
+
+  for (const mount of policy.mounts ?? []) {
+    appendMount(argv, mount)
+  }
+
+  if (policy.cwd !== undefined) {
+    argv.push('--chdir', policy.cwd)
+  }
+
+  argv.push('bash', '-c', command)
+  return argv
+}
+
+function appendMount(argv: string[], mount: SandboxMount): void {
+  switch (mount.type) {
+    case 'ro-bind':
+      argv.push('--ro-bind', mount.source, mount.dest)
+      return
+    case 'bind':
+      argv.push('--bind', mount.source, mount.dest)
+      return
+    case 'tmpfs':
+      argv.push('--tmpfs', mount.dest)
+      return
+    case 'dev':
+      argv.push('--dev', mount.dest)
+      return
+  }
+}
+
+function resolveEnv(env: SandboxEnvPolicy | undefined): Record<string, string> {
+  const resolved: Record<string, string> = { ...DEFAULT_SANDBOX_ENV, ...env?.set }
+  for (const key of env?.passthrough ?? []) {
+    const value = process.env[key]
+    if (value !== undefined) resolved[key] = value
+  }
+  return resolved
+}
+
+// Token-boundary match: the normalized command must equal a prefix exactly or
+// start with `prefix + ' '`. Substring matching would let `git-evil ...` slip
+// past a `git` prefix; this does not.
+const ALLOWLIST_WHITESPACE = /\s+/g
+const FORBIDDEN_METACHARS = /[;&|`$()<>\\\n]/
+
+function applyCommandFilter(command: string, filter: SandboxCommandFilter): void {
+  if (filter.rejectShellMetacharacters === true && FORBIDDEN_METACHARS.test(command)) {
+    throw new SandboxPolicyError(
+      'command contains a forbidden shell metacharacter. This policy only permits simple commands without ; & | ` $ ( ) < > \\ or newlines.',
+    )
+  }
+  if (filter.allowPrefixes !== undefined) {
+    const normalized = command.trim().replace(ALLOWLIST_WHITESPACE, ' ')
+    const matched = filter.allowPrefixes.some((p) => normalized === p || normalized.startsWith(`${p} `))
+    if (!matched) {
+      throw new SandboxPolicyError(
+        `command does not match any allowed prefix. Allowed: ${filter.allowPrefixes.join(', ')}`,
+      )
+    }
+  }
+}

package/src/sandbox/errors.ts

@@ -0,0 +1,20 @@
+export class SandboxUnavailableError extends Error {
+  override readonly name = 'SandboxUnavailableError'
+  constructor() {
+    super(
+      'sandbox unavailable: bwrap binary not found on PATH. Refusing to run a command that requires sandboxing without the kernel boundary in place.',
+    )
+  }
+}
+
+// Raised by the optional command-filter knobs (allowPrefixes,
+// rejectShellMetacharacters). These are consumer-opt-in restrictions layered
+// ABOVE the always-on kernel containment, so a rejection here is a policy
+// decision the consumer asked for — not a failure of the sandbox itself. The
+// message is phrased for the model to read and self-correct from.
+export class SandboxPolicyError extends Error {
+  override readonly name = 'SandboxPolicyError'
+  constructor(reason: string) {
+    super(`sandbox policy rejected command: ${reason}`)
+  }
+}

package/src/sandbox/index.ts

@@ -0,0 +1,14 @@
+export { buildSandboxedCommand, type SandboxedCommand } from './build'
+export { ensureBwrapAvailable } from './availability'
+export { formatCommand, shellQuote } from './quote'
+export { SandboxPolicyError, SandboxUnavailableError } from './errors'
+export {
+  DEFAULT_SANDBOX_ENV,
+  type SandboxCommandFilter,
+  type SandboxEnvPolicy,
+  type SandboxMount,
+  type SandboxNetwork,
+  type SandboxPolicy,
+  type SandboxProcessPolicy,
+  type SandboxProcStrategy,
+} from './policy'

package/src/sandbox/policy.ts

@@ -0,0 +1,47 @@
+export type SandboxMount =
+  | { type: 'ro-bind'; source: string; dest: string }
+  | { type: 'bind'; source: string; dest: string }
+  | { type: 'tmpfs'; dest: string }
+  | { type: 'dev'; dest: string }
+
+export type SandboxNetwork = 'none' | 'inherit'
+
+export type SandboxProcStrategy = 'tmpfs' | 'none'
+
+export type SandboxEnvPolicy = {
+  set?: Record<string, string>
+  passthrough?: string[]
+}
+
+export type SandboxCommandFilter = {
+  allowPrefixes?: string[]
+  rejectShellMetacharacters?: boolean
+}
+
+export type SandboxProcessPolicy = {
+  newSession?: boolean
+  dieWithParent?: boolean
+}
+
+export type SandboxPolicy = {
+  bwrapPath?: string
+  cwd?: string
+  mounts?: SandboxMount[]
+  network?: SandboxNetwork
+  env?: SandboxEnvPolicy
+  commandFilter?: SandboxCommandFilter
+  process?: SandboxProcessPolicy
+  proc?: SandboxProcStrategy
+}
+
+// The env the sandbox always re-introduces after `--clearenv`. Anything not
+// listed here (or explicitly named in `env.set` / `env.passthrough` by the
+// consumer) is invisible inside the sandbox. This is the load-bearing leak
+// guard: the container env holds FIREWORKS_API_KEY and GH_TOKEN, and env
+// inheritance is the single highest-risk exfil path for prompt-injected bash.
+// HOME points at /tmp because the sandbox mounts /tmp as a fresh tmpfs.
+export const DEFAULT_SANDBOX_ENV: Record<string, string> = {
+  PATH: '/usr/local/bin:/usr/bin:/bin',
+  HOME: '/tmp',
+  LANG: 'C.UTF-8',
+}

package/src/sandbox/quote.ts

@@ -0,0 +1,18 @@
+// POSIX shell quoting for rendering a bwrap argv array into a single
+// `bash -c`-safe string. Today's bash tool accepts a string `command` slot
+// (`mutableArgs.command`), so the sandbox primitive renders its canonical
+// argv into a quoted string the agent runtime can drop in unchanged.
+//
+// This is a local copy of the same helper in `src/update/index.ts`. It is
+// deliberately not promoted to a shared module yet: two call sites do not
+// justify the coupling, and this primitive is meant to stand alone with zero
+// imports from the rest of the tree. Promote to `src/shared/shell.ts` only
+// when a third independent consumer appears.
+export function shellQuote(arg: string): string {
+  if (/^[A-Za-z0-9_./:@%+=,-]+$/.test(arg)) return arg
+  return `'${arg.replaceAll("'", "'\\''")}'`
+}
+
+export function formatCommand(argv: readonly string[]): string {
+  return argv.map(shellQuote).join(' ')
+}

package/src/skills/typeclaw-channel-kakaotalk/SKILL.md

@@ -11,14 +11,16 @@ This means **you are messaging as a person, not as a bot.** Other participants s
 
 ## What KakaoTalk does NOT support
 
-If you produce any of the following, KakaoTalk will render it literally and the recipient will see the raw markup:
-
-- **Bold / italic / strikethrough** — `**bold**` shows as `**bold**`. Drop the asterisks; emphasize with word choice or capitalization (sparingly).
-- **Headings** — `# H1`, `## H2`, `### H3` all render as raw `#` characters.
-- **Tables** — pipe-delimited tables become a wall of `|` characters. Use bullet lists or short prose paragraphs instead.
-- **Code fences** — ``` blocks render as raw backticks. For short snippets, paste the code inline. For long snippets, summarize and offer to send it via another channel.
-- **Inline code** — `` `foo` `` renders as `` `foo` ``. Just write `foo`.
-- **Links with display text** — `[label](url)` becomes the literal string. Send the bare URL on its own; the KakaoTalk client will auto-link it.
+KakaoTalk renders messages as plain text — it has no rich-text formatting. **Write plain text from the start.** The adapter strips common markdown as a safety net before sending (so an accidental `**bold**` won't leak literal asterisks), but treat that as a last-resort guard, not a license to write markdown: the strip removes _markers_, it cannot make formatting-dependent layouts like tables readable. Compose for a plain-text surface and you control the result; lean on the stripper and you get whatever falls out.
+
+Specifically, do not rely on any of the following — write the plain-text equivalent yourself:
+
+- **Bold / italic / strikethrough** — emphasize with word choice or capitalization (sparingly), not `**asterisks**`.
+- **Headings** — `# H1`, `## H2`, `### H3` carry no visual weight here. Use a short label line or just lead with the point.
+- **Tables** — the stripper cannot rescue a pipe-delimited table; it would collapse into an unreadable line. Use bullet lists or short prose paragraphs instead.
+- **Code fences** — for short snippets, paste the code inline as plain text. For long snippets, summarize and offer to send it via another channel.
+- **Inline code** — just write `foo`, no backticks.
+- **Links with display text** — send the bare URL on its own line; the KakaoTalk client auto-links it. (A `[label](url)` that slips through is reduced to `label (url)`, but a bare URL reads cleaner.)
 - **Mentions** — there is no `@user` syntax that the protocol surfaces. Address people by name in the message body.
 - **Threads / replies-with-quote** — every message is a top-level chat post. There is no per-message reply UI.
 - **Outbound stickers / emoticons** — the KakaoTalk sticker store requires desktop-app purchase flows that the SDK does not replicate. Inbound stickers ARE surfaced (see below), but you cannot send one. If the user asks for a sticker, acknowledge the limit and offer text.
@@ -106,4 +108,4 @@ The adapter drops every inbound where `event.author_id` equals the logged-in acc
 
 ## When you cannot answer in KakaoTalk
 
-If the user asks you to do something the adapter cannot do (render markdown, post in a thread, send a sticker), say so plainly. Files are fine — those go through `attachments[]` as described above — but markdown rendering, threading, and stickers are real limits. Acknowledge the limit instead of silently dropping the request.
+If the user asks you to do something the adapter cannot do (post in a thread, send a sticker, render a real table), say so plainly. Files are fine — those go through `attachments[]` as described above — but threading, stickers, and rich formatting are real limits. Markdown markers you emit get stripped to plain text automatically, so a stray `**` won't leak; the limit is that nothing renders as formatting, not that it crashes. Acknowledge the limit instead of silently dropping the request.

package/typeclaw.schema.json

@@ -32,6 +32,7 @@
               "anthropic/claude-haiku-4-5",
               "anthropic/claude-sonnet-4-6",
               "anthropic/claude-opus-4-7",
+              "anthropic/claude-opus-4-8",
               "fireworks/accounts/fireworks/routers/kimi-k2p6-turbo",
               "zai/glm-4.5-air",
               "zai/glm-4.6",
@@ -59,6 +60,7 @@
                 "anthropic/claude-haiku-4-5",
                 "anthropic/claude-sonnet-4-6",
                 "anthropic/claude-opus-4-7",
+                "anthropic/claude-opus-4-8",
                 "fireworks/accounts/fireworks/routers/kimi-k2p6-turbo",
                 "zai/glm-4.5-air",
                 "zai/glm-4.6",