typeclaw 0.16.0 → 0.18.0

package/src/channels/adapters/slack-bot.ts

@@ -35,12 +35,11 @@ import {
 import { createSlackDedupe } from './slack-bot-dedupe'
 import {
   buildSlashAckPayload,
+  commandResultReply,
   parseSlashCommand,
-  SLACK_SLASH_REPLY_ABORTED,
-  SLACK_SLASH_REPLY_AMBIGUOUS,
+  parseThreadCommand,
   SLACK_SLASH_REPLY_FAILED,
-  SLACK_SLASH_REPLY_NO_LIVE_SESSION,
-  SLACK_SLASH_REPLY_PERMISSION_DENIED,
+  type ThreadCommandInput,
 } from './slack-bot-slash-commands'
 import { slackTsToMillis } from './slack-bot-time'
 
@@ -124,16 +123,7 @@ export function createSlashCommandHandler(
       return
     }
 
-    const replyContent =
-      result.kind === 'handled'
-        ? SLACK_SLASH_REPLY_ABORTED
-        : result.kind === 'no-live-session'
-          ? SLACK_SLASH_REPLY_NO_LIVE_SESSION
-          : result.kind === 'permission-denied'
-            ? SLACK_SLASH_REPLY_PERMISSION_DENIED
-            : result.kind === 'ambiguous'
-              ? SLACK_SLASH_REPLY_AMBIGUOUS
-              : SLACK_SLASH_REPLY_FAILED
+    const replyContent = commandResultReply(result)
 
     // Final ack on the happy path: own try/catch so a thrown ack here does
     // NOT cascade into the error-path ack above (which would violate the
@@ -158,6 +148,67 @@ export function createSlashCommandHandler(
   }
 }
 
+export type ThreadCommandReplyPoster = (args: { chat: string; thread: string | null; text: string }) => Promise<void>
+
+export type ThreadCommandHandlerDeps = {
+  router: Pick<ChannelRouter, 'executeCommand'>
+  knownCommandNames: ReadonlySet<string>
+  postReply: ThreadCommandReplyPoster
+  logger: SlackBotAdapterLoggerLike
+}
+
+export type ThreadCommandOutcome = { kind: 'not-a-command' } | { kind: 'duplicate' } | { kind: 'executed' }
+
+// Synchronous reservation: the adapter marks the dedupe ring inside this hook,
+// which the handler calls before its first `await`. Two duplicate Slack
+// deliveries can both clear `dedupe.check()` on the same JS tick; whichever
+// reserves first wins and returns `true`, the loser returns `false` and aborts
+// — so a control command never runs twice across the check→execute window.
+export type ThreadCommandReserve = () => boolean
+
+// Routes a `!cmd` thread message through the SAME router.executeCommand path as
+// native slashes, then posts the outcome back into the thread. Returns
+// 'not-a-command' (caller proceeds with normal classify/route), 'duplicate'
+// (a racing delivery already reserved this event — caller stops silently), or
+// 'executed' (command handled — caller stops; it is not agent input).
+export function createThreadCommandHandler(
+  deps: ThreadCommandHandlerDeps,
+): (input: ThreadCommandInput, reserve: ThreadCommandReserve) => Promise<ThreadCommandOutcome> {
+  return async (input, reserve) => {
+    const parsed = parseThreadCommand(input, deps.knownCommandNames)
+    if (parsed.kind === 'ignore') {
+      return { kind: 'not-a-command' }
+    }
+    // Reserve synchronously, before any await, to close the check→execute race.
+    if (!reserve()) {
+      return { kind: 'duplicate' }
+    }
+    const { command } = parsed
+    deps.logger.info(
+      `[slack-bot] thread-command !${command.name} invoker=${command.invokerId} team=${command.key.workspace} channel=${command.key.chat} thread=${command.key.thread ?? '(none)'}`,
+    )
+
+    let reply: string
+    try {
+      const result = await deps.router.executeCommand(command.key, command.name, {
+        invokerId: command.invokerId,
+      })
+      reply = commandResultReply(result)
+      deps.logger.info(`[slack-bot] thread-command !${command.name} result=${result.kind}`)
+    } catch (err) {
+      deps.logger.error(`[slack-bot] thread-command !${command.name} failed: ${describe(err)}`)
+      reply = SLACK_SLASH_REPLY_FAILED
+    }
+
+    try {
+      await deps.postReply({ chat: input.channel, thread: input.threadTs, text: reply })
+    } catch (err) {
+      deps.logger.warn(`[slack-bot] thread-command reply post failed: ${describe(err)}`)
+    }
+    return { kind: 'executed' }
+  }
+}
+
 // app_mention payloads omit channel_type and never carry a subtype, so we
 // promote them to a message-shaped event for the shared classifier. The
 // promoted event is classified as a regular channel message; the
@@ -783,6 +834,24 @@ export function createSlackBotAdapter(options: SlackBotAdapterOptions): SlackBot
     formatChannelTag,
   })
 
+  const handleThreadCommand = createThreadCommandHandler({
+    router: options.router,
+    knownCommandNames: SLACK_SLASH_COMMAND_NAMES,
+    logger,
+    postReply: async ({ chat, thread, text }) => {
+      const result = await outboundCallback({
+        adapter: 'slack-bot',
+        workspace: teamId ?? 'unknown',
+        chat,
+        ...(thread !== null ? { thread } : {}),
+        text,
+      })
+      if (!result.ok) {
+        throw new Error(result.error)
+      }
+    },
+  })
+
   const handleMessageEvent = async (
     event: SlackInboundMessageEvent,
     source: 'message' | 'app_mention',
@@ -813,6 +882,38 @@ export function createSlackBotAdapter(options: SlackBotAdapterOptions): SlackBot
         return
       }
 
+      // Intercept `!cmd` thread-message commands BEFORE classifyInbound. A
+      // command is control traffic — neither dropped nor routed to the agent —
+      // so it must short-circuit here. Bypassing classifyInbound also bypasses
+      // its self_author / no_user drops, so we replicate those guards: never
+      // execute a command from our own message (echo loop) or a userless
+      // system event. The `reserve` closure marks dedupe synchronously the
+      // instant the command is recognised (before the router await), closing
+      // the check→execute race for duplicate deliveries.
+      if (event.user !== undefined && event.user !== '' && (botUserId === null || event.user !== botUserId)) {
+        const reserve = (): boolean => {
+          if (dedupe.check(event) !== null) return false
+          dedupe.mark(event)
+          return true
+        }
+        const outcome = await handleThreadCommand(
+          {
+            text: event.text ?? '',
+            channel: event.channel,
+            threadTs: event.thread_ts ?? null,
+            isDm: event.channel_type === 'im',
+            teamId,
+            invokerId: event.user,
+          },
+          reserve,
+        )
+        if (outcome.kind === 'executed') return
+        if (outcome.kind === 'duplicate') {
+          logger.info(`[slack-bot] dropped ts=${event.ts} reason=duplicate_delivery (thread-command race)`)
+          return
+        }
+      }
+
       const verdict = classifyInbound(event, options.configRef(), {
         teamId,
         botUserId,

package/src/channels/router.ts

@@ -164,6 +164,19 @@ export const SESSION_FRESHNESS_TTL_MS = 5 * 60 * 1000
 // instead of awaiting the same dead promise forever.
 export const ENSURE_LIVE_TIMEOUT_MS = 30_000
 
+// Thrown by ensureLive() when a teardown (roles reload or shutdown) raced
+// ahead of an in-flight creation. route() has no special handling — it
+// propagates to the adapter's outer catch, dropping this one inbound. The
+// next inbound creates a fresh, post-reload session, which is the intended
+// outcome: a message that arrived mid-reload is cheap to drop, far cheaper
+// than answering it through a session built with the stale role.
+export class StaleLiveSessionError extends Error {
+  constructor(keyId: string) {
+    super(`[channels] ${keyId}: live session creation raced a teardown; discarded`)
+    this.name = 'StaleLiveSessionError'
+  }
+}
+
 // Per-callback ceilings inside the ensureLive chain. The outer watchdog
 // catches the worst case, but per-step timeouts give better log
 // attribution (which step hung) AND graceful degradation: a hung name
@@ -562,6 +575,7 @@ export type ChannelRouter = {
     | { kind: 'recorded-after-send'; keyId: string }
     | { kind: 'no-live-session' }
   stop: () => Promise<void>
+  tearDownAllLive: () => Promise<void>
   liveCount: () => number
   __testing?: {
     flushDebounce: (key: ChannelKey) => Promise<void>
@@ -691,6 +705,14 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
   const stream = options.stream
   const liveSessions = new Map<string, LiveSession>()
   const creating = new Map<string, Promise<LiveSession>>()
+  // Bumped by tearDownAllLive() and stop() before they tear sessions down. An
+  // in-flight ensureLive() captures the value at creation start and re-checks
+  // it right before installing into liveSessions; if it changed, a teardown
+  // raced ahead of this creation (e.g. a roles.match reload), so the session
+  // was built with stale role context and must self-dispose instead of
+  // installing — otherwise it would reintroduce the very staleness the
+  // teardown was meant to clear.
+  let liveGeneration = 0
   const outboundCallbacks = new Map<ChannelKey['adapter'], Set<OutboundCallback>>()
   const typingCallbacks = new Map<ChannelKey['adapter'], Set<TypingCallback>>()
   const channelNameResolvers = new Map<ChannelKey['adapter'], Set<ChannelNameResolver>>()
@@ -909,6 +931,8 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     const inFlight = creating.get(keyId)
     if (inFlight) return inFlight
 
+    const generation = liveGeneration
+
     const promise = (async () => {
       await ensureLoaded()
       const record = mappings ? findRecord(mappings, key) : undefined
@@ -1073,6 +1097,17 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       live.unsubTypingActivity = subscribeTypingActivity(created.session, live)
       installChannelReplyTerminalHook(live)
       installChannelOutputCap(live)
+
+      // A teardown (roles reload / shutdown) ran while this session was being
+      // built, so it carries stale role context. Dispose it instead of
+      // installing — installing here is the exact window the race exploits.
+      if (generation !== liveGeneration) {
+        logger.info(
+          `[channels] ${keyId}: discarding session created across a teardown (gen ${generation} → ${liveGeneration})`,
+        )
+        await tearDownLive(live)
+        throw new StaleLiveSessionError(keyId)
+      }
       liveSessions.set(keyId, live)
 
       if (isColdStart) {
@@ -1632,6 +1667,12 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         logger.info(`[channels] ${keyId}: ignoring unknown command /${parsedCommand.name}`)
         return
       }
+      if (isSessionControlDenied(event)) {
+        logger.info(
+          `[channels] ${keyId}: denied command /${parsedCommand.name} by permissions (session.control) author=${event.authorId}`,
+        )
+        return
+      }
       const existingLive = liveSessions.get(keyId)
       if (!existingLive || existingLive.destroyed) {
         logger.info(`[channels] ${keyId}: ignoring command /${parsedCommand.name} with no live session`)
@@ -1714,17 +1755,24 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     scheduleDebouncedDrain(live)
   }
 
-  const isChannelRespondDenied = (event: InboundMessage): boolean => {
-    const partial: SessionOrigin = {
-      kind: 'channel',
-      adapter: event.adapter,
-      workspace: event.workspace,
-      chat: event.chat,
-      thread: event.thread,
-      lastInboundAuthorId: event.authorId,
-    }
-    return !permissions.has(partial, CORE_PERMISSIONS.channelRespond)
-  }
+  const inboundAuthorOrigin = (event: InboundMessage): SessionOrigin => ({
+    kind: 'channel',
+    adapter: event.adapter,
+    workspace: event.workspace,
+    chat: event.chat,
+    thread: event.thread,
+    lastInboundAuthorId: event.authorId,
+  })
+
+  const isChannelRespondDenied = (event: InboundMessage): boolean =>
+    !permissions.has(inboundAuthorOrigin(event), CORE_PERMISSIONS.channelRespond)
+
+  // Gated separately from channelRespond so a respond-capable guest (an
+  // operator can grant guest channelRespond for masked stranger turns)
+  // cannot /stop another speaker's in-flight turn. session.control is
+  // member-and-up by default.
+  const isSessionControlDenied = (event: InboundMessage): boolean =>
+    !permissions.has(inboundAuthorOrigin(event), CORE_PERMISSIONS.sessionControl)
 
   const updateLoopGuard = (live: LiveSession, event: InboundMessage): void => {
     if (!event.authorIsBot) {
@@ -2334,6 +2382,27 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
   const stop = async (): Promise<void> => {
     if (gcTimer) clearInterval(gcTimer)
     gcTimer = null
+    liveGeneration++
+    const all = Array.from(liveSessions.values())
+    liveSessions.clear()
+    for (const live of all) {
+      await tearDownLive(live)
+    }
+  }
+
+  // Drops every in-memory session but KEEPS the on-disk records, so the next
+  // inbound per channel rehydrates the same transcript through a fresh
+  // createSession() — which re-renders the frozen system-prompt role block.
+  // This is how a `roles.<name>.match` reload reaches live channel sessions.
+  // Unlike stop() it leaves the GC timer running; unlike stale-rollover it
+  // keeps the sessionId, so history survives.
+  //
+  // Bumping liveGeneration BEFORE the snapshot is what makes this race-free:
+  // a session mid-creation (in `creating` but not yet in `liveSessions`) won't
+  // appear in the snapshot below, but it captured the old generation and will
+  // self-dispose at its install guard instead of resurrecting stale role state.
+  const tearDownAllLive = async (): Promise<void> => {
+    liveGeneration++
     const all = Array.from(liveSessions.values())
     liveSessions.clear()
     for (const live of all) {
@@ -2350,11 +2419,11 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     if (!commands.has(lowered)) {
       return { kind: 'unknown-command', name: lowered }
     }
-    // Permission gate runs BEFORE the live-session lookup so a guest user
-    // invoking /stop on a non-existent session gets 'permission-denied'
-    // (consistent answer regardless of session state) rather than leaking
-    // session presence via the 'no-live-session' vs 'permission-denied'
-    // distinction.
+    // Gates on session.control (not channel.respond) so a respond-capable
+    // guest cannot abort another speaker's turn. Runs BEFORE the live-session
+    // lookup so an unauthorized invoker gets 'permission-denied' regardless of
+    // session state, rather than leaking session presence via the
+    // 'no-live-session' vs 'permission-denied' distinction.
     const partial: SessionOrigin = {
       kind: 'channel',
       adapter: key.adapter,
@@ -2363,7 +2432,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       thread: key.thread,
       lastInboundAuthorId: options.invokerId,
     }
-    if (!permissions.has(partial, CORE_PERMISSIONS.channelRespond)) {
+    if (!permissions.has(partial, CORE_PERMISSIONS.sessionControl)) {
       return { kind: 'permission-denied' }
     }
     const resolved = resolveLiveSessionForCommand(liveSessions, key)
@@ -2476,6 +2545,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     injectSubagentCompletionReminder,
     markTurnSkipped,
     stop,
+    tearDownAllLive,
     liveCount: () => liveSessions.size,
     __testing: {
       flushDebounce: async (key: ChannelKey) => {

package/src/cli/channel.ts

@@ -842,7 +842,6 @@ async function promptGithubAppAuth(): Promise<{
   type: 'app'
   appId: number
   privateKey: string
-  installationId?: number
 }> {
   const appId = await text({
     message: 'GitHub App ID',
@@ -857,21 +856,10 @@ async function promptGithubAppAuth(): Promise<{
     cancel('Aborted.')
     process.exit(0)
   }
-  const installationId = await text({
-    message: 'Installation ID (optional; leave blank to auto-discover)',
-    validate: (value) =>
-      value === undefined || value === '' ? undefined : validatePositiveInteger(value, 'Installation ID is required'),
-  })
-  if (isCancel(installationId)) {
-    cancel('Aborted.')
-    process.exit(0)
-  }
-  const parsedInstallationId = installationId === '' ? undefined : Number(installationId)
   return {
     type: 'app',
     appId: Number(appId),
     privateKey,
-    ...(parsedInstallationId !== undefined ? { installationId: parsedInstallationId } : {}),
   }
 }
 

package/src/cli/init.ts

@@ -1293,7 +1293,6 @@ async function promptGithubAppAuth(): Promise<{
   type: 'app'
   appId: number
   privateKey: string
-  installationId?: number
 } | null> {
   const appId = await text({
     message: 'GitHub App ID',
@@ -1302,18 +1301,10 @@ async function promptGithubAppAuth(): Promise<{
   if (isCancel(appId)) return null
   const privateKey = await promptPrivateKeyPem('GitHub App private key PEM, escaped PEM, or path to .pem file')
   if (privateKey === CANCEL_SYMBOL) return null
-  const installationId = await text({
-    message: 'Installation ID (optional; leave blank to auto-discover)',
-    validate: (v) =>
-      v === undefined || v === '' ? undefined : validatePositiveInteger(v, 'Installation ID is required'),
-  })
-  if (isCancel(installationId)) return null
-  const parsedInstallationId = installationId === '' ? undefined : Number(installationId)
   return {
     type: 'app',
     appId: Number(appId),
     privateKey,
-    ...(parsedInstallationId !== undefined ? { installationId: parsedInstallationId } : {}),
   }
 }
 

package/src/cli/role.ts

@@ -3,7 +3,7 @@ import { defineCommand } from 'citty'
 
 import { requireContainerRunning, resolveHostPort, resolveTuiToken } from '@/container'
 import { findAgentDir } from '@/init'
-import { runClaimSession } from '@/role-claim'
+import { reloadAfterClaim, runClaimSession } from '@/role-claim'
 
 import { c, errorLine } from './ui'
 
@@ -76,6 +76,15 @@ const claimSub = defineCommand({
 
     if (result.kind === 'completed') {
       s.stop(c.green(`Paired as ${result.payload.role}.`))
+      s.start('Reloading config so the new match rule takes effect...')
+      const reloaded = await reloadAfterClaim({ url })
+      if (reloaded.ok) {
+        s.stop(c.green('Config reloaded.'))
+      } else {
+        // The role is already persisted; a reload failure is non-fatal.
+        s.stop(c.yellow(`Config reload failed: ${reloaded.reason}`))
+        console.log(c.dim('Run `typeclaw reload` manually to apply the new match rule.'))
+      }
       outro(`Match rule added: ${c.bold(result.payload.matchRule)}`)
       return
     }

package/src/cli/ui.ts

@@ -252,16 +252,18 @@ export function printSlackAppManifestSetup(output: NodeJS.WritableStream = proce
 // the exact permission bitfield the adapter uses. No-ops when the token isn't
 // parseable as a Discord bot token so we never block onboarding on best-effort
 // guidance.
-export function printDiscordInviteHint(token: string): void {
+export function printDiscordInviteHint(token: string, output: NodeJS.WritableStream = process.stdout): void {
   const appId = deriveAppIdFromBotToken(token)
   if (appId === null) return
+  // URL stays OUT of note(): clack wraps long lines with a `│` gutter that
+  // corrupts copy-pasted URLs. Same fix as src/cli/oauth-callbacks.ts.
   note(
     [
-      buildDiscordInviteUrl(appId),
-      '',
-      'Open it, pick a server, click Authorize.',
+      'Open the URL below, pick a server, click Authorize.',
       "The bot won't receive messages until it's in at least one server.",
     ].join('\n'),
     'Invite the bot to a server',
   )
+  output.write(`${buildDiscordInviteUrl(appId)}\n`)
+  output.write('\n')
 }

package/src/config/reloadable.ts

@@ -11,6 +11,10 @@ export type CreateConfigReloadableOptions = {
   // hand-edits) take effect without a container restart. `roles.<name>.permissions`
   // changes still require a restart — see FIELD_EFFECTS in config.ts.
   permissions?: PermissionService
+  // Fired after replaceRoles when a `roles.<name>.match` edit is applied. The
+  // run stage wires this to the channel router so live sessions are recreated
+  // and pick up the new role in their (otherwise frozen) system prompt.
+  onRolesChanged?: () => void | Promise<void>
   // Skip the mount-path accessibility check inside validateConfig. Mount paths
   // in typeclaw.json are host paths — they don't resolve inside the container,
   // so the check would always fail on any agent that declares mounts. `mounts`
@@ -22,18 +26,20 @@ export type CreateConfigReloadableOptions = {
 export function createConfigReloadable({
   cwd,
   permissions,
+  onRolesChanged,
   skipMountValidation = false,
 }: CreateConfigReloadableOptions): Reloadable {
   return {
     scope: 'config',
     description: 'typeclaw.json runtime config',
-    reload: async () => doReload(cwd, permissions, skipMountValidation),
+    reload: async () => doReload(cwd, permissions, onRolesChanged, skipMountValidation),
   }
 }
 
 async function doReload(
   cwd: string,
   permissions: PermissionService | undefined,
+  onRolesChanged: (() => void | Promise<void>) | undefined,
   skipMountValidation: boolean,
 ): Promise<ReloadResult> {
   // Mount accessibility belongs to the validation surface, not loadConfigSync —
@@ -59,8 +65,9 @@ async function doReload(
     return { scope: 'config', ok: false, reason: message }
   }
 
-  if (permissions !== undefined && diff.applied.some((c) => c.path === 'roles.match')) {
-    permissions.replaceRoles(getConfig().roles)
+  if (diff.applied.some((c) => c.path === 'roles.match')) {
+    permissions?.replaceRoles(getConfig().roles)
+    await onRolesChanged?.()
   }
 
   return {

package/src/init/github-webhook-install.ts

@@ -57,7 +57,7 @@ export async function installGithubWebhooksEagerly(
 
   try {
     const result = await registerGithubWebhooks({
-      token: () => strategy.token(),
+      token: (repoSlug: string) => strategy.token({ repoSlug }),
       webhookUrl,
       webhookSecret: options.webhookSecret,
       repos: options.repos,
@@ -86,7 +86,6 @@ function authToSecretBlock(auth: GithubInitCredentials['auth']) {
     type: 'app' as const,
     appId: auth.appId,
     privateKey: { value: auth.privateKey },
-    ...(auth.installationId !== undefined ? { installationId: auth.installationId } : {}),
   }
 }
 

package/src/init/index.ts

@@ -39,14 +39,6 @@ const CONFIG_FILE = 'typeclaw.json'
 const CRON_FILE = 'cron.json'
 const PACKAGE_FILE = 'package.json'
 
-// Seeded into `typeclaw.json#roles.member.match[]` whenever a chat adapter
-// (slack-bot, discord-bot, telegram-bot, kakaotalk) is wired. The "*" rule
-// matches every channel session on every platform, so the built-in `member`
-// role (which already carries `channel.respond`) covers any inbound the
-// router sees. Without this, freshly-hatched agents silently drop every
-// chat message — see scaffold() and ensureDefaultChatMemberMatch() below.
-const DEFAULT_CHAT_MEMBER_MATCH_RULE = '*'
-
 const MARKDOWN_FILES = ['AGENTS.md', 'IDENTITY.md', 'SOUL.md', 'USER.md'] as const
 
 // `packages/` is a bun workspace root (see `workspaces` in buildPackageJson).
@@ -102,7 +94,7 @@ export type GithubInitCredentials = {
   hostname?: string
   tokenEnv?: string
   repos: string[]
-  auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
+  auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string }
 }
 
 export type GithubTunnelProvider = 'cloudflare-quick' | 'cloudflare-named' | 'external' | 'none'
@@ -586,11 +578,11 @@ export async function scaffold(root: string, options: ScaffoldOptions = {}): Pro
   if (options.withTelegram) channels['telegram-bot'] = {}
   if (options.withKakaotalk) channels.kakaotalk = {}
   if (Object.keys(channels).length > 0) config.channels = channels
-  // See DEFAULT_CHAT_MEMBER_MATCH_RULE for why this is here. GitHub is wired
-  // separately (writeGithubChannelForInit) and seeds per-repo member.match
-  // entries instead of the wildcard, so a github-only init stays scoped to
-  // the repos the operator opted in to.
-  if (Object.keys(channels).length > 0) config.roles = { member: { match: [DEFAULT_CHAT_MEMBER_MATCH_RULE] } }
+  // No default `member` match is seeded. A fresh chat agent starts with every
+  // inbound author resolving to `guest` (dropped) until the operator claims
+  // `owner` (runOwnerClaim, post-hatch) and explicitly grants others. GitHub is
+  // wired separately and seeds per-repo `member.match` entries scoped to the
+  // opted-in repos. See runOwnerClaim for the mute-until-claimed warning.
   await writeFile(join(root, CONFIG_FILE), `${JSON.stringify(config, null, 2)}\n`)
 
   const cron = {
@@ -1006,7 +998,7 @@ export type AddChannelOptions = {
       hostname?: string
       tokenEnv?: string
       repos: string[]
-      auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
+      auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string }
       fetchImpl?: typeof fetch
     }
 )
@@ -1046,8 +1038,6 @@ export async function runAddChannel(options: AddChannelOptions): Promise<void> {
   if (options.channel === 'github') {
     await appendGithubMatchRules(options.cwd, options.repos)
     await maybeInstallGithubWebhooks(options, emit)
-  } else {
-    await ensureDefaultChatMemberMatch(options.cwd)
   }
 
   // Commit the typeclaw.json change so the agent folder isn't silently
@@ -1273,9 +1263,6 @@ async function writeGithubChannelForInit(cwd: string, credentials: GithubInitCre
             type: 'app',
             appId: credentials.auth.appId,
             privateKey: { value: credentials.auth.privateKey } satisfies Secret,
-            ...(credentials.auth.installationId !== undefined
-              ? { installationId: credentials.auth.installationId }
-              : {}),
           },
     webhookSecret: { value: credentials.webhookSecret } satisfies Secret,
   }
@@ -1308,7 +1295,6 @@ async function appendGithubSecrets(
             type: 'app',
             appId: options.auth.appId,
             privateKey: { value: options.auth.privateKey } satisfies Secret,
-            ...(options.auth.installationId !== undefined ? { installationId: options.auth.installationId } : {}),
           },
     webhookSecret: { value: options.webhookSecret } satisfies Secret,
   }
@@ -1329,24 +1315,6 @@ async function appendGithubMatchRules(cwd: string, repos: readonly string[]): Pr
   await writeFile(path, `${JSON.stringify(parsed, null, 2)}\n`)
 }
 
-// Chat-adapter counterpart of appendGithubMatchRules. See
-// DEFAULT_CHAT_MEMBER_MATCH_RULE for the rationale. Set-union semantics: re-
-// running `typeclaw channel add` for additional chat adapters is a no-op on
-// the match list, and any pre-existing rules the operator hand-authored
-// (e.g. owner-claim's per-author entry on `owner`) are left intact.
-async function ensureDefaultChatMemberMatch(cwd: string): Promise<void> {
-  const path = join(cwd, CONFIG_FILE)
-  const parsed = JSON.parse(await readFile(path, 'utf8')) as Record<string, unknown>
-  const roles = isObjectRecord(parsed.roles) ? { ...parsed.roles } : {}
-  const member = isObjectRecord(roles.member) ? { ...roles.member } : {}
-  const existing = Array.isArray(member.match) ? member.match.filter((v): v is string => typeof v === 'string') : []
-  if (existing.includes(DEFAULT_CHAT_MEMBER_MATCH_RULE)) return
-  member.match = [...existing, DEFAULT_CHAT_MEMBER_MATCH_RULE]
-  roles.member = member
-  parsed.roles = roles
-  await writeFile(path, `${JSON.stringify(parsed, null, 2)}\n`)
-}
-
 // Writes per-adapter field values into `secrets.json#channels.<adapter>`.
 // Refuses to overwrite existing fields: if the user already has e.g.
 // `botToken` recorded (from a prior `channel add` whose follow-up steps
@@ -1489,13 +1457,13 @@ export async function setChannelSecrets(
 // previous auth type, since the two shapes share no fields beyond `type`).
 export type GithubCredentialPatch = {
   webhookSecret?: string
-  auth?: { type: 'pat'; pat: string } | { type: 'app'; privateKey: string; appId?: number; installationId?: number }
+  auth?: { type: 'pat'; pat: string } | { type: 'app'; privateKey: string; appId?: number }
 }
 
 // Update one or more credential fields on an already-configured GitHub
 // channel. Like setChannelSecrets, refuses when secrets.json has no
 // existing github entry. Supports both same-type rotation (preserves env
-// bindings, carries appId/installationId forward when not supplied) and
+// bindings, carries appId forward when not supplied) and
 // auth-type switching (replaces the entire auth block — see
 // `GithubCredentialPatch` above).
 export async function setGithubSecrets(cwd: string, patch: GithubCredentialPatch): Promise<SetChannelTokensResult> {
@@ -1531,7 +1499,6 @@ export async function setGithubSecrets(cwd: string, patch: GithubCredentialPatch
       } else {
         const existingApp = isSameType && isObjectRecord(existingAuth) ? (existingAuth as Record<string, unknown>) : {}
         const appId = patch.auth.appId ?? (existingApp.appId as number | undefined)
-        const installationId = patch.auth.installationId ?? (existingApp.installationId as number | undefined)
         if (typeof appId !== 'number') {
           return {
             result: {
@@ -1546,7 +1513,6 @@ export async function setGithubSecrets(cwd: string, patch: GithubCredentialPatch
           type: 'app',
           appId,
           privateKey: rotatedSecret(existingApp.privateKey, patch.auth.privateKey),
-          ...(installationId !== undefined ? { installationId } : {}),
         }
       }
     }