typeclaw 0.17.0 → 0.18.0

package/auth.schema.json

@@ -213,11 +213,6 @@
                           }
                         }
                       ]
-                    },
-                    "installationId": {
-                      "type": "integer",
-                      "exclusiveMinimum": 0,
-                      "maximum": 9007199254740991
                     }
                   },
                   "required": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.17.0",
+  "version": "0.18.0",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"
@@ -46,7 +46,7 @@
     "@mariozechner/pi-coding-agent": "^0.67.3",
     "@mariozechner/pi-tui": "^0.67.3",
     "@mozilla/readability": "^0.6.0",
-    "agent-messenger": "2.19.0",
+    "agent-messenger": "2.19.1",
     "cheerio": "^1.2.0",
     "citty": "^0.2.2",
     "cron-parser": "^5.5.0",

package/secrets.schema.json

@@ -213,11 +213,6 @@
                           }
                         }
                       ]
-                    },
-                    "installationId": {
-                      "type": "integer",
-                      "exclusiveMinimum": 0,
-                      "maximum": 9007199254740991
                     }
                   },
                   "required": [

package/src/channels/adapters/discord-bot-classify.ts

@@ -12,6 +12,7 @@ export type InboundDropReason =
   | 'self_author' // event.author.id === botUserId; we never route our own messages back to ourselves
   | 'empty_content' // SDK delivered content: '' — usually missing MessageContent intent
   | 'pre_connect' // bot identity is not known yet, so mention/self/reply classification cannot be trusted
+  | 'thread_created_system' // Discord's THREAD_CREATED system notice posted to the PARENT channel when a public thread is created from a message
 
 export type InboundClassification =
   | { kind: 'drop'; reason: InboundDropReason }
@@ -38,6 +39,10 @@ export function classifyInbound(
   const { text, attachments } = splitInbound(event)
   if (text === '') return { kind: 'drop', reason: 'empty_content' }
 
+  if (isThreadCreatedSystemMessage(event)) {
+    return { kind: 'drop', reason: 'thread_created_system' }
+  }
+
   const isDm = event.guild_id === undefined
   const workspace = isDm ? '@dm' : event.guild_id!
 
@@ -108,6 +113,24 @@ function isReplyToBot(event: DiscordGatewayMessageCreateEvent, botUserId: string
   return (event.mentions ?? []).some((m) => m.id === botUserId)
 }
 
+// Creating a public thread from a message fires TWO MESSAGE_CREATE events: a
+// THREAD_CREATED notice in the parent channel (content = thread name) and a
+// THREAD_STARTER_MESSAGE inside the thread. Each opens its own router session,
+// so the agent replies twice. The numeric Discord message type (18) that would
+// filter this cleanly is destroyed by the agent-messenger listener (it does
+// `{ ...d, type: t }`, overwriting `d.type` with the dispatch name), so we
+// fingerprint the notice by its reference instead: it points at a DIFFERENT
+// channel (the new thread) with no source `message_id`. The message_id-absent
+// check is load-bearing — it spares normal cross-channel replies and the
+// in-thread starter, both of which DO carry a message_id.
+function isThreadCreatedSystemMessage(event: DiscordGatewayMessageCreateEvent): boolean {
+  const ref = event.message_reference
+  if (ref?.channel_id === undefined) return false
+  if (ref.channel_id === event.channel_id) return false
+  if (ref.message_id !== undefined) return false
+  return ref.guild_id === undefined || event.guild_id === undefined || ref.guild_id === event.guild_id
+}
+
 type SplitInbound = { text: string; attachments: InboundAttachment[] }
 
 function splitInbound(event: DiscordGatewayMessageCreateEvent): SplitInbound {

package/src/channels/adapters/discord-bot.ts

@@ -763,6 +763,7 @@ function dropHint(reason: InboundDropReason): string {
       return ' (enable MESSAGE CONTENT INTENT in Discord Developer Portal and restart)'
     case 'pre_connect':
     case 'self_author':
+    case 'thread_created_system':
       return ''
   }
 }

package/src/channels/adapters/github/auth-app.ts

@@ -2,33 +2,43 @@ import { createPrivateKey } from 'node:crypto'
 
 import { resolveSecret, type Secret } from '@/secrets/resolve'
 
-import type { GithubAuthStrategy, GithubInstallationGrants, GithubSelfUser } from './auth'
+import type { GithubAuthContext, GithubAuthStrategy, GithubInstallationGrants, GithubSelfUser } from './auth'
 import { GITHUB_API_BASE, githubJsonHeaders, githubPublicHeaders } from './auth-pat'
 
+type TokenCacheEntry = { value: string; expiresAt: number }
+
 export class AppAuthStrategy implements GithubAuthStrategy {
   private readonly appId: number
   private readonly privateKeyPem: string
-  private readonly installationId: number | null
   private readonly fetchImpl: typeof fetch
-  private cachedToken: { value: string; expiresAt: number } | null = null
-  private resolvedInstallationId: number | null = null
+  // Keyed by installation id: a single App may span multiple owners, each a
+  // separate installation with its own short-lived token.
+  private readonly tokenCache = new Map<number, TokenCacheEntry>()
+  private readonly repoInstallationCache = new Map<string, number>()
+  private soleInstallationId: number | null = null
   private _selfUser: GithubSelfUser | null = null
 
-  constructor(options: { appId: number; privateKey: Secret; installationId?: number; fetchImpl?: typeof fetch }) {
+  constructor(options: { appId: number; privateKey: Secret; fetchImpl?: typeof fetch }) {
     const privateKeyPem = resolveSecret(options.privateKey, undefined, process.env)
     if (privateKeyPem === undefined || privateKeyPem.trim() === '') throw new Error('GitHub App private key is missing')
     this.appId = options.appId
     this.privateKeyPem = privateKeyPem
-    this.installationId = options.installationId ?? null
     this.fetchImpl = options.fetchImpl ?? fetch
   }
 
-  async token(): Promise<string> {
-    if (this.cachedToken && Date.now() < this.cachedToken.expiresAt - 5 * 60 * 1000) {
-      return this.cachedToken.value
-    }
+  async token(context?: GithubAuthContext): Promise<string> {
     const jwt = await this.mintJwt()
-    const installId = await this.resolveInstallationId(jwt)
+    const installId = await this.resolveInstallationId(jwt, context)
+    return this.installationToken(jwt, installId)
+  }
+
+  async authHeaders(context?: GithubAuthContext): Promise<HeadersInit> {
+    return githubJsonHeaders(await this.token(context))
+  }
+
+  private async installationToken(jwt: string, installId: number): Promise<string> {
+    const cached = this.tokenCache.get(installId)
+    if (cached && Date.now() < cached.expiresAt - 5 * 60 * 1000) return cached.value
     const response = await this.fetchImpl(`${GITHUB_API_BASE}/app/installations/${installId}/access_tokens`, {
       method: 'POST',
       headers: githubJsonHeaders(jwt),
@@ -37,14 +47,10 @@ export class AppAuthStrategy implements GithubAuthStrategy {
     const raw = (await response.json()) as { token?: unknown; expires_at?: unknown }
     if (typeof raw.token !== 'string') throw new Error('GitHub App token response missing token')
     const expiresAt = typeof raw.expires_at === 'string' ? Date.parse(raw.expires_at) : Date.now() + 60 * 60 * 1000
-    this.cachedToken = { value: raw.token, expiresAt }
+    this.tokenCache.set(installId, { value: raw.token, expiresAt })
     return raw.token
   }
 
-  async authHeaders(): Promise<HeadersInit> {
-    return githubJsonHeaders(await this.token())
-  }
-
   async getSelf(): Promise<GithubSelfUser> {
     if (this._selfUser) return this._selfUser
     const jwt = await this.mintJwt()
@@ -69,9 +75,9 @@ export class AppAuthStrategy implements GithubAuthStrategy {
     return this._selfUser
   }
 
-  async getInstallationGrants(): Promise<GithubInstallationGrants> {
+  async getInstallationGrants(context?: GithubAuthContext): Promise<GithubInstallationGrants> {
     const jwt = await this.mintJwt()
-    const installId = await this.resolveInstallationId(jwt)
+    const installId = await this.resolveInstallationId(jwt, context)
     const response = await this.fetchImpl(`${GITHUB_API_BASE}/app/installations/${installId}`, {
       headers: githubJsonHeaders(jwt),
     })
@@ -88,7 +94,8 @@ export class AppAuthStrategy implements GithubAuthStrategy {
   }
 
   async dispose(): Promise<void> {
-    this.cachedToken = null
+    this.tokenCache.clear()
+    this.repoInstallationCache.clear()
   }
 
   private async mintJwt(): Promise<string> {
@@ -107,25 +114,41 @@ export class AppAuthStrategy implements GithubAuthStrategy {
     return `${signingInput}.${base64url(Buffer.from(signature))}`
   }
 
-  private async resolveInstallationId(jwt: string): Promise<number> {
-    if (this.resolvedInstallationId !== null) return this.resolvedInstallationId
-    if (this.installationId !== null) {
-      this.resolvedInstallationId = this.installationId
-      return this.installationId
+  private async resolveInstallationId(jwt: string, context?: GithubAuthContext): Promise<number> {
+    if (context?.repoSlug !== undefined && context.repoSlug !== '') {
+      return this.resolveInstallationByEndpoint(jwt, `repos/${context.repoSlug}/installation`, context.repoSlug)
+    }
+    if (context?.owner !== undefined && context.owner !== '') {
+      return this.resolveInstallationByEndpoint(jwt, `orgs/${context.owner}/installation`, context.owner)
     }
+    if (this.soleInstallationId !== null) return this.soleInstallationId
     const response = await this.fetchImpl(`${GITHUB_API_BASE}/app/installations`, { headers: githubJsonHeaders(jwt) })
     if (!response.ok) throw new Error(`GitHub App installations fetch failed: ${response.status}`)
     const list = (await response.json()) as Array<{ id?: unknown }>
     if (list.length === 0) throw new Error('GitHub App has no installations')
     if (list.length > 1) {
       const ids = list.map((installation) => installation.id).join(', ')
-      throw new Error(`GitHub App has multiple installations (${ids}); set installationId in secrets.json`)
+      throw new Error(`GitHub App has multiple installations (${ids}); a repo must be specified to select one`)
     }
     const id = list[0]?.id
     if (typeof id !== 'number') throw new Error('GitHub App installation missing id')
-    this.resolvedInstallationId = id
+    this.soleInstallationId = id
     return id
   }
+
+  private async resolveInstallationByEndpoint(jwt: string, path: string, target: string): Promise<number> {
+    const cached = this.repoInstallationCache.get(target)
+    if (cached !== undefined) return cached
+    const response = await this.fetchImpl(`${GITHUB_API_BASE}/${path}`, { headers: githubJsonHeaders(jwt) })
+    if (response.status === 404) {
+      throw new Error(`GitHub App is not installed for ${target} or lacks access to that repository`)
+    }
+    if (!response.ok) throw new Error(`GitHub App installation lookup for ${target} failed: ${response.status}`)
+    const raw = (await response.json()) as { id?: unknown }
+    if (typeof raw.id !== 'number') throw new Error(`GitHub App installation for ${target} missing id`)
+    this.repoInstallationCache.set(target, raw.id)
+    return raw.id
+  }
 }
 
 function base64url(input: string | Buffer): string {

package/src/channels/adapters/github/auth-pat.ts

@@ -1,6 +1,6 @@
 import { resolveSecret, type Secret } from '@/secrets/resolve'
 
-import type { GithubAuthStrategy, GithubSelfUser } from './auth'
+import type { GithubAuthContext, GithubAuthStrategy, GithubSelfUser } from './auth'
 
 export const GITHUB_API_BASE = 'https://api.github.com'
 
@@ -15,11 +15,11 @@ export class PatAuthStrategy implements GithubAuthStrategy {
     this.fetchImpl = options.fetchImpl ?? fetch
   }
 
-  async token(): Promise<string> {
+  async token(_context?: GithubAuthContext): Promise<string> {
     return this._token
   }
 
-  async authHeaders(): Promise<HeadersInit> {
+  async authHeaders(_context?: GithubAuthContext): Promise<HeadersInit> {
     return githubJsonHeaders(this._token)
   }
 

package/src/channels/adapters/github/auth.ts

@@ -3,15 +3,30 @@ import type { GithubAppAuthBlock, GithubPatAuthBlock } from '@/secrets/schema'
 import { AppAuthStrategy } from './auth-app'
 import { PatAuthStrategy } from './auth-pat'
 
+// Repo identity threaded through every auth call so App auth can pick the
+// correct installation. `repoSlug` is the canonical input ("owner/name"); App
+// auth resolves it to an installation via GET /repos/{owner}/{repo}/installation
+// and caches the result. PAT auth ignores it entirely. Omitted context means
+// "no specific repo" — App auth then falls back to a single discoverable
+// installation (and errors if the App spans multiple installations).
+export type GithubAuthContext = {
+  repoSlug?: string
+  // Org login, for operations that aren't repo-scoped (e.g. team-membership
+  // lookups under GET /orgs/{org}/...). App auth resolves it to an
+  // installation via GET /orgs/{org}/installation. Ignored when repoSlug is set.
+  owner?: string
+}
+
 export type GithubAuthStrategy = {
-  token: () => Promise<string>
-  authHeaders: () => Promise<HeadersInit>
+  token: (context?: GithubAuthContext) => Promise<string>
+  authHeaders: (context?: GithubAuthContext) => Promise<HeadersInit>
   getSelf: () => Promise<GithubSelfUser>
   // App-only: returns the installation's granted-permissions map and declared
   // events so the adapter can preflight against the configured eventAllowlist
   // before any webhook arrives. PATs return access via token scopes, not an
-  // installation grant, so they leave this undefined.
-  getInstallationGrants?: () => Promise<GithubInstallationGrants>
+  // installation grant, so they leave this undefined. Context selects which
+  // installation to inspect when the App spans multiple owners.
+  getInstallationGrants?: (context?: GithubAuthContext) => Promise<GithubInstallationGrants>
   dispose: () => Promise<void>
 }
 
@@ -36,7 +51,6 @@ export function buildAuthStrategy(options: {
       return new AppAuthStrategy({
         appId: options.auth.appId,
         privateKey: options.auth.privateKey,
-        installationId: options.auth.installationId,
         fetchImpl: options.fetchImpl,
       })
   }

package/src/channels/adapters/github/channel-resolver.ts

@@ -1,10 +1,11 @@
 import type { ChannelNameResolver, ResolvedChannelNames } from '@/channels/types'
 
+import type { GithubAuthContext } from './auth'
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 import { parseChat, parseRepo } from './outbound'
 
 export function createGithubChannelNameResolver(options: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   fetchImpl?: typeof fetch
 }): ChannelNameResolver {
   const fetchImpl = options.fetchImpl ?? fetch
@@ -18,7 +19,7 @@ export function createGithubChannelNameResolver(options: {
     const path = chat.kind === 'issue' ? `issues/${chat.number}` : `pulls/${chat.number}`
     try {
       const response = await fetchImpl(`${GITHUB_API_BASE}/repos/${repo.owner}/${repo.name}/${path}`, {
-        headers: githubJsonHeaders(await options.token()),
+        headers: githubJsonHeaders(await options.token({ repoSlug: key.workspace })),
       })
       if (!response.ok) return names
       const raw = (await response.json()) as { title?: string }

package/src/channels/adapters/github/history.ts

@@ -1,10 +1,11 @@
 import type { ChannelHistoryMessage, FetchHistoryArgs, FetchHistoryResult, HistoryCallback } from '@/channels/types'
 
+import type { GithubAuthContext } from './auth'
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 import { parseChat, parseRepo } from './outbound'
 
 export function createGithubHistoryCallback(options: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   workspaceForChat: (chat: string) => string | null
   fetchImpl?: typeof fetch
 }): HistoryCallback {
@@ -26,7 +27,7 @@ export function createGithubHistoryCallback(options: {
       const response = await fetchImpl(
         `${endpoint}?per_page=${Math.min(Math.max(args.limit, 1), 100)}&direction=desc${cursor}`,
         {
-          headers: githubJsonHeaders(await options.token()),
+          headers: githubJsonHeaders(await options.token({ repoSlug: workspace })),
         },
       )
       if (!response.ok) return { ok: false, error: `GitHub history ${response.status}` }

package/src/channels/adapters/github/index.ts

@@ -3,7 +3,7 @@ import type { ChannelAdapterConfig, GithubAdapterConfig } from '@/channels/schem
 import { resolveSecret } from '@/secrets/resolve'
 import type { GithubSecretsBlock } from '@/secrets/schema'
 
-import { buildAuthStrategy } from './auth'
+import { buildAuthStrategy, type GithubAuthContext } from './auth'
 import { createGithubChannelNameResolver } from './channel-resolver'
 import { createDeliveryDedup } from './dedup'
 import { findPermissionGaps } from './event-permissions'
@@ -99,29 +99,30 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
     workspaceByChat.set(chat, workspace)
   }
 
-  const tokenFn = async () => {
-    const t = await auth.token()
-    process.env.GH_TOKEN = t
-    return t
-  }
+  // Repo/owner-aware token resolver. A single GitHub App can span multiple
+  // installations (one per owner); each consumer passes its repo/owner so the
+  // right installation token is minted. Unlike the old single-token path, this
+  // does NOT mutate process.env.GH_TOKEN — that global is seeded separately and
+  // only when exactly one installation applies (see seedGhTokenIfSingle).
+  const authToken = (context?: GithubAuthContext) => auth.token(context)
   const outbound = createGithubOutboundCallback({
-    token: tokenFn,
+    token: authToken,
     authType: options.secrets.auth.type,
     logger,
     fetchImpl,
   })
   const history = createGithubHistoryCallback({
-    token: tokenFn,
+    token: authToken,
     fetchImpl,
     workspaceForChat: (chat) => workspaceByChat.get(chat) ?? null,
   })
-  const membership = createGithubMembershipResolver({ token: tokenFn, fetchImpl })
-  const channelNameResolver = createGithubChannelNameResolver({ token: tokenFn, fetchImpl })
+  const membership = createGithubMembershipResolver({ token: authToken, fetchImpl })
+  const channelNameResolver = createGithubChannelNameResolver({ token: authToken, fetchImpl })
   const fetchAttachment = createGithubFetchAttachmentCallback()
   // No-op typing callback: GitHub has no typing indicator API.
   const typing = async (): Promise<void> => {}
   const dedup = createDeliveryDedup()
-  const isBotInTeam = createTeamMembershipChecker({ token: tokenFn, fetchImpl })
+  const isBotInTeam = createTeamMembershipChecker({ token: authToken, fetchImpl })
   const handler = createGithubWebhookHandler({
     webhookSecret,
     dedup,
@@ -174,35 +175,48 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
         selfLogin = null
         throw err
       }
-      // Seed GH_TOKEN so `gh` CLI calls in the container are pre-authenticated.
-      // tokenFn keeps it current on every adapter API call; App tokens refresh
-      // automatically when within 5 minutes of expiry.
-      process.env.GH_TOKEN = await auth.token()
       started = true
-      // Keep GH_TOKEN warm even when the adapter is only receiving inbound
-      // webhooks and not making outbound API calls. This prevents `gh` CLI
-      // calls from the agent from failing with 401 after the token expires.
-      const tokenRefreshIntervalMs = options.tokenRefreshIntervalMs ?? DEFAULT_TOKEN_REFRESH_INTERVAL_MS
-      if (tokenRefreshIntervalMs > 0) {
-        const refresh = () => {
-          tokenFn().catch((err) => {
-            logger.error(`[github] periodic token refresh failed: ${err instanceof Error ? err.message : String(err)}`)
-          })
+      // GH_TOKEN is a single process-wide env var the container's `gh` CLI
+      // reads, but a GitHub App spanning multiple owners has no single correct
+      // token. Seed/refresh it only when exactly one repo is configured (PAT,
+      // or App with one unambiguous installation). With multiple repos we skip
+      // the global seed: ad-hoc `gh` calls must target a specific repo, and the
+      // adapter's own API calls always resolve a repo-scoped token via authToken.
+      const ghTokenRepo = ghTokenSeedRepo(options.configRef().repos ?? [])
+      const seedGhToken = async (): Promise<void> => {
+        process.env.GH_TOKEN = await auth.token(ghTokenRepo === null ? undefined : { repoSlug: ghTokenRepo })
+      }
+      if (ghTokenRepo !== null || options.secrets.auth.type === 'pat') {
+        await seedGhToken()
+        const tokenRefreshIntervalMs = options.tokenRefreshIntervalMs ?? DEFAULT_TOKEN_REFRESH_INTERVAL_MS
+        if (tokenRefreshIntervalMs > 0) {
+          const refresh = () => {
+            seedGhToken().catch((err) => {
+              logger.error(
+                `[github] periodic token refresh failed: ${err instanceof Error ? err.message : String(err)}`,
+              )
+            })
+          }
+          const setIntervalFn =
+            options.setInterval ??
+            ((handler: () => void, ms: number) => {
+              const timer = setInterval(handler, ms)
+              return { clear: () => clearInterval(timer) }
+            })
+          tokenRefreshTimer = setIntervalFn(refresh, tokenRefreshIntervalMs)
         }
-        const setIntervalFn =
-          options.setInterval ??
-          ((handler: () => void, ms: number) => {
-            const timer = setInterval(handler, ms)
-            return { clear: () => clearInterval(timer) }
-          })
-        tokenRefreshTimer = setIntervalFn(refresh, tokenRefreshIntervalMs)
+      } else {
+        logger.info(
+          '[github] multiple repos configured across possibly-different owners; GH_TOKEN not seeded globally. ' +
+            'Ad-hoc `gh` commands should set a repo-scoped token explicitly.',
+        )
       }
       logger.info(`[github] webhook listening on port ${options.configRef().webhookPort} as @${self.login}`)
       // Best-effort: App-only preflight that compares the installation's granted
       // permissions against the configured eventAllowlist and warns about gaps.
       // Catches the most common misconfiguration (App installed with the default
       // metadata-only permission set) before any event fires a 403.
-      await runAppPermissionPreflight(logger, auth, options.configRef().eventAllowlist)
+      await runAppPermissionPreflight(logger, auth, options.configRef().eventAllowlist, options.configRef().repos ?? [])
       // Repository webhook registration is best-effort: failures are logged
       // per-repo, the adapter stays up. A misconfigured PAT or App that
       // can't manage hooks must not prevent the adapter from accepting
@@ -225,6 +239,9 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
         })
       } else if (repos.length > 0) {
         const legacyProviderHostSuffix = detectLegacyProviderHostSuffix(effectiveUrl)
+        logger.info(
+          `[github] registering webhook for ${repos.length} repo(s) [${repos.join(', ')}] -> ${effectiveUrl} (events: ${cfg.eventAllowlist.join(', ')})`,
+        )
         if (webhookRegistrationDelayMs > 0) {
           logger.info(
             `[github] waiting ${webhookRegistrationDelayMs}ms before registering webhook so the Cloudflare edge can warm up`,
@@ -232,7 +249,7 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
           await sleep(webhookRegistrationDelayMs)
         }
         const registration = await registerGithubWebhooks({
-          token: tokenFn,
+          token: (repoSlug: string) => auth.token({ repoSlug }),
           webhookUrl: effectiveUrl,
           webhookSecret,
           repos,
@@ -263,7 +280,7 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
       // last to clear the cached App-installation token.
       if (managedHooks.length > 0) {
         const deregistration = await deregisterGithubWebhooks({
-          token: tokenFn,
+          token: (repoSlug: string) => auth.token({ repoSlug }),
           hooks: managedHooks,
           fetchImpl,
         })
@@ -367,18 +384,36 @@ async function runAppPermissionPreflight(
   logger: GithubAdapterLogger,
   auth: ReturnType<typeof buildAuthStrategy>,
   eventAllowlist: readonly string[],
+  repos: readonly string[],
 ): Promise<void> {
   if (auth.getInstallationGrants === undefined) return
-  let grants
-  try {
-    grants = await auth.getInstallationGrants()
-  } catch (err) {
-    logger.warn(`[github] permission preflight skipped: ${err instanceof Error ? err.message : String(err)}`)
-    return
+  const getGrants = (context: GithubAuthContext | undefined) => auth.getInstallationGrants?.(context)
+  // One grants check per distinct owner: installations are owner-scoped, so
+  // repos sharing an owner share an installation. The first repo per owner is
+  // the resolution key. With no repos, fall back to a single context-free check.
+  const reposByOwner = new Map<string, string>()
+  for (const repo of repos) {
+    const owner = repo.split('/')[0]
+    if (owner !== undefined && owner !== '' && !reposByOwner.has(owner)) reposByOwner.set(owner, repo)
+  }
+  const contexts: Array<{ label: string; context: { repoSlug: string } | undefined }> =
+    reposByOwner.size === 0
+      ? [{ label: 'app', context: undefined }]
+      : [...reposByOwner.values()].map((repo) => ({ label: repo, context: { repoSlug: repo } }))
+  for (const { label, context } of contexts) {
+    let grants
+    try {
+      grants = await getGrants(context)
+    } catch (err) {
+      logger.warn(
+        `[github] permission preflight skipped for ${label}: ${err instanceof Error ? err.message : String(err)}`,
+      )
+      continue
+    }
+    if (grants === undefined) continue
+    const gaps = findPermissionGaps(eventAllowlist, grants.permissions)
+    if (gaps.length > 0) logger.warn(buildAppPermissionPreflightGuidance(gaps))
   }
-  const gaps = findPermissionGaps(eventAllowlist, grants.permissions)
-  if (gaps.length === 0) return
-  logger.warn(buildAppPermissionPreflightGuidance(gaps))
 }
 
 function logDeregistrationOutcome(
@@ -392,6 +427,13 @@ function logDeregistrationOutcome(
   }
 }
 
+// Two repos under the same owner share an installation and could in principle
+// share a global GH_TOKEN, but the marginal value doesn't justify the special
+// case — only a single configured repo yields an unambiguous seed.
+function ghTokenSeedRepo(repos: readonly string[]): string | null {
+  return repos.length === 1 ? (repos[0] ?? null) : null
+}
+
 function defaultSleep(ms: number): Promise<void> {
   return new Promise((resolve) => setTimeout(resolve, ms))
 }

package/src/channels/adapters/github/membership.ts

@@ -1,10 +1,11 @@
 import type { MembershipResolver, MembershipResolverResult } from '@/channels/membership'
 
+import type { GithubAuthContext } from './auth'
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 import { parseRepo } from './outbound'
 
 export function createGithubMembershipResolver(options: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   fetchImpl?: typeof fetch
 }): MembershipResolver {
   const fetchImpl = options.fetchImpl ?? fetch
@@ -16,7 +17,7 @@ export function createGithubMembershipResolver(options: {
       const response = await fetchImpl(
         `${GITHUB_API_BASE}/repos/${repo.owner}/${repo.name}/collaborators?per_page=100`,
         {
-          headers: githubJsonHeaders(await options.token()),
+          headers: githubJsonHeaders(await options.token({ repoSlug: key.workspace })),
         },
       )
       if (!response.ok) return response.status >= 500 ? { kind: 'transient' } : { kind: 'permanent' }

package/src/channels/adapters/github/outbound.ts

@@ -1,5 +1,6 @@
 import type { OutboundCallback, OutboundMessage, SendResult } from '@/channels/types'
 
+import type { GithubAuthContext } from './auth'
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 import {
   buildOutboundPermissionGuidance,
@@ -11,7 +12,7 @@ import {
 export type GithubOutboundLogger = { info: (m: string) => void; warn: (m: string) => void; error: (m: string) => void }
 
 export function createGithubOutboundCallback(deps: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   authType: GithubAuthType
   logger: GithubOutboundLogger
   fetchImpl?: typeof fetch
@@ -28,9 +29,12 @@ export function createGithubOutboundCallback(deps: {
     const target = parseChat(msg.chat)
     if (target === null) return { ok: false, error: `invalid GitHub chat: ${msg.chat}` }
 
+    const token = () => deps.token({ repoSlug: msg.workspace })
+
     if (target.kind === 'discussion') {
       return await postDiscussionComment({
         ...deps,
+        token,
         fetchImpl,
         repo,
         discussionNumber: target.number,
@@ -44,7 +48,7 @@ export function createGithubOutboundCallback(deps: {
       : `${GITHUB_API_BASE}/repos/${repo.owner}/${repo.name}/issues/${target.number}/comments`
     return await postJson(
       fetchImpl,
-      await deps.token(),
+      await token(),
       endpoint,
       { body },
       {

package/src/channels/adapters/github/team-membership.ts

@@ -7,12 +7,14 @@
 // request rebuilds it). Errors fall closed (return false): we'd rather drop
 // a real review request than wake the agent on a team the bot isn't in.
 
+import type { GithubAuthContext } from './auth'
+
 const ACTIVE_MEMBERSHIP_STATE = 'active'
 
 export type TeamMembershipChecker = (input: { org: string; slug: string; login: string }) => Promise<boolean>
 
 export function createTeamMembershipChecker(options: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   fetchImpl?: typeof fetch
 }): TeamMembershipChecker {
   const fetchImpl = options.fetchImpl ?? fetch
@@ -23,7 +25,7 @@ export function createTeamMembershipChecker(options: {
     const cached = cache.get(key)
     if (cached !== undefined) return cached
 
-    const result = await lookup(fetchImpl, await options.token(), org, slug, login)
+    const result = await lookup(fetchImpl, await options.token({ owner: org }), org, slug, login)
     cache.set(key, result)
     return result
   }

package/src/channels/adapters/github/webhook-register.ts

@@ -1,7 +1,10 @@
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 
 export type RegisterGithubWebhooksOptions = {
-  token: () => Promise<string>
+  // Resolves an installation token scoped to the given "owner/name" repo. A
+  // single GitHub App may span multiple owners (separate installations), so
+  // each repo's hook must be created/listed with that repo's own token.
+  token: (repoSlug: string) => Promise<string>
   webhookUrl: string
   webhookSecret: string
   repos: readonly string[]
@@ -51,22 +54,22 @@ export async function registerGithubWebhooks(
   options: RegisterGithubWebhooksOptions,
 ): Promise<WebhookRegistrationResult> {
   const fetchImpl = options.fetchImpl ?? fetch
-  let token: string
-  try {
-    token = await options.token()
-  } catch (err) {
-    const error = describe(err)
-    return { repos: options.repos.map((repo) => ({ repo, action: 'failed' as const, error })) }
-  }
   const repos: WebhookRepoResult[] = []
   for (const repo of options.repos) {
+    let token: string
+    try {
+      token = await options.token(repo)
+    } catch (err) {
+      repos.push({ repo, action: 'failed', error: describe(err) })
+      continue
+    }
     repos.push(await registerOne(fetchImpl, token, repo, options))
   }
   return { repos }
 }
 
 export type DeregisterGithubWebhooksOptions = {
-  token: () => Promise<string>
+  token: (repoSlug: string) => Promise<string>
   hooks: ReadonlyArray<{ repo: string; hookId: number }>
   fetchImpl?: typeof fetch
 }
@@ -79,15 +82,15 @@ export async function deregisterGithubWebhooks(
   options: DeregisterGithubWebhooksOptions,
 ): Promise<WebhookDeregistrationResult> {
   const fetchImpl = options.fetchImpl ?? fetch
-  let token: string
-  try {
-    token = await options.token()
-  } catch (err) {
-    const error = describe(err)
-    return { hooks: options.hooks.map((h) => ({ ...h, action: 'failed', error })) }
-  }
   const hooks: WebhookDeregistrationResult['hooks'] = []
   for (const hook of options.hooks) {
+    let token: string
+    try {
+      token = await options.token(hook.repo)
+    } catch (err) {
+      hooks.push({ ...hook, action: 'failed', error: describe(err) })
+      continue
+    }
     hooks.push(await deleteOne(fetchImpl, token, hook))
   }
   return { hooks }

package/src/channels/adapters/slack-bot-slash-commands.ts

@@ -1,5 +1,6 @@
 import type { SlackSocketModeSlashCommandArgs } from 'agent-messenger/slackbot'
 
+import type { ExecuteCommandResult } from '@/channels/router'
 import type { ChannelKey } from '@/channels/types'
 
 // Slack channel ids: 'C' = public, 'G' = private/legacy multi-party DM,
@@ -64,13 +65,87 @@ export function parseSlashCommand(
   }
 }
 
+// Slack blocks native slash commands inside threads ("/stop is not supported
+// in threads. Sorry!"), so the only way to abort a thread-scoped turn from
+// inside that thread is a normal message. We recognise a leading `!` as an
+// alternate command prefix and route it through the same router.executeCommand
+// path as native slashes. The guard is strict: only a first token that resolves
+// to a known command name is rewritten, so casual messages like "!nice work"
+// pass through untouched as regular agent input.
+//
+// Unlike native slash payloads (which never carry a thread and rely on the
+// router's workspace+chat fallback), a thread message carries `thread_ts`,
+// letting us target the exact thread session and skip the ambiguous-match case
+// entirely.
+export const THREAD_COMMAND_PREFIX = '!'
+
+export type ThreadCommandInput = {
+  text: string
+  channel: string
+  threadTs: string | null
+  isDm: boolean
+  teamId: string
+  invokerId: string
+}
+
+export type ParseThreadCommandResult =
+  | { kind: 'parsed'; command: ParsedSlackSlashCommand }
+  | { kind: 'ignore'; reason: 'no-prefix' | 'unknown-command' }
+
+// Both ignore reasons (`no-prefix`, `unknown-command`) are non-fatal: the
+// caller lets the message flow through as ordinary agent input.
+export function parseThreadCommand(
+  input: ThreadCommandInput,
+  knownCommands: ReadonlySet<string>,
+): ParseThreadCommandResult {
+  const trimmed = input.text.trimStart()
+  if (!trimmed.startsWith(THREAD_COMMAND_PREFIX)) {
+    return { kind: 'ignore', reason: 'no-prefix' }
+  }
+  const firstToken = trimmed.slice(THREAD_COMMAND_PREFIX.length).split(/\s/, 1)[0] ?? ''
+  const name = firstToken.toLowerCase()
+  if (name === '' || !knownCommands.has(name)) {
+    return { kind: 'ignore', reason: 'unknown-command' }
+  }
+
+  const workspace = input.isDm ? '@dm' : input.teamId
+  return {
+    kind: 'parsed',
+    command: {
+      name,
+      key: { adapter: 'slack-bot', workspace, chat: input.channel, thread: input.threadTs },
+      invokerId: input.invokerId,
+    },
+  }
+}
+
 export const SLACK_SLASH_REPLY_ABORTED = 'Stopped the current turn.'
 export const SLACK_SLASH_REPLY_NO_LIVE_SESSION = 'Nothing to stop — no active turn in this channel.'
 export const SLACK_SLASH_REPLY_FAILED = 'Could not stop the current turn (internal error).'
 export const SLACK_SLASH_REPLY_PERMISSION_DENIED =
   'You do not have permission to stop the current turn in this channel.'
+// Native slash commands cannot be invoked from a thread, so the only way to
+// disambiguate is the `!stop` thread-message fallback — advise that, not the
+// impossible `/stop`-in-thread.
 export const SLACK_SLASH_REPLY_AMBIGUOUS =
-  'Multiple active turns in this channel. Reply `/stop` from inside the specific thread you want to stop.'
+  'Multiple active turns in this channel. Reply `!stop` inside the specific thread you want to stop.'
+
+// Single outcome→reply mapping shared by the native-slash (ack payload) and
+// `!cmd` thread (postMessage) delivery paths so the two never drift.
+export function commandResultReply(result: ExecuteCommandResult): string {
+  switch (result.kind) {
+    case 'handled':
+      return SLACK_SLASH_REPLY_ABORTED
+    case 'no-live-session':
+      return SLACK_SLASH_REPLY_NO_LIVE_SESSION
+    case 'permission-denied':
+      return SLACK_SLASH_REPLY_PERMISSION_DENIED
+    case 'ambiguous':
+      return SLACK_SLASH_REPLY_AMBIGUOUS
+    case 'unknown-command':
+      return SLACK_SLASH_REPLY_FAILED
+  }
+}
 
 // Slack's ack callback accepts an optional response payload that becomes
 // the user-visible reply. `response_type: 'ephemeral'` keeps the reply

package/src/channels/adapters/slack-bot.ts

@@ -35,12 +35,11 @@ import {
 import { createSlackDedupe } from './slack-bot-dedupe'
 import {
   buildSlashAckPayload,
+  commandResultReply,
   parseSlashCommand,
-  SLACK_SLASH_REPLY_ABORTED,
-  SLACK_SLASH_REPLY_AMBIGUOUS,
+  parseThreadCommand,
   SLACK_SLASH_REPLY_FAILED,
-  SLACK_SLASH_REPLY_NO_LIVE_SESSION,
-  SLACK_SLASH_REPLY_PERMISSION_DENIED,
+  type ThreadCommandInput,
 } from './slack-bot-slash-commands'
 import { slackTsToMillis } from './slack-bot-time'
 
@@ -124,16 +123,7 @@ export function createSlashCommandHandler(
       return
     }
 
-    const replyContent =
-      result.kind === 'handled'
-        ? SLACK_SLASH_REPLY_ABORTED
-        : result.kind === 'no-live-session'
-          ? SLACK_SLASH_REPLY_NO_LIVE_SESSION
-          : result.kind === 'permission-denied'
-            ? SLACK_SLASH_REPLY_PERMISSION_DENIED
-            : result.kind === 'ambiguous'
-              ? SLACK_SLASH_REPLY_AMBIGUOUS
-              : SLACK_SLASH_REPLY_FAILED
+    const replyContent = commandResultReply(result)
 
     // Final ack on the happy path: own try/catch so a thrown ack here does
     // NOT cascade into the error-path ack above (which would violate the
@@ -158,6 +148,67 @@ export function createSlashCommandHandler(
   }
 }
 
+export type ThreadCommandReplyPoster = (args: { chat: string; thread: string | null; text: string }) => Promise<void>
+
+export type ThreadCommandHandlerDeps = {
+  router: Pick<ChannelRouter, 'executeCommand'>
+  knownCommandNames: ReadonlySet<string>
+  postReply: ThreadCommandReplyPoster
+  logger: SlackBotAdapterLoggerLike
+}
+
+export type ThreadCommandOutcome = { kind: 'not-a-command' } | { kind: 'duplicate' } | { kind: 'executed' }
+
+// Synchronous reservation: the adapter marks the dedupe ring inside this hook,
+// which the handler calls before its first `await`. Two duplicate Slack
+// deliveries can both clear `dedupe.check()` on the same JS tick; whichever
+// reserves first wins and returns `true`, the loser returns `false` and aborts
+// — so a control command never runs twice across the check→execute window.
+export type ThreadCommandReserve = () => boolean
+
+// Routes a `!cmd` thread message through the SAME router.executeCommand path as
+// native slashes, then posts the outcome back into the thread. Returns
+// 'not-a-command' (caller proceeds with normal classify/route), 'duplicate'
+// (a racing delivery already reserved this event — caller stops silently), or
+// 'executed' (command handled — caller stops; it is not agent input).
+export function createThreadCommandHandler(
+  deps: ThreadCommandHandlerDeps,
+): (input: ThreadCommandInput, reserve: ThreadCommandReserve) => Promise<ThreadCommandOutcome> {
+  return async (input, reserve) => {
+    const parsed = parseThreadCommand(input, deps.knownCommandNames)
+    if (parsed.kind === 'ignore') {
+      return { kind: 'not-a-command' }
+    }
+    // Reserve synchronously, before any await, to close the check→execute race.
+    if (!reserve()) {
+      return { kind: 'duplicate' }
+    }
+    const { command } = parsed
+    deps.logger.info(
+      `[slack-bot] thread-command !${command.name} invoker=${command.invokerId} team=${command.key.workspace} channel=${command.key.chat} thread=${command.key.thread ?? '(none)'}`,
+    )
+
+    let reply: string
+    try {
+      const result = await deps.router.executeCommand(command.key, command.name, {
+        invokerId: command.invokerId,
+      })
+      reply = commandResultReply(result)
+      deps.logger.info(`[slack-bot] thread-command !${command.name} result=${result.kind}`)
+    } catch (err) {
+      deps.logger.error(`[slack-bot] thread-command !${command.name} failed: ${describe(err)}`)
+      reply = SLACK_SLASH_REPLY_FAILED
+    }
+
+    try {
+      await deps.postReply({ chat: input.channel, thread: input.threadTs, text: reply })
+    } catch (err) {
+      deps.logger.warn(`[slack-bot] thread-command reply post failed: ${describe(err)}`)
+    }
+    return { kind: 'executed' }
+  }
+}
+
 // app_mention payloads omit channel_type and never carry a subtype, so we
 // promote them to a message-shaped event for the shared classifier. The
 // promoted event is classified as a regular channel message; the
@@ -783,6 +834,24 @@ export function createSlackBotAdapter(options: SlackBotAdapterOptions): SlackBot
     formatChannelTag,
   })
 
+  const handleThreadCommand = createThreadCommandHandler({
+    router: options.router,
+    knownCommandNames: SLACK_SLASH_COMMAND_NAMES,
+    logger,
+    postReply: async ({ chat, thread, text }) => {
+      const result = await outboundCallback({
+        adapter: 'slack-bot',
+        workspace: teamId ?? 'unknown',
+        chat,
+        ...(thread !== null ? { thread } : {}),
+        text,
+      })
+      if (!result.ok) {
+        throw new Error(result.error)
+      }
+    },
+  })
+
   const handleMessageEvent = async (
     event: SlackInboundMessageEvent,
     source: 'message' | 'app_mention',
@@ -813,6 +882,38 @@ export function createSlackBotAdapter(options: SlackBotAdapterOptions): SlackBot
         return
       }
 
+      // Intercept `!cmd` thread-message commands BEFORE classifyInbound. A
+      // command is control traffic — neither dropped nor routed to the agent —
+      // so it must short-circuit here. Bypassing classifyInbound also bypasses
+      // its self_author / no_user drops, so we replicate those guards: never
+      // execute a command from our own message (echo loop) or a userless
+      // system event. The `reserve` closure marks dedupe synchronously the
+      // instant the command is recognised (before the router await), closing
+      // the check→execute race for duplicate deliveries.
+      if (event.user !== undefined && event.user !== '' && (botUserId === null || event.user !== botUserId)) {
+        const reserve = (): boolean => {
+          if (dedupe.check(event) !== null) return false
+          dedupe.mark(event)
+          return true
+        }
+        const outcome = await handleThreadCommand(
+          {
+            text: event.text ?? '',
+            channel: event.channel,
+            threadTs: event.thread_ts ?? null,
+            isDm: event.channel_type === 'im',
+            teamId,
+            invokerId: event.user,
+          },
+          reserve,
+        )
+        if (outcome.kind === 'executed') return
+        if (outcome.kind === 'duplicate') {
+          logger.info(`[slack-bot] dropped ts=${event.ts} reason=duplicate_delivery (thread-command race)`)
+          return
+        }
+      }
+
       const verdict = classifyInbound(event, options.configRef(), {
         teamId,
         botUserId,

package/src/cli/channel.ts

@@ -842,7 +842,6 @@ async function promptGithubAppAuth(): Promise<{
   type: 'app'
   appId: number
   privateKey: string
-  installationId?: number
 }> {
   const appId = await text({
     message: 'GitHub App ID',
@@ -857,21 +856,10 @@ async function promptGithubAppAuth(): Promise<{
     cancel('Aborted.')
     process.exit(0)
   }
-  const installationId = await text({
-    message: 'Installation ID (optional; leave blank to auto-discover)',
-    validate: (value) =>
-      value === undefined || value === '' ? undefined : validatePositiveInteger(value, 'Installation ID is required'),
-  })
-  if (isCancel(installationId)) {
-    cancel('Aborted.')
-    process.exit(0)
-  }
-  const parsedInstallationId = installationId === '' ? undefined : Number(installationId)
   return {
     type: 'app',
     appId: Number(appId),
     privateKey,
-    ...(parsedInstallationId !== undefined ? { installationId: parsedInstallationId } : {}),
   }
 }
 

package/src/cli/init.ts

@@ -1293,7 +1293,6 @@ async function promptGithubAppAuth(): Promise<{
   type: 'app'
   appId: number
   privateKey: string
-  installationId?: number
 } | null> {
   const appId = await text({
     message: 'GitHub App ID',
@@ -1302,18 +1301,10 @@ async function promptGithubAppAuth(): Promise<{
   if (isCancel(appId)) return null
   const privateKey = await promptPrivateKeyPem('GitHub App private key PEM, escaped PEM, or path to .pem file')
   if (privateKey === CANCEL_SYMBOL) return null
-  const installationId = await text({
-    message: 'Installation ID (optional; leave blank to auto-discover)',
-    validate: (v) =>
-      v === undefined || v === '' ? undefined : validatePositiveInteger(v, 'Installation ID is required'),
-  })
-  if (isCancel(installationId)) return null
-  const parsedInstallationId = installationId === '' ? undefined : Number(installationId)
   return {
     type: 'app',
     appId: Number(appId),
     privateKey,
-    ...(parsedInstallationId !== undefined ? { installationId: parsedInstallationId } : {}),
   }
 }
 

package/src/init/github-webhook-install.ts

@@ -57,7 +57,7 @@ export async function installGithubWebhooksEagerly(
 
   try {
     const result = await registerGithubWebhooks({
-      token: () => strategy.token(),
+      token: (repoSlug: string) => strategy.token({ repoSlug }),
       webhookUrl,
       webhookSecret: options.webhookSecret,
       repos: options.repos,
@@ -86,7 +86,6 @@ function authToSecretBlock(auth: GithubInitCredentials['auth']) {
     type: 'app' as const,
     appId: auth.appId,
     privateKey: { value: auth.privateKey },
-    ...(auth.installationId !== undefined ? { installationId: auth.installationId } : {}),
   }
 }
 

package/src/init/index.ts

@@ -94,7 +94,7 @@ export type GithubInitCredentials = {
   hostname?: string
   tokenEnv?: string
   repos: string[]
-  auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
+  auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string }
 }
 
 export type GithubTunnelProvider = 'cloudflare-quick' | 'cloudflare-named' | 'external' | 'none'
@@ -998,7 +998,7 @@ export type AddChannelOptions = {
       hostname?: string
       tokenEnv?: string
       repos: string[]
-      auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
+      auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string }
       fetchImpl?: typeof fetch
     }
 )
@@ -1263,9 +1263,6 @@ async function writeGithubChannelForInit(cwd: string, credentials: GithubInitCre
             type: 'app',
             appId: credentials.auth.appId,
             privateKey: { value: credentials.auth.privateKey } satisfies Secret,
-            ...(credentials.auth.installationId !== undefined
-              ? { installationId: credentials.auth.installationId }
-              : {}),
           },
     webhookSecret: { value: credentials.webhookSecret } satisfies Secret,
   }
@@ -1298,7 +1295,6 @@ async function appendGithubSecrets(
             type: 'app',
             appId: options.auth.appId,
             privateKey: { value: options.auth.privateKey } satisfies Secret,
-            ...(options.auth.installationId !== undefined ? { installationId: options.auth.installationId } : {}),
           },
     webhookSecret: { value: options.webhookSecret } satisfies Secret,
   }
@@ -1461,13 +1457,13 @@ export async function setChannelSecrets(
 // previous auth type, since the two shapes share no fields beyond `type`).
 export type GithubCredentialPatch = {
   webhookSecret?: string
-  auth?: { type: 'pat'; pat: string } | { type: 'app'; privateKey: string; appId?: number; installationId?: number }
+  auth?: { type: 'pat'; pat: string } | { type: 'app'; privateKey: string; appId?: number }
 }
 
 // Update one or more credential fields on an already-configured GitHub
 // channel. Like setChannelSecrets, refuses when secrets.json has no
 // existing github entry. Supports both same-type rotation (preserves env
-// bindings, carries appId/installationId forward when not supplied) and
+// bindings, carries appId forward when not supplied) and
 // auth-type switching (replaces the entire auth block — see
 // `GithubCredentialPatch` above).
 export async function setGithubSecrets(cwd: string, patch: GithubCredentialPatch): Promise<SetChannelTokensResult> {
@@ -1503,7 +1499,6 @@ export async function setGithubSecrets(cwd: string, patch: GithubCredentialPatch
       } else {
         const existingApp = isSameType && isObjectRecord(existingAuth) ? (existingAuth as Record<string, unknown>) : {}
         const appId = patch.auth.appId ?? (existingApp.appId as number | undefined)
-        const installationId = patch.auth.installationId ?? (existingApp.installationId as number | undefined)
         if (typeof appId !== 'number') {
           return {
             result: {
@@ -1518,7 +1513,6 @@ export async function setGithubSecrets(cwd: string, patch: GithubCredentialPatch
           type: 'app',
           appId,
           privateKey: rotatedSecret(existingApp.privateKey, patch.auth.privateKey),
-          ...(installationId !== undefined ? { installationId } : {}),
         }
       }
     }

package/src/run/index.ts

@@ -371,6 +371,7 @@ export async function startAgent({
             runtimeVersion: runtimeVersionOpt.runtimeVersion,
             containerName: containerNameOpt.containerName,
             sessionFactory,
+            channelRouter: channelManager.router,
           }),
         subagent: (subName: string, payload?: unknown) =>
           dispatchSpawnSubagent(subName, payload, {
@@ -585,6 +586,7 @@ export async function startAgent({
       containerName,
       outbound,
       sessionFactory,
+      channelRouter: channelManager.router,
     })
 
   const server = createServer({

package/src/secrets/schema.ts

@@ -49,7 +49,6 @@ const githubAppAuthSchema = z.object({
   type: z.literal('app'),
   appId: z.number().int().positive(),
   privateKey: secretFieldSchema,
-  installationId: z.number().int().positive().optional(),
 })
 
 const githubChannelSchema = z.object({

package/src/server/command-runner.ts

@@ -5,6 +5,7 @@ import {
   type CreateSessionResult,
   type SessionOrigin,
 } from '@/agent'
+import type { ChannelRouter } from '@/channels/router'
 import type { PermissionService } from '@/permissions'
 import type {
   CommandExecResult,
@@ -44,6 +45,14 @@ export type CommandRunnerOptions = {
   // `SessionManager.inMemory()` and never persist usage — see
   // `runPromptForCommand` below.
   sessionFactory: SessionFactory
+  // Channel router threaded into every `ctx.prompt` session so the model can
+  // call `channel_send`. Without this, `buildChannelTools` (src/agent/index.ts)
+  // receives `undefined` and emits no channel tools — a plugin command or cron
+  // handler told to post to a channel then has no tool to do it and falls back
+  // to flailing bash loops. The cron `prompt` path already passes
+  // `channelManager.router` via `createSessionForCron`; this is the matching
+  // wire for the handler/command path.
+  channelRouter: ChannelRouter | undefined
 }
 
 type CommandHandle = {
@@ -182,6 +191,7 @@ export function createCommandRunner(opts: CommandRunnerOptions): CommandRunner {
               permissions: opts.permissions,
               signal: abortController.signal,
               sessionFactory: opts.sessionFactory,
+              channelRouter: opts.channelRouter,
             }),
           subagent: (subName, payload) =>
             opts.spawnSubagent(subName, payload, {
@@ -363,6 +373,9 @@ export async function runPromptForCommand(args: {
   // cron `prompt` path uses in src/run/index.ts. Passing in-memory here
   // regresses `typeclaw usage` (see CommandRunnerOptions.sessionFactory).
   sessionFactory: SessionFactory
+  // See CommandRunnerOptions.channelRouter. Threaded to createSessionWithDispose
+  // so the spawned session exposes `channel_send`.
+  channelRouter?: ChannelRouter
   // Test seam for the agent-session boundary. Production passes the real
   // `createSessionWithDispose`; tests inject a fake to verify wiring
   // (specifically: the sessionManager handed off must be persisted, not
@@ -388,6 +401,7 @@ export async function runPromptForCommand(args: {
       sessionId,
       agentDir: args.agentDir,
     },
+    ...(args.channelRouter !== undefined ? { channelRouter: args.channelRouter } : {}),
     ...(args.runtimeVersion !== undefined ? { runtimeVersion: args.runtimeVersion } : {}),
     ...(args.containerName !== undefined ? { containerName: args.containerName } : {}),
   })