typeclaw 0.19.0 → 0.20.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.19.0",
+  "version": "0.20.0",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"

package/src/agent/index.ts

@@ -49,6 +49,7 @@ import {
 } from './tool-result-budget'
 import { createChannelFetchAttachmentTool } from './tools/channel-fetch-attachment'
 import { createChannelHistoryTool } from './tools/channel-history'
+import { createChannelReactTool } from './tools/channel-react'
 import { createChannelReplyTool } from './tools/channel-reply'
 import { createChannelSendTool } from './tools/channel-send'
 import { createGrantRoleTool } from './tools/grant-role'
@@ -532,6 +533,12 @@ export function buildChannelTools(
     tools.push(createChannelReplyTool({ router: channelRouter, origin: channelOrigin }))
     tools.push(createChannelHistoryTool({ router: channelRouter, origin: channelOrigin }))
     tools.push(createChannelSendTool({ router: channelRouter, origin: channelOrigin }))
+    tools.push(
+      createChannelReactTool({
+        router: channelRouter,
+        origin: { ...channelOrigin, ...(origin.reactionRef !== undefined ? { reactionRef: origin.reactionRef } : {}) },
+      }),
+    )
     tools.push(
       createChannelFetchAttachmentTool({
         router: channelRouter,

package/src/agent/live-subagents.ts

@@ -19,6 +19,10 @@ export type LiveSubagent = {
   sessionId: string
   subagentName: string
   parentSessionId?: string
+  // Role that resolved at spawn time, captured for the provenance cap on
+  // subagent_output/subagent_cancel. Absent when no permission service was
+  // active at spawn, in which case the cap fails closed.
+  spawnedByRole?: string
   startedAt: number
   status: SubagentStatus
   completion?: SubagentCompletion

package/src/agent/session-origin.ts

@@ -1,5 +1,6 @@
 import { MEMBERSHIP_FRESHNESS_MS, type MembershipCount } from '@/channels/membership'
 import type { AdapterId } from '@/channels/schema'
+import type { ReactionRef } from '@/channels/types'
 
 export type ChannelParticipant = {
   authorId: string
@@ -38,6 +39,7 @@ export type SessionOrigin =
       chatName?: string
       thread: string | null
       lastInboundAuthorId?: string
+      reactionRef?: ReactionRef
       participants?: readonly ChannelParticipant[]
       membership?: MembershipCount
     }
@@ -301,6 +303,13 @@ function renderChannelOrigin(
       'audience: post the answer (or review summary) itself, never a status',
       'line about having posted it elsewhere. A narrated "Posted review result',
       'for PR #N: …" inside the PR is exactly the failure to avoid.',
+      '',
+      '**Do not post an "On it" acknowledgment comment.** The runtime already',
+      'adds an :eyes: reaction to the triggering item the moment it engages, so a',
+      'separate "looking into this" comment is redundant noise on the PR. If you',
+      'want to signal acknowledgment explicitly, use `channel_react({ emoji })`',
+      '(it reacts, it does not comment) — never a text ack. Reserve `channel_reply`',
+      'for the actual substantive answer.',
     )
   }
 
@@ -339,12 +348,21 @@ function renderChannelOrigin(
     '`channel_reply` call, not narration. This includes acks.',
     '',
     '**One substantive reply per inbound.** If the answer needs more than one',
-    'tool call, send a one-line ack first via `channel_reply({ text: "On it.",',
-    'continue: true })`, keep working, then send the answer with a final',
-    '`channel_reply`. The ack is not your reply; the answer is. Once the answer',
-    'lands, end your turn. The `continue: true` is not optional on that ack:',
-    'without it the turn ends the instant the ack lands and the rest of your',
-    'work — the fetch, the subagent, the actual answer — is silently dropped.',
+    ...(origin.adapter === 'github'
+      ? [
+          'tool call, keep working and post the answer with a single final',
+          '`channel_reply`. Do not post an "On it" ack comment first — the runtime',
+          'already added an :eyes: reaction on engage; use `channel_react` if you',
+          'want to acknowledge explicitly. The answer is your reply.',
+        ]
+      : [
+          'tool call, send a one-line ack first via `channel_reply({ text: "On it.",',
+          'continue: true })`, keep working, then send the answer with a final',
+          '`channel_reply`. The ack is not your reply; the answer is. Once the answer',
+          'lands, end your turn. The `continue: true` is not optional on that ack:',
+          'without it the turn ends the instant the ack lands and the rest of your',
+          'work — the fetch, the subagent, the actual answer — is silently dropped.',
+        ]),
     '',
     '**Backgrounded work does not end the obligation.** If you spawn a',
     'subagent with `run_in_background: true` to answer the current inbound,',
@@ -400,15 +418,19 @@ function renderMembershipSummary(
   if (membership === undefined) return null
 
   const total = membership.humans + membership.bots
+  // Exact Discord counts are channel-scoped (filtered by who can VIEW_CHANNEL),
+  // so the count is the channel's room, not the guild. The truncated branch is
+  // history-derived recent speakers, which is not a channel-membership claim,
+  // so the caveat would mislead there.
+  const isExact = !membership.truncated && now - membership.fetchedAt < MEMBERSHIP_FRESHNESS_MS
   const caveat =
-    origin.adapter === 'discord-bot' && origin.workspace !== '@dm'
-      ? ' (Note: this is the count of guild members; private channels with permission overwrites may have fewer actual viewers.)'
+    isExact && origin.adapter === 'discord-bot' && origin.workspace !== '@dm'
+      ? ' (This counts only members who can view this channel, not the whole guild.)'
       : ''
-  const isExact = !membership.truncated && now - membership.fetchedAt < MEMBERSHIP_FRESHNESS_MS
   if (isExact) {
     return `This channel has ${total} members: ${membership.humans} humans, ${membership.bots} bots.${caveat} The 10 most recent speakers are listed below.`
   }
-  return `This channel has approximately ${total} members (about ${membership.humans} humans, ${membership.bots} bots — the bot count is approximate, the full member list was not enumerated because it exceeds the 50-member cap).${caveat} The 10 most recent speakers are listed below.`
+  return `This channel has approximately ${total} members (about ${membership.humans} humans, ${membership.bots} bots — the bot count is approximate, the full member list was not enumerated because it exceeds the 50-member cap). The 10 most recent speakers are listed below.`
 }
 
 function renderMentionGuidance(

package/src/agent/tools/channel-react.ts

@@ -0,0 +1,79 @@
+import { Type } from '@mariozechner/pi-ai'
+import { defineTool } from '@mariozechner/pi-coding-agent'
+
+import type { ChannelRouter } from '@/channels/router'
+import type { AdapterId } from '@/channels/schema'
+import type { ReactionRef } from '@/channels/types'
+
+import { type ChannelToolLogger, consoleChannelLogger, formatChannelToolFailure } from './channel-log'
+import { TOOL_RESULT_PREFIX } from './channel-reply'
+
+export type ChannelReactOrigin = {
+  adapter: AdapterId
+  workspace: string
+  chat: string
+  thread: string | null
+  reactionRef?: ReactionRef
+}
+
+export type CreateChannelReactToolOptions = {
+  router: ChannelRouter
+  origin: ChannelReactOrigin
+  logger?: ChannelToolLogger
+}
+
+export function createChannelReactTool({
+  router,
+  origin,
+  logger = consoleChannelLogger,
+}: CreateChannelReactToolOptions) {
+  return defineTool({
+    name: 'channel_react',
+    label: 'Channel React',
+    description:
+      'Add an emoji reaction to the message that triggered this turn — a lightweight acknowledgment that does not post a comment. ' +
+      'On GitHub this reacts to the triggering issue/PR/comment (e.g. :eyes: to signal "I am looking at this"). ' +
+      'Use this instead of a textual "on it" reply when a reaction is enough. Pass the bare emoji name, no colons.',
+    parameters: Type.Object({
+      emoji: Type.String({
+        description: 'Bare emoji name, no surrounding colons. e.g. "eyes", "+1", "rocket", "heart".',
+        minLength: 1,
+      }),
+    }),
+
+    async execute(_toolCallId, params) {
+      const deny = (error: string) => {
+        logger.warn(formatChannelToolFailure('channel_react', error))
+        const details: { ok: boolean; error?: string } = { ok: false, error }
+        return {
+          content: [{ type: 'text' as const, text: `${TOOL_RESULT_PREFIX}channel_react denied: ${error}` }],
+          details,
+        }
+      }
+
+      if (origin.reactionRef === undefined) return deny('this conversation has no message to react to')
+
+      const result = await router.react({
+        adapter: origin.adapter,
+        workspace: origin.workspace,
+        chat: origin.chat,
+        thread: origin.thread,
+        reactionRef: origin.reactionRef,
+        emoji: params.emoji,
+      })
+
+      if (!result.ok) return deny(`${origin.adapter}:${origin.workspace}/${origin.chat}: ${result.error}`)
+
+      const details: { ok: boolean; error?: string } = { ok: true }
+      return {
+        content: [
+          {
+            type: 'text' as const,
+            text: `${TOOL_RESULT_PREFIX}reacted with :${params.emoji}: on ${origin.adapter}:${origin.workspace}/${origin.chat}`,
+          },
+        ],
+        details,
+      }
+    },
+  })
+}

package/src/agent/tools/spawn-subagent.ts

@@ -129,6 +129,7 @@ export function createSpawnSubagentTool(options: CreateSpawnSubagentToolOptions)
         sessionId: resolvedHandle.sessionId ?? '<pending>',
         subagentName,
         parentSessionId,
+        ...(spawnedByRole !== undefined ? { spawnedByRole } : {}),
         startedAt,
         status: 'running' as const,
         abort: resolvedHandle.abort,

package/src/agent/tools/subagent-access.ts

@@ -0,0 +1,67 @@
+import type { PermissionService } from '@/permissions'
+
+import type { LiveSubagent, LiveSubagentRegistry } from '../live-subagents'
+import type { SessionOrigin } from '../session-origin'
+
+export type SubagentAccessPermission = 'subagent.output' | 'subagent.cancel'
+
+export type SubagentAccessResult = { ok: true; live: LiveSubagent } | { ok: false; message: string }
+
+export type AuthorizeLiveSubagentAccessArgs = {
+  permissions: PermissionService | undefined
+  origin: SessionOrigin | undefined
+  liveRegistry: LiveSubagentRegistry
+  taskId: string
+  permission: SubagentAccessPermission
+}
+
+// Authorizes a single subagent_output/subagent_cancel call and resolves the
+// live entry in one place so the two tools cannot drift. Caps access to the
+// requester's role: the caller must hold the permission AND resolve to a role
+// at least as high as the role that spawned the subagent.
+//
+// The ordering closes an existence oracle: the task-independent base-permission
+// check runs BEFORE any registry lookup, and for non-owner callers an absent
+// task, a capped task, and a task with missing provenance all collapse to one
+// identical denial — so a lower-role caller cannot probe which task IDs are
+// live. Only `owner` (the trust root, which outranks every spawner) learns the
+// truthful `Unknown task_id` for a genuine miss. The cap fails closed.
+export function authorizeLiveSubagentAccess(args: AuthorizeLiveSubagentAccessArgs): SubagentAccessResult {
+  const { permissions, origin, liveRegistry, taskId, permission } = args
+
+  if (permissions === undefined) {
+    const live = liveRegistry.get(taskId)
+    if (live === undefined) {
+      return { ok: false, message: `Unknown task_id: ${taskId}.` }
+    }
+    return { ok: true, live }
+  }
+
+  if (!permissions.has(origin, permission)) {
+    return { ok: false, message: `${permission} denied: insufficient permissions` }
+  }
+
+  const requesterRole = permissions.resolveRole(origin)
+  const accessAll = requesterRole === 'owner'
+  const opaqueDenial = `${permission} denied: unknown task_id or insufficient role`
+
+  const live = liveRegistry.get(taskId)
+  if (live === undefined) {
+    return { ok: false, message: accessAll ? `Unknown task_id: ${taskId}.` : opaqueDenial }
+  }
+  if (accessAll) {
+    return { ok: true, live }
+  }
+
+  const spawnedByRole = live.spawnedByRole
+  if (spawnedByRole === undefined) {
+    return { ok: false, message: opaqueDenial }
+  }
+
+  const cmp = permissions.compareRoleSeverity(requesterRole, spawnedByRole)
+  if (cmp === undefined || cmp < 0) {
+    return { ok: false, message: opaqueDenial }
+  }
+
+  return { ok: true, live }
+}

package/src/agent/tools/subagent-cancel.ts

@@ -5,6 +5,7 @@ import type { PermissionService } from '@/permissions'
 
 import type { LiveSubagentRegistry } from '../live-subagents'
 import type { SessionOrigin } from '../session-origin'
+import { authorizeLiveSubagentAccess } from './subagent-access'
 
 export type SubagentCancelToolDetails =
   | { ok: true; taskId: string; subagent: string; alreadyDone: boolean }
@@ -33,13 +34,17 @@ export function createSubagentCancelTool(options: CreateSubagentCancelToolOption
     }),
 
     async execute(_toolCallId, params): Promise<ToolReturn> {
-      if (permissions !== undefined && !permissions.has(getOrigin(), 'subagent.cancel')) {
-        return errorResult('subagent.cancel denied: insufficient permissions')
-      }
-      const live = liveRegistry.get(params.task_id)
-      if (live === undefined) {
-        return errorResult(`Unknown task_id: ${params.task_id}.`)
+      const access = authorizeLiveSubagentAccess({
+        permissions,
+        origin: getOrigin(),
+        liveRegistry,
+        taskId: params.task_id,
+        permission: 'subagent.cancel',
+      })
+      if (!access.ok) {
+        return errorResult(access.message)
       }
+      const live = access.live
       if (live.status !== 'running') {
         const details: SubagentCancelToolDetails = {
           ok: true,

package/src/agent/tools/subagent-output.ts

@@ -5,6 +5,7 @@ import type { PermissionService } from '@/permissions'
 
 import type { LiveSubagentRegistry, StatusSnapshot, SubagentProgressEvent } from '../live-subagents'
 import type { SessionOrigin } from '../session-origin'
+import { authorizeLiveSubagentAccess } from './subagent-access'
 
 export type SubagentOutputToolDetails =
   | {
@@ -64,8 +65,15 @@ export function createSubagentOutputTool(options: CreateSubagentOutputToolOption
     }),
 
     async execute(_toolCallId, params) {
-      if (permissions !== undefined && !permissions.has(getOrigin(), 'subagent.output')) {
-        return errorResult('subagent.output denied: insufficient permissions')
+      const access = authorizeLiveSubagentAccess({
+        permissions,
+        origin: getOrigin(),
+        liveRegistry,
+        taskId: params.task_id,
+        permission: 'subagent.output',
+      })
+      if (!access.ok) {
+        return errorResult(access.message)
       }
       const snap = liveRegistry.snapshot(params.task_id, now())
       if (snap === undefined) {

package/src/channels/adapters/discord-bot.ts

@@ -148,6 +148,116 @@ type DiscordGuildPreview = {
 
 type DiscordGuildMember = {
   user?: { id?: string; bot?: boolean }
+  roles?: string[]
+}
+
+type DiscordPermissionOverwrite = {
+  id?: string
+  type?: number
+  allow?: string
+  deny?: string
+}
+
+// Discord channel `type` values that are threads. A thread's own
+// permission_overwrites are empty and its `parent_id` points at its parent
+// channel (not a category), so the normal "compute from this channel's
+// overwrites" path would treat a thread as fully public. We refuse to count
+// threads channel-scoped and fall back instead — fail-closed.
+const DISCORD_THREAD_CHANNEL_TYPES: ReadonlySet<number> = new Set([10, 11, 12])
+
+type DiscordChannelObject = {
+  type?: number
+  permission_overwrites?: DiscordPermissionOverwrite[]
+}
+
+type DiscordRole = {
+  id?: string
+  permissions?: string
+}
+
+type DiscordGuildObject = {
+  owner_id?: string
+  roles?: DiscordRole[]
+}
+
+// Discord permission bits. Discord serialises permission bitsets as decimal
+// STRINGS that can exceed Number.MAX_SAFE_INTEGER, so all bit math is done in
+// BigInt. Only the two bits this resolver needs are named.
+const DISCORD_PERMISSION_VIEW_CHANNEL = 0x400n
+const DISCORD_PERMISSION_ADMINISTRATOR = 0x8n
+
+function parsePermissionBits(raw: string | undefined): bigint {
+  if (raw === undefined || raw === '') return 0n
+  try {
+    return BigInt(raw)
+  } catch {
+    return 0n
+  }
+}
+
+// Computes whether a single member can VIEW_CHANNEL on a normal guild channel,
+// following Discord's documented resolution order:
+//   base = @everyone role perms OR all of the member's role perms
+//   → owner or ADMINISTRATOR short-circuits to visible
+//   → @everyone channel overwrite (clear deny bits, then set allow bits)
+//   → all matching role overwrites combined (OR every deny, OR every allow;
+//     apply denies then allows)
+//   → member-specific overwrite (clear deny, set allow)
+// Returns null when the data is insufficient to decide (a member references a
+// role absent from the guild role map), so the caller can fail closed rather
+// than guess.
+function memberCanViewChannel(args: {
+  guildId: string
+  ownerId: string | undefined
+  rolePermissions: ReadonlyMap<string, bigint>
+  overwrites: ReadonlyMap<string, { allow: bigint; deny: bigint }>
+  memberId: string | undefined
+  memberRoleIds: readonly string[]
+}): boolean | null {
+  const { guildId, ownerId, rolePermissions, overwrites, memberId, memberRoleIds } = args
+
+  if (memberId !== undefined && ownerId !== undefined && memberId === ownerId) return true
+
+  // Discord's `@everyone` role id always equals the guild id, so the guild id
+  // keys both the base @everyone permissions and the @everyone overwrite.
+  let base = rolePermissions.get(guildId) ?? 0n
+  for (const roleId of memberRoleIds) {
+    const perms = rolePermissions.get(roleId)
+    if (perms === undefined) return null
+    base |= perms
+  }
+
+  if ((base & DISCORD_PERMISSION_ADMINISTRATOR) !== 0n) return true
+
+  let perms = base
+
+  const everyoneOverwrite = overwrites.get(guildId)
+  if (everyoneOverwrite !== undefined) {
+    perms &= ~everyoneOverwrite.deny
+    perms |= everyoneOverwrite.allow
+  }
+
+  let roleDeny = 0n
+  let roleAllow = 0n
+  for (const roleId of memberRoleIds) {
+    const overwrite = overwrites.get(roleId)
+    if (overwrite !== undefined) {
+      roleDeny |= overwrite.deny
+      roleAllow |= overwrite.allow
+    }
+  }
+  perms &= ~roleDeny
+  perms |= roleAllow
+
+  if (memberId !== undefined) {
+    const memberOverwrite = overwrites.get(memberId)
+    if (memberOverwrite !== undefined) {
+      perms &= ~memberOverwrite.deny
+      perms |= memberOverwrite.allow
+    }
+  }
+
+  return (perms & DISCORD_PERMISSION_VIEW_CHANNEL) !== 0n
 }
 
 export function createDiscordMembershipResolver(deps: {
@@ -207,28 +317,136 @@ export function createDiscordMembershipResolver(deps: {
       return members.failure
     }
 
-    let bots = 0
-    let humans = 0
-    const humanMemberIds: string[] = []
-    let everyHumanIdentified = true
-    for (const member of members.value) {
-      if (member.user?.bot === true) {
-        bots++
-        continue
-      }
-      humans++
-      const userId = member.user?.id
-      if (userId === undefined) everyHumanIdentified = false
-      else humanMemberIds.push(userId)
+    // Guild `/members` returns the whole guild, not the channel. A bot or
+    // human that cannot VIEW_CHANNEL the target channel is not in the room and
+    // not a prompt-injection surface, so it must not be counted — otherwise a
+    // private channel of "operator + agent bot" inside a multi-bot guild reads
+    // as bots>1 and the grant_role relaxation (provesOnlyAgentBotPresent)
+    // false-refuses. Resolve channel visibility for each member; on ANY
+    // inability to decide, fall back rather than over- or under-count.
+    // `key.thread ?? key.chat` mirrors the history callback's channel-id
+    // resolution: today Discord stores a thread's own snowflake in `chat` with
+    // `thread` null, but a future caller that passes `chat=parent,
+    // thread=threadId` must scope visibility to the thread, not the parent.
+    const scoped = await scopeMembersToChannel({
+      fetchFn,
+      token: deps.token,
+      logger: deps.logger,
+      guildId: key.workspace,
+      channelId: key.thread ?? key.chat,
+      members: members.value,
+    })
+    if (scoped === 'fallback') return await fallback()
+
+    return scoped.everyHumanIdentified
+      ? {
+          humans: scoped.humans,
+          bots: scoped.bots,
+          fetchedAt: now(),
+          truncated: false,
+          humanMemberIds: scoped.humanMemberIds,
+        }
+      : { humans: scoped.humans, bots: scoped.bots, fetchedAt: now(), truncated: false }
+  }
+}
+
+type ScopedMembership = {
+  humans: number
+  bots: number
+  humanMemberIds: string[]
+  everyHumanIdentified: boolean
+}
+
+// Filters a guild member list down to those who can VIEW_CHANNEL the target
+// channel, then counts humans/bots over that visible set. Returns 'fallback'
+// when channel visibility cannot be computed completely (channel/guild fetch
+// failure, a member referencing an unknown role, or a thread channel whose
+// visibility this resolver does not model) — the caller then derives from
+// history (truncated:true), keeping every security consumer fail-closed.
+async function scopeMembersToChannel(args: {
+  fetchFn: typeof fetch
+  token: string
+  logger: DiscordBotAdapterLogger
+  guildId: string
+  channelId: string
+  members: readonly DiscordGuildMember[]
+}): Promise<ScopedMembership | 'fallback'> {
+  const { fetchFn, token, logger, guildId, channelId, members } = args
+
+  const [channel, guild] = await Promise.all([
+    fetchDiscordJson<DiscordChannelObject>(fetchFn, `${DISCORD_API_BASE}/channels/${channelId}`, token),
+    fetchDiscordJson<DiscordGuildObject>(fetchFn, `${DISCORD_API_BASE}/guilds/${guildId}`, token),
+  ])
+  if (!channel.ok) {
+    logger.warn(
+      `[discord-bot] membership channel=${channelId} fetch failed: ${channel.reason}; deriving from recent message authors`,
+    )
+    return 'fallback'
+  }
+  if (!guild.ok) {
+    logger.warn(
+      `[discord-bot] membership guild=${guildId} fetch failed: ${guild.reason}; deriving from recent message authors`,
+    )
+    return 'fallback'
+  }
+
+  if (channel.value.type !== undefined && DISCORD_THREAD_CHANNEL_TYPES.has(channel.value.type)) {
+    // A thread inherits visibility from its parent channel and (for private
+    // threads) an explicit member list; we do not model either here. Fall
+    // back rather than treat the thread as world-visible.
+    logger.warn(
+      `[discord-bot] membership channel=${channelId} is a thread; deriving from recent message authors instead of channel-scoped enumeration`,
+    )
+    return 'fallback'
+  }
+
+  const rolePermissions = new Map<string, bigint>()
+  for (const role of guild.value.roles ?? []) {
+    if (role.id !== undefined) rolePermissions.set(role.id, parsePermissionBits(role.permissions))
+  }
+
+  const overwrites = new Map<string, { allow: bigint; deny: bigint }>()
+  for (const overwrite of channel.value.permission_overwrites ?? []) {
+    if (overwrite.id === undefined) continue
+    overwrites.set(overwrite.id, {
+      allow: parsePermissionBits(overwrite.allow),
+      deny: parsePermissionBits(overwrite.deny),
+    })
+  }
+
+  let humans = 0
+  let bots = 0
+  const humanMemberIds: string[] = []
+  let everyHumanIdentified = true
+
+  for (const member of members) {
+    const visible = memberCanViewChannel({
+      guildId,
+      ownerId: guild.value.owner_id,
+      rolePermissions,
+      overwrites,
+      memberId: member.user?.id,
+      memberRoleIds: member.roles ?? [],
+    })
+    if (visible === null) {
+      logger.warn(
+        `[discord-bot] membership channel=${channelId} member references unknown role; deriving from recent message authors`,
+      )
+      return 'fallback'
     }
-    // Only attach identities when every human was identifiable; an
-    // unidentifiable human must not be silently dropped, or a consumer proving
-    // "all humans trusted" would skip an unaccounted member. Falling back to
-    // counts-only keeps that consumer fail-closed.
-    return everyHumanIdentified
-      ? { humans, bots, fetchedAt: now(), truncated: false, humanMemberIds }
-      : { humans, bots, fetchedAt: now(), truncated: false }
+    if (!visible) continue
+
+    if (member.user?.bot === true) {
+      bots++
+      continue
+    }
+    humans++
+    const userId = member.user?.id
+    if (userId === undefined) everyHumanIdentified = false
+    else humanMemberIds.push(userId)
   }
+
+  return { humans, bots, humanMemberIds, everyHumanIdentified }
 }
 
 type DiscordFetchResult<T> =