typeclaw 0.21.0 → 0.23.0

package/src/channels/router.ts

@@ -7,7 +7,7 @@ import { createSession, renderTurnRoleAnchor, renderTurnTimeAnchor, type AgentSe
 import { subscribeProviderErrors } from '@/agent/provider-error'
 import type { ChannelParticipant, SessionOrigin } from '@/agent/session-origin'
 import { renderSubagentCompletionReminder } from '@/agent/subagent-completion-reminder'
-import { type Command, type CommandResult, createCommandRegistry } from '@/commands'
+import { type Command, type CommandPermission, type CommandResult, createCommandRegistry } from '@/commands'
 import { CORE_PERMISSIONS, type PermissionService } from '@/permissions'
 import type { HookBus } from '@/plugin'
 import { extractClaimCode } from '@/role-claim'
@@ -43,6 +43,8 @@ import type {
   ChannelHistoryMessage,
   ChannelKey,
   ChannelNameResolver,
+  ChannelSelfIdentity,
+  ChannelSelfIdentityResolver,
   FetchAttachmentArgs,
   FetchAttachmentCallback,
   FetchAttachmentResult,
@@ -553,6 +555,13 @@ export type ChannelRouter = {
   unregisterTyping: (adapter: ChannelKey['adapter'], cb: TypingCallback) => void
   registerChannelNameResolver: (adapter: ChannelKey['adapter'], resolver: ChannelNameResolver) => void
   unregisterChannelNameResolver: (adapter: ChannelKey['adapter'], resolver: ChannelNameResolver) => void
+  // Self-identity is a per-adapter singleton (one bot account per adapter),
+  // so unlike the multi-resolver registries above this is last-write-wins:
+  // register overwrites, unregister clears only if the current resolver is
+  // the one being removed (guards against a late stop() of a replaced adapter
+  // wiping a fresh registration).
+  registerSelfIdentity: (adapter: ChannelKey['adapter'], resolver: ChannelSelfIdentityResolver) => void
+  unregisterSelfIdentity: (adapter: ChannelKey['adapter'], resolver: ChannelSelfIdentityResolver) => void
   registerMembership: (adapter: ChannelKey['adapter'], resolver: MembershipResolver) => void
   unregisterMembership: (adapter: ChannelKey['adapter'], resolver: MembershipResolver) => void
   registerHistory: (adapter: ChannelKey['adapter'], cb: HistoryCallback) => void
@@ -720,6 +729,17 @@ export type CreateChannelRouterOptions = {
   // can diagnose silent drops from `typeclaw inspect` alone. Omitted in
   // tests that don't care about inspect surfacing.
   stream?: Stream
+  // Operate-the-agent command handlers. When set, the router registers the
+  // matching channel command (/reload, /restart) gated on session.admin
+  // (owner+trusted). Omitted means the command is not registered at all — it
+  // won't appear in /help and a text-prefix or native-slash invocation is
+  // treated as unknown. Production wiring (src/run/index.ts via the channel
+  // manager) supplies both; tests opt in per-case. `onReload` returns a short
+  // human-readable summary posted back to the channel; `onRestart` returns a
+  // confirmation string (the container exits shortly after, so the reply is
+  // best-effort).
+  onReload?: () => Promise<string>
+  onRestart?: () => Promise<string>
 }
 
 export type ClaimHandlerInput = {
@@ -756,6 +776,8 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
   const permissions = options.permissions ?? GRANT_ALL_PERMISSIONS
   const claimHandler = options.claimHandler
   const stream = options.stream
+  const onReload = options.onReload
+  const onRestart = options.onRestart
   const liveSessions = new Map<string, LiveSession>()
   const creating = new Map<string, Promise<LiveSession>>()
   // Bumped by tearDownAllLive() and stop() before they tear sessions down. An
@@ -772,6 +794,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
   const typingCallbacks = new Map<ChannelKey['adapter'], Set<TypingCallback>>()
   const channelNameResolvers = new Map<ChannelKey['adapter'], Set<ChannelNameResolver>>()
   const membershipResolvers = new Map<ChannelKey['adapter'], Set<MembershipResolver>>()
+  const selfIdentityResolvers = new Map<ChannelKey['adapter'], ChannelSelfIdentityResolver>()
   const membershipCaches = new Map<ChannelKey['adapter'], MembershipCache>()
   const historyCallbacks = new Map<ChannelKey['adapter'], Set<HistoryCallback>>()
   const fetchAttachmentCallbacks = new Map<ChannelKey['adapter'], Set<FetchAttachmentCallback>>()
@@ -779,7 +802,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
   // The /help handler reads the live registry to enumerate commands, so it
   // forward-references `commands`. Safe at runtime — the handler only runs on
   // invocation, long after the assignment below completes.
-  const channelCommands: readonly Command<ChannelCommandContext>[] = [
+  const channelCommands: Command<ChannelCommandContext>[] = [
     {
       name: 'help',
       description: 'List available commands.',
@@ -800,6 +823,28 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       },
     },
   ]
+  // /reload and /restart are registered only when the operate-the-agent
+  // callbacks are wired (production via the channel manager). Without them the
+  // capability doesn't exist for this router, so the commands stay absent from
+  // /help and resolve as unknown — never a silent no-op.
+  if (onReload !== undefined) {
+    channelCommands.push({
+      name: 'reload',
+      description: 'Reload typeclaw config and subsystems from disk.',
+      permission: 'session.admin',
+      requiresLiveSession: false,
+      handler: async () => ({ reply: await onReload() }),
+    })
+  }
+  if (onRestart !== undefined) {
+    channelCommands.push({
+      name: 'restart',
+      description: 'Restart the typeclaw container.',
+      permission: 'session.admin',
+      requiresLiveSession: false,
+      handler: async () => ({ reply: await onRestart() }),
+    })
+  }
   const commands = createCommandRegistry<ChannelCommandContext>(channelCommands)
 
   // Implicit dir-name alias: agent folder basename matches Docker
@@ -1053,6 +1098,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       // channel.respond gate just admitted on. Per-turn updates after this
       // point are handled by `originRef.current = buildLiveOrigin(live)`
       // before each prompt() call.
+      const self = resolveSelfIdentity(key)
       const origin: SessionOrigin = {
         kind: 'channel',
         adapter: key.adapter,
@@ -1064,6 +1110,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         ...(triggeringAuthorId !== undefined ? { lastInboundAuthorId: triggeringAuthorId } : {}),
         participants,
         ...(membership !== null ? { membership } : {}),
+        ...(self !== undefined ? { self } : {}),
       }
 
       const isColdStart = resolvedRecord?.sessionId === undefined
@@ -1487,6 +1534,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
 
   const buildLiveOrigin = (live: LiveSession): SessionOrigin => {
     const membership = readMembership(live.key)
+    const self = resolveSelfIdentity(live.key)
     return {
       kind: 'channel',
       adapter: live.key.adapter,
@@ -1499,6 +1547,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       ...(live.currentTurnReactionRef !== null ? { reactionRef: live.currentTurnReactionRef } : {}),
       participants: live.participants,
       ...(membership !== null ? { membership } : {}),
+      ...(self !== undefined ? { self } : {}),
     }
   }
 
@@ -1800,9 +1849,10 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         logger.info(`[channels] ${keyId}: ignoring unknown command /${parsedCommand.name}`)
         return
       }
-      if (commandInfo.permission === 'session.control' && isSessionControlDenied(event)) {
+      const requiredPermission = commandPermissionString(commandInfo.permission)
+      if (requiredPermission !== null && !permissions.has(inboundAuthorOrigin(event), requiredPermission)) {
         logger.info(
-          `[channels] ${keyId}: denied command /${parsedCommand.name} by permissions (session.control) author=${event.authorId}`,
+          `[channels] ${keyId}: denied command /${parsedCommand.name} by permissions (${requiredPermission}) author=${event.authorId}`,
         )
         return
       }
@@ -1913,8 +1963,22 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
   // operator can grant guest channelRespond for masked stranger turns)
   // cannot /stop another speaker's in-flight turn. session.control is
   // member-and-up by default.
-  const isSessionControlDenied = (event: InboundMessage): boolean =>
-    !permissions.has(inboundAuthorOrigin(event), CORE_PERMISSIONS.sessionControl)
+  // Maps a command's declared permission tier to the concrete permission
+  // string gated on both the text-prefix path (route) and the native-slash
+  // path (executeCommand). 'none' is never gated. session.admin (owner+trusted,
+  // not member) covers /reload and /restart, which mutate global agent state
+  // and drop every in-flight session. Centralized so a new tier can't be
+  // honored on one path and silently skipped on the other.
+  const commandPermissionString = (permission: CommandPermission): string | null => {
+    switch (permission) {
+      case 'none':
+        return null
+      case 'session.control':
+        return CORE_PERMISSIONS.sessionControl
+      case 'session.admin':
+        return CORE_PERMISSIONS.sessionAdmin
+    }
+  }
 
   const updateLoopGuard = (live: LiveSession, event: InboundMessage): void => {
     if (!event.authorIsBot) {
@@ -2151,6 +2215,22 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     channelNameResolvers.get(adapter)?.delete(resolver)
   }
 
+  const registerSelfIdentity = (adapter: ChannelKey['adapter'], resolver: ChannelSelfIdentityResolver): void => {
+    selfIdentityResolvers.set(adapter, resolver)
+  }
+
+  const unregisterSelfIdentity = (adapter: ChannelKey['adapter'], resolver: ChannelSelfIdentityResolver): void => {
+    if (selfIdentityResolvers.get(adapter) === resolver) {
+      selfIdentityResolvers.delete(adapter)
+    }
+  }
+
+  const resolveSelfIdentity = (key: ChannelKey): ChannelSelfIdentity | undefined => {
+    const resolver = selfIdentityResolvers.get(key.adapter)
+    if (resolver === undefined) return undefined
+    return resolver(key.workspace) ?? undefined
+  }
+
   const registerMembership = (adapter: ChannelKey['adapter'], resolver: MembershipResolver): void => {
     let set = membershipResolvers.get(adapter)
     if (!set) {
@@ -2702,14 +2782,17 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     if (commandInfo === undefined) {
       return { kind: 'unknown-command', name: lowered }
     }
-    // Gates on session.control (not channel.respond) so a respond-capable
-    // guest cannot abort another speaker's turn. Runs BEFORE the live-session
-    // lookup so an unauthorized invoker gets 'permission-denied' regardless of
-    // session state, rather than leaking session presence via the
-    // 'no-live-session' vs 'permission-denied' distinction. Session-less
-    // informational commands (e.g. /help) declare permission:'none' and skip
-    // both the gate and the lookup so they work in channels with no live turn.
-    if (commandInfo.permission === 'session.control') {
+    // Gates on the command's declared tier (session.control for /stop,
+    // session.admin for /reload and /restart) — never channel.respond — so a
+    // respond-capable guest cannot abort another speaker's turn or bounce the
+    // container. Runs BEFORE the live-session lookup so an unauthorized invoker
+    // gets 'permission-denied' regardless of session state, rather than leaking
+    // session presence via the 'no-live-session' vs 'permission-denied'
+    // distinction. Session-less informational commands (e.g. /help) declare
+    // permission:'none' and skip both the gate and the lookup so they work in
+    // channels with no live turn.
+    const requiredPermission = commandPermissionString(commandInfo.permission)
+    if (requiredPermission !== null) {
       const partial: SessionOrigin = {
         kind: 'channel',
         adapter: key.adapter,
@@ -2718,7 +2801,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         thread: key.thread,
         lastInboundAuthorId: options.invokerId,
       }
-      if (!permissions.has(partial, CORE_PERMISSIONS.sessionControl)) {
+      if (!permissions.has(partial, requiredPermission)) {
         return { kind: 'permission-denied' }
       }
     }
@@ -2829,6 +2912,8 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     unregisterTyping,
     registerChannelNameResolver,
     unregisterChannelNameResolver,
+    registerSelfIdentity,
+    unregisterSelfIdentity,
     registerMembership,
     unregisterMembership,
     registerHistory,

package/src/channels/schema.ts

@@ -131,6 +131,23 @@ export const DEFAULT_GITHUB_EVENT_ALLOWLIST = [
   'pull_request_review.submitted',
 ] as const
 
+// PR-review policy knobs. Grouped under `review` so future toggles
+// (`requestChanges`, auto-review-on-request, severity thresholds) cluster
+// here instead of flattening onto the channel root.
+//
+// `approve` gates whether the agent may submit a formal review with
+// `event: APPROVE`. When `false`, the adapter appends an operator-policy note
+// to inbounds and the `typeclaw-channel-github` skill downgrades an `approve`
+// verdict to a `COMMENT` review (findings still posted, no formal approval).
+// Enforced in the inbound text rather than at the bash layer because the
+// review posts via `gh api --input <file>`, so the `event` value lives in a
+// temp file the command interceptor never sees.
+const githubReviewSchema = z
+  .object({
+    approve: z.boolean().default(true),
+  })
+  .default({ approve: true })
+
 const githubChannelSchema = adapterSchema.extend({
   // Optional now (PR 2): when omitted and a `tunnels[]` entry with
   // `for: { kind: 'channel', name: 'github' }` exists, the runtime resolves
@@ -146,6 +163,7 @@ const githubChannelSchema = adapterSchema.extend({
   // this session is deleted so a restart with a different webhookUrl (e.g.
   // a tunnel reassigning a URL) doesn't leave orphaned hooks on GitHub.
   repos: z.array(z.string()).default([]),
+  review: githubReviewSchema,
 })
 
 // KakaoTalk uses the same shape as every other adapter. There used to be an

package/src/channels/types.ts

@@ -243,6 +243,33 @@ export type ResolvedChannelNames = {
 
 export type ChannelNameResolver = (key: ChannelKey) => Promise<ResolvedChannelNames>
 
+// The bot's OWN identity on a platform, surfaced into the channel system
+// prompt so the model recognizes mentions of itself. The engagement gate
+// already knows this id (it sets `isBotMention`), but the model only knows
+// its NAME (from identity files) — not its platform user id. Without this,
+// a message addressed to `<@U0ABFG8TYN7>` (the bot's own Slack id) reads to
+// the model as "addressed to someone else" and it skips a turn it was
+// correctly engaged for.
+//
+// - `id` is the raw platform user id (Slack `U…`, Discord snowflake,
+//   Telegram numeric id as string, GitHub numeric id as string). For
+//   angle-id platforms this is what appears inside `<@…>`.
+// - `username` is the human-typed handle used for at-mentions on platforms
+//   where the id is NOT what gets typed (Telegram `@username`, GitHub
+//   `@login`). Omitted when the platform mentions by id, or when the
+//   account simply has no username.
+export type ChannelSelfIdentity = {
+  id: string
+  username?: string
+}
+
+// Resolves the bot's own identity for a given workspace. `workspace` is
+// passed because identity is conceptually per-workspace (Slack team); most
+// adapters serve a single identity and ignore the argument. Returns null
+// when identity is not yet resolved (startup race) or unknown — callers
+// MUST treat null as "omit the self-mention prompt line", never as an error.
+export type ChannelSelfIdentityResolver = (workspace: string) => ChannelSelfIdentity | null
+
 // History entries are intentionally distinct from InboundMessage:
 // `InboundMessage` carries router-classification fields (`isBotMention`,
 // `isDm`) that are turn-delivery concerns, not history concerns. History

package/src/cli/dreams.ts

@@ -4,7 +4,7 @@ import { type DreamEntry, renderListRow, runDreams, type ViewAction } from '@/dr
 import { findAgentDir } from '@/init'
 
 import { createEscController } from './inspect-controller'
-import { c, cancel, errorLine, isCancel } from './ui'
+import { c, cancel, errorLine, isCancel, prepareStdinForClack } from './ui'
 
 const ESC_DEBOUNCE_MS = 50
 const QUIT_KEY = 0x71
@@ -123,6 +123,7 @@ async function clackSelect(
   initialSha: string | undefined,
 ): Promise<DreamEntry | null> {
   const { select } = await import('@clack/prompts')
+  prepareStdinForClack()
   const preferred = initialSha !== undefined && entries.some((e) => e.sha === initialSha) ? initialSha : entries[0]?.sha
   const picked = await select<string>({
     message: `Pick a dream to open (${entries.length} total)`,

package/src/cli/inspect-controller.ts

@@ -64,3 +64,95 @@ export function createEscController({ debounceMs }: { debounceMs: number }): Esc
     },
   }
 }
+
+export type TailIntent = 'back' | 'exit'
+
+export type TailScope = {
+  signal: AbortSignal
+  // null when the tail ended on its own (stream closed / replay-only); the loop
+  // treats null the same as 'back'. The stream only ever sees signal.aborted —
+  // intent is read by the loop, keeping abort decoupled from what abort meant.
+  intent: () => TailIntent | null
+  dispose: () => void
+}
+
+type RawInput = Pick<NodeJS.ReadStream, 'isTTY' | 'setRawMode' | 'resume' | 'on' | 'off'>
+
+type ProcessSignals = Pick<NodeJS.Process, 'once' | 'off'>
+
+// One disposable interaction scope per live-tail iteration. Creates a FRESH
+// AbortController, installs a temporary raw-mode 'data' listener plus
+// SIGINT/SIGTERM handlers, and tears all of it down on dispose(). This mirrors
+// the `dreams` viewer-key pattern: raw mode is scoped to a single tail attempt
+// and never survives into the clack picker, which removes the pause/resume
+// state machine that made the old inspect listener fragile.
+export function createTailScope(opts: { debounceMs: number; input?: RawInput; proc?: ProcessSignals }): TailScope {
+  const stdin = opts.input ?? process.stdin
+  const proc = opts.proc ?? process
+  const controller = new AbortController()
+  let intent: TailIntent | null = null
+  let disposed = false
+
+  const settle = (next: TailIntent): void => {
+    if (intent === null) intent = next
+    controller.abort()
+  }
+
+  const onSigExit = (): void => {
+    settle('exit')
+  }
+
+  const isTty = Boolean(stdin.isTTY) && typeof stdin.setRawMode === 'function'
+  const esc = isTty ? createEscController({ debounceMs: opts.debounceMs }) : null
+  const escSignal = esc?.armForStream()
+  // A bare ESC fires through the debounce controller, not the 'data' handler:
+  // route its abort into 'back' intent here so the loop can re-open the picker.
+  const onEscAbort = (): void => settle('back')
+
+  const onData = (chunk: Buffer): void => {
+    if (esc === null) return
+    const { sigint } = esc.onChunk(chunk)
+    if (sigint) settle('exit')
+  }
+
+  const dispose = (): void => {
+    if (disposed) return
+    disposed = true
+    proc.off('SIGINT', onSigExit)
+    proc.off('SIGTERM', onSigExit)
+    escSignal?.removeEventListener('abort', onEscAbort)
+    if (esc !== null) {
+      stdin.off('data', onData)
+      esc.dispose()
+      try {
+        stdin.setRawMode(false)
+      } catch {
+        /* terminal already torn down */
+      }
+      // Deliberately NOT stdin.pause(): a paused process.stdin does not reliably
+      // re-flow into the next clack picker under Bun (same reason as
+      // prepareStdinForClack / dreams' waitForViewerKey). Leave it flowing.
+    }
+    // Abort last so a stream still awaiting on this signal unblocks during
+    // teardown rather than hanging.
+    controller.abort()
+  }
+
+  proc.once('SIGINT', onSigExit)
+  proc.once('SIGTERM', onSigExit)
+
+  if (esc !== null && escSignal !== undefined) {
+    escSignal.addEventListener('abort', onEscAbort, { once: true })
+    stdin.setRawMode(true)
+    // Attach the data handler before resume() so no raw-mode keystroke slips
+    // through between resuming the stream and registering the listener.
+    stdin.on('data', onData)
+    stdin.resume()
+  }
+
+  return {
+    signal: controller.signal,
+    intent: () => intent,
+    dispose,
+  }
+}

package/src/cli/inspect.ts

@@ -5,10 +5,10 @@ import { findAgentDir } from '@/init'
 import { runInspectLoop, streamLive, type LiveSourceFactory, type SessionSummary } from '@/inspect'
 import { originLabel, shortSessionId } from '@/inspect/label'
 
-import { createEscController } from './inspect-controller'
-import { cancel, c, errorLine, isCancel } from './ui'
+import { createTailScope } from './inspect-controller'
+import { cancel, c, errorLine, isCancel, prepareStdinForClack } from './ui'
 
-const ESC_LISTEN_DELAY_MS = 50
+const ESC_DEBOUNCE_MS = 50
 
 export const inspectCommand = defineCommand({
   meta: {
@@ -45,46 +45,23 @@ export const inspectCommand = defineCommand({
 
     const isJson = args.json === true
     const liveSource = isJson ? undefined : await buildLiveSource(cwd)
-    const signalCtrl = installSigintAbort()
-    const signal = signalCtrl.signal
-    // Raw-mode Ctrl-C arrives as byte 0x03 and must abort the exit controller
-    // directly: under Bun a self-issued process.kill(SIGINT) does not reliably
-    // re-enter our process.once('SIGINT') handler, so the live tail never exits.
-    const escListener = isJson ? null : createEscListener(() => signalCtrl.abort())
-    const liveHint = escListener === null ? undefined : escHintLine(color)
-
-    // try/finally so a thrown loop never leaves the terminal stuck in raw mode.
-    let result: Awaited<ReturnType<typeof runInspectLoop>>
-    try {
-      result = await runInspectLoop({
-        agentDir: cwd,
-        ...(sessionArg !== undefined ? { sessionIdOrPrefix: sessionArg } : {}),
-        ...(filterArg !== undefined ? { filter: filterArg } : {}),
-        ...(sinceArg !== undefined ? { since: sinceArg } : {}),
-        json: isJson,
-        color,
-        selectSession: (sessions, selectOpts) => {
-          escListener?.pause()
-          return clackSelect(sessions, selectOpts?.initialSessionId).finally(() => {
-            escListener?.resume()
-          })
-        },
-        ...(liveSource !== undefined ? { liveSource } : {}),
-        signal,
-        newEscSignal: () => {
-          if (escListener === null) return new AbortController().signal
-          return escListener.armForStream()
-        },
-        afterEscStream: () => {
-          escListener?.pause()
-        },
-        ...(liveHint !== undefined ? { liveHint } : {}),
-        stdout: (line) => process.stdout.write(`${line}\n`),
-        stderr: (line) => process.stderr.write(`${line}\n`),
-      })
-    } finally {
-      escListener?.stop()
-    }
+    const interactive = !isJson && Boolean(process.stdin.isTTY)
+    const liveHint = interactive ? escHintLine(color) : undefined
+
+    const result = await runInspectLoop({
+      agentDir: cwd,
+      ...(sessionArg !== undefined ? { sessionIdOrPrefix: sessionArg } : {}),
+      ...(filterArg !== undefined ? { filter: filterArg } : {}),
+      ...(sinceArg !== undefined ? { since: sinceArg } : {}),
+      json: isJson,
+      color,
+      selectSession: (sessions, selectOpts) => clackSelect(sessions, selectOpts?.initialSessionId),
+      ...(liveSource !== undefined ? { liveSource } : {}),
+      createTailScope: () => createTailScope({ debounceMs: ESC_DEBOUNCE_MS }),
+      ...(liveHint !== undefined ? { liveHint } : {}),
+      stdout: (line) => process.stdout.write(`${line}\n`),
+      stderr: (line) => process.stderr.write(`${line}\n`),
+    })
 
     if (!result.ok) {
       process.stderr.write(`${errorLine(result.reason)}\n`)
@@ -115,86 +92,6 @@ async function buildLiveSource(cwd: string): Promise<LiveSourceFactory | undefin
     })
 }
 
-function installSigintAbort(): AbortController {
-  const ctrl = new AbortController()
-  const onSig = (): void => {
-    ctrl.abort()
-  }
-  process.once('SIGINT', onSig)
-  process.once('SIGTERM', onSig)
-  return ctrl
-}
-
-type EscListener = {
-  armForStream: () => AbortSignal
-  pause: () => void
-  resume: () => void
-  stop: () => void
-}
-
-type RawInput = Pick<NodeJS.ReadStream, 'isTTY' | 'setRawMode' | 'resume' | 'pause' | 'on' | 'off'>
-
-export function createEscListener(onSigint: () => void, input: RawInput = process.stdin): EscListener | null {
-  const stdin = input
-  if (!stdin.isTTY || typeof stdin.setRawMode !== 'function') return null
-
-  const ctrl = createEscController({ debounceMs: ESC_LISTEN_DELAY_MS })
-  let active = false
-
-  const onData = (chunk: Buffer): void => {
-    const { sigint } = ctrl.onChunk(chunk)
-    if (sigint) onSigint()
-  }
-
-  const start = (): void => {
-    if (active) return
-    active = true
-    stdin.setRawMode(true)
-    // Attach the data handler before resume() so no raw-mode keystroke can slip
-    // through between resuming the stream and registering the listener.
-    stdin.on('data', onData)
-    stdin.resume()
-  }
-  const stop = (): void => {
-    if (!active) return
-    active = false
-    stdin.off('data', onData)
-    try {
-      stdin.setRawMode(false)
-    } catch {
-      /* terminal already torn down */
-    }
-    // Do NOT pause stdin here: this teardown hands control to the clack picker,
-    // and under Bun clack does not reliably re-flow a previously paused
-    // process.stdin, so its keypresses never arrive and arrow keys echo as raw
-    // bytes. Leaving the stream flowing lets clack own raw mode during the picker.
-    ctrl.clearPending()
-  }
-
-  return {
-    armForStream: () => {
-      const signal = ctrl.armForStream()
-      start()
-      return signal
-    },
-    pause: () => {
-      stop()
-    },
-    resume: () => {
-      // Resume the listener WITHOUT replacing the AbortController.
-      // The signal returned by armForStream() is held by the live source
-      // through streamSession's combinedSignal; replacing the controller
-      // here would orphan that signal so a subsequent ESC press could
-      // not abort the live tail.
-      start()
-    },
-    stop: () => {
-      ctrl.dispose()
-      stop()
-    },
-  }
-}
-
 function escHintLine(color: boolean): string {
   const text = '(press esc to return to session list)'
   return color ? `\u001b[2m${text}\u001b[0m` : text
@@ -212,6 +109,7 @@ async function clackSelect(
   initialSessionId: string | undefined,
 ): Promise<SessionSummary | null> {
   const { select } = await import('@clack/prompts')
+  prepareStdinForClack()
   const preferred =
     initialSessionId !== undefined && sessions.some((s) => s.sessionId === initialSessionId)
       ? initialSessionId

package/src/cli/ui.ts

@@ -7,6 +7,28 @@ import { type AutoUpgradeOutcome, describeAutoUpgrade } from '@/init/auto-upgrad
 
 export { cancel, intro, isCancel, log, note, outro }
 
+type ClackInput = Pick<NodeJS.ReadStream, 'isTTY' | 'setRawMode' | 'resume'>
+
+// Hand stdin to a clack picker in a state it can own. Over an SSH pseudo-TTY,
+// Bun's readline keypress wiring only transitions stdin into flowing raw mode
+// reliably once the stream has already been resumed; on a never-resumed stdin
+// the picker renders but arrow keys echo as raw `^[[B` and never advance it.
+// Local terminals dodge this because stdin was already flowing. So before every
+// picker: clear any stale raw mode for a clean baseline, then resume the stream.
+// Never pause() here — a previously-paused process.stdin does not reliably
+// re-flow under Bun, which is the same failure this resume() is fixing.
+export function prepareStdinForClack(input: ClackInput = process.stdin): void {
+  if (!input.isTTY) return
+  if (typeof input.setRawMode === 'function') {
+    try {
+      input.setRawMode(false)
+    } catch {
+      /* terminal already torn down */
+    }
+  }
+  input.resume()
+}
+
 function colorize(modifier: Parameters<typeof styleText>[0], s: string): string {
   if (!colorsEnabled()) return s
   return styleText(modifier, s)
@@ -169,6 +191,18 @@ export const SLACK_APP_MANIFEST = {
         url: 'https://example.invalid/typeclaw-uses-socket-mode',
         should_escape: false,
       },
+      {
+        command: '/reload',
+        description: 'Reload typeclaw config and subsystems from disk',
+        url: 'https://example.invalid/typeclaw-uses-socket-mode',
+        should_escape: false,
+      },
+      {
+        command: '/restart',
+        description: 'Restart the typeclaw container',
+        url: 'https://example.invalid/typeclaw-uses-socket-mode',
+        should_escape: false,
+      },
     ],
   },
   oauth_config: {

package/src/commands/index.ts

@@ -13,8 +13,11 @@ export type CommandHandler<Context> = (
 // dispatcher, so a new command declares its own requirements in one place:
 // 'session.control' + requiresLiveSession:true is the control-command default
 // (/stop); 'none' + requiresLiveSession:false is the informational default
-// (/help). Both are optional so plain registries (tests, TUI) need not care.
-export type CommandPermission = 'none' | 'session.control'
+// (/help). 'session.admin' + requiresLiveSession:false is the operate-the-agent
+// tier (/reload, /restart) — owner+trusted only, no live session required since
+// it acts on the container, not a channel turn. Both are optional so plain
+// registries (tests, TUI) need not care.
+export type CommandPermission = 'none' | 'session.control' | 'session.admin'
 
 export type Command<Context> = {
   name: string