typeclaw 0.25.0 → 0.27.0

package/src/channels/adapters/slack-bot-reactions.ts

@@ -0,0 +1,167 @@
+import type { SlackBotClient } from 'agent-messenger/slackbot'
+
+import type {
+  ReactionCallback,
+  ReactionErrorCode,
+  ReactionRef,
+  ReactionResult,
+  RemoveReactionCallback,
+} from '@/channels/types'
+
+// The reactable target on Slack: a message is addressed by its channel id plus
+// the message `ts`. The classifier stamps this because `ts` is the inbound's
+// own message timestamp — the same value that becomes `externalMessageId`
+// downstream, but kept in an opaque ref so the router/tool never have to know
+// Slack's addressing. Mirrors the GitHub `GithubReactionTarget` precedent.
+export type SlackReactionTarget = { channel: string; ts: string }
+
+// Removal needs the emoji name too: Slack's `reactions.remove` is keyed by
+// (channel, ts, name), unlike GitHub's per-reaction id. We fold the emoji that
+// was added into the removal ref so `RemoveReactionCallback` can reconstruct
+// the exact call without the caller tracking it.
+export type SlackReactionRemovalTarget = { channel: string; ts: string; emoji: string }
+
+export function encodeSlackReactionRef(target: SlackReactionTarget): ReactionRef {
+  return { adapter: 'slack-bot', value: JSON.stringify(target) }
+}
+
+export function decodeSlackReactionRef(ref: ReactionRef): SlackReactionTarget | null {
+  if (ref.adapter !== 'slack-bot') return null
+  const parsed = parseRecord(ref.value)
+  if (parsed === null) return null
+  if (parsed.op !== undefined) return null
+  const channel = typeof parsed.channel === 'string' ? parsed.channel : null
+  const ts = typeof parsed.ts === 'string' ? parsed.ts : null
+  if (channel === null || ts === null) return null
+  return { channel, ts }
+}
+
+export function encodeSlackRemovalRef(target: SlackReactionRemovalTarget): ReactionRef {
+  return { adapter: 'slack-bot', value: JSON.stringify({ op: 'remove', ...target }) }
+}
+
+export function decodeSlackRemovalRef(ref: ReactionRef): SlackReactionRemovalTarget | null {
+  if (ref.adapter !== 'slack-bot') return null
+  const parsed = parseRecord(ref.value)
+  if (parsed === null || parsed.op !== 'remove') return null
+  const channel = typeof parsed.channel === 'string' ? parsed.channel : null
+  const ts = typeof parsed.ts === 'string' ? parsed.ts : null
+  const emoji = typeof parsed.emoji === 'string' ? parsed.emoji : null
+  if (channel === null || ts === null || emoji === null) return null
+  return { channel, ts, emoji }
+}
+
+// Slack accepts any custom-emoji name the workspace has, so unlike GitHub there
+// is no fixed allow-list to validate against up front — an unknown name comes
+// back as `invalid_name` from the API, which we map to `unsupported`. We only
+// strip surrounding colons here; the SDK does the same, but normalizing first
+// keeps the removal ref's stored name canonical.
+function normalizeEmoji(emoji: string): string {
+  return emoji.replace(/^:|:$/g, '')
+}
+
+export function createSlackReactionCallback(deps: { client: Pick<SlackBotClient, 'addReaction'> }): ReactionCallback {
+  return async (req): Promise<ReactionResult> => {
+    if (req.adapter !== 'slack-bot') {
+      return { ok: false, error: `unknown adapter: ${req.adapter}`, code: 'unsupported' }
+    }
+    const target = decodeSlackReactionRef(req.reactionRef)
+    if (target === null) return { ok: false, error: 'unparseable slack reaction ref', code: 'unsupported' }
+    const emoji = normalizeEmoji(req.emoji)
+    try {
+      await deps.client.addReaction(target.channel, target.ts, emoji)
+    } catch (err) {
+      // `already_reacted` is the desired end state, not a failure: a duplicate
+      // engage (or a retried tool call) that re-adds the same emoji must read
+      // as success so the model/runtime don't surface a spurious error.
+      const code = slackErrorCode(err)
+      if (code === 'already_reacted') {
+        return { ok: true, reactionRef: encodeSlackRemovalRef({ ...target, emoji }) }
+      }
+      return { ok: false, error: withScopeHint(code, describe(err)), code: classifySlackError(code) }
+    }
+    return { ok: true, reactionRef: encodeSlackRemovalRef({ ...target, emoji }) }
+  }
+}
+
+export function createSlackRemoveReactionCallback(deps: {
+  client: Pick<SlackBotClient, 'removeReaction'>
+}): RemoveReactionCallback {
+  return async (req): Promise<ReactionResult> => {
+    if (req.adapter !== 'slack-bot') {
+      return { ok: false, error: `unknown adapter: ${req.adapter}`, code: 'unsupported' }
+    }
+    const target = decodeSlackRemovalRef(req.reactionRef)
+    if (target === null) return { ok: false, error: 'unparseable slack reaction removal ref', code: 'unsupported' }
+    try {
+      await deps.client.removeReaction(target.channel, target.ts, target.emoji)
+    } catch (err) {
+      // `no_reaction` means the reaction is already gone — the desired end
+      // state for a removal, so treat it as success (idempotent), mirroring the
+      // `already_reacted` handling on the add path.
+      const code = slackErrorCode(err)
+      if (code === 'no_reaction') return { ok: true }
+      return { ok: false, error: describe(err), code: classifySlackError(code) }
+    }
+    return { ok: true }
+  }
+}
+
+// SlackBotError carries the raw Slack API error string on `.code`. We read it
+// structurally (not by instanceof) so a re-thrown or wrapped error still maps
+// correctly, falling back to the message when no code is present.
+function slackErrorCode(err: unknown): string | null {
+  if (typeof err === 'object' && err !== null && 'code' in err) {
+    const code = (err as { code: unknown }).code
+    if (typeof code === 'string') return code
+  }
+  return null
+}
+
+// `reactions:write` is the scope the bot token needs for both add and remove.
+// On `missing_scope` the bare Slack error is uninformative, so append the
+// concrete operator fix — mirroring GitHub's permission-guidance precedent —
+// since autoReactOnEngage surfaces this to host logs on every engaged inbound
+// until the scope is granted.
+function withScopeHint(code: string | null, error: string): string {
+  if (code !== 'missing_scope') return error
+  return `${error} (Slack bot token needs the \`reactions:write\` scope; reinstall/reauthorize the app with that scope.)`
+}
+
+function classifySlackError(code: string | null): ReactionErrorCode {
+  switch (code) {
+    case 'invalid_name':
+    case 'no_item_specified':
+      return 'unsupported'
+    case 'missing_scope':
+    case 'not_in_channel':
+    case 'is_archived':
+    case 'not_authed':
+    case 'invalid_auth':
+      return 'permission-denied'
+    case 'message_not_found':
+    case 'channel_not_found':
+      return 'not-found'
+    case 'ratelimited':
+    case 'rate_limited':
+      return 'rate-limited'
+    default:
+      return 'transient'
+  }
+}
+
+function parseRecord(value: string): Record<string, unknown> | null {
+  let parsed: unknown
+  try {
+    parsed = JSON.parse(value)
+  } catch {
+    return null
+  }
+  return typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)
+    ? (parsed as Record<string, unknown>)
+    : null
+}
+
+function describe(err: unknown): string {
+  return err instanceof Error ? err.message : String(err)
+}

package/src/channels/adapters/slack-bot.ts

@@ -43,6 +43,7 @@ import {
   type SlackInboundMessageEvent,
 } from './slack-bot-classify'
 import { createSlackDedupe } from './slack-bot-dedupe'
+import { createSlackReactionCallback, createSlackRemoveReactionCallback } from './slack-bot-reactions'
 import { enrichSlackReferenceContext } from './slack-bot-reference'
 import {
   buildSlashAckPayload,
@@ -997,6 +998,9 @@ export function createSlackBotAdapter(options: SlackBotAdapterOptions): SlackBot
 
   const fetchAttachmentCallback = createFetchAttachmentCallback({ client, logger })
 
+  const reactionCallback = createSlackReactionCallback({ client })
+  const removeReactionCallback = createSlackRemoveReactionCallback({ client })
+
   const dedupe = createSlackDedupe()
 
   const handleSlashCommand = createSlashCommandHandler({
@@ -1206,6 +1210,8 @@ export function createSlackBotAdapter(options: SlackBotAdapterOptions): SlackBot
       })
 
       options.router.registerOutbound('slack-bot', outboundCallback)
+      options.router.registerReaction('slack-bot', reactionCallback)
+      options.router.registerRemoveReaction('slack-bot', removeReactionCallback)
       options.router.registerTyping('slack-bot', typingCallback)
       options.router.registerChannelNameResolver('slack-bot', channelResolver)
       options.router.registerSelfIdentity('slack-bot', selfIdentityResolver)
@@ -1216,6 +1222,22 @@ export function createSlackBotAdapter(options: SlackBotAdapterOptions): SlackBot
       try {
         await listener.start()
       } catch (err) {
+        // Listener failed after registration — roll back every callback so a
+        // failed start leaves no router state behind (stop() returns early on
+        // !started and would otherwise skip cleanup), mirroring the github
+        // adapter's rollback path.
+        options.router.unregisterOutbound('slack-bot', outboundCallback)
+        options.router.unregisterReaction('slack-bot', reactionCallback)
+        options.router.unregisterRemoveReaction('slack-bot', removeReactionCallback)
+        options.router.unregisterTyping('slack-bot', typingCallback)
+        options.router.unregisterChannelNameResolver('slack-bot', channelResolver)
+        options.router.unregisterSelfIdentity('slack-bot', selfIdentityResolver)
+        options.router.unregisterHistory('slack-bot', historyCallback)
+        options.router.unregisterFetchAttachment('slack-bot', fetchAttachmentCallback)
+        options.router.unregisterMembership('slack-bot', membershipResolver)
+        listener = null
+        botUserId = null
+        teamId = null
         started = false
         logger.error(`[slack-bot] listener start failed: ${describe(err)}`)
         throw err
@@ -1226,6 +1248,8 @@ export function createSlackBotAdapter(options: SlackBotAdapterOptions): SlackBot
       if (!started) return
       started = false
       options.router.unregisterOutbound('slack-bot', outboundCallback)
+      options.router.unregisterReaction('slack-bot', reactionCallback)
+      options.router.unregisterRemoveReaction('slack-bot', removeReactionCallback)
       options.router.unregisterTyping('slack-bot', typingCallback)
       options.router.unregisterChannelNameResolver('slack-bot', channelResolver)
       options.router.unregisterSelfIdentity('slack-bot', selfIdentityResolver)

package/src/channels/router.ts

@@ -2854,7 +2854,8 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       return
     }
 
-    const { text: assistantText, source } = candidate
+    const { text: candidateText, source } = candidate
+    let assistantText = candidateText
 
     if (endsWithNoReplySignal(assistantText)) {
       const leakedReasoning = !isNoReplySignal(assistantText)
@@ -2874,10 +2875,49 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       return
     }
 
-    if (isLikelyPlainTextChannelToolCall(assistantText)) {
-      logger.warn(`[channels] ${live.keyId}: suppressed plain_text_channel_tool_call text_len=${assistantText.length}`)
+    // Plain-text tool-call leak: the model serialized a channel tool call as
+    // ordinary prose instead of producing a real tool call (a Kimi-on-Fireworks
+    // failure mode — see `isLikelyPlainTextChannelToolCall`). We can't post the
+    // raw `channel_reply({...})` serialization to the channel, but for
+    // reply/send the model's *intent* is unambiguous: deliver the `text` arg.
+    // Extract it and recover the actual message. `skip_response` is the
+    // opposite — a genuine decline — so it stays suppressed.
+    const plainTextToolCallKind = getPlainTextChannelToolCallKind(assistantText)
+    if (plainTextToolCallKind === 'skip') {
+      logger.warn(
+        `[channels] ${live.keyId}: suppressed plain_text_channel_skip_response text_len=${assistantText.length}`,
+      )
       return
     }
+    if (plainTextToolCallKind !== null) {
+      const extracted = extractPlainTextChannelToolCallText(assistantText)
+      // Unextractable (no `text` arg, empty value, or fully-truncated): fall
+      // back to the historical safe behavior — drop it rather than leak plumbing.
+      if (extracted === null) {
+        logger.warn(
+          `[channels] ${live.keyId}: suppressed unextractable_plain_text_channel_tool_call text_len=${assistantText.length}`,
+        )
+        return
+      }
+      // The extracted value is still untrusted model output: if it is itself a
+      // no-reply signal, an empty-response sentinel, or another (nested) leaked
+      // tool call, suppress it through the same guards rather than re-leaking.
+      if (
+        endsWithNoReplySignal(extracted) ||
+        isUpstreamEmptyResponseSentinel(extracted) ||
+        isLikelyKimiChannelToolLeak(extracted) ||
+        isLikelyPlainTextChannelToolCall(extracted)
+      ) {
+        logger.warn(
+          `[channels] ${live.keyId}: suppressed plain_text_channel_tool_call (unsafe extracted text) text_len=${extracted.length}`,
+        )
+        return
+      }
+      logger.warn(
+        `[channels] ${live.keyId}: recovered plain_text_channel_tool_call kind=${plainTextToolCallKind} text_len=${extracted.length}`,
+      )
+      assistantText = extracted
+    }
 
     // `source` distinguishes the three recovery shapes for log triage:
     //   - 'leaf': the assistant message IS the leaf with stopReason 'stop'
@@ -3233,6 +3273,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       error?: string
     },
   ): { kind: 'delivered'; keyId: string } => {
+    const adapter = live.keyId.split(':', 1)[0] ?? ''
     const text = renderSubagentCompletionReminder({
       subagent: args.subagent,
       taskId: args.taskId,
@@ -3240,6 +3281,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       durationMs: args.durationMs,
       ...(args.error !== undefined ? { error: args.error } : {}),
       channel: true,
+      adapter,
     })
     live.pendingSystemReminders.push(text)
     // The reminder tells the agent to fetch this result now; clear the
@@ -4231,8 +4273,12 @@ export function isLikelyKimiChannelToolLeak(text: string): boolean {
 //
 // Structural-only detection (NOT a substring search): the trimmed text must
 // *start* with `channel_reply(`, `channel_send(`, or `skip_response(`, and
-// that opening paren must enclose at least one `"` (the serialized argument).
-// This deliberately matches the leak shape while letting prose that merely
+// that opening paren must enclose at least one quote — `"` or `'` (the
+// serialized argument). The single-quote arm matters because the extractor
+// recovers single-quoted values too; if the classifier only matched `"`, a
+// single-quoted leak like `channel_reply({text: 'hi'})` would bypass the
+// extractor and post raw plumbing. This deliberately matches the leak shape
+// while letting prose that merely
 // *mentions* a tool name (e.g. "I would normally call channel_reply here
 // but...") reach the user — that false-positive class is already locked in by
 // the `still recovers prose that mentions channel_reply` test.
@@ -4240,12 +4286,150 @@ export function isLikelyKimiChannelToolLeak(text: string): boolean {
 // The trailing close paren is NOT required: the model sometimes truncates
 // mid-serialization, and a half-leaked `channel_reply({"text":"..."` is
 // just as user-hostile as the full shape.
-const PLAIN_TEXT_CHANNEL_TOOL_CALL_RE = /^(?:channel_(?:reply|send)|skip_response)\s*\(\s*[^)]*"/
+const PLAIN_TEXT_CHANNEL_TOOL_CALL_RE = /^(channel_reply|channel_send|skip_response)\s*\(\s*[^)]*["']/
+
+export type PlainTextChannelToolCallKind = 'reply' | 'send' | 'skip'
+
+export function getPlainTextChannelToolCallKind(text: string): PlainTextChannelToolCallKind | null {
+  const match = PLAIN_TEXT_CHANNEL_TOOL_CALL_RE.exec(text.trim())
+  if (match === null) return null
+  switch (match[1]) {
+    case 'channel_reply':
+      return 'reply'
+    case 'channel_send':
+      return 'send'
+    case 'skip_response':
+      return 'skip'
+    default:
+      return null
+  }
+}
 
 export function isLikelyPlainTextChannelToolCall(text: string): boolean {
-  return PLAIN_TEXT_CHANNEL_TOOL_CALL_RE.test(text.trim())
+  return getPlainTextChannelToolCallKind(text) !== null
+}
+
+// Tolerant single-purpose scanner that pulls the `text` argument out of a
+// plain-text-serialized `channel_reply(...)` / `channel_send(...)` leak. A
+// single regex covering every shape (double/single/unquoted keys, escaped
+// quotes, mid-serialization truncation) is fragile, so this walks the string
+// once and extracts only the first string-valued `text` property. `channel_send`
+// also carries `adapter`/`chat`/`thread`, which are intentionally ignored —
+// recovery always routes back through the current channel, never a
+// model-supplied destination. Returns null when no recoverable, non-empty
+// `text` value is present so the caller can fall back to suppression.
+export function extractPlainTextChannelToolCallText(text: string): string | null {
+  const trimmed = text.trim()
+  if (!/^(?:channel_reply|channel_send)\s*\(/.test(trimmed)) return null
+
+  // Walk the serialization once, honoring a `text` key only at the top level of
+  // the argument object (braceDepth 1, outside any array). Two failure classes
+  // motivate the bookkeeping: a `text:` inside an earlier quoted value, e.g.
+  // `channel_send({ reason: "see text: here", text: "real" })`, and a `text:`
+  // inside a *nested* object, e.g. `channel_reply({ meta: { text: "x" }, text:
+  // "real" })`. Skipping string literals defeats the first; tracking
+  // brace/bracket depth and matching keys only at top level defeats the second.
+  // Either way the scanner lands on the real reply instead of leaking the wrong
+  // value or dropping the message.
+  let braceDepth = 0
+  let bracketDepth = 0
+  for (let i = 0; i < trimmed.length; i++) {
+    const ch = trimmed[i]!
+
+    if (ch === '"' || ch === "'") {
+      i = skipStringLiteral(trimmed, i, ch)
+      continue
+    }
+
+    if (ch === '{') {
+      braceDepth++
+      if (braceDepth === 1 && bracketDepth === 0) {
+        const value = readTextKeyValueAt(trimmed, i + 1)
+        if (value !== undefined) return value
+      }
+      continue
+    }
+    if (ch === '}') {
+      if (braceDepth > 0) braceDepth--
+      continue
+    }
+    if (ch === '[') {
+      bracketDepth++
+      continue
+    }
+    if (ch === ']') {
+      if (bracketDepth > 0) bracketDepth--
+      continue
+    }
+
+    if (ch === ',' && braceDepth === 1 && bracketDepth === 0) {
+      const value = readTextKeyValueAt(trimmed, i + 1)
+      if (value !== undefined) return value
+    }
+  }
+
+  return null
+}
+
+// Returns the recovered value (string or null) when a `text` key starts at
+// `from`, or undefined when no `text` key is present there so the scanner keeps
+// walking. The null/undefined split lets a malformed `text` value short-circuit
+// to suppression while a non-`text` delimiter is simply skipped.
+function readTextKeyValueAt(s: string, from: number): string | null | undefined {
+  const afterKey = matchTextKey(s, from)
+  if (afterKey === null) return undefined
+
+  const quote = s[afterKey]
+  if (quote !== '"' && quote !== "'") return null
+  return readStringValue(s, afterKey + 1, quote)
+}
+
+// Returns the closing-quote index, or the last index when the literal is
+// truncated, so the caller's `i++` resumes past the consumed string.
+function skipStringLiteral(s: string, openIdx: number, quote: string): number {
+  let escaped = false
+  for (let i = openIdx + 1; i < s.length; i++) {
+    const ch = s[i]!
+    if (escaped) {
+      escaped = false
+      continue
+    }
+    if (ch === '\\') {
+      escaped = true
+      continue
+    }
+    if (ch === quote) return i
+  }
+  return s.length
+}
+
+function matchTextKey(s: string, from: number): number | null {
+  const m = /^\s*(?:"text"|'text'|text)\s*:\s*/.exec(s.slice(from))
+  return m === null ? null : from + m[0].length
 }
 
+function readStringValue(s: string, from: number, quote: string): string | null {
+  let value = ''
+  let escaped = false
+  for (let i = from; i < s.length; i++) {
+    const ch = s[i]!
+    if (escaped) {
+      value += ESCAPE_REPLACEMENTS[ch] ?? ch
+      escaped = false
+      continue
+    }
+    if (ch === '\\') {
+      escaped = true
+      continue
+    }
+    if (ch === quote) break
+    value += ch
+  }
+  return value.trim().length > 0 ? value : null
+}
+
+const ESCAPE_REPLACEMENTS: Record<string, string> = { n: '\n', r: '\r', t: '\t' }
+
 function describe(err: unknown): string {
   return err instanceof Error ? err.message : String(err)
 }

package/src/channels/schema.ts

@@ -125,12 +125,53 @@ export const DEFAULT_GITHUB_EVENT_ALLOWLIST = [
   'discussion_comment.created',
   'issues.opened',
   'pull_request.opened',
+  'pull_request.ready_for_review',
   'pull_request.review_requested',
   'pull_request.review_request_removed',
   'discussion.created',
   'pull_request_review.submitted',
 ] as const
 
+// Prior values of DEFAULT_GITHUB_EVENT_ALLOWLIST that shipped in releases and
+// were seeded verbatim into typeclaw.json. Kept as historical record so the
+// migration can recognize and unfreeze configs created by those versions.
+// NEVER edit these in place — they are snapshots of what was on disk.
+//   - v1: 7-event default, shipped 0.5.1–0.10.0 (commit fe4f3a8)
+const GITHUB_EVENT_ALLOWLIST_V1 = [
+  'issue_comment.created',
+  'pull_request_review_comment.created',
+  'discussion_comment.created',
+  'issues.opened',
+  'pull_request.opened',
+  'discussion.created',
+  'pull_request_review.submitted',
+] as const
+//   - v2: added review_requested + review_request_removed, shipped 0.11.0+ (commit 4f365ce)
+const GITHUB_EVENT_ALLOWLIST_V2 = [
+  'issue_comment.created',
+  'pull_request_review_comment.created',
+  'discussion_comment.created',
+  'issues.opened',
+  'pull_request.opened',
+  'pull_request.review_requested',
+  'pull_request.review_request_removed',
+  'discussion.created',
+  'pull_request_review.submitted',
+] as const
+
+// Every event-allowlist that `channel add` / `init` has ever seeded verbatim
+// into typeclaw.json, oldest first, current default last. The legacy-shape
+// migration uses this to tell a seeded default (safe to strip so the config
+// re-tracks the shipped default) from a user's deliberate customization (must
+// be preserved). Append the prior array here — never edit in place — whenever
+// DEFAULT_GITHUB_EVENT_ALLOWLIST changes, or configs from the old version stay
+// frozen and the migration starts eating user edits.
+export const SEEDED_GITHUB_EVENT_ALLOWLISTS: readonly (readonly string[])[] = [
+  GITHUB_EVENT_ALLOWLIST_V1,
+  GITHUB_EVENT_ALLOWLIST_V2,
+  DEFAULT_GITHUB_EVENT_ALLOWLIST,
+]
+
 // Which pull_request webhook action triggers an agent code review. The two
 // event values are GitHub's bare PR action names (the `pull_request.` event
 // prefix is implied by this field living under the review config); `off` is the