typeclaw 0.26.0 → 0.27.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.26.0",
+  "version": "0.27.0",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"

package/src/agent/session-origin.ts

@@ -297,6 +297,7 @@ function renderChannelOrigin(
     chat: string
     chatName?: string
     thread: string | null
+    reactionRef?: ReactionRef
     participants?: readonly ChannelParticipant[]
     membership?: MembershipCount
     self?: ChannelSelfIdentity
@@ -354,7 +355,14 @@ function renderChannelOrigin(
   const conversationLine = renderConversationLine(origin)
   if (conversationLine !== null) lines.push('', conversationLine)
 
-  if (platformInfo.supportsReactions) {
+  // Gate on `reactionRef`, not just the static `supportsReactions` platform
+  // fact: a turn only has a message to react to when the triggering inbound
+  // carried one. Reminder-only turns (restart-resume, subagent-completion,
+  // idle/todo continuation) wake the session with no inbound, so
+  // `buildLiveOrigin` omits `reactionRef`. Prompting "react like a teammate"
+  // there made the model call `channel_react`, which then denied with "this
+  // conversation has no message to react to".
+  if (platformInfo.supportsReactions && origin.reactionRef !== undefined) {
     lines.push(
       '',
       '**React like a teammate would.** You can drop an emoji on the message that',

package/src/bundled-plugins/reviewer/skills/code-review.ts

@@ -66,7 +66,9 @@ Prioritize in this order:
 
 ### Re-reviews must re-decide, not observe
 
-When the payload tells you this is a **re-review** — you (or this agent) previously requested changes on this PR and the author has pushed fixes and asked again — your verdict's whole purpose is to **re-decide the blocking state**, so:
+When the payload tells you this is a **re-review** — you (or this agent) previously requested changes on this PR and the author has pushed fixes — your verdict's whole purpose is to **re-decide the blocking state**, so:
+
+This includes payloads where the parent says the author **addressed your prior blocking feedback** — "fixed both issues", "addressed your review", "pushed a fix" — even when the inbound was phrased conversationally rather than as an explicit "review again". An author responding to the blocker you raised IS the re-review trigger; the absence of the words "review again" does not downgrade it to a \`comment\`. Re-decide:
 
 - Return **approve** if the blockers that drove the prior \`request-changes\` are resolved (leftover nits do not block — \`approve\` with inline nits is correct).
 - Return **request-changes** if any blocker remains or a new one appeared.

package/src/channels/adapters/github/inbound.ts

@@ -187,6 +187,7 @@ export function classifyGithubInbound(
 ): InboundMessage | null {
   const repository = readRepository(payload)
   if (repository === null) return null
+  const mention = resolveBotMentionLogins(selfLogin, options?.authType ?? 'pat')
   const base = {
     adapter: 'github' as const,
     workspace: `${repository.owner}/${repository.name}`,
@@ -209,7 +210,7 @@ export function classifyGithubInbound(
       comment.body,
       id,
       user,
-      selfLogin,
+      mention,
       comment.created_at,
       { kind: 'issue-comment', owner: repository.owner, repo: repository.name, commentId: id },
     )
@@ -228,7 +229,7 @@ export function classifyGithubInbound(
       comment.body,
       id,
       readUser(comment.user),
-      selfLogin,
+      mention,
       comment.created_at,
       { kind: 'pr-review-comment', owner: repository.owner, repo: repository.name, commentId: id },
     )
@@ -246,7 +247,7 @@ export function classifyGithubInbound(
       comment.body,
       id,
       readUser(comment.user),
-      selfLogin,
+      mention,
       comment.created_at,
       null,
     )
@@ -270,7 +271,7 @@ export function classifyGithubInbound(
       text,
       id,
       opener,
-      selfLogin,
+      mention,
       issue.created_at,
       { kind: 'issue', owner: repository.owner, repo: repository.name, issueNumber: number },
       action === 'opened' && !hasBody,
@@ -325,7 +326,7 @@ export function classifyGithubInbound(
       prText,
       id,
       opener,
-      selfLogin,
+      mention,
       pr.created_at,
       { kind: 'issue', owner: repository.owner, repo: repository.name, issueNumber: number },
       isOpenLike && !hasBody,
@@ -352,7 +353,7 @@ export function classifyGithubInbound(
       text,
       id,
       reviewer,
-      selfLogin,
+      mention,
       review.submitted_at,
       null,
       !hasBody,
@@ -377,7 +378,7 @@ export function classifyGithubInbound(
       text,
       id,
       opener,
-      selfLogin,
+      mention,
       discussion.created_at,
       null,
       action === 'created' && !hasBody,
@@ -417,6 +418,48 @@ function resolveDecoyReviewerLogin(selfLogin: string, authType: 'pat' | 'app'):
   return slug !== '' ? slug : null
 }
 
+// The @-handles that count as "addressed to us" in inbound body text. Under
+// App auth `selfLogin` is the actor login `slug[bot]`, but GitHub renders a
+// human's mention of the App as `@slug` (the bare slug — the decoy account's
+// login), with no `[bot]` suffix and no way to type one. Matching only against
+// `selfLogin` therefore never sees `@typeey` for a `typeey[bot]` actor, so a
+// direct "@typeey review again" lands with isBotMention=false and falls through
+// the engagement mention gate. Include the decoy slug so the bare-slug mention
+// is recognized. Under PAT auth the bot IS a real user, so there is no decoy
+// and only `selfLogin` applies.
+export type BotMentionLogins = readonly string[]
+
+export function resolveBotMentionLogins(selfLogin: string | null, authType: 'pat' | 'app'): BotMentionLogins {
+  if (selfLogin === null) return []
+  const decoyLogin = resolveDecoyReviewerLogin(selfLogin, authType)
+  return decoyLogin !== null ? [selfLogin, decoyLogin] : [selfLogin]
+}
+
+// GitHub login chars are ASCII letters, digits, and hyphen. A `@login` token is
+// a real mention of `login` only when the char right after it is not one of
+// these — otherwise `@${login}` is a prefix of a longer, different login. This
+// matters for the App decoy slug: `resolveBotMentionLogins('typeclaw[bot]')`
+// yields the bare slug `typeclaw`, and a naive substring check would treat
+// `@typeclaw-bot` (a different user) as a self-mention. The trailing `[` of
+// `@typeclaw[bot]` is not a login char, so the full actor handle still matches.
+const LOGIN_CHAR = /[A-Za-z0-9-]/
+
+function textMentionsBot(text: string, mentionLogins: BotMentionLogins): boolean {
+  return mentionLogins.some((login) => mentionsLogin(text, login))
+}
+
+function mentionsLogin(text: string, login: string): boolean {
+  const token = `@${login}`
+  let from = 0
+  for (;;) {
+    const at = text.indexOf(token, from)
+    if (at === -1) return false
+    const next = text[at + token.length]
+    if (next === undefined || !LOGIN_CHAR.test(next)) return true
+    from = at + 1
+  }
+}
+
 function classifyReviewRequest(input: ReviewRequestInput): InboundMessage | null {
   const { action, payload, pr, number, base, selfLogin, authType, teamIsBotMember } = input
   if (selfLogin === null) return null
@@ -550,7 +593,7 @@ function buildInbound(
   rawText: unknown,
   id: number,
   user: GithubUser | null,
-  selfLogin: string | null,
+  mention: BotMentionLogins,
   rawTs: unknown,
   reactionTarget: GithubReactionTarget | null,
   synthesizedAwareness = false,
@@ -567,7 +610,7 @@ function buildInbound(
   // Synthesized awareness lines carry an `@author` prefix describing who acted;
   // that handle is the author, never a third-party mention of the bot, so the
   // body-text mention heuristic must not fire on it.
-  const isBotMention = !synthesizedAwareness && selfLogin !== null && text.includes(`@${selfLogin}`)
+  const isBotMention = !synthesizedAwareness && textMentionsBot(text, mention)
   return {
     ...key,
     text,

package/src/channels/adapters/github/review-thread-resolver.ts

@@ -9,7 +9,7 @@ const GRAPHQL_ENDPOINT = `${GITHUB_API_BASE}/graphql`
 // carry more, so the resolver paginates until it matches the root comment id
 // or exhausts the pages — stopping early on a 404-equivalent (thread absent)
 // rather than fabricating a node id.
-const THREADS_QUERY = `query($owner:String!,$name:String!,$number:Int!,$after:String){repository(owner:$owner,name:$name){pullRequest(number:$number){reviewThreads(first:100,after:$after){pageInfo{hasNextPage endCursor}nodes{id isResolved comments(first:1){nodes{databaseId author{login}}}}}}}}`
+const THREADS_QUERY = `query($owner:String!,$name:String!,$number:Int!,$after:String){repository(owner:$owner,name:$name){pullRequest(number:$number){reviewThreads(first:100,after:$after){pageInfo{hasNextPage endCursor}nodes{id isResolved comments(first:1){nodes{databaseId author{__typename login}}}}}}}}`
 
 const RESOLVE_MUTATION = `mutation($threadId:ID!){resolveReviewThread(input:{threadId:$threadId}){thread{id isResolved}}}`
 
@@ -18,6 +18,7 @@ type ReviewThreadNode = {
   isResolved: boolean
   rootCommentId: number | null
   rootAuthorLogin: string | null
+  rootAuthorIsBot: boolean
 }
 
 type ThreadLookup =
@@ -66,7 +67,7 @@ export function createGithubReviewThreadResolver(deps: {
     const thread = lookup.thread
     // The load-bearing guard: only the bot may resolve the bot's own thread.
     // Resolving a human reviewer's thread would erase their open question.
-    if (thread.rootAuthorLogin !== selfLogin) {
+    if (!isSelfAuthor(thread, selfLogin)) {
       return {
         ok: false,
         error: `refusing to resolve thread authored by @${thread.rootAuthorLogin ?? 'unknown'} (not @${selfLogin})`,
@@ -79,6 +80,29 @@ export function createGithubReviewThreadResolver(deps: {
   }
 }
 
+// A GitHub App's own login differs across the two APIs this guard straddles:
+// REST `getSelf` returns `slug[bot]` (selfLogin) but GraphQL's `Bot` author node
+// returns the bare `slug` (rootAuthorLogin). Strict `===` thus refused the App's
+// OWN thread (production: "refusing to resolve thread authored by @typeey (not
+// @typeey[bot])"). The bare-slug match is gated on the GraphQL author actually
+// being a `Bot`: a human `User` can legitimately own the bare slug as a login
+// (e.g. the user `typeey` exists alongside the App `typeey[bot]`), so a User
+// author must still match `selfLogin` exactly — otherwise the suffix-strip would
+// let the bot close a human reviewer's thread, defeating the guard above.
+const BOT_LOGIN_SUFFIX = '[bot]'
+
+function isSelfAuthor(thread: ReviewThreadNode, selfLogin: string): boolean {
+  if (thread.rootAuthorLogin === null) return false
+  if (thread.rootAuthorIsBot) {
+    return normalizeBotLogin(thread.rootAuthorLogin) === normalizeBotLogin(selfLogin)
+  }
+  return thread.rootAuthorLogin === selfLogin
+}
+
+function normalizeBotLogin(login: string): string {
+  return login.endsWith(BOT_LOGIN_SUFFIX) ? login.slice(0, -BOT_LOGIN_SUFFIX.length) : login
+}
+
 type ResolveTarget = { owner: string; repo: string; prNumber: number; rootCommentId: number }
 
 function parseTarget(req: ReviewThreadResolveRequest): ResolveTarget | null {
@@ -175,6 +199,7 @@ async function parseThreadsPage(response: Response): Promise<ThreadsPage> {
       isResolved: n.isResolved,
       rootCommentId: root?.databaseId ?? null,
       rootAuthorLogin: root?.author?.login ?? null,
+      rootAuthorIsBot: root?.author?.__typename === 'Bot',
     }
   })
   return { kind: 'ok', nodes, hasNextPage: connection.pageInfo.hasNextPage, endCursor: connection.pageInfo.endCursor }
@@ -231,7 +256,7 @@ type GraphqlThreadsResponse = {
           nodes: Array<{
             id: string
             isResolved: boolean
-            comments: { nodes: Array<{ databaseId?: number; author?: { login?: string } }> }
+            comments: { nodes: Array<{ databaseId?: number; author?: { __typename?: string; login?: string } }> }
           }>
         }
       }

package/src/channels/router.ts

@@ -2854,7 +2854,8 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       return
     }
 
-    const { text: assistantText, source } = candidate
+    const { text: candidateText, source } = candidate
+    let assistantText = candidateText
 
     if (endsWithNoReplySignal(assistantText)) {
       const leakedReasoning = !isNoReplySignal(assistantText)
@@ -2874,10 +2875,49 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       return
     }
 
-    if (isLikelyPlainTextChannelToolCall(assistantText)) {
-      logger.warn(`[channels] ${live.keyId}: suppressed plain_text_channel_tool_call text_len=${assistantText.length}`)
+    // Plain-text tool-call leak: the model serialized a channel tool call as
+    // ordinary prose instead of producing a real tool call (a Kimi-on-Fireworks
+    // failure mode — see `isLikelyPlainTextChannelToolCall`). We can't post the
+    // raw `channel_reply({...})` serialization to the channel, but for
+    // reply/send the model's *intent* is unambiguous: deliver the `text` arg.
+    // Extract it and recover the actual message. `skip_response` is the
+    // opposite — a genuine decline — so it stays suppressed.
+    const plainTextToolCallKind = getPlainTextChannelToolCallKind(assistantText)
+    if (plainTextToolCallKind === 'skip') {
+      logger.warn(
+        `[channels] ${live.keyId}: suppressed plain_text_channel_skip_response text_len=${assistantText.length}`,
+      )
       return
     }
+    if (plainTextToolCallKind !== null) {
+      const extracted = extractPlainTextChannelToolCallText(assistantText)
+      // Unextractable (no `text` arg, empty value, or fully-truncated): fall
+      // back to the historical safe behavior — drop it rather than leak plumbing.
+      if (extracted === null) {
+        logger.warn(
+          `[channels] ${live.keyId}: suppressed unextractable_plain_text_channel_tool_call text_len=${assistantText.length}`,
+        )
+        return
+      }
+      // The extracted value is still untrusted model output: if it is itself a
+      // no-reply signal, an empty-response sentinel, or another (nested) leaked
+      // tool call, suppress it through the same guards rather than re-leaking.
+      if (
+        endsWithNoReplySignal(extracted) ||
+        isUpstreamEmptyResponseSentinel(extracted) ||
+        isLikelyKimiChannelToolLeak(extracted) ||
+        isLikelyPlainTextChannelToolCall(extracted)
+      ) {
+        logger.warn(
+          `[channels] ${live.keyId}: suppressed plain_text_channel_tool_call (unsafe extracted text) text_len=${extracted.length}`,
+        )
+        return
+      }
+      logger.warn(
+        `[channels] ${live.keyId}: recovered plain_text_channel_tool_call kind=${plainTextToolCallKind} text_len=${extracted.length}`,
+      )
+      assistantText = extracted
+    }
 
     // `source` distinguishes the three recovery shapes for log triage:
     //   - 'leaf': the assistant message IS the leaf with stopReason 'stop'
@@ -4233,8 +4273,12 @@ export function isLikelyKimiChannelToolLeak(text: string): boolean {
 //
 // Structural-only detection (NOT a substring search): the trimmed text must
 // *start* with `channel_reply(`, `channel_send(`, or `skip_response(`, and
-// that opening paren must enclose at least one `"` (the serialized argument).
-// This deliberately matches the leak shape while letting prose that merely
+// that opening paren must enclose at least one quote — `"` or `'` (the
+// serialized argument). The single-quote arm matters because the extractor
+// recovers single-quoted values too; if the classifier only matched `"`, a
+// single-quoted leak like `channel_reply({text: 'hi'})` would bypass the
+// extractor and post raw plumbing. This deliberately matches the leak shape
+// while letting prose that merely
 // *mentions* a tool name (e.g. "I would normally call channel_reply here
 // but...") reach the user — that false-positive class is already locked in by
 // the `still recovers prose that mentions channel_reply` test.
@@ -4242,12 +4286,150 @@ export function isLikelyKimiChannelToolLeak(text: string): boolean {
 // The trailing close paren is NOT required: the model sometimes truncates
 // mid-serialization, and a half-leaked `channel_reply({"text":"..."` is
 // just as user-hostile as the full shape.
-const PLAIN_TEXT_CHANNEL_TOOL_CALL_RE = /^(?:channel_(?:reply|send)|skip_response)\s*\(\s*[^)]*"/
+const PLAIN_TEXT_CHANNEL_TOOL_CALL_RE = /^(channel_reply|channel_send|skip_response)\s*\(\s*[^)]*["']/
+
+export type PlainTextChannelToolCallKind = 'reply' | 'send' | 'skip'
+
+export function getPlainTextChannelToolCallKind(text: string): PlainTextChannelToolCallKind | null {
+  const match = PLAIN_TEXT_CHANNEL_TOOL_CALL_RE.exec(text.trim())
+  if (match === null) return null
+  switch (match[1]) {
+    case 'channel_reply':
+      return 'reply'
+    case 'channel_send':
+      return 'send'
+    case 'skip_response':
+      return 'skip'
+    default:
+      return null
+  }
+}
 
 export function isLikelyPlainTextChannelToolCall(text: string): boolean {
-  return PLAIN_TEXT_CHANNEL_TOOL_CALL_RE.test(text.trim())
+  return getPlainTextChannelToolCallKind(text) !== null
+}
+
+// Tolerant single-purpose scanner that pulls the `text` argument out of a
+// plain-text-serialized `channel_reply(...)` / `channel_send(...)` leak. A
+// single regex covering every shape (double/single/unquoted keys, escaped
+// quotes, mid-serialization truncation) is fragile, so this walks the string
+// once and extracts only the first string-valued `text` property. `channel_send`
+// also carries `adapter`/`chat`/`thread`, which are intentionally ignored —
+// recovery always routes back through the current channel, never a
+// model-supplied destination. Returns null when no recoverable, non-empty
+// `text` value is present so the caller can fall back to suppression.
+export function extractPlainTextChannelToolCallText(text: string): string | null {
+  const trimmed = text.trim()
+  if (!/^(?:channel_reply|channel_send)\s*\(/.test(trimmed)) return null
+
+  // Walk the serialization once, honoring a `text` key only at the top level of
+  // the argument object (braceDepth 1, outside any array). Two failure classes
+  // motivate the bookkeeping: a `text:` inside an earlier quoted value, e.g.
+  // `channel_send({ reason: "see text: here", text: "real" })`, and a `text:`
+  // inside a *nested* object, e.g. `channel_reply({ meta: { text: "x" }, text:
+  // "real" })`. Skipping string literals defeats the first; tracking
+  // brace/bracket depth and matching keys only at top level defeats the second.
+  // Either way the scanner lands on the real reply instead of leaking the wrong
+  // value or dropping the message.
+  let braceDepth = 0
+  let bracketDepth = 0
+  for (let i = 0; i < trimmed.length; i++) {
+    const ch = trimmed[i]!
+
+    if (ch === '"' || ch === "'") {
+      i = skipStringLiteral(trimmed, i, ch)
+      continue
+    }
+
+    if (ch === '{') {
+      braceDepth++
+      if (braceDepth === 1 && bracketDepth === 0) {
+        const value = readTextKeyValueAt(trimmed, i + 1)
+        if (value !== undefined) return value
+      }
+      continue
+    }
+    if (ch === '}') {
+      if (braceDepth > 0) braceDepth--
+      continue
+    }
+    if (ch === '[') {
+      bracketDepth++
+      continue
+    }
+    if (ch === ']') {
+      if (bracketDepth > 0) bracketDepth--
+      continue
+    }
+
+    if (ch === ',' && braceDepth === 1 && bracketDepth === 0) {
+      const value = readTextKeyValueAt(trimmed, i + 1)
+      if (value !== undefined) return value
+    }
+  }
+
+  return null
+}
+
+// Returns the recovered value (string or null) when a `text` key starts at
+// `from`, or undefined when no `text` key is present there so the scanner keeps
+// walking. The null/undefined split lets a malformed `text` value short-circuit
+// to suppression while a non-`text` delimiter is simply skipped.
+function readTextKeyValueAt(s: string, from: number): string | null | undefined {
+  const afterKey = matchTextKey(s, from)
+  if (afterKey === null) return undefined
+
+  const quote = s[afterKey]
+  if (quote !== '"' && quote !== "'") return null
+  return readStringValue(s, afterKey + 1, quote)
+}
+
+// Returns the closing-quote index, or the last index when the literal is
+// truncated, so the caller's `i++` resumes past the consumed string.
+function skipStringLiteral(s: string, openIdx: number, quote: string): number {
+  let escaped = false
+  for (let i = openIdx + 1; i < s.length; i++) {
+    const ch = s[i]!
+    if (escaped) {
+      escaped = false
+      continue
+    }
+    if (ch === '\\') {
+      escaped = true
+      continue
+    }
+    if (ch === quote) return i
+  }
+  return s.length
+}
+
+function matchTextKey(s: string, from: number): number | null {
+  const m = /^\s*(?:"text"|'text'|text)\s*:\s*/.exec(s.slice(from))
+  return m === null ? null : from + m[0].length
 }
 
+function readStringValue(s: string, from: number, quote: string): string | null {
+  let value = ''
+  let escaped = false
+  for (let i = from; i < s.length; i++) {
+    const ch = s[i]!
+    if (escaped) {
+      value += ESCAPE_REPLACEMENTS[ch] ?? ch
+      escaped = false
+      continue
+    }
+    if (ch === '\\') {
+      escaped = true
+      continue
+    }
+    if (ch === quote) break
+    value += ch
+  }
+  return value.trim().length > 0 ? value : null
+}
+
+const ESCAPE_REPLACEMENTS: Record<string, string> = { n: '\n', r: '\r', t: '\t' }
+
 function describe(err: unknown): string {
   return err instanceof Error ? err.message : String(err)
 }