typeclaw 0.26.0 → 0.28.0

package/src/cli/tui.ts

@@ -3,14 +3,16 @@ import { defineCommand } from 'citty'
 import { requireContainerRunning, resolveHostPort, resolveTuiToken } from '@/container'
 import { findAgentDir } from '@/init'
 import { CLI_VERSION } from '@/init/cli-version'
-import { createTui, formatVersionMismatchWarning } from '@/tui'
+import { runTuiViewer } from '@/inspect'
+import { formatVersionMismatchWarning } from '@/tui'
 
+import { runInspectViewer } from './inspect'
 import { errorLine } from './ui'
 
 export const tui = defineCommand({
   meta: {
     name: 'tui',
-    description: 'start the tui client',
+    description: 'open the live agent session in the read+write viewer (host stage)',
   },
   args: {
     prompt: {
@@ -25,50 +27,42 @@ export const tui = defineCommand({
     },
   },
   async run({ args }) {
-    const resolveUrl: () => Promise<string> = args.url !== undefined ? async () => args.url as string : defaultUrl
+    const cwd = findAgentDir(process.cwd()) ?? process.cwd()
+    const resolveUrl: () => Promise<string> =
+      args.url !== undefined ? async () => args.url as string : () => defaultUrl(cwd)
 
-    let initialPrompt: string | undefined = args.prompt
-    let attempt = 0
-    const RECONNECT_MAX_ATTEMPTS = 30
-    const RECONNECT_BACKOFF_MS = 1_000
+    const result = await runTuiViewer({
+      resolveUrl,
+      ...(args.prompt !== undefined ? { initialPrompt: args.prompt } : {}),
+      expectedVersion: CLI_VERSION,
+      onVersionMismatch: (info) => {
+        process.stderr.write(`${formatVersionMismatchWarning(info)}\n`)
+      },
+      stderr: (line) => process.stderr.write(`${line}\n`),
+    })
 
-    while (true) {
-      const url = await resolveUrl()
-      const tui = createTui({
-        url,
-        ...(initialPrompt !== undefined ? { initialPrompt } : {}),
-        expectedVersion: CLI_VERSION,
-        onVersionMismatch: (info) => {
-          process.stderr.write(`${formatVersionMismatchWarning(info)}\n`)
-        },
-      })
-      const outcome = await tui.run()
-      if (!outcome.lostConnection) return
-      // The TUI lost its WS post-handshake (container restart, network blip,
-      // hostd hiccup). Re-resolve the URL because the host port can change
-      // across container lifecycles (see resolveHostPort), then reconnect.
-      // The initial prompt is intentionally cleared after the first cycle:
-      // on a reconnect, the agent is resuming the same session — replaying
-      // the prompt would re-send it to the LLM.
-      initialPrompt = undefined
-      attempt += 1
-      if (attempt > RECONNECT_MAX_ATTEMPTS) {
-        console.error(errorLine(`disconnected; gave up after ${RECONNECT_MAX_ATTEMPTS} reconnect attempts`))
-        process.exit(1)
-      }
-      process.stderr.write(`reconnecting (attempt ${attempt}/${RECONNECT_MAX_ATTEMPTS})...\n`)
-      await new Promise((resolve) => setTimeout(resolve, RECONNECT_BACKOFF_MS))
+    // Esc detached from the live session: drop into the viewer list so the user
+    // can pick another session or the container logs — `tui` is just a deep-link
+    // into the session viewer, pre-opened on the live session. allowWritable
+    // is false because detaching ended the live session, so no row may be
+    // offered as a writable "live TUI" anymore.
+    if (result.ok && result.escToPicker === true) {
+      const viewerExit = await runInspectViewer({ cwd, allowWritable: false })
+      process.exit(viewerExit)
+      return
     }
+
+    if (!result.ok) {
+      process.stderr.write(`${errorLine(result.reason)}\n`)
+      process.exit(result.exitCode)
+    }
+    process.exit(result.exitCode)
   },
 })
 
-async function defaultUrl(): Promise<string> {
-  const cwd = findAgentDir(process.cwd()) ?? process.cwd()
+async function defaultUrl(cwd: string): Promise<string> {
   const precheck = await requireContainerRunning({ cwd })
-  if (!precheck.ok) {
-    console.error(errorLine(precheck.reason))
-    process.exit(1)
-  }
+  if (!precheck.ok) throw new Error(precheck.reason)
   const port = await resolveHostPort({ cwd })
   const token = await resolveTuiToken({ cwd })
   const url = new URL(`ws://127.0.0.1:${port}`)

package/src/compose/logs.ts

@@ -100,7 +100,7 @@ export async function composeLogs({
       follow,
       ...(tail !== undefined ? { tail } : {}),
     })
-    const proc = bun.spawn({ cmd, stdout: 'pipe', stderr: 'pipe' })
+    const proc = bun.spawn({ cmd, stdin: 'ignore', stdout: 'pipe', stderr: 'pipe' })
     return { agent, proc }
   })
 

package/src/config/config.ts

@@ -249,8 +249,7 @@ export const gitignoreSchema = gitignoreObjectSchema.default(() => gitignoreObje
 export type GitignoreConfig = z.infer<typeof gitignoreSchema>
 
 // Same rationale as `dockerSchema`: a `git` namespace today carries `git.ignore`
-// and leaves room for future siblings (e.g. `git.attributes`). The one-time
-// migration also handles the rename of legacy top-level `gitignore`.
+// and leaves room for future siblings (e.g. `git.attributes`).
 export const gitSchema = z
   .object({
     ignore: gitignoreSchema,
@@ -783,34 +782,17 @@ export function loadConfigSync(cwd: string): Config {
   return result.data
 }
 
-// One-shot rename of legacy top-level `dockerfile` / `gitignore` keys into the
-// nested `docker.file` / `git.ignore` shape introduced for namespace
-// extensibility (`docker.compose`, `git.attributes`, etc. land here later
-// without a second migration). Called from every entry point that reads
-// `typeclaw.json` so the rest of the pipeline only ever sees the new shape.
-//
-// Precedence when both legacy and new keys coexist: the new shape wins and
-// the legacy key is dropped silently. Two ways this happens in practice:
-//   1. User hand-edited the new shape after auto-migration but forgot to
-//      delete the legacy key.
-//   2. Two `typeclaw start` invocations raced on a stale checkout.
-// Either way, the new shape is the source of truth — losing the legacy
-// duplicate is the right call because it would otherwise be shadowed at
-// parse time anyway (`configSchema` has no `dockerfile`/`gitignore` keys).
+// Strips a `channels.github.eventAllowlist` that deep-equals a value `channel
+// add` / `init` previously seeded verbatim, so the config re-tracks the shipped
+// default. Called from every entry point that reads `typeclaw.json` so the rest
+// of the pipeline only ever sees the canonical shape.
 //
 // The returned `applied` array names each migration step that fired, so
-// callers in `typeclaw start` can build a meaningful git commit message
-// instead of a generic "migrate legacy shape" subject. `changed` is the
-// boolean equivalent of `applied.length > 0` and is preserved for back-compat
-// with the many call sites that only care whether ANY rewrite happened.
-export type MigrationStep =
-  | { kind: 'dockerfile-to-docker-file' }
-  | { kind: 'gitignore-to-git-ignore' }
-  | { kind: 'channels-allow-to-roles-member-match'; rules: string[]; dropped: string[] }
-  | { kind: 'strip-permissions-gate-channel-respond' }
-  | { kind: 'model-to-models'; ref: string }
-  | { kind: 'drop-stale-model'; ref: string }
-  | { kind: 'drop-github-seeded-event-allowlist' }
+// callers in `typeclaw start` can build a meaningful git commit message.
+// `changed` is the boolean equivalent of `applied.length > 0` and is preserved
+// for back-compat with the many call sites that only care whether ANY rewrite
+// happened.
+export type MigrationStep = { kind: 'drop-github-seeded-event-allowlist' }
 
 export type MigrationResult = { json: unknown; changed: boolean; applied: MigrationStep[] }
 
@@ -820,86 +802,13 @@ export function migrateLegacyConfigShape(json: unknown): MigrationResult {
   }
 
   const obj = json as Record<string, unknown>
-  const hasLegacyDockerfile = 'dockerfile' in obj
-  const hasLegacyGitignore = 'gitignore' in obj
-  const channelsAllowMigration = collectChannelsAllowMigration(obj)
-  const hasLegacyGateChannelRespond = isPlainObject(obj.permissions) && 'gateChannelRespond' in obj.permissions
-  // The pre-multi-model schema had a top-level `model: KnownModelRef` and no
-  // `models` key. Detecting the legacy shape requires both: `model` present
-  // AND `models` absent. If both coexist (user hand-edited after auto-migrate
-  // but didn't delete the legacy key), `models` wins and `model` is dropped
-  // silently — same precedence rule as the dockerfile/gitignore migrations.
-  const hasLegacyModel = 'model' in obj && !('models' in obj) && typeof obj.model === 'string'
-  const hasStaleModelAlongsideModels = 'model' in obj && 'models' in obj
   const hasSeededGithubEventAllowlist = isSeededGithubEventAllowlist(obj)
-  if (
-    !hasLegacyDockerfile &&
-    !hasLegacyGitignore &&
-    !channelsAllowMigration.found &&
-    !hasLegacyGateChannelRespond &&
-    !hasLegacyModel &&
-    !hasStaleModelAlongsideModels &&
-    !hasSeededGithubEventAllowlist
-  ) {
+  if (!hasSeededGithubEventAllowlist) {
     return { json, changed: false, applied: [] }
   }
 
   const applied: MigrationStep[] = []
   const next: Record<string, unknown> = { ...obj }
-  if (hasLegacyDockerfile) {
-    const legacy = next.dockerfile
-    delete next.dockerfile
-    if (!('docker' in next)) {
-      next.docker = { file: legacy }
-    } else if (isPlainObject(next.docker) && !('file' in next.docker)) {
-      next.docker = { ...next.docker, file: legacy }
-    }
-    applied.push({ kind: 'dockerfile-to-docker-file' })
-  }
-  if (hasLegacyGitignore) {
-    const legacy = next.gitignore
-    delete next.gitignore
-    if (!('git' in next)) {
-      next.git = { ignore: legacy }
-    } else if (isPlainObject(next.git) && !('ignore' in next.git)) {
-      next.git = { ...next.git, ignore: legacy }
-    }
-    applied.push({ kind: 'gitignore-to-git-ignore' })
-  }
-  if (channelsAllowMigration.found) {
-    applyChannelsAllowMigration(next, channelsAllowMigration)
-    applied.push({
-      kind: 'channels-allow-to-roles-member-match',
-      rules: channelsAllowMigration.rules,
-      dropped: channelsAllowMigration.warnings,
-    })
-  }
-  if (hasLegacyGateChannelRespond) {
-    const perms = { ...(next.permissions as Record<string, unknown>) }
-    delete perms.gateChannelRespond
-    if (Object.keys(perms).length === 0) {
-      delete next.permissions
-    } else {
-      next.permissions = perms
-    }
-    applied.push({ kind: 'strip-permissions-gate-channel-respond' })
-  }
-  if (hasLegacyModel) {
-    const ref = next.model as string
-    delete next.model
-    next.models = { default: ref }
-    applied.push({ kind: 'model-to-models', ref })
-  } else if (hasStaleModelAlongsideModels) {
-    // `models` wins (per the same precedence rule as dockerfile/gitignore), but
-    // the drop is still a tracked migration step so the disk rewrite gets a
-    // commit instead of silently dirtying the worktree. Without this, the
-    // file would be rewritten by persistMigratedConfig and no commit would
-    // fire (buildConfigMigrationCommitMessage returns null for empty applied
-    // lists), contradicting the invariant in persistMigratedConfig's comment.
-    const ref = typeof next.model === 'string' ? next.model : ''
-    delete next.model
-    applied.push({ kind: 'drop-stale-model', ref })
-  }
   if (hasSeededGithubEventAllowlist) {
     dropSeededGithubEventAllowlist(next)
     applied.push({ kind: 'drop-github-seeded-event-allowlist' })
@@ -937,12 +846,6 @@ function arraysEqual(a: readonly unknown[], b: readonly unknown[]): boolean {
   return true
 }
 
-// Builds a meaningful one-line git commit subject for a typeclaw.json
-// migration. Single-step migrations get a specific subject; multi-step ones
-// fall back to a stable summary subject with the count. The body (after the
-// blank line) enumerates each step so `git log -p typeclaw.json` is an
-// auditable trail of what legacy shapes the agent has graduated from.
-//
 // Returns null when no steps were applied — callers should not commit in
 // that case. Keeping the null branch here (vs an empty string) makes the
 // "nothing happened" case impossible to misuse at the call site.
@@ -950,42 +853,13 @@ export function buildConfigMigrationCommitMessage(applied: readonly MigrationSte
   const first = applied[0]
   if (first === undefined) return null
 
-  const subject =
-    applied.length === 1
-      ? `typeclaw.json: ${shortStepLabel(first)}`
-      : `typeclaw.json: migrate legacy shape (${applied.length} steps)`
-
+  const subject = `typeclaw.json: ${shortStepLabel(first)}`
   const bodyLines: string[] = applied.map((step) => `- ${describeStep(step)}`)
-
-  // Surface dropped rules in the commit body so a user inspecting `git log -p`
-  // sees exactly which legacy entries had to be hand-re-added (the lossy
-  // `channel:<id>` case). Without this, the silent-drop is invisible after
-  // the fact.
-  for (const step of applied) {
-    if (step.kind === 'channels-allow-to-roles-member-match' && step.dropped.length > 0) {
-      for (const warning of step.dropped) {
-        bodyLines.push(`  warning: ${warning}`)
-      }
-    }
-  }
-
   return `${subject}\n\n${bodyLines.join('\n')}\n`
 }
 
 function shortStepLabel(step: MigrationStep): string {
   switch (step.kind) {
-    case 'dockerfile-to-docker-file':
-      return 'lift dockerfile → docker.file'
-    case 'gitignore-to-git-ignore':
-      return 'lift gitignore → git.ignore'
-    case 'channels-allow-to-roles-member-match':
-      return 'lift channels.<adapter>.allow[] → roles.member.match[]'
-    case 'strip-permissions-gate-channel-respond':
-      return 'drop permissions.gateChannelRespond'
-    case 'model-to-models':
-      return 'lift model → models.default'
-    case 'drop-stale-model':
-      return 'drop stale legacy model alongside models'
     case 'drop-github-seeded-event-allowlist':
       return 'drop seeded channels.github.eventAllowlist'
   }
@@ -993,152 +867,11 @@ function shortStepLabel(step: MigrationStep): string {
 
 function describeStep(step: MigrationStep): string {
   switch (step.kind) {
-    case 'dockerfile-to-docker-file':
-      return 'lift top-level dockerfile into docker.file'
-    case 'gitignore-to-git-ignore':
-      return 'lift top-level gitignore into git.ignore'
-    case 'channels-allow-to-roles-member-match': {
-      if (step.rules.length === 0) {
-        return 'strip channels.<adapter>.allow[] (no translatable rules)'
-      }
-      return `lift channels.<adapter>.allow[] → roles.member.match[]: ${step.rules.join(', ')}`
-    }
-    case 'strip-permissions-gate-channel-respond':
-      return 'drop permissions.gateChannelRespond (removed key)'
-    case 'model-to-models':
-      return `lift top-level model into models.default: ${step.ref}`
-    case 'drop-stale-model':
-      return step.ref !== ''
-        ? `drop stale top-level model (${step.ref}) — models block takes precedence`
-        : 'drop stale top-level model — models block takes precedence'
     case 'drop-github-seeded-event-allowlist':
       return 'drop seeded channels.github.eventAllowlist so it re-tracks the shipped default'
   }
 }
 
-// Channels.<adapter>.allow[] → roles.member.match[] migration.
-//
-// Phase 3 removes the per-adapter allow-list and unifies wake-up gating
-// through `roles.member.match[]` + the `channel.respond` permission. This
-// helper translates legacy `allow` entries into canonical match-rule DSL
-// strings and appends them (deduplicated, preserving declaration order)
-// to `roles.member.match[]`. The `allow` field is then stripped from each
-// adapter block; the block survives — only the field is gone.
-//
-// `channel:<id>` rules cannot round-trip (the DSL forbids
-// wildcard-workspace + specific-chat) and are dropped with a warning. All
-// other shapes translate losslessly per the table in match-rule.ts.
-type ChannelsAllowMigration = {
-  found: boolean
-  rules: string[]
-  warnings: string[]
-}
-
-function collectChannelsAllowMigration(obj: Record<string, unknown>): ChannelsAllowMigration {
-  const out: ChannelsAllowMigration = { found: false, rules: [], warnings: [] }
-  const channels = obj.channels
-  if (!isPlainObject(channels)) return out
-  for (const [adapter, value] of Object.entries(channels)) {
-    if (!isPlainObject(value)) continue
-    if (!('allow' in value)) continue
-    out.found = true
-    const allow = value.allow
-    if (!Array.isArray(allow)) continue
-    for (const entry of allow) {
-      if (typeof entry !== 'string') continue
-      const translated = translateLegacyAllowRule(entry)
-      if (translated.kind === 'rule') {
-        out.rules.push(translated.value)
-      } else {
-        out.warnings.push(`channels.${adapter}.allow[]: dropped '${entry}' (${translated.reason})`)
-      }
-    }
-  }
-  return out
-}
-
-function applyChannelsAllowMigration(next: Record<string, unknown>, migration: ChannelsAllowMigration): void {
-  const channels = next.channels
-  if (isPlainObject(channels)) {
-    const updated: Record<string, unknown> = {}
-    for (const [adapter, value] of Object.entries(channels)) {
-      if (isPlainObject(value) && 'allow' in value) {
-        const { allow: _allow, ...rest } = value
-        updated[adapter] = rest
-      } else {
-        updated[adapter] = value
-      }
-    }
-    next.channels = updated
-  }
-
-  if (migration.rules.length === 0) {
-    for (const warning of migration.warnings) {
-      console.warn(`[config] ${warning}`)
-    }
-    return
-  }
-
-  const roles = isPlainObject(next.roles) ? { ...next.roles } : {}
-  const member = isPlainObject(roles.member) ? { ...roles.member } : {}
-  const existingMatch = Array.isArray(member.match)
-    ? (member.match as unknown[]).filter((m) => typeof m === 'string')
-    : []
-  const seen = new Set<string>(existingMatch as string[])
-  const merged = [...(existingMatch as string[])]
-  for (const rule of migration.rules) {
-    if (!seen.has(rule)) {
-      seen.add(rule)
-      merged.push(rule)
-    }
-  }
-  member.match = merged
-  roles.member = member
-  next.roles = roles
-
-  console.warn(`[config] migrated channels.<adapter>.allow[] -> roles.member.match[]: ${migration.rules.join(', ')}`)
-  for (const warning of migration.warnings) {
-    console.warn(`[config] ${warning}`)
-  }
-}
-
-type TranslatedRule = { kind: 'rule'; value: string } | { kind: 'drop'; reason: string }
-
-function translateLegacyAllowRule(rule: string): TranslatedRule {
-  // Already canonical / cross-platform.
-  if (rule === '*') return { kind: 'rule', value: '*' }
-  if (rule.startsWith('kakao:')) return { kind: 'rule', value: rule }
-
-  // Discord: guild → discord, dm → discord:dm.
-  if (rule === 'guild:*') return { kind: 'rule', value: 'discord:*' }
-  if (rule.startsWith('guild:')) return { kind: 'rule', value: `discord:${rule.slice('guild:'.length)}` }
-  if (rule === 'dm:*') return { kind: 'rule', value: 'discord:dm/*' }
-  if (rule.startsWith('dm:')) return { kind: 'rule', value: `discord:dm/${rule.slice('dm:'.length)}` }
-
-  // Slack: team → slack, im → slack:dm.
-  if (rule === 'team:*') return { kind: 'rule', value: 'slack:*' }
-  if (rule.startsWith('team:')) return { kind: 'rule', value: `slack:${rule.slice('team:'.length)}` }
-  if (rule === 'im:*') return { kind: 'rule', value: 'slack:dm/*' }
-  if (rule.startsWith('im:')) return { kind: 'rule', value: `slack:dm/${rule.slice('im:'.length)}` }
-
-  // Telegram: tg → telegram.
-  if (rule === 'tg:*') return { kind: 'rule', value: 'telegram:*' }
-  if (rule.startsWith('tg:')) return { kind: 'rule', value: `telegram:${rule.slice('tg:'.length)}` }
-
-  // `channel:<id>` had no workspace; canonical DSL rejects wildcard
-  // workspace + specific chat. Drop with a warning so the operator knows
-  // to re-add the rule explicitly with a workspace coordinate.
-  if (rule.startsWith('channel:')) {
-    return {
-      kind: 'drop',
-      reason:
-        'channel:<id> rules require an explicit workspace under the new DSL; re-add as discord:<guild>/<id> or slack:<team>/<id>',
-    }
-  }
-
-  return { kind: 'drop', reason: `unrecognized legacy allow shape '${rule}'` }
-}
-
 function isPlainObject(value: unknown): value is Record<string, unknown> {
   return typeof value === 'object' && value !== null && !Array.isArray(value)
 }
@@ -1156,18 +889,16 @@ function persistMigratedConfig(cwd: string, json: unknown, applied: readonly Mig
   }
 
   // Pair the disk rewrite with a git commit so the agent folder is never
-  // silently dirty after a legacy-shape migration. typeclaw.json is in
-  // git's "tracked" category (unlike Dockerfile, which is regenerated on
-  // every start and intentionally gitignored), so an uncommitted rewrite
-  // gets mixed into unrelated commits the moment any other tool touches
-  // the repo. commitSystemFileSync no-ops on non-git folders, missing
-  // Bun, and clean files, so canonical-shape reads pay zero cost.
+  // silently dirty after a migration. typeclaw.json is in git's "tracked"
+  // category (unlike Dockerfile, which is regenerated on every start and
+  // intentionally gitignored), so an uncommitted rewrite gets mixed into
+  // unrelated commits the moment any other tool touches the repo.
+  // commitSystemFileSync no-ops on non-git folders, missing Bun, and clean
+  // files, so canonical-shape reads pay zero cost.
   //
   // Called from every entry point that reads typeclaw.json (host CLI,
   // hostd daemon, container runtime) so the commit follows the rewrite
-  // wherever it happens — not only from `typeclaw start`. The earlier
-  // design that committed only in start() missed the long-running hostd
-  // daemon, doctor, tui, reload, and compose paths.
+  // wherever it happens — not only from `typeclaw start`.
   const message = buildConfigMigrationCommitMessage(applied)
   if (message !== null) {
     commitSystemFileSync(cwd, CONFIG_FILE, message)

package/src/container/logs.ts

@@ -44,27 +44,48 @@ export async function logs({
       return { ok: false, reason: `Container ${plan.containerName} not found. Run \`typeclaw start\` first.` }
     }
 
-    const proc = bun.spawn({ cmd: buildDockerLogsCmd(plan), cwd, stdout: 'pipe', stderr: 'pipe' })
+    // stdin:'ignore' — `docker logs` never reads stdin, and letting the child
+    // hold the TTY breaks the viewer's raw-mode keypress listener (esc/q/ctrl-c
+    // stop reaching it, freezing the logs view with no way out).
+    const proc = bun.spawn({ cmd: buildDockerLogsCmd(plan), cwd, stdin: 'ignore', stdout: 'pipe', stderr: 'pipe' })
 
+    // `docker logs -f` never exits on its own; aborting the signal must kill it
+    // so the pumps' stream readers end. Escalate to SIGKILL if SIGTERM is
+    // ignored, otherwise Promise.all(pumps) could hang until the pipes close.
+    let killTimer: ReturnType<typeof setTimeout> | undefined
     const onAbort = (): void => {
       try {
         proc.kill('SIGTERM')
+        killTimer = setTimeout(() => {
+          try {
+            proc.kill('SIGKILL')
+          } catch {
+            // already exited
+          }
+        }, 2_000)
       } catch {
         // already exited
       }
     }
     signal?.addEventListener('abort', onAbort, { once: true })
+    // The signal may already be aborted before we attached the listener (esc
+    // pressed during container existence check); addEventListener would then
+    // never fire, leaving docker logs -f running forever.
+    if (signal?.aborted === true) onAbort()
 
-    const colorOut = useColor ?? supportsColor(out)
-    const colorErr = useColor ?? supportsColor(err)
-    await Promise.all([
-      pumpWithTimestamps(proc.stdout, out, makeLogTimestampReformatter(undefined, { color: colorOut })),
-      pumpWithTimestamps(proc.stderr, err, makeLogTimestampReformatter(undefined, { color: colorErr })),
-    ])
-    const exitCode = await proc.exited
-    signal?.removeEventListener('abort', onAbort)
-
-    return { ok: true, containerName: plan.containerName, exitCode }
+    try {
+      const colorOut = useColor ?? supportsColor(out)
+      const colorErr = useColor ?? supportsColor(err)
+      await Promise.all([
+        pumpWithTimestamps(proc.stdout, out, makeLogTimestampReformatter(undefined, { color: colorOut }), signal),
+        pumpWithTimestamps(proc.stderr, err, makeLogTimestampReformatter(undefined, { color: colorErr }), signal),
+      ])
+      const exitCode = await proc.exited
+      return { ok: true, containerName: plan.containerName, exitCode }
+    } finally {
+      if (killTimer !== undefined) clearTimeout(killTimer)
+      signal?.removeEventListener('abort', onAbort)
+    }
   } catch (error) {
     return { ok: false, reason: error instanceof Error ? error.message : String(error) }
   }
@@ -101,30 +122,57 @@ export function buildDockerLogsCmd(plan: LogsPlan): string[] {
 
 // Exported for `compose/logs.ts` so the multi-agent path reuses the same
 // reformatter and stays consistent with single-agent output.
+//
+// Abort handling is load-bearing for the interactive logs viewer: killing
+// `docker logs -f` does NOT reliably make Bun's pending `reader.read()` resolve
+// (the killed child may not promptly EOF its piped stdout — see the OrbStack
+// /proc quirk). Without cancelling the reader on abort, esc would hang forever.
+// So on abort we cancel the reader, which unblocks the pending read; the caller
+// still kills the process for OS-side cleanup.
 export async function pumpWithTimestamps(
   stream: ReadableStream<Uint8Array>,
   sink: NodeJS.WritableStream,
   reformatter: TimestampReformatter = makeLogTimestampReformatter(),
+  signal?: AbortSignal,
 ): Promise<void> {
   const decoder = new TextDecoder()
   const reader = stream.getReader()
+  let aborted = signal?.aborted === true
+  const onAbort = (): void => {
+    aborted = true
+    void reader.cancel().catch(() => {})
+  }
+  if (aborted) onAbort()
+  else signal?.addEventListener('abort', onAbort, { once: true })
+
   try {
     while (true) {
-      const { done, value } = await reader.read()
-      if (done) break
-      if (value && value.byteLength > 0) {
-        const out = reformatter.write(decoder.decode(value, { stream: true }))
+      if (aborted) break
+      const chunk = await reader.read().catch((error: unknown) => {
+        if (aborted || signal?.aborted === true) return null
+        throw error
+      })
+      if (chunk === null || chunk.done || aborted) break
+      if (chunk.value && chunk.value.byteLength > 0) {
+        const out = reformatter.write(decoder.decode(chunk.value, { stream: true }))
         if (out.length > 0) sink.write(out)
       }
     }
-    const tail = decoder.decode()
-    if (tail.length > 0) {
-      const out = reformatter.write(tail)
-      if (out.length > 0) sink.write(out)
+    if (!aborted) {
+      const tail = decoder.decode()
+      if (tail.length > 0) {
+        const out = reformatter.write(tail)
+        if (out.length > 0) sink.write(out)
+      }
+      const flushed = reformatter.flush()
+      if (flushed.length > 0) sink.write(flushed)
     }
-    const flushed = reformatter.flush()
-    if (flushed.length > 0) sink.write(flushed)
   } finally {
-    reader.releaseLock()
+    signal?.removeEventListener('abort', onAbort)
+    try {
+      reader.releaseLock()
+    } catch {
+      // harmless if cancel/abort raced with stream teardown
+    }
   }
 }

package/src/container/start.ts

@@ -22,7 +22,6 @@ import { ensureDepsInstalled, type EnsureDepsResult } from '@/init/ensure-deps'
 import { buildGitignore, GITIGNORE_FILE } from '@/init/gitignore'
 import { refreshPackageJson } from '@/init/packagejson'
 import { runBunUpdate, type UpdateRunner } from '@/init/run-bun-install'
-import { migrateKakaotalkCredentials } from '@/secrets'
 
 import { CONTAINER_PORT, TUI_TOKEN_LABEL, findFreePort, isPortAllocatedError, resolveTuiToken } from './port'
 import {
@@ -258,7 +257,6 @@ export async function start({
     // ensures the base image's CLI version matches the runtime the
     // container will actually load.
     const dockerfileRefresh = await refreshDockerfile(cwd)
-    await migrateKakaotalkCredentials(cwd)
 
     if (state.exists) {
       // Container holds the name but is not running. Without `--rm`, this is