typeclaw 0.26.0 → 0.28.0

package/src/secrets/schema.ts

@@ -1,7 +1,6 @@
 import { z } from 'zod'
 
-import { CHANNEL_ENV_TO_FIELD } from './defaults'
-import { secretFieldSchema, type Secret } from './resolve'
+import { secretFieldSchema } from './resolve'
 
 // providers.<id> for api-key credentials: the `key` field is a Secret (string
 // shorthand or `{ value?, env? }` object). resolveSecret turns this into a
@@ -115,9 +114,7 @@ export const channelsSchema = z
   .catchall(z.unknown())
 
 // version 2 = providers.* with Secret-typed api-key.key + per-adapter
-// channel field shapes. version 1 = the previous shape (flat `llm.*`, channel
-// slots keyed by env-var name). Legacy v1 input is upgraded transparently by
-// parseSecretsFile; the first write persists v2.
+// channel field shapes.
 export const SECRETS_FILE_VERSION = 2
 
 export const secretsFileSchema = z.object({
@@ -140,98 +137,15 @@ export type SecretsFile = z.infer<typeof secretsFileSchema>
 
 export type ParseSecretsResult = { ok: true; file: SecretsFile } | { ok: false; reason: string }
 
-// parseSecretsFile recognises three shapes, in priority order:
-//   1. The v2 envelope (current): { version: 2, providers, channels }
-//   2. The v1 envelope (legacy): { version: 1, llm, channels } where channel
-//      slots are keyed by env-var name. Both `llm` and `channels` get
-//      reshaped — llm -> providers, env-keyed channel slots -> field-keyed.
-//   3. The pre-envelope flat shape (very legacy): Record<string, AuthCredential>
-//      at top level. Treated as { version: 2, providers: <flat>, channels: {} }
-//      so existing OAuth users transparently upgrade.
-//
-// Every legacy upgrade produces a v2-shaped SecretsFile in memory; the next
-// write persists v2 to disk. The legacy branches stay forever as a quiet
-// compatibility seam — only the v2 form is documented.
+// parseSecretsFile accepts only the current v2 envelope:
+// { version: 2, providers, channels }.
 export function parseSecretsFile(raw: unknown): ParseSecretsResult {
   const v2 = secretsFileSchema.safeParse(raw)
   if (v2.success) return { ok: true, file: v2.data }
 
-  const v1 = legacyV1Schema.safeParse(raw)
-  if (v1.success) return { ok: true, file: upgradeV1ToV2(v1.data) }
-
-  const flat = legacyFlatProviderSchema.safeParse(raw)
-  if (flat.success) {
-    return { ok: true, file: upgradeV1ToV2({ version: 1, llm: flat.data, channels: {} }) }
-  }
-
   return { ok: false, reason: v2.error.issues.map(formatIssue).join('; ') }
 }
 
-// Legacy v1 schema: `llm` (flat string-key) and `channels` (env-var-keyed
-// flat map per adapter). Used only for upgrade reads; never written.
-const legacyV1ApiKeySchema = z.object({
-  type: z.literal('api_key'),
-  key: z.string().min(1),
-})
-
-const legacyV1OAuthSchema = z
-  .object({
-    type: z.literal('oauth'),
-  })
-  .catchall(z.unknown())
-
-const legacyV1CredentialSchema = z.discriminatedUnion('type', [legacyV1ApiKeySchema, legacyV1OAuthSchema])
-
-const legacyV1LlmSchema = z.record(z.string(), legacyV1CredentialSchema)
-
-const legacyV1ChannelsSchema = z.record(z.string(), z.record(z.string(), z.string()))
-
-const legacyV1Schema = z.object({
-  $schema: z.string().optional(),
-  version: z.literal(1),
-  llm: legacyV1LlmSchema.default({}),
-  channels: legacyV1ChannelsSchema.default({}),
-})
-
-const legacyFlatProviderSchema = z.record(z.string(), legacyV1CredentialSchema)
-
-function upgradeV1ToV2(legacy: z.infer<typeof legacyV1Schema>): SecretsFile {
-  const providers: Providers = {}
-  for (const [providerId, cred] of Object.entries(legacy.llm)) {
-    if (cred.type === 'api_key') {
-      providers[providerId] = { type: 'api_key', key: { value: cred.key } }
-    } else {
-      providers[providerId] = cred
-    }
-  }
-
-  const channels: Channels = {}
-  for (const [adapterId, envKeyedSlot] of Object.entries(legacy.channels)) {
-    const upgradedSlot: Record<string, Secret> = {}
-    for (const [envKey, value] of Object.entries(envKeyedSlot)) {
-      const mapping = CHANNEL_ENV_TO_FIELD[envKey]
-      if (mapping && mapping.adapterId === adapterId) {
-        upgradedSlot[mapping.fieldName] = { value }
-      } else {
-        // Unknown env-var-name key on a known adapter, or an adapter we don't
-        // recognise: pass through verbatim under the original key. Better to
-        // preserve user data than drop it; the catchall on channelsSchema
-        // makes this safe.
-        upgradedSlot[envKey] = { value }
-      }
-    }
-    channels[adapterId] = upgradedSlot
-  }
-
-  const result: SecretsFile = {
-    version: SECRETS_FILE_VERSION,
-    providers,
-    channels,
-  }
-  if (legacy.$schema !== undefined) result.$schema = legacy.$schema
-  return result
-}
-
 function formatIssue(issue: { path: PropertyKey[]; message: string }): string {
   const path = issue.path.length > 0 ? issue.path.map(String).join('.') : '<root>'
   return `${path}: ${issue.message}`

package/src/secrets/storage.ts

@@ -9,7 +9,6 @@ import {
 import lockfile from 'proper-lockfile'
 
 import { providerKeyDefaultEnv } from './defaults'
-import { migrateLegacyAuthJson } from './migrate'
 import { resolveSecret, type Secret } from './resolve'
 import {
   type Channels,
@@ -375,7 +374,6 @@ export class SecretsBackend implements AuthStorageBackend {
 }
 
 export function createSecretsStoreForAgent(secretsPath: string): AuthStorage {
-  migrateLegacyAuthJson(dirname(secretsPath))
   return AuthStorageImpl.fromStorage(new SecretsBackend(secretsPath))
 }
 

package/src/server/index.ts

@@ -1181,10 +1181,6 @@ async function handleCronList(
     // jobs from a newer registry.
     const snapshot = pluginRuntime?.get()
     const loadResult = await loadCron(agentDir, {
-      // Read-only path: do not rewrite cron.json or commit the
-      // migration just because the user (or the agent) asked to see
-      // the schedule. Boot/reload still own the persistent migration.
-      persistMigrations: false,
       ...(snapshot !== undefined ? { subagents: snapshot.subagents } : {}),
     })
     if (!loadResult.ok) {

package/src/skills/typeclaw-channel-github/SKILL.md

@@ -20,7 +20,7 @@ Before you pick an action, classify the inbound. Skipping this step is how a PR
 
 1. **Is this a PR, and do I have an unresolved blocking obligation on it?** On any `pr:N` inbound, before anything else, check whether you owe this PR a verdict you have not yet landed. Check **both** signals below — checking only formal review state misses the very failure this gate exists to catch, because a prior block may never have become formal state:
    - **Formal review state.** Run the step-1 re-review query in the PR review flow (`gh api --paginate --slurp /repos/owner/repo/pulls/<N>/reviews --jq '…'` filtered to `{CHANGES_REQUESTED, APPROVED}`). If your latest **blocking decision** is `CHANGES_REQUESTED`, you have a live sticky block.
-   - **Flat-comment blockers you authored.** A prior "request changes" may have been posted as a plain PR/issue comment instead of a formal review — in which case **no `CHANGES_REQUESTED` row exists** and the query above returns empty even though you blocked the PR in prose. So also scan your own recent comments (`gh api /repos/owner/repo/issues/<N>/comments --jq '[.[] | select(.user.login == "<your-login>")]'`) for one that requested changes / raised blockers and has not since been superseded by a formal review or a clear retraction. For routing, a blocking comment you wrote is as binding as a formal `CHANGES_REQUESTED`.
+   - **Flat-comment blockers you authored.** A prior "request changes" may have been posted as a plain PR/issue comment instead of a formal review — in which case **no `CHANGES_REQUESTED` row exists** and the query above returns empty even though you blocked the PR in prose. So also scan your own recent comments (`gh api /repos/owner/repo/issues/<N>/comments --jq '[.[] | select(.user.login == "<your-login>")]'`) for one that requested changes / raised blockers and has not since been superseded by a formal review or a clear retraction. For routing, a blocking comment you wrote is as binding as a formal `CHANGES_REQUESTED`. **A courtesy acknowledgement is not a retraction.** A reply you posted like "nice, that closes the hole" / "thanks, looks good" / "✅" does **not** supersede or retract a blocker you raised — it is a chat ack, not a verdict, and it carries no review state. The blocker stays binding until you land a **formal** `APPROVE`/`REQUEST_CHANGES` (or dismiss your prior review). So when an earlier "✅ thanks" of yours is the only thing between your blocker and the author's address-comment, the blocker is **still live** and this inbound is a re-review — do not let your own ack downgrade it.
 
    If **either** signal shows an unresolved blocker you raised, this inbound is a **re-review** — go to the **PR review flow** regardless of how it is phrased. An author commenting "fixed both issues" / "addressed your feedback" / "pushed a fix" is a re-review trigger, **not** a thread-resolve trigger. A re-review is closed by re-deciding the verdict and landing a **formal** review via `POST /pulls/<N>/reviews`: `APPROVE` clears a sticky `CHANGES_REQUESTED`; a comment or a flat reply clears neither a formal block nor a flat-comment blocker — it just strands the verdict again, which is the original bug.
 
@@ -201,6 +201,8 @@ A review you posted leaves inline comment threads open on the PR. When one of **
 
 **The base principle: whoever opened the thread closes it.** Resolve only threads whose root comment **you** authored. Never resolve a human reviewer's thread on your behalf — that erases their open question. The thread you can resolve is the one you started; the inbound that brings you here is a **review-thread reply on `pr:N` with `thread` set**, replying inside a thread you opened.
 
+> **Thread cleanup is not the same as discharging a PR-level block.** Resolving an inline thread closes that one thread; it carries **no** review state and does **not** clear a PR-level blocking obligation (a sticky `CHANGES_REQUESTED`, or a flat blocker you authored on the PR conversation). Those are two separate duties. If triage #1 found a live PR-level block, that inbound is a **re-review** and the PR review flow wins over this section — you owe a formal `APPROVE`/`REQUEST_CHANGES`, and resolving threads (or a chat ✅) must **not** be your final response. Reach this section only for a thread-scoped reply on a PR where you owe no PR-level verdict (triage #1 came back clean). When in doubt, re-run triage #1 first.
+
 ### When a thread counts as addressed
 
 Do not resolve on a bare "done" claim. A reply that says "fixed" is a prompt to check, not proof. Before resolving, **verify the fix at the PR's current head SHA**:

package/src/skills/typeclaw-config/SKILL.md

@@ -54,7 +54,7 @@ You yourself cannot run `typeclaw restart` — that is a host-stage command and
 
 > **Top-level keys not in this table are not "ignored unknowns" anymore** — they are reserved for **plugin config blocks**. The schema's `catchall(z.unknown())` preserves them, and the plugin loader hands each block to its owning plugin's `configSchema` for validation. The bundled memory plugin owns `memory` at the top level — see the `typeclaw-memory` skill for that block's semantics. Do not write a top-level key unless you know which plugin owns it.
 
-Within the well-known ten (`$schema`, `port`, `models`, `mounts`, `plugins`, `alias`, `channels`, `portForward`, `docker`, `git`), **fields the schema doesn't predeclare are silently dropped**. Legacy top-level `dockerfile` and `gitignore` keys are migrated to `docker.file` / `git.ignore` automatically the first time the CLI loads the file — see **Legacy migration** below. Do not invent runtime fields like `provider`, `apiKey`, `temperature`, `maxTokens`, `systemPrompt`, `tools`, `timeout`, etc. — those are not plugin blocks, they are imaginary. If the user asks for one, say it is not yet supported and (if it makes sense) suggest they file a request.
+Within the well-known ten (`$schema`, `port`, `models`, `mounts`, `plugins`, `alias`, `channels`, `portForward`, `docker`, `git`), **fields the schema doesn't predeclare are silently dropped**. Legacy top-level `dockerfile` and `gitignore` keys are no longer migrated — use `docker.file` and `git.ignore` directly (the legacy keys are silently ignored). Do not invent runtime fields like `provider`, `apiKey`, `temperature`, `maxTokens`, `systemPrompt`, `tools`, `timeout`, etc. — those are not plugin blocks, they are imaginary. If the user asks for one, say it is not yet supported and (if it makes sense) suggest they file a request.
 
 A scaffolded `typeclaw.json` looks like:
 
@@ -436,7 +436,7 @@ The toggle-driven apt install benefits from BuildKit `--mount=type=cache` on `/v
 
 `typeclaw start` rewrites the agent folder's `.gitignore` from a template baked into the typeclaw CLI on **every** invocation, then auto-commits it when the agent folder is a git repo and the file changed. The template protects two categories: truly-ignored paths (`secrets.json`, `.env`, `.env.local`, `auth.json`, `node_modules/`, `workspace/`, `mounts/`, `channels/`, `Dockerfile`, `.DS_Store`) and system-managed runtime state (`sessions/`, `memory/`) that TypeClaw, not the agent, commits on its own schedule. Editing `.gitignore` by hand is temporary; the next `typeclaw start` overwrites it.
 
-The `git.ignore.append` field (introduced when the legacy top-level `gitignore` key was nested under the `git` namespace for future extensibility — see **Legacy migration**) is the supported escape hatch for additional local ignore patterns. It is an array of strings, each treated as a single `.gitignore` line. The CLI splices them into the autogenerated `.gitignore` before TypeClaw's protected rules, prefixed with a `# Custom entries from typeclaw.json#git.ignore.append.` comment.
+The `git.ignore.append` field is the supported escape hatch for additional local ignore patterns. It is an array of strings, each treated as a single `.gitignore` line. The CLI splices them into the autogenerated `.gitignore` before TypeClaw's protected rules, prefixed with a `# Custom entries from typeclaw.json#git.ignore.append.` comment.
 
 ### Field
 
@@ -487,19 +487,17 @@ channels/
 
 ## Legacy migration
 
-Pre-namespace `typeclaw.json` files carried `dockerfile` and `gitignore` as top-level keys. The current schema nests them under `docker.file` and `git.ignore` so the `docker` and `git` namespaces stay free for future siblings (`docker.compose`, `git.attributes`, etc.) without a second rename.
+The only migration step that still runs is dropping a seeded `channels.github.eventAllowlist` field — if present, it is removed and the file is rewritten with a descriptive commit subject.
 
-The first time `validateConfig` or `loadConfigSync` reads a legacy file:
+All other legacy shapes are no longer migrated:
 
-1. The in-memory JSON is rewritten: top-level `dockerfile` → `docker.file`, top-level `gitignore` → `git.ignore`.
-2. The same rewrite is persisted back to `typeclaw.json` on disk (pretty-printed, trailing newline). Best-effort: a read-only filesystem just retries next start.
-3. If the file already has a `docker` or `git` block AND the legacy key, the new shape wins — the legacy duplicate is dropped silently. The new shape would have shadowed the legacy at parse time anyway.
+- **Top-level `dockerfile` and `gitignore` keys** are silently ignored on parse. Use `docker.file` and `git.ignore` directly. If a file still carries these keys, update it by hand.
+- **`channels.<adapter>.allow[]`** is silently ignored on parse and NOT translated to `roles.member.match[]`. Define `roles.member.match[]` directly.
 
 What this means for you:
 
-- **Do not write top-level `dockerfile` or `gitignore` keys** when editing `typeclaw.json`. They'll be migrated away on the next CLI invocation; meanwhile the file is briefly in an inconsistent shape.
+- **Do not write top-level `dockerfile` or `gitignore` keys** when editing `typeclaw.json`. They are ignored; the intended fields are `docker.file` and `git.ignore`.
 - **Old documentation or examples that still mention `typeclaw.json#dockerfile.append` are stale.** The current path is `typeclaw.json#docker.file.append`. Same for `git.ignore.append`.
-- **An auto-commit may appear** the next time `typeclaw start` runs against a freshly-migrated agent folder. The diff is mechanical (top-level rename → nested) — surface it to the user as a one-time migration, not a behavior change.
 
 ## Plugin config blocks
 
@@ -550,7 +548,7 @@ Do **not** edit `typeclaw.json` to a model the registry doesn't know, even if th
     - `slack-bot: { botToken: <Secret>, appToken: <Secret> }`
     - `telegram-bot: { token: <Secret> }`
 
-  (Pre-v2 agent folders carry the older `llm` slice and channel-env-var-keyed shape; they are upgraded transparently on first read. Pre-rename folders may even carry the file as `auth.json`; it is renamed to `secrets.json` on the next boot.)
+  (Only the `v2` envelope is accepted. Pre-v2 shapes and `auth.json` are no longer auto-upgraded — they are rejected with an error. `auth.json` stays gitignored as a safety net for old folders, but it is not read.)
 
 - **`./.env`** (env-var overrides): plain `KEY=value` lines, loaded by Docker via `--env-file` at container start. When set, an env var **wins** over the file value (see resolution rules below). Useful for CI, transient rotations, or any tooling outside typeclaw that reads from the environment. The canonical env-var names per provider:
   - `OPENAI_API_KEY` — for any `openai/...` model.
@@ -630,7 +628,7 @@ Never echo, log, or commit values from `secrets.json` or `.env`. Both are gitign
 - If `alias` is set: array of strings, each non-empty after trimming surrounding whitespace
 - If `channels.<adapter>.engagement.trigger` is set: array of `"mention"`, `"reply"`, `"dm"` (any subset, including empty)
 - If `channels.<adapter>.engagement.stickiness` is set: either the literal `"off"` or `{ "perReply": { "window": <int 1..86400000> } }`
-- `channels.<adapter>.allow` (legacy) is silently dropped on parse; `migrateLegacyConfigShape` lifts it into `roles.member.match` on load. See the `typeclaw-permissions` skill.
+- `channels.<adapter>.allow` (legacy) is silently ignored on parse and NOT translated to `roles.member.match`. Define `roles.member.match[]` directly. See the `typeclaw-permissions` skill.
 - If `portForward` is set: `allow` is either `"*"` or an array of integers (1–65535); `deny`, if present, is an array of integers and **only valid when `allow` is `"*"`** (the schema rejects `deny` paired with a number-array `allow`)
 - If `docker.file.append` is set: array of strings, each with no embedded `\n` or `\r` (multi-step shell logic goes in a single `&&`-chained `RUN` entry)
 - If any `docker.file` toggle is set: `tmux`/`gh`/`ffmpeg` are boolean or version string (no whitespace, no `=`); `python`, `cjkFonts`, `cloudflared`, `claudeCode`, and `codexCli` are boolean only

package/src/skills/typeclaw-permissions/SKILL.md

@@ -81,7 +81,7 @@ Things the DSL rejects (the parser emits actionable errors at boot, but you shou
 - `slack:*/*` — `*/*` is redundant; use `slack:*` for "any Slack chat".
 - `slack:*/C0ABCDE` — workspace-less chat ID is impossible; pick a workspace.
 - `slack:T0123/*` — workspace-only is enough; drop the trailing `/*`.
-- `team:T0123`, `guild:G123`, `tg:42` — these are legacy prefixes from the old `channels.<adapter>.allow[]` field. They are auto-migrated on load but **don't write them in new code** — use `slack:T0123`, `discord:G123`, `telegram:42` directly.
+- `team:T0123`, `guild:G123`, `tg:42` — these are legacy prefixes that are no longer supported. The parser rejects them with a hint to use the canonical form: `slack:T0123`, `discord:G123`, `telegram:42`.
 - `autor:U_ME` — typo of `author:`. The parser will suggest the fix at boot.
 
 ## Permission strings you will see

package/src/tui/index.ts

@@ -50,13 +50,21 @@ export type TuiOptions = {
   onVersionMismatch?: (info: VersionMismatch) => void
 }
 
-// Outcome of a single `run()` cycle. The CLI's reconnect loop reads this to
-// decide whether to spin again or exit. `lostConnection` is true when the
-// WS closed AFTER the connected handshake without a deliberate /quit or
-// Ctrl+C — exactly the case a self-restart produces, and the only one
-// where a fresh connect can recover the session. Quit / Ctrl+C / pre-
-// handshake errors all resolve with `lostConnection: false`.
-export type TuiRunOutcome = { lostConnection: boolean }
+// Outcome of a single `run()` cycle.
+//   - 'detach': idle Esc — return to the session-viewer list. Closing the WS
+//     ends the server-side AgentSession (accepted; the list re-shows it as a
+//     read-only transcript).
+//   - 'exit': deliberate /quit or Ctrl+C — terminate the client.
+//   - 'lostConnection': WS closed AFTER the handshake without a deliberate
+//     quit/detach — exactly the self-restart case, and the only one where a
+//     fresh connect can recover the session.
+//   - 'connectFailed': pre-handshake connect/handshake error.
+// The CLI reconnect loop spins only on 'lostConnection'.
+export type TuiRunResult =
+  | { reason: 'detach' }
+  | { reason: 'exit'; exitCode: number }
+  | { reason: 'lostConnection' }
+  | { reason: 'connectFailed' }
 
 export function createTui({
   url,
@@ -68,7 +76,7 @@ export function createTui({
   expectedVersion,
   onVersionMismatch,
 }: TuiOptions) {
-  async function run(): Promise<TuiRunOutcome> {
+  async function run(): Promise<TuiRunResult> {
     const terminal = createTerminal()
     const tui = new TUI(terminal)
     const displayUrl = redactUrl(url)
@@ -78,13 +86,19 @@ export function createTui({
     tui.start()
     tui.requestRender()
 
-    const client = await createClient(url).catch((err) => {
+    // Pre-handshake failures resolve 'connectFailed' (not throw): the standalone
+    // CLI injects exit=process.exit so exit(1) ends the process and the return is
+    // moot; the viewer injects a no-op exit so run() resolves cleanly and the
+    // caller maps connectFailed into an error result instead of an uncaught reject.
+    const maybeClient = await createClient(url).catch((err) => {
       status.setText(colors.red(`connection error: ${err instanceof Error ? err.message : String(err)}`))
       tui.requestRender()
       tui.stop()
       exit(1)
-      throw err
+      return null
     })
+    if (maybeClient === null) return { reason: 'connectFailed' }
+    const client = maybeClient
 
     const handshake = await waitForConnected(client, displayUrl, handshakeTimeoutMs).catch((err) => {
       status.setText(colors.red(`connection error: ${err instanceof Error ? err.message : String(err)}`))
@@ -92,10 +106,10 @@ export function createTui({
       client.close()
       tui.stop()
       exit(1)
-      throw err
+      return null
     })
+    if (handshake === null) return { reason: 'connectFailed' }
 
-    let userInitiatedShutdown = false
     const { sessionId, serverVersion } = handshake
     status.setText(colors.dim(`session: ${sessionId}`))
     tui.requestRender()
@@ -231,12 +245,23 @@ export function createTui({
       }
     })
 
-    const closed = new Promise<boolean>((resolve) => {
-      client.onClose(() => {
-        appendHistory(new Text(colors.dim('disconnected'), 0, 0))
-        tui.requestRender()
-        resolve(!userInitiatedShutdown)
-      })
+    let settleOutcome: ((result: TuiRunResult) => void) | null = null
+    const outcome = new Promise<TuiRunResult>((resolve) => {
+      settleOutcome = resolve
+    })
+    const settle = (result: TuiRunResult): void => {
+      if (settleOutcome === null) return
+      const fn = settleOutcome
+      settleOutcome = null
+      fn(result)
+    }
+
+    client.onClose(() => {
+      appendHistory(new Text(colors.dim('disconnected'), 0, 0))
+      tui.requestRender()
+      // A user-initiated detach/exit already closed the WS deliberately and
+      // settled the outcome; onClose then fires but must not override it.
+      settle({ reason: 'lostConnection' })
     })
 
     function send(text: string): Promise<void> {
@@ -249,7 +274,7 @@ export function createTui({
 
     function runTuiCommand(command: TuiCommandName): boolean {
       if (command === 'quit') {
-        shutdown(0)
+        exitWith(0)
         return true
       }
       if (command === 'reload') {
@@ -266,29 +291,44 @@ export function createTui({
       return true
     }
 
-    // Esc aborts an in-flight reply. The Editor does not bind Esc, so a
-    // top-level input listener can intercept it without fighting the editor.
+    // Esc means "abort the in-flight reply" while a turn is generating, and
+    // "detach back to the session list" when idle. The Editor does not bind
+    // Esc, so a top-level listener intercepts it without fighting the editor.
     tui.addInputListener((data) => {
-      if (matchesKey(data, Key.escape) && replyInFlight) {
+      if (!matchesKey(data, Key.escape)) return undefined
+      if (replyInFlight) {
         client.send({ type: 'abort' })
         return { consume: true }
       }
-      return undefined
+      detach()
+      return { consume: true }
     })
 
-    const shutdown = (code: number) => {
-      userInitiatedShutdown = true
+    // Settle BEFORE closing the client: client.close() fires onClose, which
+    // settles 'lostConnection'. settle() is idempotent, so the first call wins —
+    // settling the deliberate outcome first keeps the later onClose a no-op.
+    const teardown = (): void => {
       tui.stop()
       client.close()
+    }
+
+    const exitWith = (code: number): void => {
+      settle({ reason: 'exit', exitCode: code })
+      teardown()
       exit(code)
     }
 
-    // Ctrl+C exits cleanly. In raw mode the kernel does NOT generate SIGINT,
-    // so we must intercept the \x03 byte ourselves. The Editor would otherwise
-    // swallow it. tui.stop() restores raw-mode/cursor/echo before we exit.
+    const detach = (): void => {
+      settle({ reason: 'detach' })
+      teardown()
+    }
+
+    // Ctrl+C exits the client. In raw mode the kernel does NOT generate SIGINT,
+    // so we intercept the \x03 byte ourselves; the Editor would otherwise
+    // swallow it. teardown() restores raw-mode/cursor/echo before we settle.
     tui.addInputListener((data) => {
       if (matchesKey(data, Key.ctrl('c'))) {
-        shutdown(0)
+        exitWith(0)
         return { consume: true }
       }
       return undefined
@@ -330,15 +370,15 @@ export function createTui({
       const command = parseBareTuiCommand(initialPrompt)
       if (command !== null) {
         runTuiCommand(command)
-        if (command === 'quit') return { lostConnection: false }
+        if (command === 'quit') return { reason: 'exit', exitCode: 0 }
       } else {
         await send(initialPrompt)
       }
     }
 
-    const lostConnection = await closed
+    const result = await outcome
     tui.stop()
-    return { lostConnection }
+    return result
   }
 
   return { run }

package/typeclaw.schema.json

@@ -532,6 +532,7 @@
                 "pull_request.ready_for_review",
                 "pull_request.review_requested",
                 "pull_request.review_request_removed",
+                "pull_request.synchronize",
                 "discussion.created",
                 "pull_request_review.submitted"
               ],

package/src/agent/tools/normalize-ref.ts

@@ -1,11 +0,0 @@
-export function normalizeRef(ref: string): string {
-  const trimmed = ref.trim()
-  // New classifiers store bare Slack file ids; legacy persisted refs (and
-  // anything still hitting the lookup path from older contextBuffer state)
-  // may carry the old prompt-visible `id=Fxxxx` prefix. Strip it here so
-  // both attachment-fetching tools route the same ref through the adapter
-  // callback — without this, `channel_fetch_attachment` would silently
-  // succeed on a legacy ref while `look_at_channel_attachment` would fail.
-  if (trimmed.startsWith('id=')) return trimmed.slice(3)
-  return trimmed
-}