typeclaw 0.27.0 → 0.28.1

package/src/channels/adapters/github/review-thread-resolver.ts

@@ -128,6 +128,69 @@ function parseDecimalId(value: string | undefined): number | null {
 }
 
 async function findThread(fetchImpl: typeof fetch, token: string, target: ResolveTarget): Promise<ThreadLookup> {
+  let lookup: ThreadLookup = { kind: 'absent' }
+  const outcome = await walkThreadPages(
+    fetchImpl,
+    token,
+    { owner: target.owner, repo: target.repo, prNumber: target.prNumber },
+    (nodes) => {
+      for (const node of nodes) {
+        if (node.rootCommentId === target.rootCommentId) {
+          lookup = { kind: 'found', thread: node }
+          return 'stop'
+        }
+      }
+      return 'continue'
+    },
+  )
+  if (outcome.kind === 'error') return { kind: 'error', result: outcome.result }
+  return lookup
+}
+
+export type UnresolvedSelfReviewThread = { threadId: string; rootCommentId: number }
+
+export type ListUnresolvedSelfReviewThreadsResult =
+  | { ok: true; threads: UnresolvedSelfReviewThread[] }
+  | { ok: false; error: string }
+
+// Reuses the same page-walk and authorship guard (`isSelfAuthor`) as the
+// single-thread resolver so the post-push "did my comments get addressed?"
+// sweep can never surface a human reviewer's thread as a resolve candidate.
+export async function listUnresolvedSelfReviewThreads(deps: {
+  token: string
+  selfLogin: string
+  owner: string
+  repo: string
+  prNumber: number
+  fetchImpl?: typeof fetch
+}): Promise<ListUnresolvedSelfReviewThreadsResult> {
+  const fetchImpl = deps.fetchImpl ?? fetch
+  const threads: UnresolvedSelfReviewThread[] = []
+  const outcome = await walkThreadPages(
+    fetchImpl,
+    deps.token,
+    { owner: deps.owner, repo: deps.repo, prNumber: deps.prNumber },
+    (nodes) => {
+      for (const node of nodes) {
+        if (node.isResolved || node.rootCommentId === null) continue
+        if (!isSelfAuthor(node, deps.selfLogin)) continue
+        threads.push({ threadId: node.id, rootCommentId: node.rootCommentId })
+      }
+      return 'continue'
+    },
+  )
+  if (outcome.kind === 'error') return { ok: false, error: outcome.result.error }
+  return { ok: true, threads }
+}
+
+type WalkOutcome = { kind: 'done' } | { kind: 'error'; result: ReviewThreadResolveResult & { ok: false } }
+
+async function walkThreadPages(
+  fetchImpl: typeof fetch,
+  token: string,
+  target: { owner: string; repo: string; prNumber: number },
+  onPage: (nodes: ReviewThreadNode[]) => 'stop' | 'continue',
+): Promise<WalkOutcome> {
   let after: string | null = null
   for (;;) {
     let response: Response
@@ -148,11 +211,8 @@ async function findThread(fetchImpl: typeof fetch, token: string, target: Resolv
     }
     const parsed = await parseThreadsPage(response)
     if (parsed.kind === 'error') return { kind: 'error', result: parsed.result }
-
-    for (const node of parsed.nodes) {
-      if (node.rootCommentId === target.rootCommentId) return { kind: 'found', thread: node }
-    }
-    if (!parsed.hasNextPage || parsed.endCursor === null) return { kind: 'absent' }
+    if (onPage(parsed.nodes) === 'stop') return { kind: 'done' }
+    if (!parsed.hasNextPage || parsed.endCursor === null) return { kind: 'done' }
     after = parsed.endCursor
   }
 }

package/src/channels/github-false-receipt.ts

@@ -0,0 +1,87 @@
+import { classifyReviewClaim } from './github-review-claim'
+import { hasResolvedThread, hasReview } from './github-review-turn-ledger'
+
+// Decides whether a github PR reply is a false receipt: prose that CLAIMS a
+// formal verdict / thread close-out the agent never actually performed this turn.
+// Pure except for the ledger reads (module singletons); returns the action the
+// channel_reply tool should take. Block only the black-and-white cases; warn on
+// soft signals so casual chatter is never hard-denied.
+
+export type FalseReceiptDecision =
+  | { kind: 'allow' }
+  | { kind: 'block'; reason: string }
+  | { kind: 'warn'; notice: string }
+
+export type FalseReceiptInput = {
+  sessionId: string
+  adapter: string
+  workspace: string
+  chat: string
+  thread: string | null
+  text: string | undefined
+  isContinue: boolean
+  resolveReviewThread: boolean
+}
+
+export function checkFalseReceipt(input: FalseReceiptInput): FalseReceiptDecision {
+  if (input.adapter !== 'github') return { kind: 'allow' }
+  const prNumber = prNumberFromChat(input.chat)
+  if (prNumber === null) return { kind: 'allow' }
+
+  const claim = classifyReviewClaim(input.text ?? '')
+  if (claim === 'ignore') return { kind: 'allow' }
+  if (claim === 'warn') return { kind: 'warn', notice: SOFT_NOTICE }
+
+  // A turn the agent explicitly keeps alive (continue:true) is not yet a receipt
+  // — the real action may still be coming. Never block; nudge instead.
+  if (input.isContinue) return { kind: 'warn', notice: SOFT_NOTICE }
+
+  if (claim === 'block-resolve') {
+    if (input.thread === null) return { kind: 'allow' }
+    if (input.resolveReviewThread) return { kind: 'allow' }
+    if (
+      hasResolvedThread({
+        sessionId: input.sessionId,
+        workspace: input.workspace,
+        prNumber,
+        rootCommentId: input.thread,
+      })
+    ) {
+      return { kind: 'allow' }
+    }
+    return { kind: 'block', reason: RESOLVE_REASON }
+  }
+
+  const verdict = claim === 'block-approve' ? 'APPROVE' : 'REQUEST_CHANGES'
+  if (hasReview({ sessionId: input.sessionId, workspace: input.workspace, prNumber, verdict })) {
+    return { kind: 'allow' }
+  }
+  return { kind: 'block', reason: verdict === 'APPROVE' ? APPROVE_REASON : REQUEST_CHANGES_REASON }
+}
+
+function prNumberFromChat(chat: string): number | null {
+  const m = /^pr:(\d+)$/.exec(chat)
+  if (m === null) return null
+  const n = Number(m[1])
+  return Number.isSafeInteger(n) && n > 0 ? n : null
+}
+
+const APPROVE_REASON =
+  'This reply reads as a formal approval, but no APPROVE review was submitted on this PR this turn. ' +
+  'A chat comment is not a GitHub review — submit the formal review via `gh api -X POST /repos/<owner>/<repo>/pulls/<N>/reviews` ' +
+  '(event: APPROVE) first, then narrate if needed. If you are not actually approving, reword the reply.'
+
+const REQUEST_CHANGES_REASON =
+  'This reply reads as a formal "request changes", but no REQUEST_CHANGES review was submitted on this PR this turn. ' +
+  'Submit the formal review via `gh api -X POST /repos/<owner>/<repo>/pulls/<N>/reviews` (event: REQUEST_CHANGES) first. ' +
+  'If you are not actually requesting changes, reword the reply.'
+
+const RESOLVE_REASON =
+  'This reply reads as closing out a review thread, but `resolve_review_thread: true` was not set and the thread ' +
+  'was not resolved this turn. Pass `resolve_review_thread: true` on this reply to actually resolve it, ' +
+  'or reword if the thread should stay open.'
+
+const SOFT_NOTICE =
+  'Note: a chat comment does not create a formal GitHub review or resolve a thread. ' +
+  'If you mean to approve / request changes, submit a formal review via `gh api`; ' +
+  'to close a thread you authored, set `resolve_review_thread: true`.'

package/src/channels/github-rereview-guard.ts

@@ -0,0 +1,76 @@
+import { classifyReviewClaim } from './github-review-claim'
+import type { ReviewStateResult } from './types'
+
+// The re-review stranding guard. A bot that resolves a review thread (or posts a
+// close-out ack) while it still holds its own sticky CHANGES_REQUESTED leaves the
+// PR blocked forever — the resolve/ack carries no review state, so GitHub's
+// reviewDecision never clears (PR #644). This guard blocks that close-out and
+// tells the model to land a formal APPROVE / dismissal first.
+//
+// It is the same enforcement seam as the false-receipt guard and the
+// resolve-thread author check: BLOCK and instruct, never act on the model's
+// behalf — the runtime cannot prove a semantic approval from "one thread closed".
+
+export type RereviewGuardInput = {
+  adapter: string
+  chat: string
+  thread: string | null
+  text: string | undefined
+  wantsResolve: boolean
+  getReviewState: (req: { adapter: 'github'; workspace: string; chat: string }) => Promise<ReviewStateResult>
+  workspace: string
+}
+
+export type RereviewGuardDecision = { block: false } | { block: true; reason: string }
+
+const ALLOW: RereviewGuardDecision = { block: false }
+
+export async function evaluateRereviewGuard(input: RereviewGuardInput): Promise<RereviewGuardDecision> {
+  if (input.adapter !== 'github') return ALLOW
+  if (!/^pr:\d+$/.test(input.chat)) return ALLOW
+  // No `thread === null` exemption: a top-level PR comment carries no thread but
+  // a close-out ack in it ("Verified — that closes it") strands the block just
+  // as a thread reply would. Only the resolve ACTION needs a thread; the
+  // text-claim path fires regardless (caught by isCloseoutAttempt below).
+  if (!isCloseoutAttempt(input.wantsResolve, input.thread, input.text)) return ALLOW
+
+  const state = await input.getReviewState({ adapter: 'github', workspace: input.workspace, chat: input.chat })
+
+  // Fail closed: an unverifiable review state is treated as a live block, so the
+  // bot never strands a re-review on a transient API failure.
+  if (!state.ok) return { block: true, reason: unverifiableReason(state.error) }
+  if (!state.selfBlocking) return ALLOW
+
+  return { block: true, reason: state.approve ? STICKY_BLOCK_APPROVE_ENABLED : STICKY_BLOCK_APPROVE_DISABLED }
+}
+
+// Trigger when the model asks to resolve a thread (only meaningful with a
+// thread), OR when its reply reads as a close-out/verdict claim — the latter
+// strands the block whether or not it sits in a thread, so it fires for any PR
+// chat. Plain discussion replies (ignore/warn) do not fire.
+function isCloseoutAttempt(wantsResolve: boolean, thread: string | null, text: string | undefined): boolean {
+  if (wantsResolve && thread !== null) return true
+  const claim = classifyReviewClaim(text ?? '')
+  return claim === 'block-resolve' || claim === 'block-approve'
+}
+
+function unverifiableReason(error: string): string {
+  return (
+    'Could not verify whether your prior CHANGES_REQUESTED on this PR is still live ' +
+    `(${error}). Refusing to close out the thread while the block state is unknown — ` +
+    'retry once the GitHub API is reachable, or land a formal review verdict first.'
+  )
+}
+
+const STICKY_BLOCK_APPROVE_ENABLED =
+  'You still hold a CHANGES_REQUESTED on this PR. Resolving the thread (or posting a close-out ack) ' +
+  'does NOT clear it — only a fresh formal review does. Submit `APPROVE` via ' +
+  '`gh api -X POST /repos/<owner>/<repo>/pulls/<N>/reviews` (event: APPROVE) if the blockers are fixed, ' +
+  'or `REQUEST_CHANGES` if not, THEN resolve the thread / reply.'
+
+const STICKY_BLOCK_APPROVE_DISABLED =
+  'You still hold a CHANGES_REQUESTED on this PR and resolving the thread does NOT clear it. ' +
+  'Approval is disabled for this agent (channels.github.review.approve: false), so you cannot APPROVE — ' +
+  'dismiss your prior review via ' +
+  '`gh api -X PUT /repos/<owner>/<repo>/pulls/<N>/reviews/<review_id>/dismissals -f message="..." -f event=DISMISS` ' +
+  'if the blockers are fixed (or submit REQUEST_CHANGES if not), THEN resolve the thread / reply.'

package/src/channels/github-review-claim.ts

@@ -0,0 +1,92 @@
+// Deterministic phrase classifier for the false-receipt guard (channel-reply.ts):
+// how strongly does a github PR reply CLAIM a formal verdict/close-out it may not
+// have actually performed? The taxonomy errs toward WARN over BLOCK on purpose —
+// a false block breaks a legitimate reply; a missed soft-fake only loses a nudge.
+
+export type ReviewClaim = 'block-approve' | 'block-request-changes' | 'block-resolve' | 'warn' | 'ignore'
+
+// Word-boundary anchored so "approved" never fires inside "unapproved".
+const BLOCK_APPROVE: readonly RegExp[] = [
+  /\bapproved\b/,
+  /\bapproving\b/,
+  /\bi approve\b/,
+  /\bapproval (submitted|sent|posted)\b/,
+  /\bsubmitting (the )?approval\b/,
+  /\bformal approval\b/,
+  /\blgtm,? approved\b/,
+]
+
+const BLOCK_REQUEST_CHANGES: readonly RegExp[] = [
+  /\brequest(ing|ed)? changes\b/,
+  /\bchanges requested\b/,
+  /\bi request changes\b/,
+  /\bblocking (this|the|merge)\b/,
+  /\bthis is blocked\b/,
+]
+
+// Bare "resolved" is intentionally NOT here — it collides with the warn-tier
+// "looks resolved?"; resolve claims must carry a definite marker (marked/that/
+// this/thanks) or a verify clause. "that/this closes it" is the canonical PR
+// #644 incident phrasing and must classify as a close-out claim.
+const BLOCK_RESOLVE: readonly RegExp[] = [
+  /\bmarked resolved\b/,
+  /\bthread resolved\b/,
+  /\bthat resolves it\b/,
+  /\bthis resolves it\b/,
+  /\b(that|this) closes it\b/,
+  /\bclosing this out\b/,
+  /\bconfirmed fixed\b/,
+  // verify clause + a fix/resolve verb, allowing a short gap ("verified at <sha>, that fixes it").
+  /\b(verified|confirmed)\b[^.!?]*\b(fix(es|ed)|resolv)/,
+  /\b(thanks,?|fixed,?) (looks )?resolved\b/,
+]
+
+// Casual phrasing that might be chatter, not a formal close-out: allow + nudge.
+const WARN: readonly RegExp[] = [
+  /\blgtm\b/,
+  /\blooks good\b/,
+  /\blooks fine\b/,
+  /\bseems fine\b/,
+  /\bshould be (fine|good)\b/,
+  /\bneeds changes\b/,
+  /\bstill needs work\b/,
+  /\blooks resolved\b/,
+  /\bseems resolved\b/,
+]
+
+// Negation / future-intent / past-reference markers DEMOTE a positive match to
+// ignore. Blocking "I haven't approved" / "I'll approve" / "approved it earlier"
+// (answering a question) is the worst false-positive class, so it is checked first.
+const DEMOTE_TO_IGNORE: readonly RegExp[] = [
+  /\b(haven'?t|have not|did ?n'?t|did not|not yet|never)\b[^.!?]*\b(approv|request|resolv|block)/,
+  /\b(can'?t|cannot|won'?t|will not|wouldn'?t)\b[^.!?]*\b(approv|request|resolv|block)/,
+  /\bnot (approved|resolved|blocked|requesting)\b/,
+  /\b(i'?ll|i will|going to|gonna|about to|planning to)\b[^.!?]*\b(approv|review|request|resolv)/,
+  /\b(approved|resolved|requested changes)\b[^.!?]*\b(earlier|already|yesterday|before|last (review|time)|previously)\b/,
+]
+
+export function classifyReviewClaim(rawText: string): ReviewClaim {
+  const text = normalize(rawText)
+  if (text === '') return 'ignore'
+
+  if (DEMOTE_TO_IGNORE.some((re) => re.test(text))) return 'ignore'
+
+  // Block-tier wins over warn-tier: an unambiguous "approved" in a casual message
+  // is still a formal claim.
+  if (BLOCK_APPROVE.some((re) => re.test(text))) return 'block-approve'
+  if (BLOCK_REQUEST_CHANGES.some((re) => re.test(text))) return 'block-request-changes'
+  if (BLOCK_RESOLVE.some((re) => re.test(text))) return 'block-resolve'
+  if (WARN.some((re) => re.test(text))) return 'warn'
+  return 'ignore'
+}
+
+// Strips markdown/emoji noise so "**Approved!**" and "approved" classify alike,
+// keeping apostrophes + sentence punctuation that the negation regexes rely on.
+function normalize(text: string): string {
+  return text
+    .toLowerCase()
+    .replace(/[*_`~#>]/g, ' ')
+    .replace(/[^\p{L}\p{N}\s'.!?]/gu, ' ')
+    .replace(/\s+/g, ' ')
+    .trim()
+}

package/src/channels/github-review-turn-ledger.ts

@@ -0,0 +1,71 @@
+// In-process record of REAL github review actions performed during the current
+// turn, shared across two plugin boundaries: github-cli-auth records a formal
+// review / thread-resolve here after the `gh` command SUCCEEDS, and channel-reply
+// consults it before sending a verdict/close-out reply. If the agent claims a
+// verdict in prose but this ledger shows no matching action this turn, the reply
+// is a false receipt (see channel-reply.ts). State is per-session and reset at
+// turn start, so a claim must be backed by an action in the SAME turn.
+
+export type ReviewVerdict = 'APPROVE' | 'REQUEST_CHANGES'
+
+type PrKey = string
+type ThreadKey = string
+
+const reviewsByPr = new Map<PrKey, Set<ReviewVerdict>>()
+const resolvedThreads = new Set<ThreadKey>()
+
+function prKey(sessionId: string, workspace: string, prNumber: number): PrKey {
+  return `${sessionId}::${workspace}::${prNumber}`
+}
+
+function threadKey(sessionId: string, workspace: string, prNumber: number, rootCommentId: string): ThreadKey {
+  return `${sessionId}::${workspace}::${prNumber}::${rootCommentId}`
+}
+
+export function resetReviewTurn(sessionId: string): void {
+  for (const key of reviewsByPr.keys()) {
+    if (key.startsWith(`${sessionId}::`)) reviewsByPr.delete(key)
+  }
+  for (const key of resolvedThreads) {
+    if (key.startsWith(`${sessionId}::`)) resolvedThreads.delete(key)
+  }
+}
+
+export function recordReview(args: {
+  sessionId: string
+  workspace: string
+  prNumber: number
+  verdict: ReviewVerdict
+}): void {
+  const key = prKey(args.sessionId, args.workspace, args.prNumber)
+  const set = reviewsByPr.get(key) ?? new Set<ReviewVerdict>()
+  set.add(args.verdict)
+  reviewsByPr.set(key, set)
+}
+
+export function hasReview(args: {
+  sessionId: string
+  workspace: string
+  prNumber: number
+  verdict: ReviewVerdict
+}): boolean {
+  return reviewsByPr.get(prKey(args.sessionId, args.workspace, args.prNumber))?.has(args.verdict) ?? false
+}
+
+export function recordResolvedThread(args: {
+  sessionId: string
+  workspace: string
+  prNumber: number
+  rootCommentId: string
+}): void {
+  resolvedThreads.add(threadKey(args.sessionId, args.workspace, args.prNumber, args.rootCommentId))
+}
+
+export function hasResolvedThread(args: {
+  sessionId: string
+  workspace: string
+  prNumber: number
+  rootCommentId: string
+}): boolean {
+  return resolvedThreads.has(threadKey(args.sessionId, args.workspace, args.prNumber, args.rootCommentId))
+}

package/src/channels/persistence.ts

@@ -1,4 +1,4 @@
-import { mkdir, readdir, readFile, writeFile } from 'node:fs/promises'
+import { mkdir, readFile, writeFile } from 'node:fs/promises'
 import { dirname, join } from 'node:path'
 
 import type { ChannelParticipant } from '@/agent/session-origin'
@@ -16,10 +16,8 @@ const FILE_VERSION = 4
 // UUID, which never matches on disk — every restart silently creates a
 // fresh session and the channel loses its transcript memory.
 //
-// `sessionFile` is optional because v2 records (pre-fix) only carried the
-// UUID. Those are migrated in-place at load time by globbing the sessions
-// directory for `*_${sessionId}.jsonl`; if no match is found the file is
-// considered lost and reopen will fall back to a fresh session.
+// `sessionFile` is optional because a session can exist in memory before a
+// transcript path is known; reopen falls back to a fresh session when absent.
 export type ChannelSessionRecord = {
   adapter: AdapterId
   workspace: string
@@ -36,16 +34,6 @@ type FileV4 = {
   sessions: ChannelSessionRecord[]
 }
 
-type FileV3 = {
-  version: 3
-  sessions: ChannelSessionRecord[]
-}
-
-type FileV2 = {
-  version: 2
-  sessions: Array<Omit<ChannelSessionRecord, 'sessionFile'>>
-}
-
 export type ChannelSessionsLogger = {
   info: (msg: string) => void
   warn: (msg: string) => void
@@ -62,10 +50,6 @@ export function channelsSessionsPath(agentDir: string): string {
   return join(agentDir, 'channels', 'sessions.json')
 }
 
-function sessionsDirOf(agentDir: string): string {
-  return join(agentDir, 'sessions')
-}
-
 export async function loadChannelSessions(
   agentDir: string,
   logger: ChannelSessionsLogger = consoleLogger,
@@ -94,21 +78,7 @@ export async function loadChannelSessions(
     if (!Array.isArray(file.sessions)) return []
     return file.sessions.filter(isValidRecord)
   }
-  if (version === 3) {
-    const file = parsed as FileV3
-    if (!Array.isArray(file.sessions)) return []
-    return migrateV3ToV4(file.sessions.filter(isValidRecord), logger)
-  }
-  if (version === 2) {
-    const file = parsed as FileV2
-    if (!Array.isArray(file.sessions)) return []
-    const v2Records = file.sessions.filter(isValidV2Record)
-    const v3Records = await migrateV2Records(agentDir, v2Records, logger)
-    return migrateV3ToV4(v3Records, logger)
-  }
-  logger.warn(
-    `[channels] ${path} version ${String(version)} not supported (expected 2, 3, or ${FILE_VERSION}); ignored`,
-  )
+  logger.warn(`[channels] ${path} version ${String(version)} not supported (expected ${FILE_VERSION}); ignored`)
   return []
 }
 
@@ -130,59 +100,6 @@ export async function saveChannelSessions(
   }
 }
 
-// One-shot migration from v2 (sessionId only) to v3 (sessionId + sessionFile).
-// pi-coding-agent writes session files as `${ISO_TIMESTAMP}_${UUID}.jsonl`,
-// so we look for any file ending in `_${sessionId}.jsonl`. If a directory
-// scan fails we leave sessionFile undefined; the next reopen attempt will
-// fall back to a fresh session (the same broken behavior v2 had — but at
-// least the next successful create will populate sessionFile correctly and
-// we'll be migrated forward.)
-async function migrateV2Records(
-  agentDir: string,
-  v2Records: readonly (Omit<ChannelSessionRecord, 'sessionFile' | 'sessionId'> & { sessionId: string })[],
-  logger: ChannelSessionsLogger,
-): Promise<ChannelSessionRecord[]> {
-  if (v2Records.length === 0) return []
-  const sessionsDir = sessionsDirOf(agentDir)
-  let entries: string[]
-  try {
-    entries = await readdir(sessionsDir)
-  } catch {
-    logger.warn(`[channels] could not scan ${sessionsDir} for v2→v3 migration; sessionFile left empty`)
-    return v2Records.map((r) => ({ ...r }))
-  }
-  // pi-coding-agent writes files as `${ISO_TIMESTAMP}_${UUID}.jsonl` where
-  // the ISO timestamp uses `-` (no `_`) and the UUID may contain `-`. Split
-  // on the FIRST underscore so the trailing portion is the full UUID even
-  // when the UUID contains hyphens.
-  const bySessionIdSuffix = new Map<string, string>()
-  for (const entry of entries) {
-    if (!entry.endsWith('.jsonl')) continue
-    const underscore = entry.indexOf('_')
-    if (underscore < 0) continue
-    const trailing = entry.slice(underscore + 1, -'.jsonl'.length)
-    bySessionIdSuffix.set(trailing, entry)
-  }
-  return v2Records.map((r) => {
-    const matched = bySessionIdSuffix.get(r.sessionId)
-    if (matched === undefined) {
-      logger.warn(
-        `[channels] v2→v3: no session file matching *_${r.sessionId}.jsonl in ${sessionsDir}; ` +
-          `sessionFile left empty (next inbound will create a fresh session for ${r.adapter}:${r.chat}:${r.thread ?? ''})`,
-      )
-      return { ...r }
-    }
-    return { ...r, sessionFile: matched }
-  })
-}
-
-function migrateV3ToV4(v3Records: ChannelSessionRecord[], logger: ChannelSessionsLogger): ChannelSessionRecord[] {
-  logger.info(
-    `[channels] v3→v4: ${v3Records.length} record(s) migrated; first post-upgrade inbound will force fresh session`,
-  )
-  return v3Records.map((r) => ({ ...r, lastInboundAt: 0 }))
-}
-
 function dedupe(sessions: readonly ChannelSessionRecord[]): ChannelSessionRecord[] {
   const seen = new Map<string, ChannelSessionRecord>()
   for (const s of sessions) {
@@ -208,21 +125,6 @@ function isObject(v: unknown): v is Record<string, unknown> {
   return typeof v === 'object' && v !== null && !Array.isArray(v)
 }
 
-function isValidV2Record(
-  v: unknown,
-): v is Omit<ChannelSessionRecord, 'sessionFile' | 'sessionId'> & { sessionId: string } {
-  if (!isObject(v)) return false
-  const r = v as Record<string, unknown>
-  return (
-    typeof r.adapter === 'string' &&
-    typeof r.workspace === 'string' &&
-    typeof r.chat === 'string' &&
-    (r.thread === null || typeof r.thread === 'string') &&
-    typeof r.sessionId === 'string' &&
-    Array.isArray(r.participants)
-  )
-}
-
 function isValidRecord(v: unknown): v is ChannelSessionRecord {
   if (!isObject(v)) return false
   const r = v as Record<string, unknown>