typeclaw 0.29.0 → 0.30.0

package/src/run/index.ts

@@ -42,6 +42,7 @@ import {
 } from '@/cron'
 import { CLI_VERSION } from '@/init/cli-version'
 import { createMcpManager } from '@/mcp'
+import { runStartupMigrations } from '@/migrations'
 import { loadPlugins, type LoadPluginsResult, pluginCronJobs, type PluginRegistry, summarizeLoaded } from '@/plugin'
 import { createPluginLogger } from '@/plugin/context'
 import type { CronHandlerContext } from '@/plugin/types'
@@ -194,6 +195,12 @@ export async function startAgent({
     materializedSkills: null,
   })
 
+  // Graduate any pre-0.20.0 on-disk shapes (v1 secrets.json, legacy auth.json)
+  // to the current v2 envelope before anything reads secrets — otherwise the
+  // v2-only parser rejects the file and hydrate below sees no channels. Runs
+  // exactly once per folder; a folder already at v2 is a no-op.
+  runStartupMigrations(cwd)
+
   // Channel adapters read `process.env[TOKEN_ENV]` (see channels/manager.ts).
   // Hydrate fills any unset env var from secrets.json#channels via env-wins:
   // values already in process.env (from `docker --env-file .env`) are kept
@@ -329,6 +336,8 @@ export async function startAgent({
         ...(subagentOptions?.spawnedByRole !== undefined ? { spawnedByRole: subagentOptions.spawnedByRole } : {}),
         ...(subagentOptions?.spawnedByOrigin !== undefined ? { spawnedByOrigin: subagentOptions.spawnedByOrigin } : {}),
       }
+      const allowBackgroundFromSubagent =
+        entry.pluginSubagent.canBackgroundSpawnSubagents === true && entry.pluginSubagent.canSpawnSubagents === true
       const created = await createSessionWithDispose({
         systemPromptOverride: entry.pluginSubagent.systemPrompt,
         sessionManager,
@@ -359,6 +368,7 @@ export async function startAgent({
               liveSubagentRegistry,
               subagentRegistry: snap.subagents,
               createSessionForSubagent,
+              allowBackgroundFromSubagent,
             }
           : {}),
         ...(entry.pluginSubagent.profile !== undefined ? { profile: entry.pluginSubagent.profile } : {}),
@@ -380,6 +390,9 @@ export async function startAgent({
         agentDir: cwd,
         origin,
         getTranscriptPath: () => sessionManager.getSessionFile(),
+        ...(allowBackgroundFromSubagent
+          ? { backgroundDrain: { stream, sessionId, liveRegistry: liveSubagentRegistry } }
+          : {}),
       }
     }
     return defaultCreateSessionForSubagent(subagent, subagentOptions)

package/src/sandbox/availability.ts

@@ -33,3 +33,15 @@ async function probe(bwrap: string): Promise<boolean> {
 export function _resetBwrapAvailabilityCacheForTests(): void {
   availabilityCache.clear()
 }
+
+// The bun binary this process runs as (process.execPath). build.ts re-exposes
+// it at /proc/self/exe over the masked /proc so sandboxed package runners can
+// self-locate. This is correct ONLY in the bun-centric container: the base
+// image (oven/bun:1-slim) ships no real node — `node` is a bun symlink and
+// bunx/npx/pnpx all resolve to bun (Bun's fake-node model), so every runtime
+// reading /proc/self/exe IS bun. A real node binary would self-locate to the
+// wrong ELF here; if node is ever added to the image this must resolve the
+// actual interpreter instead.
+export function resolveProcSelfExe(): string {
+  return process.execPath
+}

package/src/sandbox/build.ts

@@ -103,6 +103,18 @@ function buildArgv(command: string, policy: SandboxPolicy): string[] {
     // (leaks the outer container's /proc/N/environ — including
     // FIREWORKS_API_KEY — into the sandbox). See sandbox.mdx.
     argv.push('--tmpfs', '/proc')
+
+    // Re-expose ONLY the bun ELF at /proc/self/exe so sandboxed package runners
+    // can self-locate; /proc/N/environ stays masked by the tmpfs above. The
+    // caller passes bun's path (see resolveProcSelfExe): in this bun-centric
+    // container bunx/npx/pnpx all resolve to bun, so bun IS the runtime reading
+    // /proc/self/exe. --symlink (not --ro-bind /proc/self/exe): /proc/self at
+    // setup time is bwrap's pid, so a bind would capture bwrap's own binary.
+    // Must come AFTER --tmpfs /proc (last-op-wins) or the tmpfs erases it.
+    if (policy.procSelfExe !== undefined) {
+      argv.push('--ro-bind', policy.procSelfExe, policy.procSelfExe)
+      argv.push('--symlink', policy.procSelfExe, '/proc/self/exe')
+    }
   }
 
   for (const mount of policy.mounts ?? []) {

package/src/sandbox/index.ts

@@ -1,5 +1,5 @@
 export { buildSandboxedCommand, type SandboxedCommand } from './build'
-export { ensureBwrapAvailable, _resetBwrapAvailabilityCacheForTests } from './availability'
+export { ensureBwrapAvailable, resolveProcSelfExe, _resetBwrapAvailabilityCacheForTests } from './availability'
 export { resolveHiddenPaths, type HiddenPaths } from './hidden-paths'
 export {
   resolveProtectedZones,

package/src/sandbox/policy.ts

@@ -60,6 +60,14 @@ export type SandboxProtectedPolicy = {
 export type SandboxPolicy = {
   bwrapPath?: string
   cwd?: string
+  // Concrete host interpreter ELF (the running bun binary) re-exposed at
+  // /proc/self/exe over the --tmpfs /proc mask. JS runtimes self-locate via
+  // /proc/self/exe; under the empty tmpfs /proc that read fails and bunx panics
+  // in createFakeTemporaryNodeExecutable. A direct --ro-bind of /proc/self/exe
+  // is wrong: at bwrap setup time /proc/self is bwrap's pid, so it captures the
+  // bwrap binary, not the child runtime. The caller resolves this path (I/O);
+  // the builder stays pure.
+  procSelfExe?: string
   mounts?: SandboxMount[]
   masks?: SandboxMaskPolicy
   writable?: SandboxWritablePolicy