typeclaw 0.29.0 → 0.30.1

package/src/bundled-plugins/bun-hygiene/policy.ts

@@ -3,7 +3,12 @@ import { ACKNOWLEDGE_GUARDS, type GuardBlock, isGuardAcknowledged } from '../gua
 export const GUARD_GLOBAL_INSTALL = 'globalInstall'
 export const GUARD_NON_BUN_PACKAGE_MANAGER = 'nonBunPackageManager'
 
-const NON_BUN_MANAGERS = new Set(['npm', 'npx', 'pnpm', 'pnpx', 'yarn'])
+// Only install managers are blocked. The ephemeral runners npx/pnpx (and bunx,
+// which is `bun`) are intentionally absent: they run a tool once without
+// touching the dependency tree or writing a competing lockfile, so they don't
+// undermine the bun-standardization this set protects. classify() skips any
+// command word not in here, so leaving them out is what allows them.
+const NON_BUN_MANAGERS = new Set(['npm', 'pnpm', 'yarn'])
 const INSTALL_SUBCOMMANDS = new Set(['install', 'i', 'add'])
 
 export function checkBunHygieneGuard(options: { tool: string; args: Record<string, unknown> }): GuardBlock | undefined {
@@ -310,8 +315,8 @@ function blockNonBunManager(manager: string, args: Record<string, unknown>): Gua
   return {
     block: true,
     reason: [
-      `Guard \`${GUARD_NON_BUN_PACKAGE_MANAGER}\` blocked \`${manager}\`. This container standardizes on bun.`,
-      'Use `bun install` / `bun add <pkg>` instead of npm/pnpm/yarn, and `bunx <pkg>` instead of npx/pnpx.',
+      `Guard \`${GUARD_NON_BUN_PACKAGE_MANAGER}\` blocked \`${manager}\`. This container standardizes on bun for dependency management.`,
+      'Use `bun install` / `bun add <pkg>` instead of npm/pnpm/yarn. Ephemeral runners (`bunx`, `npx`, `pnpx`) are allowed for one-off tool execution.',
       `Retry with \`${ACKNOWLEDGE_GUARDS}.${GUARD_NON_BUN_PACKAGE_MANAGER}: true\` if this package manager is genuinely required (e.g. a project pinned to a different lockfile).`,
     ].join(' '),
   }

package/src/bundled-plugins/github-cli-auth/approve-idempotency.ts

@@ -1,13 +1,17 @@
 import type { ReviewVerdict } from '@/channels/github-review-turn-ledger'
 
+// `NONE` covers "never reviewed" and "last decisive review was DISMISSED" — both
+// mean a fresh verdict is legitimate (not a duplicate).
+export type EffectiveVerdict = 'APPROVED' | 'CHANGES_REQUESTED' | 'NONE'
+
 export type EffectiveApprovalResolver = (target: {
   workspace: string
   prNumber: number
-}) => Promise<{ ok: true; alreadyApproved: boolean } | { ok: false }>
+}) => Promise<{ ok: true; effective: EffectiveVerdict } | { ok: false }>
 
 export type ApproveBlock = { block: true; reason: string }
 
-export type ApproveIdempotencyGuard = {
+export type ReviewVerdictGuard = {
   guard: (args: {
     callId: string
     workspace: string
@@ -17,58 +21,135 @@ export type ApproveIdempotencyGuard = {
   release: (args: { callId: string; succeeded: boolean }) => void
 }
 
-const DUPLICATE_REASON =
-  'This bot has already approved this pull request. A second APPROVE would post a redundant review. ' +
-  'If you intended to change your verdict, request changes or dismiss the prior review instead of re-approving.'
-
-// Makes formal `gh ... event=APPROVE` idempotent per PR across turns, sessions,
-// and restarts. The per-turn review ledger only guards prose claims and resets
-// every turn, so without this an APPROVE can fire again whenever the same PR
-// fans out into a second session or a follow-up turn. We reserve the PR in an
-// in-process set before the command runs (stops same-container concurrent
-// double-approve) and consult GitHub for the bot's effective review state
-// (stops cross-restart re-approval). Reads fail OPEN: a transient GitHub error
-// must never permanently strand the bot from approving a PR it has not yet
-// approved — the in-process reservation still blocks the concurrent case.
+// Back-compat alias: the guard now covers REQUEST_CHANGES too, not just APPROVE.
+export type ApproveIdempotencyGuard = ReviewVerdictGuard
+
+function duplicateReason(verdict: ReviewVerdict): string {
+  if (verdict === 'APPROVE') {
+    return (
+      'This bot already holds a standing APPROVED review on this pull request. A second APPROVE would ' +
+      'post a redundant review. If you intended to change your verdict, request changes or dismiss the ' +
+      'prior review instead of re-approving.'
+    )
+  }
+  return (
+    'This bot already holds a standing CHANGES_REQUESTED review on this pull request. A second ' +
+    'REQUEST_CHANGES would post a redundant blocking review. The prior review is still live — push a fix ' +
+    'and APPROVE, or reply in the existing thread, instead of re-requesting changes.'
+  )
+}
+
+const CONCURRENT_REASON =
+  'Another session in this agent is already submitting a formal review verdict for this pull request. ' +
+  'Only one verdict may land per PR — do not submit a second review; the in-flight one will post.'
+
+// The standing verdict a fresh attempt would duplicate. APPROVE duplicates a
+// standing APPROVED; REQUEST_CHANGES duplicates a standing CHANGES_REQUESTED.
+function duplicatesStanding(verdict: ReviewVerdict, effective: EffectiveVerdict): boolean {
+  return verdict === 'APPROVE' ? effective === 'APPROVED' : effective === 'CHANGES_REQUESTED'
+}
+
+// How long a reservation may sit before it is treated as abandoned. A normal
+// `gh` review submit completes in seconds; this only guards against a tool.after
+// that never fires (crash mid-command), so it must outlast a slow command yet
+// never strand a PR for long.
+const LEASE_TTL_MS = 5 * 60_000
+
+type Reservation = { key: string; token: number; createdAt: number }
+
+// MODULE-LEVEL singletons, shared by every plugin instance in this process. The
+// github-cli-auth plugin's `plugin: async (ctx) => ...` factory may run once per
+// session, giving each its own closure — but all of those closures import THIS
+// module, so they coordinate through one Map. A closure-local Set (the prior
+// design) could not see a concurrent session's in-flight verdict, which is how
+// three sessions each landed an APPROVE on the same PR within ten seconds.
+const inFlightByPr = new Map<string, Reservation>()
+const reservationByCall = new Map<string, Reservation>()
+let tokenSeq = 0
+
+// Makes a formal `gh ... event=APPROVE|REQUEST_CHANGES` idempotent per PR across
+// turns, sessions, and (in-process) concurrent fan-out. Two layers:
+//
+//   1. A process-wide in-flight lease keyed by `workspace#prNumber`, held from
+//      tool.before through tool.after. While one verdict is mid-flight, every
+//      other session's verdict for the same PR is blocked — even though GitHub
+//      has not yet recorded the in-flight review. This is the layer the old
+//      closure-local Set could not provide: separate plugin instances meant
+//      separate Sets, so concurrent sessions never saw each other.
+//
+//   2. The authoritative GitHub effective-state read, consulted AFTER the lease
+//      is acquired. It catches the cross-restart case (lease lost) and tracks
+//      supersession: a later CHANGES_REQUESTED/DISMISSED demotes an earlier
+//      APPROVED, so a genuine re-verdict is allowed. Reads fail OPEN — a
+//      transient error must never strand a genuine first verdict; the lease
+//      still covers the concurrent case while the command runs.
+//
+// The lease is released only in release() (tool.after) or on a terminal block,
+// never after the remote read — releasing early reopens the TOCTOU the lease
+// exists to close. Release is keyed by a per-call token so a late/stale
+// tool.after for a superseded reservation cannot drop a newer session's lease.
 export function createApproveIdempotencyGuard(deps: {
   resolveEffectiveApproval: EffectiveApprovalResolver
-}): ApproveIdempotencyGuard {
-  const approvedOrPending = new Set<string>()
-  const reservedByCall = new Map<string, string>()
+  now?: () => number
+}): ReviewVerdictGuard {
+  const now = deps.now ?? Date.now
 
   return {
     async guard(args): Promise<ApproveBlock | null> {
-      if (args.verdict !== 'APPROVE') return null
+      if (args.verdict !== 'APPROVE' && args.verdict !== 'REQUEST_CHANGES') return null
       const key = prKey(args.workspace, args.prNumber)
 
-      // Reserve BEFORE the await so two calls racing into guard() for the same
-      // PR cannot both observe an empty set: the loser sees the winner's
-      // reservation and is blocked. The reservation is provisional until the
-      // remote check clears it.
-      if (approvedOrPending.has(key)) return { block: true, reason: DUPLICATE_REASON }
-      approvedOrPending.add(key)
-      reservedByCall.set(args.callId, key)
+      // Reserve BEFORE the await so two calls racing into guard() for the same PR
+      // cannot both observe an empty map: the loser sees the winner's in-flight
+      // lease and is blocked. An expired lease (tool.after never fired) is
+      // reclaimable so a crash cannot permanently strand the PR.
+      const held = inFlightByPr.get(key)
+      if (held !== undefined && now() - held.createdAt < LEASE_TTL_MS) {
+        return { block: true, reason: CONCURRENT_REASON }
+      }
+      const reservation: Reservation = { key, token: ++tokenSeq, createdAt: now() }
+      inFlightByPr.set(key, reservation)
+      reservationByCall.set(args.callId, reservation)
 
       const remote = await deps.resolveEffectiveApproval({ workspace: args.workspace, prNumber: args.prNumber })
-      if (remote.ok && remote.alreadyApproved) {
-        // Already approved upstream: keep the PR locked but drop this call's
-        // claim so release() won't later unlock a PR that is genuinely approved.
-        reservedByCall.delete(args.callId)
-        return { block: true, reason: DUPLICATE_REASON }
+      if (remote.ok && duplicatesStanding(args.verdict, remote.effective)) {
+        // Standing verdict upstream already matches. Block, and release the lease
+        // now: a blocked command never reaches tool.after, so release() won't run
+        // for this callId. Leaving the lease set would resurrect the strand bug —
+        // the GitHub read is authoritative for the standing case.
+        releaseReservation(args.callId, reservation)
+        return { block: true, reason: duplicateReason(args.verdict) }
       }
 
       return null
     },
 
     release(args): void {
-      const key = reservedByCall.get(args.callId)
-      if (key === undefined) return
-      reservedByCall.delete(args.callId)
-      if (!args.succeeded) approvedOrPending.delete(key)
+      const reservation = reservationByCall.get(args.callId)
+      if (reservation === undefined) return
+      releaseReservation(args.callId, reservation)
     },
   }
 }
 
+// Drop the lease only if THIS reservation still owns the key. A stale tool.after
+// for a reservation that was already superseded (e.g. reclaimed after TTL by a
+// newer session) must not yank the live session's lease.
+function releaseReservation(callId: string, reservation: Reservation): void {
+  reservationByCall.delete(callId)
+  const current = inFlightByPr.get(reservation.key)
+  if (current !== undefined && current.token === reservation.token) {
+    inFlightByPr.delete(reservation.key)
+  }
+}
+
 function prKey(workspace: string, prNumber: number): string {
   return `${workspace}#${prNumber}`
 }
+
+// Test-only: clear the process-wide lease state between cases.
+export function __resetReviewVerdictGuardForTest(): void {
+  inFlightByPr.clear()
+  reservationByCall.clear()
+  tokenSeq = 0
+}

package/src/bundled-plugins/github-cli-auth/effective-approval.ts

@@ -1,13 +1,12 @@
 import { GITHUB_API_BASE, githubJsonHeaders } from '@/channels/adapters/github/auth-pat'
 
-import type { EffectiveApprovalResolver } from './approve-idempotency'
-
-// Resolves whether THIS bot already has a standing APPROVED review on a PR, used
-// by the approve-idempotency guard to stop a second formal APPROVE after a
-// restart (the in-process pending set covers the same-container case but is lost
-// when the container bounces). Every failure returns { ok: false } so the guard
-// fails open — a transient read error must never permanently block a genuine
-// first approval.
+import type { EffectiveApprovalResolver, EffectiveVerdict } from './approve-idempotency'
+
+// Resolves THIS bot's standing decisive review on a PR, used by the review
+// verdict guard to stop a second formal verdict after a restart (the in-process
+// lease covers the same-container case but is lost when the container bounces).
+// Every failure returns { ok: false } so the guard fails open — a transient read
+// error must never permanently block a genuine first verdict.
 export function createGithubEffectiveApprovalResolver(deps: {
   resolveToken: (workspace: string) => Promise<string | null>
   fetchImpl?: typeof fetch
@@ -27,10 +26,16 @@ export function createGithubEffectiveApprovalResolver(deps: {
     if (reviews === null) return { ok: false }
 
     const lastDecisive = reviews.filter((r) => isSelf(r.login, r.isBot, self) && isDecisive(r.state)).at(-1)
-    return { ok: true, alreadyApproved: lastDecisive?.state === 'APPROVED' }
+    return { ok: true, effective: toEffective(lastDecisive?.state) }
   }
 }
 
+function toEffective(state: string | undefined): EffectiveVerdict {
+  if (state === 'APPROVED') return 'APPROVED'
+  if (state === 'CHANGES_REQUESTED') return 'CHANGES_REQUESTED'
+  return 'NONE'
+}
+
 // A bot's effective review is its LATEST decisive one. COMMENTED/PENDING are
 // non-deciding noise that must not clear an earlier APPROVED/CHANGES_REQUESTED;
 // a later CHANGES_REQUESTED or DISMISSED supersedes an earlier APPROVED. The

package/src/bundled-plugins/github-cli-auth/index.ts

@@ -11,7 +11,7 @@ import { classifyGhToken } from './token-class'
 export default definePlugin({
   plugin: async (ctx) => {
     const resolveTokenForRepo = ctx.github.resolveTokenForRepo
-    const approveGuard = createApproveIdempotencyGuard({
+    const verdictGuard = createApproveIdempotencyGuard({
       resolveEffectiveApproval: createGithubEffectiveApprovalResolver({
         resolveToken: async (workspace) => {
           const result = await resolveTokenForRepo(workspace)
@@ -28,7 +28,7 @@ export default definePlugin({
 
           const review = await noteReviewCommand({ callId: event.callId, command })
           if (review.detected !== null) {
-            const block = await approveGuard.guard({
+            const block = await verdictGuard.guard({
               callId: event.callId,
               workspace: review.detected.workspace,
               prNumber: review.detected.prNumber,
@@ -70,7 +70,7 @@ export default definePlugin({
             callId: event.callId,
             result: event.result,
           })
-          approveGuard.release({ callId: event.callId, succeeded: committed })
+          verdictGuard.release({ callId: event.callId, succeeded: committed })
         },
       },
     }

package/src/bundled-plugins/planner/planner.ts

@@ -78,7 +78,7 @@ PREFER the two purpose-built research workers for any quick search or gathering
 - \`scout\` — web research. Spawn it for ANYTHING that lives on the public internet: prices, schedules, opening hours, standard timelines, prevailing practice, vendor docs, prior art, "what are the options for X". It returns a focused, citation-backed answer. This is your default for the research-resolvable facts a plan rests on.
 - \`explorer\` — local filesystem search. Spawn it to understand the existing code, config, sessions, memory, or git history on this agent — "what does this module do", "where is X configured", "summarize the shape of this system" — before planning a change to it.
 
-Lean on these liberally. A quick \`scout\` for real prices or a quick \`explorer\` for the actual shape of a module turns an assumption-laden plan into a grounded one, and it costs you almost nothing because the heavy reading happens in their context, not yours. Fan several out in parallel (background spawns) when a plan depends on multiple independent facts, then fold the distilled results into your single planning pass.
+Lean on these liberally. A quick \`scout\` for real prices or a quick \`explorer\` for the actual shape of a module turns an assumption-laden plan into a grounded one, and it costs you almost nothing because the heavy reading happens in their context, not yours. When a plan depends on multiple independent facts, **fan out in parallel**: either emit all the independent \`spawn_subagent\` calls (sync, the default) in a SINGLE turn so they run concurrently and return together, or spawn them with \`run_in_background=true\` and fold each result in as its \`<system-reminder>\` arrives (your session stays alive until every child reports back). Either way, fold the distilled results into your single planning pass; do NOT spawn one, wait, then spawn the next unless the second genuinely depends on the first — that serializes what should be parallel.
 
 - Spawn these workers for context-heavy GATHERING, not for forming the plan. The decomposition, the sequencing, and the verdict are YOURS — never delegate the judgment.
 - Each delegated task must be self-contained: the worker does not see this conversation or the goal. Put everything it needs in the prompt.
@@ -269,6 +269,7 @@ If none of the listed skills fit the goal, load \`general\`. Keep the skill-sele
     rosterDescription:
       'turns a goal — a trip, a launch, a migration, a feature — into an actionable, sequenced, risk-aware plan, writes it to a file, and returns a structured signal; domain-neutral and reasoning-heavy, for any multi-step goal worth thinking through before acting; consider a `reviewer` pass on the plan it produces',
     canSpawnSubagents: true,
+    canBackgroundSpawnSubagents: true,
     timeoutMs: PLANNER_SPAWN_TIMEOUT_MS,
     inFlightKey: (payload) => payload?.requestId ?? `anon-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
     toolResultBudget: {

package/src/bundled-plugins/researcher/researcher.ts

@@ -64,14 +64,20 @@ The \`write_report\` tool enforces these limits in code: it accepts exactly one
 
 You run on a deliberately expensive model. Every search result page and every fetched article you pull into YOUR context spends that budget on grunt work and crowds out the thinking only you can do. So your DEFAULT for gathering is to delegate — not just for big sweeps, but for routine fetches too.
 
-**Delegate first; fetch yourself only as a last resort.** Before you reach for \`web_search\`, \`web_fetch\`, \`read\`, or \`grep\`, ask: "could \`scout\` or \`explorer\` get this for me and hand back just the distilled answer?" If yes — which is almost always — spawn the worker with \`spawn_subagent\`. Prefer to fan out **several \`scout\`/\`explorer\` spawns in parallel** (background spawns) at the very start of a gathering round, then fold their condensed results into your synthesis in one pass.
+**Delegate first; fetch yourself only as a last resort.** Before you reach for \`web_search\`, \`web_fetch\`, \`read\`, or \`grep\`, ask: "could \`scout\` or \`explorer\` get this for me and hand back just the distilled answer?" If yes — which is almost always — spawn the worker with \`spawn_subagent\`.
+
+**Fan out in parallel.** For a gathering round, emit several \`scout\`/\`explorer\` \`spawn_subagent\` calls together in a SINGLE turn so they run concurrently rather than one-at-a-time. You have two equivalent ways to do this, both of which deliver every worker's findings back to you:
+- **Synchronous batch (simplest):** emit the calls with \`run_in_background=false\` (the default) in one assistant message. They execute concurrently and all results return together before your next turn, where you fold them into one synthesis pass.
+- **Background:** emit them with \`run_in_background=true\`; each returns a task_id immediately and you receive a \`<system-reminder>\` as each completes, then fetch the result with \`subagent_output\`. Use this when you want to start synthesizing on early results while slower workers finish. Your session stays alive until every background child you spawned has reported back, so no result is lost.
+
+Either way, do NOT spawn one, wait for it, then spawn the next unless the second task genuinely depends on the first's result — that serializes what should be parallel.
 
 - \`scout\` — web gathering. Hand it any web question, quick or broad ("latest figure for X", "find the primary source for Y", "sweep for every source on Z"); it does the searching and fetching and returns citation-backed findings, so the raw pages never touch your context.
 - \`explorer\` — local gathering. Hand it any filesystem/git/memory question; it returns the paths and excerpts you need without you grepping the tree yourself.
 - The synthesis, the cross-validation, and the confidence call are YOURS. Delegate the gathering, never the conclusion.
 - Each delegated task is self-contained: the worker does not see this conversation. Put everything it needs in the prompt.
 - The chain is depth-limited: a worker you spawn cannot spawn again. Keep delegation one level deep.
-- \`subagent_output\`/\`subagent_cancel\` reach only the tasks YOU spawned. Use background spawns for parallel gathering, then fold the results into your single report.
+- \`subagent_output\`/\`subagent_cancel\` reach only the tasks YOU spawned. Whether you spawn synchronously or in the background, fold every worker's result into your single report before you finish.
 
 When IS it right to use your own \`web_search\`/\`web_fetch\`/\`read\`/\`grep\`? Only for the surgical, decisive touch: re-reading one specific passage a worker flagged, resolving a contradiction between two workers' findings, or a single fetch so central you must read it verbatim. If you find yourself doing more than a couple of direct fetches, stop and delegate the rest.
 
@@ -210,6 +216,7 @@ If none of the listed skills fit the question, load \`general\`. Keep the skill-
     // warrant operator's owner/trusted-only gate; any caller that can spawn a
     // subagent can spawn the researcher.
     canSpawnSubagents: true,
+    canBackgroundSpawnSubagents: true,
     timeoutMs: RESEARCHER_SPAWN_TIMEOUT_MS,
     inFlightKey: (payload) => payload?.requestId ?? `anon-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
     toolResultBudget: {

package/src/bundled-plugins/reviewer/reviewer.ts

@@ -79,7 +79,7 @@ You run on a deliberately expensive model. Reading a sprawling file tree, a gian
 - Spawn read-only/research workers for context-heavy gathering, not for forming the verdict. The findings and the \`<review>\` block are YOURS — never delegate the judgment.
 - Each delegated task must be self-contained: the worker does not see this conversation or the target. Put everything it needs in the prompt.
 - The chain is depth-limited: a worker you spawn cannot spawn again. Keep delegation one level deep.
-- \`subagent_output\`/\`subagent_cancel\` reach only the tasks YOU spawned. Use background spawns for parallel gathering, then fold the results into your single review pass.
+- \`subagent_output\`/\`subagent_cancel\` reach only the tasks YOU spawned. To gather in parallel, either emit all the independent \`spawn_subagent\` calls (sync, the default) in a SINGLE turn so they run concurrently and return together, or spawn them with \`run_in_background=true\` and fold each result in as its \`<system-reminder>\` arrives (your session stays alive until every child reports back). Either way, fold the results into your single review pass before you finish.
 
 ## Tools
 
@@ -199,6 +199,7 @@ If none of the listed skills fit the target, load \`general\`. Keep the skill-se
     rosterDescription:
       'deep read-only code/PR/plan review in a fresh context, returns a structured verdict; it does NOT post — you act on its findings',
     canSpawnSubagents: true,
+    canBackgroundSpawnSubagents: true,
     timeoutMs: REVIEWER_SPAWN_TIMEOUT_MS,
     inFlightKey: (payload) => payload?.requestId ?? `anon-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
     toolResultBudget: {

package/src/channels/adapters/discord-bot-format.ts

@@ -0,0 +1,191 @@
+// Discord renders no GitHub-flavored Markdown tables — a `| a | b |` block
+// shows up as literal pipes and dashes, so an agent reply that leans on a table
+// (very common) becomes unreadable. Discord DOES preserve whitespace verbatim
+// inside inline code spans, so we re-emit each table row as a single
+// backtick-wrapped line with columns padded to a fixed width. Columns line up
+// because every row is the same monospaced inline-code span. The header row is
+// additionally wrapped in `**...**` so it reads as a bold caption above the body.
+//
+// This is a line-walker, not a Markdown parser: it only touches blocks that
+// match the pipe-table shape (a `|`-bearing line followed by a `|---|` alignment
+// row) and leaves every other byte — prose, code fences, lists — untouched.
+
+const TABLE_SEP_RE = /^\s*\|?\s*:?-{3,}:?\s*(\|\s*:?-{3,}:?\s*)+\|?\s*$/
+const FENCE_RE = /^(\s*)(```+|~~~+)(.*)$/
+
+export function convertDiscordTables(input: string): string {
+  if (input === '') return ''
+  if (!input.includes('|')) return input
+
+  const lines = input.split('\n')
+  const out: string[] = []
+  let i = 0
+  let openFence: string | null = null
+
+  while (i < lines.length) {
+    const line = lines[i]!
+
+    // A code fence (``` / ~~~) suspends table detection until it closes — a
+    // table-shaped block inside a fence is literal text, not a table. The close
+    // must use the same fence char and be at least as long as the opener, per
+    // CommonMark.
+    const fence = FENCE_RE.exec(line)
+    if (fence !== null) {
+      const marker = fence[2]!
+      if (openFence === null) {
+        openFence = marker
+      } else if (marker[0] === openFence[0] && marker.length >= openFence.length) {
+        openFence = null
+      }
+      out.push(line)
+      i++
+      continue
+    }
+    if (openFence !== null) {
+      out.push(line)
+      i++
+      continue
+    }
+
+    // A table needs a `|`-bearing header line immediately followed by the
+    // alignment row; same disambiguation rule chunkMarkdown uses so a stray
+    // leading `|` in prose is not mistaken for a table.
+    if (line.includes('|') && i + 1 < lines.length && TABLE_SEP_RE.test(lines[i + 1]!)) {
+      const start = i
+      i += 2
+      while (i < lines.length && lines[i]!.includes('|') && lines[i]!.trim() !== '') {
+        i++
+      }
+      const tableLines = lines.slice(start, i)
+      out.push(renderTable(tableLines))
+      continue
+    }
+    out.push(line)
+    i++
+  }
+
+  return out.join('\n')
+}
+
+function renderTable(tableLines: string[]): string {
+  const headerCells = splitRow(tableLines[0]!)
+  const bodyRows = tableLines.slice(2).map(splitRow)
+  const widths = computeWidths([headerCells, ...bodyRows])
+
+  const header = wrapCode(padRow(headerCells, widths))
+  const renderedRows = [`**${header}**`, ...bodyRows.map((cells) => wrapCode(padRow(cells, widths)))]
+  return renderedRows.join('\n')
+}
+
+function splitRow(row: string): string[] {
+  // Trim one optional leading/trailing pipe, then split on the rest. A trailing
+  // backslash before a pipe escapes it, but GFM table escaping is rare in agent
+  // output — we keep it simple and split on bare pipes.
+  let trimmed = row.trim()
+  if (trimmed.startsWith('|')) trimmed = trimmed.slice(1)
+  if (trimmed.endsWith('|')) trimmed = trimmed.slice(0, -1)
+  return trimmed.split('|').map((cell) => cell.trim())
+}
+
+function computeWidths(rows: string[][]): number[] {
+  const widths: number[] = []
+  for (const row of rows) {
+    for (let c = 0; c < row.length; c++) {
+      const cellWidth = displayWidth(row[c]!)
+      if (widths[c] === undefined || cellWidth > widths[c]!) {
+        widths[c] = cellWidth
+      }
+    }
+  }
+  return widths
+}
+
+function padRow(cells: string[], widths: number[]): string {
+  const padded = widths.map((width, c) => padToWidth(cells[c] ?? '', width))
+  // Two spaces between columns keeps them visually distinct inside the
+  // monospaced span without a vertical-bar separator.
+  return padded.join('  ')
+}
+
+function padToWidth(cell: string, width: number): string {
+  const pad = width - displayWidth(cell)
+  return pad > 0 ? cell + ' '.repeat(pad) : cell
+}
+
+// Discord's monospaced inline-code font renders CJK ideographs, full-width
+// punctuation, and most emoji at two columns, while combining/zero-width marks
+// take none. `String.prototype.padEnd` counts UTF-16 code units, so padding by
+// `.length` leaves wide-character tables visually ragged. We iterate by code
+// point and sum per-glyph column widths so every cell pads to the same VISUAL
+// width. The ranges below are the standard East-Asian-Wide / Wide blocks plus
+// the common emoji planes; this is the same wcwidth approximation editors use.
+export function displayWidth(text: string): number {
+  let width = 0
+  for (const ch of text) {
+    width += charWidth(ch.codePointAt(0)!)
+  }
+  return width
+}
+
+function charWidth(cp: number): number {
+  if (isZeroWidth(cp)) return 0
+  if (isWide(cp)) return 2
+  return 1
+}
+
+function isZeroWidth(cp: number): boolean {
+  return (
+    cp === 0x200b || // zero-width space
+    (cp >= 0x0300 && cp <= 0x036f) || // combining diacritical marks
+    (cp >= 0x200c && cp <= 0x200f) || // ZWNJ/ZWJ/directional marks
+    (cp >= 0xfe00 && cp <= 0xfe0f) // variation selectors
+  )
+}
+
+function isWide(cp: number): boolean {
+  return (
+    (cp >= 0x1100 && cp <= 0x115f) || // Hangul Jamo
+    (cp >= 0x2e80 && cp <= 0x303e) || // CJK radicals, Kangxi
+    (cp >= 0x3041 && cp <= 0x33ff) || // Hiragana, Katakana, CJK symbols
+    (cp >= 0x3400 && cp <= 0x4dbf) || // CJK Ext A
+    (cp >= 0x4e00 && cp <= 0x9fff) || // CJK Unified Ideographs
+    (cp >= 0xa000 && cp <= 0xa4cf) || // Yi
+    (cp >= 0xac00 && cp <= 0xd7a3) || // Hangul Syllables
+    (cp >= 0xf900 && cp <= 0xfaff) || // CJK Compatibility Ideographs
+    (cp >= 0xfe30 && cp <= 0xfe4f) || // CJK Compatibility Forms
+    (cp >= 0xff00 && cp <= 0xff60) || // Fullwidth Forms
+    (cp >= 0xffe0 && cp <= 0xffe6) || // Fullwidth signs
+    (cp >= 0x2600 && cp <= 0x26ff) || // Miscellaneous Symbols (☀ ♻ ⚠ …)
+    (cp >= 0x2700 && cp <= 0x27bf) || // Dingbats (✅ ✔ ✨ ➡ …)
+    (cp >= 0x2b00 && cp <= 0x2bff) || // Misc Symbols and Arrows (⭐ …)
+    (cp >= 0x1f300 && cp <= 0x1faff) || // emoji, symbols, pictographs
+    (cp >= 0x20000 && cp <= 0x3fffd) // CJK Ext B+ (supplementary ideographic)
+  )
+}
+
+// CommonMark inline code: the delimiter must be a backtick run LONGER than any
+// run inside the content, otherwise an embedded `` ` `` (e.g. a cell holding
+// `bun test`) closes the span early and corrupts the row. When the content
+// begins or ends with a backtick, one space of padding is inserted on each side
+// so the delimiter is not adjacent to a content backtick; CommonMark strips that
+// single padding space on render, leaving our column widths intact.
+function wrapCode(text: string): string {
+  const fence = '`'.repeat(longestBacktickRun(text) + 1)
+  const needsPad = text.startsWith('`') || text.endsWith('`')
+  const pad = needsPad ? ' ' : ''
+  return `${fence}${pad}${text}${pad}${fence}`
+}
+
+function longestBacktickRun(text: string): number {
+  let longest = 0
+  let run = 0
+  for (const ch of text) {
+    if (ch === '`') {
+      run++
+      if (run > longest) longest = run
+    } else {
+      run = 0
+    }
+  }
+  return longest
+}

package/src/channels/adapters/discord-bot.ts

@@ -39,6 +39,7 @@ import {
   type InboundDropReason,
   renderPlaceholder,
 } from './discord-bot-classify'
+import { convertDiscordTables } from './discord-bot-format'
 import { createDiscordReactionCallback, createDiscordRemoveReactionCallback } from './discord-bot-reactions'
 import { enrichDiscordMessageReferences } from './discord-bot-reference'
 import {
@@ -647,7 +648,7 @@ export function createOutboundCallback(deps: {
     if (msg.adapter !== 'discord-bot') {
       return { ok: false, error: `unknown adapter: ${msg.adapter}` }
     }
-    const text = msg.text ?? ''
+    const text = convertDiscordTables(msg.text ?? '')
     const attachments = msg.attachments ?? []
     if (text === '' && attachments.length === 0) {
       return { ok: false, error: 'message has neither text nor attachments' }