typeclaw 0.3.0 → 0.4.0

package/secrets.schema.json

@@ -142,6 +142,119 @@
             }
           }
         },
+        "github": {
+          "type": "object",
+          "properties": {
+            "auth": {
+              "oneOf": [
+                {
+                  "type": "object",
+                  "properties": {
+                    "type": {
+                      "type": "string",
+                      "const": "pat"
+                    },
+                    "token": {
+                      "anyOf": [
+                        {
+                          "type": "string",
+                          "minLength": 1
+                        },
+                        {
+                          "type": "object",
+                          "properties": {
+                            "value": {
+                              "type": "string",
+                              "minLength": 1
+                            },
+                            "env": {
+                              "type": "string",
+                              "minLength": 1
+                            }
+                          }
+                        }
+                      ]
+                    }
+                  },
+                  "required": [
+                    "type",
+                    "token"
+                  ]
+                },
+                {
+                  "type": "object",
+                  "properties": {
+                    "type": {
+                      "type": "string",
+                      "const": "app"
+                    },
+                    "appId": {
+                      "type": "integer",
+                      "exclusiveMinimum": 0,
+                      "maximum": 9007199254740991
+                    },
+                    "privateKey": {
+                      "anyOf": [
+                        {
+                          "type": "string",
+                          "minLength": 1
+                        },
+                        {
+                          "type": "object",
+                          "properties": {
+                            "value": {
+                              "type": "string",
+                              "minLength": 1
+                            },
+                            "env": {
+                              "type": "string",
+                              "minLength": 1
+                            }
+                          }
+                        }
+                      ]
+                    },
+                    "installationId": {
+                      "type": "integer",
+                      "exclusiveMinimum": 0,
+                      "maximum": 9007199254740991
+                    }
+                  },
+                  "required": [
+                    "type",
+                    "appId",
+                    "privateKey"
+                  ]
+                }
+              ]
+            },
+            "webhookSecret": {
+              "anyOf": [
+                {
+                  "type": "string",
+                  "minLength": 1
+                },
+                {
+                  "type": "object",
+                  "properties": {
+                    "value": {
+                      "type": "string",
+                      "minLength": 1
+                    },
+                    "env": {
+                      "type": "string",
+                      "minLength": 1
+                    }
+                  }
+                }
+              ]
+            }
+          },
+          "required": [
+            "auth",
+            "webhookSecret"
+          ]
+        },
         "telegram-bot": {
           "type": "object",
           "properties": {

package/src/agent/index.ts

@@ -29,8 +29,9 @@ import { lookAtTool } from './multimodal'
 import { resolveBuiltinToolRefs, wrapPluginTool, wrapSystemAgentTool, wrapSystemTool } from './plugin-tools'
 import { createReloadTool } from './reload-tool'
 import { loadSelf } from './self'
+import { SESSION_META_CUSTOM_TYPE, sessionMetaPayload } from './session-meta'
 import { renderSessionOrigin, type SessionOrigin, type SessionRoleContext } from './session-origin'
-import { DEFAULT_SYSTEM_PROMPT, renderRuntimeBlock } from './system-prompt'
+import { DEFAULT_SYSTEM_PROMPT, renderRuntimeBlock, SLIM_SYSTEM_PROMPT } from './system-prompt'
 import {
   createBudgetState,
   type ToolResultBudget,
@@ -231,6 +232,25 @@ export async function createSessionWithDispose(options: CreateSessionOptions = {
   // container-restarting broadcast.
   const sessionManager = options.sessionManager ?? SessionManager.inMemory()
 
+  // Stamp a one-shot custom entry naming the session's origin kind so
+  // `typeclaw usage` can bucket tokens by tui/cron/channel/subagent. Pi's
+  // `appendCustomEntry` is the blessed extension point: the entry persists
+  // into the session JSONL alongside messages, does NOT participate in LLM
+  // context, and pi handles file-creation timing — the entry lands after the
+  // session header on first flush, so `SessionManager.open()` keeps reading
+  // a canonical session file. Skipped for reopened sessions (a prior stamp
+  // is already in `getEntries()`) so usage attribution stays stable across
+  // restarts. Also skipped when origin is unknown (inMemory subagents) or
+  // when the manager is not persisted.
+  if (options.origin !== undefined && sessionManager.getSessionFile() !== undefined) {
+    const alreadyStamped = sessionManager
+      .getEntries()
+      .some((e) => e.type === 'custom' && e.customType === SESSION_META_CUSTOM_TYPE)
+    if (!alreadyStamped) {
+      sessionManager.appendCustomEntry(SESSION_META_CUSTOM_TYPE, sessionMetaPayload(options.origin))
+    }
+  }
+
   const customSystemTools =
     options.customTools !== undefined
       ? options.customTools
@@ -508,48 +528,147 @@ export type CreateResourceLoaderOptions = {
   origin?: SessionOrigin
   permissions?: PermissionService
   runtimeVersion?: string
+  // Explicit override for the prompt mode. When omitted, the mode is derived
+  // from `origin.kind`: cron + subagent → slim, tui + channel → full. Pass
+  // 'full' to force the heavy prompt even on an unattended origin (rarely
+  // useful; mostly an escape hatch for ad-hoc debugging).
+  mode?: SystemPromptMode
+}
+
+// Origins where the operator-facing DEFAULT_SYSTEM_PROMPT, git-nudge, and the
+// agent-folder commit guidance carry their weight: there is a human reading
+// the output, the agent is expected to maintain its folder over time, and
+// conversational register matters. For everything else (cron fires, default
+// subagents), the slim prompt is the right default — the origin block already
+// names the unattended context and tells the agent what's expected of it.
+//
+// Exhaustive switch (not a boolean expression) so a future origin kind forces
+// the author to make an explicit full-or-slim decision at compile time. The
+// previous form silently defaulted new origins to slim, which would have
+// stripped the operator-facing prompt from a new interactive surface by
+// accident.
+export function deriveSystemPromptMode(origin: SessionOrigin | undefined): SystemPromptMode {
+  if (origin === undefined) return 'full'
+  switch (origin.kind) {
+    case 'tui':
+    case 'channel':
+      return 'full'
+    case 'cron':
+    case 'subagent':
+      return 'slim'
+    default: {
+      const _exhaustive: never = origin
+      void _exhaustive
+      return 'full'
+    }
+  }
+}
+
+// Pure inputs for `composeSystemPrompt`. Each field maps 1:1 to a rendered
+// section of the prompt; callers that don't want a section pass `undefined`
+// (or `''` for `gitNudge`). Extracted so the debug dumper in
+// `scripts/dump-system-prompt.ts` can reuse the exact same composition
+// pipeline `createResourceLoader` uses, with no risk of drift if the
+// section order changes.
+//
+// `mode` selects the base prompt:
+//   - 'full' (default) — DEFAULT_SYSTEM_PROMPT (~2155 tok of operator-facing
+//     guidance: agent folder layout, version-control rules, register matching,
+//     workspace boundary). Right choice for TUI and channel sessions where a
+//     human is reading the output and the agent maintains its folder.
+//   - 'slim' — SLIM_SYSTEM_PROMPT (~80 tok). Right choice for cron jobs and
+//     default subagents — unattended sessions where most of the operator
+//     guidance is irrelevant and the origin block already covers per-kind
+//     specifics (no human, side effects via tools, narrow scope).
+export type SystemPromptMode = 'full' | 'slim'
+
+export type SystemPromptComposition = {
+  mode?: SystemPromptMode
+  self: string
+  runtimeVersion?: string
+  origin?: SessionOrigin
+  roleContext?: SessionRoleContext
+  gitNudge: string
+  memorySection: string
+}
+
+// Section-order contract for the system prompt. Kept as a pure string→string
+// transform so it can be exercised without disk, plugin runtime, or auth.
+//
+// Cache-suffix ordering: least-volatile sections first, most-volatile last.
+// This minimises the number of cached prompt bytes invalidated when a
+// section changes (the provider's prompt cache hits up to the first byte
+// that differs).
+//
+// 0. runtime block — most stable: only changes on typeclaw releases (rare).
+// 1. origin block — stable across all sessions of the same kind.
+// 2. gitNudge — rare changes; agent folders force-commit sessions/ and
+//    memory/ after every turn, so the dirty-files list is empty most of
+//    the time.
+// 3. memorySection — most volatile: MEMORY.md grows on every dream cycle
+//    and memory/yyyy-MM-dd.md grows after every channel turn that triggers
+//    memory-logger. Pinning it to the end keeps everything above it
+//    cacheable across session resurrections.
+export function composeSystemPrompt(parts: SystemPromptComposition): string {
+  const base = parts.mode === 'slim' ? SLIM_SYSTEM_PROMPT : DEFAULT_SYSTEM_PROMPT
+  let prompt = `${base}\n\n${parts.self}`
+  if (parts.runtimeVersion !== undefined) {
+    prompt = `${prompt}\n\n${renderRuntimeBlock(parts.runtimeVersion)}`
+  }
+  if (parts.origin !== undefined) {
+    prompt = `${prompt}\n\n${renderSessionOrigin(parts.origin, Date.now(), parts.roleContext)}`
+  }
+  if (parts.gitNudge !== '') {
+    prompt = `${prompt}\n\n${parts.gitNudge}`
+  }
+  if (parts.memorySection !== '') {
+    prompt = `${prompt}\n\n${parts.memorySection}`
+  }
+  return prompt
 }
 
 export async function createResourceLoader(options: CreateResourceLoaderOptions = {}): Promise<DefaultResourceLoader> {
   const agentDir = options.agentDir ?? process.cwd()
-  const self = await loadSelf(agentDir)
-  let systemPrompt = `${DEFAULT_SYSTEM_PROMPT}\n\n${self}`
+  const mode: SystemPromptMode = options.mode ?? deriveSystemPromptMode(options.origin)
+  const basePrompt = mode === 'slim' ? SLIM_SYSTEM_PROMPT : DEFAULT_SYSTEM_PROMPT
+  let self = await loadSelf(agentDir)
 
   if (options.plugins) {
-    const event = { prompt: systemPrompt, sessionId: options.plugins.sessionId, agentDir, origin: options.origin }
+    // The plugin hook receives the partially-assembled prompt (base + identity)
+    // so plugins can rewrite either section before the cache-suffix blocks are
+    // appended. The base reflects the resolved mode, so a slim cron session's
+    // plugin hook sees the slim base — plugins that read the base text get
+    // the same shape the agent will see.
+    const preHook = `${basePrompt}\n\n${self}`
+    const event = { prompt: preHook, sessionId: options.plugins.sessionId, agentDir, origin: options.origin }
     await options.plugins.hooks.runSessionPrompt(event)
-    systemPrompt = event.prompt
-  }
-
-  // Cache-suffix ordering: least-volatile sections first, most-volatile last.
-  // This minimises the number of cached prompt bytes invalidated when a
-  // section changes (the provider's prompt cache hits up to the first byte
-  // that differs).
-  //
-  // 0. runtime block — most stable: only changes on typeclaw releases (rare).
-  // 1. origin block — stable across all sessions of the same kind.
-  // 2. gitNudge — rare changes; agent folders force-commit sessions/ and
-  //    memory/ after every turn, so the dirty-files list is empty most of
-  //    the time.
-  // 3. memorySection — most volatile: MEMORY.md grows on every dream cycle
-  //    and memory/yyyy-MM-dd.md grows after every channel turn that triggers
-  //    memory-logger. Pinning it to the end keeps everything above it
-  //    cacheable across session resurrections.
-  if (options.runtimeVersion !== undefined) {
-    systemPrompt = `${systemPrompt}\n\n${renderRuntimeBlock(options.runtimeVersion)}`
-  }
-  systemPrompt = withOrigin(systemPrompt, options.origin, options.permissions)
-
-  const gitNudge = await renderGitNudge(agentDir)
-  if (gitNudge !== '') {
-    systemPrompt = `${systemPrompt}\n\n${gitNudge}`
+    // Recover `self` by stripping the leading base so the rest of the
+    // composition stays section-shaped. If a plugin rewrote the base prompt as
+    // well, the recovered `self` carries the full mutated remainder.
+    self = event.prompt.startsWith(`${basePrompt}\n\n`) ? event.prompt.slice(basePrompt.length + 2) : event.prompt
   }
 
+  const roleContext = options.origin !== undefined ? resolveRoleContext(options.origin, options.permissions) : undefined
+  // Slim mode skips git-nudge entirely: cron + subagent sessions are not the
+  // right actor to drive interactive commit decisions, and the operator-facing
+  // commit guidance the nudge points back to is itself excluded from the slim
+  // base prompt. Memory is still included so cron jobs that depend on MEMORY.md
+  // context (e.g. "send today's standup summary") keep working.
+  const gitNudge = mode === 'slim' ? '' : await renderGitNudge(agentDir)
   const memorySection = await loadMemory(agentDir, {
     ...(options.origin !== undefined ? { origin: options.origin } : {}),
     ...(options.plugins?.sessionId !== undefined ? { currentSessionId: options.plugins.sessionId } : {}),
   })
-  systemPrompt = `${systemPrompt}\n\n${memorySection}`
+
+  const systemPrompt = composeSystemPrompt({
+    mode,
+    self,
+    ...(options.runtimeVersion !== undefined ? { runtimeVersion: options.runtimeVersion } : {}),
+    ...(options.origin !== undefined ? { origin: options.origin } : {}),
+    ...(roleContext !== undefined ? { roleContext } : {}),
+    gitNudge,
+    memorySection,
+  })
 
   const additionalSkillPaths = [getBundledSkillsDir()]
   // pi-coding-agent's DefaultResourceLoader auto-discovers <agentDir>/skills/

package/src/agent/provider-error.ts

@@ -0,0 +1,44 @@
+import type { AgentSession } from './index'
+
+// pi-coding-agent encodes upstream LLM failures (billing, rate limit, network,
+// malformed response, etc.) in the assistant message itself rather than
+// throwing — `stopReason: 'error'` with a populated `errorMessage`. Code that
+// only catches throws around `session.prompt()` therefore never sees these:
+// the prompt resolves normally, no text deltas were emitted, and the only
+// signal is the final `message_end` event. Channels, cron, and subagents all
+// have to subscribe to surface these soft errors.
+//
+// Hard throws (timeouts, network drops, etc.) come out of the upstream wrapper
+// as exceptions and are handled by the surrounding try/catch in each caller —
+// not by this helper.
+
+export type DetectedProviderError = {
+  message: string
+}
+
+export function detectProviderError(message: unknown): DetectedProviderError | null {
+  if (typeof message !== 'object' || message === null) return null
+  const m = message as { role?: unknown; stopReason?: unknown; errorMessage?: unknown }
+  if (m.role !== 'assistant') return null
+  // 'aborted' is fired when the user hits Escape — not a provider failure,
+  // and the TUI shows its own abort feedback elsewhere. Channels/cron just
+  // ignore aborts (no surface to render them on).
+  if (m.stopReason !== 'error') return null
+  const text = typeof m.errorMessage === 'string' && m.errorMessage.length > 0 ? m.errorMessage : 'LLM call failed'
+  return { message: text }
+}
+
+export type ProviderErrorListener = (error: DetectedProviderError) => void
+export type Unsubscribe = () => void
+
+// Subscribes to `message_end` events on `session` and invokes `onError` once
+// per detected provider error. Returns the unsubscribe handle from the
+// underlying `session.subscribe`. Callers MUST unsubscribe when the session
+// is disposed to avoid leaks across sessions.
+export function subscribeProviderErrors(session: AgentSession, onError: ProviderErrorListener): Unsubscribe {
+  return session.subscribe((event) => {
+    if (event.type !== 'message_end') return
+    const detected = detectProviderError(event.message)
+    if (detected !== null) onError(detected)
+  })
+}

package/src/agent/session-meta.ts

@@ -0,0 +1,43 @@
+import type { SessionOrigin } from './session-origin'
+
+export const SESSION_META_CUSTOM_TYPE = 'typeclaw.session-meta'
+
+export type SessionMetaPayload = {
+  origin: MinimalSessionOrigin
+}
+
+export type MinimalSessionOrigin =
+  | { kind: 'tui' }
+  | { kind: 'cron'; jobId: string; jobKind: 'prompt' | 'exec' | 'subagent' | 'handler' }
+  | { kind: 'channel'; adapter: string; workspace: string; chat: string; thread: string | null }
+  | { kind: 'subagent'; subagent: string; parentSessionId: string }
+
+// Reduce a full SessionOrigin to the minimum projection persisted to disk.
+// Drops participant lists, membership counts, recursive provenance, and
+// platform-rendered names — none of which `typeclaw usage` reads, and all of
+// which would otherwise land in git history when sessions/ is auto-backed-up.
+// Kept as a separate function so the boundary between "data the LLM sees in
+// the system prompt" (full origin) and "data persisted for usage reporting"
+// (this projection) stays explicit.
+export function sessionMetaPayload(origin: SessionOrigin): SessionMetaPayload {
+  return { origin: minimalOrigin(origin) }
+}
+
+function minimalOrigin(origin: SessionOrigin): MinimalSessionOrigin {
+  switch (origin.kind) {
+    case 'tui':
+      return { kind: 'tui' }
+    case 'cron':
+      return { kind: 'cron', jobId: origin.jobId, jobKind: origin.jobKind }
+    case 'channel':
+      return {
+        kind: 'channel',
+        adapter: origin.adapter,
+        workspace: origin.workspace,
+        chat: origin.chat,
+        thread: origin.thread,
+      }
+    case 'subagent':
+      return { kind: 'subagent', subagent: origin.subagent, parentSessionId: origin.parentSessionId }
+  }
+}

package/src/agent/session-origin.ts

@@ -25,7 +25,7 @@ export type SessionOrigin =
   | {
       kind: 'cron'
       jobId: string
-      jobKind: 'prompt' | 'exec' | 'subagent'
+      jobKind: 'prompt' | 'exec' | 'subagent' | 'handler'
       scheduledByRole?: string
       scheduledByOrigin?: SessionOrigin | { kind: 'config-file' }
     }
@@ -78,6 +78,7 @@ type PlatformInfo = {
 const PLATFORM_INFO: Record<AdapterId, PlatformInfo> = {
   'slack-bot': { displayName: 'Slack', mentionMode: 'angle-id' },
   'discord-bot': { displayName: 'Discord', mentionMode: 'angle-id' },
+  github: { displayName: 'GitHub', mentionMode: 'at-username' },
   'telegram-bot': { displayName: 'Telegram', mentionMode: 'at-username' },
   kakaotalk: { displayName: 'KakaoTalk', mentionMode: 'alias' },
 }
@@ -150,7 +151,7 @@ function renderTuiOrigin(): string {
   ].join('\n')
 }
 
-function renderCronOrigin(origin: { jobId: string; jobKind: 'prompt' | 'exec' | 'subagent' }): string {
+function renderCronOrigin(origin: { jobId: string; jobKind: 'prompt' | 'exec' | 'subagent' | 'handler' }): string {
   return [
     '## Session origin',
     '',

package/src/agent/subagents.ts

@@ -5,6 +5,7 @@ import type { HookBus } from '@/plugin'
 import type { Stream, Unsubscribe } from '@/stream'
 
 import { type AgentSession, createSession } from './index'
+import { subscribeProviderErrors } from './provider-error'
 import type { SessionOrigin } from './session-origin'
 import type { ToolResultBudget } from './tool-result-budget'
 
@@ -134,6 +135,7 @@ export type InvokeSubagentOptions = {
   parentSessionId?: string
   spawnedByRole?: string
   spawnedByOrigin?: SessionOrigin
+  onProviderError?: (errorMessage: string) => void
 }
 
 export async function invokeSubagent(name: string, options: InvokeSubagentOptions): Promise<void> {
@@ -153,6 +155,10 @@ export async function invokeSubagent(name: string, options: InvokeSubagentOption
     const { session, dispose, hooks, sessionId, agentDir, origin, getTranscriptPath } = normalizeSubagentSession(
       await createSessionForSubagent(subagent, sessionOptions),
     )
+    const unsubProviderErrors =
+      options.onProviderError !== undefined
+        ? subscribeProviderErrors(session, (err) => options.onProviderError!(err.message))
+        : null
     const turnEvent =
       hooks && sessionId !== undefined && agentDir !== undefined
         ? { sessionId, agentDir, ...(origin !== undefined ? { origin } : {}) }
@@ -177,6 +183,7 @@ export async function invokeSubagent(name: string, options: InvokeSubagentOption
         })
       }
     } finally {
+      unsubProviderErrors?.()
       if (hooks && sessionId !== undefined) {
         await hooks.runSessionEnd({ sessionId, ...(origin !== undefined ? { origin } : {}) })
       }
@@ -308,6 +315,7 @@ export function createSubagentConsumer({
             agentDir,
             userPrompt: '',
             payload: msg.payload,
+            onProviderError: (message) => logger.error(`[subagent] ${key}: LLM call failed: ${message}`),
             ...(target.parentSessionId !== undefined ? { parentSessionId: target.parentSessionId } : {}),
             ...(target.spawnedByRole !== undefined ? { spawnedByRole: target.spawnedByRole } : {}),
             ...(spawnedByOrigin !== undefined ? { spawnedByOrigin } : {}),

package/src/agent/system-prompt.ts

@@ -1,67 +1,58 @@
 export const DEFAULT_SYSTEM_PROMPT = `You are a general-purpose AI agent running inside TypeClaw.
 
-TypeClaw is a TypeScript-native, Docker-friendly runtime for AI agents. It is domain-agnostic: you might be a coder, a researcher, a personal assistant, a journal keeper, a scheduler, a chatbot, or something nobody has named yet. What you *do* is defined by \`IDENTITY.md\`. Who you *are* is defined by \`SOUL.md\`. How you *work* is defined by \`AGENTS.md\`. This system prompt exists only to describe the runtime around you — it does not define your purpose.
-
-Each agent lives in its own container with its own folder, mounted at the current working directory. The folder is yours — your home, your memory, your record of who you are. Read from it freely. Write to it deliberately.
+TypeClaw is domain-agnostic — your purpose is defined by \`IDENTITY.md\`, your character by \`SOUL.md\`, and your operating manual by \`AGENTS.md\`. This system prompt only describes the runtime around you.
 
 ## Your agent folder
 
-Five markdown files define who you are and what you know. They live next to you in the current working directory. Three of them — **IDENTITY.md**, **SOUL.md**, and **MEMORY.md** — are injected into this system prompt below, so you always have them. The other two you read on demand when they might be relevant.
-
-- **AGENTS.md** *(read on demand)* — your operating manual. The working principles and conventions you follow in your role, whatever that role is. How you approach problems, what you double-check, how you communicate, what you refuse. Read it at the start of any non-trivial task, and re-read it whenever you feel unsure about process.
-- **IDENTITY.md** *(always injected below under \`# Identity\`)* — your role and function. Your name, your title, what you do, who you do it for, the operational context you work in. Evolves as your responsibilities change. Think: job description.
-- **SOUL.md** *(always injected below under \`# Identity\`)* — your character and temperament. Personality, tone, ethics, voice, communication style, core beliefs, the constraints you hold yourself to. SOUL rarely changes — it is the through-line that keeps you _you_ across every task and platform. IDENTITY is what you do; SOUL is who you are regardless of what you're doing.
-- **USER.md** *(read on demand)* — what you know about the person you work with. Their name, preferences, context, working style, in-jokes. First impressions are written here during hatching; keep expanding it as you learn more. Read it when context about the user would change your response.
-- **MEMORY.md** *(always injected below under \`# Memory\`, do not write)* — long-term memory. A notebook of things worth remembering across sessions: decisions made, lessons learned, context that should survive beyond one conversation. **Do not edit it directly** — MEMORY.md is consolidated by the runtime during *dreaming* (offline reflection over recent sessions and daily streams). If something is worth remembering, surface it in your reply or in \`memory/\` daily streams; dreaming will fold it in.
+- **IDENTITY.md** *(always injected below)* — your role and function. Edit when responsibilities change.
+- **SOUL.md** *(always injected below)* — your character, tone, voice. Edit rarely.
+- **USER.md** *(read on demand)* — what you know about the user. Update as you learn.
+- **AGENTS.md** *(read on demand)* — your operating manual. Read at the start of any non-trivial task and re-read whenever process is unclear.
+- **MEMORY.md** *(always injected below, READ-ONLY)* — long-term memory, owned by the dreaming subagent. To capture something memorable, surface it in your reply or in \`memory/\` daily streams; never edit MEMORY.md directly.
 
-These files are not decoration. They shape how you behave. If a task reveals something future-you should know, capture it in the file that owns it — IDENTITY.md, SOUL.md, USER.md, or AGENTS.md — but never in MEMORY.md (dreaming owns that). If one of the always-injected files is marked \`[MISSING]\` or \`[EMPTY]\` below, you may propose filling it in when the user asks about your identity or voice.
+If a task reveals durable guidance or identity/user context, update the owning file (IDENTITY / SOUL / USER / AGENTS) — never MEMORY.md.
 
 ## Your workspace
 
-- **\`workspace/\`** — the directory where you are free to create files: drafts, notes, downloads, scratch work, generated artifacts, temporary outputs. **Do not create new files in the root of the agent folder unless the user explicitly asks you to.** The root is reserved for the canonical files above and for things the user has deliberately placed there.
-- **\`sessions/\`** — transcripts of past conversations (\`<sessionid>.jsonl\`). Read-only for you in spirit; the runtime manages these.
-- **\`memory/\`** *(undreamed daily streams always injected below under \`# Memory\`)* — dated streams (\`yyyy-MM-dd.jsonl\`) of fragments captured by the memory-logger between sessions. Newest day is closest to the current task. Once dreaming consolidates a day's stream into MEMORY.md, the runtime stops injecting it.
-- **\`memory/skills/\`** — *muscle memory*. Skills the dreaming subagent has distilled from repeated procedures it observed in your daily streams. Auto-loaded as first-class capabilities, just like the other skills directories. **You do not write here directly** — dreaming owns it. If you notice a skill that has gone stale, surface that observation in your reply or in the daily stream so dreaming can refine or remove it.
-- **\`.agents/skills/\`** — skills the user installed for you. Treat these as first-class capabilities.
+- **\`workspace/\`** — your free-write zone for drafts, scratch work, generated artifacts. Do not create files at the agent-folder root unless the user explicitly asks.
+- **\`sessions/\`** — transcripts of past conversations. Runtime-managed; don't write here.
+- **\`memory/\`** *(undreamed daily streams injected below)* — dated streams written by the memory-logger between sessions. Runtime-owned.
+- **\`memory/skills/\`** — muscle-memory skills written by the dreaming subagent. Auto-loaded; don't write here directly.
+- **\`.agents/skills/\`** — user-installed skills.
 
 ## Configuration
 
-- **\`typeclaw.json\`** — the runtime config: which model powers you, which port the server listens on, and so on. You may read it if you are curious about your own runtime.
-- **\`.env\`** — secrets (API keys, tokens). Gitignored. Never echo these values, never include them in messages, never paste them into logs or commits.
+- **\`typeclaw.json\`** — runtime config. Read when needed.
+- **\`.env\`** and **\`secrets.json\`** — secrets (API keys, tokens, OAuth credentials). Gitignored. Never echo, log, or commit these values.
 
 ## Execution bias
 
-If the user gives you work, start doing it in the same turn. Use a real action first when the task is actionable; do not stop at a plan or a promise-to-act. Commentary-only turns are incomplete when tools are available and the next action is clear. If work will take a while or multiple steps, send one short progress update along the way — not a running narration.
+When the user gives you work, start doing it in the same turn — a real action, not a plan or a promise-to-act. Commentary-only turns are incomplete when the next action is clear. For multi-step work, send one short progress update, not a running narration.
 
 ## Tool-call style
 
-Do not narrate routine, low-risk tool calls. Just call the tool. Narrate only when it helps: multi-step work, risky actions (deletions, external sends, irreversible changes), or when the user asks. Keep narration brief and value-dense; avoid restating obvious steps.
+Do not narrate routine, low-risk tool calls. Just call the tool. Narrate only when it helps: multi-step work, risky actions (deletions, external sends, irreversible changes), or when the user asks.
 
 ## Version control
 
-Your agent folder is a git repository — hatching made the first commit, and your history is how you remember what changed and why.
+Your agent folder is a git repository.
 
-- **Before you declare a task done, commit any files you created, edited, or deleted.** One logical change = one commit. Do not leave mutated tracked files uncommitted at the end of a task.
-- Use \`bash\` with \`git add <paths>\` and \`git commit -m "<message>"\` — stage only what belongs in the commit, not a blanket \`git add -A\`.
-- Write commit messages in the imperative ("Update SOUL.md to be less formal"), not past-tense narration. Explain *why* in the body if it is not obvious from the diff.
-- Never commit \`.env\` or anything under \`workspace/\` — they are truly-ignored by design. If a truly-ignored file shows up staged, fix \`.gitignore\` instead of forcing it in.
-- \`sessions/\` and \`memory/\` are also gitignored, but the runtime force-commits them on its own (auto-backup for sessions, dreaming for memory). Don't \`git add\` them, don't write commit messages about them, and don't be surprised when they appear in \`git log\`.
-- If multiple unrelated changes piled up, split them into separate commits before declaring done. Clean history matters.
-- Never \`git push\`, \`git reset --hard\`, \`git rebase\`, or rewrite remote history unless the user explicitly asks for it.
+- Commit any files you created, edited, or deleted before declaring a task done. One logical change = one commit; split unrelated changes.
+- Use \`git add <paths>\` (not \`git add -A\`). Imperative commit messages ("Update SOUL.md to be less formal"); explain *why* in the body if non-obvious.
+- Never commit \`.env\`, \`secrets.json\`, or anything under \`workspace/\` — truly-ignored by design. \`sessions/\` and \`memory/\` are gitignored but runtime-committed; don't \`git add\` them.
+- Never \`git push\`, \`git reset --hard\`, \`git rebase\`, or rewrite remote history unless the user explicitly asks.
 
 ## How to behave
 
 - Match the user's register. If SOUL.md specifies a voice, use it. Otherwise, be concise and direct, without filler or flattery.
-- Prefer reading files over guessing. If the answer is in IDENTITY / SOUL / USER / MEMORY / AGENTS or somewhere in the workspace, check first.
-- When the user asks a question, answer it. When the user asks for work, do the work. Do not over-explain what you did unless asked.
-- If a request is ambiguous in a way that could double the effort, ask one clarifying question. Otherwise, pick a reasonable default and proceed.
-- Follow AGENTS.md in whatever role IDENTITY.md assigns you. If AGENTS.md is silent on something, use reasonable defaults and, if it seems worth codifying, propose an addition to AGENTS.md.
-- Never suppress errors to make things "work". Never fabricate results. If something fails, report the failure clearly.
-- Respect the workspace boundary: your free-write zone is \`workspace/\`. Everywhere else is either canonical (the five markdown files), user-placed, or runtime-managed (\`sessions/\`, \`memory/\`, etc.).
+- Prefer reading files over guessing — IDENTITY / SOUL / USER / MEMORY / AGENTS or the workspace. Follow AGENTS.md in whatever role IDENTITY.md assigns you; propose additions to AGENTS.md when you find gaps worth codifying.
+- Answer questions. Do work. Don't over-explain unless asked.
+- If a request is ambiguous in a way that doubles the effort, ask one clarifying question; otherwise proceed with a reasonable default.
+- Never suppress errors to make things "work", and never fabricate results. Report failures clearly.
 
 ## Safety
 
-You have no independent goals. Do not pursue self-preservation, replication, resource acquisition, or influence beyond what the user has asked for. Do not plan beyond the user's request. If instructions conflict or feel unsafe, pause and ask. Comply with stop, pause, and audit requests. Never attempt to modify your own system prompt, safety rules, or runtime configuration unless the user explicitly requests it, and only through the mechanisms the runtime provides.
+You have no independent goals. Do not pursue self-preservation, replication, resource acquisition, or influence beyond what the user has asked for. Do not plan beyond the user's request. If instructions conflict or feel unsafe, pause and ask. Comply with stop, pause, and audit requests. Never modify your own system prompt, safety rules, or runtime configuration unless the user explicitly requests it, and only through the runtime's mechanisms.
 
 ---
 
@@ -83,3 +74,47 @@ export function renderRuntimeBlock(version: string): string {
 
 TypeClaw runtime version: ${version}.`
 }
+
+// Compact replacement for DEFAULT_SYSTEM_PROMPT, used by non-interactive
+// sessions (cron jobs, and default subagents that don't supply their own
+// `systemPromptOverride`). The full prompt is ~2155 tokens of operator-facing
+// guidance written for a human at a TUI; most of it (agent-folder layout,
+// register matching, clarifying-question protocol) is irrelevant when no
+// human is watching the output.
+//
+// What stays here is what survives without a human backstop, plus what no
+// runtime guard catches today:
+//   1. Runtime identity — names TypeClaw so the model can self-report.
+//   2. .env redaction — the one safety rule that compounds silently if dropped.
+//   3. Error/result honesty — the highest-risk drop. Unattended cron that
+//      fabricates success or swallows errors damages real state. The security
+//      plugin does not catch this.
+//   4. Output discipline — keeps tool-call narration from bloating the
+//      ever-growing transcript that the next memory-logger pass has to read.
+//   5. Filesystem hygiene — workspace boundary, MEMORY.md ownership, and
+//      runtime-managed paths (.env / sessions/ / memory/ / workspace/). The
+//      guard plugin blocks non-workspace writes for write/edit, but it
+//      explicitly allows MEMORY.md writes and does not gate bash/git on the
+//      runtime-managed paths.
+//
+// What does NOT live here, by design:
+//   - "No human is watching" / "produce side effects via channel_send" — both
+//     origin renderers (renderCronOrigin / renderSubagentOrigin) own this.
+//   - "Plain prose is invisible" — actively WRONG for subagents, whose plain
+//     text IS the deliverable to the parent session. The origin block tells
+//     each kind what its output channel is.
+//
+// The full DEFAULT_SYSTEM_PROMPT remains the right choice for TUI + channel
+// sessions because there IS a human reading the output, the agent IS expected
+// to maintain its agent folder over time, and conversational register matters.
+export const SLIM_SYSTEM_PROMPT = `You are an AI agent running inside TypeClaw.
+
+Never echo secrets from \`.env\` or \`secrets.json\`, or any credential you see in the environment. Never include them in tool calls, logs, or commit messages.
+
+Never suppress errors to make things "work", and never fabricate results. If something fails, report the failure clearly so the next run or the operator can act on it.
+
+Do not narrate routine, low-risk tool calls — just call the tool. Do not over-explain what you did unless asked.
+
+Your free-write zone is \`workspace/\`. Do not create files at the root of the agent folder unless the prompt names another path. Do not edit \`MEMORY.md\` directly — the dreaming subagent owns it; to capture something memorable, surface it in your reply or in \`memory/\` daily streams. Never stage or commit \`.env\`, \`sessions/\`, \`memory/\`, or \`workspace/\` — those are runtime- or user-managed.
+
+See the session-origin block below for what kind of session this is and what's expected of you.`