typeclaw 0.3.1 → 0.5.0

package/src/cli/channel.ts

@@ -1,3 +1,6 @@
+import { randomBytes } from 'node:crypto'
+import { readFile } from 'node:fs/promises'
+
 import { cancel, confirm, intro, isCancel, log, note, password, select, spinner, text } from '@clack/prompts'
 import { defineCommand } from 'citty'
 
@@ -6,11 +9,17 @@ import { start, status, stop } from '@/container'
 import {
   CHANNEL_KINDS,
   findAgentDir,
+  formatEagerGithubWebhookInstallResult,
   isInitialized,
   readConfiguredChannels,
+  readGithubAuthType,
   runAddChannel,
+  setChannelSecrets,
+  setGithubSecrets,
   type AddChannelStepEvent,
   type ChannelKind,
+  type GithubCredentialPatch,
+  type GithubTunnelProvider,
   type KakaotalkAuthResult,
 } from '@/init'
 import { runKakaotalkBootstrap } from '@/init/kakaotalk-auth'
@@ -23,6 +32,7 @@ const CHANNEL_LABELS: Record<ChannelKind, string> = {
   'discord-bot': 'Discord',
   'telegram-bot': 'Telegram',
   kakaotalk: 'KakaoTalk',
+  github: 'GitHub',
 }
 
 const addSub = defineCommand({
@@ -60,6 +70,11 @@ const addSub = defineCommand({
         ...credentials,
         onProgress: reportProgress(events),
       })
+      if (credentials.channel === 'github' && credentials.tunnelProvider === 'none') {
+        log.warn(
+          'Webhook delivery is disabled until you add a `tunnels[]` entry or set `channels.github.webhookUrl` manually.',
+        )
+      }
     } catch (error) {
       console.error(errorLine(error instanceof Error ? error.message : String(error)))
       process.exit(1)
@@ -69,11 +84,58 @@ const addSub = defineCommand({
   },
 })
 
-// Only adapters with an interactive credential flow appear here. Bot tokens
-// (Discord/Slack/Telegram) are rotated by editing secrets.json or .env
-// directly — they don't need a guided CLI flow because there's no
-// passcode-on-phone equivalent. KakaoTalk is the only adapter that does, so
-// it's the only adapter that needs `reauth`.
+// Adapters whose credentials are rotated via the generic `channel set` flow:
+// one or more named token fields, no passcode-on-phone, no encryption envelope.
+// KakaoTalk is excluded by design — it has its own `channel reauth` flow that
+// replays the full interactive login (see REAUTHABLE_ADAPTERS below). GitHub
+// is included here but routed through its own prompt path because it has
+// three independent secrets (PAT or App private key + webhook secret) and a
+// structural auth-type flip is forbidden during rotation.
+const SETTABLE_ADAPTERS = ['slack-bot', 'discord-bot', 'telegram-bot', 'github'] as const
+type SettableAdapter = (typeof SETTABLE_ADAPTERS)[number]
+
+const setSub = defineCommand({
+  meta: {
+    name: 'set',
+    description: 'rotate credentials of an already-configured channel adapter (symmetric with `typeclaw provider set`)',
+  },
+  args: {
+    adapter: {
+      type: 'positional',
+      description: `which adapter to rotate (${SETTABLE_ADAPTERS.join(' | ')}); omit to pick interactively`,
+      required: false,
+    },
+  },
+  async run({ args }) {
+    const cwd = findAgentDir(process.cwd()) ?? process.cwd()
+
+    if (!isInitialized(cwd)) {
+      console.error(errorLine('TypeClaw config file not found. Run `typeclaw init` first, or cd into an agent folder.'))
+      process.exit(1)
+    }
+
+    const configured = await readConfiguredChannels(cwd)
+
+    if (args.adapter === 'kakaotalk') {
+      console.error(
+        errorLine(
+          'KakaoTalk uses an interactive auth flow (phone passcode + device_uuid). Use `typeclaw channel reauth kakaotalk` to rotate its credentials.',
+        ),
+      )
+      process.exit(1)
+    }
+
+    const adapter =
+      args.adapter === undefined
+        ? await pickSettableAdapter(configured)
+        : validateSetAdapterArg(args.adapter, configured)
+
+    intro(`Rotating channel: ${CHANNEL_LABELS[adapter]}`)
+
+    await runSet(cwd, adapter)
+  },
+})
+
 const REAUTHABLE_ADAPTERS = ['kakaotalk'] as const
 type ReauthableAdapter = (typeof REAUTHABLE_ADAPTERS)[number]
 
@@ -114,6 +176,7 @@ export const channelCommand = defineCommand({
   },
   subCommands: {
     add: addSub,
+    set: setSub,
     reauth: reauthSub,
   },
 })
@@ -220,11 +283,18 @@ async function readExistingKakaotalkEmail(cwd: string): Promise<string | undefin
 // We can't reliably distinguish the last two cases from outside the container
 // without calling reload first, so the next-step hints surface both paths.
 async function maybePromptReauthRefresh(cwd: string, adapter: ReauthableAdapter): Promise<void> {
-  const label = CHANNEL_LABELS[adapter]
+  await maybePromptCredentialRefresh(cwd, CHANNEL_LABELS[adapter], 're-authenticated')
+}
+
+async function maybePromptCredentialRefresh(
+  cwd: string,
+  label: string,
+  verbPast: 're-authenticated' | 'credentials updated',
+): Promise<void> {
   const current = await status({ cwd }).catch(() => null)
   if (current === null || current.kind !== 'running') {
     done({
-      title: c.green(`${label} re-authenticated.`),
+      title: c.green(`${label} ${verbPast}.`),
       hints: [
         { label: 'Start the agent:', command: 'typeclaw start' },
         { label: 'Then check status:', command: 'typeclaw status' },
@@ -240,7 +310,7 @@ async function maybePromptReauthRefresh(cwd: string, adapter: ReauthableAdapter)
   })
   if (isCancel(restartNow) || !restartNow) {
     done({
-      title: c.green(`${label} re-authenticated.`),
+      title: c.green(`${label} ${verbPast}.`),
       hints: [
         { label: 'Try a live reload first:', command: 'typeclaw reload' },
         { label: 'If reload reports restart-required:', command: 'typeclaw restart' },
@@ -260,9 +330,7 @@ async function maybePromptReauthRefresh(cwd: string, adapter: ReauthableAdapter)
     process.exit(1)
   }
   done({
-    title: c.green(
-      `${label} re-authenticated. Restarted ${started.plan.containerName} on host port ${started.hostPort}.`,
-    ),
+    title: c.green(`${label} ${verbPast}. Restarted ${started.plan.containerName} on host port ${started.hostPort}.`),
     hints: [
       { label: 'Attach TUI:', command: 'typeclaw tui' },
       { label: 'Follow logs:', command: 'typeclaw logs -f' },
@@ -309,11 +377,232 @@ async function pickChannel(configured: Set<ChannelKind>): Promise<ChannelKind> {
   return selected
 }
 
+function isSettableAdapter(value: string): value is SettableAdapter {
+  return (SETTABLE_ADAPTERS as ReadonlyArray<string>).includes(value)
+}
+
+function validateSetAdapterArg(adapter: string, configured: Set<ChannelKind>): SettableAdapter {
+  if (!isSettableAdapter(adapter)) {
+    if (isChannelKind(adapter)) {
+      console.error(
+        errorLine(
+          `Adapter "${adapter}" does not support \`channel set\`. Use \`typeclaw channel reauth ${adapter}\` instead.`,
+        ),
+      )
+    } else {
+      console.error(errorLine(`Unknown adapter "${adapter}". Expected one of: ${SETTABLE_ADAPTERS.join(', ')}.`))
+    }
+    process.exit(1)
+  }
+  if (!configured.has(adapter)) {
+    console.error(
+      errorLine(
+        `${CHANNEL_LABELS[adapter]} ("${adapter}") is not configured in typeclaw.json. Run \`typeclaw channel add ${adapter}\` first.`,
+      ),
+    )
+    process.exit(1)
+  }
+  return adapter
+}
+
+async function pickSettableAdapter(configured: Set<ChannelKind>): Promise<SettableAdapter> {
+  const available = SETTABLE_ADAPTERS.filter((kind) => configured.has(kind))
+  if (available.length === 0) {
+    console.error(
+      errorLine(
+        'No rotatable channels are configured. Run `typeclaw channel add <adapter>` first, or use `typeclaw channel reauth kakaotalk` for KakaoTalk.',
+      ),
+    )
+    process.exit(1)
+  }
+  if (available.length === 1) return available[0]!
+
+  const selected = await select<SettableAdapter>({
+    message: 'Pick a channel to rotate credentials for',
+    options: available.map((kind) => ({ value: kind, label: CHANNEL_LABELS[kind] })),
+    initialValue: available[0],
+  })
+  if (isCancel(selected)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  return selected
+}
+
+async function runSet(cwd: string, adapter: SettableAdapter): Promise<void> {
+  switch (adapter) {
+    case 'discord-bot':
+      await runSetDiscord(cwd)
+      break
+    case 'telegram-bot':
+      await runSetTelegram(cwd)
+      break
+    case 'slack-bot':
+      await runSetSlack(cwd)
+      break
+    case 'github':
+      await runSetGithub(cwd)
+      break
+  }
+}
+
+async function runSetDiscord(cwd: string): Promise<void> {
+  const token = await promptDiscordToken()
+  const result = await setChannelSecrets(cwd, 'discord-bot', { token })
+  if (!result.ok) {
+    console.error(errorLine(result.reason))
+    process.exit(1)
+  }
+  await maybePromptCredentialRefresh(cwd, CHANNEL_LABELS['discord-bot'], 'credentials updated')
+}
+
+async function runSetTelegram(cwd: string): Promise<void> {
+  const token = await promptTelegramToken()
+  const result = await setChannelSecrets(cwd, 'telegram-bot', { token })
+  if (!result.ok) {
+    console.error(errorLine(result.reason))
+    process.exit(1)
+  }
+  await maybePromptCredentialRefresh(cwd, CHANNEL_LABELS['telegram-bot'], 'credentials updated')
+}
+
+type SlackSetChoice = 'bot' | 'app' | 'both'
+
+async function runSetSlack(cwd: string): Promise<void> {
+  note(
+    [
+      'Rotate at https://api.slack.com/apps → your app:',
+      '  Bot token  (xoxb-...) — OAuth & Permissions → Reset Token.',
+      '  App-level token (xapp-...) — Basic Information → App-Level Tokens → Revoke and regenerate.',
+      'Slack only shows the app-level token once on screen — copy it before closing.',
+    ].join('\n'),
+    'Rotate the Slack tokens',
+  )
+  const choice = await select<SlackSetChoice>({
+    message: 'Which Slack token do you want to rotate?',
+    options: [
+      { value: 'bot', label: 'Bot user token (xoxb-...) — used to post messages as the bot (recommended)' },
+      { value: 'app', label: 'App-level token (xapp-...) — required for Socket Mode' },
+      { value: 'both', label: 'Both tokens — rotate the bot token and the app-level token' },
+    ],
+    initialValue: 'bot',
+  })
+  if (isCancel(choice)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+
+  const tokens: Record<string, string> = {}
+  if (choice === 'bot' || choice === 'both') tokens.botToken = await promptSlackBotToken()
+  if (choice === 'app' || choice === 'both') tokens.appToken = await promptSlackAppToken()
+
+  const result = await setChannelSecrets(cwd, 'slack-bot', tokens)
+  if (!result.ok) {
+    console.error(errorLine(result.reason))
+    process.exit(1)
+  }
+  await maybePromptCredentialRefresh(cwd, CHANNEL_LABELS['slack-bot'], 'credentials updated')
+}
+
+type GithubSetChoice = 'auth' | 'webhook' | 'both'
+
+async function runSetGithub(cwd: string): Promise<void> {
+  const authType = readGithubAuthType(cwd)
+  if (authType === null) {
+    console.error(
+      errorLine(
+        'GitHub auth block is missing or malformed in secrets.json. Run `typeclaw channel add github` first, or fix the file by hand.',
+      ),
+    )
+    process.exit(1)
+  }
+  const authLabel =
+    authType === 'pat'
+      ? 'Personal access token (PAT) — the authentication credential (recommended)'
+      : 'GitHub App private key — the authentication credential (recommended)'
+  const choice = await select<GithubSetChoice>({
+    message: 'Which GitHub secret do you want to rotate?',
+    options: [
+      { value: 'auth', label: authLabel },
+      { value: 'webhook', label: 'Webhook secret — shared secret for verifying GitHub payloads' },
+      { value: 'both', label: 'Both secrets — rotate the auth credential and the webhook secret' },
+    ],
+    initialValue: 'auth',
+  })
+  if (isCancel(choice)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+
+  const patch: GithubCredentialPatch = {}
+
+  if (choice === 'auth' || choice === 'both') {
+    if (authType === 'pat') {
+      note(
+        [
+          'Rotate at https://github.com/settings/personal-access-tokens.',
+          'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
+          'Metadata read, and Webhooks read/write.',
+        ].join('\n'),
+        'Rotate the GitHub PAT',
+      )
+      const { pat } = await promptGithubPatAuth()
+      patch.auth = { type: 'pat', pat }
+    } else {
+      note(
+        [
+          'Rotate at https://github.com/settings/apps/<your-app> → Private keys → Generate a private key.',
+          'GitHub immediately downloads the new .pem. The previous key keeps working until you delete it,',
+          'so it is safe to rotate without downtime.',
+        ].join('\n'),
+        'Rotate the GitHub App private key',
+      )
+      const privateKeyInput = await text({
+        message: 'New GitHub App private key PEM, escaped PEM, or path to .pem file',
+        validate: (value) => (value && value.length > 0 ? undefined : 'Private key is required'),
+      })
+      if (isCancel(privateKeyInput)) {
+        cancel('Aborted.')
+        process.exit(0)
+      }
+      patch.auth = { type: 'app', privateKey: await resolvePrivateKeyInput(privateKeyInput) }
+    }
+  }
+
+  if (choice === 'webhook' || choice === 'both') {
+    const secret = await password({
+      message: 'New webhook secret (leave blank to auto-generate)',
+    })
+    if (isCancel(secret)) {
+      cancel('Aborted.')
+      process.exit(0)
+    }
+    const enteredSecret = typeof secret === 'string' ? secret : ''
+    patch.webhookSecret = enteredSecret.length > 0 ? enteredSecret : randomBytes(32).toString('hex')
+  }
+
+  const result = await setGithubSecrets(cwd, patch)
+  if (!result.ok) {
+    console.error(errorLine(result.reason))
+    process.exit(1)
+  }
+  await maybePromptCredentialRefresh(cwd, CHANNEL_LABELS.github, 'credentials updated')
+}
+
 type CollectedCredentials =
   | { channel: 'discord-bot'; discordBotToken: string }
   | { channel: 'slack-bot'; slackBotToken: string; slackAppToken: string }
   | { channel: 'telegram-bot'; telegramBotToken: string }
   | { channel: 'kakaotalk'; runKakaotalkAuth: (options: { cwd: string }) => Promise<KakaotalkAuthResult> }
+  | {
+      channel: 'github'
+      webhookSecret: string
+      tunnelProvider: GithubTunnelProvider
+      webhookUrl?: string
+      webhookPort?: number
+      repos: string[]
+      auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
+    }
 
 async function collectCredentials(channel: ChannelKind): Promise<CollectedCredentials> {
   switch (channel) {
@@ -338,9 +627,192 @@ async function collectCredentials(channel: ChannelKind): Promise<CollectedCreden
           }),
       }
     }
+    case 'github': {
+      const creds = await promptGithubCredentials()
+      return { channel, ...creds }
+    }
   }
 }
 
+async function promptGithubCredentials(): Promise<{
+  webhookSecret: string
+  tunnelProvider: GithubTunnelProvider
+  webhookUrl?: string
+  webhookPort?: number
+  repos: string[]
+  auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
+}> {
+  note(
+    [
+      'Choose PAT auth for a quick setup, or GitHub App auth for expiring installation tokens.',
+      'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
+      'Metadata read, and Webhooks read/write (TypeClaw will create and manage the repository webhooks for you).',
+    ].join('\n'),
+    'Get GitHub credentials',
+  )
+  const authType = await select({
+    message: 'GitHub authentication type',
+    options: [
+      { value: 'pat', label: 'Fine-grained personal access token' },
+      { value: 'app', label: 'GitHub App installation token' },
+    ],
+  })
+  if (isCancel(authType)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  const auth = authType === 'pat' ? await promptGithubPatAuth() : await promptGithubAppAuth()
+  note('GitHub webhooks need a public URL. TypeClaw can manage a tunnel for you.', 'GitHub webhook tunnel')
+  const tunnelProvider = await select<GithubTunnelProvider>({
+    message: 'Tunnel provider',
+    options: [
+      {
+        value: 'cloudflare-quick',
+        label: 'Cloudflare Quick Tunnel — no signup, URL rotates on restart (recommended)',
+      },
+      { value: 'external', label: 'External URL — I have my own reverse proxy / tunnel' },
+      { value: 'none', label: 'None — configure later by hand-editing typeclaw.json' },
+    ],
+    initialValue: 'cloudflare-quick',
+  })
+  if (isCancel(tunnelProvider)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  const webhookUrl =
+    tunnelProvider === 'external'
+      ? await text({
+          message: 'Public webhook URL (GitHub will POST events here)',
+          validate: (value) => validateUrl(value ?? '', 'Webhook URL is required'),
+        })
+      : undefined
+  if (isCancel(webhookUrl)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  const port = await text({
+    message: 'Local webhook port inside the agent container',
+    initialValue: '8975',
+    validate: (value) => {
+      const parsed = Number(value)
+      return Number.isInteger(parsed) && parsed > 0 ? undefined : 'Port must be a positive integer'
+    },
+  })
+  if (isCancel(port)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  const secret = await password({
+    message: 'Webhook secret (leave blank to auto-generate)',
+  })
+  if (isCancel(secret)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  // clack's password() returns `undefined` on an empty submission (it has no
+  // validate guard and never coerces to ''), so we normalize before the
+  // length checks below to avoid a TypeError on the "leave blank" path.
+  const enteredSecret = typeof secret === 'string' ? secret : ''
+  const reposRaw = await text({
+    message: 'Repositories to allow (comma-separated owner/repo)',
+    validate: (value) => (parseRepos(value ?? '').length > 0 ? undefined : 'At least one owner/repo is required'),
+  })
+  if (isCancel(reposRaw)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  const resolvedSecret = enteredSecret.length > 0 ? enteredSecret : randomBytes(32).toString('hex')
+  return {
+    webhookSecret: resolvedSecret,
+    tunnelProvider,
+    ...(webhookUrl !== undefined ? { webhookUrl } : {}),
+    webhookPort: Number(port),
+    repos: parseRepos(reposRaw),
+    auth,
+  }
+}
+
+async function promptGithubPatAuth(): Promise<{ type: 'pat'; pat: string }> {
+  const pat = await password({
+    message: 'GitHub fine-grained PAT',
+    validate: (value) => (value && value.length > 0 ? undefined : 'PAT is required'),
+  })
+  if (isCancel(pat)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  return { type: 'pat', pat }
+}
+
+async function promptGithubAppAuth(): Promise<{
+  type: 'app'
+  appId: number
+  privateKey: string
+  installationId?: number
+}> {
+  const appId = await text({
+    message: 'GitHub App ID',
+    validate: (value) => validatePositiveInteger(value ?? '', 'App ID is required'),
+  })
+  if (isCancel(appId)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  const privateKeyInput = await text({
+    message: 'GitHub App private key PEM, escaped PEM, or path to .pem file',
+    validate: (value) => (value && value.length > 0 ? undefined : 'Private key is required'),
+  })
+  if (isCancel(privateKeyInput)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  const installationId = await text({
+    message: 'Installation ID (optional; leave blank to auto-discover)',
+    validate: (value) =>
+      value === undefined || value === '' ? undefined : validatePositiveInteger(value, 'Installation ID is required'),
+  })
+  if (isCancel(installationId)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  const parsedInstallationId = installationId === '' ? undefined : Number(installationId)
+  return {
+    type: 'app',
+    appId: Number(appId),
+    privateKey: await resolvePrivateKeyInput(privateKeyInput),
+    ...(parsedInstallationId !== undefined ? { installationId: parsedInstallationId } : {}),
+  }
+}
+
+async function resolvePrivateKeyInput(input: string): Promise<string> {
+  const normalized = input.replace(/\\n/g, '\n')
+  if (normalized.includes('-----BEGIN') && normalized.includes('PRIVATE KEY-----')) return normalized
+  return await readFile(input, 'utf8')
+}
+
+function parseRepos(input: string): string[] {
+  return input
+    .split(',')
+    .map((v) => v.trim())
+    .filter((v) => /^[^\s/]+\/[^\s/]+$/.test(v))
+}
+
+function validateUrl(value: string, requiredMessage: string): string | undefined {
+  if (!value || value.length === 0) return requiredMessage
+  try {
+    new URL(value)
+    return undefined
+  } catch {
+    return 'Must be a valid URL'
+  }
+}
+
+function validatePositiveInteger(value: string, requiredMessage: string): string | undefined {
+  if (!value || value.length === 0) return requiredMessage
+  const parsed = Number(value)
+  return Number.isInteger(parsed) && parsed > 0 ? undefined : 'Must be a positive integer'
+}
+
 async function promptDiscordToken(): Promise<string> {
   note(
     [
@@ -406,19 +878,7 @@ async function promptSlackTokens(): Promise<{ bot: string; app: string }> {
     ].join('\n'),
     'Get a Slack bot',
   )
-  const botToken = await password({
-    message: 'Slack bot token (xoxb-...)',
-    validate: (value) =>
-      value && value.length > 0
-        ? value.startsWith('xoxb-')
-          ? undefined
-          : 'Bot token must start with "xoxb-"'
-        : 'Token is required',
-  })
-  if (isCancel(botToken)) {
-    cancel('Aborted.')
-    process.exit(0)
-  }
+  const bot = await promptSlackBotToken()
   note(
     [
       'Slack does not accept connections:write inside the manifest, so',
@@ -432,6 +892,28 @@ async function promptSlackTokens(): Promise<{ bot: string; app: string }> {
     ].join('\n'),
     'Generate the Slack app-level token',
   )
+  const app = await promptSlackAppToken()
+  return { bot, app }
+}
+
+async function promptSlackBotToken(): Promise<string> {
+  const botToken = await password({
+    message: 'Slack bot token (xoxb-...)',
+    validate: (value) =>
+      value && value.length > 0
+        ? value.startsWith('xoxb-')
+          ? undefined
+          : 'Bot token must start with "xoxb-"'
+        : 'Token is required',
+  })
+  if (isCancel(botToken)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  return botToken
+}
+
+async function promptSlackAppToken(): Promise<string> {
   const appToken = await password({
     message: 'Slack app-level token (xapp-...) — Socket Mode requires this',
     validate: (value) =>
@@ -445,7 +927,7 @@ async function promptSlackTokens(): Promise<{ bot: string; app: string }> {
     cancel('Aborted.')
     process.exit(0)
   }
-  return { bot: botToken, app: appToken }
+  return appToken
 }
 
 async function promptTelegramToken(): Promise<string> {
@@ -534,6 +1016,9 @@ function reportProgress(events: AddChannelStepEvent[]): (event: AddChannelStepEv
       case 'secrets':
         s.stop('Saved credentials to secrets.json.')
         break
+      case 'github-webhooks':
+        s.stop(formatEagerGithubWebhookInstallResult(event.result))
+        break
     }
   }
 }
@@ -542,6 +1027,7 @@ const START_MESSAGES: Record<AddChannelStepEvent['step'], string> = {
   'kakaotalk-auth': 'Logging in to KakaoTalk...',
   config: 'Updating typeclaw.json...',
   secrets: 'Saving credentials to secrets.json...',
+  'github-webhooks': 'Installing GitHub repository webhooks...',
 }
 
 function reportKakaotalkAuth(result: KakaotalkAuthResult): string {