typeclaw 0.32.1 → 0.34.0

package/src/secrets/line-store.ts

@@ -0,0 +1,112 @@
+import type { LineAccountCredentials, LineConfig } from 'agent-messenger/line'
+
+import { sendHttp } from '@/hostd/client'
+
+import { type LineChannelBlock, lineChannelBlockSchema } from './schema'
+import { SecretsBackend } from './storage'
+
+export type SecretsLineCredentialStoreOptions =
+  | { mode: 'host'; secretsPath: string }
+  | { mode: 'container'; secretsPath: string; hostdUrl: string; restartToken: string; containerName: string }
+
+const EMPTY_BLOCK: LineChannelBlock = { currentAccount: null, accounts: {} }
+
+export class SecretsLineCredentialStore {
+  private readonly backend: SecretsBackend
+  private writeChain: Promise<void> = Promise.resolve()
+
+  constructor(private readonly options: SecretsLineCredentialStoreOptions) {
+    this.backend = new SecretsBackend(options.secretsPath)
+  }
+
+  async load(): Promise<LineConfig> {
+    return toLineConfig(this.readBlock())
+  }
+
+  async save(config: LineConfig): Promise<void> {
+    await this.writeBlock(() => fromLineConfig(config))
+  }
+
+  async getAccount(id?: string): Promise<LineAccountCredentials | null> {
+    const config = await this.load()
+    if (id) return config.accounts[id] ?? null
+    if (!config.current_account) return null
+    return config.accounts[config.current_account] ?? null
+  }
+
+  async setAccount(account: LineAccountCredentials): Promise<void> {
+    await this.writeBlock((block) => {
+      const accounts = { ...block.accounts, [account.account_id]: account }
+      return { ...block, currentAccount: block.currentAccount ?? account.account_id, accounts }
+    })
+  }
+
+  async removeAccount(id: string): Promise<void> {
+    await this.writeBlock((block) => {
+      const accounts = { ...block.accounts }
+      delete accounts[id]
+      const currentAccount = block.currentAccount === id ? (Object.keys(accounts)[0] ?? null) : block.currentAccount
+      return { ...block, currentAccount, accounts }
+    })
+  }
+
+  async listAccounts(): Promise<Array<LineAccountCredentials & { is_current: boolean }>> {
+    const config = await this.load()
+    return Object.values(config.accounts).map((account) => ({
+      ...account,
+      is_current: account.account_id === config.current_account,
+    }))
+  }
+
+  async setCurrentAccount(id: string): Promise<void> {
+    await this.writeBlock((block) => ({ ...block, currentAccount: id }))
+  }
+
+  private readBlock(): LineChannelBlock {
+    const channels =
+      this.options.mode === 'container' ? this.backend.tryReadChannelsSync() : this.backend.readChannelsSync()
+    return parseBlock(channels?.line)
+  }
+
+  private async writeBlock(update: (current: LineChannelBlock) => LineChannelBlock): Promise<void> {
+    return this.enqueueWrite(async () => {
+      if (this.options.mode === 'container') {
+        const next = update(this.readBlock())
+        const response = await sendHttp(
+          {
+            kind: 'secrets-patch',
+            containerName: this.options.containerName,
+            patch: { channels: { line: next } },
+          },
+          { url: this.options.hostdUrl, token: this.options.restartToken },
+        )
+        if (!response.ok) throw new Error(`secrets-patch failed: ${response.reason}`)
+        return
+      }
+
+      await this.backend.updateChannelsAsync(async (channels) => {
+        const next = { ...channels, line: update(parseBlock(channels.line)) }
+        return { result: undefined, next }
+      })
+    })
+  }
+
+  private enqueueWrite(op: () => Promise<void>): Promise<void> {
+    const next = this.writeChain.then(op, op)
+    this.writeChain = next.catch(() => {})
+    return next
+  }
+}
+
+function parseBlock(value: unknown): LineChannelBlock {
+  if (value === undefined) return EMPTY_BLOCK
+  return lineChannelBlockSchema.parse(value)
+}
+
+function toLineConfig(block: LineChannelBlock): LineConfig {
+  return { current_account: block.currentAccount, accounts: block.accounts }
+}
+
+function fromLineConfig(config: LineConfig): LineChannelBlock {
+  return { currentAccount: config.current_account, accounts: config.accounts }
+}

package/src/secrets/oauth-xai.ts

@@ -0,0 +1,342 @@
+import { createServer, type Server } from 'node:http'
+
+import { registerOAuthProvider } from '@mariozechner/pi-ai/oauth'
+import type { OAuthCredentials, OAuthLoginCallbacks, OAuthProviderInterface } from '@mariozechner/pi-ai/oauth'
+
+// xAI (Grok) OAuth 2.0. xAI runs a standard OIDC authorization server at
+// auth.x.ai that supports BOTH authorization-code + PKCE (loopback callback)
+// and the device-authorization grant. We implement the auth-code path with a
+// localhost callback server (same UX as pi-ai's anthropic provider) plus a
+// manual-paste fallback for cross-device/SSH flows.
+//
+// There is no public developer console to register a third-party OAuth client,
+// so — like every OSS Grok integration (Grok CLI, opencode, hermes-agent,
+// pi-xai-oauth) — we reuse the Grok CLI's public client id. The `plan=generic`
+// query param is load-bearing: loopback OAuth against this client id is
+// rejected without it. `referrer` is attribution only.
+//
+// Endpoints below are the live values from
+// https://auth.x.ai/.well-known/openid-configuration. The token endpoint speaks
+// application/x-www-form-urlencoded (OAuth2 default) — NOT JSON like Anthropic.
+export const XAI_OAUTH_PROVIDER_ID = 'xai'
+
+const CLIENT_ID = 'b1a00492-073a-47ea-816f-4c329264a828'
+const AUTHORIZE_URL = 'https://auth.x.ai/oauth2/authorize'
+const TOKEN_URL = 'https://auth.x.ai/oauth2/token'
+const CALLBACK_HOST = '127.0.0.1'
+const CALLBACK_PORT = 56121
+const CALLBACK_PATH = '/callback'
+const REDIRECT_URI = `http://${CALLBACK_HOST}:${CALLBACK_PORT}${CALLBACK_PATH}`
+const SCOPES = 'openid profile email offline_access grok-cli:access api:access'
+const REFERRER = 'typeclaw'
+// Refresh slightly early so an in-flight request never races expiry.
+const EXPIRY_SKEW_MS = 5 * 60 * 1000
+const REQUEST_TIMEOUT_MS = 30_000
+
+type XaiTokenResponse = {
+  access_token?: string
+  refresh_token?: string
+  expires_in?: number
+  token_type?: string
+}
+
+function base64UrlEncode(bytes: Uint8Array): string {
+  let binary = ''
+  for (const byte of bytes) binary += String.fromCharCode(byte)
+  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
+}
+
+// PKCE (RFC 7636, S256). pi-ai keeps its `generatePKCE` helper out of the
+// public `/oauth` barrel, so we generate the verifier/challenge with Web Crypto
+// directly — available in both Node and Bun.
+async function generatePkce(): Promise<{ verifier: string; challenge: string }> {
+  const verifier = base64UrlEncode(crypto.getRandomValues(new Uint8Array(32)))
+  const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(verifier))
+  return { verifier, challenge: base64UrlEncode(new Uint8Array(digest)) }
+}
+
+function parseAuthorizationInput(input: string): { code?: string; state?: string } {
+  const value = input.trim()
+  if (!value) return {}
+  try {
+    const url = new URL(value)
+    return {
+      code: url.searchParams.get('code') ?? undefined,
+      state: url.searchParams.get('state') ?? undefined,
+    }
+  } catch {
+    // Not a full URL — fall through to query-string / bare-code handling.
+  }
+  if (value.includes('code=')) {
+    const params = new URLSearchParams(value)
+    return {
+      code: params.get('code') ?? undefined,
+      state: params.get('state') ?? undefined,
+    }
+  }
+  return { code: value }
+}
+
+type CallbackServer = {
+  server: Server
+  cancelWait: () => void
+  waitForCode: () => Promise<{ code: string; state: string | null } | null>
+}
+
+function successHtml(): string {
+  return '<!doctype html><html><body style="font-family:sans-serif;padding:2rem"><h2>xAI authentication complete.</h2><p>You can close this window and return to the terminal.</p></body></html>'
+}
+
+// The OAuth `error` query param is provider-supplied and reflected into the
+// callback page, so escape it to keep a crafted callback URL
+// (`?error=<script>…`) from injecting markup into the local page.
+function escapeHtml(value: string): string {
+  return value
+    .replaceAll('&', '&amp;')
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;')
+    .replaceAll('"', '&quot;')
+    .replaceAll("'", '&#39;')
+}
+
+export function errorHtml(message: string): string {
+  return `<!doctype html><html><body style="font-family:sans-serif;padding:2rem"><h2>xAI authentication failed.</h2><p>${escapeHtml(message)}</p></body></html>`
+}
+
+// Resolves to `null` when the fixed loopback port can't be bound (EADDRINUSE,
+// sandbox bind restriction). The caller then falls back to manual-paste mode
+// rather than failing the whole login — the browser callback is a convenience,
+// not a hard requirement, since the user can always paste the redirect URL.
+function startCallbackServer(expectedState: string): Promise<CallbackServer | null> {
+  return new Promise((resolve) => {
+    let settle: ((value: { code: string; state: string | null } | null) => void) | undefined
+    const waitForCodePromise = new Promise<{ code: string; state: string | null } | null>((resolveWait) => {
+      let settled = false
+      settle = (value) => {
+        if (settled) return
+        settled = true
+        resolveWait(value)
+      }
+    })
+
+    const server = createServer((req, res) => {
+      try {
+        const url = new URL(req.url || '', `http://${CALLBACK_HOST}`)
+        if (url.pathname !== CALLBACK_PATH) {
+          res.writeHead(404, { 'Content-Type': 'text/html; charset=utf-8' })
+          res.end(errorHtml('Callback route not found.'))
+          return
+        }
+        const code = url.searchParams.get('code')
+        const state = url.searchParams.get('state')
+        const error = url.searchParams.get('error')
+        if (error) {
+          res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' })
+          res.end(errorHtml(`Error: ${error}`))
+          return
+        }
+        if (!code) {
+          res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' })
+          res.end(errorHtml('Missing code parameter.'))
+          return
+        }
+        if (state !== expectedState) {
+          res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' })
+          res.end(errorHtml('State mismatch.'))
+          return
+        }
+        res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' })
+        res.end(successHtml())
+        settle?.({ code, state })
+      } catch {
+        res.writeHead(500, { 'Content-Type': 'text/plain; charset=utf-8' })
+        res.end('Internal error')
+      }
+    })
+
+    server.on('error', () => {
+      server.close()
+      resolve(null)
+    })
+    server.listen(CALLBACK_PORT, CALLBACK_HOST, () => {
+      resolve({
+        server,
+        cancelWait: () => settle?.(null),
+        waitForCode: () => waitForCodePromise,
+      })
+    })
+  })
+}
+
+export type FetchFn = (input: string, init: RequestInit) => Promise<Response>
+
+async function postForm(url: string, body: Record<string, string>, fetchImpl: FetchFn): Promise<XaiTokenResponse> {
+  const response = await fetchImpl(url, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+      Accept: 'application/json',
+    },
+    body: new URLSearchParams(body).toString(),
+    signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
+  })
+  const text = await response.text()
+  if (!response.ok) {
+    throw new Error(`xAI OAuth request failed. status=${response.status}; url=${url}; body=${text}`)
+  }
+  try {
+    return JSON.parse(text) as XaiTokenResponse
+  } catch {
+    throw new Error(`xAI OAuth returned invalid JSON. url=${url}; body=${text}`)
+  }
+}
+
+function toCredentials(token: XaiTokenResponse): OAuthCredentials {
+  if (!token.access_token || !token.refresh_token || token.expires_in === undefined) {
+    throw new Error('xAI OAuth response missing access_token, refresh_token, or expires_in')
+  }
+  return {
+    access: token.access_token,
+    refresh: token.refresh_token,
+    expires: Date.now() + token.expires_in * 1000 - EXPIRY_SKEW_MS,
+  }
+}
+
+async function exchangeAuthorizationCode(
+  code: string,
+  verifier: string,
+  fetchImpl: FetchFn,
+): Promise<OAuthCredentials> {
+  const token = await postForm(
+    TOKEN_URL,
+    {
+      grant_type: 'authorization_code',
+      client_id: CLIENT_ID,
+      code,
+      redirect_uri: REDIRECT_URI,
+      code_verifier: verifier,
+    },
+    fetchImpl,
+  )
+  return toCredentials(token)
+}
+
+export async function loginXai(callbacks: OAuthLoginCallbacks, fetchImpl: FetchFn = fetch): Promise<OAuthCredentials> {
+  const { verifier, challenge } = await generatePkce()
+  const server = await startCallbackServer(verifier)
+  let code: string | undefined
+  try {
+    const authParams = new URLSearchParams({
+      client_id: CLIENT_ID,
+      response_type: 'code',
+      redirect_uri: REDIRECT_URI,
+      scope: SCOPES,
+      code_challenge: challenge,
+      code_challenge_method: 'S256',
+      state: verifier,
+      plan: 'generic',
+      referrer: REFERRER,
+    })
+    callbacks.onAuth({
+      url: `${AUTHORIZE_URL}?${authParams.toString()}`,
+      instructions:
+        'Complete login in your browser. Grok shows a code to copy on the "could not establish connection" page — paste that code here. If the browser is on another machine, paste the code (or the final redirect URL) here.',
+    })
+
+    if (server && callbacks.onManualCodeInput) {
+      // Race the local callback server against a manual paste: whichever lands
+      // a code first wins (cross-device/SSH logins can't reach the loopback).
+      let manualInput: string | undefined
+      let manualError: Error | undefined
+      const manualPromise = callbacks
+        .onManualCodeInput()
+        .then((input) => {
+          manualInput = input
+          server.cancelWait()
+        })
+        .catch((err) => {
+          manualError = err instanceof Error ? err : new Error(String(err))
+          server.cancelWait()
+        })
+
+      const result = await server.waitForCode()
+      if (manualError) throw manualError
+      if (result?.code) {
+        code = result.code
+      } else if (manualInput) {
+        code = parseManualCode(manualInput, verifier)
+      }
+      if (!code) {
+        await manualPromise
+        if (manualError) throw manualError
+        if (manualInput) {
+          code = parseManualCode(manualInput, verifier)
+        }
+      }
+    } else if (server) {
+      const result = await server.waitForCode()
+      if (result?.code) code = result.code
+    } else if (callbacks.onManualCodeInput) {
+      // No callback server bound — manual paste is the only path to a code.
+      code = parseManualCode(await callbacks.onManualCodeInput(), verifier)
+    }
+
+    if (!code) {
+      const input = await callbacks.onPrompt({
+        message: 'Paste the authorization code or full redirect URL:',
+        placeholder: REDIRECT_URI,
+      })
+      code = parseManualCode(input, verifier)
+    }
+
+    if (!code) throw new Error('Missing authorization code')
+
+    callbacks.onProgress?.('Exchanging authorization code for tokens...')
+    return await exchangeAuthorizationCode(code, verifier, fetchImpl)
+  } finally {
+    server?.server.close()
+  }
+}
+
+function parseManualCode(input: string, verifier: string): string | undefined {
+  const parsed = parseAuthorizationInput(input)
+  if (parsed.state && parsed.state !== verifier) throw new Error('OAuth state mismatch')
+  return parsed.code
+}
+
+export async function refreshXaiToken(refreshToken: string, fetchImpl: FetchFn = fetch): Promise<OAuthCredentials> {
+  const token = await postForm(
+    TOKEN_URL,
+    {
+      grant_type: 'refresh_token',
+      client_id: CLIENT_ID,
+      refresh_token: refreshToken,
+    },
+    fetchImpl,
+  )
+  // Some OAuth servers omit a rotated refresh token on refresh; keep the prior
+  // one so the credential stays usable across the next cycle.
+  return toCredentials({ ...token, refresh_token: token.refresh_token ?? refreshToken })
+}
+
+export const xaiOAuthProvider: OAuthProviderInterface = {
+  id: XAI_OAUTH_PROVIDER_ID,
+  name: 'xAI (Grok)',
+  usesCallbackServer: true,
+  login: loginXai,
+  refreshToken: (credentials) => refreshXaiToken(credentials.refresh),
+  getApiKey: (credentials) => credentials.access,
+}
+
+let registered = false
+
+// pi-ai ships no built-in xAI OAuth provider, so we register ours. Idempotent
+// and called from `createSecretsStoreForAgent` — the single chokepoint both the
+// init-time login path and the container-runtime auth/refresh path go through —
+// so the provider is always present before `AuthStorage.login()` /
+// `getApiKey()` look it up via `getOAuthProvider('xai')`.
+export function registerXaiOAuthProvider(): void {
+  if (registered) return
+  registerOAuthProvider(xaiOAuthProvider)
+  registered = true
+}

package/src/secrets/schema.ts

@@ -55,6 +55,28 @@ const githubChannelSchema = z.object({
   webhookSecret: secretFieldSchema,
 })
 
+const lineDeviceSchema = z.enum(['DESKTOPWIN', 'DESKTOPMAC', 'ANDROID', 'ANDROIDSECONDARY', 'IOS', 'IOSIPAD'])
+
+// LINE persists a long-lived auth token (+ optional certificate that lets a
+// later re-login skip the e-mail/PIN step on the same device). There is no
+// encrypted-password / renewal-cron path the way KakaoTalk has — LINE tokens
+// don't expire on a fixed short schedule, so the renewal fields are absent by
+// design.
+export const lineAccountRecordSchema = z.object({
+  account_id: z.string(),
+  auth_token: z.string(),
+  certificate: z.string().optional(),
+  device: lineDeviceSchema,
+  display_name: z.string().optional(),
+  created_at: z.string(),
+  updated_at: z.string(),
+})
+
+export const lineChannelBlockSchema = z.object({
+  currentAccount: z.string().nullable(),
+  accounts: z.record(z.string(), lineAccountRecordSchema),
+})
+
 // Encrypted password envelope produced by src/secrets/encryption.ts. Optional
 // in the schema because legacy v2 accounts (pre-renewal feature) don't have
 // one; the renewal cron treats a missing envelope as "reauth required" and
@@ -109,6 +131,7 @@ export const channelsSchema = z
     'discord-bot': discordBotChannelSchema.optional(),
     github: githubChannelSchema.optional(),
     'telegram-bot': telegramBotChannelSchema.optional(),
+    line: lineChannelBlockSchema.optional(),
     kakaotalk: kakaoChannelBlockSchema.optional(),
   })
   .catchall(z.unknown())
@@ -130,6 +153,8 @@ export type Channels = z.infer<typeof channelsSchema>
 export type GithubPatAuthBlock = z.infer<typeof githubPatAuthSchema>
 export type GithubAppAuthBlock = z.infer<typeof githubAppAuthSchema>
 export type GithubSecretsBlock = z.infer<typeof githubChannelSchema>
+export type LineAccountRecord = z.infer<typeof lineAccountRecordSchema>
+export type LineChannelBlock = z.infer<typeof lineChannelBlockSchema>
 export type KakaoAccountRecord = z.infer<typeof kakaoAccountRecordSchema>
 export type PendingLoginRecord = z.infer<typeof kakaoPendingLoginRecordSchema>
 export type KakaoChannelBlock = z.infer<typeof kakaoChannelBlockSchema>

package/src/secrets/storage.ts

@@ -9,6 +9,7 @@ import {
 import lockfile from 'proper-lockfile'
 
 import { providerKeyDefaultEnv } from './defaults'
+import { registerXaiOAuthProvider } from './oauth-xai'
 import { resolveSecret, type Secret } from './resolve'
 import {
   type Channels,
@@ -374,6 +375,7 @@ export class SecretsBackend implements AuthStorageBackend {
 }
 
 export function createSecretsStoreForAgent(secretsPath: string): AuthStorage {
+  registerXaiOAuthProvider()
   return AuthStorageImpl.fromStorage(new SecretsBackend(secretsPath))
 }
 

package/src/server/index.ts

@@ -28,7 +28,7 @@ import {
 } from '@/agent/todo/continuation-wiring'
 import { SUBAGENT_OUTPUT_TOOL_NAME } from '@/agent/tools/subagent-output'
 import type { ChannelRouter } from '@/channels/router'
-import { aggregateCronList, type CronListEntry, loadCron } from '@/cron'
+import { aggregateCronList, type CronJob, type CronListEntry, loadCron } from '@/cron'
 import type { McpManager } from '@/mcp'
 import type { HookBus } from '@/plugin'
 import type { BrokerWsData, ContainerBroker } from '@/portbroker'
@@ -75,6 +75,9 @@ export type ServerOptions = {
   mcpManager?: McpManager
   agentDir?: string
   pluginRuntime?: PluginRuntime
+  // Durable cron fire-progress lookup so `cron list` marks count-exhausted jobs
+  // as retired instead of showing a stale future fire time. Omit in tests/dev.
+  getFiredCount?: (job: CronJob) => number
   containerName?: string
   runtimeVersion?: string
   tuiToken?: string
@@ -252,6 +255,7 @@ export function createServer({
   mcpManager,
   agentDir,
   pluginRuntime,
+  getFiredCount,
   containerName,
   runtimeVersion,
   tuiToken,
@@ -716,7 +720,7 @@ export function createServer({
           }
 
           if (msg.type === 'cron_list') {
-            await handleCronList(ws, msg.requestId, pluginRuntime, agentDir)
+            await handleCronList(ws, msg.requestId, pluginRuntime, agentDir, getFiredCount)
             return
           }
 
@@ -1186,6 +1190,7 @@ async function handleCronList(
   requestId: string,
   pluginRuntime: PluginRuntime | undefined,
   agentDir: string | undefined,
+  getFiredCount?: (job: CronJob) => number,
 ): Promise<void> {
   if (agentDir === undefined) {
     send(ws, { type: 'cron_list_result', requestId, result: { ok: false, reason: 'agentDir not configured' } })
@@ -1208,7 +1213,12 @@ async function handleCronList(
     const userJobs = loadResult.file?.jobs ?? []
     const pluginJobs = snapshot?.registry.cronJobs ?? []
     const nowMs = Date.now()
-    const entries = aggregateCronList({ userJobs, pluginJobs, now: nowMs })
+    const entries = aggregateCronList({
+      userJobs,
+      pluginJobs,
+      now: nowMs,
+      ...(getFiredCount !== undefined ? { firedCount: getFiredCount } : {}),
+    })
     send(ws, {
       type: 'cron_list_result',
       requestId,
@@ -1541,9 +1551,12 @@ function toPayload(entry: CronListEntry): CronListEntryPayload {
     id: entry.id,
     source,
     kind: entry.kind,
-    schedule: entry.schedule,
     enabled: entry.enabled,
     nextFireMs: entry.nextFireMs,
+    ...(entry.schedule !== undefined ? { schedule: entry.schedule } : {}),
+    ...(entry.at !== undefined ? { at: entry.at } : {}),
+    ...(entry.until !== undefined ? { until: entry.until } : {}),
+    ...(entry.count !== undefined ? { count: entry.count } : {}),
     ...(entry.timezone !== undefined ? { timezone: entry.timezone } : {}),
     ...(entry.scheduledByRole !== undefined ? { scheduledByRole: entry.scheduledByRole } : {}),
     ...(entry.scheduleError !== undefined ? { scheduleError: entry.scheduleError } : {}),

package/src/shared/protocol.ts

@@ -165,7 +165,10 @@ export type CronListEntryPayload = {
   id: string
   source: CronListSourcePayload
   kind: 'prompt' | 'exec' | 'handler'
-  schedule: string
+  schedule?: string
+  at?: string
+  until?: string
+  count?: number
   timezone?: string
   enabled: boolean
   scheduledByRole?: string

package/src/skills/typeclaw-channel-line/SKILL.md

@@ -0,0 +1,46 @@
+---
+name: typeclaw-channel-line
+description: Use this skill BEFORE every `channel_reply` or `channel_send` call whose adapter is `line`. LINE renders messages as plain text — `**bold**`, `## headings`, `| tables |`, fenced code blocks, and other markdown all appear literally. There is no `@mention` syntax, no message threads, no replies-with-quote, and no outbound attachments or stickers. Inbound non-text content (images, stickers, files) is not fetchable through this adapter. Read this skill before composing anything on LINE.
+---
+
+# typeclaw-channel-line
+
+You are speaking through the `line` channel adapter. The adapter wraps `agent-messenger`'s LineClient/LineListener, which speaks LINE's protocol as a registered sub-device of a real user account.
+
+This means **you are messaging as a person, not as a bot.** Other participants see your account's name and profile photo. Match their tone — the people you're talking with assume they're talking to a human.
+
+## What LINE does NOT support
+
+LINE renders messages as plain text — it has no rich-text formatting. **Write plain text from the start.** The adapter strips common markdown as a safety net before sending (so an accidental `**bold**` won't leak literal asterisks), but treat that as a last-resort guard, not a license to write markdown: the strip removes _markers_, it cannot make formatting-dependent layouts like tables readable. Compose for a plain-text surface and you control the result.
+
+Specifically, do not rely on any of the following — write the plain-text equivalent yourself:
+
+- **Bold / italic / strikethrough** — emphasize with word choice, not `**asterisks**`.
+- **Headings** — `# H1`, `## H2`, `### H3` carry no visual weight here. Lead with the point.
+- **Tables** — the stripper cannot rescue a pipe-delimited table. Use bullet lists or short prose.
+- **Code fences** — for short snippets, paste the code inline as plain text. For long snippets, summarize and offer to send it another way.
+- **Inline code** — just write `foo`, no backticks.
+- **Links with display text** — send the bare URL on its own line; the LINE client auto-links it. A `[label](url)` that slips through is reduced to `label (url)`, but a bare URL reads cleaner.
+- **Mentions** — there is no `@user` syntax the protocol surfaces. Address people by name in the message body.
+- **Threads / replies-with-quote** — every message is a top-level chat post. There is no per-message reply UI.
+- **Outbound attachments / stickers** — the adapter sends text only. If the user asks you to send a file, image, or sticker, acknowledge the limit and offer text (e.g. paste a link to the file instead).
+
+## What LINE DOES support
+
+- Plain UTF-8 text. Emoji are fine.
+- URLs auto-linkify in the client. Send them bare — `https://example.com/foo`, no markdown wrapping.
+- Newlines render as line breaks. Use `\n\n` to space paragraphs.
+
+## Inbound content
+
+Inbound messages are text. LINE may deliver non-text content (images, stickers, files); the adapter surfaces only the text portion and you cannot fetch the bytes through this adapter. If a message arrives with no text, there is nothing for you to act on — do not invent attachment ids.
+
+## Chats
+
+LINE chats fall into three workspace buckets:
+
+- `@line-dm` — a 1:1 direct message.
+- `@line-group` — a group or room (multi-party invite chat).
+- `@line-square` — an OpenChat-style public community. Treat these as the most public surface; be conservative about what you say.
+
+Engagement on group and square chats is alias-only (there is no @-mention): you are woken when someone uses one of your configured aliases, replies in a way the engagement layer tracks, or in a DM. In a 1:1 DM every message engages.