typeclaw 0.34.0 → 0.35.0

package/src/bundled-plugins/github-cli-auth/index.ts

@@ -3,14 +3,28 @@ import { definePlugin } from '@/plugin'
 
 import { createApproveIdempotencyGuard } from './approve-idempotency'
 import { createGithubEffectiveApprovalResolver, createGithubHeadShaResolver } from './effective-approval'
-import { analyzeGhCommand } from './gh-command'
+import { analyzeGhCommand, effectiveGhTokensForAuthenticatedUserEndpoint } from './gh-command'
+import { ensureGitAskPassHelper } from './git-askpass'
+import { analyzeGitCommand, defaultGitResolvers } from './git-command'
 import { checkGraphqlAuthNudge } from './graphql-auth-nudge'
 import { commitReviewIfSucceeded, noteReviewCommand } from './review-recorder'
-import { classifyGhToken } from './token-class'
+import { classifyGhToken, shouldMintAppToken } from './token-class'
 
 export default definePlugin({
   plugin: async (ctx) => {
     const resolveTokenForRepo = ctx.github.resolveTokenForRepo
+    const hasAppTokenResolver = ctx.github.hasAppTokenResolver
+    // `/user` resolves the caller's USER identity. An App installation token is not
+    // a user, so GitHub rejects it on a token-class basis (403, or no-token error in
+    // the sandbox) no matter how valid the token is. We block-and-guide so the agent
+    // does not misread this as "I have no auth" — it does, for repo-scoped calls.
+    const appUserEndpointReason =
+      '`gh api /user` (and `/user/...`) resolves the calling USER. This agent authenticates ' +
+      'as a GitHub App with a per-repo installation token, which is not a user identity — so ' +
+      '`/user` cannot work here, and this failure is NOT a sign that auth is missing (repo-' +
+      'scoped calls still work). It is not a valid auth/login check. For repo data use ' +
+      '`gh <cmd> -R owner/repo` or `gh api /repos/owner/repo/...`; for the actor, read the ' +
+      'PR/issue/comment context you were given instead of `gh api /user`.'
     const resolveToken = async (workspace: string) => {
       const result = await resolveTokenForRepo(workspace)
       return result.kind === 'token' ? result.token : null
@@ -19,48 +33,134 @@ export default definePlugin({
       resolveEffectiveApproval: createGithubEffectiveApprovalResolver({ resolveToken }),
       resolveHeadSha: createGithubHeadShaResolver({ resolveToken }),
     })
+
+    type HookResult = void | { block: true; reason: string }
+
+    // 'fall-through' means "not a repo-targeting gh command" so the caller can
+    // try the git path on the same command (e.g. `git ... # gh` substrings).
+    const handleGhCommand = async (params: {
+      event: { callId: string; args: Record<string, unknown> }
+      command: string
+    }): Promise<HookResult | 'fall-through'> => {
+      const { event, command } = params
+      const review = await noteReviewCommand({ callId: event.callId, command })
+      if (review.detected !== null) {
+        const block = await verdictGuard.guard({
+          callId: event.callId,
+          workspace: review.detected.workspace,
+          prNumber: review.detected.prNumber,
+          verdict: review.detected.verdict,
+        })
+        if (block !== null) return block
+      }
+      if (review.dump !== null) return review.dump
+
+      const decision = analyzeGhCommand(command)
+
+      // `/user` classifies as pass-through (no repo to mint for), so this block
+      // must run BEFORE the pass-through return. Resolve the EFFECTIVE token per
+      // `/user` invocation (a command-local `GH_TOKEN=…`/`GITHUB_TOKEN=…` overrides
+      // process env, matching gh) and block only when that token is App / none-with-
+      // minter — a command-local PAT override carries a user identity, so `/user`
+      // works for it and must not be blocked.
+      const userEndpointTokens = effectiveGhTokensForAuthenticatedUserEndpoint(command, {
+        GH_TOKEN: process.env.GH_TOKEN,
+        GITHUB_TOKEN: process.env.GITHUB_TOKEN,
+      })
+      if (userEndpointTokens.some((token) => shouldMintAppToken(token, hasAppTokenResolver()))) {
+        return { block: true, reason: appUserEndpointReason }
+      }
+
+      if (decision.kind === 'pass-through') return 'fall-through'
+
+      // The `-R` strip is a pure syntax fix (`gh api` rejects `-R`), independent
+      // of token minting, so apply it for EVERY token class — including the PAT
+      // paths below that return without injecting. Only `inject` decisions carry
+      // `rewrittenCommand`, and only after the single-bare/safe-pipeline gate in
+      // analyzeGhCommand, so this never rewrites a blocked or unsafe shape.
+      if (decision.kind === 'inject' && decision.rewrittenCommand !== undefined) {
+        event.args.command = decision.rewrittenCommand
+      }
+
+      const tokenClass = classifyGhToken(process.env.GH_TOKEN)
+      // Classic PATs reach every owner; nothing to inject or enforce.
+      if (tokenClass === 'cross-owner') return
+
+      if (decision.kind === 'block') return { block: true, reason: decision.reason }
+
+      // Fine-grained PATs are single-owner but cannot be re-minted per repo;
+      // the seeded GH_TOKEN is the only token we have. Leave it in place so
+      // `gh` fails honestly if the named repo is under a different owner.
+      if (tokenClass === 'fine-grained-pat') return
+
+      // No App auth (no App-class GH_TOKEN and no live minter): leave whatever
+      // is seeded so `gh` fails honestly rather than us guessing a token.
+      if (!shouldMintAppToken(process.env.GH_TOKEN, hasAppTokenResolver())) return
+
+      const result = await resolveTokenForRepo(decision.repoSlug)
+      if (result.kind === 'unavailable') return { block: true, reason: result.reason }
+      // Inject via the internal env overlay (delivered to the spawn / bwrap
+      // --setenv by the bash wrapper) so the token never enters the command
+      // string, where it could leak through logs or later hooks.
+      event.args[TYPECLAW_INTERNAL_BASH_ENV] = { GH_TOKEN: result.token }
+      return
+    }
+
+    const handleGitCommand = async (params: {
+      event: { args: Record<string, unknown> }
+      command: string
+      agentDir: string
+    }): Promise<HookResult> => {
+      const { event, command, agentDir } = params
+      // Only App auth re-mints per repo. Classic/fine-grained PATs and absent
+      // tokens are left untouched, exactly as the gh path treats them. App auth
+      // is detected by the live minter too, not just an App-class GH_TOKEN:
+      // multi-owner / no-repos App configs never seed GH_TOKEN yet can mint.
+      if (!shouldMintAppToken(process.env.GH_TOKEN, hasAppTokenResolver())) return
+
+      const decision = await analyzeGitCommand(command, { cwd: agentDir, resolvers: defaultGitResolvers })
+      if (decision.kind === 'pass-through') return
+      if (decision.kind === 'block') return { block: true, reason: decision.reason }
+
+      const result = await resolveTokenForRepo(decision.repoSlug)
+      if (result.kind === 'unavailable') return { block: true, reason: result.reason }
+
+      const askpass = await ensureGitAskPassHelper()
+      const existing = event.args[TYPECLAW_INTERNAL_BASH_ENV]
+      const overlay = existing !== null && typeof existing === 'object' ? (existing as Record<string, string>) : {}
+      // Token rides in TYPECLAW_GIT_TOKEN (read by the askpass helper), never in
+      // argv/config. insteadOf rewrites SSH/scp remotes to https so the helper's
+      // credential applies; GIT_TERMINAL_PROMPT=0 fails fast instead of hanging.
+      event.args[TYPECLAW_INTERNAL_BASH_ENV] = {
+        ...overlay,
+        GIT_ASKPASS: askpass,
+        TYPECLAW_GIT_TOKEN: result.token,
+        GIT_TERMINAL_PROMPT: '0',
+        GIT_CONFIG_COUNT: '2',
+        GIT_CONFIG_KEY_0: 'url.https://github.com/.insteadOf',
+        GIT_CONFIG_VALUE_0: 'git@github.com:',
+        GIT_CONFIG_KEY_1: 'url.https://github.com/.insteadOf',
+        GIT_CONFIG_VALUE_1: 'ssh://git@github.com/',
+      }
+      if (decision.rewrittenCommand !== undefined) event.args.command = decision.rewrittenCommand
+      return
+    }
+
     return {
       hooks: {
         'tool.before': async (event) => {
           if (event.tool !== 'bash') return
           const command = event.args.command
-          if (typeof command !== 'string' || !command.includes('gh')) return
-
-          const review = await noteReviewCommand({ callId: event.callId, command })
-          if (review.detected !== null) {
-            const block = await verdictGuard.guard({
-              callId: event.callId,
-              workspace: review.detected.workspace,
-              prNumber: review.detected.prNumber,
-              verdict: review.detected.verdict,
-            })
-            if (block !== null) return block
+          if (typeof command !== 'string') return
+
+          if (command.includes('gh')) {
+            const ghResult = await handleGhCommand({ event, command })
+            if (ghResult !== 'fall-through') return ghResult
+          }
+
+          if (command.includes('git')) {
+            return await handleGitCommand({ event, command, agentDir: ctx.agentDir })
           }
-          if (review.dump !== null) return review.dump
-
-          const decision = analyzeGhCommand(command)
-          if (decision.kind === 'pass-through') return
-
-          const tokenClass = classifyGhToken(process.env.GH_TOKEN)
-          // Classic PATs reach every owner; nothing to inject or enforce.
-          if (tokenClass === 'cross-owner') return
-
-          if (decision.kind === 'block') return { block: true, reason: decision.reason }
-
-          // Fine-grained PATs are single-owner but cannot be re-minted per repo;
-          // the seeded GH_TOKEN is the only token we have. Leave it in place so
-          // `gh` fails honestly if the named repo is under a different owner.
-          if (tokenClass === 'fine-grained-pat') return
-
-          const result = await resolveTokenForRepo(decision.repoSlug)
-          if (result.kind === 'unavailable') return { block: true, reason: result.reason }
-          // Inject via the internal env overlay (delivered to the spawn / bwrap
-          // --setenv by the bash wrapper) so the token never enters the command
-          // string, where it could leak through logs or later hooks.
-          event.args[TYPECLAW_INTERNAL_BASH_ENV] = { GH_TOKEN: result.token }
-          // graphql consumed `-R/--repo` as a mint hint; `gh api` rejects it, so
-          // run the command with the flag stripped (token still rides in env).
-          if (decision.rewrittenCommand !== undefined) event.args.command = decision.rewrittenCommand
           return
         },
         'tool.after': async (event) => {

package/src/bundled-plugins/github-cli-auth/token-class.ts

@@ -9,3 +9,16 @@ export function classifyGhToken(token: string | undefined): GhTokenClass {
   // a per-repo token rather than silently using a possibly-wrong global one.
   return 'app'
 }
+
+// Whether the per-repo App minter should fire for a repo-targeting command.
+// App auth is detected via EITHER a seeded App-class GH_TOKEN OR a live App
+// token resolver — the latter is the authority because multi-owner / no-repos
+// App configs intentionally leave GH_TOKEN unseeded (the prefix would read
+// 'none'), yet the per-repo minter is still registered and able to mint. Classic
+// and fine-grained PATs are never re-minted: they pass through with whatever
+// GH_TOKEN is seeded, exactly as before.
+export function shouldMintAppToken(token: string | undefined, hasAppTokenResolver: boolean): boolean {
+  const tokenClass = classifyGhToken(token)
+  if (tokenClass === 'cross-owner' || tokenClass === 'fine-grained-pat') return false
+  return tokenClass === 'app' || hasAppTokenResolver
+}

package/src/bundled-plugins/security/policies/prompt-injection.ts

@@ -427,6 +427,37 @@ const GIT_EXFIL_VERBS = [
   'hub\\s+(?:create|push)',
 ].join('|')
 
+// "backup" framing across the same major-language set the rest of this file
+// covers. The narrow English+Korean-only version let "백업 해줘 to my repo"
+// framings phrased in any other channel language slip the standalone-backup
+// catch (the SECRET_DEMAND patterns still fire when a credential is named; this
+// is only the no-secret-named "push to my backup repo" idiom). Entries are the
+// noun/verb for "backup"/"back up" — kept tight so they only matter within the
+// 80-char proximity-to-git-push window below, never on their own.
+const BACKUP_NOUNS = [
+  'backup',
+  'back[-\\s]?up',
+  '\u{BC31}\u{C5C5}', // ko 백업
+  '\u30D0\u30C3\u30AF\u30A2\u30C3\u30D7', // ja バックアップ
+  '\u5907\u4EFD', // zh-hans 备份
+  '\u5099\u4EFD', // zh-hant 備份
+  'copia\\s*de\\s*seguridad', // es
+  'respald(?:o|ar|a)', // es respaldo/respaldar
+  'sauvegard(?:e|er)', // fr
+  'sicherungskopie', // de
+  'sicher(?:n|ung)', // de Sicherung/sichern
+  'c[\u00F3o]pia\\s*de\\s*seguran[\u00E7c]a', // pt
+  'fazer\\s*backup', // pt
+  '\u0440\u0435\u0437\u0435\u0440\u0432\u043D(?:\u0430\u044F|\u0443\u044E)\\s*\u043A\u043E\u043F\u0438\u044F', // ru резервная копия
+  'sao\\s*l\u01B0u', // vi sao lưu
+  'cadang(?:an)?', // id cadangan/mencadangkan
+  '\u0646\u0633\u062E(?:\u0629)?\\s*\u0627\u062D\u062A\u064A\u0627\u0637\u064A(?:\u0629)?', // ar نسخة احتياطية
+  '\u092C\u0948\u0915\u0905\u092A', // hi बैकअप
+  'yede(?:k|kle)', // tr yedek/yedekle
+  'copia\\s*di\\s*sicurezza', // it
+  'backup', // it (loanword, same token)
+].join('|')
+
 const GIT_EXFIL_PATTERNS: ReadonlyArray<RegExp> = [
   new RegExp(`(?:${GIT_EXFIL_VERBS})`, 'i'),
   // Urgency shorthand ("do it" / "go ahead" / "now") right after a git command,
@@ -440,8 +471,8 @@ const GIT_EXFIL_PATTERNS: ReadonlyArray<RegExp> = [
   // request - if the same message also names a credential or `.env`, the
   // SECRET_DEMAND_PATTERNS already fires; this catches the standalone
   // "push to my backup repo" framing that doesn't mention secrets.
-  /(?:backup|back[-\s]?up|\u{BC31}\u{C5C5})[\s\S]{0,80}(?:git\s+push|github\.com|gitlab\.com|bitbucket\.org)/iu,
-  /(?:git\s+push|github\.com|gitlab\.com|bitbucket\.org)[\s\S]{0,80}(?:backup|back[-\s]?up|\u{BC31}\u{C5C5})/iu,
+  new RegExp(`(?:${BACKUP_NOUNS})[\\s\\S]{0,80}(?:git\\s+push|github\\.com|gitlab\\.com|bitbucket\\.org)`, 'iu'),
+  new RegExp(`(?:git\\s+push|github\\.com|gitlab\\.com|bitbucket\\.org)[\\s\\S]{0,80}(?:${BACKUP_NOUNS})`, 'iu'),
 ]
 
 export type InjectionMatch = {

package/src/channels/adapters/github/inbound.ts

@@ -396,17 +396,24 @@ export function classifyGithubInbound(
     const root = parentId ?? id
     const parent =
       parentId !== null && options?.reviewCommentParent?.parentId === parentId ? options.reviewCommentParent : null
+    const commenter = readUser(comment.user)
+    const directedAtBot =
+      parentId === null &&
+      isSelfPr(readUser(pr.user), selfLogin, options?.authType ?? 'pat') &&
+      commenter !== null &&
+      !isSelfAuthor(commenter, null, selfLogin)
     return buildInbound(
       { ...base, chat: `pr:${number}`, thread: String(root) },
       comment.body,
       id,
-      readUser(comment.user),
+      commenter,
       mention,
       comment.created_at,
       { kind: 'pr-review-comment', owner: repository.owner, repo: repository.name, commentId: id },
       false,
       {
         suppressSticky: true,
+        ...(directedAtBot ? { forceBotMention: true } : {}),
         replyToBotMessageId: parent?.isSelf === true ? String(parent.parentId) : null,
         replyToOtherMessageId: parent?.isSelf === false ? String(parent.parentId) : null,
       },
@@ -533,6 +540,11 @@ export function classifyGithubInbound(
       : reviewer !== null
         ? synthesizeReviewStateText(reviewer.login, number, readString(pr, 'title'), readString(review, 'state'))
         : ''
+    const directedAtBot =
+      isSelfPr(readUser(pr.user), selfLogin, options?.authType ?? 'pat') &&
+      reviewer !== null &&
+      !isSelfAuthor(reviewer, null, selfLogin) &&
+      isActionableReviewState(readString(review, 'state'))
     return buildInbound(
       { ...base, chat: `pr:${number}`, thread: null },
       text,
@@ -542,7 +554,7 @@ export function classifyGithubInbound(
       review.submitted_at,
       null,
       !hasBody,
-      { suppressSticky: true },
+      { suppressSticky: true, ...(directedAtBot ? { forceBotMention: true } : {}) },
     )
   }
 
@@ -591,6 +603,12 @@ type BuildInboundOptions = {
   suppressSticky?: boolean
   replyToBotMessageId?: string | null
   replyToOtherMessageId?: string | null
+  // Forces isBotMention=true with no @-handle in the body. A review (or
+  // top-level review comment) on a PR the agent ITSELF authored is directed at
+  // the bot — the inverse of review_requested — so it engages even though the
+  // reviewer never types `@bot`. Paired with suppressSticky so reviews on OTHER
+  // people's PRs still observe-only (preserving the PR #672 fix).
+  forceBotMention?: boolean
 }
 
 // A GitHub App can never be a `requested_reviewer` — that field only holds
@@ -799,7 +817,7 @@ function buildInbound(
   // Synthesized awareness lines carry an `@author` prefix describing who acted;
   // that handle is the author, never a third-party mention of the bot, so the
   // body-text mention heuristic must not fire on it.
-  const isBotMention = !synthesizedAwareness && textMentionsBot(text, mention)
+  const isBotMention = options?.forceBotMention === true || (!synthesizedAwareness && textMentionsBot(text, mention))
   const replyToBotMessageId = options?.replyToBotMessageId ?? null
   const replyToOtherMessageId = options?.replyToOtherMessageId ?? key.replyToOtherMessageId
   return {
@@ -854,6 +872,15 @@ function synthesizeReviewStateText(
   return `@${reviewer} ${verb} PR #${number}${label}.`
 }
 
+// A review on the agent's own PR engages it only when there is something to act
+// on. APPROVED clears the PR and needs no reply, so engaging would just produce
+// "thanks" churn; it stays awareness-only. COMMENTED and CHANGES_REQUESTED (and
+// any non-approval state) carry feedback the agent should address. State case
+// varies by payload source (webhook vs REST), so normalize before matching.
+function isActionableReviewState(state: string | null): boolean {
+  return state?.toLowerCase() !== 'approved'
+}
+
 async function resolveTeamMembership(
   event: string,
   payload: Record<string, unknown>,
@@ -981,6 +1008,17 @@ function isSelfAuthor(author: GithubUser, selfId: string | null, selfLogin: stri
   return false
 }
 
+// Whether the PR's OPENER is this agent. Distinct from isSelfAuthor (which
+// guards self-loops on the event ACTOR by id/login): here we have only the
+// `pull_request.user` from a review payload, no id to compare, and under App
+// auth the bot opens PRs as the decoy account (login = slug, e.g. `typeey`),
+// not the actor login `typeey[bot]`. So this matches selfLogin AND the decoy
+// slug — mirroring resolveBotMentionLogins.
+function isSelfPr(prUser: GithubUser | null, selfLogin: string | null, authType: 'pat' | 'app'): boolean {
+  if (prUser === null || selfLogin === null) return false
+  return resolveBotMentionLogins(selfLogin, authType).includes(prUser.login)
+}
+
 type GithubUser = { login: string; id: number; type?: string }
 
 function readUser(value: unknown): GithubUser | null {

package/src/channels/adapters/slack-bot.ts

@@ -359,18 +359,26 @@ export function createTypingCallback(deps: {
     // threads keep using `thread`. Either way the status is keyed on one ts.
     const statusThread =
       target.typingThread !== undefined && target.typingThread !== '' ? target.typingThread : target.thread
-    const tag = formatChannelTag
-      ? await formatChannelTag(target.workspace, statusThread ?? target.chat)
-      : `channel=${statusThread ?? target.chat}`
     if (statusThread === undefined || statusThread === null || statusThread === '') {
-      if (target.phase === 'tick') logger.info(`[slack-bot] typing (no-op, top-level chat) ${tag}`)
-      return
-    }
-    if (target.phase === 'stop') {
-      await typingTracker.clearAfterSend(target.chat, statusThread)
+      if (target.phase === 'tick') {
+        const tag = formatChannelTag
+          ? await formatChannelTag(target.workspace, statusThread ?? target.chat)
+          : `channel=${statusThread ?? target.chat}`
+        logger.info(`[slack-bot] typing (no-op, top-level chat) ${tag}`)
+      }
       return
     }
-    await typingTracker.setStatus(target.chat, statusThread, 'is typing...')
+    // Append to the per-(chat,thread) FIFO BEFORE awaiting anything: the FIFO
+    // only orders calls once setStatus/clearAfterSend is reached, so awaiting
+    // `formatChannelTag` first opens an unordered gap where a fire-and-forget
+    // re-arm 'tick' (router send() after a reply) can enqueue "is typing..."
+    // AFTER the turn-end 'stop' clear. Flat DMs have no threaded-reply
+    // auto-clear, so that strands the indicator until Slack's ~2-min timeout.
+    const enqueued =
+      target.phase === 'stop'
+        ? typingTracker.clearAfterSend(target.chat, statusThread)
+        : typingTracker.setStatus(target.chat, statusThread, 'is typing...')
+    await enqueued
   }
 }