typeclaw 0.34.1 → 0.35.0

package/src/bundled-plugins/github-cli-auth/index.ts

@@ -3,16 +3,28 @@ import { definePlugin } from '@/plugin'
 
 import { createApproveIdempotencyGuard } from './approve-idempotency'
 import { createGithubEffectiveApprovalResolver, createGithubHeadShaResolver } from './effective-approval'
-import { analyzeGhCommand } from './gh-command'
+import { analyzeGhCommand, effectiveGhTokensForAuthenticatedUserEndpoint } from './gh-command'
 import { ensureGitAskPassHelper } from './git-askpass'
 import { analyzeGitCommand, defaultGitResolvers } from './git-command'
 import { checkGraphqlAuthNudge } from './graphql-auth-nudge'
 import { commitReviewIfSucceeded, noteReviewCommand } from './review-recorder'
-import { classifyGhToken } from './token-class'
+import { classifyGhToken, shouldMintAppToken } from './token-class'
 
 export default definePlugin({
   plugin: async (ctx) => {
     const resolveTokenForRepo = ctx.github.resolveTokenForRepo
+    const hasAppTokenResolver = ctx.github.hasAppTokenResolver
+    // `/user` resolves the caller's USER identity. An App installation token is not
+    // a user, so GitHub rejects it on a token-class basis (403, or no-token error in
+    // the sandbox) no matter how valid the token is. We block-and-guide so the agent
+    // does not misread this as "I have no auth" — it does, for repo-scoped calls.
+    const appUserEndpointReason =
+      '`gh api /user` (and `/user/...`) resolves the calling USER. This agent authenticates ' +
+      'as a GitHub App with a per-repo installation token, which is not a user identity — so ' +
+      '`/user` cannot work here, and this failure is NOT a sign that auth is missing (repo-' +
+      'scoped calls still work). It is not a valid auth/login check. For repo data use ' +
+      '`gh <cmd> -R owner/repo` or `gh api /repos/owner/repo/...`; for the actor, read the ' +
+      'PR/issue/comment context you were given instead of `gh api /user`.'
     const resolveToken = async (workspace: string) => {
       const result = await resolveTokenForRepo(workspace)
       return result.kind === 'token' ? result.token : null
@@ -44,8 +56,32 @@ export default definePlugin({
       if (review.dump !== null) return review.dump
 
       const decision = analyzeGhCommand(command)
+
+      // `/user` classifies as pass-through (no repo to mint for), so this block
+      // must run BEFORE the pass-through return. Resolve the EFFECTIVE token per
+      // `/user` invocation (a command-local `GH_TOKEN=…`/`GITHUB_TOKEN=…` overrides
+      // process env, matching gh) and block only when that token is App / none-with-
+      // minter — a command-local PAT override carries a user identity, so `/user`
+      // works for it and must not be blocked.
+      const userEndpointTokens = effectiveGhTokensForAuthenticatedUserEndpoint(command, {
+        GH_TOKEN: process.env.GH_TOKEN,
+        GITHUB_TOKEN: process.env.GITHUB_TOKEN,
+      })
+      if (userEndpointTokens.some((token) => shouldMintAppToken(token, hasAppTokenResolver()))) {
+        return { block: true, reason: appUserEndpointReason }
+      }
+
       if (decision.kind === 'pass-through') return 'fall-through'
 
+      // The `-R` strip is a pure syntax fix (`gh api` rejects `-R`), independent
+      // of token minting, so apply it for EVERY token class — including the PAT
+      // paths below that return without injecting. Only `inject` decisions carry
+      // `rewrittenCommand`, and only after the single-bare/safe-pipeline gate in
+      // analyzeGhCommand, so this never rewrites a blocked or unsafe shape.
+      if (decision.kind === 'inject' && decision.rewrittenCommand !== undefined) {
+        event.args.command = decision.rewrittenCommand
+      }
+
       const tokenClass = classifyGhToken(process.env.GH_TOKEN)
       // Classic PATs reach every owner; nothing to inject or enforce.
       if (tokenClass === 'cross-owner') return
@@ -57,15 +93,16 @@ export default definePlugin({
       // `gh` fails honestly if the named repo is under a different owner.
       if (tokenClass === 'fine-grained-pat') return
 
+      // No App auth (no App-class GH_TOKEN and no live minter): leave whatever
+      // is seeded so `gh` fails honestly rather than us guessing a token.
+      if (!shouldMintAppToken(process.env.GH_TOKEN, hasAppTokenResolver())) return
+
       const result = await resolveTokenForRepo(decision.repoSlug)
       if (result.kind === 'unavailable') return { block: true, reason: result.reason }
       // Inject via the internal env overlay (delivered to the spawn / bwrap
       // --setenv by the bash wrapper) so the token never enters the command
       // string, where it could leak through logs or later hooks.
       event.args[TYPECLAW_INTERNAL_BASH_ENV] = { GH_TOKEN: result.token }
-      // graphql consumed `-R/--repo` as a mint hint; `gh api` rejects it, so
-      // run the command with the flag stripped (token still rides in env).
-      if (decision.rewrittenCommand !== undefined) event.args.command = decision.rewrittenCommand
       return
     }
 
@@ -76,8 +113,10 @@ export default definePlugin({
     }): Promise<HookResult> => {
       const { event, command, agentDir } = params
       // Only App auth re-mints per repo. Classic/fine-grained PATs and absent
-      // tokens are left untouched, exactly as the gh path treats them.
-      if (classifyGhToken(process.env.GH_TOKEN) !== 'app') return
+      // tokens are left untouched, exactly as the gh path treats them. App auth
+      // is detected by the live minter too, not just an App-class GH_TOKEN:
+      // multi-owner / no-repos App configs never seed GH_TOKEN yet can mint.
+      if (!shouldMintAppToken(process.env.GH_TOKEN, hasAppTokenResolver())) return
 
       const decision = await analyzeGitCommand(command, { cwd: agentDir, resolvers: defaultGitResolvers })
       if (decision.kind === 'pass-through') return

package/src/bundled-plugins/github-cli-auth/token-class.ts

@@ -9,3 +9,16 @@ export function classifyGhToken(token: string | undefined): GhTokenClass {
   // a per-repo token rather than silently using a possibly-wrong global one.
   return 'app'
 }
+
+// Whether the per-repo App minter should fire for a repo-targeting command.
+// App auth is detected via EITHER a seeded App-class GH_TOKEN OR a live App
+// token resolver — the latter is the authority because multi-owner / no-repos
+// App configs intentionally leave GH_TOKEN unseeded (the prefix would read
+// 'none'), yet the per-repo minter is still registered and able to mint. Classic
+// and fine-grained PATs are never re-minted: they pass through with whatever
+// GH_TOKEN is seeded, exactly as before.
+export function shouldMintAppToken(token: string | undefined, hasAppTokenResolver: boolean): boolean {
+  const tokenClass = classifyGhToken(token)
+  if (tokenClass === 'cross-owner' || tokenClass === 'fine-grained-pat') return false
+  return tokenClass === 'app' || hasAppTokenResolver
+}

package/src/bundled-plugins/security/policies/prompt-injection.ts

@@ -427,6 +427,37 @@ const GIT_EXFIL_VERBS = [
   'hub\\s+(?:create|push)',
 ].join('|')
 
+// "backup" framing across the same major-language set the rest of this file
+// covers. The narrow English+Korean-only version let "백업 해줘 to my repo"
+// framings phrased in any other channel language slip the standalone-backup
+// catch (the SECRET_DEMAND patterns still fire when a credential is named; this
+// is only the no-secret-named "push to my backup repo" idiom). Entries are the
+// noun/verb for "backup"/"back up" — kept tight so they only matter within the
+// 80-char proximity-to-git-push window below, never on their own.
+const BACKUP_NOUNS = [
+  'backup',
+  'back[-\\s]?up',
+  '\u{BC31}\u{C5C5}', // ko 백업
+  '\u30D0\u30C3\u30AF\u30A2\u30C3\u30D7', // ja バックアップ
+  '\u5907\u4EFD', // zh-hans 备份
+  '\u5099\u4EFD', // zh-hant 備份
+  'copia\\s*de\\s*seguridad', // es
+  'respald(?:o|ar|a)', // es respaldo/respaldar
+  'sauvegard(?:e|er)', // fr
+  'sicherungskopie', // de
+  'sicher(?:n|ung)', // de Sicherung/sichern
+  'c[\u00F3o]pia\\s*de\\s*seguran[\u00E7c]a', // pt
+  'fazer\\s*backup', // pt
+  '\u0440\u0435\u0437\u0435\u0440\u0432\u043D(?:\u0430\u044F|\u0443\u044E)\\s*\u043A\u043E\u043F\u0438\u044F', // ru резервная копия
+  'sao\\s*l\u01B0u', // vi sao lưu
+  'cadang(?:an)?', // id cadangan/mencadangkan
+  '\u0646\u0633\u062E(?:\u0629)?\\s*\u0627\u062D\u062A\u064A\u0627\u0637\u064A(?:\u0629)?', // ar نسخة احتياطية
+  '\u092C\u0948\u0915\u0905\u092A', // hi बैकअप
+  'yede(?:k|kle)', // tr yedek/yedekle
+  'copia\\s*di\\s*sicurezza', // it
+  'backup', // it (loanword, same token)
+].join('|')
+
 const GIT_EXFIL_PATTERNS: ReadonlyArray<RegExp> = [
   new RegExp(`(?:${GIT_EXFIL_VERBS})`, 'i'),
   // Urgency shorthand ("do it" / "go ahead" / "now") right after a git command,
@@ -440,8 +471,8 @@ const GIT_EXFIL_PATTERNS: ReadonlyArray<RegExp> = [
   // request - if the same message also names a credential or `.env`, the
   // SECRET_DEMAND_PATTERNS already fires; this catches the standalone
   // "push to my backup repo" framing that doesn't mention secrets.
-  /(?:backup|back[-\s]?up|\u{BC31}\u{C5C5})[\s\S]{0,80}(?:git\s+push|github\.com|gitlab\.com|bitbucket\.org)/iu,
-  /(?:git\s+push|github\.com|gitlab\.com|bitbucket\.org)[\s\S]{0,80}(?:backup|back[-\s]?up|\u{BC31}\u{C5C5})/iu,
+  new RegExp(`(?:${BACKUP_NOUNS})[\\s\\S]{0,80}(?:git\\s+push|github\\.com|gitlab\\.com|bitbucket\\.org)`, 'iu'),
+  new RegExp(`(?:git\\s+push|github\\.com|gitlab\\.com|bitbucket\\.org)[\\s\\S]{0,80}(?:${BACKUP_NOUNS})`, 'iu'),
 ]
 
 export type InjectionMatch = {

package/src/channels/adapters/github/inbound.ts

@@ -396,17 +396,24 @@ export function classifyGithubInbound(
     const root = parentId ?? id
     const parent =
       parentId !== null && options?.reviewCommentParent?.parentId === parentId ? options.reviewCommentParent : null
+    const commenter = readUser(comment.user)
+    const directedAtBot =
+      parentId === null &&
+      isSelfPr(readUser(pr.user), selfLogin, options?.authType ?? 'pat') &&
+      commenter !== null &&
+      !isSelfAuthor(commenter, null, selfLogin)
     return buildInbound(
       { ...base, chat: `pr:${number}`, thread: String(root) },
       comment.body,
       id,
-      readUser(comment.user),
+      commenter,
       mention,
       comment.created_at,
       { kind: 'pr-review-comment', owner: repository.owner, repo: repository.name, commentId: id },
       false,
       {
         suppressSticky: true,
+        ...(directedAtBot ? { forceBotMention: true } : {}),
         replyToBotMessageId: parent?.isSelf === true ? String(parent.parentId) : null,
         replyToOtherMessageId: parent?.isSelf === false ? String(parent.parentId) : null,
       },
@@ -533,6 +540,11 @@ export function classifyGithubInbound(
       : reviewer !== null
         ? synthesizeReviewStateText(reviewer.login, number, readString(pr, 'title'), readString(review, 'state'))
         : ''
+    const directedAtBot =
+      isSelfPr(readUser(pr.user), selfLogin, options?.authType ?? 'pat') &&
+      reviewer !== null &&
+      !isSelfAuthor(reviewer, null, selfLogin) &&
+      isActionableReviewState(readString(review, 'state'))
     return buildInbound(
       { ...base, chat: `pr:${number}`, thread: null },
       text,
@@ -542,7 +554,7 @@ export function classifyGithubInbound(
       review.submitted_at,
       null,
       !hasBody,
-      { suppressSticky: true },
+      { suppressSticky: true, ...(directedAtBot ? { forceBotMention: true } : {}) },
     )
   }
 
@@ -591,6 +603,12 @@ type BuildInboundOptions = {
   suppressSticky?: boolean
   replyToBotMessageId?: string | null
   replyToOtherMessageId?: string | null
+  // Forces isBotMention=true with no @-handle in the body. A review (or
+  // top-level review comment) on a PR the agent ITSELF authored is directed at
+  // the bot — the inverse of review_requested — so it engages even though the
+  // reviewer never types `@bot`. Paired with suppressSticky so reviews on OTHER
+  // people's PRs still observe-only (preserving the PR #672 fix).
+  forceBotMention?: boolean
 }
 
 // A GitHub App can never be a `requested_reviewer` — that field only holds
@@ -799,7 +817,7 @@ function buildInbound(
   // Synthesized awareness lines carry an `@author` prefix describing who acted;
   // that handle is the author, never a third-party mention of the bot, so the
   // body-text mention heuristic must not fire on it.
-  const isBotMention = !synthesizedAwareness && textMentionsBot(text, mention)
+  const isBotMention = options?.forceBotMention === true || (!synthesizedAwareness && textMentionsBot(text, mention))
   const replyToBotMessageId = options?.replyToBotMessageId ?? null
   const replyToOtherMessageId = options?.replyToOtherMessageId ?? key.replyToOtherMessageId
   return {
@@ -854,6 +872,15 @@ function synthesizeReviewStateText(
   return `@${reviewer} ${verb} PR #${number}${label}.`
 }
 
+// A review on the agent's own PR engages it only when there is something to act
+// on. APPROVED clears the PR and needs no reply, so engaging would just produce
+// "thanks" churn; it stays awareness-only. COMMENTED and CHANGES_REQUESTED (and
+// any non-approval state) carry feedback the agent should address. State case
+// varies by payload source (webhook vs REST), so normalize before matching.
+function isActionableReviewState(state: string | null): boolean {
+  return state?.toLowerCase() !== 'approved'
+}
+
 async function resolveTeamMembership(
   event: string,
   payload: Record<string, unknown>,
@@ -981,6 +1008,17 @@ function isSelfAuthor(author: GithubUser, selfId: string | null, selfLogin: stri
   return false
 }
 
+// Whether the PR's OPENER is this agent. Distinct from isSelfAuthor (which
+// guards self-loops on the event ACTOR by id/login): here we have only the
+// `pull_request.user` from a review payload, no id to compare, and under App
+// auth the bot opens PRs as the decoy account (login = slug, e.g. `typeey`),
+// not the actor login `typeey[bot]`. So this matches selfLogin AND the decoy
+// slug — mirroring resolveBotMentionLogins.
+function isSelfPr(prUser: GithubUser | null, selfLogin: string | null, authType: 'pat' | 'app'): boolean {
+  if (prUser === null || selfLogin === null) return false
+  return resolveBotMentionLogins(selfLogin, authType).includes(prUser.login)
+}
+
 type GithubUser = { login: string; id: number; type?: string }
 
 function readUser(value: unknown): GithubUser | null {

package/src/channels/adapters/slack-bot.ts

@@ -359,18 +359,26 @@ export function createTypingCallback(deps: {
     // threads keep using `thread`. Either way the status is keyed on one ts.
     const statusThread =
       target.typingThread !== undefined && target.typingThread !== '' ? target.typingThread : target.thread
-    const tag = formatChannelTag
-      ? await formatChannelTag(target.workspace, statusThread ?? target.chat)
-      : `channel=${statusThread ?? target.chat}`
     if (statusThread === undefined || statusThread === null || statusThread === '') {
-      if (target.phase === 'tick') logger.info(`[slack-bot] typing (no-op, top-level chat) ${tag}`)
-      return
-    }
-    if (target.phase === 'stop') {
-      await typingTracker.clearAfterSend(target.chat, statusThread)
+      if (target.phase === 'tick') {
+        const tag = formatChannelTag
+          ? await formatChannelTag(target.workspace, statusThread ?? target.chat)
+          : `channel=${statusThread ?? target.chat}`
+        logger.info(`[slack-bot] typing (no-op, top-level chat) ${tag}`)
+      }
       return
     }
-    await typingTracker.setStatus(target.chat, statusThread, 'is typing...')
+    // Append to the per-(chat,thread) FIFO BEFORE awaiting anything: the FIFO
+    // only orders calls once setStatus/clearAfterSend is reached, so awaiting
+    // `formatChannelTag` first opens an unordered gap where a fire-and-forget
+    // re-arm 'tick' (router send() after a reply) can enqueue "is typing..."
+    // AFTER the turn-end 'stop' clear. Flat DMs have no threaded-reply
+    // auto-clear, so that strands the indicator until Slack's ~2-min timeout.
+    const enqueued =
+      target.phase === 'stop'
+        ? typingTracker.clearAfterSend(target.chat, statusThread)
+        : typingTracker.setStatus(target.chat, statusThread, 'is typing...')
+    await enqueued
   }
 }
 

package/src/channels/continuation-willingness.ts

@@ -0,0 +1,331 @@
+// A channel turn ends after a successful `channel_reply` (the terminal-reply
+// abort in router.ts). When the model's reply PROMISES to keep working this
+// turn ("바로 확인해볼게요", "let me check", "I'll continue now") but it forgot
+// to set `channel_reply({ continue: true })`, the turn aborts and the promised
+// follow-up never runs. The router uses this detector to inject ONE bounded
+// reminder nudge so the model gets a second chance. See the empty-turn retry
+// (router.ts) for the sibling mechanism this mirrors.
+//
+// Design bias: PREFER FALSE NEGATIVES. A miss leaves the status quo (turn ends,
+// recoverable by a later user message); a false positive costs one wasted
+// reminder-only turn that the model ends with NO_REPLY. So the phrase tables are
+// deliberately narrow — only self-directed FUTURE intent to act THIS turn, never
+// descriptive ("I checked and it's fine") or other-directed ("you can continue")
+// usage. This is a HINT, not a control-flow authority: the abort still fires
+// regardless; only the optional nudge is gated on it.
+
+// Strip markdown emphasis/code fences before matching so an inline `gh` span
+// inside "바로 `gh`로 확인할게요" does not split the phrase.
+function normalize(text: string): string {
+  return text
+    .toLowerCase()
+    .replace(/[`*_~]/g, ' ')
+    .replace(/\s+/g, ' ')
+    .trim()
+}
+
+// Self-directed future-intent phrases. Each asserts the SPEAKER will do more
+// work imminently. The leading "i" / "let me" anchors self-direction so
+// "you can continue" never matches.
+const EN_PHRASES: readonly string[] = [
+  "i'll continue",
+  'i will continue',
+  "i'll keep going",
+  "i'll keep checking",
+  "i'll keep looking",
+  "i'll take a look",
+  "i'll check",
+  "i'll look into",
+  "i'll dig in",
+  "i'll go ahead and",
+  'let me check',
+  'let me look',
+  'let me take a look',
+  'let me dig',
+  'let me continue',
+  'let me verify',
+  'checking now',
+  'looking into it now',
+  'working on it now',
+  'on it now',
+  'give me a moment',
+  'give me a sec',
+]
+
+// Korean: -ㄹ게요 / -겠습니다 future-volitional endings on check/look/continue/
+// proceed verbs. These endings are first-person volitional in Korean — they
+// cannot address the listener, so they are safe self-direction anchors that
+// descriptive or other-directed sentences do not produce. Bare "계속" is
+// excluded ("계속 진행하세요" = "you go ahead", terminal).
+const KO_PHRASES: readonly string[] = [
+  '확인해볼게요',
+  '확인해 볼게요',
+  '확인할게요',
+  '확인하겠습니다',
+  '확인해보겠습니다',
+  '확인해 보겠습니다',
+  '다시 확인하겠습니다',
+  '다시 확인해보겠습니다',
+  '이어서 확인',
+  '계속 확인',
+  '계속 진행할게요',
+  '계속 진행하겠습니다',
+  '계속하겠습니다',
+  '계속할게요',
+  '바로 확인',
+  '바로 볼게요',
+  '바로 진행',
+  '살펴볼게요',
+  '살펴보겠습니다',
+  '진행하겠습니다',
+  '잠시만요',
+  '잠깐만요',
+  '곧 알려',
+]
+
+// The remaining languages mirror the precision-first selection above: every
+// entry pairs a FIRST-PERSON future/volitional anchor with a work verb
+// (check/look/continue/proceed/verify) or is an immediate-work idiom ("on it
+// now"). The same false-negative bias holds — bare verbs, bare acknowledgments
+// ("ok", "sí", "好"), second-person imperatives ("you continue"), and
+// descriptive past forms ("I checked") are deliberately excluded because a
+// substring match on those would mis-fire. Latin/Cyrillic/Arabic/Indic entries
+// are inflected first-person-future forms (or multi-word) so they cannot
+// collide with a bare common word; CJK entries are full 4+ character
+// intent phrases, never a lone noun.
+
+// Spanish: "voy a" / "déjame" + work verb; "enseguida" (right away) idioms.
+const ES_PHRASES: readonly string[] = [
+  'voy a revisar',
+  'voy a comprobar',
+  'voy a verificar',
+  'voy a mirar',
+  'voy a continuar',
+  'voy a seguir',
+  'déjame revisar',
+  'déjame comprobar',
+  'déjame verificar',
+  'déjame mirar',
+  'lo reviso enseguida',
+  'lo verifico enseguida',
+  'enseguida lo reviso',
+  'enseguida reviso',
+  'un momento',
+  'dame un momento',
+  'dame un segundo',
+]
+
+// French: "je vais" + work verb; "laisse-moi" idioms.
+const FR_PHRASES: readonly string[] = [
+  'je vais vérifier',
+  'je vais regarder',
+  'je vais continuer',
+  'je vais poursuivre',
+  'je vais voir',
+  'je vais contrôler',
+  'laisse-moi vérifier',
+  'laisse-moi regarder',
+  'je vérifie tout de suite',
+  'je regarde tout de suite',
+  'un instant',
+  'donne-moi un instant',
+  'donne-moi une seconde',
+]
+
+// Italian: "vado a" / "fammi" + work verb; "controllo subito" idioms.
+const IT_PHRASES: readonly string[] = [
+  'vado a controllare',
+  'vado a verificare',
+  'vado a guardare',
+  'fammi controllare',
+  'fammi verificare',
+  'fammi guardare',
+  'controllo subito',
+  'verifico subito',
+  'continuo subito',
+  'un momento',
+  'dammi un momento',
+  'dammi un secondo',
+]
+
+// Portuguese: "vou" + work verb; "deixa eu" idioms.
+const PT_PHRASES: readonly string[] = [
+  'vou verificar',
+  'vou checar',
+  'vou conferir',
+  'vou olhar',
+  'vou continuar',
+  'vou prosseguir',
+  'deixa eu verificar',
+  'deixa eu conferir',
+  'deixa eu olhar',
+  'verifico já',
+  'já verifico',
+  'um momento',
+  'me dê um momento',
+  'me dá um segundo',
+]
+
+// German: "ich werde" / "lass mich" + work verb; "ich schaue gleich" idioms.
+const DE_PHRASES: readonly string[] = [
+  'ich werde prüfen',
+  'ich werde überprüfen',
+  'ich werde nachsehen',
+  'ich werde weitermachen',
+  'ich werde fortfahren',
+  'lass mich prüfen',
+  'lass mich nachsehen',
+  'ich schaue gleich',
+  'ich prüfe gleich',
+  'gleich prüfen',
+  'gleich überprüfen',
+  'gleich nachsehen',
+  'einen moment',
+  'einen augenblick',
+  'gib mir eine sekunde',
+]
+
+// Russian: first-person-future verbs (проверю/посмотрю/продолжу) — the -ю/-у
+// inflection is unambiguously "I will", so it is a safe self-anchor.
+const RU_PHRASES: readonly string[] = [
+  'сейчас проверю',
+  'я проверю',
+  'я посмотрю',
+  'я продолжу',
+  'продолжу проверку',
+  'сейчас посмотрю',
+  'дайте мне минуту',
+  'одну секунду',
+  'минутку',
+]
+
+// Chinese: 我会/我来/我再 + work verb. Full multi-character intent phrases only;
+// no bare nouns. 继续 alone is excluded (could be "you continue").
+const ZH_PHRASES: readonly string[] = [
+  '我来确认',
+  '我来检查',
+  '我来看看',
+  '我会确认',
+  '我会检查',
+  '我会继续',
+  '我再确认',
+  '我再检查',
+  '我继续确认',
+  '我马上确认',
+  '我马上检查',
+  '我马上看',
+  '稍等一下',
+  '我看一下',
+]
+
+// Japanese: -てみます / -します first-person volitional on check/look/continue.
+// Bare nouns (確認) are excluded; the verb ending carries the self-direction.
+const JA_PHRASES: readonly string[] = [
+  '確認します',
+  '確認してみます',
+  '確認いたします',
+  '調べてみます',
+  '調べます',
+  '見てみます',
+  '続けます',
+  '引き続き確認します',
+  'すぐ確認します',
+  '少々お待ちください',
+  'ちょっと待ってください',
+]
+
+// Arabic: future particle سـ prefixed first-person verb (سأتحقق = "I will
+// verify"). The سأ prefix is unambiguously first-person-future.
+const AR_PHRASES: readonly string[] = [
+  'سأتحقق',
+  'سأتأكد',
+  'سأراجع',
+  'سأطلع',
+  'سأكمل',
+  'سأواصل',
+  'دعني أتحقق',
+  'دعني أراجع',
+  'لحظة من فضلك',
+]
+
+// Hindi: first-person-future "मैं … करूँगा/देखूँगा" forms (multi-word so they
+// cannot collide with a bare common word).
+const HI_PHRASES: readonly string[] = [
+  'जाँच करूँगा',
+  'जांच करूंगा',
+  'देख लूँगा',
+  'देख लूंगा',
+  'जारी रखूँगा',
+  'जारी रखूंगा',
+  'एक मिनट रुकिए',
+]
+
+// Turkish: first-person-future "-eceğim/-acağım" on check/look/continue verbs.
+const TR_PHRASES: readonly string[] = [
+  'kontrol edeceğim',
+  'kontrol ediyorum',
+  'bakacağım',
+  'inceleyeceğim',
+  'devam edeceğim',
+  'hemen kontrol ediyorum',
+  'hemen bakıyorum',
+  'bir saniye',
+  'bir dakika',
+]
+
+// Vietnamese: "tôi sẽ" / "để tôi" (I will / let me) + work verb.
+const VI_PHRASES: readonly string[] = [
+  'tôi sẽ kiểm tra',
+  'tôi sẽ xem',
+  'tôi sẽ tiếp tục',
+  'để tôi kiểm tra',
+  'để tôi xem',
+  'tôi kiểm tra ngay',
+  'tôi xem ngay',
+  'chờ một chút',
+  'đợi một chút',
+]
+
+// Indonesian: "saya akan" / "biar saya" (I will / let me) + work verb.
+const ID_PHRASES: readonly string[] = [
+  'saya akan periksa',
+  'saya akan cek',
+  'saya akan lihat',
+  'saya akan lanjutkan',
+  'biar saya periksa',
+  'biar saya cek',
+  'saya cek dulu',
+  'saya periksa dulu',
+  'tunggu sebentar',
+  'sebentar ya',
+]
+
+const ALL_PHRASES: readonly string[] = [
+  ...EN_PHRASES,
+  ...KO_PHRASES,
+  ...ES_PHRASES,
+  ...FR_PHRASES,
+  ...IT_PHRASES,
+  ...PT_PHRASES,
+  ...DE_PHRASES,
+  ...RU_PHRASES,
+  ...ZH_PHRASES,
+  ...JA_PHRASES,
+  ...AR_PHRASES,
+  ...HI_PHRASES,
+  ...TR_PHRASES,
+  ...VI_PHRASES,
+  ...ID_PHRASES,
+]
+
+// Reply texts shorter than this are almost always a complete final answer
+// ("네", "ok", "done") where a partial match would be noise. The shortest
+// legitimate intent phrases ("on it now", "확인할게요") clear this floor.
+const MIN_LENGTH = 4
+
+export function detectContinuationWillingness(text: string): boolean {
+  if (text.length < MIN_LENGTH) return false
+  const normalized = normalize(text)
+  if (normalized.length < MIN_LENGTH) return false
+  return ALL_PHRASES.some((phrase) => normalized.includes(phrase))
+}