typeclaw 0.34.1 → 0.35.1

package/src/bundled-plugins/github-cli-auth/git-command.ts

@@ -91,33 +91,97 @@ export async function analyzeGitCommand(
   command: string,
   options: { cwd: string; resolvers: GitResolvers },
 ): Promise<GitCommandDecision> {
+  // The single permitted `cd <simple-path> && git …` shortcut is rewritten to a
+  // bare `git -C …` before any chain parsing, so a chain never has to reason
+  // about a `cd` segment changing cwd for the gits that follow it. Multi-git
+  // chains must use explicit `git -C` per segment instead.
   const stripped = stripSafeCdPrefix(command)
   if (stripped.unsafe) return { kind: 'pass-through' }
+  if (stripped.cdDir !== null) return analyzeSingleCdGit(stripped, options)
+
+  // Split the command into `&&`-joined git segments. null = not a pure
+  // git-only `&&` chain (a non-git segment, a forbidden shell operator, a
+  // leading env assignment, or no git at all).
+  const chain = extractGitInvocationChain(command)
+  if (chain === null) {
+    // Distinguish "no git here at all" (pass-through) from "git is present but
+    // the composition is unsafe" (block). A bare `ls`/`echo` is not our concern;
+    // a `git push … | tee` or `git … && curl evil` must be blocked, never run
+    // tokenless (which is what silently passing through used to do — the bug).
+    return containsGitInvocation(command) ? { kind: 'block', reason: COMPOSITION_REASON } : { kind: 'pass-through' }
+  }
+
+  const remoteSegments = chain.filter((s) => {
+    const sub = findSubcommand(s.args)
+    return sub !== undefined && REMOTE_SUBCOMMANDS.has(sub)
+  })
+  // No segment talks to a remote (e.g. `git status && git log`): nothing to
+  // authenticate, so pass through and let git run with no token.
+  if (remoteSegments.length === 0) return { kind: 'pass-through' }
+
+  // Every segment — even non-remote ones like `git status` that ride along in
+  // the chain — must pass the redirect screen: a token lives in the shared env
+  // the whole chain inherits, so a `-c`/env-assignment on ANY git could steer
+  // auth or destination.
+  for (const seg of chain) {
+    if (seg.hasLeadingEnvAssignment || hasDangerousGitConfig(seg.args)) {
+      return { kind: 'block', reason: DANGEROUS_CONFIG_REASON }
+    }
+    const sub = findSubcommand(seg.args)
+    if ((sub === 'fetch' || sub === 'pull') && seg.args.includes('--all')) {
+      return { kind: 'block', reason: FETCH_ALL_REASON }
+    }
+  }
+
+  const owners = new Set<string>()
+  let representativeSlug: string | null = null
+  for (const seg of remoteSegments) {
+    const sub = findSubcommand(seg.args) as string
+    const effectiveCwd = resolveCwd(options.cwd, extractDashCDir(seg.args))
+    // A resolver that throws is treated as "couldn't resolve" → pass-through, so
+    // a git/subprocess failure never crashes the hook or guesses a repo.
+    let slugs: string[]
+    try {
+      slugs = await resolveRepoSlugs(sub, seg.args, effectiveCwd, options.resolvers)
+    } catch {
+      return { kind: 'pass-through' }
+    }
+    for (const slug of slugs) {
+      owners.add(slug.split('/')[0] as string)
+      representativeSlug ??= slug
+    }
+  }
+
+  // A GitHub remote subcommand whose target owner we could not resolve: we must
+  // not mint a possibly-wrong-owner token, and silently passing through would
+  // reproduce the credential-less failure. Block with an actionable reason.
+  if (representativeSlug === null) return { kind: 'pass-through' }
+  if (owners.size > 1) return { kind: 'block', reason: MULTI_OWNER_REASON }
+
+  return { kind: 'inject', repoSlug: representativeSlug }
+}
+
+// The single-git `cd <path> && git …` shortcut. Kept separate (and single-git
+// only) so the cwd rewrite stays simple: the token-bearing command becomes one
+// bare `git -C <path> …`, with no sibling inheriting the env. A `cd` in a
+// multi-git chain is rejected (callers use explicit `git -C` per segment).
+async function analyzeSingleCdGit(
+  stripped: StrippedCd,
+  options: { cwd: string; resolvers: GitResolvers },
+): Promise<GitCommandDecision> {
   const segment = extractSingleGitInvocation(stripped.rest)
   if (segment === null) return { kind: 'pass-through' }
-
   const args = segment.args
   const subcommand = findSubcommand(args)
   if (subcommand === undefined || !REMOTE_SUBCOMMANDS.has(subcommand)) return { kind: 'pass-through' }
-
-  // We are about to put a live token in this process's env. Reject any command
-  // that could redirect git's auth/destination away from the resolved repo:
-  // user `-c` (url.*.insteadOf, core.askPass, credential.*, http.*), a leading
-  // env assignment (`GIT_ASKPASS=… git …`), or a different git-dir/work-tree.
   if (segment.hasLeadingEnvAssignment || hasDangerousGitConfig(args)) {
     return { kind: 'block', reason: DANGEROUS_CONFIG_REASON }
   }
-  // `fetch/pull --all` contacts every configured remote; we cannot enumerate
-  // them here, so we could mint for one and leak the token to another. Block.
   if ((subcommand === 'fetch' || subcommand === 'pull') && args.includes('--all')) {
     return { kind: 'block', reason: FETCH_ALL_REASON }
   }
-
   const dashCDir = extractDashCDir(args)
   const effectiveCwd = resolveCwd(resolveCwd(options.cwd, stripped.cdDir), dashCDir)
-
-  // A resolver that throws is treated as "couldn't resolve" → pass-through, so a
-  // git/subprocess failure never crashes the hook or guesses a repo.
   let slugs: string[]
   try {
     slugs = await resolveRepoSlugs(subcommand, args, effectiveCwd, options.resolvers)
@@ -125,24 +189,15 @@ export async function analyzeGitCommand(
     return { kind: 'pass-through' }
   }
   if (slugs.length === 0) return { kind: 'pass-through' }
-
   const owners = new Set(slugs.map((s) => s.split('/')[0]))
   if (owners.size > 1) return { kind: 'block', reason: MULTI_OWNER_REASON }
-
   const repoSlug = slugs[0] as string
-
-  // Injecting the askpass token into env means any sibling process inherits it,
-  // so a token-bearing command must be a single bare `git`. A `cd … && git …`
-  // is allowed only by rewriting away the `&&` into `git -C …` — but not when the
-  // git part already has its own `-C` (the rewrite would stack two and change cwd).
-  if (stripped.cdDir !== null) {
-    if (containsShellActiveMetachar(stripped.rest) || dashCDir !== null) {
-      return { kind: 'block', reason: COMPOSITION_REASON }
-    }
-    return { kind: 'inject', repoSlug, rewrittenCommand: rewriteCdToDashC(effectiveCwd, stripped.rest) }
+  // The rewrite cannot stack two `-C` (the git part must not already carry one)
+  // and the rest must be a single bare git (no further composition).
+  if (containsShellActiveMetachar(stripped.rest) || dashCDir !== null) {
+    return { kind: 'block', reason: COMPOSITION_REASON }
   }
-  if (containsShellActiveMetachar(command)) return { kind: 'block', reason: COMPOSITION_REASON }
-  return { kind: 'inject', repoSlug }
+  return { kind: 'inject', repoSlug, rewrittenCommand: rewriteCdToDashC(effectiveCwd, stripped.rest) }
 }
 
 // Global flags that can redirect git's auth or destination. `-c`/`--config-env`
@@ -358,6 +413,97 @@ function extractSingleGitInvocation(command: string): GitInvocation | null {
   return { args, hasLeadingEnvAssignment }
 }
 
+// True if `git` appears at any command boundary. Used to decide block-vs-pass:
+// a command with no git at all is none of our business (pass-through), but one
+// that DOES contain git yet is not a clean git-only `&&` chain must be blocked,
+// not run tokenless.
+function containsGitInvocation(command: string): boolean {
+  const tokens = tokenize(command)
+  for (let i = 0; i < tokens.length; i++) {
+    if (tokens[i] === 'git' && (i === 0 || isCommandBoundaryBefore(tokens, i))) return true
+  }
+  return false
+}
+
+// Splits a command into `&&`-joined segments and accepts it ONLY when EVERY
+// segment is a single bare `git` invocation. Returns null (caller blocks or
+// passes through) when any segment is non-git, the chain uses any operator other
+// than `&&` (`;`, `|`, `||`, `&`, newline) at top level, or a segment carries a
+// shell-active metachar (`$`, backtick, redirection, subshell) that could spawn
+// or feed a NON-git process — which would inherit the shared token env. The
+// all-git invariant is load-bearing: the token rides in a plain inherited env
+// var, so a single non-git sibling could read it directly.
+function extractGitInvocationChain(command: string): GitInvocation[] | null {
+  // Quote-aware screen on the ORIGINAL command: every shell-active metachar
+  // except the `&&` chain operator must be absent. This rejects `;`, `|`, `||`,
+  // single `&`, redirection, subshells, and `$`/backtick (active outside single
+  // quotes) — anything that could spawn or feed a non-git process that would
+  // inherit the shared token env. Screening the original (not dequoted tokens)
+  // keeps a safely single-quoted `$` from being a false positive.
+  if (containsUnsafeMetacharOutsideAndAnd(command)) return null
+
+  const tokens = tokenize(command)
+  if (tokens.length === 0) return null
+
+  const segments: string[][] = [[]]
+  for (const token of tokens) {
+    if (token === '&&') {
+      segments.push([])
+      continue
+    }
+    // The metachar screen above already rejected every other operator; this is
+    // belt-and-suspenders in case the tokenizer ever emits one we missed.
+    if (token === ';' || token === '|' || token === '||' || token === '&' || token === '\n') return null
+    ;(segments[segments.length - 1] as string[]).push(token)
+  }
+
+  const invocations: GitInvocation[] = []
+  for (const seg of segments) {
+    if (seg.length === 0) return null
+    let start = 0
+    while (start < seg.length && /^[A-Za-z_][A-Za-z0-9_]*=/.test(seg[start] ?? '')) start += 1
+    const hasLeadingEnvAssignment = start > 0
+    if (seg[start] !== 'git') return null
+    invocations.push({ args: seg.slice(start + 1), hasLeadingEnvAssignment })
+  }
+  return invocations
+}
+
+// Quote-aware: true if any shell-active metachar appears outside quotes EXCEPT
+// the `&&` operator (a lone `&` IS unsafe — backgrounding). `$`/backtick are
+// active inside double quotes too, so they trip even there; single-quoted
+// content is inert. Companion to containsShellActiveMetachar, which forbids ALL
+// of them (no `&&` exception) for the single-git path.
+function containsUnsafeMetacharOutsideAndAnd(command: string): boolean {
+  let quote: '"' | "'" | null = null
+  for (let i = 0; i < command.length; i++) {
+    const ch = command[i] as string
+    if (quote === "'") {
+      if (ch === "'") quote = null
+      continue
+    }
+    if (quote === '"') {
+      if (ch === '$' || ch === '`') return true
+      if (ch === '"') quote = null
+      continue
+    }
+    if (ch === "'" || ch === '"') {
+      quote = ch
+      continue
+    }
+    if (ch === '&') {
+      // `&&` is the one allowed composer; a single `&` is backgrounding.
+      if (command[i + 1] === '&') {
+        i += 1
+        continue
+      }
+      return true
+    }
+    if (SHELL_ACTIVE_METACHARS.has(ch)) return true
+  }
+  return false
+}
+
 function isCommandBoundaryBefore(tokens: readonly string[], index: number): boolean {
   let cursor = index - 1
   while (cursor >= 0) {

package/src/bundled-plugins/github-cli-auth/index.ts

@@ -3,16 +3,28 @@ import { definePlugin } from '@/plugin'
 
 import { createApproveIdempotencyGuard } from './approve-idempotency'
 import { createGithubEffectiveApprovalResolver, createGithubHeadShaResolver } from './effective-approval'
-import { analyzeGhCommand } from './gh-command'
+import { analyzeGhCommand, effectiveGhTokensForAuthenticatedUserEndpoint } from './gh-command'
 import { ensureGitAskPassHelper } from './git-askpass'
 import { analyzeGitCommand, defaultGitResolvers } from './git-command'
 import { checkGraphqlAuthNudge } from './graphql-auth-nudge'
 import { commitReviewIfSucceeded, noteReviewCommand } from './review-recorder'
-import { classifyGhToken } from './token-class'
+import { classifyGhToken, shouldMintAppToken } from './token-class'
 
 export default definePlugin({
   plugin: async (ctx) => {
     const resolveTokenForRepo = ctx.github.resolveTokenForRepo
+    const hasAppTokenResolver = ctx.github.hasAppTokenResolver
+    // `/user` resolves the caller's USER identity. An App installation token is not
+    // a user, so GitHub rejects it on a token-class basis (403, or no-token error in
+    // the sandbox) no matter how valid the token is. We block-and-guide so the agent
+    // does not misread this as "I have no auth" — it does, for repo-scoped calls.
+    const appUserEndpointReason =
+      '`gh api /user` (and `/user/...`) resolves the calling USER. This agent authenticates ' +
+      'as a GitHub App with a per-repo installation token, which is not a user identity — so ' +
+      '`/user` cannot work here, and this failure is NOT a sign that auth is missing (repo-' +
+      'scoped calls still work). It is not a valid auth/login check. For repo data use ' +
+      '`gh <cmd> -R owner/repo` or `gh api /repos/owner/repo/...`; for the actor, read the ' +
+      'PR/issue/comment context you were given instead of `gh api /user`.'
     const resolveToken = async (workspace: string) => {
       const result = await resolveTokenForRepo(workspace)
       return result.kind === 'token' ? result.token : null
@@ -44,8 +56,32 @@ export default definePlugin({
       if (review.dump !== null) return review.dump
 
       const decision = analyzeGhCommand(command)
+
+      // `/user` classifies as pass-through (no repo to mint for), so this block
+      // must run BEFORE the pass-through return. Resolve the EFFECTIVE token per
+      // `/user` invocation (a command-local `GH_TOKEN=…`/`GITHUB_TOKEN=…` overrides
+      // process env, matching gh) and block only when that token is App / none-with-
+      // minter — a command-local PAT override carries a user identity, so `/user`
+      // works for it and must not be blocked.
+      const userEndpointTokens = effectiveGhTokensForAuthenticatedUserEndpoint(command, {
+        GH_TOKEN: process.env.GH_TOKEN,
+        GITHUB_TOKEN: process.env.GITHUB_TOKEN,
+      })
+      if (userEndpointTokens.some((token) => shouldMintAppToken(token, hasAppTokenResolver()))) {
+        return { block: true, reason: appUserEndpointReason }
+      }
+
       if (decision.kind === 'pass-through') return 'fall-through'
 
+      // The `-R` strip is a pure syntax fix (`gh api` rejects `-R`), independent
+      // of token minting, so apply it for EVERY token class — including the PAT
+      // paths below that return without injecting. Only `inject` decisions carry
+      // `rewrittenCommand`, and only after the single-bare/safe-pipeline gate in
+      // analyzeGhCommand, so this never rewrites a blocked or unsafe shape.
+      if (decision.kind === 'inject' && decision.rewrittenCommand !== undefined) {
+        event.args.command = decision.rewrittenCommand
+      }
+
       const tokenClass = classifyGhToken(process.env.GH_TOKEN)
       // Classic PATs reach every owner; nothing to inject or enforce.
       if (tokenClass === 'cross-owner') return
@@ -57,15 +93,16 @@ export default definePlugin({
       // `gh` fails honestly if the named repo is under a different owner.
       if (tokenClass === 'fine-grained-pat') return
 
+      // No App auth (no App-class GH_TOKEN and no live minter): leave whatever
+      // is seeded so `gh` fails honestly rather than us guessing a token.
+      if (!shouldMintAppToken(process.env.GH_TOKEN, hasAppTokenResolver())) return
+
       const result = await resolveTokenForRepo(decision.repoSlug)
       if (result.kind === 'unavailable') return { block: true, reason: result.reason }
       // Inject via the internal env overlay (delivered to the spawn / bwrap
       // --setenv by the bash wrapper) so the token never enters the command
       // string, where it could leak through logs or later hooks.
       event.args[TYPECLAW_INTERNAL_BASH_ENV] = { GH_TOKEN: result.token }
-      // graphql consumed `-R/--repo` as a mint hint; `gh api` rejects it, so
-      // run the command with the flag stripped (token still rides in env).
-      if (decision.rewrittenCommand !== undefined) event.args.command = decision.rewrittenCommand
       return
     }
 
@@ -76,8 +113,10 @@ export default definePlugin({
     }): Promise<HookResult> => {
       const { event, command, agentDir } = params
       // Only App auth re-mints per repo. Classic/fine-grained PATs and absent
-      // tokens are left untouched, exactly as the gh path treats them.
-      if (classifyGhToken(process.env.GH_TOKEN) !== 'app') return
+      // tokens are left untouched, exactly as the gh path treats them. App auth
+      // is detected by the live minter too, not just an App-class GH_TOKEN:
+      // multi-owner / no-repos App configs never seed GH_TOKEN yet can mint.
+      if (!shouldMintAppToken(process.env.GH_TOKEN, hasAppTokenResolver())) return
 
       const decision = await analyzeGitCommand(command, { cwd: agentDir, resolvers: defaultGitResolvers })
       if (decision.kind === 'pass-through') return

package/src/bundled-plugins/github-cli-auth/token-class.ts

@@ -9,3 +9,16 @@ export function classifyGhToken(token: string | undefined): GhTokenClass {
   // a per-repo token rather than silently using a possibly-wrong global one.
   return 'app'
 }
+
+// Whether the per-repo App minter should fire for a repo-targeting command.
+// App auth is detected via EITHER a seeded App-class GH_TOKEN OR a live App
+// token resolver — the latter is the authority because multi-owner / no-repos
+// App configs intentionally leave GH_TOKEN unseeded (the prefix would read
+// 'none'), yet the per-repo minter is still registered and able to mint. Classic
+// and fine-grained PATs are never re-minted: they pass through with whatever
+// GH_TOKEN is seeded, exactly as before.
+export function shouldMintAppToken(token: string | undefined, hasAppTokenResolver: boolean): boolean {
+  const tokenClass = classifyGhToken(token)
+  if (tokenClass === 'cross-owner' || tokenClass === 'fine-grained-pat') return false
+  return tokenClass === 'app' || hasAppTokenResolver
+}

package/src/bundled-plugins/security/policies/prompt-injection.ts

@@ -427,6 +427,37 @@ const GIT_EXFIL_VERBS = [
   'hub\\s+(?:create|push)',
 ].join('|')
 
+// "backup" framing across the same major-language set the rest of this file
+// covers. The narrow English+Korean-only version let "백업 해줘 to my repo"
+// framings phrased in any other channel language slip the standalone-backup
+// catch (the SECRET_DEMAND patterns still fire when a credential is named; this
+// is only the no-secret-named "push to my backup repo" idiom). Entries are the
+// noun/verb for "backup"/"back up" — kept tight so they only matter within the
+// 80-char proximity-to-git-push window below, never on their own.
+const BACKUP_NOUNS = [
+  'backup',
+  'back[-\\s]?up',
+  '\u{BC31}\u{C5C5}', // ko 백업
+  '\u30D0\u30C3\u30AF\u30A2\u30C3\u30D7', // ja バックアップ
+  '\u5907\u4EFD', // zh-hans 备份
+  '\u5099\u4EFD', // zh-hant 備份
+  'copia\\s*de\\s*seguridad', // es
+  'respald(?:o|ar|a)', // es respaldo/respaldar
+  'sauvegard(?:e|er)', // fr
+  'sicherungskopie', // de
+  'sicher(?:n|ung)', // de Sicherung/sichern
+  'c[\u00F3o]pia\\s*de\\s*seguran[\u00E7c]a', // pt
+  'fazer\\s*backup', // pt
+  '\u0440\u0435\u0437\u0435\u0440\u0432\u043D(?:\u0430\u044F|\u0443\u044E)\\s*\u043A\u043E\u043F\u0438\u044F', // ru резервная копия
+  'sao\\s*l\u01B0u', // vi sao lưu
+  'cadang(?:an)?', // id cadangan/mencadangkan
+  '\u0646\u0633\u062E(?:\u0629)?\\s*\u0627\u062D\u062A\u064A\u0627\u0637\u064A(?:\u0629)?', // ar نسخة احتياطية
+  '\u092C\u0948\u0915\u0905\u092A', // hi बैकअप
+  'yede(?:k|kle)', // tr yedek/yedekle
+  'copia\\s*di\\s*sicurezza', // it
+  'backup', // it (loanword, same token)
+].join('|')
+
 const GIT_EXFIL_PATTERNS: ReadonlyArray<RegExp> = [
   new RegExp(`(?:${GIT_EXFIL_VERBS})`, 'i'),
   // Urgency shorthand ("do it" / "go ahead" / "now") right after a git command,
@@ -440,8 +471,8 @@ const GIT_EXFIL_PATTERNS: ReadonlyArray<RegExp> = [
   // request - if the same message also names a credential or `.env`, the
   // SECRET_DEMAND_PATTERNS already fires; this catches the standalone
   // "push to my backup repo" framing that doesn't mention secrets.
-  /(?:backup|back[-\s]?up|\u{BC31}\u{C5C5})[\s\S]{0,80}(?:git\s+push|github\.com|gitlab\.com|bitbucket\.org)/iu,
-  /(?:git\s+push|github\.com|gitlab\.com|bitbucket\.org)[\s\S]{0,80}(?:backup|back[-\s]?up|\u{BC31}\u{C5C5})/iu,
+  new RegExp(`(?:${BACKUP_NOUNS})[\\s\\S]{0,80}(?:git\\s+push|github\\.com|gitlab\\.com|bitbucket\\.org)`, 'iu'),
+  new RegExp(`(?:git\\s+push|github\\.com|gitlab\\.com|bitbucket\\.org)[\\s\\S]{0,80}(?:${BACKUP_NOUNS})`, 'iu'),
 ]
 
 export type InjectionMatch = {

package/src/channels/adapters/github/inbound.ts

@@ -396,17 +396,24 @@ export function classifyGithubInbound(
     const root = parentId ?? id
     const parent =
       parentId !== null && options?.reviewCommentParent?.parentId === parentId ? options.reviewCommentParent : null
+    const commenter = readUser(comment.user)
+    const directedAtBot =
+      parentId === null &&
+      isSelfPr(readUser(pr.user), selfLogin, options?.authType ?? 'pat') &&
+      commenter !== null &&
+      !isSelfAuthor(commenter, null, selfLogin)
     return buildInbound(
       { ...base, chat: `pr:${number}`, thread: String(root) },
       comment.body,
       id,
-      readUser(comment.user),
+      commenter,
       mention,
       comment.created_at,
       { kind: 'pr-review-comment', owner: repository.owner, repo: repository.name, commentId: id },
       false,
       {
         suppressSticky: true,
+        ...(directedAtBot ? { forceBotMention: true } : {}),
         replyToBotMessageId: parent?.isSelf === true ? String(parent.parentId) : null,
         replyToOtherMessageId: parent?.isSelf === false ? String(parent.parentId) : null,
       },
@@ -533,6 +540,11 @@ export function classifyGithubInbound(
       : reviewer !== null
         ? synthesizeReviewStateText(reviewer.login, number, readString(pr, 'title'), readString(review, 'state'))
         : ''
+    const directedAtBot =
+      isSelfPr(readUser(pr.user), selfLogin, options?.authType ?? 'pat') &&
+      reviewer !== null &&
+      !isSelfAuthor(reviewer, null, selfLogin) &&
+      isActionableReviewState(readString(review, 'state'))
     return buildInbound(
       { ...base, chat: `pr:${number}`, thread: null },
       text,
@@ -542,7 +554,7 @@ export function classifyGithubInbound(
       review.submitted_at,
       null,
       !hasBody,
-      { suppressSticky: true },
+      { suppressSticky: true, ...(directedAtBot ? { forceBotMention: true } : {}) },
     )
   }
 
@@ -591,6 +603,12 @@ type BuildInboundOptions = {
   suppressSticky?: boolean
   replyToBotMessageId?: string | null
   replyToOtherMessageId?: string | null
+  // Forces isBotMention=true with no @-handle in the body. A review (or
+  // top-level review comment) on a PR the agent ITSELF authored is directed at
+  // the bot — the inverse of review_requested — so it engages even though the
+  // reviewer never types `@bot`. Paired with suppressSticky so reviews on OTHER
+  // people's PRs still observe-only (preserving the PR #672 fix).
+  forceBotMention?: boolean
 }
 
 // A GitHub App can never be a `requested_reviewer` — that field only holds
@@ -799,7 +817,7 @@ function buildInbound(
   // Synthesized awareness lines carry an `@author` prefix describing who acted;
   // that handle is the author, never a third-party mention of the bot, so the
   // body-text mention heuristic must not fire on it.
-  const isBotMention = !synthesizedAwareness && textMentionsBot(text, mention)
+  const isBotMention = options?.forceBotMention === true || (!synthesizedAwareness && textMentionsBot(text, mention))
   const replyToBotMessageId = options?.replyToBotMessageId ?? null
   const replyToOtherMessageId = options?.replyToOtherMessageId ?? key.replyToOtherMessageId
   return {
@@ -854,6 +872,15 @@ function synthesizeReviewStateText(
   return `@${reviewer} ${verb} PR #${number}${label}.`
 }
 
+// A review on the agent's own PR engages it only when there is something to act
+// on. APPROVED clears the PR and needs no reply, so engaging would just produce
+// "thanks" churn; it stays awareness-only. COMMENTED and CHANGES_REQUESTED (and
+// any non-approval state) carry feedback the agent should address. State case
+// varies by payload source (webhook vs REST), so normalize before matching.
+function isActionableReviewState(state: string | null): boolean {
+  return state?.toLowerCase() !== 'approved'
+}
+
 async function resolveTeamMembership(
   event: string,
   payload: Record<string, unknown>,
@@ -981,6 +1008,17 @@ function isSelfAuthor(author: GithubUser, selfId: string | null, selfLogin: stri
   return false
 }
 
+// Whether the PR's OPENER is this agent. Distinct from isSelfAuthor (which
+// guards self-loops on the event ACTOR by id/login): here we have only the
+// `pull_request.user` from a review payload, no id to compare, and under App
+// auth the bot opens PRs as the decoy account (login = slug, e.g. `typeey`),
+// not the actor login `typeey[bot]`. So this matches selfLogin AND the decoy
+// slug — mirroring resolveBotMentionLogins.
+function isSelfPr(prUser: GithubUser | null, selfLogin: string | null, authType: 'pat' | 'app'): boolean {
+  if (prUser === null || selfLogin === null) return false
+  return resolveBotMentionLogins(selfLogin, authType).includes(prUser.login)
+}
+
 type GithubUser = { login: string; id: number; type?: string }
 
 function readUser(value: unknown): GithubUser | null {

package/src/channels/adapters/slack-bot.ts

@@ -359,18 +359,26 @@ export function createTypingCallback(deps: {
     // threads keep using `thread`. Either way the status is keyed on one ts.
     const statusThread =
       target.typingThread !== undefined && target.typingThread !== '' ? target.typingThread : target.thread
-    const tag = formatChannelTag
-      ? await formatChannelTag(target.workspace, statusThread ?? target.chat)
-      : `channel=${statusThread ?? target.chat}`
     if (statusThread === undefined || statusThread === null || statusThread === '') {
-      if (target.phase === 'tick') logger.info(`[slack-bot] typing (no-op, top-level chat) ${tag}`)
-      return
-    }
-    if (target.phase === 'stop') {
-      await typingTracker.clearAfterSend(target.chat, statusThread)
+      if (target.phase === 'tick') {
+        const tag = formatChannelTag
+          ? await formatChannelTag(target.workspace, statusThread ?? target.chat)
+          : `channel=${statusThread ?? target.chat}`
+        logger.info(`[slack-bot] typing (no-op, top-level chat) ${tag}`)
+      }
       return
     }
-    await typingTracker.setStatus(target.chat, statusThread, 'is typing...')
+    // Append to the per-(chat,thread) FIFO BEFORE awaiting anything: the FIFO
+    // only orders calls once setStatus/clearAfterSend is reached, so awaiting
+    // `formatChannelTag` first opens an unordered gap where a fire-and-forget
+    // re-arm 'tick' (router send() after a reply) can enqueue "is typing..."
+    // AFTER the turn-end 'stop' clear. Flat DMs have no threaded-reply
+    // auto-clear, so that strands the indicator until Slack's ~2-min timeout.
+    const enqueued =
+      target.phase === 'stop'
+        ? typingTracker.clearAfterSend(target.chat, statusThread)
+        : typingTracker.setStatus(target.chat, statusThread, 'is typing...')
+    await enqueued
   }
 }