typeclaw 0.36.1 → 0.36.2

package/src/channels/router.ts

@@ -138,6 +138,20 @@ export const SESSION_GC_INTERVAL_MS = 60 * 1000
 // recovery paths (`source: 'system'`) bypass.
 export const MAX_CHANNEL_SENDS_PER_TURN = 10
 export const ENGAGE_REACTION_EMOJI = 'eyes'
+// Best-effort "zipping it / going quiet" ack dropped on the triggering message
+// when the model disengages (channel_disengage); fire-and-forget like engage :eyes:.
+export const DISENGAGE_REACTION_EMOJI = 'zipper_mouth_face'
+// Per-adapter fallback for platforms that cannot render the default. GitHub's
+// Reactions API is a fixed 8-emoji set with no zipper-mouth; 'confused' is the
+// closest "stepping back" signal it can post, so a GitHub disengage still acks
+// instead of silently no-op'ing on the unsupported result.
+const DISENGAGE_REACTION_EMOJI_OVERRIDES: Partial<Record<AdapterId, string>> = {
+  github: 'confused',
+}
+
+export function disengageReactionEmojiFor(adapter: AdapterId): string {
+  return DISENGAGE_REACTION_EMOJI_OVERRIDES[adapter] ?? DISENGAGE_REACTION_EMOJI
+}
 
 // Wake nudge pushed into a resumed channel session at boot so drain() has a
 // non-empty batch and fires a turn. The substantive instruction the model acts
@@ -691,6 +705,12 @@ type LiveSession = {
 type ChannelCommandContext = {
   live: LiveSession | null
   event: InboundMessage | null
+  // The user who actually invoked the command, supplied by BOTH dispatch
+  // paths (text: event.authorId; native slash: options.invokerId, where
+  // event is null). /restart stamps the resume handoff's triggeringAuthorId
+  // from this so a restart resumes under the INVOKER's author-scoped role,
+  // not whichever speaker happened to own the live turn.
+  invokerId: string | null
 }
 
 export type ExecuteCommandResult =
@@ -999,6 +1019,7 @@ export type RestartCommandContext = {
   originatingSessionId: string
   originatingSessionFile?: string
   handoffOrigin: { kind: 'channel'; key: ChannelKey }
+  triggeringAuthorId?: string
 }
 
 export type ClaimHandlerInput = {
@@ -1125,18 +1146,8 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       // Resolve the live session when one exists so the restart can write a
       // resume handoff for this conversation; still bounces from a cold channel.
       wantsLiveSession: true,
-      handler: async ({ live }) => ({
-        reply: await onRestart(
-          live !== null
-            ? {
-                originatingSessionId: live.sessionId,
-                ...(live.getTranscriptPath?.() !== undefined
-                  ? { originatingSessionFile: live.getTranscriptPath!()! }
-                  : {}),
-                handoffOrigin: { kind: 'channel', key: live.key },
-              }
-            : undefined,
-        ),
+      handler: async ({ live, invokerId }) => ({
+        reply: await onRestart(live !== null ? buildRestartCommandContext(live, invokerId) : undefined),
       }),
     })
   }
@@ -1933,6 +1944,19 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     }
   }
 
+  const buildRestartCommandContext = (live: LiveSession, invokerId: string | null): RestartCommandContext => {
+    // Prefer the command invoker: a restart resumes under the author who ran
+    // /restart, not whichever speaker last owned the live turn. Fall back to
+    // live turn state only when the dispatch path supplied no invoker.
+    const triggeringAuthorId = invokerId ?? live.currentTurnAuthorId ?? live.lastTurnAuthorId ?? undefined
+    return {
+      originatingSessionId: live.sessionId,
+      ...(live.getTranscriptPath?.() !== undefined ? { originatingSessionFile: live.getTranscriptPath!()! } : {}),
+      handoffOrigin: { kind: 'channel', key: live.key },
+      ...(triggeringAuthorId !== undefined ? { triggeringAuthorId } : {}),
+    }
+  }
+
   const buildLiveOrigin = (live: LiveSession): SessionOrigin => {
     const membership = readMembership(live.key)
     const self = resolveSelfIdentity(live.key)
@@ -2234,7 +2258,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
   // Gating (channel.respond / session.control) and live-session resolution stay
   // at the call sites — this helper only runs the handler and delivers the reply.
   const runChannelCommand = async (event: InboundMessage, live: LiveSession | null): Promise<CommandResult> => {
-    const result = await commands.execute(event.text, { live, event })
+    const result = await commands.execute(event.text, { live, event, invokerId: event.authorId })
     if (result.kind === 'handled' && result.reply !== undefined) {
       await send(
         {
@@ -3686,7 +3710,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
 
         let live: LiveSession
         try {
-          live = await ensureLive(key, undefined, undefined, {
+          live = await ensureLive(key, undefined, handoff.triggeringAuthorId, {
             sessionId: handoff.originatingSessionId,
             sessionFile: handoff.originatingSessionFile,
           })
@@ -3785,7 +3809,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       const resolved = resolveLiveSessionForCommand(liveSessions, key)
       live = resolved.kind === 'found' ? resolved.session : null
     }
-    const result = await commands.execute(`/${lowered}`, { live, event: null })
+    const result = await commands.execute(`/${lowered}`, { live, event: null, invokerId: options.invokerId })
     if (result.kind === 'handled') {
       return result.reply !== undefined
         ? { kind: 'handled', name: result.name, reply: result.reply }
@@ -3911,11 +3935,38 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     // not re-grant the credit just cleared (see `disengagedTurn`). No-op when
     // the key has no live session — the ledger clear above still stands.
     const live = liveSessions.get(keyId)
-    if (live && !live.destroyed) live.disengagedTurn = live.turnSeq
+    if (live && !live.destroyed) {
+      live.disengagedTurn = live.turnSeq
+      reactOnDisengage(live)
+    }
     logger.info(`[channels] ${keyId} sticky cleared count=${cleared}`)
     return { keyId, cleared }
   }
 
+  const reactOnDisengage = (live: LiveSession): void => {
+    if (live.currentTurnReactionRef === null) return
+    void react({
+      adapter: live.key.adapter,
+      workspace: live.key.workspace,
+      chat: live.key.chat,
+      thread: live.key.thread,
+      reactionRef: live.currentTurnReactionRef,
+      emoji: disengageReactionEmojiFor(live.key.adapter),
+    })
+      .then((result) => {
+        if (!result.ok && result.code !== 'unsupported') {
+          logger.info(
+            `[channels] disengage-react failed adapter=${live.key.adapter} chat=${live.key.chat}: ${result.error}`,
+          )
+        }
+      })
+      .catch((err) => {
+        logger.info(
+          `[channels] disengage-react threw adapter=${live.key.adapter} chat=${live.key.chat}: ${describe(err)}`,
+        )
+      })
+  }
+
   return {
     route,
     send,

package/src/cli/hostd.ts

@@ -7,6 +7,7 @@ import { createKakaoRenewalManager } from '@/hostd/kakao-renewal-manager'
 import { createPortbrokerManager } from '@/hostd/portbroker-manager'
 import type { SupervisorLogEvent, SupervisorRestart } from '@/hostd/supervisor'
 import { computeSourceVersion, resolveSrcRoot, UNVERSIONED_SENTINEL } from '@/hostd/version'
+import { validateRestartDeps, type RestartDepsPreflightResult } from '@/init/restart-deps-preflight'
 
 export const hostdCommand = defineCommand({
   meta: {
@@ -43,7 +44,7 @@ export const hostdCommand = defineCommand({
       onShutdown: () => process.exit(0),
       portbroker,
       kakaoRenewal,
-      restartPreflight: buildHostdRestartPreflight(cliEntry, version),
+      restartPreflight: buildHostdRestartPreflight(cliEntry, version, defaultPreflightDeps),
       restart: hostdRestart,
     })
 
@@ -104,10 +105,42 @@ export function buildHostdRestart(
   }
 }
 
-export function buildHostdRestartPreflight(cliEntry: string, daemonVersion: string): RestartPreflight {
-  return async () => {
+export type HostdPreflightDeps = {
+  loadConfigSync: (cwd: string) => Config
+  validateRestartDeps: (opts: { cwd: string; plugins: readonly string[] }) => Promise<RestartDepsPreflightResult>
+}
+
+const defaultPreflightDeps: HostdPreflightDeps = {
+  loadConfigSync,
+  validateRestartDeps,
+}
+
+export function buildHostdRestartPreflight(
+  cliEntry: string,
+  daemonVersion: string,
+  deps: HostdPreflightDeps = defaultPreflightDeps,
+): RestartPreflight {
+  return async ({ containerName, cwd }) => {
     const drift = await detectSourceDrift(cliEntry, daemonVersion)
-    return drift ? { ok: false, reason: drift } : null
+    if (drift) return { ok: false, reason: drift }
+
+    // Read plugins through loadConfigSync, not validateConfig: a config that
+    // fails schema validation is caught later in buildHostdRestart (before
+    // stop). On read/parse failure we let the restart proceed — start() is the
+    // fail-closed gate, and a preflight that can't read config must not strand a
+    // healthy agent.
+    let plugins: readonly string[]
+    try {
+      plugins = deps.loadConfigSync(cwd).plugins
+    } catch {
+      return null
+    }
+
+    const depsCheck = await deps.validateRestartDeps({ cwd, plugins })
+    if (!depsCheck.ok) {
+      return { ok: false, reason: `restart refused for ${containerName}: ${depsCheck.reason}` }
+    }
+    return null
   }
 }
 

package/src/cli/ui.ts

@@ -152,6 +152,7 @@ export type StartLikeResult = {
   containerId: string
   hostd: { state: 'registered' } | { state: 'unavailable'; reason: string } | { state: 'disabled' }
   autoUpgrade?: AutoUpgradeOutcome
+  skippedPlugins?: string[]
 }
 
 export function renderStartSuccess(result: StartLikeResult): string {
@@ -167,6 +168,11 @@ export function renderStartSuccess(result: StartLikeResult): string {
     }
   }
 
+  if (result.skippedPlugins && result.skippedPlugins.length > 0) {
+    const list = result.skippedPlugins.join(', ')
+    lines.push(`${c.yellow('Skipped plugins not found in the registry:')} ${list}`)
+  }
+
   if (result.alreadyRunning) {
     lines.push(`${c.green('●')} ${name} is already running on host port ${port}.`)
   } else {

package/src/container/start.ts

@@ -140,6 +140,10 @@ export type StartResult =
       // path — that one rebuilds the container from scratch.
       alreadyRunning: boolean
       autoUpgrade: AutoUpgradeOutcome
+      // npm plugins dropped this start because their package 404s in the
+      // registry. Non-fatal by design: a typo'd or unpublished plugin warns
+      // instead of blocking the launch.
+      skippedPlugins: string[]
     }
   | { ok: false; reason: string }
 
@@ -438,6 +442,7 @@ export async function start({
       hostd: stripHostDaemonControl(hostd),
       alreadyRunning: false,
       autoUpgrade: upgrade,
+      skippedPlugins: pluginReconcile.skipped,
     }
   } catch (error) {
     return { ok: false, reason: error instanceof Error ? error.message : String(error) }
@@ -758,6 +763,7 @@ async function reportAlreadyRunning(exec: DockerExec, cwd: string, containerName
     hostd: { state: 'disabled' },
     alreadyRunning: true,
     autoUpgrade: { kind: 'skipped-already-running' },
+    skippedPlugins: [],
   }
 }
 

package/src/init/reconcile-plugin-deps.ts

@@ -6,12 +6,23 @@ import { splitPluginEntrySpec } from '@/plugin'
 
 const PACKAGE_FILE = 'package.json'
 
+const NOOP: ReconcilePluginDepsResult = { changed: false, files: [], skipped: [] }
+
 export type ReconcilePluginDepsResult = {
   changed: boolean
   files: string[]
+  // Plugins skipped because their package could not be found in the registry
+  // (npm 404 / E404). A missing plugin must not block `start`: the entry is
+  // dropped from this reconcile pass and surfaced here so the caller can warn.
+  skipped: string[]
 }
 
-export type ResolveLatestVersion = (packageName: string) => Promise<string>
+// Resolves a bare plugin name to its latest published version. Returns null
+// when the package genuinely does not exist in the registry (404 / E404) so
+// the caller can skip it without blocking start. Throws on every other failure
+// (network outage, missing bun runtime, empty registry response) — those are
+// transient or environmental, not "plugin not found", and must still block.
+export type ResolveLatestVersion = (packageName: string) => Promise<string | null>
 
 export type ReconcilePluginDepsOptions = {
   cwd: string
@@ -31,27 +42,27 @@ export async function reconcilePluginDeps(options: ReconcilePluginDepsOptions):
   const resolveLatest = options.resolveLatest ?? resolveLatestFromRegistry
 
   const pkgPath = join(cwd, PACKAGE_FILE)
-  if (!existsSync(pkgPath)) return { changed: false, files: [] }
+  if (!existsSync(pkgPath)) return NOOP
 
   let raw: string
   try {
     raw = await readFile(pkgPath, 'utf8')
   } catch {
-    return { changed: false, files: [] }
+    return NOOP
   }
 
   let pkg: PackageJsonShape
   try {
     const parsed = JSON.parse(raw) as unknown
-    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return { changed: false, files: [] }
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return NOOP
     pkg = parsed as PackageJsonShape
   } catch {
-    return { changed: false, files: [] }
+    return NOOP
   }
 
   const dependencies = { ...pkg.dependencies }
   const previousManaged = readManagedPlugins(pkg)
-  const desired = await resolveDesiredManaged(plugins, previousManaged, resolveLatest)
+  const { desired, skipped } = await resolveDesiredManaged(plugins, previousManaged, resolveLatest)
 
   let changed = false
 
@@ -73,11 +84,11 @@ export async function reconcilePluginDeps(options: ReconcilePluginDepsOptions):
 
   if (!managedEqual(previousManaged, desired)) changed = true
 
-  if (!changed) return { changed: false, files: [] }
+  if (!changed) return { changed: false, files: [], skipped }
 
   const next = withManagedPlugins({ ...pkg, dependencies: sortKeys(dependencies) }, desired)
   await writeFile(pkgPath, `${JSON.stringify(next, null, 2)}\n`)
-  return { changed: true, files: [PACKAGE_FILE] }
+  return { changed: true, files: [PACKAGE_FILE], skipped }
 }
 
 type PackageJsonShape = {
@@ -97,19 +108,30 @@ async function resolveDesiredManaged(
   plugins: readonly string[],
   previousManaged: Record<string, string>,
   resolveLatest: ResolveLatestVersion,
-): Promise<Record<string, string>> {
+): Promise<{ desired: Record<string, string>; skipped: string[] }> {
   const desired: Record<string, string> = {}
+  const skipped: string[] = []
   for (const entry of plugins) {
     if (isLocalEntry(entry)) continue
     const { name, versionSpec } = splitPluginEntrySpec(entry)
     if (name.length === 0) continue
     if (versionSpec !== undefined) {
       desired[name] = versionSpec
-    } else {
-      desired[name] = previousManaged[name] ?? (await resolveLatest(name))
+      continue
+    }
+    const pinned = previousManaged[name]
+    if (pinned !== undefined) {
+      desired[name] = pinned
+      continue
+    }
+    const resolved = await resolveLatest(name)
+    if (resolved === null) {
+      skipped.push(name)
+      continue
     }
+    desired[name] = resolved
   }
-  return sortKeys(desired)
+  return { desired: sortKeys(desired), skipped }
 }
 
 function isLocalEntry(entry: string): boolean {
@@ -154,7 +176,7 @@ function sortKeys(obj: Record<string, string>): Record<string, string> {
   return out
 }
 
-async function resolveLatestFromRegistry(packageName: string): Promise<string> {
+async function resolveLatestFromRegistry(packageName: string): Promise<string | null> {
   const bun = (globalThis as { Bun?: { spawn: typeof Bun.spawn } }).Bun
   if (!bun) throw new Error(`cannot resolve latest version for ${packageName}: bun runtime not available`)
   const proc = bun.spawn({
@@ -164,10 +186,18 @@ async function resolveLatestFromRegistry(packageName: string): Promise<string> {
   })
   const code = await proc.exited
   if (code !== 0) {
-    const stderr = await new Response(proc.stderr).text()
-    throw new Error(`failed to resolve latest version for ${packageName}: ${stderr.trim() || `exit ${code}`}`)
+    const stderr = (await new Response(proc.stderr).text()).trim()
+    if (isPackageNotFound(stderr)) return null
+    throw new Error(`failed to resolve latest version for ${packageName}: ${stderr || `exit ${code}`}`)
   }
   const version = (await new Response(proc.stdout).text()).trim().replace(/^["']|["']$/g, '')
   if (version.length === 0) throw new Error(`registry returned no version for ${packageName}`)
   return version
 }
+
+// A registry 404 means the package does not exist — a user typo or an
+// unpublished plugin — which `start` must tolerate, not abort on. Network and
+// auth failures are deliberately NOT matched here so they keep throwing.
+export function isPackageNotFound(stderr: string): boolean {
+  return /\bE404\b/.test(stderr) || /\b404\b/.test(stderr) || /not found/i.test(stderr)
+}

package/src/init/restart-deps-preflight.ts

@@ -0,0 +1,155 @@
+import { existsSync } from 'node:fs'
+import { readFile, readdir } from 'node:fs/promises'
+import { isAbsolute, join, relative, resolve } from 'node:path'
+
+import { PACKAGE_FILE } from './packagejson'
+import { PACKAGES_DIR } from './paths'
+
+// The hostd restart path is destroy-then-recreate: it `docker rm -f`s the live
+// container BEFORE `start()` runs `bun install`. A bad agent edit to
+// typeclaw.json#plugins or a packages/* manifest aborts that install AFTER the
+// old container is gone, with no rollback and no client to report to — the agent
+// self-locks out. This runs BEFORE stop() (via RestartPreflight) so a bad edit
+// becomes "restart refused, agent keeps running" instead of "agent bricked".
+//
+// Mirrors PR #770: ONLY deterministic local config errors block. No bun
+// invocation, no network — a transient registry hiccup must never strand a
+// healthy agent. start() stays the real fail-closed gate for everything else.
+
+export type RestartDepsPreflightResult = { ok: true } | { ok: false; reason: string }
+
+export type RestartDepsPreflightOptions = {
+  cwd: string
+  plugins: readonly string[]
+}
+
+const WORKSPACE_PROTOCOL = 'workspace:'
+
+const DEPENDENCY_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'] as const
+
+export async function validateRestartDeps(options: RestartDepsPreflightOptions): Promise<RestartDepsPreflightResult> {
+  const { cwd, plugins } = options
+
+  const localPluginError = checkLocalPluginPaths(cwd, plugins)
+  if (localPluginError) return { ok: false, reason: localPluginError }
+
+  const workspaceError = await checkWorkspaceMembers(cwd)
+  if (workspaceError) return { ok: false, reason: workspaceError }
+
+  return { ok: true }
+}
+
+// Mirrors loadLocal() in src/plugin/loader.ts: a local plugin entry is resolved
+// against cwd and confined to it (`rel.startsWith('..') || isAbsolute(rel)`
+// throws). An escaping entry (`../x`, `/abs/x`) that happens to EXIST passes a
+// bare existsSync but the loader rejects it post-stop — so the escape check must
+// run before, and independently of, the existence check.
+function checkLocalPluginPaths(cwd: string, plugins: readonly string[]): string | null {
+  for (const entry of plugins) {
+    if (!isLocalEntry(entry)) continue
+    const resolved = resolve(cwd, entry)
+    const rel = relative(cwd, resolved)
+    if (rel.startsWith('..') || isAbsolute(rel)) {
+      return `local plugin "${entry}" referenced in typeclaw.json#plugins escapes the agent directory; the plugin loader confines local plugins to the agent folder and would reject it after the container has stopped. Use a path inside the agent folder before restarting.`
+    }
+    if (!existsSync(resolved)) {
+      return `local plugin "${entry}" referenced in typeclaw.json#plugins does not exist on disk; restart would fail at dependency install. Remove the entry or restore the path before restarting.`
+    }
+  }
+  return null
+}
+
+function isLocalEntry(entry: string): boolean {
+  return entry.startsWith('./') || entry.startsWith('../') || isAbsolute(entry)
+}
+
+// Bun resolves the `workspace:` protocol strictly against the local workspace
+// set, so a member declaring `"<dep>": "workspace:*"` where `<dep>` is not
+// itself a workspace member aborts the WHOLE install with `<dep>@workspace:*
+// failed to resolve`. Canonical trigger: a half-migrated local plugin still
+// pinning `"typeclaw": "workspace:*"` after typeclaw became an external npm dep.
+async function checkWorkspaceMembers(cwd: string): Promise<string | null> {
+  const members = await readWorkspaceMembers(cwd)
+  if (members.length === 0) return null
+
+  const memberNames = new Set<string>()
+  for (const m of members) {
+    if (m.name !== null) memberNames.add(m.name)
+  }
+
+  for (const member of members) {
+    for (const field of DEPENDENCY_FIELDS) {
+      const deps = member.deps[field]
+      if (!deps) continue
+      for (const [depName, spec] of Object.entries(deps)) {
+        if (!spec.startsWith(WORKSPACE_PROTOCOL)) continue
+        if (!memberNames.has(depName)) {
+          return `local workspace package "${member.dirName}" depends on "${depName}": "${spec}", but "${depName}" is not a workspace package under ${PACKAGES_DIR}/. \`bun install\` would abort with "${depName}@${spec} failed to resolve", leaving the agent unable to restart. Fix ${PACKAGES_DIR}/${member.dirName}/${PACKAGE_FILE} (use a registry version range, or remove the package) before restarting.`
+        }
+      }
+    }
+  }
+
+  return null
+}
+
+type WorkspaceMember = {
+  dirName: string
+  name: string | null
+  deps: Partial<Record<(typeof DEPENDENCY_FIELDS)[number], Record<string, string>>>
+}
+
+// A member whose manifest is missing/unparseable is skipped, not failed: bun may
+// tolerate it, and we only block on the workspace-resolution class above. No
+// packages/ dir at all returns [].
+async function readWorkspaceMembers(cwd: string): Promise<WorkspaceMember[]> {
+  const packagesDir = join(cwd, PACKAGES_DIR)
+  let entries: string[]
+  try {
+    entries = await readdir(packagesDir)
+  } catch {
+    return []
+  }
+
+  const members: WorkspaceMember[] = []
+  for (const dirName of entries) {
+    const manifestPath = join(packagesDir, dirName, PACKAGE_FILE)
+    if (!existsSync(manifestPath)) continue
+    let raw: string
+    try {
+      raw = await readFile(manifestPath, 'utf8')
+    } catch {
+      continue
+    }
+    let parsed: unknown
+    try {
+      parsed = JSON.parse(raw)
+    } catch {
+      continue
+    }
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) continue
+    const pkg = parsed as Record<string, unknown>
+    members.push({
+      dirName,
+      name: typeof pkg.name === 'string' ? pkg.name : null,
+      deps: extractDeps(pkg),
+    })
+  }
+  return members
+}
+
+function extractDeps(
+  pkg: Record<string, unknown>,
+): Partial<Record<(typeof DEPENDENCY_FIELDS)[number], Record<string, string>>> {
+  const out: Partial<Record<(typeof DEPENDENCY_FIELDS)[number], Record<string, string>>> = {}
+  for (const field of DEPENDENCY_FIELDS) {
+    const value = pkg[field]
+    if (value === null || typeof value !== 'object' || Array.isArray(value)) continue
+    const deps: Record<string, string> = {}
+    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
+      if (typeof v === 'string') deps[k] = v
+    }
+    if (Object.keys(deps).length > 0) out[field] = deps
+  }
+  return out
+}

package/src/permissions/permissions.ts

@@ -20,6 +20,17 @@ export type PermissionService = {
   // the config reloadable so role match-rule edits (typeclaw role claim,
   // hand-edits to typeclaw.json) take effect without a container restart.
   replaceRoles(roles: RolesConfig | undefined): void
+  // Rebuilds the role table with a new plugin-permission set, preserving the
+  // object identity that plugin factories captured. The plugin manager calls
+  // this AFTER the load loop to finalize the permission model from only the
+  // plugins that survived: a user plugin that failed to load must not leave
+  // its declared permissions or owner-wildcard exclusions in the live service.
+  // Optional so the many partial test stubs and the channel-respond stub need
+  // not implement it; the real service from createPermissionService always does.
+  replacePluginPermissions?(opts: {
+    pluginPermissions: readonly string[]
+    ownerWildcardExclusions: readonly string[]
+  }): void
 }
 
 export type UnknownPermissionWarning = {
@@ -34,6 +45,7 @@ export const noopPermissionService: PermissionService = {
   compareRoleSeverity: () => undefined,
   describe: () => ({ role: 'guest', permissions: [] }),
   replaceRoles: () => {},
+  replacePluginPermissions: () => {},
 }
 
 type ResolvedRole = {
@@ -109,9 +121,10 @@ function levenshtein(a: string, b: string): number {
 }
 
 export function createPermissionService(opts: CreatePermissionServiceOptions = {}): PermissionService {
-  const pluginPermissions = opts.pluginPermissions ?? []
-  const ownerWildcardExclusions = opts.ownerWildcardExclusions ?? []
-  let resolved = buildRoleTable(opts.roles ?? {}, pluginPermissions, ownerWildcardExclusions)
+  let pluginPermissions = opts.pluginPermissions ?? []
+  let ownerWildcardExclusions = opts.ownerWildcardExclusions ?? []
+  let lastRoles = opts.roles ?? {}
+  let resolved = buildRoleTable(lastRoles, pluginPermissions, ownerWildcardExclusions)
   let byName = new Map(resolved.map((r) => [r.name, r]))
 
   function resolveRole(origin: SessionOrigin | undefined): string {
@@ -186,7 +199,14 @@ export function createPermissionService(opts: CreatePermissionServiceOptions = {
       return { role: name, permissions: role?.permissions ?? [] }
     },
     replaceRoles(roles) {
-      resolved = buildRoleTable(roles ?? {}, pluginPermissions, ownerWildcardExclusions)
+      lastRoles = roles ?? {}
+      resolved = buildRoleTable(lastRoles, pluginPermissions, ownerWildcardExclusions)
+      byName = new Map(resolved.map((r) => [r.name, r]))
+    },
+    replacePluginPermissions(next) {
+      pluginPermissions = next.pluginPermissions
+      ownerWildcardExclusions = next.ownerWildcardExclusions
+      resolved = buildRoleTable(lastRoles, pluginPermissions, ownerWildcardExclusions)
       byName = new Map(resolved.map((r) => [r.name, r]))
     },
   }

package/src/plugin/loader.ts

@@ -15,9 +15,7 @@ export type LoadPluginEntryFn = (entry: string, agentDir: string) => Promise<Res
 
 // Thrown only when a plugin entry cannot be resolved at all (uninstalled
 // package, missing local file, unresolvable export subpath). The manager
-// treats this as non-fatal and skips the entry. Every other failure --
-// path-escape, import-time evaluation throws, invalid definition -- stays a
-// plain Error so it remains a hard boot error.
+// treats this as non-fatal and skips the entry.
 export class PluginNotFoundError extends Error {
   readonly entry: string
   constructor(entry: string, message: string, options?: { cause?: unknown }) {
@@ -27,6 +25,20 @@ export class PluginNotFoundError extends Error {
   }
 }
 
+// Thrown when a plugin entry violates a security boundary (e.g. a local path
+// escaping the agent directory). Stays fatal for ALL plugins — even the
+// per-plugin tolerance for user plugin bugs MUST NOT swallow this, or a
+// malicious typeclaw.json could point at arbitrary host files and have the
+// failure silently downgraded to a warning.
+export class PluginSecurityError extends Error {
+  readonly entry: string
+  constructor(entry: string, message: string) {
+    super(message)
+    this.name = 'PluginSecurityError'
+    this.entry = entry
+  }
+}
+
 export async function loadPluginEntry(entry: string, agentDir: string): Promise<ResolvedPlugin> {
   if (isLocalPath(entry)) {
     return loadLocal(entry, agentDir)
@@ -44,7 +56,7 @@ async function loadLocal(entry: string, agentDir: string): Promise<ResolvedPlugi
   // cannot point at arbitrary files on the host.
   const rel = relative(agentDir, resolved)
   if (rel.startsWith('..') || isAbsolute(rel)) {
-    throw new Error(`plugin path escapes agent directory: ${entry} (resolved to ${resolved})`)
+    throw new PluginSecurityError(entry, `plugin path escapes agent directory: ${entry} (resolved to ${resolved})`)
   }
   if (!existsSync(resolved)) {
     throw new PluginNotFoundError(entry, `plugin path does not exist: ${entry} (resolved to ${resolved})`)