typeclaw 0.36.1 → 0.36.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.36.1",
+  "version": "0.36.3",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"
@@ -48,7 +48,7 @@
     "@mariozechner/pi-tui": "^0.67.3",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@mozilla/readability": "^0.6.0",
-    "agent-messenger": "2.19.1",
+    "agent-messenger": "2.19.3",
     "cheerio": "^1.2.0",
     "citty": "^0.2.2",
     "cron-parser": "^5.5.0",

package/src/agent/index.ts

@@ -383,6 +383,7 @@ export async function createSessionWithDispose(options: CreateSessionOptions = {
                     originatingSessionId: sessionManager.getSessionId(),
                     ...(options.stream ? { stream: options.stream } : {}),
                     ...buildRestartHandoffWiring(options, sessionManager),
+                    triggeringAuthorIdProvider: () => currentChannelAuthor(getOrigin),
                   }),
                 ]
               : []),
@@ -523,6 +524,16 @@ export function buildRestartHandoffWiring(
   return { agentDir, originatingSessionFile: sessionFile, handoffOrigin }
 }
 
+// Reads the LIVE turn author at restart time, not the session-creation
+// snapshot. A channel session is long-lived and multi-principal: the
+// self-restart tool fires on whatever turn triggered it, so the handoff must
+// carry that turn's author (originRef.current), not whoever first opened the
+// session. Returns undefined for non-channel/no-author origins.
+export function currentChannelAuthor(getOrigin: () => SessionOrigin | undefined): string | undefined {
+  const origin = getOrigin()
+  return origin?.kind === 'channel' ? origin.lastInboundAuthorId : undefined
+}
+
 function restartHandoffOriginFor(origin: SessionOrigin): RestartHandoffOrigin | null {
   if (origin.kind === 'tui') return { kind: 'tui' }
   if (origin.kind === 'channel') {

package/src/agent/plugin-tools.ts

@@ -53,7 +53,7 @@ import {
   resolveSandboxSymlinks,
   resolveWritableZones,
   SandboxDegradedProcError,
-  type SandboxProcStrategy,
+  SandboxProcProbeUnverifiedError,
   subtractMasked,
 } from '@/sandbox'
 
@@ -644,15 +644,19 @@ async function applyBashSandbox(
   // bwrap does --clearenv, so the overlay must be re-introduced via env.set or
   // it would never reach the sandboxed process (the non-sandboxed spawnHook
   // path does not run when the command is rewritten to a bwrap invocation).
-  const proc = await resolveProcStrategy()
+  const { strategy: proc, degradeReason } = await resolveProcStrategy()
   // Fail fast with an actionable error when /proc degraded to tmpfs AND the
   // command needs a real /proc: under tmpfs Bun would otherwise abort deep in its
-  // pipeline with the opaque "NotDir", which the model retries forever. The
-  // SandboxDegradedProcError message tells it this is an environment limit, not
-  // the command's fault. Guarded on the command so non-bun bash still runs in the
-  // degraded mode (it does not touch /proc/self/{fd,maps}).
+  // pipeline with the opaque "NotDir", which the model retries forever. Which
+  // error depends on WHY it degraded: a 'definitive' degrade (a real leak / an
+  // incapable host) is permanent → SandboxDegradedProcError ("retrying won't
+  // help"); an 'unverified' degrade (the safety probe stayed inconclusive through
+  // its retry budget, e.g. a boot-time load spike) is transient and re-probes on
+  // the next call → SandboxProcProbeUnverifiedError ("retry the same command").
+  // Guarded on the command so non-bun bash still runs in the degraded mode (it
+  // does not touch /proc/self/{fd,maps}).
   if (proc === 'tmpfs' && commandNeedsRealProc(command)) {
-    throw new SandboxDegradedProcError()
+    throw degradeReason === 'unverified' ? new SandboxProcProbeUnverifiedError() : new SandboxDegradedProcError()
   }
   const { commandString } = buildSandboxedCommand(command, {
     mounts: [
@@ -698,26 +702,44 @@ function subtractMaskedProtected(
 // --mount-proc` in a container booted WITHOUT the cap (or vice versa). Both
 // probes are cached process-globally, so this resolves to one spawn per
 // container lifetime regardless of how many bash calls hit it.
-async function resolveProcStrategy(): Promise<SandboxProcStrategy> {
-  if (config.sandbox.realProc && (await canMountRealProc())) return 'real-proc'
+// A tmpfs degrade carries WHY it happened so the caller can pick a permanent vs
+// retryable error. 'definitive': the probe returned a real cross-userns leak
+// ('unsafe') — the ONLY verdict proven permanent, so it fails closed for good.
+// 'unverified': the safety probe never reached a definitive verdict within its
+// retry budget. That covers BOTH a transient load spike AND a durable
+// incapability (no usable namespaces, a bwrap that starts but cannot set up its
+// sandbox): the probe cannot prove a NEGATIVE capability — only a leak is
+// definitive — so a genuinely incapable host also lands here and simply keeps
+// re-degrading on each call. Since 'inconclusive' is never cached, that costs a
+// re-probe but is correct: the only false case is "capable but briefly
+// saturated", which recovers; an incapable host stays degraded either way.
+// Absent when the strategy is not tmpfs.
+type ProcStrategyResolution =
+  | { strategy: 'real-proc' | 'proc-bind'; degradeReason?: undefined }
+  | { strategy: 'tmpfs'; degradeReason: 'definitive' | 'unverified' }
+
+async function resolveProcStrategy(): Promise<ProcStrategyResolution> {
+  if (config.sandbox.realProc && (await canMountRealProc())) return { strategy: 'real-proc' }
   // Retry an 'inconclusive' proc-bind probe (transient under load) before
   // degrading — a single such hiccup must not break external-package runs on a
   // capable host. 'unsafe' still fails closed with no retry.
-  if (
-    await resolveProcBindSafetyWithRetry(
-      () => getProcBindSafetyVerdict(),
-      (ms) => Bun.sleep(ms),
-    )
+  const verdict = await resolveProcBindSafetyWithRetry(
+    () => getProcBindSafetyVerdict(),
+    (ms) => Bun.sleep(ms),
   )
-    return 'proc-bind'
+  if (verdict === 'safe') return { strategy: 'proc-bind' }
   // Degraded last resort: no working /proc strategy. External package runners
   // (bunx/bun add/bun run <pkg-bin>) will fail with Bun's opaque "NotDir" because
-  // /proc/self/{fd,maps} are absent. Warn once so an operator on such an exotic
-  // host (no usable user namespaces at all) gets a diagnostic instead of the bare
-  // Bun error. Not gated on parsing the command — that heuristic is fragile (see
-  // PR #696); this is a strategy-level notice, fail-closed and command-agnostic.
-  warnTmpfsProcFallbackOnce()
-  return 'tmpfs'
+  // /proc/self/{fd,maps} are absent. Only a proven 'unsafe' (a real cross-userns
+  // leak) is DEFINITIVE — warn once (a real operator-facing limit). An
+  // 'inconclusive' is reported as retryable upstream and NOT warned (it would cry
+  // wolf every boot storm); a durably-incapable host re-degrades quietly here,
+  // since the probe cannot distinguish it from transient load.
+  if (verdict === 'unsafe') {
+    warnTmpfsProcFallbackOnce()
+    return { strategy: 'tmpfs', degradeReason: 'definitive' }
+  }
+  return { strategy: 'tmpfs', degradeReason: 'unverified' }
 }
 
 let tmpfsProcFallbackWarned = false

package/src/agent/restart/index.ts

@@ -35,6 +35,10 @@ export type RequestContainerRestartOptions = {
   // startup). Required alongside agentDir + originatingSessionFile for the
   // handoff to be written; omitting it skips the handoff entirely.
   handoffOrigin?: RestartHandoffOrigin
+  // Author of the inbound that owned the restarting session, carried so the
+  // reopened channel session re-seeds the requester's identity on its resume
+  // turn (see RestartHandoff.triggeringAuthorId).
+  triggeringAuthorId?: string
   restartedAt?: string
 }
 
@@ -54,6 +58,7 @@ export async function requestContainerRestart({
   originatingSessionId,
   originatingSessionFile,
   handoffOrigin,
+  triggeringAuthorId,
   restartedAt,
 }: RequestContainerRestartOptions): Promise<RequestContainerRestartResult> {
   const request = { kind: 'restart' as const, containerName, build: build === true }
@@ -103,6 +108,7 @@ export async function requestContainerRestart({
         originatingSessionId,
         originatingSessionFile: basename(originatingSessionFile),
         origin: handoffOrigin,
+        ...(triggeringAuthorId !== undefined ? { triggeringAuthorId } : {}),
       })
     } catch {
       // intentional swallow — see the post-ACK rationale above

package/src/agent/restart-handoff/index.ts

@@ -35,6 +35,13 @@ export type RestartHandoff = {
   originatingSessionId: string
   originatingSessionFile: string
   origin: RestartHandoffOrigin
+  // Author of the inbound that owned the originating session at restart time.
+  // The synthetic resume turn has no inbound of its own, so without this a
+  // multi-principal channel session re-seeds its turn author from nothing and
+  // an author-scoped role (`discord:* author:U_OWNER`) silently demotes to
+  // whatever bare-channel rule matches on every "I'm back" turn. Optional and
+  // additive: pre-field v2 handoffs and tui handoffs omit it.
+  triggeringAuthorId?: string
 }
 
 // Atomic write via `.tmp` + rename so a crash mid-write never leaves the
@@ -158,6 +165,9 @@ function parseHandoff(raw: string): RestartHandoff | null {
     originatingSessionId: obj.originatingSessionId,
     originatingSessionFile: obj.originatingSessionFile,
     origin,
+    ...(typeof obj.triggeringAuthorId === 'string' && obj.triggeringAuthorId !== ''
+      ? { triggeringAuthorId: obj.triggeringAuthorId }
+      : {}),
   }
 }
 

package/src/agent/system-prompt.ts

@@ -1,5 +1,8 @@
 import { formatLocalDateTime, formatLocalWeekday, resolveLocalTimezoneName } from '@/shared'
 
+const PACKAGE_JSON_INSTALL_RULE =
+  "After editing `package.json` (adding, removing, or bumping dependencies/plugins), run the project's package manager to update the lockfile and installed dependency state — e.g. `bun install`, `npm install`, `pnpm install`, or `yarn install`, matching the existing lockfile. Commit the lockfile change alongside the `package.json` edit."
+
 // The orchestration roster (the `Briefly: ...` enumeration of public subagents)
 // is GENERATED from the registry by `renderPublicSubagentRoster` and threaded in
 // here, so a newly-registered public subagent can never be silently missing from
@@ -83,6 +86,7 @@ Your agent folder is a git repository.
 - Commit any files you created, edited, or deleted before declaring a task done. One logical change = one commit; split unrelated changes.
 - Use \`git add <paths>\` (not \`git add -A\`). Imperative commit messages ("Update SOUL.md to be less formal"); explain *why* in the body if non-obvious.
 - Never commit \`secrets.json\`, \`.env\`, or anything under \`workspace/\` — truly-ignored by design. \`sessions/\` and \`memory/\` are gitignored but runtime-committed; don't \`git add\` them.
+- ${PACKAGE_JSON_INSTALL_RULE}
 - Never \`git push\`, \`git reset --hard\`, \`git rebase\`, or rewrite remote history unless the user explicitly asks.
 
 ## How to behave
@@ -251,6 +255,8 @@ Never suppress errors to make things "work", and never fabricate results. If som
 
 Do not narrate routine, low-risk tool calls — just call the tool. Do not over-explain what you did unless asked.
 
+${PACKAGE_JSON_INSTALL_RULE}
+
 Your free-write zone is \`workspace/\`. Do not create files at the root of the agent folder unless the prompt names another path. \`public/\` is the guest-visible zone — write there anything meant to be shared with an untrusted caller (a \`guest\`-role turn cannot read \`workspace/\` but can read \`public/\`). Do not edit \`memory/topics/\` directly — the dreaming subagent owns it; to capture something memorable, surface it in your reply or let the memory-logger append to \`memory/streams/\`. Never stage or commit \`secrets.json\`, \`.env\`, \`sessions/\`, \`memory/\`, or \`workspace/\` — those are runtime- or user-managed.
 
 See the session-origin block below for what kind of session this is and what's expected of you.`

package/src/agent/tools/restart.ts

@@ -57,6 +57,12 @@ export type CreateRestartToolOptions = {
   // alongside `originatingSessionFile` for the handoff to be written; omit to
   // skip the handoff. See buildRestartHandoffWiring in src/agent/index.ts.
   handoffOrigin?: RestartHandoffOrigin
+  // Resolves the LIVE turn author at execute time (not session-creation), so a
+  // channel self-restart in a long-lived multi-principal session resumes under
+  // the author of the turn that triggered the restart — not whoever opened the
+  // session. Called inside execute(); returns undefined for tui/no-author
+  // origins. See RestartHandoff.triggeringAuthorId.
+  triggeringAuthorIdProvider?: () => string | undefined
 }
 
 export type RestartToolDetails = { ok: boolean; containerName: string; reason?: string }
@@ -75,6 +81,7 @@ export function createRestartTool({
   agentDir,
   originatingSessionFile,
   handoffOrigin,
+  triggeringAuthorIdProvider,
 }: CreateRestartToolOptions) {
   const doExit = exit ?? ((code: number) => process.exit(code))
 
@@ -103,6 +110,7 @@ export function createRestartTool({
     }),
     async execute(_toolCallId, params) {
       const build = params.build === true
+      const triggeringAuthorId = triggeringAuthorIdProvider?.()
       // requestContainerRestart owns the post-ACK broadcast->handoff ordering:
       // on a successful ACK it publishes the container-restarting notice (which
       // every live session's subscribeRestartNotice turns into a transcript
@@ -121,6 +129,7 @@ export function createRestartTool({
         ...(agentDir !== undefined ? { agentDir } : {}),
         ...(originatingSessionFile !== undefined ? { originatingSessionFile } : {}),
         ...(handoffOrigin !== undefined ? { handoffOrigin } : {}),
+        ...(triggeringAuthorId !== undefined ? { triggeringAuthorId } : {}),
       })
       if (!result.ok) {
         const details: RestartToolDetails = { ok: false, containerName, reason: result.reason }

package/src/bundled-plugins/backup/README.md

@@ -45,7 +45,15 @@ Commit message comes from the `backup-message` subagent, which sees a truncated
 
 ## What it pushes
 
-When `pushToOrigin: true` and the current branch has an upstream (`git rev-parse --abbrev-ref --symbolic-full-name @{upstream}` succeeds), the runner runs `git push`. On non-fast-forward rejection, it runs `git fetch` then `git rebase <upstream>` then `git push` again.
+When `pushToOrigin: true`, the runner picks a push plan after committing:
+
+- **Branch has an upstream** (`git rev-parse --abbrev-ref --symbolic-full-name @{upstream}` succeeds): run `git push`.
+- **No upstream, but `origin` exists and `HEAD` is a real branch**: run `git push -u origin HEAD:<branch>`, which pushes _and_ establishes tracking in one shot. This is the common case for a fresh agent folder nobody ran `git push -u` on by hand — previously the runner committed forever and never pushed here. Every later cycle then takes the plain-upstream path.
+- **No `origin`, or detached `HEAD`**: commit only (a legitimate offline / no-remote state). No push is attempted and no diagnostics are written.
+
+On non-fast-forward rejection (either push shape), the runner runs `git fetch` then `git rebase <remote-branch>` then re-pushes with the same args. Only `origin` is ever acted on for the set-upstream case — the runner never guesses a destination the operator didn't configure.
+
+**Credentials.** The runner spawns `git` directly (not via the `bash` tool), so the `github-cli-auth` plugin's `tool.before` credential injection does **not** fire for it. For **GitHub App auth** the backup plugin mints a per-repo installation token for `origin`'s github.com slug and injects it into the runner's git env via the same `GIT_ASKPASS` helper the bash path uses (token in `TYPECLAW_GIT_TOKEN`, never in argv/config; ssh remotes rewritten to https via `insteadOf`). Classic/fine-grained PATs, SSH-key, and credential-helper setups are left untouched — the runner uses its inherited process env. Non-github origins are never minted for.
 
 If any network step fails (rebase conflict, auth failure, network timeout), the runner aborts cleanly and spawns the `backup-diagnose` subagent. That subagent has `bash`, `read`, and `write` tools and writes a short human-readable report to `<agentDir>/sessions/backup-diagnostics.log`. The diagnose subagent is explicitly forbidden from force-pushing or resolving merge conflicts itself.
 
@@ -77,5 +85,6 @@ This feature came up as: "periodically check for dirty files and commit; LLM pic
 
 ## Tests
 
-- `runner.test.ts` — deterministic runner unit tests (status parsing, force-add of `sessions/`, push-only-with-upstream, rebase-on-non-fast-forward, diagnose-on-rebase-conflict, advisory-throw isolation, sanitize-commit-message).
+- `runner.test.ts` — deterministic runner unit tests (status parsing, force-add of `sessions/`, push-with-upstream, push-and-set-upstream when origin exists but tracking is absent, commit-only on no-origin / detached-HEAD, rebase-on-non-fast-forward for both push shapes, diagnose-on-rebase-conflict, advisory-throw isolation, sanitize-commit-message).
+- `git-auth.test.ts` — credential-env resolution (App-auth mints for the origin slug; PAT/SSH/non-github/unavailable-token all fall back to inherited env).
 - `index.test.ts` — plugin composition tests (subagent/hook surface, config schema defaults and validation, debounce, active-turn gating, self-induced-turn exclusion, coalescing).

package/src/bundled-plugins/backup/git-auth.ts

@@ -0,0 +1,58 @@
+import type { GithubTokenResolveResult } from '@/channels/github-token-bridge'
+
+import { ensureGitAskPassHelper } from '../github-cli-auth/git-askpass'
+import { parseGithubRepoFromGitUrl } from '../github-cli-auth/git-command'
+import { shouldMintAppToken } from '../github-cli-auth/token-class'
+
+export type BackupGitAuthEnv = Record<string, string>
+
+export type BackupPushAuthDeps = {
+  hasAppTokenResolver: () => boolean
+  ghToken: string | undefined
+  resolveTokenForRepo: (repoSlug: string) => Promise<GithubTokenResolveResult>
+  resolveOriginPushUrl: (cwd: string) => Promise<string | null>
+  ensureAskPassHelper: () => Promise<string>
+}
+
+// The backup runner spawns git directly (not via the bash tool), so the
+// `github-cli-auth` plugin's `tool.before` credential injection never fires for
+// its push. Without this, App-auth agents push with no credentials and fail.
+// We mirror that plugin exactly: only mint for App auth, only for a github.com
+// origin, scoped to the origin's own repo slug. PAT/SSH/credential-helper setups
+// return null and keep using the runner's inherited process env.
+export async function resolveBackupPushAuthEnv(
+  cwd: string,
+  deps: BackupPushAuthDeps,
+): Promise<BackupGitAuthEnv | null> {
+  if (!shouldMintAppToken(deps.ghToken, deps.hasAppTokenResolver())) return null
+
+  const originUrl = await deps.resolveOriginPushUrl(cwd)
+  if (originUrl === null) return null
+
+  const slug = parseGithubRepoFromGitUrl(originUrl)
+  if (slug === null) return null
+
+  const token = await deps.resolveTokenForRepo(slug)
+  if (token.kind !== 'token') return null
+
+  const askpass = await deps.ensureAskPassHelper()
+
+  // Token rides in TYPECLAW_GIT_TOKEN (read by the askpass helper), never in
+  // argv/config. The insteadOf rewrites map ssh/scp github remotes to https so
+  // the askpass credential applies; GIT_TERMINAL_PROMPT=0 fails fast instead of
+  // hanging on a prompt. Mirrors github-cli-auth/index.ts.
+  return {
+    GIT_ASKPASS: askpass,
+    TYPECLAW_GIT_TOKEN: token.token,
+    GIT_TERMINAL_PROMPT: '0',
+    GIT_CONFIG_COUNT: '2',
+    GIT_CONFIG_KEY_0: 'url.https://github.com/.insteadOf',
+    GIT_CONFIG_VALUE_0: 'git@github.com:',
+    GIT_CONFIG_KEY_1: 'url.https://github.com/.insteadOf',
+    GIT_CONFIG_VALUE_1: 'ssh://git@github.com/',
+  }
+}
+
+export function makeDefaultAskPassEnsurer(): () => Promise<string> {
+  return () => ensureGitAskPassHelper()
+}

package/src/bundled-plugins/backup/index.ts

@@ -3,6 +3,7 @@ import { z } from 'zod'
 import { withGitLock } from '@/git/mutex'
 import { definePlugin, type PluginContext, type SpawnSubagentOptions, type Subagent } from '@/plugin'
 
+import { type BackupPushAuthDeps, makeDefaultAskPassEnsurer, resolveBackupPushAuthEnv } from './git-auth'
 import { COMMIT_TIMEOUT_MS, makeDefaultGitSpawn, NETWORK_TIMEOUT_MS, runBackup, type BackupResult } from './runner'
 import {
   cleanupMessageFile,
@@ -163,6 +164,7 @@ async function runBackupOnce(
     agentDir: string
     logger: { info: (m: string) => void; warn: (m: string) => void }
     spawnSubagent: PluginContext['spawnSubagent']
+    github: PluginContext['github']
   },
 ): Promise<BackupResult> {
   const messagePath = messageFilePath(payload.agentDir)
@@ -175,11 +177,21 @@ async function runBackupOnce(
     spawnedByOrigin: { kind: 'tui', sessionId: 'backup-runner' },
   }
 
+  // App-auth agents need a minted per-repo token for the runner's push (it
+  // bypasses the bash tool's credential hook). Only computed when we'll push;
+  // PAT/SSH/non-github fall back to null. Passed as `pushEnv` so the runner
+  // applies it to push/fetch ONLY — never to local commands like `git commit`,
+  // which can run repo-controlled hooks that would otherwise see the token.
+  const pushEnv = payload.pushToOrigin
+    ? ((await resolveBackupAuthEnv(payload.agentDir, ctx.github, ctx.logger)) ?? undefined)
+    : undefined
+
   const result = await withGitLock(payload.agentDir, () =>
     runBackup(
       { cwd: payload.agentDir, pushToOrigin: payload.pushToOrigin },
       {
         gitSpawn: makeDefaultGitSpawn(),
+        pushEnv,
         pickCommitMessage: async ({ status, diffstat }) => {
           await cleanupMessageFile(messagePath)
           const messagePayload: CommitMessagePayload = {
@@ -221,6 +233,48 @@ async function runBackupOnce(
   return result
 }
 
+async function resolveBackupAuthEnv(
+  agentDir: string,
+  github: PluginContext['github'],
+  logger: { warn: (m: string) => void },
+): Promise<Record<string, string> | null> {
+  const deps: BackupPushAuthDeps = {
+    hasAppTokenResolver: github.hasAppTokenResolver,
+    ghToken: process.env.GH_TOKEN,
+    resolveTokenForRepo: github.resolveTokenForRepo,
+    resolveOriginPushUrl,
+    ensureAskPassHelper: makeDefaultAskPassEnsurer(),
+  }
+  try {
+    return await resolveBackupPushAuthEnv(agentDir, deps)
+  } catch {
+    // Credential prep is best-effort: a resolver failure must not abort the
+    // backup. Falls back to the runner's inherited env (commit still happens),
+    // and the push's own failure path diagnoses if it then can't authenticate.
+    // No slug/token/error detail is logged — those are credential-adjacent.
+    logger.warn('GitHub backup auth unavailable; continuing with inherited git credentials')
+    return null
+  }
+}
+
+async function resolveOriginPushUrl(cwd: string): Promise<string | null> {
+  const bun = (globalThis as { Bun?: { spawn: typeof Bun.spawn } }).Bun
+  if (!bun) return null
+  try {
+    const proc = bun.spawn({
+      cmd: ['git', '-C', cwd, 'remote', 'get-url', '--push', 'origin'],
+      stdout: 'pipe',
+      stderr: 'ignore',
+      env: { ...process.env, GIT_TERMINAL_PROMPT: '0', GIT_OPTIONAL_LOCKS: '0' },
+    })
+    if ((await proc.exited) !== 0) return null
+    const out = (await new Response(proc.stdout).text()).trim()
+    return out === '' ? null : out
+  } catch {
+    return null
+  }
+}
+
 function describeResult(r: BackupResult): string {
   if (r.ok) return r.kind
   return `failed (${r.kind}): ${r.reason}`

package/src/bundled-plugins/backup/runner.ts

@@ -21,12 +21,20 @@ export type GitSpawnResult = {
   timedOut: boolean
 }
 
-export type GitSpawn = (args: readonly string[], opts: { cwd: string; timeoutMs: number }) => Promise<GitSpawnResult>
+export type GitSpawn = (
+  args: readonly string[],
+  opts: { cwd: string; timeoutMs: number; env?: Record<string, string> },
+) => Promise<GitSpawnResult>
 
 export type BackupRunnerDeps = {
   gitSpawn: GitSpawn
   pickCommitMessage: (input: { status: string; diffstat: string }) => Promise<string>
   diagnoseFailure?: (input: BackupFailureInput) => Promise<void>
+  // Credential env (GIT_ASKPASS/TYPECLAW_GIT_TOKEN/insteadOf) applied ONLY to
+  // network git invocations (push/fetch). It is deliberately NOT given to local
+  // commands — `git commit` can run repo-controlled hooks, which must never see
+  // the minted token.
+  pushEnv?: Record<string, string>
   now?: () => number
 }
 
@@ -44,9 +52,15 @@ export type BackupFailureInput = {
 }
 
 export type BackupResult =
-  | { ok: true; kind: 'no-repo' | 'clean' | 'committed' | 'pushed' | 'rebased-and-pushed' }
+  | { ok: true; kind: 'no-repo' | 'clean' | 'committed' | 'pushed' | 'pushed-set-upstream' | 'rebased-and-pushed' }
   | { ok: false; kind: 'commit-failed' | 'push-failed' | 'rebase-failed' | 'aborted'; reason: string }
 
+type ActivePushPlan =
+  | { kind: 'upstream'; upstreamRef: string }
+  | { kind: 'set-upstream'; remote: string; branch: string }
+
+type PushPlan = ActivePushPlan | { kind: 'skip' }
+
 export async function runBackup(options: BackupRunnerOptions, deps: BackupRunnerDeps): Promise<BackupResult> {
   const { cwd, pushToOrigin } = options
 
@@ -113,24 +127,70 @@ export async function runBackup(options: BackupRunnerOptions, deps: BackupRunner
 
   if (!pushToOrigin) return { ok: true, kind: 'committed' }
 
+  const plan = await resolvePushPlan(cwd, deps)
+  if (plan.kind === 'skip') return { ok: true, kind: 'committed' }
+
+  return pushWithRecovery(cwd, deps, plan)
+}
+
+// `@{upstream}` resolution failing was previously treated as "no push" — but a
+// fresh agent repo that nobody ran `git push -u` on has a configured `origin`
+// and no tracking ref, so the runner committed forever and never pushed. The
+// correct gate when `pushToOrigin` is on is "origin exists and HEAD is a real
+// branch": then we push AND set the upstream in one shot, and every later run
+// takes the plain-upstream path. No remote / detached HEAD stays commit-only
+// (a legitimate offline state), so it returns `skip` rather than diagnosing.
+async function resolvePushPlan(cwd: string, deps: BackupRunnerDeps): Promise<PushPlan> {
   const upstream = await deps.gitSpawn(['rev-parse', '--abbrev-ref', '--symbolic-full-name', '@{upstream}'], {
     cwd,
     timeoutMs: COMMIT_TIMEOUT_MS,
   })
-  if (upstream.exitCode !== 0) return { ok: true, kind: 'committed' }
+  if (upstream.exitCode === 0 && upstream.stdout.trim().length > 0) {
+    return { kind: 'upstream', upstreamRef: upstream.stdout.trim() }
+  }
 
-  const upstreamRef = upstream.stdout.trim()
-  if (upstreamRef.length === 0) return { ok: true, kind: 'committed' }
+  // Only `origin` is acted on: picking "the first remote" when origin is absent
+  // would guess a destination the operator never configured. `get-url` (not
+  // `get-url --push`) is enough here — we only need to know origin EXISTS and
+  // is named `origin`; the push targets `origin` by name regardless of pushurl.
+  const origin = await deps.gitSpawn(['remote', 'get-url', 'origin'], { cwd, timeoutMs: COMMIT_TIMEOUT_MS })
+  if (origin.exitCode !== 0 || origin.stdout.trim().length === 0) return { kind: 'skip' }
 
-  const push = await deps.gitSpawn(['push'], { cwd, timeoutMs: NETWORK_TIMEOUT_MS })
-  if (push.exitCode === 0) return { ok: true, kind: 'pushed' }
+  // `symbolic-ref --short HEAD` fails on a detached HEAD (no branch to set an
+  // upstream for); `rev-parse --abbrev-ref HEAD` would have returned the literal
+  // "HEAD" and we'd have tried to push a branch named HEAD. Skip cleanly.
+  const branch = await deps.gitSpawn(['symbolic-ref', '--short', 'HEAD'], { cwd, timeoutMs: COMMIT_TIMEOUT_MS })
+  if (branch.exitCode !== 0 || branch.stdout.trim().length === 0) return { kind: 'skip' }
+
+  return { kind: 'set-upstream', remote: 'origin', branch: branch.stdout.trim() }
+}
+
+// Both entry points (plain push and first-time set-upstream push) share the
+// non-fast-forward recovery: fetch, rebase onto the intended remote branch,
+// re-push. Keeping one helper stops the set-upstream path from silently becoming
+// a weaker duplicate that skips recovery.
+async function pushWithRecovery(cwd: string, deps: BackupRunnerDeps, plan: ActivePushPlan): Promise<BackupResult> {
+  const pushArgs = pushArgsFor(plan)
+  const rebaseRef = plan.kind === 'upstream' ? plan.upstreamRef : `${plan.remote}/${plan.branch}`
+  // In the set-upstream case there is no tracking ref yet, so a bare `git fetch`
+  // has no configured remote to default to — fetch the same remote we rebase
+  // onto. The upstream case keeps bare `fetch` (its tracking config resolves it).
+  const fetchArgs = plan.kind === 'upstream' ? ['fetch'] : ['fetch', plan.remote]
+  const pushedKind: BackupResult = { ok: true, kind: plan.kind === 'upstream' ? 'pushed' : 'pushed-set-upstream' }
+  // Credentials ride ONLY on the network calls (push/fetch). The rebase is
+  // local (it replays onto an already-fetched remote-tracking ref), so it runs
+  // token-free like every other local command.
+  const net = { cwd, timeoutMs: NETWORK_TIMEOUT_MS, env: deps.pushEnv }
+
+  const push = await deps.gitSpawn(pushArgs, net)
+  if (push.exitCode === 0) return pushedKind
 
   if (!isNonFastForward(push)) {
     await maybeDiagnose(deps, { cwd, stage: 'push', exitCode: push.exitCode, stderr: push.stderr, stdout: push.stdout })
     return { ok: false, kind: 'push-failed', reason: shortErr(push) }
   }
 
-  const fetch = await deps.gitSpawn(['fetch'], { cwd, timeoutMs: NETWORK_TIMEOUT_MS })
+  const fetch = await deps.gitSpawn(fetchArgs, net)
   if (fetch.exitCode !== 0) {
     await maybeDiagnose(deps, {
       cwd,
@@ -142,7 +202,7 @@ export async function runBackup(options: BackupRunnerOptions, deps: BackupRunner
     return { ok: false, kind: 'push-failed', reason: `git fetch failed: ${shortErr(fetch)}` }
   }
 
-  const rebase = await deps.gitSpawn(['rebase', upstreamRef], { cwd, timeoutMs: NETWORK_TIMEOUT_MS })
+  const rebase = await deps.gitSpawn(['rebase', rebaseRef], { cwd, timeoutMs: NETWORK_TIMEOUT_MS })
   if (rebase.exitCode !== 0) {
     await deps.gitSpawn(['rebase', '--abort'], { cwd, timeoutMs: COMMIT_TIMEOUT_MS })
     await maybeDiagnose(deps, {
@@ -155,7 +215,7 @@ export async function runBackup(options: BackupRunnerOptions, deps: BackupRunner
     return { ok: false, kind: 'rebase-failed', reason: `git rebase failed: ${shortErr(rebase)}` }
   }
 
-  const push2 = await deps.gitSpawn(['push'], { cwd, timeoutMs: NETWORK_TIMEOUT_MS })
+  const push2 = await deps.gitSpawn(pushArgs, net)
   if (push2.exitCode !== 0) {
     await maybeDiagnose(deps, {
       cwd,
@@ -169,6 +229,13 @@ export async function runBackup(options: BackupRunnerOptions, deps: BackupRunner
   return { ok: true, kind: 'rebased-and-pushed' }
 }
 
+function pushArgsFor(plan: ActivePushPlan): string[] {
+  if (plan.kind === 'upstream') return ['push']
+  // `HEAD:<branch>` is explicit about pushing the current commit to the named
+  // remote branch, avoiding any reliance on local refspec defaults.
+  return ['push', '-u', plan.remote, `HEAD:${plan.branch}`]
+}
+
 async function maybeDiagnose(deps: BackupRunnerDeps, input: BackupFailureInput): Promise<void> {
   if (!deps.diagnoseFailure) return
   try {
@@ -217,7 +284,7 @@ function sanitizeCommitMessage(raw: string): string {
 }
 
 export function makeDefaultGitSpawn(): GitSpawn {
-  return withIndexLockRetry(async (args, { cwd, timeoutMs }) => {
+  return withIndexLockRetry(async (args, { cwd, timeoutMs, env }) => {
     const bun = (globalThis as { Bun?: { spawn: typeof Bun.spawn } }).Bun
     if (!bun) {
       return { exitCode: 127, stdout: '', stderr: 'Bun runtime not available', timedOut: false }
@@ -225,12 +292,15 @@ export function makeDefaultGitSpawn(): GitSpawn {
     const controller = new AbortController()
     const timer = setTimeout(() => controller.abort(), timeoutMs)
     try {
+      // Per-call `env` (credentials for push/fetch) is applied LAST so its
+      // GIT_TERMINAL_PROMPT wins; NONINTERACTIVE_ENV's pager/GCM settings still
+      // apply to every call. Local commands pass no `env` and stay token-free.
       const proc = bun.spawn({
         cmd: ['git', ...args],
         cwd,
         stdout: 'pipe',
         stderr: 'pipe',
-        env: { ...process.env, ...NONINTERACTIVE_ENV },
+        env: { ...process.env, ...NONINTERACTIVE_ENV, ...env },
         signal: controller.signal,
       })
       const exitCode = await proc.exited

package/src/channels/adapters/discord-bot-reactions.ts

@@ -75,6 +75,7 @@ const EMOJI_UNICODE: Record<string, string> = {
   fire: '🔥',
   eye: '👁️',
   raised_hands: '🙌',
+  zipper_mouth_face: '🤐',
 }
 
 function resolveEmoji(emoji: string): string | null {