typeclaw 0.37.0 → 0.37.2

package/README.md

@@ -4,7 +4,7 @@
   <img src="./docs/public/typeclaw.png" alt="TypeClaw logo" width="240" />
 </p>
 
-> A TypeScript-native, Bun-powered, Docker-friendly general-purpose agent runtime.
+> The agent for perfectionists — crafted in every detail. It behaves in your team's chat and gets sharper the longer it runs. Sandboxed and self-managing.
 
 ## Why?
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.37.0",
+  "version": "0.37.2",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"
@@ -37,6 +37,7 @@
     "format:check": "oxfmt --check .",
     "check": "bun run typecheck && bun run lint && bun run format:check",
     "test": "bun test --parallel",
+    "dev:docs": "cd docs && bun run dev",
     "generate:schema": "bun run scripts/generate-schema.ts",
     "debug:prompt": "bun run scripts/dump-system-prompt.ts",
     "postinstall": "bun run scripts/generate-schema.ts"

package/src/agent/index.ts

@@ -15,7 +15,7 @@ import { loadMemory } from '@/bundled-plugins/memory/load-memory'
 import type { ChannelRouter } from '@/channels/router'
 import type { ReactionRef } from '@/channels/types'
 import { getConfig, resolveModel, resolveProfile } from '@/config'
-import { defaultThinkingLevelForRef, providerForModelRef, type ModelRef } from '@/config/providers'
+import { defaultThinkingLevelForRef, isOpenAiFamilyRef, providerForModelRef, type ModelRef } from '@/config/providers'
 import { renderMcpCatalog } from '@/mcp/catalog'
 import type { McpManager } from '@/mcp/manager'
 import { createMcpDispatcherTools, MCP_DISPATCHER_TOOL_NAMES } from '@/mcp/tools'
@@ -47,6 +47,7 @@ import {
   wrapSystemTool,
   zodToToolParameters,
 } from './plugin-tools'
+import { PROACTIVE_NEXT_STEP_NUDGE } from './proactive-next-step-nudge'
 import { createReloadTool } from './reload-tool'
 import type { RestartHandoffOrigin } from './restart-handoff'
 import type { SubagentBashPolicy } from './reviewer-bash-policy'
@@ -277,6 +278,7 @@ export async function createSessionWithDispose(options: CreateSessionOptions = {
           ...(options.mcpManager !== undefined ? { mcpManager: options.mcpManager } : {}),
           ...(options.subagentRegistry !== undefined ? { subagentRegistry: options.subagentRegistry } : {}),
           ...(options.suppressSystemMemory !== undefined ? { suppressSystemMemory: options.suppressSystemMemory } : {}),
+          ...(isOpenAiFamilyRef(activeRef) ? { proactiveNextStepNudge: true } : {}),
         })
 
   const getOrigin: () => SessionOrigin | undefined =
@@ -957,6 +959,7 @@ export type CreateResourceLoaderOptions = {
   // from `memory.vector.enabled` — vector is restart-required, so the boot
   // snapshot is coherent with the per-turn injection decision.
   suppressSystemMemory?: boolean
+  proactiveNextStepNudge?: boolean
 }
 
 // Origins where the operator-facing DEFAULT_SYSTEM_PROMPT, git-nudge, and the
@@ -1020,6 +1023,7 @@ export type SystemPromptComposition = {
   roleContext?: SessionRoleContext
   mcpCatalog?: string
   gitNudge: string
+  proactiveNextStepNudge?: string
   memorySection: string
 }
 
@@ -1065,6 +1069,9 @@ export function composeSystemPrompt(parts: SystemPromptComposition): string {
   if (parts.gitNudge !== '') {
     prompt = `${prompt}\n\n${parts.gitNudge}`
   }
+  if (parts.proactiveNextStepNudge !== undefined && parts.proactiveNextStepNudge !== '') {
+    prompt = `${prompt}\n\n${parts.proactiveNextStepNudge}`
+  }
   if (parts.memorySection !== '') {
     prompt = `${prompt}\n\n${parts.memorySection}`
   }
@@ -1164,6 +1171,7 @@ export async function createResourceLoader(options: CreateResourceLoaderOptions
       ? { mcpCatalog: renderMcpCatalog(options.mcpManager.listServers()) }
       : {}),
     gitNudge,
+    ...(options.proactiveNextStepNudge === true ? { proactiveNextStepNudge: PROACTIVE_NEXT_STEP_NUDGE } : {}),
     memorySection,
   })
 

package/src/agent/proactive-next-step-nudge.ts

@@ -0,0 +1,11 @@
+export const PROACTIVE_NEXT_STEP_NUDGE_TITLE = '## Proactive and requested next-step guidance'
+
+// GPT-only prompt text is intentionally absent from scripts/dump-system-prompt.ts
+// token accounting because the dump tooling renders with non-GPT placeholders.
+export const PROACTIVE_NEXT_STEP_NUDGE = [
+  PROACTIVE_NEXT_STEP_NUDGE_TITLE,
+  '',
+  'GPT/OpenAI-family behavior nudge: when the user asks for work and a reasonable or necessary next step is obvious, do not ask for permission or confirmation before doing it. Do the next step when it makes sense, especially when it is necessary to complete the task well. Avoid empty optional follow-up CTAs such as “if you want, I can also …”; either take the useful next action or end with the completed result.',
+  '',
+  'When the user explicitly asks for suggestions, options, alternatives, or what to do next, answer that request directly with concrete next-step suggestions instead of treating suggestions as an unwanted follow-up CTA.',
+].join('\n')

package/src/agent/session-origin.ts

@@ -384,6 +384,27 @@ function renderChannelOrigin(
     )
   }
 
+  // Discord renders no GFM tables — a raw `| a | b |` block shows as literal
+  // pipes. The discord-bot adapter rewrites BARE pipe tables into aligned
+  // inline-code rows for readability, but it skips any table inside a ``` /
+  // ~~~ fence (a fenced table is literal text by CommonMark). Models that have
+  // "learned" Discord mangles tables defensively wrap them in a fence, which is
+  // exactly what disables the auto-conversion — so the table renders ragged
+  // anyway. Tell the model to emit tables bare and let the adapter format them.
+  if (origin.adapter === 'discord-bot') {
+    lines.push(
+      '',
+      '**Emit Markdown tables as bare `| a | b |` blocks — never inside a code',
+      'fence.** Discord does not render Markdown tables, so this session',
+      'auto-reformats a bare pipe table (a `|`-row followed by a `|---|`',
+      'alignment row) into aligned, readable columns before it sends. That',
+      'reformatting only fires on raw Markdown: the moment you wrap the table in',
+      'a ``` or ~~~ fence it is treated as literal text and lands as ragged pipes.',
+      'So write the table directly in your reply with no surrounding fence. Use',
+      'fences only for actual code or output you want shown verbatim.',
+    )
+  }
+
   const conversationLine = renderConversationLine(origin)
   if (conversationLine !== null) lines.push('', conversationLine)
 

package/src/agent/subagents.ts

@@ -1,10 +1,11 @@
 import type { ToolDefinition } from '@mariozechner/pi-coding-agent'
 import type { z } from 'zod'
 
+import type { PermissionService } from '@/permissions'
 import type { HookBus } from '@/plugin'
 import type { Stream, Unsubscribe } from '@/stream'
 
-import { type AgentSession, createSession } from './index'
+import { type AgentSession, createSession, type PluginSessionWiring } from './index'
 import { subscribeProviderErrors } from './provider-error'
 import type { SubagentBashPolicy } from './reviewer-bash-policy'
 import type { SessionOrigin } from './session-origin'
@@ -143,6 +144,21 @@ export type CreateSessionForSubagentOptions = {
   parentSessionId?: string
   spawnedByRole?: string
   spawnedByOrigin?: SessionOrigin
+  // Plugin hook wiring for the subagent's tools. When present, the subagent's
+  // builtin bash/read/edit/write run through the plugin `tool.before`/`tool.after`
+  // hooks (security guards AND github-cli-auth GitHub-token injection) exactly
+  // like the main and plugin-subagent sessions. Without it, the builtin tools run
+  // raw (the prior behavior) — so standalone/test callers stay unaffected. The
+  // production runtime always supplies it (src/run/index.ts) so a generic
+  // task-spawned subagent's `git push`/`gh` gets a minted token instead of
+  // failing with "could not read Username".
+  plugins?: PluginSessionWiring
+  // The role/permission service that drives builtin-bash sandboxing. It MUST be
+  // forwarded alongside `plugins`: buildBuiltinPiToolOverrides only applies
+  // applyBashSandbox / applyTmpPathRedirect when `permissions` is present, so
+  // wiring hooks without permissions would inject the GitHub token yet leave the
+  // sandbox OFF — strictly weaker than the plugin-subagent branch this matches.
+  permissions?: PermissionService
 }
 export type CreateSessionForSubagent = (
   subagent: Subagent<any>,
@@ -161,6 +177,8 @@ export const defaultCreateSessionForSubagent: CreateSessionForSubagent = (subage
     },
     ...(subagent.tools ? { tools: subagent.tools } : {}),
     customTools: subagent.customTools ?? [],
+    ...(options?.plugins !== undefined ? { plugins: options.plugins } : {}),
+    ...(options?.permissions !== undefined ? { permissions: options.permissions } : {}),
     ...(subagent.profile !== undefined ? { profile: subagent.profile } : {}),
     ...(subagent.toolResultBudget !== undefined ? { toolResultBudget: subagent.toolResultBudget } : {}),
     ...(subagent.bashPolicy !== undefined ? { bashPolicy: subagent.bashPolicy } : {}),

package/src/channels/router.ts

@@ -3358,23 +3358,6 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       live.skippedTurn = null
       logger.info(`[channels] ${live.keyId} skip_contested_by_send recovering reply`)
     }
-    // A send landed this turn, but the model may have posted a `continue: true`
-    // progress reply, kept working, then ENDED with its final answer as plain
-    // prose — never calling a channel tool again. The terminal-reply abort fires
-    // only for a `channel_reply` WITHOUT `continue: true`, so that `stopReason:
-    // 'stop'` text leaf is left undelivered and unguarded (the false-receipt
-    // guard is github-only). The discriminator is leaf IDENTITY: only when the
-    // turn-end `stop` leaf is a DIFFERENT entry than the one in place at the last
-    // send did the model produce fresh post-reply prose. A leaf unchanged since
-    // the send is narration the model emitted with/before the reply that already
-    // landed — suppress it, as before.
-    if (live.successfulChannelSends > successfulSendsBeforePrompt) {
-      maybeNudgeContinuationWillingness(live)
-      const trailing = recoverableAssistantText(live.session)
-      if (trailing === null || trailing.source !== 'leaf') return
-      if (live.session.sessionManager.getLeafEntry()?.id === live.lastSendLeafId) return
-    }
-
     const postEmptyTurnFallback = async (cause: string): Promise<void> => {
       logger.warn(`[channels] ${live.keyId} empty_turn_fallback cause=${cause}`)
       const result = await send(
@@ -3392,6 +3375,49 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       }
     }
 
+    // A send landed this turn, but the model may have posted a `continue: true`
+    // progress reply, kept working, then ENDED with its final answer as plain
+    // prose — never calling a channel tool again. The terminal-reply abort fires
+    // only for a `channel_reply` WITHOUT `continue: true`, so that `stopReason:
+    // 'stop'` text leaf is left undelivered and unguarded (the false-receipt
+    // guard is github-only). The discriminator is leaf IDENTITY: only when the
+    // turn-end `stop` leaf is a DIFFERENT entry than the one in place at the last
+    // send did the model produce fresh post-reply prose. A leaf unchanged since
+    // the send is narration the model emitted with/before the reply that already
+    // landed — suppress it, as before.
+    if (live.successfulChannelSends > successfulSendsBeforePrompt) {
+      maybeNudgeContinuationWillingness(live)
+      const trailing = recoverableAssistantText(live.session)
+      if (trailing === null || trailing.source !== 'leaf') {
+        // A `continue: true` status reply landed, then the turn stranded on an
+        // unanswered `toolUse` (the post-tool follow-up never produced an
+        // assistant message — aborted loop / cancelled stream). The promised
+        // work never finished, so the user is left with a bare "checking now…"
+        // and nothing after it. Re-prompt the same logical turn so the model
+        // completes its investigation and actually replies, instead of ending
+        // in silence. On retry-exhaustion post the fallback rather than
+        // returning silently — a retry turn that re-sends a status and re-strands
+        // on the same no-prose shape must not deadair the user. Any postable
+        // pre-tool/mid-turn prose is suppressed here as before (it was narration
+        // that accompanied the already-landed reply); only the no-prose strand
+        // gets a retry-or-fallback.
+        if (leafIsStrandedToolUse(live.session) && live.currentTurnAuthorId !== null) {
+          if (live.emptyTurnRetries < MAX_EMPTY_TURN_RETRIES) {
+            live.emptyTurnRetries++
+            logger.warn(
+              `[channels] ${live.keyId} empty_turn_retry attempt=${live.emptyTurnRetries}/${MAX_EMPTY_TURN_RETRIES} ` +
+                `cause=stranded_toolUse_after_send`,
+            )
+            live.pendingSystemReminders.push(EMPTY_TURN_RETRY_NUDGE)
+          } else {
+            await postEmptyTurnFallback('stranded_toolUse_retries_exhausted')
+          }
+        }
+        return
+      }
+      if (live.session.sessionManager.getLeafEntry()?.id === live.lastSendLeafId) return
+    }
+
     let candidate = recoverableAssistantText(live.session)
     // A `length` leaf is recovered ONLY when stripping leaked `<think>…</think>`
     // spans actually removed something AND leaves a postable reply. The removal
@@ -4961,6 +4987,40 @@ function assistantLeafStopReason(session: AgentSession): 'length' | 'error' | 'a
   return undefined
 }
 
+// True when the branch ends on an UNANSWERED `toolUse` that left NO postable
+// prose — the model called a tool and the upstream pi-agent-core post-tool
+// follow-up never produced an assistant message (the loop was aborted, or the
+// follow-up stream cancelled). Two leaf shapes carry this signature: the leaf
+// IS a `toolUse` assistant, or the leaf is a `toolResult` whose nearest
+// assistant ancestor (reached before any user message) is `toolUse`. The
+// no-prose requirement is the discriminator from a model that narrated a reply
+// alongside its tool call and DID land a real send this turn (that trailing
+// `toolUse` is delivered narration, not a stranded promise — leave it alone).
+// Keys on the model having INTENDED to keep working with nothing yet said; used
+// to re-prompt a turn that strands mid-work after a `continue: true` status
+// reply instead of ending in silence.
+function leafIsStrandedToolUse(session: AgentSession): boolean {
+  const leaf = session.sessionManager.getLeafEntry()
+  if (!leaf || leaf.type !== 'message') return false
+  if (leaf.message.role === 'assistant') {
+    return leaf.message.stopReason === 'toolUse' && visibleAssistantText(leaf.message).trim() === ''
+  }
+  if (leaf.message.role !== 'toolResult') return false
+  let cursor: { parentId: string | null } | undefined = leaf
+  for (let depth = 0; depth < 32 && cursor?.parentId; depth++) {
+    const parent = session.sessionManager.getEntry(cursor.parentId)
+    if (!parent) return false
+    if (parent.type === 'message') {
+      if (parent.message.role === 'assistant') {
+        return parent.message.stopReason === 'toolUse' && visibleAssistantText(parent.message).trim() === ''
+      }
+      if (parent.message.role === 'user') return false
+    }
+    cursor = parent
+  }
+  return false
+}
+
 function visibleAssistantText(message: AssistantMessage): string {
   return message.content
     .filter((block) => block.type === 'text')

package/src/cli/fuzzy-filter.ts

@@ -0,0 +1,32 @@
+import type { Option } from '@clack/prompts'
+
+type FuzzyFilter<Value> = (search: string, option: Option<Value>) => boolean
+
+function optionHaystack<Value>(option: Option<Value>): string {
+  const label = option.label ?? String(option.value)
+  const hint = option.hint ?? ''
+  return `${label} ${String(option.value)} ${hint}`.toLowerCase()
+}
+
+function isSubsequence(query: string, haystack: string): boolean {
+  let i = 0
+  for (let j = 0; j < haystack.length && i < query.length; j++) {
+    if (haystack[j] === query[i]) i++
+  }
+  return i === query.length
+}
+
+// Splitting the query on whitespace lets "gpt 5.5" match "GPT-5.5 Turbo": each
+// token is matched independently as a subsequence, so the "-" inside "GPT-5.5"
+// no longer breaks the search the way a plain substring "gpt 5.5" would. Tokens
+// are order-independent so "turbo gpt" finds "GPT Turbo" too.
+export function fuzzyMatch<Value>(search: string, option: Option<Value>): boolean {
+  const tokens = search.toLowerCase().split(/\s+/).filter(Boolean)
+  if (tokens.length === 0) return true
+  const haystack = optionHaystack(option)
+  return tokens.every((token) => isSubsequence(token, haystack))
+}
+
+export const fuzzyFilter: FuzzyFilter<unknown> = fuzzyMatch
+
+export type { FuzzyFilter }

package/src/cli/init.ts

@@ -1,6 +1,18 @@
 import { randomBytes } from 'node:crypto'
 
-import { cancel, confirm, intro, isCancel, log, note, password, select, spinner, text } from '@clack/prompts'
+import {
+  autocomplete,
+  cancel,
+  confirm,
+  intro,
+  isCancel,
+  log,
+  note,
+  password,
+  select,
+  spinner,
+  text,
+} from '@clack/prompts'
 import { defineCommand } from 'citty'
 
 import {
@@ -54,6 +66,7 @@ import {
   type KeyValidationResult,
 } from '@/init/validate-api-key'
 
+import { fuzzyMatch } from './fuzzy-filter'
 import { buildOAuthCallbacks } from './oauth-callbacks'
 import { CANCEL_SYMBOL, promptPrivateKeyPem } from './prompt-pem'
 import {
@@ -1083,8 +1096,10 @@ async function pickVendor(
   initial: KnownProviderVendorId | undefined,
 ): Promise<StepResult<KnownProviderVendorId>> {
   const vendors = uniqueVendors(options)
-  const choice = await select({
+  const choice = await autocomplete({
     message: 'Pick an LLM provider',
+    placeholder: 'Type to search…',
+    filter: fuzzyMatch,
     options: vendors.map((id) => ({
       value: id,
       label: KNOWN_PROVIDER_VENDORS[id].name,
@@ -1104,8 +1119,10 @@ async function pickProviderVariant(
   const variants = providersForVendorInCatalog(vendorId, options)
   if (variants.length === 0) throw new Error(`Internal error: vendor ${vendorId} has no providers in the catalog`)
   if (variants.length === 1) return autoValue(variants[0]!)
-  const choice = await select<KnownProviderId>({
+  const choice = await autocomplete<KnownProviderId>({
     message: `Pick a ${KNOWN_PROVIDER_VENDORS[vendorId].name} option`,
+    placeholder: 'Type to search…',
+    filter: fuzzyMatch,
     options: variants.map((id) => {
       const hint = variantHint(vendorId, id)
       return hint !== undefined
@@ -1128,8 +1145,10 @@ async function pickModelForProvider(
   // distributive conditional type, so a large KnownModelRef union explodes into
   // a per-literal option union that no longer accepts `value: ref`. The runtime
   // value is the ref string and is re-narrowed via `candidates.find` below.
-  const choice = await select<string>({
+  const choice = await autocomplete<string>({
     message: `Pick a ${KNOWN_PROVIDERS[providerId].name} model`,
+    placeholder: 'Type to search…',
+    filter: fuzzyMatch,
     options: candidates.map((o) => ({
       value: o.ref,
       label: formatModelLabel(o),
@@ -1173,8 +1192,10 @@ async function pickVisionVendor(
     log.warn('No vision-capable models available; skipping vision profile.')
     return autoValue('skip')
   }
-  const choice = await select<KnownProviderVendorId | 'skip'>({
+  const choice = await autocomplete<KnownProviderVendorId | 'skip'>({
     message: 'Your model is text-only. Pick a provider for the `vision` profile (used for image input)',
+    placeholder: 'Type to search…',
+    filter: fuzzyMatch,
     options: [
       ...vendors.map((id) => ({
         value: id as KnownProviderVendorId | 'skip',
@@ -1204,8 +1225,10 @@ async function pickVisionModel(
 ): Promise<StepResult<ModelOption>> {
   const candidates = sortRecommendedFirst(options.filter((o) => o.providerId === providerId))
   // select<string> for the same distributive-Option reason as pickModelForProvider.
-  const choice = await select<string>({
+  const choice = await autocomplete<string>({
     message: `Pick a vision-capable ${KNOWN_PROVIDERS[providerId].name} model`,
+    placeholder: 'Type to search…',
+    filter: fuzzyMatch,
     options: candidates.map((o) => ({
       value: o.ref,
       label: formatModelLabel(o),

package/src/cli/model.ts

@@ -1,4 +1,4 @@
-import { cancel, intro, isCancel, log, select } from '@clack/prompts'
+import { autocomplete, cancel, intro, isCancel, log, select } from '@clack/prompts'
 import { defineCommand } from 'citty'
 
 import type { CustomModelMeta } from '@/config'
@@ -19,6 +19,7 @@ import {
 import { findAgentDir, isInitialized } from '@/init'
 import { customModelMetaFromOption, fetchModelOptions, type ModelOption } from '@/init/models-dev'
 
+import { fuzzyMatch } from './fuzzy-filter'
 import { runProviderAddFlow } from './provider'
 import { c, done, errorLine } from './ui'
 
@@ -248,8 +249,10 @@ async function pickModelRef(cwd: string): Promise<PickedModelRef> {
     // assignability. Values are ref strings (+ the sentinel) and stay correct
     // at runtime — the sentinel check and `return choice` below are unaffected.
     const modelOptions = await listCredentialedModelOptions(refs)
-    const choice = await select<string>({
+    const choice = await autocomplete<string>({
       message: 'Pick a model',
+      placeholder: 'Type to search…',
+      filter: fuzzyMatch,
       options: [
         ...modelOptions.map((option) => ({
           value: option.ref,

package/src/cli/provider.ts

@@ -1,4 +1,4 @@
-import { cancel, intro, isCancel, log, password, select } from '@clack/prompts'
+import { autocomplete, cancel, intro, isCancel, log, password, select } from '@clack/prompts'
 import { defineCommand } from 'citty'
 
 import {
@@ -23,6 +23,7 @@ import {
 import { findAgentDir, isInitialized } from '@/init'
 import { makeOAuthLoginRunner } from '@/init/oauth-login'
 
+import { fuzzyMatch } from './fuzzy-filter'
 import { buildOAuthCallbacks } from './oauth-callbacks'
 import { c, done, errorLine } from './ui'
 
@@ -282,8 +283,10 @@ async function resolveProviderForAdd(input: string | undefined): Promise<KnownPr
 
 async function pickVendorToAdd(): Promise<KnownProviderVendorId> {
   const vendorIds = listKnownProviderVendorIds()
-  const choice = await select<KnownProviderVendorId>({
+  const choice = await autocomplete<KnownProviderVendorId>({
     message: 'Pick a provider to add',
+    placeholder: 'Type to search…',
+    filter: fuzzyMatch,
     options: vendorIds.map((id) => ({
       value: id,
       label: KNOWN_PROVIDER_VENDORS[id].name,
@@ -301,8 +304,10 @@ async function pickVendorToAdd(): Promise<KnownProviderVendorId> {
 async function pickVariantToAdd(vendorId: KnownProviderVendorId): Promise<KnownProviderId> {
   const variants = providerIdsForVendor(vendorId)
   if (variants.length === 1) return variants[0]!
-  const choice = await select<KnownProviderId>({
+  const choice = await autocomplete<KnownProviderId>({
     message: `Pick a ${KNOWN_PROVIDER_VENDORS[vendorId].name} option`,
+    placeholder: 'Type to search…',
+    filter: fuzzyMatch,
     options: variants.map((id) => {
       const hint = variantHint(vendorId, id)
       return hint !== undefined

package/src/config/providers.ts

@@ -991,9 +991,12 @@ function knownProviderForModelRef(ref: string): KnownProviderId | null {
 //
 // Anthropic, GLM, and Kimi don't share the padding behavior, so they keep the
 // SDK default.
+export function isOpenAiFamilyRef(ref: KnownModelRef | ModelRef | string): boolean {
+  return vendorForProviderId(providerForModelRef(ref)) === 'openai'
+}
+
 export function defaultThinkingLevelForRef(ref: KnownModelRef | ModelRef | string): 'low' | undefined {
-  const providerId = providerForModelRef(ref)
-  if (providerId === 'openai' || providerId === 'openai-codex') return 'low'
+  if (isOpenAiFamilyRef(ref)) return 'low'
   return undefined
 }
 

package/src/run/index.ts

@@ -439,7 +439,30 @@ export async function startAgent({
           : {}),
       }
     }
-    return defaultCreateSessionForSubagent(subagent, subagentOptions)
+    // Non-plugin (built-in) subagents — general/explore/scout/memory-logger/
+    // dreaming and anything spawned through the generic task path. They used to
+    // run with NO plugin tool.before/tool.after coverage, so their bash skipped
+    // the security guards AND the github-cli-auth GitHub-token injection — a
+    // generic subagent's `git push` got no minted token and died with "could
+    // not read Username" even when a GitHub App was configured. Thread the same
+    // hook bus the plugin-subagent branch uses, against a freshly allocated
+    // subagent session id (never the parent's, so hooks/audit/permission
+    // attribution stay per-session).
+    const sessionManager = SessionManager.create(cwd, sessionFactory.sessionDir())
+    return defaultCreateSessionForSubagent(subagent, {
+      ...subagentOptions,
+      plugins: {
+        registry: snap.registry,
+        hooks: snap.hooks,
+        sessionId: sessionManager.getSessionId(),
+        agentDir: cwd,
+      },
+      // Pass permissions alongside plugins (same as the plugin-subagent branch
+      // at line 384): without it the builtin-bash sandbox (applyBashSandbox /
+      // applyTmpPathRedirect) stays off and the subagent would get the injected
+      // token but no role-derived sandboxing.
+      permissions: pluginsLoaded.permissions,
+    })
   }
 
   const subagentConsumer = createSubagentConsumer({