typeclaw 0.37.5 → 0.37.7

package/src/bundled-plugins/github-cli-auth/index.ts

@@ -7,7 +7,7 @@ import { createApproveIdempotencyGuard } from './approve-idempotency'
 import { createGithubEffectiveApprovalResolver, createGithubHeadShaResolver } from './effective-approval'
 import { analyzeGhCommand, effectiveGhTokensForAuthenticatedUserEndpoint } from './gh-command'
 import { ensureGitAskPassHelper } from './git-askpass'
-import { analyzeGitCommand, defaultGitResolvers } from './git-command'
+import { analyzeGitCommand, defaultGitResolvers, resolveGhDefaultRepoFromCwd } from './git-command'
 import { checkGraphqlAuthNudge } from './graphql-auth-nudge'
 import { commitReviewIfSucceeded, noteReviewCommand } from './review-recorder'
 import { classifyGhToken, shouldMintAppToken } from './token-class'
@@ -72,6 +72,35 @@ export default definePlugin({
 
     type HookResult = void | { block: true; reason: string }
 
+    // A TRUSTED repo to fill in for a repo-less `gh` command, resolved from
+    // sources the command author cannot forge: (1) a GitHub channel session's
+    // own repo (origin.workspace comes from the signed webhook payload), then
+    // (2) the working tree's `origin` remote. NOT from any `-R`/path in the
+    // command (that is the attacker-controllable input the parser already
+    // handles). The slug is still gated by the repos[] allowlist at mint time.
+    const resolveTrustedFallbackRepo = async (origin: SessionOrigin | undefined): Promise<string | undefined> => {
+      if (origin?.kind === 'channel' && origin.adapter === 'github' && origin.workspace !== '') {
+        return origin.workspace
+      }
+      const fromCwd = await resolveGhDefaultRepoFromCwd(ctx.agentDir, defaultGitResolvers)
+      return fromCwd ?? undefined
+    }
+
+    // When a repo-less `gh` is blocked but a trusted repo IS available, show the
+    // exact single-bare rewrite so the agent recovers in one step instead of
+    // guessing. Composition blocks get a split-the-script instruction. The
+    // returned text is appended to the block reason (synchronous, always seen).
+    const buildGhBlockGuidance = (code: string, fallbackRepo: string | undefined): string => {
+      const slug = fallbackRepo ?? 'owner/repo'
+      if (code === 'composition') {
+        return (
+          ` Run each gh as its own single bare command, e.g. \`gh label edit <name> -R ${slug} --name ...\` —` +
+          ' not inside a function, `if`/`then`, `&&`, `;`, or `$(...)`.'
+        )
+      }
+      return ` For example: \`gh <cmd> -R ${slug}\` as a single bare command.`
+    }
+
     // 'fall-through' means "not a repo-targeting gh command" so the caller can
     // try the git path on the same command (e.g. `git ... # gh` substrings).
     const handleGhCommand = async (params: {
@@ -91,7 +120,26 @@ export default definePlugin({
       }
       if (review.dump !== null) return review.dump
 
-      const decision = analyzeGhCommand(command)
+      // Analyze first WITHOUT the fallback: an explicit `-R`/path repo must win,
+      // and we only pay for fallback resolution (a git subprocess) when the
+      // command is otherwise repo-less. A trusted fallback is then applied ONLY to
+      // a `missing-repo` block (never to composition/non-literal/multi-owner/api),
+      // and re-analysis re-runs the SAME composition gate, so a compound command
+      // still blocks. `fallbackRepoUsed` marks an inject that came from the
+      // fallback so we also set GH_REPO (gh needs the repo, not just the token).
+      let decision = analyzeGhCommand(command)
+      let fallbackRepo: string | undefined
+      let fallbackRepoUsed = false
+      if (decision.kind === 'block' && decision.code === 'missing-repo') {
+        fallbackRepo = await resolveTrustedFallbackRepo(event.origin)
+        if (fallbackRepo !== undefined) {
+          const withFallback = analyzeGhCommand(command, fallbackRepo)
+          if (withFallback.kind === 'inject') {
+            decision = withFallback
+            fallbackRepoUsed = true
+          }
+        }
+      }
 
       // `/user` classifies as pass-through (no repo to mint for), so this block
       // must run BEFORE the pass-through return. Resolve the EFFECTIVE token per
@@ -140,7 +188,10 @@ export default definePlugin({
         // NOT apply — a PAT needs no per-repo mint — so we never surface it here.
         if (runsUnsandboxed(event.origin)) {
           if (decision.kind === 'inject') {
-            event.args[TYPECLAW_INTERNAL_BASH_ENV] = { GH_TOKEN: process.env.GH_TOKEN as string }
+            event.args[TYPECLAW_INTERNAL_BASH_ENV] = {
+              GH_TOKEN: process.env.GH_TOKEN as string,
+              ...(fallbackRepoUsed && fallbackRepo !== undefined ? { GH_REPO: fallbackRepo } : {}),
+            }
           }
           return
         }
@@ -148,14 +199,18 @@ export default definePlugin({
         // available (a PAT must NOT suppress it, or the original silent-failure
         // bug returns); otherwise block with guidance rather than failing mute.
         if (!shouldMintAppToken(undefined, hasAppTokenResolver())) {
-          if (decision.kind === 'block') return { block: true, reason: decision.reason }
+          if (decision.kind === 'block') {
+            return { block: true, reason: decision.reason + buildGhBlockGuidance(decision.code, fallbackRepo) }
+          }
           warnSandboxedPatWithheldOnce()
           return { block: true, reason: sandboxedPatWithheldReason }
         }
         mintForSandboxedPat = true
       }
 
-      if (decision.kind === 'block') return { block: true, reason: decision.reason }
+      if (decision.kind === 'block') {
+        return { block: true, reason: decision.reason + buildGhBlockGuidance(decision.code, fallbackRepo) }
+      }
 
       // No App auth (no App-class GH_TOKEN and no live minter): leave whatever
       // is seeded so `gh` fails honestly rather than us guessing a token. The
@@ -166,8 +221,14 @@ export default definePlugin({
       if (result.kind === 'unavailable') return { block: true, reason: result.reason }
       // Inject via the internal env overlay (delivered to the spawn / bwrap
       // --setenv by the bash wrapper) so the token never enters the command
-      // string, where it could leak through logs or later hooks.
-      event.args[TYPECLAW_INTERNAL_BASH_ENV] = { GH_TOKEN: result.token }
+      // string, where it could leak through logs or later hooks. When the repo
+      // came from a trusted fallback (not an explicit -R), also set GH_REPO so
+      // `gh` actually targets it — a token alone leaves the repo unresolved.
+      // GH_REPO is non-secret; the token still scopes reach to that repo.
+      event.args[TYPECLAW_INTERNAL_BASH_ENV] = {
+        GH_TOKEN: result.token,
+        ...(fallbackRepoUsed ? { GH_REPO: decision.repoSlug } : {}),
+      }
       return
     }
 

package/src/channels/manager.ts

@@ -104,6 +104,17 @@ export type ChannelManagerOptions = {
   // unregistered. See CreateChannelRouterOptions.onReload/onRestart.
   onReload?: () => Promise<string>
   onRestart?: (ctx?: RestartCommandContext) => Promise<string>
+  // Persistent messenger SDKs usually reconnect themselves, but a host sleep/offline
+  // cycle can leave a socket half-dead forever. The manager watches live adapters
+  // and restarts one that stays disconnected past this grace period. Test seams are
+  // optional so production uses normal timers/time.
+  connectionRecovery?: {
+    checkIntervalMs?: number
+    disconnectedGraceMs?: number
+    now?: () => number
+    setInterval?: (fn: () => void, ms: number) => unknown
+    clearInterval?: (handle: unknown) => void
+  }
 }
 
 export type ChannelManager = {
@@ -132,6 +143,8 @@ type AnyAdapter =
 type AdapterEntry = {
   adapter: AnyAdapter
   credentialSignature: string
+  disconnectedSinceMs: number | null
+  recoveryRestartQueued: boolean
 }
 
 export function createChannelManager(options: ChannelManagerOptions): ChannelManager {
@@ -158,6 +171,14 @@ export function createChannelManager(options: ChannelManagerOptions): ChannelMan
 
   const live = new Map<AdapterId, AdapterEntry>()
   const perAdapterSerial = new Map<AdapterId, Promise<unknown>>()
+  const recovery = options.connectionRecovery ?? {}
+  const recoveryCheckIntervalMs = recovery.checkIntervalMs ?? 30_000
+  const recoveryDisconnectedGraceMs = recovery.disconnectedGraceMs ?? 90_000
+  const recoveryNow = recovery.now ?? (() => Date.now())
+  const recoverySetInterval = recovery.setInterval ?? ((fn: () => void, ms: number) => setInterval(fn, ms))
+  const recoveryClearInterval =
+    recovery.clearInterval ?? ((handle: unknown) => clearInterval(handle as ReturnType<typeof setInterval>))
+  let recoveryTimer: unknown = null
 
   const runSerially = <T>(name: AdapterId, op: () => Promise<T>): Promise<T> => {
     const prev = perAdapterSerial.get(name) ?? Promise.resolve()
@@ -271,7 +292,12 @@ export function createChannelManager(options: ChannelManagerOptions): ChannelMan
     }
     try {
       await adapter.start()
-      live.set(name, { adapter, credentialSignature: signature })
+      live.set(name, {
+        adapter,
+        credentialSignature: signature,
+        disconnectedSinceMs: adapter.isConnected() ? null : recoveryNow(),
+        recoveryRestartQueued: false,
+      })
       logger.info(`[channels] adapter "${name}" started`)
       return true
     } catch (err) {
@@ -292,6 +318,54 @@ export function createChannelManager(options: ChannelManagerOptions): ChannelMan
     }
   }
 
+  const checkConnectionRecovery = (): void => {
+    const now = recoveryNow()
+    for (const [name, entry] of live) {
+      if (entry.adapter.isConnected()) {
+        entry.disconnectedSinceMs = null
+        entry.recoveryRestartQueued = false
+        continue
+      }
+      if (entry.disconnectedSinceMs === null) {
+        entry.disconnectedSinceMs = now
+        logger.warn(`[channels] adapter "${name}" is disconnected; waiting for SDK recovery`)
+        continue
+      }
+      const disconnectedForMs = now - entry.disconnectedSinceMs
+      if (disconnectedForMs < recoveryDisconnectedGraceMs || entry.recoveryRestartQueued) continue
+      entry.recoveryRestartQueued = true
+      logger.warn(
+        `[channels] adapter "${name}" disconnected for ${Math.round(disconnectedForMs)}ms; restarting adapter`,
+      )
+      void runSerially(name, async () => {
+        try {
+          const current = live.get(name)
+          if (current !== entry) return
+          const currentCfg = options.channelsConfigRef()[name]
+          if (currentCfg === undefined || currentCfg.enabled === false) {
+            logger.info(`[channels] recovery restart for "${name}" skipped; adapter no longer enabled`)
+            return
+          }
+          await stopAdapter(name)
+          await startAdapter(name, currentCfg)
+        } finally {
+          if (live.get(name) === entry) entry.recoveryRestartQueued = false
+        }
+      })
+    }
+  }
+
+  const startRecoveryTimer = (): void => {
+    if (recoveryTimer !== null) return
+    recoveryTimer = recoverySetInterval(checkConnectionRecovery, recoveryCheckIntervalMs)
+  }
+
+  const stopRecoveryTimer = (): void => {
+    if (recoveryTimer === null) return
+    recoveryClearInterval(recoveryTimer)
+    recoveryTimer = null
+  }
+
   return {
     router,
 
@@ -313,9 +387,11 @@ export function createChannelManager(options: ChannelManagerOptions): ChannelMan
       const results = await Promise.allSettled(starts)
       const failure = results.find((r): r is PromiseRejectedResult => r.status === 'rejected')
       if (failure !== undefined) throw failure.reason
+      startRecoveryTimer()
     },
 
     async stop(): Promise<void> {
+      stopRecoveryTimer()
       for (const name of Array.from(live.keys())) await runSerially(name, () => stopAdapter(name))
       await router.stop()
     },

package/src/channels/router.ts

@@ -5,6 +5,7 @@ import type { AssistantMessage } from '@mariozechner/pi-ai'
 import { SessionManager } from '@mariozechner/pi-coding-agent'
 
 import { createSession, renderTurnRoleAnchor, renderTurnTimeAnchor, type AgentSession } from '@/agent'
+import { applyTurnThinkingLevel } from '@/agent/attention-escalation'
 import { forgetSharedLoopGuardTool } from '@/agent/plugin-tools'
 import { subscribeProviderErrors } from '@/agent/provider-error'
 import type { RestartHandoff } from '@/agent/restart-handoff'
@@ -573,6 +574,10 @@ type LiveSession = {
   key: ChannelKey
   keyId: string
   session: AgentSession
+  // The session's creation-time thinking level, captured once. A later escalated
+  // turn moves `session.thinkingLevel` to `high`, so the live getter can't be the
+  // reset target — this preserves the real default across the session's lifetime.
+  turnThinkingDefault: AgentSession['thinkingLevel']
   sessionId: string
   dispose: () => Promise<void>
   hooks: HookBus | undefined
@@ -607,6 +612,11 @@ type LiveSession = {
   typingStartedAt: number
   typingTimedOut: boolean
   typingStopPromise: Promise<void> | null
+  // True only while `live.session.prompt()` is actively running. Gates the
+  // deferred typing revival: a revival queued behind an in-flight cap-trip
+  // 'stop' must NOT re-arm the heartbeat once the prompt has finished, or it
+  // leaks a timer that fires past the turn's end.
+  promptInFlight: boolean
   lastInboundAt: number
   // Transcript-file size (bytes) captured immediately after cold-start, before
   // any user turn — a proxy for the fixed base-context rebuild cost (rendered
@@ -1654,6 +1664,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         key,
         keyId,
         session: created.session,
+        turnThinkingDefault: created.session.thinkingLevel,
         sessionId: created.sessionId,
         dispose: created.dispose,
         hooks: created.hooks,
@@ -1673,6 +1684,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         typingStartedAt: 0,
         typingTimedOut: false,
         typingStopPromise: null,
+        promptInFlight: false,
         lastInboundAt: now(),
         baseContextBytes: 0,
         firstUnprocessedAt: 0,
@@ -1930,16 +1942,69 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     live.typingStartedAt = now()
   }
 
+  // Re-arm a heartbeat that the silence cap already stopped. PR #930 made
+  // streamed deltas refresh the clock, but only via `bumpTypingActivity`,
+  // which no-ops once `typingTimer` is null. So a turn that goes silent for
+  // >MAX_TYPING_HEARTBEAT_MS (a long single tool call, a slow provider, an
+  // extended-thinking phase that emits no deltas) trips the cap, and the
+  // delta/tool signals that arrive afterwards can no longer revive it —
+  // `startTypingHeartbeat` short-circuits on `typingTimedOut`, which only
+  // resets at the next drain() iteration (i.e. never, within one long turn).
+  // Reviving here lets demonstrable progress after a timeout bring the
+  // indicator back. The revival is gated on streamed activity ONLY, never on
+  // a new inbound (a later inbound during the same in-flight turn must stay
+  // silenced — see the matching router test).
+  //
+  // On Slack this is the visible bug: its `'stop'` phase sends a permanent
+  // empty-string `setStatus` clear that does not auto-expire, so a tripped
+  // indicator stays gone. Discord/Telegram mask the same defect because their
+  // native indicators auto-expire and self-heal on the next tick.
+  const reviveTypingActivity = (live: LiveSession): void => {
+    if (live.destroyed) return
+    if (!live.typingTimedOut) {
+      bumpTypingActivity(live)
+      return
+    }
+    // A `'stop'` clear may still be in flight. Starting a new heartbeat now
+    // would short-circuit on the non-null `typingStopPromise` (losing the
+    // revival), and firing a fresh `'tick'` before Slack's empty-string clear
+    // lands would let the clear wipe the just-revived status. Defer until the
+    // stop settles so the new `'tick'` is ordered strictly after the clear.
+    const stopPromise = live.typingStopPromise
+    if (stopPromise) {
+      void stopPromise.catch(() => undefined).then(() => restartTypingAfterTimeout(live))
+      return
+    }
+    restartTypingAfterTimeout(live)
+  }
+
+  const restartTypingAfterTimeout = (live: LiveSession): void => {
+    // Re-checked after the awaited stop:
+    //  - `destroyed`: the session may have been torn down.
+    //  - `!typingTimedOut`: an earlier queued revival already cleared the flag
+    //    and re-armed (so this one is a no-op — no double interval/tick).
+    //  - `!promptInFlight`: the prompt finished while the cap-trip 'stop' was
+    //    still in flight. A revival queued by a late delta would otherwise
+    //    re-arm a heartbeat after generation ended — a timer nothing stops
+    //    (drain()'s turn-end stop already ran with `typingTimer === null`).
+    //    `draining` is too coarse: it stays true through the turn-end hook tail
+    //    (turn-end/idle/todos) after `prompt()` returns, so a revival running
+    //    in that window would still leak. Gate on active generation instead.
+    if (live.destroyed || !live.promptInFlight || !live.typingTimedOut) return
+    live.typingTimedOut = false
+    startTypingHeartbeat(live)
+  }
+
   const subscribeTypingActivity = (session: AgentSession, live: LiveSession): (() => void) => {
     return session.subscribe((event) => {
       if (event.type === 'tool_execution_end') {
-        bumpTypingActivity(live)
+        reviveTypingActivity(live)
         return
       }
       if (event.type !== 'message_update') return
       const streamed = event.assistantMessageEvent.type
       if (streamed === 'text_delta' || streamed === 'thinking_delta') {
-        bumpTypingActivity(live)
+        reviveTypingActivity(live)
       }
     })
   }
@@ -2336,8 +2401,11 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         live.policyDeniedToolSendsThisTurn.clear()
         resetReviewTurn(live.sessionId)
         const isRealUserTurn = batch.length > 0
-        const retrievalContext = await fireSessionTurnStart(live, composeRetrievalQuery(batch))
+        const retrievalQuery = composeRetrievalQuery(batch)
+        const retrievalContext = await fireSessionTurnStart(live, retrievalQuery)
         const promptText = retrievalContext.results.length > 0 ? `${text}\n\n${retrievalContext.results}` : text
+        applyTurnThinkingLevel(live.session, retrievalQuery, live.turnThinkingDefault)
+        live.promptInFlight = true
         try {
           await live.session.prompt(promptText)
           await validateChannelTurn(live, successfulSendsBeforePrompt)
@@ -2349,6 +2417,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
           live.lastSentText.clear()
           live.lastSendLeafId = null
         } finally {
+          live.promptInFlight = false
           const sentReplyThisTurn = live.successfulChannelSends > successfulSendsBeforePrompt
           if (sentReplyThisTurn) dropEngageReactionsAfterReply(live, engageAddPromises)
           const emptyTurnRetryQueued = live.emptyTurnRetries > emptyTurnRetriesBeforePrompt

package/src/cli/channel.ts

@@ -1116,7 +1116,7 @@ async function promptDiscordToken(): Promise<string> {
     [
       'https://discord.com/developers/applications',
       'New Application → Bot tab → Reset Token.',
-      'Enable the MESSAGE CONTENT intent.',
+      'Under Privileged Gateway Intents, enable MESSAGE CONTENT and GUILD MEMBERS.',
     ].join('\n'),
     'Get a Discord bot token',
   )

package/src/cli/compose.ts

@@ -325,7 +325,8 @@ function makeBoard(header: string): Board {
 function formatStartDone<T extends { alreadyRunning?: boolean; hostPort: number }>(result: AgentResult<T>): string {
   if (!result.ok) return `${c.red('✖')} ${c.red('failed:')} ${result.reason}`
   const verb = result.data.alreadyRunning ? 'already running' : 'started'
-  return `${c.green('✔')} ${verb} on host port ${c.cyan(String(result.data.hostPort))}`
+  const head = `${c.green('✔')} ${verb} on host port ${c.cyan(String(result.data.hostPort))}`
+  return appendWarnings(head, result.warnings)
 }
 
 function formatStopDone<T extends { running: boolean }>(result: AgentResult<T>): string {
@@ -336,7 +337,15 @@ function formatStopDone<T extends { running: boolean }>(result: AgentResult<T>):
 
 function formatRestartDone<T extends { start: { hostPort: number } }>(result: AgentResult<T>): string {
   if (!result.ok) return `${c.red('✖')} ${c.red('failed:')} ${result.reason}`
-  return `${c.green('✔')} restarted on host port ${c.cyan(String(result.data.start.hostPort))}`
+  const head = `${c.green('✔')} restarted on host port ${c.cyan(String(result.data.start.hostPort))}`
+  return appendWarnings(head, result.warnings)
+}
+
+// Surface non-fatal validateConfig warnings under the per-agent compose status
+// line so compose start/restart don't silently drop what `typeclaw start` prints.
+function appendWarnings(head: string, warnings: string[] | undefined): string {
+  if (warnings === undefined || warnings.length === 0) return head
+  return [head, ...warnings.map((w) => `  ${c.yellow('⚠')} ${w}`)].join('\n')
 }
 
 function emitComposeDoctor(report: ComposeDoctorReport, opts: { verbose: boolean; json: boolean }): void {

package/src/cli/init.ts

@@ -554,6 +554,7 @@ export async function collectWizardInputs(
       const decision = await prompts.confirmResumeCheckpoint(sanitized)
       if (decision === 'resume') {
         seedWizardState(state, sanitized)
+        step = resumeStep(state)
       } else {
         await checkpointStore.clear(cwd)
       }
@@ -1030,6 +1031,12 @@ function resolveModelOption(catalog: WizardState['catalog'], ref: string | undef
   return catalog.options.find((option) => option.ref === ref)
 }
 
+function resumeStep(state: WizardState): StepId {
+  if (state.providerId !== undefined) return 'reuse-existing-key'
+  if (state.vendorId !== undefined) return 'pick-provider-variant'
+  return 'pick-vendor'
+}
+
 function projectCheckpoint(cwd: string, state: WizardState): WizardAnswerCheckpointV1 {
   return checkpointFromSelections({
     cwd,
@@ -1429,7 +1436,7 @@ async function runDiscordFlow(): Promise<StepResult<CollectedInputs['channelSecr
     [
       'https://discord.com/developers/applications',
       'New Application → Bot tab → Reset Token.',
-      'Enable the MESSAGE CONTENT intent.',
+      'Under Privileged Gateway Intents, enable MESSAGE CONTENT and GUILD MEMBERS.',
     ].join('\n'),
     'Get a Discord bot token',
   )

package/src/cli/mount.ts

@@ -8,7 +8,7 @@ import { c, errorLine, successLine } from './ui'
 const listSub = defineCommand({
   meta: {
     name: 'list',
-    description: 'list host directories mounted into the agent container',
+    description: 'list host files and directories mounted into the agent container',
   },
   args: {
     json: {
@@ -31,7 +31,7 @@ const listSub = defineCommand({
 const addSub = defineCommand({
   meta: {
     name: 'add',
-    description: 'add a host directory mount to typeclaw.json',
+    description: 'add a host file or directory mount to typeclaw.json',
   },
   args: {
     name: {
@@ -41,7 +41,7 @@ const addSub = defineCommand({
     },
     path: {
       type: 'positional',
-      description: 'host directory path to expose inside the container',
+      description: 'host file or directory path to expose inside the container',
       required: true,
     },
     'read-only': {
@@ -74,7 +74,7 @@ const addSub = defineCommand({
 const removeSub = defineCommand({
   meta: {
     name: 'remove',
-    description: 'remove a host directory mount from typeclaw.json',
+    description: 'remove a host mount from typeclaw.json',
   },
   args: {
     name: {
@@ -98,7 +98,7 @@ const removeSub = defineCommand({
 export const mountCommand = defineCommand({
   meta: {
     name: 'mount',
-    description: 'manage host directories mounted into the agent container',
+    description: 'manage host files and directories mounted into the agent container',
   },
   subCommands: {
     list: listSub,

package/src/cli/restart.ts

@@ -6,7 +6,7 @@ import { start, stop } from '@/container'
 import { findAgentDir, isInitialized } from '@/init'
 
 import { guardIncompleteInit } from './incomplete-init'
-import { c, errorLine, renderStartSuccess, spinner } from './ui'
+import { c, errorLine, renderStartSuccess, reportConfigWarnings, spinner } from './ui'
 
 export const restartCommand = defineCommand({
   meta: {
@@ -61,6 +61,7 @@ export const restartCommand = defineCommand({
       console.error(errorLine(validated.reason))
       process.exit(1)
     }
+    reportConfigWarnings(validated.warnings)
 
     const stopSpin = spinner()
     stopSpin.start('Stopping container...')
@@ -85,6 +86,7 @@ export const restartCommand = defineCommand({
     }
     startSpin.stop('Started.')
 
+    reportConfigWarnings(started.dockerfileWarnings)
     console.log(renderStartSuccess(started))
   },
 })

package/src/cli/start.ts

@@ -6,7 +6,7 @@ import { start } from '@/container'
 import { findAgentDir, isInitialized } from '@/init'
 
 import { guardIncompleteInit } from './incomplete-init'
-import { errorLine, renderStartSuccess, spinner } from './ui'
+import { errorLine, renderStartSuccess, reportConfigWarnings, spinner } from './ui'
 
 export const startCommand = defineCommand({
   meta: {
@@ -61,6 +61,7 @@ export const startCommand = defineCommand({
       console.error(errorLine(validated.reason))
       process.exit(1)
     }
+    reportConfigWarnings(validated.warnings)
 
     const s = spinner()
     s.start('Starting container...')
@@ -76,6 +77,7 @@ export const startCommand = defineCommand({
     }
     s.stop(result.alreadyRunning ? 'Already running.' : 'Started.')
 
+    reportConfigWarnings(result.dockerfileWarnings)
     console.log(renderStartSuccess(result))
   },
 })

package/src/cli/ui.ts

@@ -222,6 +222,19 @@ export function successLine(message: string): string {
   return `${c.green('●')} ${message}`
 }
 
+export function warnLine(message: string): string {
+  return `${c.yellow('⚠')} ${message}`
+}
+
+// Single host-side sink for non-fatal validateConfig warnings (e.g. a
+// curl|bash docker.file.append line). Every CLI gate that calls validateConfig
+// before a start/rebuild routes through this so no path silently drops them.
+export function reportConfigWarnings(warnings: string[] | undefined): void {
+  for (const warning of warnings ?? []) {
+    console.warn(warnLine(warning))
+  }
+}
+
 // The exact JSON manifest a user pastes into
 // https://api.slack.com/apps → From a manifest. Kept as a typed object so
 // the file stays a single source of truth and `JSON.stringify` guarantees

package/src/compose/restart.ts

@@ -62,7 +62,7 @@ async function runOne(
     onStopped()
     const started = await start({ cwd, preferredHostPort, forceBuild, cliEntry })
     if (!started.ok) return { name, ok: false, reason: started.reason }
-    return { name, ok: true, data: { stop: stopped, start: started } }
+    return { name, ok: true, data: { stop: stopped, start: started }, warnings: validated.warnings }
   } catch (error) {
     return { name, ok: false, reason: error instanceof Error ? error.message : String(error) }
   }

package/src/compose/start.ts

@@ -3,7 +3,9 @@ import { start, type StartResult } from '@/container'
 
 import { discoverAgents, type AgentEntry } from './discover'
 
-export type AgentResult<T> = { name: string; ok: true; data: T } | { name: string; ok: false; reason: string }
+export type AgentResult<T> =
+  | { name: string; ok: true; data: T; warnings?: string[] }
+  | { name: string; ok: false; reason: string }
 
 export type StartSuccess = Extract<StartResult, { ok: true }>
 
@@ -55,7 +57,7 @@ async function runOne(
   try {
     const data = await start({ cwd, preferredHostPort, forceBuild, cliEntry })
     if (!data.ok) return { name, ok: false, reason: data.reason }
-    return { name, ok: true, data }
+    return { name, ok: true, data, warnings: validated.warnings }
   } catch (error) {
     return { name, ok: false, reason: error instanceof Error ? error.message : String(error) }
   }