typeclaw 0.37.5 → 0.37.7

package/src/config/config.ts

@@ -1168,7 +1168,7 @@ function persistMigratedConfig(cwd: string, json: unknown, applied: readonly Mig
   }
 }
 
-export type ValidateConfigResult = { ok: true } | { ok: false; reason: string }
+export type ValidateConfigResult = { ok: true; warnings?: string[] } | { ok: false; reason: string }
 
 // Missing file → ok (matches `loadMounts` in src/container/up.ts; `isInitialized`
 // is the dedicated check for "not initialized"). Present but invalid → fail, so
@@ -1200,6 +1200,22 @@ export function validateConfig(cwd: string, options: ValidateConfigOptions = {})
   const parsed = parseConfigJson(raw, { migrate: true, persistTarget: cwd })
   if (!parsed.ok) return parsed
 
+  // Append lines are advisory here — never fatal. The Dockerfile renderer
+  // (renderCustomDockerfileLines) is the enforcement boundary: it STRIPS unsafe
+  // lines so the container still comes up, and a bad line written by the
+  // in-container agent can never brick `typeclaw start`. We surface the same
+  // strip/warn decisions as warnings so the operator sees them pre-build.
+  const warnings: string[] = []
+  const appendLines = parsed.config.docker.file.append
+  for (let i = 0; i < appendLines.length; i++) {
+    const check = validateDockerfileAppendLine(appendLines[i]!)
+    if (!check.ok) {
+      warnings.push(`docker.file.append[${i}] will be stripped on start — ${check.reason}`)
+      continue
+    }
+    if (check.warning) warnings.push(`docker.file.append[${i}] ${check.warning}`)
+  }
+
   if (!options.skipMounts) {
     for (const mount of parsed.config.mounts) {
       const check = validateMount(mount, cwd)
@@ -1207,7 +1223,7 @@ export function validateConfig(cwd: string, options: ValidateConfigOptions = {})
     }
   }
 
-  return { ok: true }
+  return warnings.length > 0 ? { ok: true, warnings } : { ok: true }
 }
 
 export type ParseConfigJsonResult = { ok: true; config: Config } | { ok: false; reason: string }
@@ -1253,11 +1269,15 @@ export function parseConfigJson(raw: string, options: ParseConfigJsonOptions = {
   return { ok: true, config: result.data }
 }
 
-// Verifies a mount's host path: exists, is a directory, is readable, and is
-// writable when not declared `readOnly`. Symlinks are followed (statSync's
-// default) so a broken symlink reads as "does not exist". Permission checks
-// are skipped when running as root (uid 0) — euidaccess returns success
-// regardless, so the test would be vacuous and inconsistent with non-root.
+// Verifies a mount's host path: exists, is a regular file or directory, is
+// readable, and is writable when not declared `readOnly`. Symlinks are
+// followed (statSync's default) so a broken symlink reads as "does not exist".
+// File mounts are allowed so credentials and config can be exposed as a single
+// path (e.g. an SSH private key); sockets, FIFOs, and devices are rejected
+// because exposing them is an advanced, security-sensitive case we don't take
+// implicitly. Permission checks are skipped when running as root (uid 0) —
+// euidaccess returns success regardless, so the test would be vacuous and
+// inconsistent with non-root.
 export function validateMount(mount: Mount, cwd: string): ValidateConfigResult {
   const resolved = expandMountPath(mount.path, cwd)
   const label = `mount "${mount.name}"`
@@ -1274,8 +1294,8 @@ export function validateMount(mount: Mount, cwd: string): ValidateConfigResult {
     return { ok: false, reason: `${label}: cannot stat ${resolved}: ${detail}` }
   }
 
-  if (!stats.isDirectory()) {
-    return { ok: false, reason: `${label}: path ${resolved} is not a directory` }
+  if (!stats.isDirectory() && !stats.isFile()) {
+    return { ok: false, reason: `${label}: path ${resolved} is not a file or directory` }
   }
 
   const isRoot = typeof process.getuid === 'function' && process.getuid() === 0
@@ -1301,6 +1321,179 @@ export function validateMount(mount: Mount, cwd: string): ValidateConfigResult {
   return { ok: true }
 }
 
+// FROM/ENTRYPOINT/CMD/MAINTAINER are intentionally excluded — see the
+// structural blocks in validateDockerfileAppendLine for why.
+const ALLOWED_APPEND_INSTRUCTIONS = new Set([
+  'RUN',
+  'ENV',
+  'ARG',
+  'LABEL',
+  'COPY',
+  'ADD',
+  'USER',
+  'WORKDIR',
+  'SHELL',
+  'EXPOSE',
+  'VOLUME',
+  'STOPSIGNAL',
+  'HEALTHCHECK',
+  'ONBUILD',
+])
+
+// Decode primitives that, paired with dynamic execution on the same line, form
+// the "decode an opaque blob and run it" anti-pattern that bricked a real build
+// (an agent base64-decoded the bash entrypoint shim and fed it to python3
+// exec). Matching is substring/case-insensitive — these are code tokens the
+// agent emits, not natural-language, so English literals are correct here (cf.
+// the protocol-token exception in AGENTS.md).
+const DECODE_PRIMITIVES = ['base64', 'b64decode', 'atob(', 'unhexlify', '.fromhex(', 'xxd -r']
+
+// True dynamic-execution sinks — language constructs that run a STRING as code.
+// Deliberately NOT including interpreter flags like `python3 -c`/`node -e`: a
+// benign `python3 -c "print(base64.b64encode(...))"` legitimately mentions a
+// decode primitive without ever executing the decoded bytes. The footgun is
+// decode + a real exec sink (or decode piped to an interpreter, below).
+const EXEC_PRIMITIVES = ['exec(', 'eval(', 'new function(', 'function(']
+
+// Decoded stdout piped straight into an interpreter: `base64 -d ... | sh`,
+// `... | python3`, etc. The pipe is the execution step here, so it pairs with
+// DECODE_PRIMITIVES independently of the EXEC_PRIMITIVES sinks above.
+const DECODE_PIPED_TO_INTERPRETER =
+  /\|\s*(?:sudo\s+)?(?:ba)?sh\b|\|\s*(?:sudo\s+)?python3?\b|\|\s*(?:sudo\s+)?(?:node|perl|ruby)\b/i
+
+// Risky-but-legitimate operator patterns: piping a remote script straight into
+// a shell, or ADDing a remote URL. Common enough in real build steps that a
+// hard block would frustrate power users, dangerous enough to flag.
+const APPEND_WARN_PATTERNS: Array<{ test: RegExp; note: string }> = [
+  {
+    test: /\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b/i,
+    note: 'pipes a remote script directly into a shell (curl|bash); verify the source is trusted',
+  },
+  {
+    test: /<\(\s*(?:curl|wget)\b/i,
+    note: 'executes a remote script via process substitution; verify the source is trusted',
+  },
+  {
+    test: /^ADD\s+https?:\/\//i,
+    note: 'ADD of a remote URL fetches an unpinned artifact at build time; prefer a pinned COPY or checksum-verified RUN',
+  },
+]
+
+export type AppendLineCheck =
+  | { ok: true; warning?: string }
+  // `structural` blocks are unconditional (they break Dockerfile generation);
+  // `semantic` blocks are waivable via the host env override.
+  | { ok: false; reason: string; kind: 'structural' | 'semantic' }
+
+// Pure, side-effect-free validator for ONE docker.file.append entry. The newline
+// rejection stays in the zod schema (dockerfileLineSchema) so it fires on every
+// parse including the agent's own config-write guard; this adds the contextual
+// policy the schema can't express cheaply. Returns the first problem found.
+export function validateDockerfileAppendLine(line: string): AppendLineCheck {
+  const trimmed = line.trim()
+
+  if (trimmed === '') {
+    return { ok: false, reason: 'is empty or whitespace-only', kind: 'structural' }
+  }
+
+  // A trailing backslash is a line continuation: it would merge the generated
+  // ENTRYPOINT (spliced right after the append block) into this instruction.
+  if (/\\\s*$/.test(line)) {
+    return {
+      ok: false,
+      reason:
+        'ends with a line-continuation backslash, which would swallow the generated ENTRYPOINT; keep each entry self-contained',
+      kind: 'structural',
+    }
+  }
+
+  // Heredoc syntax spans multiple lines by definition and cannot work in a
+  // single spliced entry — it would consume the following generated lines.
+  if (/<<-?\s*['"]?\w/.test(trimmed)) {
+    return {
+      ok: false,
+      reason: 'uses heredoc syntax (<<EOF), which cannot be expressed as a single Dockerfile line',
+      kind: 'structural',
+    }
+  }
+
+  if (trimmed.startsWith('#')) {
+    // Parser directives (`# syntax=`, `# escape=`) only have meaning at the top
+    // of a Dockerfile; spliced before ENTRYPOINT they are at best inert and at
+    // worst confusing. Plain comments are fine.
+    if (/^#\s*(syntax|escape|check)\s*=/i.test(trimmed)) {
+      return {
+        ok: false,
+        reason: 'is a parser directive (# syntax=/# escape=), which is only valid at the top of a Dockerfile',
+        kind: 'structural',
+      }
+    }
+    return { ok: true }
+  }
+
+  const instruction = trimmed.split(/\s+/, 1)[0]?.toUpperCase() ?? ''
+
+  if (instruction === 'FROM') {
+    return {
+      ok: false,
+      reason: 'starts a new build stage (FROM), discarding everything TypeClaw layered before it',
+      kind: 'structural',
+    }
+  }
+  if (instruction === 'ENTRYPOINT' || instruction === 'CMD') {
+    return {
+      ok: false,
+      reason: `overrides the container ${instruction}, which TypeClaw owns (the entrypoint shim is appended right after this block)`,
+      kind: 'structural',
+    }
+  }
+  if (!ALLOWED_APPEND_INSTRUCTIONS.has(instruction)) {
+    // Reason is intentionally input-free: this string is forwarded verbatim into
+    // operator-facing warnings (classifyDockerfileAppend -> dockerfileWarnings),
+    // and the offending token is user-controlled — echoing it could leak a
+    // secret/token-like first word from a malformed line into start/doctor output.
+    return {
+      ok: false,
+      reason: 'does not begin with a recognized Dockerfile instruction',
+      kind: 'structural',
+    }
+  }
+
+  const lower = trimmed.toLowerCase()
+
+  // The actual incident: mutating TypeClaw's own entrypoint shim. This is never
+  // a supported customization surface — entrypoint changes belong in TypeClaw
+  // source, not in a build-time patch script.
+  if (lower.includes('typeclaw-entrypoint')) {
+    return {
+      ok: false,
+      reason:
+        'references the TypeClaw-owned entrypoint (typeclaw-entrypoint); patching it from docker.file.append is unsupported and brittle',
+      kind: 'semantic',
+    }
+  }
+
+  // Decode-an-opaque-blob-and-execute-it. A benign decode (encoding output,
+  // writing a file) or a bare `python3 -c "print(...)"` both pass; only decode
+  // PAIRED with a real exec sink — or piped into an interpreter — is blocked.
+  const hasDecode = DECODE_PRIMITIVES.some((p) => lower.includes(p))
+  const hasExec = EXEC_PRIMITIVES.some((p) => lower.includes(p)) || DECODE_PIPED_TO_INTERPRETER.test(lower)
+  if (hasDecode && hasExec) {
+    return {
+      ok: false,
+      reason:
+        'decodes an opaque payload and executes it (e.g. base64 + exec/eval), an obfuscated-code anti-pattern that has bricked builds',
+      kind: 'semantic',
+    }
+  }
+
+  for (const { test, note } of APPEND_WARN_PATTERNS) {
+    if (test.test(trimmed)) return { ok: true, warning: note }
+  }
+
+  return { ok: true }
+}
+
 function formatZodError(error: z.ZodError): string {
   return error.issues
     .map((issue) => {

package/src/container/start.ts

@@ -20,7 +20,7 @@ import {
   readInstalledTypeclawVersionFromAgent,
 } from '@/init/auto-upgrade'
 import { resolveBaseImageVersion } from '@/init/cli-version'
-import { buildDockerfile, DOCKERFILE } from '@/init/dockerfile'
+import { buildDockerfile, classifyDockerfileAppend, DOCKERFILE } from '@/init/dockerfile'
 import { ensureDepsInstalled, type EnsureDepsResult } from '@/init/ensure-deps'
 import { buildGitignore, GITIGNORE_FILE } from '@/init/gitignore'
 import { refreshPackageJson } from '@/init/packagejson'
@@ -148,6 +148,10 @@ export type StartResult =
       // registry. Non-fatal by design: a typo'd or unpublished plugin warns
       // instead of blocking the launch.
       skippedPlugins: string[]
+      // Non-fatal warnings from docker.file.append: unsafe lines stripped from
+      // the generated Dockerfile, plus warn-but-allow lines (curl|bash, remote
+      // ADD). Surfaced by the CLI so a stripped line is never a silent no-op.
+      dockerfileWarnings: string[]
     }
   | { ok: false; reason: string }
 
@@ -485,6 +489,7 @@ export async function start({
       alreadyRunning: false,
       autoUpgrade: upgrade,
       skippedPlugins: pluginReconcile.skipped,
+      dockerfileWarnings: dockerfileRefresh.warnings,
     }
   } catch (error) {
     return { ok: false, reason: error instanceof Error ? error.message : String(error) }
@@ -701,18 +706,24 @@ async function resolvePublishHost(exec: DockerExec): Promise<string> {
 // the cheapest correct signal: the build context for `docker build` is the
 // Dockerfile itself, so equal contents definitionally produce an equivalent
 // image.
-export async function refreshDockerfile(cwd: string, opts: { buildKit?: boolean } = {}): Promise<{ changed: boolean }> {
+export async function refreshDockerfile(
+  cwd: string,
+  opts: { buildKit?: boolean } = {},
+): Promise<{ changed: boolean; warnings: string[] }> {
   const cfg = await loadTypeclawConfig(cwd)
   const next = buildDockerfile(cfg.docker.file, {
     baseImageVersion: resolveBaseImageVersion(cwd),
     cjkFontsAuto: hostLocaleIsCjk(),
     buildKit: opts.buildKit,
   })
+  // Reuse the renderer's classifier so reported warnings match exactly what was
+  // stripped/kept in the Dockerfile above (single source of truth).
+  const { warnings } = classifyDockerfileAppend(cfg.docker.file.append)
   const path = join(cwd, DOCKERFILE)
   const prev = await readFile(path, 'utf8').catch(() => null)
-  if (prev === next) return { changed: false }
+  if (prev === next) return { changed: false, warnings }
   await writeFile(path, next)
-  return { changed: true }
+  return { changed: true, warnings }
 }
 
 // Builds the agent image with a seamless buildx->legacy fallback. The preferred
@@ -836,6 +847,7 @@ async function reportAlreadyRunning(exec: DockerExec, cwd: string, containerName
   }
   const tuiToken = await resolveTuiToken({ cwd, exec })
   const plan = await planStart({ cwd, hostPort, imageExists: true, forceBuild: false, tuiToken })
+  const { warnings: dockerfileWarnings } = classifyDockerfileAppend((await loadTypeclawConfig(cwd)).docker.file.append)
   return {
     ok: true,
     plan,
@@ -847,6 +859,7 @@ async function reportAlreadyRunning(exec: DockerExec, cwd: string, containerName
     alreadyRunning: true,
     autoUpgrade: { kind: 'skipped-already-running' },
     skippedPlugins: [],
+    dockerfileWarnings,
   }
 }
 

package/src/cron/consumer.ts

@@ -1,4 +1,5 @@
 import type { AgentSession } from '@/agent'
+import { applyTurnThinkingLevel } from '@/agent/attention-escalation'
 import { promptWithFallback, resolveFallbackChain } from '@/agent/model-fallback'
 import type { SessionOrigin } from '@/agent/session-origin'
 import { getConfig } from '@/config'
@@ -235,6 +236,12 @@ async function runPromptOnce(
       if (created.hooks && turnEvent !== undefined) {
         await created.hooks.runSessionTurnStart({ ...turnEvent, userPrompt: job.prompt, retrievalContext })
       }
+      // Cron sessions are created fresh per fallback attempt, so the live getter
+      // is still the creation-time default here — safe to read without a separate
+      // captured field. The test-fake path omits `.session`; skip it then.
+      if (created.session !== undefined) {
+        applyTurnThinkingLevel(created.session, job.prompt, created.session.thinkingLevel)
+      }
       // Bridge the CronSession wrapper into the AgentSession surface the
       // fallback helper expects:
       //   prompt    → CronSession.prompt (wrapper that calls AgentSession.prompt
@@ -338,16 +345,16 @@ async function runExec(job: ExecJob, cwd: string): Promise<void> {
   const proc = Bun.spawn({
     cmd: [cmd, ...args],
     cwd,
-    stdout: 'pipe',
+    stdout: 'ignore',
     stderr: 'pipe',
     env: {
       ...process.env,
       TYPECLAW_PARENT_ORIGIN_JSON: JSON.stringify(parentOrigin),
     },
   })
-  const code = await proc.exited
+  const stderrText = new Response(proc.stderr).text()
+  const [code, stderr] = await Promise.all([proc.exited, stderrText])
   if (code !== 0) {
-    const stderr = await new Response(proc.stderr).text()
     throw new Error(`exec job ${job.id} exited with code ${code}: ${stderr.trim() || 'no stderr'}`)
   }
 }

package/src/doctor/checks.ts

@@ -210,7 +210,19 @@ function configValid(): DoctorCheck {
     applies: (ctx) => ctx.hasAgentFolder,
     async run(ctx) {
       const result = validateConfig(ctx.cwd)
-      if (result.ok) return { status: 'ok', message: 'typeclaw.json valid; mounts accessible' }
+      if (result.ok) {
+        if (result.warnings && result.warnings.length > 0) {
+          return {
+            status: 'warning',
+            message: `typeclaw.json valid; ${result.warnings.length} docker.file.append warning(s):\n${result.warnings.join('\n')}`,
+            fix: {
+              description:
+                'Review the docker.file.append entries above; unsafe lines are stripped from the Dockerfile on start.',
+            },
+          }
+        }
+        return { status: 'ok', message: 'typeclaw.json valid; mounts accessible' }
+      }
       return {
         status: 'error',
         message: result.reason,

package/src/init/dockerfile.ts

@@ -1,3 +1,4 @@
+import { validateDockerfileAppendLine } from '@/config/config'
 import type { DockerfileConfig, DockerfileFeatureToggle } from '@/config/config'
 import {
   CLAUDE_CREDENTIALS_FILE_NAME,
@@ -358,9 +359,9 @@ set -eu
 # The persist root lives under /agent/.typeclaw/home/ (bind-mounted
 # from the agent folder via the -v <cwd>:/agent flag in start.ts).
 # Namespacing under .typeclaw/ keeps the agent's top-level layout clean and reserves
-# a system-owned subtree we can extend later (e.g. ~/.gemini/,
-# ~/.config/<tool>/) without colliding with user files. The directory
-# is gitignored by buildGitignore() so credentials never enter history.
+# a system-owned subtree we can extend later (e.g. ~/.gemini/) without
+# colliding with user files. The directory is gitignored by buildGitignore()
+# so credentials never enter history.
 #
 # Three invariants this function enforces:
 #
@@ -372,11 +373,11 @@ set -eu
 #    if a previous container life happened to write a real ~/.codex/
 #    dir before this code shipped.
 #
-# 2. We symlink the FILE, not the directory. Codex writes other state
-#    to ~/.codex/ over time (history.jsonl, log/, config.toml). Linking
-#    only auth.json keeps the persistence scope tight to credentials;
-#    history/logs stay ephemeral by design. Future credentials get
-#    added file-by-file here, not by widening to a directory link.
+# 2. We symlink credential FILES for tools whose config dirs are mostly
+#    scratch/history (Codex, Claude). We do not redirect global config
+#    locations such as XDG_CONFIG_HOME or ~/.config here because tools like
+#    git also read config from those paths; first-party bundles that need
+#    persistence should set their own app-specific env vars instead.
 #
 # 3. We mkdir -p the target's parent on every boot. /agent is bind-
 #    mounted, so the host-side path may exist or not depending on
@@ -1264,6 +1265,9 @@ ${fromAndHeavyLayers}
 
 ENV NODE_ENV=production
 
+# Persist first-party GWS config without changing global XDG/git config lookup.
+ENV GWS_CONFIG_HOME=/agent/workspace/.config/gws
+
 # Keep agent-messenger's fallback config dir inside workspace/ for any future
 # SDK fallback paths. TypeClaw's KakaoTalk adapter does not write there:
 # credentials live in secrets.json#channels.kakaotalk and container writes go
@@ -1697,10 +1701,57 @@ RUN ${aptCacheMount(buildKit)}apt-get update \\
 `
 }
 
+// Render-time enforcement is the security boundary: this is the sole bottleneck
+// where docker.file.append entries reach the generated Dockerfile, so unsafe
+// lines are STRIPPED here (never spliced into the build) rather than blocking
+// `typeclaw start`. docker.file.append is untrusted input even when the
+// in-container agent writes it — a bad line (e.g. the decode-and-exec footgun
+// that bricked a real build) becomes ineffective, not fatal. Validation
+// elsewhere only warns; this is what guarantees the line never runs.
 function renderCustomDockerfileLines(lines: string[]): string {
-  if (lines.length === 0) return ''
-  return `# Custom lines from typeclaw.json#docker.file.append.
-${lines.join('\n')}
+  const { kept, strippedCount } = classifyDockerfileAppend(lines)
+  if (kept.length === 0 && strippedCount === 0) return ''
+  // Durable, payload-free record so a stripped line isn't a silent no-op: the
+  // operator sees the Dockerfile itself note the count (full reasons surface as
+  // startup warnings). Never echo the stripped content — it may carry secrets.
+  const strippedNote =
+    strippedCount > 0
+      ? `# typeclaw stripped ${strippedCount} unsafe docker.file.append line(s); see startup warnings and typeclaw.json.
+`
+      : ''
+  if (kept.length === 0) return strippedNote ? `${strippedNote}\n` : ''
+  return `${strippedNote}# Custom lines from typeclaw.json#docker.file.append.
+${kept.join('\n')}
 
 `
 }
+
+export type DockerfileAppendClassification = {
+  kept: string[]
+  warnings: string[]
+  strippedCount: number
+}
+
+// Single source of truth for "what happens to each docker.file.append line",
+// reusing the config-layer classifier (validateDockerfileAppendLine). Both the
+// renderer (enforcement: drops unsafe lines) and refreshDockerfile (reporting:
+// surfaces warnings to the user) call this so the two never drift. Warn-but-
+// allow lines (curl|bash, remote ADD) are KEPT but produce a warning; structural
+// and semantic blocks are stripped with a warning.
+export function classifyDockerfileAppend(lines: string[]): DockerfileAppendClassification {
+  const kept: string[] = []
+  const warnings: string[] = []
+  let strippedCount = 0
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!
+    const check = validateDockerfileAppendLine(line)
+    if (!check.ok) {
+      strippedCount++
+      warnings.push(`docker.file.append[${i}] stripped — ${check.reason}`)
+      continue
+    }
+    if (check.warning) warnings.push(`docker.file.append[${i}] ${check.warning}`)
+    kept.push(line)
+  }
+  return { kept, warnings, strippedCount }
+}

package/src/server/command-runner.ts

@@ -5,6 +5,7 @@ import {
   type CreateSessionResult,
   type SessionOrigin,
 } from '@/agent'
+import { applyTurnThinkingLevel } from '@/agent/attention-escalation'
 import type { ChannelRouter } from '@/channels/router'
 import type { McpManager } from '@/mcp'
 import type { PermissionService } from '@/permissions'
@@ -431,6 +432,7 @@ export async function runPromptForCommand(args: {
       retrievalContext.results.length > 0
         ? `${renderTurnTimeAnchor()}\n\n${args.text}\n\n${retrievalContext.results}`
         : `${renderTurnTimeAnchor()}\n\n${args.text}`
+    applyTurnThinkingLevel(session, args.text, session.thinkingLevel)
     try {
       await session.prompt(turnText)
     } finally {

package/src/server/index.ts

@@ -8,6 +8,7 @@ import {
   type CreateSessionOptions,
   type CreateSessionResult,
 } from '@/agent'
+import { applyTurnThinkingLevel } from '@/agent/attention-escalation'
 import { runPluginDoctorChecks, runPluginDoctorFix } from '@/agent/doctor'
 import type { LiveSessionRegistry } from '@/agent/live-sessions'
 import type { LiveSubagentRegistry } from '@/agent/live-subagents'
@@ -174,6 +175,11 @@ type QueuedPrompt = {
 
 type SessionState = {
   session: AgentSession
+  // The session's creation-time thinking level, captured once. An escalated turn
+  // moves `session.thinkingLevel` to `high`, so neither turn-driving path (drain
+  // loop, no-stream fallback) can use the live getter as the reset target — both
+  // read this captured default instead.
+  turnThinkingDefault: AgentSession['thinkingLevel']
   sessionFileId: string
   origin: SessionOrigin
   sessionManager: { getSessionFile: () => string | undefined } | undefined
@@ -518,6 +524,7 @@ export function createServer({
 
             const state: SessionState = {
               session,
+              turnThinkingDefault: session.thinkingLevel,
               sessionFileId,
               origin,
               sessionManager,
@@ -782,6 +789,7 @@ export function createServer({
                 retrievalContext.results.length > 0
                   ? `${renderTurnTimeAnchor()}\n\n${msg.text}\n\n${retrievalContext.results}`
                   : `${renderTurnTimeAnchor()}\n\n${msg.text}`
+              applyTurnThinkingLevel(state.session, msg.text, state.turnThinkingDefault)
               await state.session.prompt(turnText)
               send(ws, doneMessage(state))
             } catch (err) {
@@ -1086,6 +1094,7 @@ async function drain(
           retrievalContext.results.length > 0
             ? `${renderTurnTimeAnchor()}\n\n${item.text}\n\n${retrievalContext.results}`
             : `${renderTurnTimeAnchor()}\n\n${item.text}`
+        applyTurnThinkingLevel(state.session, item.text, state.turnThinkingDefault)
         await state.session.prompt(turnText)
         send(ws, doneMessage(state))
       } catch (err) {