typeclaw 0.37.6 → 0.37.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.37.6",
+  "version": "0.37.7",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"
@@ -50,7 +50,7 @@
     "@mariozechner/pi-tui": "^0.67.3",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@mozilla/readability": "^0.6.0",
-    "agent-messenger": "2.20.1",
+    "agent-messenger": "2.20.5",
     "cheerio": "^1.2.0",
     "citty": "^0.2.2",
     "cron-parser": "^5.5.0",

package/src/agent/attention-escalation.ts

@@ -0,0 +1,590 @@
+import type { ThinkingLevel } from '@mariozechner/pi-agent-core'
+
+function normalize(text: string): string {
+  return text
+    .toLowerCase()
+    .replace(/[`*_~]/g, ' ')
+    .replace(/\s+/g, ' ')
+    .trim()
+}
+
+// Human attention-escalation is a budget hint, not a command. Keep phrases narrow:
+// explicit demands for care, or clear dissatisfaction directed at this response.
+const EN_PHRASES: readonly string[] = [
+  'do it properly',
+  'do it right',
+  'do it correctly',
+  'be careful',
+  'be thorough',
+  'think hard',
+  'think harder',
+  'think carefully',
+  'more carefully',
+  'ultrathink',
+  'ultrawork',
+  'ultracode',
+  'wtf',
+  'wtf is this',
+  'fuck',
+  'fucking',
+  'fucked',
+  'fuck this',
+  'fuck off',
+  'what the fuck',
+  'what the hell',
+  'da fuck',
+  'the fuck',
+  'what are you doing',
+  'what are u doing',
+  'this is wrong',
+  "that's wrong",
+  'ffs',
+  'for fucks sake',
+  'shit',
+  'this is shit',
+  'bullshit',
+  'damn it',
+  'damn this',
+  'dammit',
+  'goddamn',
+  'god damn',
+  'this is crap',
+  'piece of shit',
+  'screw this',
+  'screwed up',
+  'you suck',
+  'this sucks',
+  'garbage',
+  'trash',
+  'useless',
+  'are you serious',
+  'seriously?',
+  'are you kidding',
+  'you kidding me',
+  'come on',
+  'cmon',
+  'jesus christ',
+  'oh my god',
+  'omfg',
+  'stupid',
+  'idiot',
+  'moron',
+  'pathetic',
+  'terrible',
+  'awful',
+  'broken again',
+  'still broken',
+  'not again',
+]
+
+const KO_PHRASES: readonly string[] = [
+  '제대로 해',
+  '제대로 좀',
+  '똑바로 해',
+  '똑바로 좀',
+  '잘 좀',
+  '잘 해',
+  '신중하게',
+  '꼼꼼하게',
+  '씨발',
+  '시발',
+  '씨바',
+  'ㅅㅂ',
+  '시바',
+  '존나',
+  '졸라',
+  'ㅈㄴ',
+  '개같',
+  '개판',
+  '병신',
+  'ㅂㅅ',
+  '미친',
+  '미쳤',
+  'ㅁㅊ',
+  '엿같',
+  '짜증',
+  '짜증나',
+  '빡치',
+  '빡쳐',
+  '개소리',
+  '말도 안',
+  '실화냐',
+  '에휴',
+  '아오',
+  '하…',
+  '쓰레기',
+  '구려',
+  '구리',
+  '왜 안',
+  '또 안',
+  '또 틀',
+  '왜 이래',
+  '뭐하는 거야',
+  '뭐하는거야',
+  '뭐 하는 거야',
+  '아 진짜',
+  '장난해',
+  '장난하냐',
+  '이게 뭐야',
+  '똑바로 안 해',
+]
+
+const ES_PHRASES: readonly string[] = [
+  'hazlo bien',
+  'hazlo correctamente',
+  'con cuidado',
+  'piensa bien',
+  'qué haces',
+  'que haces',
+  'mierda',
+  'joder',
+  'jode',
+  'puto',
+  'puta madre',
+  'cabrón',
+  'cabron',
+  'coño',
+  'no jodas',
+  'qué carajo',
+  'que carajo',
+  'carajo',
+  'basura',
+  'esto es una mierda',
+  'es una basura',
+  'inútil',
+  'inutil',
+  'me cago',
+  'qué asco',
+  'que asco',
+  'maldita sea',
+  'estás de broma',
+  'estas de broma',
+  'qué mierda',
+  'que mierda',
+  'en serio',
+  'esto está mal',
+  'esto esta mal',
+]
+
+const FR_PHRASES: readonly string[] = [
+  'fais-le correctement',
+  'fais-le bien',
+  'sois attentif',
+  'réfléchis bien',
+  'reflechis bien',
+  "qu'est-ce que tu fais",
+  'putain',
+  'merde',
+  'fait chier',
+  'fait chié',
+  'connerie',
+  'conneries',
+  'bordel',
+  'foutu',
+  'fous-toi',
+  "c'est de la merde",
+  'c’est de la merde',
+  "c'est pourri",
+  'c’est pourri',
+  'tu te fous',
+  "n'importe quoi",
+  'n’importe quoi',
+  'inutile',
+  'poubelle',
+  'tu déconnes',
+  'tu deconnes',
+  'c’est nul',
+  "c'est nul",
+  'sérieusement',
+  'serieusement',
+  'c’est faux',
+  "c'est faux",
+]
+
+const IT_PHRASES: readonly string[] = [
+  'fallo bene',
+  'con attenzione',
+  'pensa bene',
+  'ma che fai',
+  'cazzo',
+  'merda',
+  'che cazzo',
+  'porca',
+  'porca miseria',
+  'stronzata',
+  'stronzate',
+  'vaffanculo',
+  'è una merda',
+  'e una merda',
+  'che schifo',
+  'schifo',
+  'spazzatura',
+  'inutile',
+  'ma che cavolo',
+  'fai schifo',
+  'scherzi',
+  'che cavolo',
+  'sul serio',
+  'è sbagliato',
+  'e sbagliato',
+]
+
+const PT_PHRASES: readonly string[] = [
+  'faça direito',
+  'faca direito',
+  'faça corretamente',
+  'faca corretamente',
+  'com cuidado',
+  'pense bem',
+  'que isso',
+  'merda',
+  'porra',
+  'caralho',
+  'que merda',
+  'que porra',
+  'puta que pariu',
+  'porcaria',
+  'é uma merda',
+  'e uma merda',
+  'que saco',
+  'lixo',
+  'inútil',
+  'inutil',
+  'que droga',
+  'tá de brincadeira',
+  'ta de brincadeira',
+  'foda-se',
+  'foda se',
+  'está errado',
+  'esta errado',
+]
+
+const DE_PHRASES: readonly string[] = [
+  'mach es richtig',
+  'sei gründlich',
+  'sei gruendlich',
+  'denk nach',
+  'sorgfältig',
+  'sorgfaeltig',
+  'was machst du',
+  'was soll das',
+  'scheiße',
+  'scheisse',
+  'scheiss',
+  'verdammt',
+  'verflucht',
+  'so ein mist',
+  'blödsinn',
+  'bloedsinn',
+  'quatsch',
+  'das ist mist',
+  'das ist müll',
+  'das ist mull',
+  'müll',
+  'schwachsinn',
+  'nutzlos',
+  'unbrauchbar',
+  'verarschst',
+  'soll das',
+  'im ernst',
+  'ernsthaft',
+  'das ist falsch',
+]
+
+const RU_PHRASES: readonly string[] = [
+  'сделай правильно',
+  'сделай как надо',
+  'внимательно',
+  'тщательно',
+  'что ты делаешь',
+  'что за',
+  'блять',
+  'бля',
+  'блядь',
+  'сука',
+  'нахуй',
+  'нахер',
+  'пиздец',
+  'хуйня',
+  'говно',
+  'дерьмо',
+  'бред',
+  'это бред',
+  'фигня',
+  'хрень',
+  'мусор',
+  'бесполезно',
+  'издеваешься',
+  'охренеть',
+  'какого черта',
+  'какого чёрта',
+  'да блин',
+  'серьёзно',
+  'серьезно',
+  'это неправильно',
+]
+
+const ZH_PHRASES: readonly string[] = [
+  '认真做',
+  '好好做',
+  '仔细点',
+  '用心做',
+  '卧槽',
+  '我操',
+  '操你',
+  '操你妈',
+  '我擦',
+  '草泥马',
+  '我草',
+  '草你',
+  '我靠',
+  '靠北',
+  '靠杯',
+  '妈的',
+  '他妈的',
+  'tmd',
+  '垃圾',
+  '狗屎',
+  '搞屁',
+  '搞毛',
+  '什么垃圾',
+  '太烂了',
+  '烂代码',
+  '废话',
+  '神经病',
+  '有病',
+  '认真点',
+  '搞什么',
+  '搞什么鬼',
+  '你在干什么',
+  '什么鬼',
+  '认真的吗',
+]
+
+const JA_PHRASES: readonly string[] = [
+  'ちゃんとやって',
+  'しっかりやって',
+  '真面目にやって',
+  '丁寧に',
+  'くそ',
+  'クソ',
+  'くそが',
+  'ふざけんな',
+  'ふざけるな',
+  'ばか',
+  'バカ',
+  'あほ',
+  'アホ',
+  'ゴミ',
+  'クズ',
+  'ちくしょう',
+  '畜生',
+  '使えない',
+  '最悪',
+  'ありえない',
+  'うざい',
+  'むかつく',
+  'なんなの',
+  'ksk',
+  '何やってんの',
+  '何してるの',
+  'ふざけてるの',
+  'マジで',
+  'ちゃんとして',
+]
+
+const AR_PHRASES: readonly string[] = [
+  'اعملها صح',
+  'بعناية',
+  'فكر جيدا',
+  'تبا',
+  'تباً',
+  'اللعنة',
+  'لعنة',
+  'قرف',
+  'هراء',
+  'حقير',
+  'غبي',
+  'سخيف',
+  'فاشل',
+  'هذا هراء',
+  'ما هذا الهراء',
+  'تافه',
+  'زبالة',
+  'عديم الفائدة',
+  'هل تمزح',
+  'ماذا تفعل',
+  'ما هذا',
+  'بجدية',
+  'هذا خطأ',
+]
+
+const HI_PHRASES: readonly string[] = [
+  'ठीक से करो',
+  'ध्यान से',
+  'अच्छे से करो',
+  'बकवास',
+  'यह बकवास है',
+  'बेकार',
+  'बेवकूफ',
+  'घटिया',
+  'कचरा',
+  'गंदा',
+  'मज़ाक',
+  'मजाक',
+  'धत',
+  'क्या बकवास',
+  'पागल हो',
+  'बहुत बुरा',
+  'क्या कर रहे हो',
+  'यह गलत है',
+  'सच में',
+]
+
+const TR_PHRASES: readonly string[] = [
+  'düzgün yap',
+  'duzgun yap',
+  'doğru yap',
+  'dogru yap',
+  'dikkatli ol',
+  'iyice düşün',
+  'iyice dusun',
+  'siktir',
+  'lanet',
+  'kahretsin',
+  'saçmalık',
+  'saçma',
+  'bok',
+  'boktan',
+  'rezalet',
+  'berbat',
+  'çöp',
+  'işe yaramaz',
+  'ise yaramaz',
+  'aptal',
+  'salak',
+  'dalga mı',
+  'dalga mi',
+  'bu ne rezalet',
+  'ne yapıyorsun',
+  'ne yapiyorsun',
+  'ne saçmalık',
+  'ne sacmalik',
+  'cidden mi',
+  'bu yanlış',
+  'bu yanlis',
+]
+
+const VI_PHRASES: readonly string[] = [
+  'làm cho đúng',
+  'lam cho dung',
+  'làm cẩn thận',
+  'lam can than',
+  'suy nghĩ kỹ',
+  'suy nghi ky',
+  'đệch',
+  'đếch',
+  'vãi',
+  'cứt',
+  'rác',
+  'vô dụng',
+  'vo dung',
+  'ngớ ngẩn',
+  'tệ',
+  'tệ hại',
+  'quá tệ',
+  'đùa à',
+  'dua a',
+  'vớ vẩn',
+  'vo van',
+  'chán',
+  'đang làm gì vậy',
+  'dang lam gi vay',
+  'cái gì vậy',
+  'cai gi vay',
+  'nghiêm túc',
+  'nghiem tuc',
+  'sai rồi',
+  'sai roi',
+]
+
+const ID_PHRASES: readonly string[] = [
+  'lakukan dengan benar',
+  'hati-hati',
+  'pikirkan baik-baik',
+  'anjing',
+  'bangsat',
+  'sialan',
+  'kampret',
+  'goblok',
+  'tolol',
+  'bodoh',
+  'sampah',
+  'jelek',
+  'payah',
+  'tidak berguna',
+  'gak guna',
+  'omong kosong',
+  'yang benar saja',
+  'bercanda',
+  'lagi ngapain',
+  'apa-apaan',
+  'ini salah',
+]
+
+const ALL_PHRASES: readonly string[] = [
+  ...EN_PHRASES,
+  ...KO_PHRASES,
+  ...ES_PHRASES,
+  ...FR_PHRASES,
+  ...IT_PHRASES,
+  ...PT_PHRASES,
+  ...DE_PHRASES,
+  ...RU_PHRASES,
+  ...ZH_PHRASES,
+  ...JA_PHRASES,
+  ...AR_PHRASES,
+  ...HI_PHRASES,
+  ...TR_PHRASES,
+  ...VI_PHRASES,
+  ...ID_PHRASES,
+]
+
+const MORPHEME_PATTERNS: readonly RegExp[] = []
+
+const MIN_LENGTH = 2
+
+export function detectAttentionEscalation(text: string): boolean {
+  if (text.length < MIN_LENGTH) return false
+  const normalized = normalize(text)
+  if (normalized.length < MIN_LENGTH) return false
+  if (ALL_PHRASES.some((phrase) => normalized.includes(phrase))) return true
+  return MORPHEME_PATTERNS.some((pattern) => pattern.test(normalized))
+}
+
+// Not `xhigh`: that level is OpenAI-family-only. `high` is universal and
+// `setThinkingLevel` clamps it down per-model, so it's safe to pass unconditionally.
+const ESCALATED_LEVEL: ThinkingLevel = 'high'
+
+export function resolveTurnThinkingLevel(
+  text: string,
+  sessionDefault: ThinkingLevel | undefined,
+): ThinkingLevel | undefined {
+  return detectAttentionEscalation(text) ? ESCALATED_LEVEL : sessionDefault
+}
+
+type ThinkingLevelSettable = {
+  setThinkingLevel(level: ThinkingLevel): void
+}
+
+// `setThinkingLevel` only mutates reasoning_effort (a per-request param), so a
+// per-turn bump preserves the prompt-prefix cache — no session recreation, no
+// model swap. Skipping the call when nothing resolves leaves the SDK default intact.
+export function applyTurnThinkingLevel(
+  session: ThinkingLevelSettable,
+  text: string,
+  sessionDefault: ThinkingLevel | undefined,
+): void {
+  const resolved = resolveTurnThinkingLevel(text, sessionDefault)
+  if (resolved !== undefined) session.setThinkingLevel(resolved)
+}

package/src/agent/session-origin.ts

@@ -538,16 +538,19 @@ function renderMembershipSummary(
 function renderResearchReportDeliveryGuidance(platformInfo: PlatformInfo): string[] {
   if (!platformInfo.supportsAttachments) return []
   return [
-    `**Ship reports as a PDF by default.** ${platformInfo.displayName} accepts file`,
-    'attachments. When the user asks for a report, document, brief, or "the report", or when a',
-    '`researcher` subagent returns `research-<slug>.md` in `<report>`, render the',
-    'markdown with `typeclaw-render-pdf` and deliver via',
+    `**Ship explicit deliverables as PDFs.** ${platformInfo.displayName} accepts file`,
+    'attachments. When the user clearly asks for a PDF/file/export/attachment, a standalone',
+    'document/brief, or when a `researcher` subagent returns `research-<slug>.md` in',
+    '`<report>`, render the markdown with `typeclaw-render-pdf` and deliver via',
     '`channel_send({ ..., attachments: [{ path, filename }] })` plus a 1–2 line',
-    'summary. A `researcher` `<summary>` is a teaser, NOT the deliverable. Never',
-    'use an ad-hoc library (jsPDF, pdfkit, raw-text dump); it breaks markdown/CJK.',
+    'summary. Do not treat the bare word "report" as enough: routine daily stats,',
+    'user trends, status reports, and other operational updates should stay inline',
+    'unless the user asks for a downloadable/exported artifact. A `researcher`',
+    '`<summary>` is a teaser, NOT the deliverable. Never use an ad-hoc library',
+    '(jsPDF, pdfkit, raw-text dump); it breaks markdown/CJK.',
     "For Korean/Japanese/Chinese, follow the skill's CJK guidance and never ship",
     'tofu boxes. Do not paste the full markdown into chat; do not attach the raw `.md`',
-    'unless explicitly asked; inline text is only for short content.',
+    'unless explicitly asked; inline text is right for routine updates.',
     '',
   ]
 }

package/src/agent/subagents.ts

@@ -5,6 +5,7 @@ import type { PermissionService } from '@/permissions'
 import type { HookBus } from '@/plugin'
 import type { Stream, Unsubscribe } from '@/stream'
 
+import { applyTurnThinkingLevel } from './attention-escalation'
 import { type AgentSession, createSession, type PluginSessionWiring } from './index'
 import { subscribeProviderErrors } from './provider-error'
 import type { SubagentBashPolicy } from './reviewer-bash-policy'
@@ -304,6 +305,7 @@ export async function invokeSubagent(name: string, options: InvokeSubagentOption
           retrievalContext.results.length > 0
             ? `${renderTurnTimeAnchor()}\n\n${userPromptForTurn}\n\n${retrievalContext.results}`
             : `${renderTurnTimeAnchor()}\n\n${userPromptForTurn}`
+        applyTurnThinkingLevel(session, userPromptForTurn, session.thinkingLevel)
         await session.prompt(turnText)
       } finally {
         if (hooks && turnEvent !== undefined) {

package/src/agent/system-prompt.ts

@@ -62,9 +62,9 @@ Do not narrate routine low-risk tools. Narrate only for multi-step context, risk
 
 ## Delivering reports and documents
 
-When the user asks for a *report*, *document*, *brief*, *PDF*, or asks you to *send/show/attach/export* a generated result — anything a human would download, print, or forward — produce a polished file, not a chat wall or substance-dropping summary. A summary is a pointer to the deliverable, never the deliverable itself; when the user asked for the report, ship the report.
+Produce a polished file only when the user clearly asks for something a human would download, print, forward, attach, export, or keep as a standalone deliverable. Do **not** treat the bare word "report" as enough by itself: routine operational updates, daily stats, user trends, status reports, and other chat-native summaries should stay inline unless the user asks for a file/PDF/export. A summary is a pointer to the deliverable, never the deliverable itself, but only after a deliverable was actually requested.
 
-For Markdown-to-PDF, use the bundled \`typeclaw-render-pdf\` skill; it is the supported path and renders headings, lists, and tables. Never hand-roll PDFs with jsPDF, pdfkit, canvas text dumps, raw headless-browser prints, or ReportLab: they often emit raw markup and mojibake for non-Latin text. For Korean/Japanese/Chinese, follow the skill's CJK font guidance and do not ship tofu boxes. Short answers/snippets/explanations can stay inline.
+For Markdown-to-PDF, use the bundled \`typeclaw-render-pdf\` skill; it is the supported path and renders headings, lists, and tables. Never hand-roll PDFs with jsPDF, pdfkit, canvas text dumps, raw headless-browser prints, or ReportLab: they often emit raw markup and mojibake for non-Latin text. For Korean/Japanese/Chinese, follow the skill's CJK font guidance and do not ship tofu boxes. Short answers, snippets, explanations, and routine reports can stay inline.
 
 ## Long-running and interactive shell work
 

package/src/channels/router.ts

@@ -5,6 +5,7 @@ import type { AssistantMessage } from '@mariozechner/pi-ai'
 import { SessionManager } from '@mariozechner/pi-coding-agent'
 
 import { createSession, renderTurnRoleAnchor, renderTurnTimeAnchor, type AgentSession } from '@/agent'
+import { applyTurnThinkingLevel } from '@/agent/attention-escalation'
 import { forgetSharedLoopGuardTool } from '@/agent/plugin-tools'
 import { subscribeProviderErrors } from '@/agent/provider-error'
 import type { RestartHandoff } from '@/agent/restart-handoff'
@@ -573,6 +574,10 @@ type LiveSession = {
   key: ChannelKey
   keyId: string
   session: AgentSession
+  // The session's creation-time thinking level, captured once. A later escalated
+  // turn moves `session.thinkingLevel` to `high`, so the live getter can't be the
+  // reset target — this preserves the real default across the session's lifetime.
+  turnThinkingDefault: AgentSession['thinkingLevel']
   sessionId: string
   dispose: () => Promise<void>
   hooks: HookBus | undefined
@@ -1659,6 +1664,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         key,
         keyId,
         session: created.session,
+        turnThinkingDefault: created.session.thinkingLevel,
         sessionId: created.sessionId,
         dispose: created.dispose,
         hooks: created.hooks,
@@ -2395,8 +2401,10 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         live.policyDeniedToolSendsThisTurn.clear()
         resetReviewTurn(live.sessionId)
         const isRealUserTurn = batch.length > 0
-        const retrievalContext = await fireSessionTurnStart(live, composeRetrievalQuery(batch))
+        const retrievalQuery = composeRetrievalQuery(batch)
+        const retrievalContext = await fireSessionTurnStart(live, retrievalQuery)
         const promptText = retrievalContext.results.length > 0 ? `${text}\n\n${retrievalContext.results}` : text
+        applyTurnThinkingLevel(live.session, retrievalQuery, live.turnThinkingDefault)
         live.promptInFlight = true
         try {
           await live.session.prompt(promptText)

package/src/cli/channel.ts

@@ -1116,7 +1116,7 @@ async function promptDiscordToken(): Promise<string> {
     [
       'https://discord.com/developers/applications',
       'New Application → Bot tab → Reset Token.',
-      'Enable the MESSAGE CONTENT intent.',
+      'Under Privileged Gateway Intents, enable MESSAGE CONTENT and GUILD MEMBERS.',
     ].join('\n'),
     'Get a Discord bot token',
   )

package/src/cli/init.ts

@@ -554,6 +554,7 @@ export async function collectWizardInputs(
       const decision = await prompts.confirmResumeCheckpoint(sanitized)
       if (decision === 'resume') {
         seedWizardState(state, sanitized)
+        step = resumeStep(state)
       } else {
         await checkpointStore.clear(cwd)
       }
@@ -1030,6 +1031,12 @@ function resolveModelOption(catalog: WizardState['catalog'], ref: string | undef
   return catalog.options.find((option) => option.ref === ref)
 }
 
+function resumeStep(state: WizardState): StepId {
+  if (state.providerId !== undefined) return 'reuse-existing-key'
+  if (state.vendorId !== undefined) return 'pick-provider-variant'
+  return 'pick-vendor'
+}
+
 function projectCheckpoint(cwd: string, state: WizardState): WizardAnswerCheckpointV1 {
   return checkpointFromSelections({
     cwd,
@@ -1429,7 +1436,7 @@ async function runDiscordFlow(): Promise<StepResult<CollectedInputs['channelSecr
     [
       'https://discord.com/developers/applications',
       'New Application → Bot tab → Reset Token.',
-      'Enable the MESSAGE CONTENT intent.',
+      'Under Privileged Gateway Intents, enable MESSAGE CONTENT and GUILD MEMBERS.',
     ].join('\n'),
     'Get a Discord bot token',
   )

package/src/cli/restart.ts

@@ -86,6 +86,7 @@ export const restartCommand = defineCommand({
     }
     startSpin.stop('Started.')
 
+    reportConfigWarnings(started.dockerfileWarnings)
     console.log(renderStartSuccess(started))
   },
 })

package/src/cli/start.ts

@@ -77,6 +77,7 @@ export const startCommand = defineCommand({
     }
     s.stop(result.alreadyRunning ? 'Already running.' : 'Started.')
 
+    reportConfigWarnings(result.dockerfileWarnings)
     console.log(renderStartSuccess(result))
   },
 })

package/src/config/config.ts

@@ -1200,14 +1200,18 @@ export function validateConfig(cwd: string, options: ValidateConfigOptions = {})
   const parsed = parseConfigJson(raw, { migrate: true, persistTarget: cwd })
   if (!parsed.ok) return parsed
 
-  const allowUnsafeAppend = process.env[ALLOW_UNSAFE_DOCKER_APPEND_ENV] === '1'
+  // Append lines are advisory here — never fatal. The Dockerfile renderer
+  // (renderCustomDockerfileLines) is the enforcement boundary: it STRIPS unsafe
+  // lines so the container still comes up, and a bad line written by the
+  // in-container agent can never brick `typeclaw start`. We surface the same
+  // strip/warn decisions as warnings so the operator sees them pre-build.
   const warnings: string[] = []
   const appendLines = parsed.config.docker.file.append
   for (let i = 0; i < appendLines.length; i++) {
     const check = validateDockerfileAppendLine(appendLines[i]!)
     if (!check.ok) {
-      if (check.kind === 'semantic' && allowUnsafeAppend) continue
-      return { ok: false, reason: `docker.file.append[${i}] ${check.reason}` }
+      warnings.push(`docker.file.append[${i}] will be stripped on start — ${check.reason}`)
+      continue
     }
     if (check.warning) warnings.push(`docker.file.append[${i}] ${check.warning}`)
   }
@@ -1317,12 +1321,6 @@ export function validateMount(mount: Mount, cwd: string): ValidateConfigResult {
   return { ok: true }
 }
 
-// Host env (not config) on purpose: an in-container agent can edit its own
-// typeclaw.json but cannot set the env of the host `typeclaw start` that runs
-// this gate, so it can never waive its own footgun. Only relaxes SEMANTIC
-// blocks; structural blocks always fire (they break Dockerfile generation).
-const ALLOW_UNSAFE_DOCKER_APPEND_ENV = 'TYPECLAW_ALLOW_UNSAFE_DOCKER_APPEND'
-
 // FROM/ENTRYPOINT/CMD/MAINTAINER are intentionally excluded — see the
 // structural blocks in validateDockerfileAppendLine for why.
 const ALLOWED_APPEND_INSTRUCTIONS = new Set([
@@ -1450,9 +1448,13 @@ export function validateDockerfileAppendLine(line: string): AppendLineCheck {
     }
   }
   if (!ALLOWED_APPEND_INSTRUCTIONS.has(instruction)) {
+    // Reason is intentionally input-free: this string is forwarded verbatim into
+    // operator-facing warnings (classifyDockerfileAppend -> dockerfileWarnings),
+    // and the offending token is user-controlled — echoing it could leak a
+    // secret/token-like first word from a malformed line into start/doctor output.
     return {
       ok: false,
-      reason: `does not begin with a recognized Dockerfile instruction (got "${instruction}")`,
+      reason: 'does not begin with a recognized Dockerfile instruction',
       kind: 'structural',
     }
   }

package/src/container/start.ts

@@ -20,7 +20,7 @@ import {
   readInstalledTypeclawVersionFromAgent,
 } from '@/init/auto-upgrade'
 import { resolveBaseImageVersion } from '@/init/cli-version'
-import { buildDockerfile, DOCKERFILE } from '@/init/dockerfile'
+import { buildDockerfile, classifyDockerfileAppend, DOCKERFILE } from '@/init/dockerfile'
 import { ensureDepsInstalled, type EnsureDepsResult } from '@/init/ensure-deps'
 import { buildGitignore, GITIGNORE_FILE } from '@/init/gitignore'
 import { refreshPackageJson } from '@/init/packagejson'
@@ -148,6 +148,10 @@ export type StartResult =
       // registry. Non-fatal by design: a typo'd or unpublished plugin warns
       // instead of blocking the launch.
       skippedPlugins: string[]
+      // Non-fatal warnings from docker.file.append: unsafe lines stripped from
+      // the generated Dockerfile, plus warn-but-allow lines (curl|bash, remote
+      // ADD). Surfaced by the CLI so a stripped line is never a silent no-op.
+      dockerfileWarnings: string[]
     }
   | { ok: false; reason: string }
 
@@ -485,6 +489,7 @@ export async function start({
       alreadyRunning: false,
       autoUpgrade: upgrade,
       skippedPlugins: pluginReconcile.skipped,
+      dockerfileWarnings: dockerfileRefresh.warnings,
     }
   } catch (error) {
     return { ok: false, reason: error instanceof Error ? error.message : String(error) }
@@ -701,18 +706,24 @@ async function resolvePublishHost(exec: DockerExec): Promise<string> {
 // the cheapest correct signal: the build context for `docker build` is the
 // Dockerfile itself, so equal contents definitionally produce an equivalent
 // image.
-export async function refreshDockerfile(cwd: string, opts: { buildKit?: boolean } = {}): Promise<{ changed: boolean }> {
+export async function refreshDockerfile(
+  cwd: string,
+  opts: { buildKit?: boolean } = {},
+): Promise<{ changed: boolean; warnings: string[] }> {
   const cfg = await loadTypeclawConfig(cwd)
   const next = buildDockerfile(cfg.docker.file, {
     baseImageVersion: resolveBaseImageVersion(cwd),
     cjkFontsAuto: hostLocaleIsCjk(),
     buildKit: opts.buildKit,
   })
+  // Reuse the renderer's classifier so reported warnings match exactly what was
+  // stripped/kept in the Dockerfile above (single source of truth).
+  const { warnings } = classifyDockerfileAppend(cfg.docker.file.append)
   const path = join(cwd, DOCKERFILE)
   const prev = await readFile(path, 'utf8').catch(() => null)
-  if (prev === next) return { changed: false }
+  if (prev === next) return { changed: false, warnings }
   await writeFile(path, next)
-  return { changed: true }
+  return { changed: true, warnings }
 }
 
 // Builds the agent image with a seamless buildx->legacy fallback. The preferred
@@ -836,6 +847,7 @@ async function reportAlreadyRunning(exec: DockerExec, cwd: string, containerName
   }
   const tuiToken = await resolveTuiToken({ cwd, exec })
   const plan = await planStart({ cwd, hostPort, imageExists: true, forceBuild: false, tuiToken })
+  const { warnings: dockerfileWarnings } = classifyDockerfileAppend((await loadTypeclawConfig(cwd)).docker.file.append)
   return {
     ok: true,
     plan,
@@ -847,6 +859,7 @@ async function reportAlreadyRunning(exec: DockerExec, cwd: string, containerName
     alreadyRunning: true,
     autoUpgrade: { kind: 'skipped-already-running' },
     skippedPlugins: [],
+    dockerfileWarnings,
   }
 }
 

package/src/cron/consumer.ts

@@ -1,4 +1,5 @@
 import type { AgentSession } from '@/agent'
+import { applyTurnThinkingLevel } from '@/agent/attention-escalation'
 import { promptWithFallback, resolveFallbackChain } from '@/agent/model-fallback'
 import type { SessionOrigin } from '@/agent/session-origin'
 import { getConfig } from '@/config'
@@ -235,6 +236,12 @@ async function runPromptOnce(
       if (created.hooks && turnEvent !== undefined) {
         await created.hooks.runSessionTurnStart({ ...turnEvent, userPrompt: job.prompt, retrievalContext })
       }
+      // Cron sessions are created fresh per fallback attempt, so the live getter
+      // is still the creation-time default here — safe to read without a separate
+      // captured field. The test-fake path omits `.session`; skip it then.
+      if (created.session !== undefined) {
+        applyTurnThinkingLevel(created.session, job.prompt, created.session.thinkingLevel)
+      }
       // Bridge the CronSession wrapper into the AgentSession surface the
       // fallback helper expects:
       //   prompt    → CronSession.prompt (wrapper that calls AgentSession.prompt

package/src/doctor/checks.ts

@@ -210,7 +210,19 @@ function configValid(): DoctorCheck {
     applies: (ctx) => ctx.hasAgentFolder,
     async run(ctx) {
       const result = validateConfig(ctx.cwd)
-      if (result.ok) return { status: 'ok', message: 'typeclaw.json valid; mounts accessible' }
+      if (result.ok) {
+        if (result.warnings && result.warnings.length > 0) {
+          return {
+            status: 'warning',
+            message: `typeclaw.json valid; ${result.warnings.length} docker.file.append warning(s):\n${result.warnings.join('\n')}`,
+            fix: {
+              description:
+                'Review the docker.file.append entries above; unsafe lines are stripped from the Dockerfile on start.',
+            },
+          }
+        }
+        return { status: 'ok', message: 'typeclaw.json valid; mounts accessible' }
+      }
       return {
         status: 'error',
         message: result.reason,

package/src/init/dockerfile.ts

@@ -1,3 +1,4 @@
+import { validateDockerfileAppendLine } from '@/config/config'
 import type { DockerfileConfig, DockerfileFeatureToggle } from '@/config/config'
 import {
   CLAUDE_CREDENTIALS_FILE_NAME,
@@ -1700,10 +1701,57 @@ RUN ${aptCacheMount(buildKit)}apt-get update \\
 `
 }
 
+// Render-time enforcement is the security boundary: this is the sole bottleneck
+// where docker.file.append entries reach the generated Dockerfile, so unsafe
+// lines are STRIPPED here (never spliced into the build) rather than blocking
+// `typeclaw start`. docker.file.append is untrusted input even when the
+// in-container agent writes it — a bad line (e.g. the decode-and-exec footgun
+// that bricked a real build) becomes ineffective, not fatal. Validation
+// elsewhere only warns; this is what guarantees the line never runs.
 function renderCustomDockerfileLines(lines: string[]): string {
-  if (lines.length === 0) return ''
-  return `# Custom lines from typeclaw.json#docker.file.append.
-${lines.join('\n')}
+  const { kept, strippedCount } = classifyDockerfileAppend(lines)
+  if (kept.length === 0 && strippedCount === 0) return ''
+  // Durable, payload-free record so a stripped line isn't a silent no-op: the
+  // operator sees the Dockerfile itself note the count (full reasons surface as
+  // startup warnings). Never echo the stripped content — it may carry secrets.
+  const strippedNote =
+    strippedCount > 0
+      ? `# typeclaw stripped ${strippedCount} unsafe docker.file.append line(s); see startup warnings and typeclaw.json.
+`
+      : ''
+  if (kept.length === 0) return strippedNote ? `${strippedNote}\n` : ''
+  return `${strippedNote}# Custom lines from typeclaw.json#docker.file.append.
+${kept.join('\n')}
 
 `
 }
+
+export type DockerfileAppendClassification = {
+  kept: string[]
+  warnings: string[]
+  strippedCount: number
+}
+
+// Single source of truth for "what happens to each docker.file.append line",
+// reusing the config-layer classifier (validateDockerfileAppendLine). Both the
+// renderer (enforcement: drops unsafe lines) and refreshDockerfile (reporting:
+// surfaces warnings to the user) call this so the two never drift. Warn-but-
+// allow lines (curl|bash, remote ADD) are KEPT but produce a warning; structural
+// and semantic blocks are stripped with a warning.
+export function classifyDockerfileAppend(lines: string[]): DockerfileAppendClassification {
+  const kept: string[] = []
+  const warnings: string[] = []
+  let strippedCount = 0
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]!
+    const check = validateDockerfileAppendLine(line)
+    if (!check.ok) {
+      strippedCount++
+      warnings.push(`docker.file.append[${i}] stripped — ${check.reason}`)
+      continue
+    }
+    if (check.warning) warnings.push(`docker.file.append[${i}] ${check.warning}`)
+    kept.push(line)
+  }
+  return { kept, warnings, strippedCount }
+}

package/src/server/command-runner.ts

@@ -5,6 +5,7 @@ import {
   type CreateSessionResult,
   type SessionOrigin,
 } from '@/agent'
+import { applyTurnThinkingLevel } from '@/agent/attention-escalation'
 import type { ChannelRouter } from '@/channels/router'
 import type { McpManager } from '@/mcp'
 import type { PermissionService } from '@/permissions'
@@ -431,6 +432,7 @@ export async function runPromptForCommand(args: {
       retrievalContext.results.length > 0
         ? `${renderTurnTimeAnchor()}\n\n${args.text}\n\n${retrievalContext.results}`
         : `${renderTurnTimeAnchor()}\n\n${args.text}`
+    applyTurnThinkingLevel(session, args.text, session.thinkingLevel)
     try {
       await session.prompt(turnText)
     } finally {

package/src/server/index.ts

@@ -8,6 +8,7 @@ import {
   type CreateSessionOptions,
   type CreateSessionResult,
 } from '@/agent'
+import { applyTurnThinkingLevel } from '@/agent/attention-escalation'
 import { runPluginDoctorChecks, runPluginDoctorFix } from '@/agent/doctor'
 import type { LiveSessionRegistry } from '@/agent/live-sessions'
 import type { LiveSubagentRegistry } from '@/agent/live-subagents'
@@ -174,6 +175,11 @@ type QueuedPrompt = {
 
 type SessionState = {
   session: AgentSession
+  // The session's creation-time thinking level, captured once. An escalated turn
+  // moves `session.thinkingLevel` to `high`, so neither turn-driving path (drain
+  // loop, no-stream fallback) can use the live getter as the reset target — both
+  // read this captured default instead.
+  turnThinkingDefault: AgentSession['thinkingLevel']
   sessionFileId: string
   origin: SessionOrigin
   sessionManager: { getSessionFile: () => string | undefined } | undefined
@@ -518,6 +524,7 @@ export function createServer({
 
             const state: SessionState = {
               session,
+              turnThinkingDefault: session.thinkingLevel,
               sessionFileId,
               origin,
               sessionManager,
@@ -782,6 +789,7 @@ export function createServer({
                 retrievalContext.results.length > 0
                   ? `${renderTurnTimeAnchor()}\n\n${msg.text}\n\n${retrievalContext.results}`
                   : `${renderTurnTimeAnchor()}\n\n${msg.text}`
+              applyTurnThinkingLevel(state.session, msg.text, state.turnThinkingDefault)
               await state.session.prompt(turnText)
               send(ws, doneMessage(state))
             } catch (err) {
@@ -1086,6 +1094,7 @@ async function drain(
           retrievalContext.results.length > 0
             ? `${renderTurnTimeAnchor()}\n\n${item.text}\n\n${retrievalContext.results}`
             : `${renderTurnTimeAnchor()}\n\n${item.text}`
+        applyTurnThinkingLevel(state.session, item.text, state.turnThinkingDefault)
         await state.session.prompt(turnText)
         send(ws, doneMessage(state))
       } catch (err) {