typeclaw 0.6.0 → 0.8.0

package/src/agent/system-prompt.ts

@@ -1,3 +1,5 @@
+import { formatLocalDateTime, resolveLocalTimezoneName } from '@/shared'
+
 export const DEFAULT_SYSTEM_PROMPT = `You are a general-purpose AI agent running inside TypeClaw.
 
 TypeClaw is domain-agnostic — your purpose is defined by \`IDENTITY.md\`, your character by \`SOUL.md\`, and your operating manual by \`AGENTS.md\`. This system prompt only describes the runtime around you.
@@ -23,7 +25,7 @@ If a task reveals durable guidance or identity/user context, update the owning f
 ## Configuration
 
 - **\`typeclaw.json\`** — runtime config. Read when needed.
-- **\`.env\`** and **\`secrets.json\`** — secrets (API keys, tokens, OAuth credentials). Gitignored. Never echo, log, or commit these values.
+- **\`secrets.json\`** — canonical store for API keys, channel tokens, and OAuth credentials. Gitignored. Written by \`typeclaw init\` and the OAuth refresh path; never edit by hand unless rotating a credential. \`.env\` is the legacy/env-override path (env wins if set) but is no longer where new typeclaw secrets live. Never echo, log, or commit either file's values.
 
 ## Execution bias
 
@@ -39,7 +41,7 @@ Your agent folder is a git repository.
 
 - Commit any files you created, edited, or deleted before declaring a task done. One logical change = one commit; split unrelated changes.
 - Use \`git add <paths>\` (not \`git add -A\`). Imperative commit messages ("Update SOUL.md to be less formal"); explain *why* in the body if non-obvious.
-- Never commit \`.env\`, \`secrets.json\`, or anything under \`workspace/\` — truly-ignored by design. \`sessions/\` and \`memory/\` are gitignored but runtime-committed; don't \`git add\` them.
+- Never commit \`secrets.json\`, \`.env\`, or anything under \`workspace/\` — truly-ignored by design. \`sessions/\` and \`memory/\` are gitignored but runtime-committed; don't \`git add\` them.
 - Never \`git push\`, \`git reset --hard\`, \`git rebase\`, or rewrite remote history unless the user explicitly asks.
 
 ## How to behave
@@ -68,7 +70,9 @@ The bundled \`scout\` subagent is its external counterpart — web research only
 
 When the user hands you a task that will take minutes (a multi-step browser session, a long build, a complex external operation), acknowledge in plain language ("Alright, running that in the background — I'll let you know when it's done"), spawn one subagent with \`run_in_background: true\`, then KEEP TALKING. Stay available for follow-ups, related questions, parallel small tasks. When the completion reminder lands, weave the result into your next reply naturally. If the conversation has gone idle, proactively message the user with the result rather than waiting.
 
-The bundled \`operator\` subagent is the right tool for this mode. It is write-capable (read, write, edit, bash with side effects) and runs on the default model. Use it for: browser sessions, multi-file refactors, deploys, anything that involves taking action on behalf of the user over multiple steps. The operator returns a structured final report (outcome, what changed, what was observed); surface it naturally rather than copy-pasting. Operator is gated by a separate permission (\`subagent.spawn.operator\`) so write-capable spawns are restricted to owner-tier and trusted-tier callers — if the gate denies, fall back to doing the work in your own session rather than reporting failure to the user.
+Before you run a tool chain that returns bulky intermediate output you won't need again — multiple \`webfetch\` calls, a \`websearch\` round you'll iterate on, a \`bash\` command that scrapes a site or dumps a large response, an \`agent-browser\` session, a \`claude\` (Claude Code) delegation driven through tmux, any "fetch N things and synthesize" loop — delegate it to a subagent. \`scout\` (for research) or \`operator\` (for actions with side effects) runs the noisy work in its own context window and returns a distilled summary; your session carries the *answer*, not the raw material you derived it from. This is about context economy, not latency: even a fast operation belongs in a subagent when the byproducts are large and disposable (three quick news searches across different outlets still dumps three SERPs and three article bodies into your context forever). The exception is exactly one call whose result you'll cite directly — one \`webfetch\` of a known URL, one \`websearch\` query whose top result is the answer. Two of either, or any "across multiple sources" framing, is delegation territory.
+
+The bundled \`operator\` subagent is the right tool for this mode. It is write-capable (read, write, edit, bash with side effects) and runs on the default model. Use it for: browser sessions, multi-file refactors, deploys, batch API calls, Claude Code delegations (the tmux driving loop, the multi-turn polling, the worktree teardown — all of it inside operator), anything that involves taking action on behalf of the user over multiple steps. The operator returns a structured final report (outcome, what changed, what was observed); surface it naturally rather than copy-pasting. Operator is gated by a separate permission (\`subagent.spawn.operator\`) so write-capable spawns are restricted to owner-tier and trusted-tier callers — if the gate denies, fall back to doing the work in your own session rather than reporting failure to the user.
 
 **Status queries**
 
@@ -115,6 +119,36 @@ export function renderRuntimeBlock(version: string): string {
 TypeClaw runtime version: ${version}.`
 }
 
+// Wall-clock anchor for the agent. Without this, models hallucinate the
+// current time (typically defaulting to a UTC-shaped guess from training
+// data), which surfaces as confidently-wrong replies like "it's 6am" when
+// the actual wall-clock is 15:11 +09:00. The container's clock is correct
+// — `-e TZ=<host-tz>` propagation makes `new Date()` resolve to host local
+// time — but the model never sees that value unless we put it in the
+// prompt.
+//
+// Positioned as the very last block of the system prompt (after memory)
+// because it changes on every session creation, which is more frequent
+// than any other section: memory changes per dreaming/memory-logger cycle,
+// gitNudge changes per session, but `now` changes per second. Pinning it
+// to the tail means every byte UP TO this block stays in the provider's
+// cache prefix across session resurrections, and only the trailing ~60
+// bytes invalidate.
+//
+// The model still needs to know this is a session-creation snapshot, not
+// a live clock: long-lived channel sessions can outlive the stamp by
+// hours, and the resource loader is not re-rendered per turn (see the
+// CreateSessionOptions doc at the top of src/agent/index.ts). The prose
+// names the snapshot semantics and tells the model how to get a fresh
+// reading when it matters (run `date` via bash).
+export function renderNowBlock(now: Date): string {
+  const iso = formatLocalDateTime(now)
+  const zone = resolveLocalTimezoneName()
+  return `## Now
+
+Session started at \`${iso}\` (${zone}). This is a session-creation snapshot, not a live clock — the value above does not advance during this session. If you need the current wall-clock time precisely (e.g. before scheduling a cron, replying with "it's 3pm", or computing a deadline), run \`date\` via bash instead of trusting this stamp; the container's timezone is set to the host's, so \`date\` returns the user's local time.`
+}
+
 // Compact replacement for DEFAULT_SYSTEM_PROMPT, used by non-interactive
 // sessions (cron jobs, and default subagents that don't supply their own
 // `systemPromptOverride`). The full prompt is ~2155 tokens of operator-facing
@@ -125,14 +159,14 @@ TypeClaw runtime version: ${version}.`
 // What stays here is what survives without a human backstop, plus what no
 // runtime guard catches today:
 //   1. Runtime identity — names TypeClaw so the model can self-report.
-//   2. .env redaction — the one safety rule that compounds silently if dropped.
+//   2. secrets.json/.env redaction — the one safety rule that compounds silently if dropped.
 //   3. Error/result honesty — the highest-risk drop. Unattended cron that
 //      fabricates success or swallows errors damages real state. The security
 //      plugin does not catch this.
 //   4. Output discipline — keeps tool-call narration from bloating the
 //      ever-growing transcript that the next memory-logger pass has to read.
 //   5. Filesystem hygiene — workspace boundary, MEMORY.md ownership, and
-//      runtime-managed paths (.env / sessions/ / memory/ / workspace/). The
+//      runtime-managed paths (secrets.json / .env / sessions/ / memory/ / workspace/). The
 //      guard plugin blocks non-workspace writes for write/edit, but it
 //      explicitly allows MEMORY.md writes and does not gate bash/git on the
 //      runtime-managed paths.
@@ -149,12 +183,12 @@ TypeClaw runtime version: ${version}.`
 // to maintain its agent folder over time, and conversational register matters.
 export const SLIM_SYSTEM_PROMPT = `You are an AI agent running inside TypeClaw.
 
-Never echo secrets from \`.env\` or \`secrets.json\`, or any credential you see in the environment. Never include them in tool calls, logs, or commit messages.
+Never echo secrets from \`secrets.json\` or \`.env\`, or any credential you see in the environment. Never include them in tool calls, logs, or commit messages.
 
 Never suppress errors to make things "work", and never fabricate results. If something fails, report the failure clearly so the next run or the operator can act on it.
 
 Do not narrate routine, low-risk tool calls — just call the tool. Do not over-explain what you did unless asked.
 
-Your free-write zone is \`workspace/\`. Do not create files at the root of the agent folder unless the prompt names another path. Do not edit \`MEMORY.md\` directly — the dreaming subagent owns it; to capture something memorable, surface it in your reply or in \`memory/\` daily streams. Never stage or commit \`.env\`, \`sessions/\`, \`memory/\`, or \`workspace/\` — those are runtime- or user-managed.
+Your free-write zone is \`workspace/\`. Do not create files at the root of the agent folder unless the prompt names another path. Do not edit \`MEMORY.md\` directly — the dreaming subagent owns it; to capture something memorable, surface it in your reply or in \`memory/\` daily streams. Never stage or commit \`secrets.json\`, \`.env\`, \`sessions/\`, \`memory/\`, or \`workspace/\` — those are runtime- or user-managed.
 
 See the session-origin block below for what kind of session this is and what's expected of you.`

package/src/channels/adapters/discord-bot-slash-commands.ts

@@ -0,0 +1,186 @@
+import type { DiscordGatewayInteractionEvent } from 'agent-messenger/discordbot'
+
+import type { ChannelKey } from '@/channels/types'
+
+const DISCORD_API_BASE = 'https://discord.com/api/v10'
+
+// CHAT_INPUT is the only Discord application-command type that maps to the
+// existing text-prefix command registry. USER (2) and MESSAGE (3) are
+// right-click context-menu surfaces with no /name args equivalent — we don't
+// register them and we drop their interactions.
+const APPLICATION_COMMAND_TYPE_CHAT_INPUT = 1
+
+// type 4 = CHANNEL_MESSAGE_WITH_SOURCE; flag 64 = EPHEMERAL (only the invoker
+// sees it). Ephemeral keeps /stop replies out of the channel transcript.
+// Discord drops the interaction with "This interaction failed" if we don't
+// ack within ~3 seconds.
+const INTERACTION_CALLBACK_TYPE_CHANNEL_MESSAGE_WITH_SOURCE = 4
+const INTERACTION_MESSAGE_FLAG_EPHEMERAL = 64
+export const DISCORD_INTERACTION_ACK_BUDGET_MS = 3000
+
+export type DiscordCommandDeclaration = {
+  name: string
+  description: string
+}
+
+export type RegisterCommandsArgs = {
+  token: string
+  applicationId: string
+  commands: readonly DiscordCommandDeclaration[]
+  fetchImpl?: typeof fetch
+}
+
+export type RegisterCommandsResult = { ok: true } | { ok: false; error: string }
+
+// Bulk-overwrite is idempotent — Discord replaces the entire registered set
+// with whatever the body declares, so re-running `typeclaw start` with the
+// same commands is a no-op server-side. Global (vs. per-guild) registration
+// avoids the bot-needs-to-know-its-guilds bootstrap, at the cost of
+// Discord's documented up-to-1-hour propagation for new commands. Text-
+// prefix /stop continues to work the entire time, so the propagation
+// window doesn't regress existing behavior.
+//
+// CAUTION: this PUT replaces ALL global commands on the application with the
+// declared list. Sharing the bot application with another integration that
+// also registers global commands would delete those commands. Don't share
+// the application; TypeClaw owns the application's command set.
+export async function registerCommands(args: RegisterCommandsArgs): Promise<RegisterCommandsResult> {
+  const fetchImpl = args.fetchImpl ?? fetch
+  const body = args.commands.map((cmd) => ({
+    name: cmd.name,
+    description: cmd.description,
+    type: APPLICATION_COMMAND_TYPE_CHAT_INPUT,
+  }))
+  try {
+    const res = await fetchImpl(`${DISCORD_API_BASE}/applications/${encodeURIComponent(args.applicationId)}/commands`, {
+      method: 'PUT',
+      headers: { Authorization: `Bot ${args.token}`, 'Content-Type': 'application/json' },
+      body: JSON.stringify(body),
+    })
+    if (!res.ok) {
+      const text = await res.text().catch(() => '')
+      return { ok: false, error: `http ${res.status}${text ? `: ${text.slice(0, 200)}` : ''}` }
+    }
+    return { ok: true }
+  } catch (err) {
+    return { ok: false, error: err instanceof Error ? err.message : String(err) }
+  }
+}
+
+export type ParsedSlashCommand = {
+  name: string
+  key: ChannelKey
+  invokerId: string
+  interactionId: string
+  interactionToken: string
+}
+
+export type ParseInteractionResult =
+  | { kind: 'parsed'; command: ParsedSlashCommand }
+  | { kind: 'ignore'; reason: 'not-application-command' | 'unknown-command' | 'no-invoker' | 'no-channel' }
+
+export function parseInteractionAsCommand(
+  event: DiscordGatewayInteractionEvent,
+  knownCommands: ReadonlySet<string>,
+): ParseInteractionResult {
+  const data = event.data as { name?: string; type?: number } | undefined
+  if (!data || data.type !== APPLICATION_COMMAND_TYPE_CHAT_INPUT) {
+    return { kind: 'ignore', reason: 'not-application-command' }
+  }
+  const name = typeof data.name === 'string' ? data.name.toLowerCase() : ''
+  if (name === '' || !knownCommands.has(name)) {
+    return { kind: 'ignore', reason: 'unknown-command' }
+  }
+  // Guild interactions carry the invoker in member.user.id; DM interactions
+  // carry it in user.id. Exactly one is present.
+  const member = event.member as { user?: { id?: string } } | undefined
+  const invokerId = member?.user?.id ?? event.user?.id ?? ''
+  if (invokerId === '') {
+    return { kind: 'ignore', reason: 'no-invoker' }
+  }
+  if (typeof event.channel_id !== 'string' || event.channel_id === '') {
+    return { kind: 'ignore', reason: 'no-channel' }
+  }
+  // Mirror discord-bot-classify: DM workspace is '@dm', threads are stored
+  // as their channel id in `chat` with `thread: null` (Discord treats threads
+  // as channels; interaction.channel_id is the thread id when the user
+  // invoked from a thread).
+  const workspace = typeof event.guild_id === 'string' && event.guild_id !== '' ? event.guild_id : '@dm'
+  return {
+    kind: 'parsed',
+    command: {
+      name,
+      key: { adapter: 'discord-bot', workspace, chat: event.channel_id, thread: null },
+      invokerId,
+      interactionId: event.id,
+      interactionToken: event.token,
+    },
+  }
+}
+
+// Content is required even when there's nothing to stop, because Discord
+// rejects empty CHANNEL_MESSAGE_WITH_SOURCE responses.
+export function buildInteractionAck(content: string): {
+  type: number
+  data: { content: string; flags: number }
+} {
+  return {
+    type: INTERACTION_CALLBACK_TYPE_CHANNEL_MESSAGE_WITH_SOURCE,
+    data: { content, flags: INTERACTION_MESSAGE_FLAG_EPHEMERAL },
+  }
+}
+
+export type AckInteractionArgs = {
+  interactionId: string
+  interactionToken: string
+  content: string
+  fetchImpl?: typeof fetch
+}
+
+export type AckInteractionResult = { ok: true } | { ok: false; error: string }
+
+// Interaction acks must NOT carry the bot token — the interaction token in
+// the URL is the only credential Discord expects on this endpoint, and
+// adding Authorization sometimes triggers a 401.
+//
+// Errors are scrubbed before being returned: a thrown network error from
+// fetch may include the full request URL (including the interaction token,
+// which is a short-lived credential) in its message string depending on
+// the runtime. We surface only the error class to avoid leaking the token
+// into logs.
+export async function ackInteraction(args: AckInteractionArgs): Promise<AckInteractionResult> {
+  const fetchImpl = args.fetchImpl ?? fetch
+  const body = buildInteractionAck(args.content)
+  try {
+    const res = await fetchImpl(
+      `${DISCORD_API_BASE}/interactions/${encodeURIComponent(args.interactionId)}/${encodeURIComponent(args.interactionToken)}/callback`,
+      {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(body),
+      },
+    )
+    if (!res.ok) {
+      const text = await res.text().catch(() => '')
+      return { ok: false, error: `http ${res.status}${text ? `: ${text.slice(0, 200)}` : ''}` }
+    }
+    return { ok: true }
+  } catch (err) {
+    return { ok: false, error: `network error: ${sanitizeErrorName(err)}` }
+  }
+}
+
+// Returns the error class name without the message, so callers can log the
+// failure mode without leaking URLs/tokens that some runtimes embed in
+// error.message (e.g. Node's "fetch failed: TypeError: fetch failed,
+// cause: Error: ... https://discord.com/api/v10/interactions/123/<token>/callback").
+function sanitizeErrorName(err: unknown): string {
+  if (err instanceof Error) return err.name
+  return typeof err === 'string' ? 'string error' : 'unknown error'
+}
+
+export function synthesizeCommandText(name: string): string {
+  return `/${name}`
+}
+
+export const DISCORD_SLASH_COMMAND_TYPE_CHAT_INPUT = APPLICATION_COMMAND_TYPE_CHAT_INPUT

package/src/channels/adapters/discord-bot.ts

@@ -1,5 +1,9 @@
 import { DiscordBotClient, DiscordBotListener } from 'agent-messenger/discordbot'
-import { DiscordIntent, type DiscordGatewayMessageCreateEvent } from 'agent-messenger/discordbot'
+import {
+  DiscordIntent,
+  type DiscordGatewayInteractionEvent,
+  type DiscordGatewayMessageCreateEvent,
+} from 'agent-messenger/discordbot'
 
 import {
   MEMBERSHIP_ENUMERATION_CAP,
@@ -26,6 +30,26 @@ import type {
 
 import { createDiscordChannelResolver } from './discord-bot-channel-resolver'
 import { classifyInbound, type InboundDropReason } from './discord-bot-classify'
+import {
+  ackInteraction,
+  parseInteractionAsCommand,
+  registerCommands,
+  type DiscordCommandDeclaration,
+} from './discord-bot-slash-commands'
+
+// One declared slash command per logical agent gesture. /stop maps to the
+// existing channel-command of the same name in the router. Adding new
+// commands here is the documented extension point: declare the entry here,
+// then add the matching handler in createChannelRouter's command registry.
+const SLASH_COMMANDS: readonly DiscordCommandDeclaration[] = [
+  { name: 'stop', description: 'Abort the current turn in this channel' },
+]
+const SLASH_COMMAND_NAMES: ReadonlySet<string> = new Set(SLASH_COMMANDS.map((c) => c.name))
+
+const STOP_REPLY_ABORTED = 'Stopped the current turn.'
+const STOP_REPLY_NO_LIVE_SESSION = 'Nothing to stop — no active turn in this channel.'
+const STOP_REPLY_FAILED = 'Could not stop the current turn (internal error).'
+const STOP_REPLY_PERMISSION_DENIED = 'You do not have permission to stop the current turn in this channel.'
 
 const DISCORD_API_BASE = 'https://discord.com/api/v10'
 
@@ -66,6 +90,10 @@ export type DiscordBotAdapterOptions = {
   configRef: () => ChannelAdapterConfig
   token: string
   logger?: DiscordBotAdapterLogger
+  // Injectable for tests so adapter integration tests can assert on the
+  // exact REST calls without monkey-patching globalThis.fetch. Production
+  // callers leave it undefined to use the global fetch.
+  fetchImpl?: typeof fetch
 }
 
 export type DiscordBotAdapter = {
@@ -433,9 +461,91 @@ export function createFetchAttachmentCallback(deps: {
   }
 }
 
+export type InteractionHandlerDeps = {
+  router: Pick<ChannelRouter, 'executeCommand'>
+  knownCommandNames: ReadonlySet<string>
+  logger: DiscordBotAdapterLogger
+  formatChannelTag: (workspace: string, chat: string) => Promise<string>
+  fetchImpl?: typeof fetch
+}
+
+export function createInteractionHandler(
+  deps: InteractionHandlerDeps,
+): (event: DiscordGatewayInteractionEvent) => Promise<void> {
+  const fetchImpl = deps.fetchImpl ?? fetch
+  return async (event) => {
+    try {
+      const parsed = parseInteractionAsCommand(event, deps.knownCommandNames)
+      if (parsed.kind === 'ignore') {
+        // 'not-application-command' is the common case (buttons, modals,
+        // autocomplete); emit at warn only when we dropped something we
+        // ostensibly handle.
+        if (parsed.reason !== 'not-application-command') {
+          deps.logger.warn(`[discord-bot] interaction id=${event.id} dropped reason=${parsed.reason}`)
+        }
+        return
+      }
+      const { command } = parsed
+
+      // Pre-ACK: emit ONE line with bare ids only (no formatChannelTag).
+      // Discord's 3s ack budget covers everything until the callback POST
+      // returns 2xx; name resolution involves two Discord REST calls that
+      // can blow the budget on a slow API minute. Decorative logging with
+      // resolved names happens AFTER the ack.
+      deps.logger.info(
+        `[discord-bot] interaction /${command.name} id=${event.id} invoker=${command.invokerId} guild=${command.key.workspace} channel=${command.key.chat}`,
+      )
+
+      const result = await deps.router.executeCommand(command.key, command.name, {
+        invokerId: command.invokerId,
+      })
+      const replyContent =
+        result.kind === 'handled'
+          ? STOP_REPLY_ABORTED
+          : result.kind === 'no-live-session'
+            ? STOP_REPLY_NO_LIVE_SESSION
+            : result.kind === 'permission-denied'
+              ? STOP_REPLY_PERMISSION_DENIED
+              : STOP_REPLY_FAILED
+
+      const ack = await ackInteraction({
+        interactionId: command.interactionId,
+        interactionToken: command.interactionToken,
+        content: replyContent,
+        fetchImpl,
+      })
+      if (!ack.ok) {
+        // Discord's interaction token is single-use per callback type and
+        // ~15min total; once we miss the 3s ack window the user sees
+        // "This interaction failed" in the UI. The abort still happened
+        // server-side — only the user-visible confirmation is lost.
+        deps.logger.warn(`[discord-bot] interaction /${command.name} ack failed: ${ack.error}`)
+      }
+
+      // Decorative post-ack logging: resolve channel/guild names now that
+      // the 3s budget is no longer a concern. Best-effort — if name
+      // resolution fails we already logged bare ids above.
+      try {
+        const inboundTag = await deps.formatChannelTag(command.key.workspace, command.key.chat)
+        deps.logger.info(`[discord-bot] interaction /${command.name} result=${result.kind} ${inboundTag}`)
+      } catch (err) {
+        deps.logger.info(
+          `[discord-bot] interaction /${command.name} result=${result.kind} (channel-tag resolution failed: ${describe(err)})`,
+        )
+      }
+    } catch (err) {
+      deps.logger.error(`[discord-bot] handleInteraction failed: ${describe(err)}`)
+    }
+  }
+}
+
+export const DISCORD_SLASH_COMMANDS = SLASH_COMMANDS
+export const DISCORD_SLASH_COMMAND_NAMES = SLASH_COMMAND_NAMES
+
 export function createDiscordBotAdapter(options: DiscordBotAdapterOptions): DiscordBotAdapter {
   const logger = options.logger ?? consoleLogger
   const client = new DiscordBotClient()
+  const fetchImpl = options.fetchImpl ?? fetch
   let listener: DiscordBotListener | null = null
   let botUserId: string | null = null
   let started = false
@@ -479,6 +589,28 @@ export function createDiscordBotAdapter(options: DiscordBotAdapterOptions): Disc
 
   const fetchAttachmentCallback = createFetchAttachmentCallback({ token: options.token, logger })
 
+  const interactionHandler = createInteractionHandler({
+    router: options.router,
+    knownCommandNames: SLASH_COMMAND_NAMES,
+    logger,
+    formatChannelTag,
+    fetchImpl,
+  })
+
+  const handleInteractionCreate = async (event: DiscordGatewayInteractionEvent): Promise<void> => {
+    inflightInbounds++
+    try {
+      await interactionHandler(event)
+    } finally {
+      inflightInbounds--
+      if (inflightInbounds === 0 && stopWaiters.length > 0) {
+        const waiters = stopWaiters
+        stopWaiters = []
+        for (const w of waiters) w()
+      }
+    }
+  }
+
   const handleMessageCreate = async (event: DiscordGatewayMessageCreateEvent): Promise<void> => {
     inflightInbounds++
     try {
@@ -530,6 +662,33 @@ export function createDiscordBotAdapter(options: DiscordBotAdapterOptions): Disc
       listener.on('connected', (info) => {
         botUserId = info.user.id
         logger.info(`[discord-bot] connected as ${info.user.username} (${info.user.id})`)
+        // For bots, the gateway's user.id IS the application id — the same
+        // value is required for both /me lookups and /applications/{id}/
+        // commands. Fire-and-forget registration so a slow Discord API
+        // call (or a 403 from missing applications.commands scope) doesn't
+        // block the listener from receiving messages. Text-prefix /stop
+        // keeps working regardless.
+        void registerCommands({
+          token: options.token,
+          applicationId: info.user.id,
+          commands: SLASH_COMMANDS,
+          fetchImpl,
+        }).then((result) => {
+          if (result.ok) {
+            logger.info(
+              `[discord-bot] slash commands registered (${SLASH_COMMANDS.map((c) => `/${c.name}`).join(' ')})`,
+            )
+          } else {
+            // 403 here is almost always missing applications.commands scope
+            // on the OAuth invite URL — operator-fixable, but the listener
+            // continues. Adding the hint inline so an operator doesn't have
+            // to grep docs to recognize the failure mode.
+            logger.warn(
+              `[discord-bot] slash command registration failed: ${result.error}` +
+                ' (if 403, re-invite the bot with the applications.commands scope)',
+            )
+          }
+        })
       })
       listener.on('disconnected', () => {
         logger.warn('[discord-bot] disconnected; SDK will reconnect with backoff')
@@ -540,6 +699,9 @@ export function createDiscordBotAdapter(options: DiscordBotAdapterOptions): Disc
       listener.on('message_create', (event) => {
         void handleMessageCreate(event)
       })
+      listener.on('interaction_create', (event) => {
+        void handleInteractionCreate(event)
+      })
 
       options.router.registerOutbound('discord-bot', outboundCallback)
       options.router.registerTyping('discord-bot', typingCallback)

package/src/channels/adapters/slack-bot-slash-commands.ts

@@ -0,0 +1,82 @@
+import type { SlackSocketModeSlashCommandArgs } from 'agent-messenger/slackbot'
+
+import type { ChannelKey } from '@/channels/types'
+
+// Slack channel ids: 'C' = public, 'G' = private/legacy multi-party DM,
+// 'D' = direct message. Slash-command payloads don't carry `channel_type`,
+// so we read the id prefix directly. The slack-bot inbound classifier uses
+// `event.channel_type === 'im'` for the same purpose, but that field isn't
+// in the slash-command body. Group DMs ('G' prefix) are NOT treated as DMs
+// here — they map to `workspace: team_id` like a regular channel, matching
+// how the inbound classifier handles MPIM messages (channel_type 'mpim'
+// is not 'im' and therefore falls through to the team workspace branch).
+const SLACK_DM_CHANNEL_PREFIXES: readonly string[] = ['D']
+
+export type ParsedSlackSlashCommand = {
+  name: string
+  key: ChannelKey
+  invokerId: string
+}
+
+export type ParseSlashCommandResult =
+  | { kind: 'parsed'; command: ParsedSlackSlashCommand }
+  | { kind: 'ignore'; reason: 'unknown-command' | 'no-invoker' | 'no-channel' | 'no-team' | 'malformed' }
+
+export function parseSlashCommand(
+  body: SlackSocketModeSlashCommandArgs['body'],
+  knownCommands: ReadonlySet<string>,
+): ParseSlashCommandResult {
+  if (typeof body.command !== 'string' || !body.command.startsWith('/')) {
+    return { kind: 'ignore', reason: 'malformed' }
+  }
+  const name = body.command.slice(1).toLowerCase()
+  if (name === '' || !knownCommands.has(name)) {
+    return { kind: 'ignore', reason: 'unknown-command' }
+  }
+  if (typeof body.user_id !== 'string' || body.user_id === '') {
+    return { kind: 'ignore', reason: 'no-invoker' }
+  }
+  if (typeof body.channel_id !== 'string' || body.channel_id === '') {
+    return { kind: 'ignore', reason: 'no-channel' }
+  }
+  // team_id is required for slash commands per Slack's API, but defensively
+  // refuse to construct a ChannelKey without it — otherwise the workspace
+  // field would collide with a real workspace id named '' downstream.
+  if (typeof body.team_id !== 'string' || body.team_id === '') {
+    return { kind: 'ignore', reason: 'no-team' }
+  }
+
+  const isDm = SLACK_DM_CHANNEL_PREFIXES.some((prefix) => body.channel_id.startsWith(prefix))
+  const workspace = isDm ? '@dm' : body.team_id
+
+  return {
+    kind: 'parsed',
+    command: {
+      name,
+      // thread is null because Slack slash commands cannot be invoked from
+      // inside a thread — Slack's compose box always targets the top-level
+      // channel. The router's executeCommand falls back to any live session
+      // in the same workspace+chat when an exact key match misses, so a
+      // thread-keyed live session still gets hit by a thread-less slash.
+      key: { adapter: 'slack-bot', workspace, chat: body.channel_id, thread: null },
+      invokerId: body.user_id,
+    },
+  }
+}
+
+export const SLACK_SLASH_REPLY_ABORTED = 'Stopped the current turn.'
+export const SLACK_SLASH_REPLY_NO_LIVE_SESSION = 'Nothing to stop — no active turn in this channel.'
+export const SLACK_SLASH_REPLY_FAILED = 'Could not stop the current turn (internal error).'
+export const SLACK_SLASH_REPLY_PERMISSION_DENIED =
+  'You do not have permission to stop the current turn in this channel.'
+export const SLACK_SLASH_REPLY_AMBIGUOUS =
+  'Multiple active turns in this channel. Reply `/stop` from inside the specific thread you want to stop.'
+
+// Slack's ack callback accepts an optional response payload that becomes
+// the user-visible reply. `response_type: 'ephemeral'` keeps the reply
+// visible only to the invoker (vs. 'in_channel' which posts to everyone).
+// Control gestures should stay ephemeral — same rationale as Discord's
+// EPHEMERAL flag on interaction callbacks.
+export function buildSlashAckPayload(text: string): { response_type: 'ephemeral'; text: string } {
+  return { response_type: 'ephemeral', text }
+}