typeclaw 0.8.0 → 0.9.0

package/src/bundled-plugins/memory/slug.ts

@@ -0,0 +1,59 @@
+import { createHash } from 'node:crypto'
+
+export const SLUG_REGEX = /^[a-z0-9][a-z0-9-]{0,63}$/
+
+export function isValidSlug(slug: string): boolean {
+  return SLUG_REGEX.test(slug)
+}
+
+export function headingToSlug(heading: string, existingSlugs: Set<string>): string {
+  let slug = normalizeHeading(heading)
+
+  if (slug.length === 0) {
+    slug = makeUntitledSlug(heading)
+  }
+
+  slug = slug.slice(0, 64)
+
+  slug = deduplicateSlug(slug, existingSlugs)
+
+  return slug
+}
+
+function normalizeHeading(heading: string): string {
+  let normalized = heading.normalize('NFD').replace(/[\u0300-\u036f]/g, '')
+
+  normalized = normalized
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+
+  return normalized
+}
+
+function makeUntitledSlug(heading: string): string {
+  const hash = createHash('sha256').update(heading).digest('hex').slice(0, 6)
+  return `untitled-${hash}`
+}
+
+function deduplicateSlug(slug: string, existingSlugs: Set<string>): string {
+  const lowerSlug = slug.toLowerCase()
+  let candidate = lowerSlug
+  let suffix = 2
+
+  while (isTaken(candidate, existingSlugs)) {
+    candidate = `${lowerSlug}-${suffix}`
+    suffix++
+  }
+
+  return candidate
+}
+
+function isTaken(candidate: string, existingSlugs: Set<string>): boolean {
+  for (const existing of existingSlugs) {
+    if (existing.toLowerCase() === candidate) {
+      return true
+    }
+  }
+  return false
+}

package/src/bundled-plugins/memory/stream-io.ts

@@ -1,7 +1,13 @@
-import { readFile, appendFile, writeFile, rename } from 'node:fs/promises'
+import { readFile, appendFile, readdir, writeFile, rename } from 'node:fs/promises'
+import { join } from 'node:path'
 
+import { getDreamedIds, loadDreamingState } from './dreaming-state'
+import { streamsDir } from './paths'
 import { parseEventLine, type StreamEvent } from './stream-events'
 
+const STREAM_FILE_PATTERN = /^\d{4}-\d{2}-\d{2}\.jsonl$/
+const STREAM_DATE_FROM_FILENAME = /^(\d{4}-\d{2}-\d{2})\.jsonl$/
+
 export async function readEvents(path: string): Promise<StreamEvent[]> {
   let raw: string
   try {
@@ -41,6 +47,109 @@ export async function writeEventsAtomic(path: string, events: readonly StreamEve
   await rename(tmp, path)
 }
 
+// Daily-stream directory for this agent. New layout is `memory/streams/`;
+// pre-migration agents kept them flat under `memory/`. `displayPrefix` is
+// the path string consumers render so the agent sees a stable identifier
+// regardless of which layout is on disk.
+export type StreamDirectory = {
+  dir: string
+  displayPrefix: 'memory' | 'memory/streams'
+  names: string[]
+}
+
+export async function listStreamFiles(agentDir: string): Promise<StreamDirectory | null> {
+  const streamsDirPath = streamsDir(agentDir)
+  try {
+    const names = await readdir(streamsDirPath)
+    return { dir: streamsDirPath, displayPrefix: 'memory/streams', names }
+  } catch (err) {
+    if (!isEnoent(err)) throw err
+  }
+
+  const legacyDir = join(agentDir, 'memory')
+  try {
+    const names = await readdir(legacyDir)
+    return { dir: legacyDir, displayPrefix: 'memory', names }
+  } catch (err) {
+    if (!isEnoent(err)) throw err
+    return null
+  }
+}
+
+// Per-file slice with dreamed events removed. `events` is whatever
+// `readEvents` returned for the file; `dreamedIds` is the day's slice from
+// `getDreamedIds(state, date)`. Returns the events the next consumer should
+// see — empty when every event has been dreamed.
+//
+// `legacy_prose` events pre-date the dreamed-id contract (they have no `id`)
+// and are always kept. Same rule as the injection-side filter; lifted here
+// so injection and search agree on what counts as undreamed.
+export function filterUndreamedEvents(events: StreamEvent[], dreamedIds: ReadonlySet<string>): StreamEvent[] {
+  if (dreamedIds.size === 0) return events
+  return events.filter((event) => {
+    if (event.type === 'legacy_prose') return true
+    return !dreamedIds.has(event.id)
+  })
+}
+
+// Raw events + per-day dreamed-id set, oldest day first. The dreamed filter
+// is applied per-day by `readAllUndreamedStreamDays` — keeping it separate
+// here lets callers that need unfiltered events read dreaming state once
+// rather than re-loading it for every day.
+export type StreamDay = {
+  date: string
+  path: string
+  name: string
+  events: StreamEvent[]
+  dreamedIds: ReadonlySet<string>
+}
+
+export async function readAllStreamDays(agentDir: string): Promise<StreamDay[]> {
+  const streamFiles = await listStreamFiles(agentDir)
+  if (streamFiles === null) return []
+
+  const { dir, displayPrefix, names } = streamFiles
+  const dated = names.filter((n) => STREAM_FILE_PATTERN.test(n)).sort()
+  const state = await loadDreamingState(agentDir)
+  return Promise.all(
+    dated.map(async (name): Promise<StreamDay> => {
+      const date = STREAM_DATE_FROM_FILENAME.exec(name)?.[1] ?? ''
+      const filePath = join(dir, name)
+      return {
+        date,
+        path: filePath,
+        name: `${displayPrefix}/${name}`,
+        events: await readEvents(filePath),
+        dreamedIds: getDreamedIds(state, date),
+      }
+    }),
+  )
+}
+
+// Convenience wrapper for consumers that just want undreamed events without
+// caring about filter ordering: pre-applies `filterUndreamedEvents` per day
+// and drops fully-dreamed days. The injection path uses `readAllStreamDays`
+// instead because it must order self-session and dreamed-id filters.
+export type UndreamedStreamDay = {
+  date: string
+  path: string
+  name: string
+  events: StreamEvent[]
+}
+
+export async function readAllUndreamedStreamDays(agentDir: string): Promise<UndreamedStreamDay[]> {
+  const days = await readAllStreamDays(agentDir)
+  return days.flatMap((day) => {
+    const undreamed = filterUndreamedEvents(day.events, day.dreamedIds)
+    if (undreamed.length === 0) return []
+    return [{ date: day.date, path: day.path, name: day.name, events: undreamed }]
+  })
+}
+
+function isEnoent(err: unknown): boolean {
+  return typeof err === 'object' && err !== null && 'code' in err && (err as { code: string }).code === 'ENOENT'
+}
+
 export async function countEvents(path: string): Promise<number> {
   let raw: string
   try {

package/src/bundled-plugins/memory/strength.ts

@@ -1,4 +1,4 @@
-// Strength signals for MEMORY.md topics, derived mechanically from citations.
+// Strength signals for topic shards, derived mechanically from citations.
 //
 // What "strength" means here is structural, not semantic — we measure how
 // many times and over how many distinct days a topic has been reinforced by
@@ -12,7 +12,7 @@
 // the dreaming subagent's prompt is gated on distinct-days, not count, for
 // exactly this reason — see the "spacing effect" note in the PR description.
 //
-// All numbers here are deterministic. The same MEMORY.md parsed against the
+// All numbers here are deterministic. The same topic text parsed against the
 // same `today` always yields the same TopicStrength list. There is no LLM
 // involvement at this layer; the subagent receives these numbers as ground
 // truth and uses them to decide what to merge or demote.
@@ -72,7 +72,7 @@ function pickLatestDate(dates: readonly string[]): string | null {
 // date as midnight UTC, so the difference is always an integer count of
 // 86_400_000ms windows regardless of timezone or DST. Returns 0 for invalid
 // inputs (treats the topic as "fresh" rather than throwing — defensive
-// because both inputs are produced by the runtime, but a corrupted MEMORY.md
+// because both inputs are produced by the runtime, but a corrupted topic-shard
 // citation date is the kind of thing we want to fail open on).
 function daysBetween(today: string, earlier: string): number {
   const todayMs = parseIsoDateUtc(today)

package/src/bundled-plugins/memory/topics.ts

@@ -1,10 +1,7 @@
-// Topic-aware parser for MEMORY.md. The dreaming subagent writes MEMORY.md as
-// a flat list of level-2 topic headings (`## <topic>`), each followed by a
-// conclusion paragraph and a `fragments:` bullet list of citations. The
-// citation parser in citations.ts is global (every citation in the file);
-// this module attributes citations to their owning topic so the dreaming
-// subagent can see per-topic strength signals (citation count, distinct
-// reinforcement days, recency) on its next run.
+// Topic-aware parser for the pre-shard root-memory migration and legacy strength
+// tests. Sharded runtime memory stores each topic as its own file under
+// memory/topics/, but the one-shot migrator still needs to split a legacy root
+// file into level-2 topic sections before writing shards.
 //
 // Format assumptions match what dreaming.ts's DREAMING_SYSTEM_PROMPT teaches:
 //   - First line is `# Memory` (an h1). Treated as a non-topic header.
@@ -17,9 +14,9 @@
 //     aggregation. parseCitations from citations.ts still picks them up if
 //     anything downstream needs the global view.
 //
-// The parser is intentionally permissive: it never throws on malformed
-// MEMORY.md. A subagent that writes a header with no body or a topic with no
-// citations still parses cleanly with an empty `citations` array. The
+// The parser is intentionally permissive: it never throws on malformed legacy
+// topic prose. A header with no body or a topic with no citations still parses
+// cleanly with an empty `citations` array. The
 // strength layer then treats those topics as "weak" — which is the right
 // behavior, since they ARE weak.
 
@@ -40,24 +37,81 @@ export type Topic = {
   citations: Citation[]
 }
 
+export type TopicWithBody = Topic & { body: string }
+
 const HEADING_LEVEL_2 = /^##\s+(.*)$/
+const HISTORICAL_BUCKET = /^historical observations$/i
+const BULLET_LINE = /^-\s+(.*)$/
+const LEADING_DATE = /^\d{4}-\d{2}-\d{2}:\s*/
+const CITATION_TAIL = /\s*—\s+memory\/.*$/
+
+function collectCitations(bodyText: string): Citation[] {
+  const grouped = parseCitations(bodyText)
+  const citations: Citation[] = []
+  for (const [date, ids] of grouped) {
+    for (const fragmentId of ids) citations.push({ date, fragmentId })
+  }
+  return citations
+}
 
-// Split MEMORY.md into ordered topics with their citations attached. Returns
+// Split legacy topic prose into ordered topics with their citations attached. Returns
 // an empty array when no `## ` heading appears.
 export function parseTopics(text: string): Topic[] {
   const lines = text.split('\n')
   const topics: Topic[] = []
   let current: { heading: string; body: string[] } | undefined
 
+  const flush = (): void => {
+    if (!current) return
+    const citations = collectCitations(current.body.join('\n'))
+    topics.push({ heading: current.heading, citations })
+  }
+
+  for (const line of lines) {
+    const match = HEADING_LEVEL_2.exec(line)
+    if (match) {
+      flush()
+      current = { heading: (match[1] ?? '').trim(), body: [] }
+      continue
+    }
+    if (current) current.body.push(line)
+  }
+  flush()
+
+  return topics
+}
+
+// Like parseTopics, but preserves the full body text of each topic. The
+// `## Historical observations` bucket is expanded into one entry per bullet.
+export function parseTopicsWithBodies(text: string): TopicWithBody[] {
+  const lines = text.split('\n')
+  const topics: TopicWithBody[] = []
+  let current: { heading: string; body: string[] } | undefined
+
   const flush = (): void => {
     if (!current) return
     const bodyText = current.body.join('\n')
-    const grouped = parseCitations(bodyText)
-    const citations: Citation[] = []
-    for (const [date, ids] of grouped) {
-      for (const fragmentId of ids) citations.push({ date, fragmentId })
+    if (HISTORICAL_BUCKET.test(current.heading)) {
+      let index = 0
+      for (const line of current.body) {
+        const bulletMatch = BULLET_LINE.exec(line)
+        if (!bulletMatch) continue
+        const bulletText = bulletMatch[1] ?? ''
+        let heading = bulletText.replace(LEADING_DATE, '').replace(CITATION_TAIL, '').trim()
+        const citations = collectCitations(bulletText)
+        if (!heading) {
+          heading = citations[0]?.date ?? `historical-${index}`
+        }
+        topics.push({ heading, body: bulletText, citations })
+        index++
+      }
+      return
     }
-    topics.push({ heading: current.heading, citations })
+    topics.push({
+      heading: current.heading,
+      body: bodyText,
+      citations: collectCitations(bodyText),
+    })
   }
 
   for (const line of lines) {

package/src/bundled-plugins/security/index.ts

@@ -2,6 +2,7 @@ import { definePlugin } from '@/plugin'
 
 import { HIGH_TIER_PER_GUARD_PERMISSIONS, SECURITY_PERMISSIONS, SEVERITY_PERMISSION } from './permissions'
 import type { SecurityPermission, SecuritySeverity } from './permissions'
+import { GUARD_CRON_PROMOTION_SEVERITY, checkCronPromotionGuard } from './policies/cron-promotion'
 import {
   GUARD_GIT_EXFIL_SEVERITY,
   GUARD_GIT_REMOTE_TAINTED_SEVERITY,
@@ -12,6 +13,7 @@ import {
 import { GUARD_OUTBOUND_SECRET_SEVERITY, checkOutboundSecretGuard } from './policies/outbound-secret-scan'
 import { applyPromptInjectionDefense } from './policies/prompt-injection'
 import { clearSessionTaints } from './policies/remote-taint-state'
+import { GUARD_ROLE_PROMOTION_SEVERITY, checkRolePromotionGuard } from './policies/role-promotion'
 import { GUARD_SECRET_EXFIL_BASH_SEVERITY, checkSecretExfilBashGuard } from './policies/secret-exfil-bash'
 import { GUARD_SECRET_EXFIL_READ_SEVERITY, checkSecretExfilReadGuard } from './policies/secret-exfil-read'
 import {
@@ -59,6 +61,10 @@ const BYPASS_ROLE_HINT = {
     'NOBODY has it by default — high tier requires per-call ack from every role, including owner.',
   [SECURITY_PERMISSIONS.bypassOutboundSecret]:
     'NOBODY has it by default — high tier requires per-call ack from every role, including owner. The audience-leak rule: even owner posting to a public channel must not silently include credentials.',
+  [SECURITY_PERMISSIONS.bypassRolePromotion]:
+    'NOBODY has it by default — high tier requires per-call ack from every role, including owner. The audience-leak rule generalizes to privilege escalation: even owner running from TUI must not silently rewrite the access-control table on behalf of a channel message.',
+  [SECURITY_PERMISSIONS.bypassCronPromotion]:
+    'NOBODY has it by default — high tier requires per-call ack from every role, including owner. Same shape as rolePromotion but deferred: a new cron job (or a changed scheduledByRole) is a privilege grant that fires at schedule-time, and the operator must not silently author one on behalf of a channel message.',
 } as const satisfies Record<PerGuardSecurityPermission, string>
 
 function withPermissionHint(
@@ -93,6 +99,24 @@ export default definePlugin({
         const canBypass = (severity: SecuritySeverity, perGuardPerm: string): boolean =>
           can(SEVERITY_PERMISSION[severity]) || can(perGuardPerm)
 
+        const rolePromotionResult = canBypass(GUARD_ROLE_PROMOTION_SEVERITY, SECURITY_PERMISSIONS.bypassRolePromotion)
+          ? undefined
+          : withPermissionHint(
+              await checkRolePromotionGuard({ tool: event.tool, args: event.args, agentDir: ctx.agentDir }),
+              SECURITY_PERMISSIONS.bypassRolePromotion,
+              GUARD_ROLE_PROMOTION_SEVERITY,
+            )
+        if (rolePromotionResult) return rolePromotionResult
+
+        const cronPromotionResult = canBypass(GUARD_CRON_PROMOTION_SEVERITY, SECURITY_PERMISSIONS.bypassCronPromotion)
+          ? undefined
+          : withPermissionHint(
+              await checkCronPromotionGuard({ tool: event.tool, args: event.args, agentDir: ctx.agentDir }),
+              SECURITY_PERMISSIONS.bypassCronPromotion,
+              GUARD_CRON_PROMOTION_SEVERITY,
+            )
+        if (cronPromotionResult) return cronPromotionResult
+
         // Taint-recording runs FIRST, independently of the gitExfil guard.
         // The gitRemoteTainted defense depends on it. We pass through
         // `permittedBypass` for actors who can skip gitExfil (via either the

package/src/bundled-plugins/security/permissions.ts

@@ -9,6 +9,8 @@ export const SECURITY_PERMISSIONS = {
   bypassSystemPromptLeak: 'security.bypass.systemPromptLeak',
   bypassOutboundSecret: 'security.bypass.outboundSecret',
   bypassGitRemoteTainted: 'security.bypass.gitRemoteTainted',
+  bypassRolePromotion: 'security.bypass.rolePromotion',
+  bypassCronPromotion: 'security.bypass.cronPromotion',
   // Severity-tier bypasses. Tiers classify guards on a two-axis policy:
   //   high   — bypass sends data to a third-party audience outside the
   //            operator's control loop (channel readers, remote git host).
@@ -45,4 +47,6 @@ export const HIGH_TIER_PER_GUARD_PERMISSIONS: readonly string[] = [
   SECURITY_PERMISSIONS.bypassGitRemoteTainted,
   SECURITY_PERMISSIONS.bypassOutboundSecret,
   SECURITY_PERMISSIONS.bypassSystemPromptLeak,
+  SECURITY_PERMISSIONS.bypassRolePromotion,
+  SECURITY_PERMISSIONS.bypassCronPromotion,
 ]