typeclaw 0.8.0 → 0.9.1

package/src/channels/adapters/slack-bot-classify.ts

@@ -6,33 +6,8 @@ import type { InboundMessage } from '@/channels/types'
 
 import { slackTsToMillis } from './slack-bot-time'
 
-// Upstream's `SlackSocketModeMessageEvent` carries `[key: string]: unknown`
-// for fields it does not type explicitly. Three of those untyped fields are
-// load-bearing for this adapter:
-//   - `parent_user_id`: set on every reply within a thread; identifies the
-//     author of the message the thread is rooted at. Used to decide whether
-//     a reply targets the bot, another human, or an unknown parent.
-//   - `client_msg_id`: client-generated UUID on user-authored messages,
-//     stable across Slack-side resends of the same gesture. Primary dedupe
-//     key for the "one user action surfaces as two events" case.
-//   - `files`: attachments delivered inline on the same message event (Slack
-//     does not fire a separate file_share for messages we receive).
-// Typing them here (rather than reading them via `as` casts at every call
-// site) keeps the classifier readable and makes it the single source of
-// truth for "what Slack actually sends" — anything else reading these
-// fields imports `SlackInboundMessageEvent` from this module.
-export type SlackInboundMessageEvent = SlackSocketModeMessageEvent & {
-  parent_user_id?: string
-  client_msg_id?: string
-  files?: SlackFile[]
-}
-
-// `app_mention` envelopes do not always carry `client_msg_id`, but typing
-// it keeps the promotion to a message-shaped event lossless if Slack
-// starts sending it. Same reasoning as `SlackInboundMessageEvent` above.
-export type SlackInboundAppMentionEvent = SlackSocketModeAppMentionEvent & {
-  client_msg_id?: string
-}
+export type SlackInboundMessageEvent = SlackSocketModeMessageEvent
+export type SlackInboundAppMentionEvent = SlackSocketModeAppMentionEvent
 
 export type InboundDropReason =
   | 'self_author' // event.user === botUserId; we never route our own messages back to ourselves

package/src/channels/index.ts

@@ -9,6 +9,11 @@ export {
   type CreateSessionForChannel,
 } from './router'
 export { createChannelsReloadable } from './reloadable'
+export {
+  createSubagentCompletionBridge,
+  type SubagentCompletionBridge,
+  type SubagentCompletionBridgeOptions,
+} from './subagent-completion-bridge'
 export {
   channelsSchema,
   ADAPTER_IDS,

package/src/channels/router.ts

@@ -6,6 +6,7 @@ import { SessionManager } from '@mariozechner/pi-coding-agent'
 import { createSession, type AgentSession } from '@/agent'
 import { subscribeProviderErrors } from '@/agent/provider-error'
 import type { ChannelParticipant, SessionOrigin } from '@/agent/session-origin'
+import { renderSubagentCompletionReminder } from '@/agent/subagent-completion-reminder'
 import { createCommandRegistry } from '@/commands'
 import { CORE_PERMISSIONS, type PermissionService } from '@/permissions'
 import type { HookBus } from '@/plugin'
@@ -254,6 +255,14 @@ type LiveSession = {
   currentTurnAuthorId: string | null
   currentTurnAuthorIds: Set<string>
   lastTurnAuthorIds: Set<string>
+  // Mirror of currentTurnAuthorId at end-of-turn (the LAST speaker of the
+  // prior batch), preserved across the drain finally-block which resets
+  // currentTurnAuthorId to null. Read by the reminder-only branch in
+  // drain() so a system-reminder wakeup carries the same author the prior
+  // turn's tool.before saw — matching "last speaker" semantics (not "first
+  // inserted into Set"), so a multi-author prior turn like alice→bob
+  // restores `bob`, the same identity normal turns would have used.
+  lastTurnAuthorId: string | null
   consecutiveAborts: number
   // Per-(chat:thread) count of bot messages sent without intervening user
   // input being rendered into the model's context. Reset at the top of each
@@ -261,6 +270,15 @@ type LiveSession = {
   // about to be shown to the model). channel_send reads this BEFORE calling
   // router.send so the hint reflects the position of the about-to-happen send
   // (n-th in a row), nudging the model to yield without forcing it to.
+  // Queue of `<system-reminder>...</system-reminder>` strings to prepend
+  // into the next turn's user-message body. Populated by
+  // `injectSubagentCompletionReminder` (and any future system-injected
+  // wakeups) so a backgrounded subagent's completion can wake a channel
+  // session that has no pending user inbounds. Drained at the top of
+  // every `drain()` iteration alongside the regular promptQueue batch;
+  // the drain loop's run condition checks BOTH queues so a system
+  // reminder alone is enough to trigger a turn.
+  pendingSystemReminders: string[]
   consecutiveSends: Map<string, number>
   // Per-(chat:thread) text of the last reserved bot send. Set
   // SYNCHRONOUSLY inside router.send before the outbound callback awaits,
@@ -387,6 +405,21 @@ export type ChannelRouter = {
   // slack-bot-classify.ts. Read live so a reload of `alias` propagates
   // to adapters without a restart.
   getSelfAliases: () => readonly string[]
+  // Inject a `<system-reminder>` block addressed to a live channel session
+  // identified by `parentSessionId`. The reminder is rendered into the
+  // next turn's user-message body and triggers a drain even if the
+  // promptQueue is empty. Returns `delivered` when a matching live
+  // session was found and the reminder was queued, `no-live-session`
+  // otherwise. Used by the subagent-completion bridge in
+  // src/run/index.ts; safe for tests to call directly via a fake router.
+  injectSubagentCompletionReminder: (args: {
+    parentSessionId: string
+    subagent: string
+    taskId: string
+    ok: boolean
+    durationMs: number
+    error?: string
+  }) => { kind: 'delivered'; keyId: string } | { kind: 'no-live-session' }
   stop: () => Promise<void>
   liveCount: () => number
   __testing?: {
@@ -396,6 +429,34 @@ export type ChannelRouter = {
     isTypingActive: (key: ChannelKey) => boolean
     stopTyping: (key: ChannelKey) => Promise<void>
     runIdleGc: () => Promise<void>
+    // Returns the seeded author state on the live session matching
+    // `key`, or undefined when no live session exists. Tests use this
+    // to pin the symmetric-seeding invariant between `lastTurnAuthorId`
+    // (string) and `lastTurnAuthorIds` (Set) at session creation —
+    // observable directly here rather than via a downstream sticky-
+    // credit grant test that would need to coordinate with multiple
+    // subsystems.
+    getLiveAuthorState: (key: ChannelKey) =>
+      | {
+          currentTurnAuthorId: string | null
+          currentTurnAuthorIds: readonly string[]
+          lastTurnAuthorId: string | null
+          lastTurnAuthorIds: readonly string[]
+        }
+      | undefined
+    // Returns a shallow copy of `live.originRef.current` for the live
+    // session matching `key`, or undefined when no live session exists.
+    // Exists so tests can assert on the per-turn origin that tool.before
+    // consumers would see — the origin is normally only observable
+    // indirectly via in-flight tool calls, which the fake session doesn't
+    // execute. The shallow copy detaches the top-level fields from
+    // `originRef` so a later turn replacing `originRef.current` doesn't
+    // change a captured assertion. Nested fields (`participants`,
+    // `membership`) are still shared by reference; in practice
+    // `updateParticipants` returns a fresh array rather than mutating in
+    // place, so observed snapshots are stable for the assertions tests
+    // make today. NOT a public router method.
+    getLiveOriginSnapshot: (key: ChannelKey) => SessionOrigin | undefined
   }
 }
 
@@ -800,6 +861,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         resolvedNames,
         originRef,
         promptQueue: [],
+        pendingSystemReminders: [],
         contextBuffer: [],
         draining: false,
         debounceTimer: null,
@@ -811,7 +873,18 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         firstUnprocessedAt: 0,
         currentTurnAuthorId: null,
         currentTurnAuthorIds: new Set(),
-        lastTurnAuthorIds: new Set(),
+        // `lastTurnAuthorId` (string, used for `lastInboundAuthorId` in
+        // origin) and `lastTurnAuthorIds` (Set, used by
+        // `grantStickyForReplyTargets` as the fallback when
+        // `currentTurnAuthorIds` is empty) are seeded TOGETHER from
+        // `triggeringAuthorId`. Seeding only the string would leave the
+        // Set empty for the cold-start reminder-only path, which is
+        // observable when the agent replies during that turn — `send()`
+        // would compute an empty `targetIds` and silently drop the
+        // sticky-credit grant for the seeded author. The two fields must
+        // stay in sync, so they are written in the same statement.
+        lastTurnAuthorIds: triggeringAuthorId !== undefined ? new Set([triggeringAuthorId]) : new Set(),
+        lastTurnAuthorId: triggeringAuthorId ?? null,
         consecutiveAborts: 0,
         consecutiveSends: new Map(),
         lastSentText: new Map(),
@@ -1026,12 +1099,13 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     }
   }
 
-  const fireSessionTurnStart = async (live: LiveSession): Promise<void> => {
+  const fireSessionTurnStart = async (live: LiveSession, userPrompt: string): Promise<void> => {
     if (!live.hooks) return
     try {
       await live.hooks.runSessionTurnStart({
         sessionId: live.sessionId,
         agentDir: options.agentDir,
+        userPrompt,
         origin: buildLiveOrigin(live),
       })
     } catch (err) {
@@ -1082,6 +1156,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     live.debounceTimer = null
     live.firstUnprocessedAt = 0
     live.promptQueue.length = 0
+    live.pendingSystemReminders.length = 0
     await stopTypingHeartbeat(live)
     try {
       await live.session.abort()
@@ -1095,7 +1170,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     if (live.draining || live.destroyed) return
     live.draining = true
     try {
-      while (live.promptQueue.length > 0 && !live.destroyed) {
+      while ((live.promptQueue.length > 0 || live.pendingSystemReminders.length > 0) && !live.destroyed) {
         live.typingTimedOut = false
         // Heartbeat must run during generation as well as during debounce.
         // Because new inbounds during a turn just push into promptQueue
@@ -1104,13 +1179,32 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         startTypingHeartbeat(live)
         const batch = live.promptQueue.splice(0, live.promptQueue.length)
         const observed = live.contextBuffer.splice(0, live.contextBuffer.length)
-        const text = composeTurnPrompt(observed, batch, { loopGuardActive: live.loopGuardActive })
+        const reminders = live.pendingSystemReminders.splice(0, live.pendingSystemReminders.length)
+        const text = composeTurnPrompt(observed, batch, {
+          loopGuardActive: live.loopGuardActive,
+          systemReminders: reminders,
+        })
 
-        live.currentTurnAuthorId = batch.length > 0 ? batch[batch.length - 1]!.authorId : null
-        live.currentTurnAuthorIds = new Set(batch.map((m) => m.authorId))
         if (batch.length > 0) {
+          live.currentTurnAuthorId = batch[batch.length - 1]!.authorId
+          live.currentTurnAuthorIds = new Set(batch.map((m) => m.authorId))
           live.consecutiveSends.clear()
           live.lastSentText.clear()
+        } else if (live.lastTurnAuthorId !== null) {
+          // Reminder-only turn (batch.length === 0, reminders.length > 0):
+          // restore the author identity from the prior turn so author-
+          // scoped role resolution still works on this turn. The drain
+          // finally-block clears `currentTurnAuthorId` between turns, so a
+          // reminder arriving while the session is idle would otherwise
+          // strip `lastInboundAuthorId` from the tool.before origin and
+          // demote roles like `slack:T0/C0 author:U_OWNER` to whichever
+          // non-author rule matches — silently breaking the channel_reply
+          // that the reminder is asking the agent to send. `lastTurnAuthorId`
+          // tracks the LAST speaker of the prior batch (matching normal-
+          // turn `batch[batch.length - 1]!.authorId` semantics) so a multi-
+          // author prior turn like alice→bob restores `bob`, not alice.
+          live.currentTurnAuthorId = live.lastTurnAuthorId
+          live.currentTurnAuthorIds = new Set(live.lastTurnAuthorIds)
         }
 
         // Update the live origin holder so this turn's tool.before events
@@ -1127,7 +1221,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         logger.info(`[channels] ${live.keyId} prompting batch=${batch.length} text_len=${text.length}`)
         const promptStart = now()
         const successfulSendsBeforePrompt = live.successfulChannelSends
-        await fireSessionTurnStart(live)
+        await fireSessionTurnStart(live, text)
         try {
           await live.session.prompt(text)
           await validateChannelTurn(live, successfulSendsBeforePrompt)
@@ -1142,6 +1236,9 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         }
         await fireSessionIdle(live)
         live.lastTurnAuthorIds = new Set(live.currentTurnAuthorIds)
+        if (live.currentTurnAuthorId !== null) {
+          live.lastTurnAuthorId = live.currentTurnAuthorId
+        }
       }
     } finally {
       live.draining = false
@@ -1645,8 +1742,9 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     const assistantText = latestAssistantText(live.session)
     if (assistantText === null) return
 
-    if (isNoReplySignal(assistantText)) {
-      logger.info(`[channels] ${live.keyId} no_reply`)
+    if (endsWithNoReplySignal(assistantText)) {
+      const leakedReasoning = !isNoReplySignal(assistantText)
+      logger.info(`[channels] ${live.keyId} no_reply${leakedReasoning ? ' (with_leaked_reasoning)' : ''}`)
       return
     }
 
@@ -1657,6 +1755,11 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       return
     }
 
+    if (isLikelyKimiChannelToolLeak(assistantText)) {
+      logger.warn(`[channels] ${live.keyId}: suppressed kimi_tool_call_leak text_len=${assistantText.length}`)
+      return
+    }
+
     logger.warn(
       `[channels] ${live.keyId}: recovering assistant_text_without_channel_tool text_len=${assistantText.length}`,
     )
@@ -1743,6 +1846,14 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
       if (live.destroyed) continue
       if (live.draining) continue
       if (live.promptQueue.length > 0) continue
+      // pendingSystemReminders is checked alongside promptQueue because both
+      // represent pending work that drain() will process. Today's only
+      // populator (injectSubagentCompletionReminder) also fires drain()
+      // synchronously, which sets draining=true and shadows this guard via
+      // the line above — but the guard exists to keep the invariant honest
+      // for any future caller that queues a reminder without immediately
+      // waking the drain loop.
+      if (live.pendingSystemReminders.length > 0) continue
       if (t - live.lastInboundAt <= SESSION_IDLE_MS) continue
       victims.push(live)
     }
@@ -1812,6 +1923,45 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     return { kind: 'unknown-command', name: lowered }
   }
 
+  const injectSubagentCompletionReminder = (args: {
+    parentSessionId: string
+    subagent: string
+    taskId: string
+    ok: boolean
+    durationMs: number
+    error?: string
+  }): { kind: 'delivered'; keyId: string } | { kind: 'no-live-session' } => {
+    for (const live of liveSessions.values()) {
+      if (live.destroyed) continue
+      if (live.sessionId !== args.parentSessionId) continue
+      const text = renderSubagentCompletionReminder({
+        subagent: args.subagent,
+        taskId: args.taskId,
+        ok: args.ok,
+        durationMs: args.durationMs,
+        ...(args.error !== undefined ? { error: args.error } : {}),
+        channel: true,
+      })
+      live.pendingSystemReminders.push(text)
+      logger.info(`[channels] ${live.keyId}: subagent-completion reminder queued task=${args.taskId} ok=${args.ok}`)
+      // Wake the drain loop. If a turn is already in flight, the wakeup is
+      // a no-op because drain() will pick up the reminder on its next
+      // iteration (it now gates on promptQueue OR pendingSystemReminders).
+      // If the session is idle, fire drain() immediately rather than going
+      // through the debounce path — the reminder is not a user inbound,
+      // so the "coalesce nearby inbounds" rationale for debouncing does
+      // not apply. Mirrors the TUI path's `idle ? 'interrupt' : 'queue'`
+      // semantics: the channel router doesn't have a `delivery: interrupt`
+      // mechanism (no in-flight abort during a turn), but firing drain()
+      // immediately is the equivalent for an idle session.
+      if (!live.draining) {
+        void drain(live)
+      }
+      return { kind: 'delivered', keyId: live.keyId }
+    }
+    return { kind: 'no-live-session' }
+  }
+
   return {
     route,
     send,
@@ -1833,6 +1983,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     fetchAttachment,
     executeCommand,
     getSelfAliases: computeSelfAliases,
+    injectSubagentCompletionReminder,
     stop,
     liveCount: () => liveSessions.size,
     __testing: {
@@ -1876,6 +2027,22 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         await stopTypingHeartbeat(live)
       },
       runIdleGc,
+      getLiveOriginSnapshot: (key: ChannelKey) => {
+        const live = liveSessions.get(channelKeyId(key))
+        const origin = live?.originRef.current
+        if (origin === undefined) return undefined
+        return { ...origin }
+      },
+      getLiveAuthorState: (key: ChannelKey) => {
+        const live = liveSessions.get(channelKeyId(key))
+        if (live === undefined) return undefined
+        return {
+          currentTurnAuthorId: live.currentTurnAuthorId,
+          currentTurnAuthorIds: Array.from(live.currentTurnAuthorIds),
+          lastTurnAuthorId: live.lastTurnAuthorId,
+          lastTurnAuthorIds: Array.from(live.lastTurnAuthorIds),
+        }
+      },
     },
   }
 }
@@ -1883,27 +2050,50 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
 function composeTurnPrompt(
   observed: readonly ObservedInbound[],
   batch: readonly QueuedInbound[],
-  state: { loopGuardActive: boolean } = { loopGuardActive: false },
+  state: { loopGuardActive: boolean; systemReminders?: readonly string[] } = { loopGuardActive: false },
 ): string {
   const parts: string[] = []
+  // System reminders (subagent-completion wakeups today) lead the turn body
+  // because they are typically what triggered the drain — when the prompt
+  // queue is empty and the only thing in this iteration is a reminder, the
+  // model needs to see the reminder before any optional context. The
+  // reminder block is self-fenced by its <system-reminder> tags, so no
+  // extra framing is needed and the model already learns this shape from
+  // the TUI path; channel sessions see the same tags.
+  if (state.systemReminders && state.systemReminders.length > 0) {
+    for (const reminder of state.systemReminders) {
+      parts.push(reminder)
+    }
+    parts.push('')
+  }
   // Loop-guard notice lives in the user-turn text (recomposed every drain)
   // rather than in the system prompt so it does not invalidate the
   // prompt-prefix cache. The cached prefix covers system + tools + earlier
   // turns; the current user-turn suffix is non-cacheable by design, so
   // adding a section here is cache-neutral.
   //
-  // SYSTEM MESSAGE convention: any runtime-injected block in the user turn
-  // that is NOT from a chat participant must use the
-  // `**[SYSTEM MESSAGE — not from a human]**` framing fenced by horizontal
-  // rules (`---`). This is structurally distinct from the H2 sections used
-  // for actual conversation content (`## Recent context`,
+  // SYSTEM MESSAGE convention: any runtime-injected block in the user
+  // turn that is NOT from a chat participant MUST use the
+  // `**[SYSTEM MESSAGE — not from a human]**` framing fenced by
+  // horizontal rules (`---`) — the loop-guard block below is the
+  // canonical example. This is structurally distinct from the H2
+  // sections used for actual conversation content (`## Recent context`,
   // `## Current message`). Without the fencing, models — especially
   // persona-rich ones like Kimi — read the heading as a human-authored
   // instruction and reply to it ("알겠습니다, 대화 여기까지 할게요"). The
-  // bracketed marker plus the explicit "Do not acknowledge or reply to this
-  // notice" line is the trust boundary that prevents this. New runtime
-  // notices (rate-limit, schema-mismatch, abort signals, etc.) MUST follow
-  // this same convention so models learn the pattern.
+  // bracketed marker plus the explicit "Do not acknowledge or reply to
+  // this notice" line is the trust boundary that prevents this. New
+  // runtime notices (rate-limit, schema-mismatch, abort signals, etc.)
+  // MUST follow this convention.
+  //
+  // ONE narrow exception exists: subagent-completion reminders use
+  // `<system-reminder>...</system-reminder>` tags (prepended above) for
+  // parity with the TUI path's identical tagging (see
+  // `renderSubagentCompletionReminder` in
+  // `src/agent/subagent-completion-reminder.ts`) so the model sees the
+  // same shape across origins. The exception is scoped to that single
+  // case: do NOT extend it to new notice types. Anything that is not
+  // a true subagent-style completion ping uses framing 1.
   if (state.loopGuardActive) {
     parts.push(
       '---',
@@ -1930,10 +2120,23 @@ function composeTurnPrompt(
       parts.push(formatAuthorLine(o.ts, o.authorId, o.authorName, o.authorIsBot, o.text))
     }
     parts.push('')
-    parts.push(batch.length === 1 ? '## Current message (addressed to you)' : '## Current messages (addressed to you)')
   }
-  for (const b of batch) {
-    parts.push(formatAuthorLine(b.ts, b.authorId, b.authorName, b.authorIsBot, b.text))
+  // Only emit the `## Current message(s)` header when there is at least one
+  // queued inbound to live under it. A reminder-only wakeup (subagent
+  // completion firing while the prompt queue is empty) used to print the
+  // header with zero lines underneath; persona-rich models read the empty
+  // header as "there must be a current message addressed to me" and
+  // hallucinated content to reply to. The header is now batch-gated; the
+  // reminder block above and any observed context still render normally.
+  if (batch.length > 0) {
+    if (observed.length > 0) {
+      parts.push(
+        batch.length === 1 ? '## Current message (addressed to you)' : '## Current messages (addressed to you)',
+      )
+    }
+    for (const b of batch) {
+      parts.push(formatAuthorLine(b.ts, b.authorId, b.authorName, b.authorIsBot, b.text))
+    }
   }
   return parts.join('\n')
 }
@@ -2133,6 +2336,45 @@ export function isNoReplySignal(text: string): boolean {
   return false
 }
 
+// Looser sibling of isNoReplySignal, used ONLY by validateChannelTurn's
+// recovery path. Catches leaked-reasoning turns where the model produced
+// prose and then ended with the silent-turn token, e.g.
+//   "The user is laughing. ... I'll end with NO_REPLY.NO_REPLY"
+// Today those fall through to recovery and the entire reasoning paragraph
+// gets posted to the channel — the worst-possible outcome, since the leaked
+// prose is itself an admission that the model intended to stay silent.
+//
+// NOT shared with channel_send / channel_reply misuse guards: those need
+// strict literal match so a legitimate message like "set NO_REPLY=true in
+// the env" isn't rejected as a misuse of the silent-turn signal. Recovery
+// is a different question — by the time we get here the model already
+// failed to call the tool, and "ends in NO_REPLY" is strong evidence of
+// intent to stay silent, not of intent to send those bytes.
+//
+// Matches (returns true):
+//   "NO_REPLY"                        (strict)
+//   "(NO_REPLY)"                      (strict, parenthesized)
+//   "... I'll end with NO_REPLY"      (trailing token after whitespace)
+//   "... end with NO_REPLY."          (+ sentence punctuation)
+//   "... end with NO_REPLY.NO_REPLY"  (model-doubled terminator, glued)
+//   "... and stop. (NO_REPLY)"        (parenthesized at end)
+// Does not match (returns false):
+//   "NO_REPLY means do nothing"       (token at start, prose after)
+//   "the env var is NO_REPLY_MODE"    (substring, not whole token)
+//   "no reply needed"                 (case-sensitive on purpose)
+export function endsWithNoReplySignal(text: string): boolean {
+  if (isNoReplySignal(text)) return true
+  const trimmed = text.trim()
+  if (trimmed === '') return false
+  // Strip trailing sentence punctuation / closing brackets / whitespace, then
+  // check the last whitespace-or-punctuation-separated token. The leading
+  // boundary in the regex (`[\s.!?([]`) treats `.NO_REPLY` as a separate
+  // token from the preceding sentence, which covers the model-doubled
+  // `...NO_REPLY.NO_REPLY` shape.
+  const tail = trimmed.replace(/[.!?)\]\s]+$/, '')
+  return /(?:^|[\s.!?([])\(?NO_REPLY\)?$/.test(tail)
+}
+
 // Detects the upstream "empty response" debug sentinel: when the LLM ends a
 // turn with only a `thinking` block, some provider SDK paths (observed
 // against claude-opus-4-5 via pi-ai) fabricate a single text block whose
@@ -2158,6 +2400,62 @@ export function isUpstreamEmptyResponseSentinel(text: string): boolean {
   return trimmed.includes("'stop_reason'")
 }
 
+// Detects any Kimi-family tool-call delimiter token. Kimi-family deployments
+// emit tool calls inline in their native chat template using these tokens:
+//
+//   <|tool_calls_section_begin|>
+//     <|tool_call_begin|>functions.<name>:<idx><|tool_call_argument_begin|>{...}<|tool_call_end|>
+//   <|tool_calls_section_end|>
+//
+// (Source: https://github.com/MoonshotAI/Kimi-K2/blob/1b4022b/docs/tool_call_guidance.md;
+// the documented set is exactly five tokens — the section begin/end markers,
+// the per-call begin/end markers, and the argument-begin separator. There is
+// no `<|tool_call_argument_end|>`: arguments terminate at `<|tool_call_end|>`.)
+//
+// Production inference servers are expected to parse this format server-side
+// and translate it into OpenAI-shaped `choice.delta.tool_calls`. When the
+// translation breaks (observed against Fireworks' `kimi-k2p6-turbo` router on
+// 2026-05-24; vLLM had a similar class of leak fixed in
+// https://github.com/vllm-project/vllm/pull/38579), the raw tokens flow
+// through `choice.delta.content` instead. pi-ai's `openai-completions`
+// provider is vendor-neutral and has no Kimi-specific parser, so they land
+// verbatim in the assistant message's text content with `stopReason: 'stop'`.
+//
+// Used as a defense-in-depth check at the `channel_send` / `channel_reply`
+// tool boundary so a model that somehow passes raw delimiter text as the
+// message body is denied. NOT used directly by the recovery path in
+// `validateChannelTurn` — see `isLikelyKimiChannelToolLeak` below.
+const KIMI_TOOL_DELIMITER_RE = /<\|tool_calls_section_(?:begin|end)\|>|<\|tool_call_(?:begin|end|argument_begin)\|>/
+
+export function containsKimiToolDelimiter(text: string): boolean {
+  return KIMI_TOOL_DELIMITER_RE.test(text)
+}
+
+// Narrower predicate used by `validateChannelTurn` to decide whether to
+// suppress recovery of assistant text. Requires BOTH:
+//   (1) at least one Kimi tool-call delimiter token, AND
+//   (2) a recognizable channel-tool-call identifier (`channel_reply:N` or
+//       `channel_send:N`, with or without the `functions.` prefix).
+//
+// The two-signal rule narrows the false-positive surface to "the model was
+// trying to call a channel tool and the upstream parser failed". Bare-text
+// discussion of the Kimi protocol — e.g. the agent answering "explain Kimi's
+// tool-call format" with documentation-style prose containing `<|tool_call_begin|>`
+// — does NOT trigger suppression and reaches the user normally. The leak shape
+// observed in production (`channel_reply:0<|tool_call_argument_begin|>{...}<|tool_calls_section_end|>`)
+// satisfies both conditions trivially.
+//
+// The tool-name regex deliberately stays loose on the index suffix
+// (`channel_reply:0` / `channel_reply:1` / `channel_send:0` / ...): every
+// observed leak uses the canonical `functions.<name>:<idx>` shape, but partial
+// parsers may strip the `functions.` prefix before the leak surfaces.
+const KIMI_CHANNEL_TOOL_ID_RE = /(?:functions\.)?channel_(?:reply|send):\d+/
+
+export function isLikelyKimiChannelToolLeak(text: string): boolean {
+  if (!containsKimiToolDelimiter(text)) return false
+  return KIMI_CHANNEL_TOOL_ID_RE.test(text)
+}
+
 function describe(err: unknown): string {
   return err instanceof Error ? err.message : String(err)
 }

package/src/channels/subagent-completion-bridge.ts

@@ -0,0 +1,84 @@
+import { parseSubagentCompletedPayload } from '@/agent/subagent-completion-reminder'
+import type { Stream } from '@/stream'
+
+import type { ChannelRouter } from './router'
+
+export type SubagentCompletionBridgeLogger = {
+  info: (msg: string) => void
+  warn: (msg: string) => void
+}
+
+export type SubagentCompletionBridgeOptions = {
+  stream: Stream
+  router: Pick<ChannelRouter, 'injectSubagentCompletionReminder'>
+  logger?: SubagentCompletionBridgeLogger
+}
+
+export type SubagentCompletionBridge = {
+  stop: () => void
+}
+
+const consoleLogger: SubagentCompletionBridgeLogger = {
+  info: (msg) => console.log(msg),
+  warn: (msg) => console.warn(msg),
+}
+
+// Bridges `subagent.completed` broadcasts on the in-process Stream into a
+// channel router call so the channel session that spawned the subagent
+// gets woken up with a `<system-reminder>` when the subagent finishes.
+//
+// Two-bridges-for-two-surfaces design (matches the TUI side at
+// src/server/index.ts `routeSubagentCompletionReminder`):
+//
+//   - TUI sessions: the WS server subscribes to broadcasts on the same
+//     stream and re-publishes the reminder as `target: { kind: 'session' }`
+//     so the per-session drain loop in the server picks it up. Lookup is
+//     by sessionId (which is `state.sessionFileId`).
+//
+//   - Channel sessions: this bridge subscribes and calls
+//     `router.injectSubagentCompletionReminder` because the channel router
+//     owns its own per-key drain loop and doesn't use the stream's
+//     session-keyed target.
+//
+// `parentSessionId` matching is the same on both sides: when a channel
+// session spawns a subagent via `spawn_subagent`, the tool captures
+// `sessionManager.getSessionId()` and publishes it as the broadcast's
+// `parentSessionId`. That id is exactly what the router stores on each
+// `LiveSession`, so the lookup is O(N) over live sessions with N small
+// (one per active conversation).
+//
+// On `no-live-session`, we silently drop. Three observable paths reach
+// this branch in production:
+//
+//   - The parent session was GC'd by the idle-eviction tick
+//     (SESSION_IDLE_MS) while the subagent was running.
+//   - The parent session rolled over (SESSION_FRESHNESS_TTL_MS) when a
+//     new inbound arrived during a long-running subagent — the channel
+//     conversation continues on the new sessionId, but the broadcast
+//     still carries the old one.
+//   - The parent was a TUI session (the TUI bridge in
+//     src/server/index.ts handles it).
+//
+// The right fix for the first two paths is for the broadcast to carry
+// the channel-key coordinate `{ adapter, workspace, chat, thread }` so
+// the bridge can fall back to "any live session for the same channel
+// key" when the exact sessionId no longer matches. That requires
+// extending the broadcast payload (consumed by TUI and channel paths)
+// and gating spawn_subagent to capture the origin coordinates — both
+// non-trivial. Deferred until we see this drop pattern in production
+// logs; the info log line below makes the case diagnosable from logs
+// alone.
+export function createSubagentCompletionBridge(options: SubagentCompletionBridgeOptions): SubagentCompletionBridge {
+  const logger = options.logger ?? consoleLogger
+  const unsubscribe = options.stream.subscribe({ target: { kind: 'broadcast' } }, (msg) => {
+    const parsed = parseSubagentCompletedPayload(msg.payload)
+    if (parsed === null) return
+    const result = options.router.injectSubagentCompletionReminder(parsed)
+    if (result.kind === 'no-live-session') {
+      logger.info(
+        `[channels] subagent-completion reminder dropped: no live session for parentSessionId=${parsed.parentSessionId} task=${parsed.taskId}`,
+      )
+    }
+  })
+  return { stop: unsubscribe }
+}

package/src/cli/builtins.ts

@@ -12,6 +12,7 @@ export const BUILTIN_COMMAND_NAMES = [
   'status',
   'reload',
   'logs',
+  'inspect',
   'shell',
   'compose',
   'channel',