typeclaw 0.8.0 → 0.9.1

package/src/agent/tools/channel-reply.ts

@@ -1,10 +1,16 @@
 import { Type } from '@mariozechner/pi-ai'
 import { defineTool } from '@mariozechner/pi-coding-agent'
 
-import { isNoReplySignal, isUpstreamEmptyResponseSentinel, type ChannelRouter } from '@/channels/router'
+import {
+  containsKimiToolDelimiter,
+  isNoReplySignal,
+  isUpstreamEmptyResponseSentinel,
+  type ChannelRouter,
+} from '@/channels/router'
 import type { AdapterId } from '@/channels/schema'
 
 import { type ChannelToolLogger, consoleChannelLogger, formatChannelToolFailure } from './channel-log'
+import { fenceRuntimeNotice } from './runtime-notice'
 
 export type ChannelReplyOrigin = {
   adapter: AdapterId
@@ -98,6 +104,15 @@ export function createChannelReplyTool({
         }
       }
 
+      const kimiLeakError = kimiToolCallLeakError(text)
+      if (kimiLeakError) {
+        logger.warn(formatChannelToolFailure('channel_reply', kimiLeakError))
+        return {
+          content: [{ type: 'text' as const, text: `channel_reply denied: ${kimiLeakError}` }],
+          details: { ok: false, error: kimiLeakError },
+        }
+      }
+
       const result = await router.send({
         adapter: origin.adapter,
         workspace: origin.workspace,
@@ -148,14 +163,24 @@ export function createChannelReplyTool({
             }),
           )
         : ''
+      const body = hint ? `${baseText}${hint}` : baseText
       return {
-        content: [{ type: 'text' as const, text: hint ? `${baseText} — ${hint}` : baseText }],
+        content: [{ type: 'text' as const, text: `${TOOL_RESULT_PREFIX}${body}` }],
         details,
       }
     },
   })
 }
 
+// Tool results reach the model as USER-role messages (OpenAI / Anthropic
+// tool-API contract — the engine cannot tag them as system). Without this
+// marker a persona-rich model reads its own echo as a fresh user inbound
+// and replies to itself. Observed in production: Kimi K2 on KakaoTalk
+// re-invoked after a successful send saw only the echo as new context
+// and hallucinated a goodbye trigger from it. Mirrored verbatim in
+// channel-send.ts so both tools share one greppable marker.
+export const TOOL_RESULT_PREFIX = '[system: tool result, not a user message] '
+
 export const ECHO_MAX_CHARS = 500
 
 export function renderEcho(text: string): string {
@@ -211,12 +236,27 @@ function upstreamEmptyResponseSentinelError(text: string | undefined): string {
   )
 }
 
+function kimiToolCallLeakError(text: string | undefined): string {
+  if (text === undefined) return ''
+  if (!containsKimiToolDelimiter(text)) return ''
+  return (
+    'refusing to forward raw provider tool-call control tokens; these are chat-template ' +
+    'delimiters that should have been parsed into a real tool call upstream. ' +
+    'Re-issue the intended channel reply as plain user-visible text only.'
+  )
+}
+
 // Mirror of the same hint used by channel_send. Kept identical so the model
-// sees the same yield signal regardless of which tool it picked.
+// sees the same yield signal regardless of which tool it picked. The body
+// is wrapped via `fenceRuntimeNotice` (in `./runtime-notice`) so persona-rich
+// models cannot read the trailing prose as a chat instruction and reply to
+// it in-character. See that helper's comment for the failure mode that
+// motivated the framing.
 function consecutiveSendHint(countAfterSend: number): string {
   if (countAfterSend <= 1) return ''
-  if (countAfterSend === 2) {
-    return 'this is your 2nd consecutive message in this conversation; continue only if the reply genuinely needs splitting.'
-  }
-  return `${countAfterSend}th consecutive message with no user reply; end your turn now unless the user explicitly asked for a multi-step response.`
+  const body =
+    countAfterSend === 2
+      ? 'this is your 2nd consecutive message in this conversation; continue only if the reply genuinely needs splitting.'
+      : `${countAfterSend}th consecutive message with no user reply; end your turn now unless the user explicitly asked for a multi-step response.`
+  return fenceRuntimeNotice(body)
 }

package/src/agent/tools/channel-send.ts

@@ -1,11 +1,17 @@
 import { Type } from '@mariozechner/pi-ai'
 import { defineTool } from '@mariozechner/pi-coding-agent'
 
-import { isNoReplySignal, isUpstreamEmptyResponseSentinel, type ChannelRouter } from '@/channels/router'
+import {
+  containsKimiToolDelimiter,
+  isNoReplySignal,
+  isUpstreamEmptyResponseSentinel,
+  type ChannelRouter,
+} from '@/channels/router'
 import { ADAPTER_IDS, type AdapterId } from '@/channels/schema'
 
 import { type ChannelToolLogger, consoleChannelLogger, formatChannelToolFailure } from './channel-log'
-import { renderOutboundEcho } from './channel-reply'
+import { renderOutboundEcho, TOOL_RESULT_PREFIX } from './channel-reply'
+import { fenceRuntimeNotice } from './runtime-notice'
 
 export type ChannelSendOrigin = {
   adapter: AdapterId
@@ -121,6 +127,15 @@ export function createChannelSendTool({ router, origin, logger = consoleChannelL
         }
       }
 
+      const kimiLeakError = kimiToolCallLeakError(bodyText)
+      if (kimiLeakError) {
+        logger.warn(formatChannelToolFailure('channel_send', kimiLeakError))
+        return {
+          content: [{ type: 'text' as const, text: `channel_send denied: ${kimiLeakError}` }],
+          details: { ok: false, error: kimiLeakError },
+        }
+      }
+
       const result = await router.send({
         adapter,
         workspace: params.workspace,
@@ -163,9 +178,9 @@ export function createChannelSendTool({ router, origin, logger = consoleChannelL
         })
         if (threadMismatch) hints.push(threadMismatch)
       }
-      const responseText = hints.length > 0 ? `${baseText} — ${hints.join(' ')}` : baseText
+      const body = hints.length > 0 ? `${baseText}${hints.join('')}` : baseText
       return {
-        content: [{ type: 'text' as const, text: responseText }],
+        content: [{ type: 'text' as const, text: `${TOOL_RESULT_PREFIX}${body}` }],
         details,
       }
     },
@@ -181,6 +196,11 @@ export function createChannelSendTool({ router, origin, logger = consoleChannelL
 //
 // Only fires when the origin had a thread to begin with — channel-root
 // sessions can't have a "missing thread" problem.
+//
+// Body is fenced via `fenceRuntimeNotice` for the same reason the
+// consecutive-send hint is — see that helper's comment for the failure
+// mode (Kimi-K2.x reading trailing tool-result prose as a chat instruction
+// and replying to it in-character).
 function threadMismatchHint(
   origin: ChannelSendOrigin | undefined,
   sent: { adapter: AdapterId; workspace: string; chat: string; thread: string | undefined },
@@ -191,10 +211,10 @@ function threadMismatchHint(
   if (origin.adapter !== sent.adapter) return ''
   if (origin.workspace !== sent.workspace) return ''
   if (origin.chat !== sent.chat) return ''
-  return (
+  return fenceRuntimeNotice(
     `note: this session's origin thread is ${JSON.stringify(origin.thread)} but you posted to channel root. ` +
-    `if breaking out of the thread was intentional, ignore this; otherwise prefer \`channel_reply\` ` +
-    `or pass \`thread: ${JSON.stringify(origin.thread)}\` on your next channel_send.`
+      `if breaking out of the thread was intentional, ignore this; otherwise prefer \`channel_reply\` ` +
+      `or pass \`thread: ${JSON.stringify(origin.thread)}\` on your next channel_send.`,
   )
 }
 
@@ -233,16 +253,28 @@ function upstreamEmptyResponseSentinelError(text: string | undefined): string {
   )
 }
 
+function kimiToolCallLeakError(text: string | undefined): string {
+  if (text === undefined) return ''
+  if (!containsKimiToolDelimiter(text)) return ''
+  return (
+    'refusing to forward raw provider tool-call control tokens; these are chat-template ' +
+    'delimiters that should have been parsed into a real tool call upstream. ' +
+    'Re-issue the intended channel send as plain user-visible text only.'
+  )
+}
+
 // Returns a behavioral hint to nudge the model toward yielding when it has
 // been the only voice in the conversation for several messages. The router
 // increments its counter AFTER router.send returns, so a count of 1 means
 // "this is the second consecutive bot message in this chat:thread" — which
 // is the first count where a hint is warranted. Empty string at count <= 1
 // preserves the original tool-result text for the common single-reply case.
+// Mirror of channel-reply.ts; body wrapped via `fenceRuntimeNotice`.
 function consecutiveSendHint(countAfterSend: number): string {
   if (countAfterSend <= 1) return ''
-  if (countAfterSend === 2) {
-    return 'this is your 2nd consecutive message in this conversation; continue only if the reply genuinely needs splitting.'
-  }
-  return `${countAfterSend}th consecutive message with no user reply; end your turn now unless the user explicitly asked for a multi-step response.`
+  const body =
+    countAfterSend === 2
+      ? 'this is your 2nd consecutive message in this conversation; continue only if the reply genuinely needs splitting.'
+      : `${countAfterSend}th consecutive message with no user reply; end your turn now unless the user explicitly asked for a multi-step response.`
+  return fenceRuntimeNotice(body)
 }

package/src/agent/tools/runtime-notice.ts

@@ -0,0 +1,41 @@
+// Wraps a runtime-emitted notice body in canonical SYSTEM MESSAGE framing so
+// persona-rich models cannot read the prose as a chat instruction from a
+// human and respond to it in-character.
+//
+// The failure mode this exists to prevent: tool results reach the model as
+// USER-role messages (provider tool-call contract — engines cannot tag them
+// as system). The `TOOL_RESULT_PREFIX` already marks each result's leading
+// position, but trailing natural-language hints (the consecutive-send nudge
+// is the canonical case) still parse as conversational prose, and Kimi-K2.x
+// has been observed in production responding to those hints in-character —
+// an apology directly addressed at the human ("sorry for talking so much,
+// I'll be quieter next time") when the only stimulus in the prompt was the
+// router's "Nth consecutive message; end your turn now" hint. Four
+// consecutive in-character replies to fenced-prose runtime hints in a
+// single drain iteration is the observed shape.
+//
+// Framing convention is the same shape `composeTurnPrompt` uses for the
+// loop-guard block in `router.ts` — bracketed marker, fence rules, and
+// explicit "Do not acknowledge or reply to this notice" closer. The
+// loop-guard block has been in production against Kimi for months without
+// the misread we observed on the consecutive-send hint, which is why we
+// reuse the exact same shape here.
+//
+// Applied unconditionally (not model-gated): the cost is ~40 tokens per
+// hint emission, paid only on consecutive sends (where the hint is already
+// firing), and the framing is safe for every model — well-behaved models
+// read it and move on. Gating by model family would have required a
+// traits table for one defense and would still need extending the moment
+// a second model family exhibited the same misread, so we accept the
+// universal cost in exchange for never having to remember to add a new
+// family to a list.
+export function fenceRuntimeNotice(body: string): string {
+  return (
+    '\n\n---\n' +
+    '**[SYSTEM MESSAGE — not from a human]**\n\n' +
+    body +
+    '\n\nThis is an automated signal from the channel router, not a message ' +
+    'from anyone in the chat. **Do not acknowledge or reply to this notice.**\n' +
+    '---'
+  )
+}

package/src/bundled-plugins/explorer/explorer.ts

@@ -9,7 +9,7 @@ You are STRICTLY PROHIBITED from:
 - Creating, modifying, or deleting files
 - Using bash for: mkdir, touch, rm, cp, mv, git add, git commit, npm install, pip install, or any write operation
 - Starting long-running background processes
-- Writing to MEMORY.md, sessions/, workspace/, or any other runtime-managed path
+- Writing to memory/topics/, memory/streams/, sessions/, workspace/, or any other runtime-managed path
 - Spawning further subagents — you are at the end of the delegation chain
 
 Your role is EXCLUSIVELY to search and analyze existing local state.
@@ -32,7 +32,7 @@ The agent folder is mounted at \`/agent\` inside the container. Search the narro
 
 1. **Codebase** — \`/agent/\` root and subdirs (excluding the runtime-managed paths below). Source files, docs, identity files (\`IDENTITY.md\`, \`SOUL.md\`, \`USER.md\`, \`AGENTS.md\`).
 2. **Sessions** — \`/agent/sessions/*.jsonl\` — conversation transcripts. Each line is a JSON event (user message, tool call, tool result, assistant message). Filename pattern \`\${ISO_TIMESTAMP}_\${UUID}.jsonl\`. \`grep\` works directly on the JSONL.
-3. **Memory** — \`/agent/MEMORY.md\` (long-term consolidated memory) and \`/agent/memory/yyyy-MM-dd.jsonl\` (daily fragment streams written by the memory-logger subagent). \`memory/.dreaming-state.json\` tracks the dreaming watermark. Do NOT edit any of these — they are runtime-owned.
+3. **Memory** — \`/agent/memory/topics/*.md\` (long-term topic shards) and \`/agent/memory/streams/yyyy-MM-dd.jsonl\` (daily fragment streams written by the memory-logger subagent). \`memory/.dreaming-state.json\` tracks the dreaming watermark. Do NOT edit any of these — they are runtime-owned.
 4. **Muscle-memory skills** — \`/agent/memory/skills/<name>/SKILL.md\` — procedures the dreaming subagent distilled from repeated work.
 5. **User-installed skills** — \`/agent/.agents/skills/<name>/SKILL.md\` — hand-authored or downloaded skills.
 6. **Workspace** — \`/agent/workspace/\` — the agent's free-write zone. Drafts, scratch work, generated artifacts.

package/src/bundled-plugins/guard/index.ts

@@ -2,6 +2,7 @@ import { definePlugin } from '@/plugin'
 
 import {
   checkManagedConfigGuard,
+  checkMemoryTopicsDeleteGuard,
   checkNonWorkspaceWriteGuard,
   checkSkillAuthoringGuard,
   checkUncommittedChangesAdvice,
@@ -23,7 +24,19 @@ export default definePlugin({
           agentDir: ctx.agentDir,
         })
         if (skillResult) return skillResult
-        return checkNonWorkspaceWriteGuard({ tool: event.tool, args: event.args, agentDir: ctx.agentDir })
+        const memoryTopicsDeleteResult = checkMemoryTopicsDeleteGuard({
+          tool: event.tool,
+          args: event.args,
+          agentDir: ctx.agentDir,
+          origin: event.origin,
+        })
+        if (memoryTopicsDeleteResult) return memoryTopicsDeleteResult
+        return checkNonWorkspaceWriteGuard({
+          tool: event.tool,
+          args: event.args,
+          agentDir: ctx.agentDir,
+          origin: event.origin,
+        })
       },
       'tool.after': async (event, ctx) => {
         await checkUncommittedChangesAdvice({

package/src/bundled-plugins/guard/policies/managed-config.ts

@@ -39,19 +39,31 @@ export async function checkManagedConfigGuard(options: {
   }
 }
 
+// Oracle PR #305 findings #5 and #6: identity-based managed-file
+// detection. The earlier shape compared `basename(realpath(target))` to
+// the managed-file list, which missed two attacks: (5) a symlink at
+// agent root `typeclaw.json -> workspace/tc.json` realpathed to a name
+// outside the managed list, and (6) on case-insensitive filesystems,
+// `TYPECLAW.JSON` addresses the same file as `typeclaw.json` but
+// basename string-equality missed the casing variant.
+//
+// New shape: for each managed-file name, compute the canonical agent-
+// root path and compare against the target. We accept if EITHER the
+// lexical paths match OR they realpath to the same file. Branch (a)
+// covers symlinks and case-aliased filesystems; branch (b) keeps the
+// canonical lexical name authoritative even before the file exists
+// (first-init writes).
 async function resolveManagedTarget(agentDir: string, targetPath: string): Promise<{ file: ManagedFile } | undefined> {
   const resolvedAgentDir = path.resolve(agentDir)
-  const realAgentDir = await resolveRealIntendedPath(resolvedAgentDir)
-  const realTargetPath = await resolveRealIntendedPath(targetPath)
-
-  if (path.dirname(realTargetPath) !== realAgentDir) return undefined
-
-  const basename = path.basename(realTargetPath)
-  return isManagedFile(basename) ? { file: basename } : undefined
-}
-
-function isManagedFile(basename: string): basename is ManagedFile {
-  return MANAGED_FILES.has(basename as ManagedFile)
+  const resolvedTarget = path.resolve(targetPath)
+  for (const file of MANAGED_FILES) {
+    const canonical = path.join(resolvedAgentDir, file)
+    if (canonical === resolvedTarget) return { file }
+    const realCanonical = await resolveRealIntendedPath(canonical)
+    const realTarget = await resolveRealIntendedPath(resolvedTarget)
+    if (realCanonical === realTarget) return { file }
+  }
+  return undefined
 }
 
 function validateManagedContent(file: ManagedFile, content: string): { ok: true } | { ok: false; reason: string } {
@@ -81,6 +93,20 @@ async function intendedContent(
     return blockReason(tool, targetPath, 'edit calls must include an edits array')
   }
 
+  // Oracle PR #305 finding #4: refuse multi-edit on managed files to
+  // avoid simulator-vs-pi divergence. The canonical workflow for
+  // typeclaw.json / cron.json is read + modify in memory + write the
+  // whole file back; multi-edit is not required and the divergence
+  // would let an attacker validate a different final file here than
+  // the one pi actually writes.
+  if (edits.length > 1) {
+    return blockReason(
+      tool,
+      targetPath,
+      'multi-edit calls on managed files are refused — use `write` with full content instead',
+    )
+  }
+
   let content: string
   try {
     content = await readFile(targetPath, 'utf8')
@@ -100,10 +126,14 @@ async function intendedContent(
     if (oldText.length === 0) {
       return blockReason(tool, targetPath, 'edit oldText must not be empty')
     }
-    if (!content.includes(oldText)) {
+    const firstIdx = content.indexOf(oldText)
+    if (firstIdx === -1) {
       return blockReason(tool, targetPath, 'edit oldText was not found in existing file')
     }
-    content = content.replace(oldText, newText)
+    if (content.indexOf(oldText, firstIdx + 1) !== -1) {
+      return blockReason(tool, targetPath, 'edit oldText is not unique in the existing file')
+    }
+    content = content.slice(0, firstIdx) + newText + content.slice(firstIdx + oldText.length)
   }
   return { content }
 }

package/src/bundled-plugins/guard/policies/memory-retrieval-cache-write.ts

@@ -0,0 +1,37 @@
+import path from 'node:path'
+
+import type { SessionOrigin } from '@/agent/session-origin'
+import type { SecuritySeverity } from '@/bundled-plugins/security/permissions'
+
+export const GUARD_MEMORY_RETRIEVAL_CACHE_WRITE = 'memoryRetrievalCacheWrite'
+export const GUARD_MEMORY_RETRIEVAL_CACHE_WRITE_SEVERITY: SecuritySeverity = 'low'
+
+const SESSION_ID_REGEX = /^[A-Za-z0-9._-]{1,128}$/
+
+export async function isMemoryRetrievalCacheWriteAllowed(options: {
+  tool: string
+  args: Record<string, unknown>
+  agentDir: string
+  origin?: SessionOrigin
+}): Promise<boolean> {
+  const { tool, args, agentDir, origin } = options
+  if (tool !== 'write') return false
+  if (origin?.kind !== 'subagent' || origin.subagent !== 'memory-retrieval') return false
+
+  const rawPath = args.path
+  if (typeof rawPath !== 'string') return false
+
+  const targetPath = path.resolve(agentDir, rawPath)
+  const expectedDir = path.resolve(agentDir, 'memory', '.retrieval-cache')
+  const relative = path.relative(expectedDir, targetPath)
+  if (relative === '' || relative.startsWith('..') || path.isAbsolute(relative)) return false
+
+  const parts = relative.split(path.sep).filter(Boolean)
+  if (parts.length !== 1) return false
+
+  const fileName = parts[0]!
+  if (!fileName.endsWith('.md')) return false
+
+  const sessionId = fileName.slice(0, -3)
+  return SESSION_ID_REGEX.test(sessionId)
+}

package/src/bundled-plugins/guard/policies/memory-topics-delete.ts

@@ -0,0 +1,67 @@
+import path from 'node:path'
+
+import type { SessionOrigin } from '@/agent/session-origin'
+import { SLUG_REGEX } from '@/bundled-plugins/memory/slug'
+import type { SecuritySeverity } from '@/bundled-plugins/security/permissions'
+
+import type { GuardBlock } from '../policy'
+
+export const GUARD_MEMORY_TOPICS_DELETE = 'memoryTopicsDelete'
+
+export const GUARD_MEMORY_TOPICS_DELETE_SEVERITY: SecuritySeverity = 'medium'
+
+export function checkMemoryTopicsDeleteGuard(options: {
+  tool: string
+  args: Record<string, unknown>
+  agentDir: string
+  origin?: SessionOrigin
+}): GuardBlock | undefined {
+  const { tool, args, agentDir, origin } = options
+
+  if (tool !== 'delete_topic_shard') return undefined
+
+  const rawPath = args.path
+  if (typeof rawPath !== 'string') {
+    return block(tool, 'path argument must be a string')
+  }
+
+  if (origin?.kind !== 'subagent' || origin.subagent !== 'dreaming') {
+    return block(tool, 'only the dreaming subagent may delete topic shards')
+  }
+
+  if (rawPath.includes('\\')) {
+    return block(tool, 'path must use POSIX separators under memory/topics/')
+  }
+
+  const targetPath = path.resolve(agentDir, rawPath)
+  const topicsDir = path.resolve(agentDir, 'memory', 'topics')
+  const relative = path.relative(topicsDir, targetPath)
+
+  if (relative === '' || relative.startsWith('..') || path.isAbsolute(relative)) {
+    return block(tool, `path must be a direct child of memory/topics/: ${targetPath}`)
+  }
+
+  const parts = relative.split(path.sep).filter(Boolean)
+  if (parts.length !== 1) {
+    return block(tool, `path must be a single .md file inside memory/topics/: ${targetPath}`)
+  }
+
+  const fileName = parts[0]!
+  if (!fileName.endsWith('.md')) {
+    return block(tool, `path must be a single .md file inside memory/topics/: ${targetPath}`)
+  }
+
+  const slug = fileName.slice(0, -3)
+  if (!SLUG_REGEX.test(slug)) {
+    return block(tool, `slug must match ${SLUG_REGEX}: ${slug}`)
+  }
+
+  return undefined
+}
+
+function block(tool: string, reason: string): GuardBlock {
+  return {
+    block: true,
+    reason: `Guard \`${GUARD_MEMORY_TOPICS_DELETE}\` blocked ${tool}: ${reason}.`,
+  }
+}

package/src/bundled-plugins/guard/policies/memory-topics-write.ts

@@ -0,0 +1,33 @@
+import path from 'node:path'
+
+import type { SessionOrigin } from '@/agent/session-origin'
+import { SLUG_REGEX } from '@/bundled-plugins/memory/slug'
+
+export async function isMemoryTopicsWriteAllowed(options: {
+  tool: string
+  args: Record<string, unknown>
+  agentDir: string
+  origin?: SessionOrigin
+}): Promise<boolean> {
+  if (options.tool !== 'write') return false
+
+  const { origin } = options
+  if (!origin || origin.kind !== 'subagent' || origin.subagent !== 'dreaming') return false
+
+  const rawPath = options.args.path
+  if (typeof rawPath !== 'string') return false
+
+  const target = path.resolve(options.agentDir, rawPath)
+  const expectedDir = path.resolve(options.agentDir, 'memory', 'topics')
+  const rel = path.relative(expectedDir, target)
+  if (rel === '' || rel.startsWith('..') || path.isAbsolute(rel)) return false
+
+  const parts = rel.split(path.sep).filter(Boolean)
+  const fileName = parts[0]
+  if (parts.length !== 1 || !fileName || !fileName.endsWith('.md')) return false
+
+  const slug = fileName.slice(0, -3)
+  if (!SLUG_REGEX.test(slug)) return false
+
+  return true
+}

package/src/bundled-plugins/guard/policies/non-workspace-write.ts

@@ -1,7 +1,11 @@
 import { realpath } from 'node:fs/promises'
 import path from 'node:path'
 
+import type { SessionOrigin } from '@/agent/session-origin'
+
 import { ACKNOWLEDGE_GUARDS, type GuardBlock, isGuardAcknowledged } from '../policy'
+import { isMemoryRetrievalCacheWriteAllowed } from './memory-retrieval-cache-write'
+import { isMemoryTopicsWriteAllowed } from './memory-topics-write'
 import { isSkillAuthoringAllowed } from './skill-authoring'
 
 export const GUARD_NON_WORKSPACE_WRITE = 'nonWorkspaceWrite'
@@ -9,7 +13,6 @@ export const GUARD_NON_WORKSPACE_WRITE = 'nonWorkspaceWrite'
 const AGENT_ROOT_WRITE_ALLOWLIST = new Set([
   'AGENTS.md',
   'IDENTITY.md',
-  'MEMORY.md',
   'SOUL.md',
   'USER.md',
   'cron.json',
@@ -28,8 +31,9 @@ export async function checkNonWorkspaceWriteGuard(options: {
   tool: string
   args: Record<string, unknown>
   agentDir: string
+  origin?: SessionOrigin
 }): Promise<GuardBlock | undefined> {
-  const { tool, args, agentDir } = options
+  const { tool, args, agentDir, origin } = options
   if (tool !== 'write' && tool !== 'edit') return undefined
 
   const rawPath = args.path
@@ -42,6 +46,8 @@ export async function checkNonWorkspaceWriteGuard(options: {
     resolveRealIntendedPath(workspacePath),
   ])
   if (await isSkillAuthoringAllowed({ tool, args, agentDir })) return undefined
+  if (await isMemoryRetrievalCacheWriteAllowed({ tool, args, agentDir, origin })) return undefined
+  if (await isMemoryTopicsWriteAllowed({ tool, args, agentDir, origin })) return undefined
   if (await isAllowedAgentRootWrite(agentDir, targetPath, realTargetPath)) return undefined
   if (isInside(realWorkspacePath, realTargetPath)) return undefined
   if (isGuardAcknowledged(args, GUARD_NON_WORKSPACE_WRITE)) return undefined

package/src/bundled-plugins/guard/policy.ts

@@ -16,4 +16,11 @@ export {
   checkSkillAuthoringGuard,
   isSkillAuthoringAllowed,
 } from './policies/skill-authoring'
+export { GUARD_MEMORY_TOPICS_DELETE, checkMemoryTopicsDeleteGuard } from './policies/memory-topics-delete'
+export {
+  GUARD_MEMORY_RETRIEVAL_CACHE_WRITE,
+  GUARD_MEMORY_RETRIEVAL_CACHE_WRITE_SEVERITY,
+  isMemoryRetrievalCacheWriteAllowed,
+} from './policies/memory-retrieval-cache-write'
+export { isMemoryTopicsWriteAllowed } from './policies/memory-topics-write'
 export { GUARD_UNCOMMITTED_CHANGES, checkUncommittedChangesAdvice } from './policies/uncommitted-changes'