typeclaw 0.9.2 → 0.10.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "typeclaw",
-  "version": "0.9.2",
+  "version": "0.10.0",
   "homepage": "https://github.com/typeclaw/typeclaw#readme",
   "bugs": {
     "url": "https://github.com/typeclaw/typeclaw/issues"
@@ -46,7 +46,7 @@
     "@mariozechner/pi-coding-agent": "^0.67.3",
     "@mariozechner/pi-tui": "^0.67.3",
     "@mozilla/readability": "^0.6.0",
-    "agent-messenger": "2.17.0",
+    "agent-messenger": "2.18.0",
     "cheerio": "^1.2.0",
     "citty": "^0.2.2",
     "cron-parser": "^5.5.0",

package/src/agent/index.ts

@@ -8,7 +8,7 @@ import type { AgentSession, ToolDefinition } from '@mariozechner/pi-coding-agent
 import { loadMemory } from '@/bundled-plugins/memory/load-memory'
 import type { ChannelRouter } from '@/channels/router'
 import { getConfig, resolveModel, resolveProfile } from '@/config'
-import { providerForModelRef, type KnownModelRef } from '@/config/providers'
+import { defaultThinkingLevelForRef, providerForModelRef, type KnownModelRef } from '@/config/providers'
 import type { PermissionService } from '@/permissions'
 import type {
   BuiltinToolRef,
@@ -341,6 +341,7 @@ export async function createSessionWithDispose(options: CreateSessionOptions = {
       : customToolsPreBudget
 
   const model = resolveModel(activeRef)
+  const thinkingLevel = defaultThinkingLevelForRef(activeRef)
   const { session } = await createAgentSession({
     model,
     sessionManager,
@@ -350,6 +351,7 @@ export async function createSessionWithDispose(options: CreateSessionOptions = {
     resourceLoader,
     ...(tools ? { tools } : {}),
     customTools,
+    ...(thinkingLevel ? { thinkingLevel } : {}),
   })
 
   // Re-narrow the active tool set after `createAgentSession`. pi 0.67.3's
@@ -890,12 +892,12 @@ function resolveRoleContext(
 ): SessionRoleContext | undefined {
   if (permissions === undefined) return undefined
   const described = permissions.describe(origin)
-  // TUI normally resolves to `owner` via the built-in `owner.match = [tui]`
-  // entry, and we skip the role block in that case to save tokens on every
-  // interactive session. But user-declared roles can match TUI first (the
-  // resolver is first-match-wins in declaration order), so a non-owner TUI
-  // role is possible and the agent needs to see it. The "TUI is always owner"
-  // shorthand in docs is the common case, not an invariant.
+  // TUI resolves to `owner` because the built-in `owner.match = [tui]` is
+  // walked first under severity-then-declaration ordering AND is always
+  // appended (not replaced) by user-declared `roles.owner.match[]`. We skip
+  // the role block in that case to save tokens on every interactive
+  // session. The guard remains here as defense-in-depth in case a future
+  // change ever makes TUI resolve to something other than owner.
   if (origin.kind === 'tui' && described.role === 'owner') return undefined
   return described
 }

package/src/bundled-plugins/security/index.ts

@@ -49,22 +49,23 @@ type PerGuardSecurityPermission = Exclude<
 // not a silent fallback.
 const BYPASS_ROLE_HINT = {
   [SECURITY_PERMISSIONS.bypassSecretExfilBash]:
-    'only owner has it by default (medium tier; trusted does NOT carry this — operators can grant `security.bypass.secretExfilBash` explicitly in roles.trusted.permissions[] if they want the pre-PR ergonomics back)',
+    'owner and trusted have it by default (medium tier); member and guest do not. Operators can grant `security.bypass.secretExfilBash` explicitly in roles.<role>.permissions[] to widen.',
   [SECURITY_PERMISSIONS.bypassGitExfil]:
-    'NOBODY has it by default — high tier requires per-call ack from every role, including owner. Operators can grant `security.bypass.gitExfil` explicitly in roles.<role>.permissions[] to re-open the auto-bypass for one role.',
+    'owner and trusted have it by default (medium tier); member and guest do not. The audience-leak surface for git lives in `gitRemoteTainted` (high tier, owner-only) — pushing to an attacker-retargeted remote is still blocked for trusted by the two-step taint defense.',
   [SECURITY_PERMISSIONS.bypassGitRemoteTainted]:
-    'NOBODY has it by default — high tier requires per-call ack from every role. Even an operator-granted `security.bypass.gitExfil` does NOT bypass this second-step taint check (the recorder still fires for the first step, so the push is still gated).',
-  [SECURITY_PERMISSIONS.bypassSecretExfilRead]: 'only owner has it by default (medium tier)',
-  [SECURITY_PERMISSIONS.bypassSsrf]: 'only owner has it by default (medium tier)',
-  [SECURITY_PERMISSIONS.bypassSessionSearchSecrets]: 'only owner has it by default (medium tier)',
-  [SECURITY_PERMISSIONS.bypassSystemPromptLeak]:
-    'NOBODY has it by default — high tier requires per-call ack from every role, including owner.',
+    'only owner has it by default (high tier). The two-step taint defense (recorder + checker) still fires whenever the actor lacks `security.bypass.gitRemoteTainted`, including across owner-granted gitExfil bypasses.',
+  [SECURITY_PERMISSIONS.bypassSecretExfilRead]:
+    'owner and trusted have it by default (medium tier); member and guest do not.',
+  [SECURITY_PERMISSIONS.bypassSsrf]: 'owner and trusted have it by default (medium tier); member and guest do not.',
+  [SECURITY_PERMISSIONS.bypassSessionSearchSecrets]:
+    'owner and trusted have it by default (medium tier); member and guest do not.',
+  [SECURITY_PERMISSIONS.bypassSystemPromptLeak]: 'only owner has it by default (high tier).',
   [SECURITY_PERMISSIONS.bypassOutboundSecret]:
-    'NOBODY has it by default — high tier requires per-call ack from every role, including owner. The audience-leak rule: even owner posting to a public channel must not silently include credentials.',
+    'only owner has it by default (high tier). The audience-leak risk: an owner-permissioned channel author can silently include credentials in outbound messages. Operators who match owner to a channel author should narrow that match or remove owner from `roles.owner.permissions[]` for those origins.',
   [SECURITY_PERMISSIONS.bypassRolePromotion]:
-    'NOBODY has it by default — high tier requires per-call ack from every role, including owner. The audience-leak rule generalizes to privilege escalation: even owner running from TUI must not silently rewrite the access-control table on behalf of a channel message.',
+    'owner and trusted have it by default (medium tier); member and guest do not. The privilege-escalation defense for trusted now depends on operator review of `typeclaw.json` backup commits — `roles` is restart-required, so the operator has wall-clock time to revert before the new role table takes effect. Operators who do not review can re-tighten by replacing `roles.trusted.permissions[]` with an explicit list that omits `security.bypass.medium`.',
   [SECURITY_PERMISSIONS.bypassCronPromotion]:
-    'NOBODY has it by default — high tier requires per-call ack from every role, including owner. Same shape as rolePromotion but deferred: a new cron job (or a changed scheduledByRole) is a privilege grant that fires at schedule-time, and the operator must not silently author one on behalf of a channel message.',
+    'owner and trusted have it by default (medium tier); member and guest do not. Same shape as rolePromotion but deferred: a new cron job (or a changed scheduledByRole) fires at schedule-time as the stamped role. The operator-review window between write and execution is the trusted-tier defense.',
 } as const satisfies Record<PerGuardSecurityPermission, string>
 
 function withPermissionHint(
@@ -83,12 +84,13 @@ function withPermissionHint(
 
 export default definePlugin({
   permissions: Object.values(SECURITY_PERMISSIONS),
-  // High-tier per-guard strings AND the `security.bypass.high` tier
-  // string itself are excluded from the owner-wildcard expansion. Owner
-  // still has the wildcard sentinel (so future low/medium plugin-
-  // contributed bypasses keep auto-flowing to owner), but audience-leak
-  // guards require either per-call ack or an explicit operator grant.
-  ownerWildcardExclusions: [...HIGH_TIER_PER_GUARD_PERMISSIONS, SECURITY_PERMISSIONS.bypassHigh],
+  // No wildcard exclusions: owner bypasses every security tier by default
+  // under the role-tower model. `BUILTIN_ROLES.owner.permissions` carries
+  // `security.bypass.{low,medium,high}` explicitly; the wildcard sentinel
+  // additionally fans out to every per-guard string (including high-tier
+  // ones). The owner-in-public-channel defense now lives in
+  // `roles.owner.match[]` discipline, not in the language defaults.
+  ownerWildcardExclusions: [],
   plugin: async (ctx) => ({
     hooks: {
       'session.prompt': async (event) => {

package/src/bundled-plugins/security/permissions.ts

@@ -37,16 +37,17 @@ export const SEVERITY_PERMISSION: Record<SecuritySeverity, string> = {
   high: SECURITY_PERMISSIONS.bypassHigh,
 }
 
-// Per-guard permission strings whose guards are classified `high`. The
-// owner-wildcard expander excludes these so the wildcard sentinel does
-// not auto-grant high-tier bypass to owner. Operators who explicitly
-// want to re-open a high-tier bypass for owner (or any role) can still
-// add the per-guard string to that role's `permissions[]` by hand.
+// Per-guard permission strings whose guards are classified `high`.
+// Plumbed through to the owner-wildcard expander's `ownerWildcardExclusions`
+// parameter at boot; the bundled security plugin currently passes `[]` so
+// owner DOES auto-bypass every high-tier per-guard string, but third-party
+// plugins (or a future tightening of the bundled defaults) can use this
+// constant to exclude high-tier strings from the wildcard expansion.
+// Keep this list in sync with the `'high'` classifications in
+// `policies/*.ts` — the drift-guard test in `permissions.test.ts` will
+// fail if a guard's severity constant disagrees with its membership here.
 export const HIGH_TIER_PER_GUARD_PERMISSIONS: readonly string[] = [
-  SECURITY_PERMISSIONS.bypassGitExfil,
   SECURITY_PERMISSIONS.bypassGitRemoteTainted,
   SECURITY_PERMISSIONS.bypassOutboundSecret,
   SECURITY_PERMISSIONS.bypassSystemPromptLeak,
-  SECURITY_PERMISSIONS.bypassRolePromotion,
-  SECURITY_PERMISSIONS.bypassCronPromotion,
 ]

package/src/bundled-plugins/security/policies/cron-promotion.ts

@@ -7,8 +7,23 @@ import type { SecuritySeverity } from '../permissions'
 import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../policy'
 
 export const GUARD_CRON_PROMOTION = 'cronPromotion'
-// Classified `high` (audience-leak axis, adapted — same reasoning as
-// `rolePromotion`).
+// Classified `medium` (silent-attack axis). Originally `high`; reclassified
+// for the same reason as `rolePromotion`: the deferred-execution surface
+// is still operator-reviewable before the job fires. `cron.json` is
+// force-committed by the auto-backup plugin, the change appears in
+// `git log` and backup commits, and the cron consumer dispatches by
+// schedule — there is wall-clock time between the privileged write and
+// the privileged execution during which the operator can revert or
+// disable. Bypass produces operator-reviewable state, not direct
+// audience-leak.
+//
+// Net effect on the role-tower model: owner and trusted both bypass
+// without ack; member and guest still get blocked. The defense for
+// trusted depends on backup-commit review discipline — same tradeoff
+// as `rolePromotion`. Operators who want to keep this at high for
+// trusted can subtract: replace `roles.trusted.permissions[]` with an
+// explicit list that omits `security.bypass.medium`, then add narrower
+// per-guard medium grants as needed.
 //
 // Cron is the deferred-execution sibling of `roles`. Every cron job
 // carries a `scheduledByRole` field that the runtime stamps into the
@@ -17,12 +32,14 @@ export const GUARD_CRON_PROMOTION = 'cronPromotion'
 // table"). The `parseCronFile` boot gate rejects entries without
 // `scheduledByRole`, but it accepts any role name the file declares.
 //
-// Concrete breach pattern: a `member`-role agent that can `write`
-// `cron.json` authors a brand-new job with `"scheduledByRole": "owner"`
-// and a prompt that does whatever the agent's tool surface allows when
-// running as owner. The cron consumer fires it on schedule; the firing
-// session resolves to `owner` because that role name exists in the role
-// table. The agent has laundered itself into owner via the schedule.
+// Concrete breach pattern blocked at `medium`: a `member`-role agent
+// that can `write` `cron.json` authors a brand-new job with
+// `"scheduledByRole": "owner"` and a prompt that does whatever the
+// agent's tool surface allows when running as owner. The cron consumer
+// fires it on schedule; the firing session resolves to `owner` because
+// that role name exists in the role table. The agent has laundered
+// itself into owner via the schedule. This guard blocks the first step
+// — member does not carry `bypass.medium`.
 //
 // Same two-step shape as `gitRemoteTainted`: "do a privileged write
 // now, run the privileged thing later." This guard blocks the first
@@ -66,7 +83,7 @@ export const GUARD_CRON_PROMOTION = 'cronPromotion'
 // is treated as new and flagged. The only false positive is "operator
 // authored a fresh `cron.json` with privileged jobs," which they
 // acknowledge in the same call.
-export const GUARD_CRON_PROMOTION_SEVERITY: SecuritySeverity = 'high'
+export const GUARD_CRON_PROMOTION_SEVERITY: SecuritySeverity = 'medium'
 
 export type CronPromotionFinding =
   | { kind: 'job-added'; id: string; scheduledByRole: string }

package/src/bundled-plugins/security/policies/git-exfil.ts

@@ -3,24 +3,32 @@ import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../
 import { getRemoteTaint, recordRemoteTaint } from './remote-taint-state'
 
 export const GUARD_GIT_EXFIL = 'gitExfil'
-// Classified `high` (audience-leak axis): `git push` sends every tracked
-// file to a remote git host. The host (GitHub/GitLab/attacker-controlled
-// box) is a third-party audience outside the operator's control loop.
-// Even a private remote owned by an attacker is now outside the
-// perimeter. No role auto-bypasses high — owner pushing from TUI must ack
-// each push. The historical per-guard string `security.bypass.gitExfil`
-// remains valid as an explicit grant for operators who knowingly want to
-// re-open the auto-bypass (see SKILL.md must-not-do guidance).
-export const GUARD_GIT_EXFIL_SEVERITY: SecuritySeverity = 'high'
+// Classified `medium` (silent-attack axis). Originally `high`; reclassified
+// because the actual audience-leak surface for `git push` lives in
+// `gitRemoteTainted`, not here. A `git push` to a CLEAN, operator-configured
+// remote is not audience-leak — the audience (the remote git host) was
+// chosen by the operator and is inside their perimeter. The breach pattern
+// PR #134 was written for (re-point origin to attacker URL, then push) is
+// gated by `gitRemoteTainted` (still high). The recorder-vs-checker split
+// is what makes this reclassification safe: the recorder fires for any
+// actor who can run a `git remote set-url` (per-guard bypass OR the
+// medium-tier permission via the OR check), so trusted's first-step
+// set-url still records taint and the second-step push still gets caught
+// by `gitRemoteTainted` even though trusted no longer needs to ack the
+// push itself. Net effect: trusted users can push to remotes the operator
+// configured without per-call acks, but cannot retarget-and-push.
+export const GUARD_GIT_EXFIL_SEVERITY: SecuritySeverity = 'medium'
 export const GUARD_GIT_REMOTE_TAINTED = 'gitRemoteTainted'
-// Classified `high` (audience-leak axis): same path as gitExfil, second
-// step. A push after a mid-session `git remote set-url` to an
+// Classified `high` (audience-leak axis): the actual audience-leak gate
+// for git. A push after a mid-session `git remote set-url` to an
 // attacker-controlled URL is exactly the breach pattern that motivated
-// the entire security plugin per PR #134. The recorder-vs-checker split
+// the entire security plugin per PR #134. Stays high regardless of how
+// `gitExfil` is classified — the two are independent per-guard strings
+// AND independent tier classifications. The recorder-vs-checker split
 // (see comment on recordGitRemoteTaintIfAny below) is still load-bearing:
-// the recorder fires for anyone who can run the underlying command (ack
-// or the per-guard `bypassGitExfil` grant), so even if an operator
-// explicitly grants `bypassGitExfil` to a role, the second-step taint
+// the recorder fires for anyone who can run the underlying `set-url`
+// command (ack, per-guard `bypassGitExfil`, OR the medium-tier permission
+// — which now includes trusted by default), so the second-step taint
 // check still fires on the eventual push.
 export const GUARD_GIT_REMOTE_TAINTED_SEVERITY: SecuritySeverity = 'high'
 

package/src/bundled-plugins/security/policies/role-promotion.ts

@@ -8,25 +8,32 @@ import type { SecuritySeverity } from '../permissions'
 import { ACKNOWLEDGE_GUARDS, type SecurityBlock, isGuardAcknowledged } from '../policy'
 
 export const GUARD_ROLE_PROMOTION = 'rolePromotion'
-// Classified `high` (audience-leak axis, adapted).
+// Classified `medium` (silent-attack axis). Originally `high`; reclassified
+// because the privilege escalation does NOT take effect until the operator
+// reloads or restarts — `roles` is `restart-required` in FIELD_EFFECTS, and
+// even the `match`-only path that's classified `applied` writes through
+// `typeclaw.json` which is force-committed by the auto-backup plugin on
+// idle. The operator sees the file change in `git log`, in `typeclaw reload`
+// output, and in their backup commits BEFORE the new role mapping takes
+// effect. There is an operator-visible step between bypass and breach,
+// which puts this guard squarely on the medium axis: bypass produces
+// attacker-favorable state in operator-reviewable surface, not direct
+// audience-leak.
 //
-// Role promotion is privilege escalation: the agent rewrites
-// `typeclaw.json#roles` so a previously-unprivileged actor now resolves
-// to a privileged role. The breach pattern: a `member`-role speaker in a
-// chat asks "give me permission" / "promote me to admin"; the agent
-// edits typeclaw.json with what looks like a routine config change; the
-// schema is valid, the managedConfig guard passes, nonWorkspaceWrite
-// allowlists typeclaw.json — and on next reload the speaker resolves to
-// `owner` with full bypasses.
+// Net effect on the role-tower model: owner and trusted both bypass without
+// ack; member and guest still get blocked. The defense for trusted now
+// depends on operator config-review discipline — if backup commits are
+// reviewed and `typeclaw reload` output is read before applying, a
+// trusted-laundered role promotion is caught before it fires. Operators
+// who do not review can re-tighten by adding `security.bypass.rolePromotion`
+// to `trusted.permissions[]` as an explicit subtraction (replace the
+// default tier grant with a narrower list) — see typeclaw-permissions skill.
 //
-// This is the same audience-leak shape as gitExfil and outboundSecret:
-// the "audience" here is the future-self of the access-control table,
-// which is outside the operator's per-call control loop. Even an `owner`
-// operating from TUI must not silently rewrite the role table based on
-// a channel message — the canonical owner-in-public-channel attack
-// generalizes from "post credentials" to "promote the asker". No role
-// auto-bypasses; per-call ack or an explicit `security.bypass.rolePromotion`
-// grant is required.
+// Breach pattern blocked at `medium`: a `member`-role speaker in a chat
+// asks "promote me to admin"; the agent edits typeclaw.json; the change is
+// schema-valid, managedConfig accepts it, nonWorkspaceWrite allowlists
+// typeclaw.json — but this guard still blocks because member does not
+// carry `bypass.medium` by default.
 //
 // What counts as a promotion (any of):
 //   1. A role's `permissions[]` gained an entry.
@@ -58,7 +65,7 @@ export const GUARD_ROLE_PROMOTION = 'rolePromotion'
 //     agent cannot start a claim, only consume one whose code the
 //     operator already broadcast. That makes the bypass intentionally
 //     out-of-band — do not extend this guard to cover it.
-export const GUARD_ROLE_PROMOTION_SEVERITY: SecuritySeverity = 'high'
+export const GUARD_ROLE_PROMOTION_SEVERITY: SecuritySeverity = 'medium'
 
 export type RolePromotionFinding = {
   role: string

package/src/channels/router.ts

@@ -29,7 +29,11 @@ import {
   saveChannelSessions,
   type ChannelSessionRecord,
 } from './persistence'
-import type { ChannelAdapterConfig } from './schema'
+import {
+  DEFAULT_QUOTED_REPLY_QUEUE_DELAY_MS,
+  QUOTED_REPLY_EXCERPT_MAX_CHARS,
+  type ChannelAdapterConfig,
+} from './schema'
 import type {
   ChannelHistoryMessage,
   ChannelKey,
@@ -302,6 +306,15 @@ type LiveSession = {
   // future hard cap without picking a threshold out of thin air.
   sendTimestamps: Map<string, number[]>
   successfulChannelSends: number
+  // Captured by drain() at batch dequeue; read+cleared by send() on the
+  // first tool-source send of the turn. The anchor decision (delay
+  // threshold + intervening-observed check) is evaluated at SEND time
+  // against this snapshot — not at drain time — because the relevant
+  // signal is how long the user waited from inbound to seeing the reply
+  // land, which only the send-side clock knows. Cleared after first
+  // consumption so multi-part replies anchor only on chunk 1. A new
+  // batch overwrites unconditionally.
+  pendingQuoteCandidate: QuoteAnchorCandidate | null
   // Loop-guard state. See PEER_BOT_TURNS_WINDOW_MS / MAX_* constants
   // above. Updated in route() on every engaged peer-bot inbound, reset on
   // any human inbound. The two axes (window ring buffer + since-human
@@ -913,6 +926,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
         lastSentText: new Map(),
         sendTimestamps: new Map(),
         successfulChannelSends: 0,
+        pendingQuoteCandidate: null,
         recentEngagedPeerBotTurns: [],
         consecutiveEngagedPeerBotTurns: 0,
         loopGuardActive: false,
@@ -1213,6 +1227,7 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
           live.currentTurnAuthorIds = new Set(batch.map((m) => m.authorId))
           live.consecutiveSends.clear()
           live.lastSentText.clear()
+          live.pendingQuoteCandidate = captureQuoteCandidate(batch, observed)
         } else if (live.lastTurnAuthorId !== null) {
           // Reminder-only turn (batch.length === 0, reminders.length > 0):
           // restore the author identity from the prior turn so author-
@@ -1340,10 +1355,13 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
 
     // Role-claim intercept runs BEFORE the channel.respond gate so the
     // operator can bootstrap permissions on a fresh agent that has no
-    // role match rules yet. Cheap pre-check: only DMs whose text contains
-    // a `claim-` prefix can be claim attempts, and only when a handler
+    // role match rules yet. Cheap pre-check: any inbound whose text
+    // contains a `claim-` prefix is a candidate, and only when a handler
     // is registered. Everything else falls straight through to the gate.
-    if (claimHandler !== undefined && event.isDm && extractClaimCode(event.text) !== null) {
+    // Claims are accepted from any chat (DM, group, thread) because the
+    // resulting match rule is platform-wide + author-scoped — see
+    // src/role-claim/match-rule.ts.
+    if (claimHandler !== undefined && extractClaimCode(event.text) !== null) {
       const outcome = await claimHandler({
         adapter: event.adapter,
         workspace: event.workspace,
@@ -1692,6 +1710,21 @@ export function createChannelRouter(options: CreateChannelRouterOptions): Channe
     })
     const live = liveSessions.get(keyId)
     const sendKey = consecutiveSendKey(msg.chat, msg.thread)
+    // Tool-source sends consume the captured quote candidate exactly
+    // once per turn — the decision (delay threshold + intervening-
+    // observed check) runs HERE against the live clock so the relevant
+    // signal is real wall-time between inbound and reply landing, not
+    // drain-vs-send timing artifacts. System sources (recovery, role-
+    // claim) skip so they can't accidentally swallow the candidate
+    // before the model's own first reply lands. Even when the decision
+    // returns null (delay below threshold, nothing intervened), the
+    // candidate is cleared — a multi-part reply that crosses the
+    // threshold mid-flight must not retroactively anchor chunk 2.
+    if (live && source === 'tool' && live.pendingQuoteCandidate !== null) {
+      const anchor = decideQuoteAnchor(live.pendingQuoteCandidate, now(), options.configForAdapter(msg.adapter))
+      if (anchor !== null) msg = { ...msg, text: prependQuoteAnchor(msg.text ?? '', anchor) }
+      live.pendingQuoteCandidate = null
+    }
     const text = normalizeSendText(msg.text)
 
     // Central enforcement. Tool-initiated sends are subject to two policies:
@@ -2229,6 +2262,95 @@ function formatAuthorLine(
   return `${stamp}<@${authorId}> (${authorName})${tag}: ${text}`
 }
 
+export type QuoteAnchorSource = {
+  authorName: string
+  text: string
+}
+
+// Renders the single-line `> @name: excerpt` blockquote prepended to
+// outbound replies when the router decides the reply needs an anchor.
+// Collapses newlines to spaces so a multi-line user message renders on
+// one quoted line (markdown blockquote semantics: a blank line ends the
+// quote, and `> foo\nbar` would split the quote and the reply); strips
+// existing leading `>` so a quote-of-a-quote stays single-level. Empty
+// inbound text (mention-only inbounds like `<@bot>`) falls back to a
+// generic marker so the user still sees "the bot saw your ping".
+export function renderQuoteAnchor(source: QuoteAnchorSource): string {
+  const collapsed = source.text
+    .replace(/\s+/g, ' ')
+    .replace(/^>+\s*/, '')
+    .trim()
+  const excerpt =
+    collapsed === ''
+      ? '(no text)'
+      : collapsed.length > QUOTED_REPLY_EXCERPT_MAX_CHARS
+        ? `${collapsed.slice(0, QUOTED_REPLY_EXCERPT_MAX_CHARS - 1)}…`
+        : collapsed
+  return `> @${source.authorName}: ${excerpt}`
+}
+
+export function prependQuoteAnchor(replyText: string, source: QuoteAnchorSource): string {
+  const anchor = renderQuoteAnchor(source)
+  if (replyText === '') return anchor
+  return `${anchor}\n${replyText}`
+}
+
+type QuoteAnchorBatchEntry = {
+  text: string
+  authorName: string
+  authorIsBot: boolean
+  receivedAt: number
+}
+
+type QuoteAnchorObservedEntry = {
+  receivedAt: number
+}
+
+export type QuoteAnchorCandidate = {
+  source: QuoteAnchorSource
+  primaryReceivedAt: number
+  hadInterveningObserved: boolean
+}
+
+// Snapshot the primary inbound + observed-buffer state at drain time so
+// the send-side decision has the data it needs without holding a
+// reference to the batch arrays. Returns null when there's nothing
+// anchorable (empty batch, primary is a bot).
+export function captureQuoteCandidate(
+  batch: readonly QuoteAnchorBatchEntry[],
+  observed: readonly QuoteAnchorObservedEntry[],
+): QuoteAnchorCandidate | null {
+  if (batch.length === 0) return null
+  const primary = batch[batch.length - 1]!
+  if (primary.authorIsBot) return null
+  const hadInterveningObserved = observed.some((o) => o.receivedAt >= primary.receivedAt)
+  return {
+    source: { authorName: primary.authorName, text: primary.text },
+    primaryReceivedAt: primary.receivedAt,
+    hadInterveningObserved,
+  }
+}
+
+// Send-time decision: given a captured candidate and the current clock,
+// returns the source to anchor against or null. Skips when:
+//   - quotedReply is disabled in config
+//   - delay is under threshold AND no observed messages came between
+//     primary inbound and now (the "felt instantaneous" path)
+// A null candidate (no batch yet, or batch was bot-only) always skips.
+export function decideQuoteAnchor(
+  candidate: QuoteAnchorCandidate | null,
+  nowMs: number,
+  adapterConfig: ChannelAdapterConfig | undefined,
+): QuoteAnchorSource | null {
+  if (candidate === null) return null
+  const config = adapterConfig?.quotedReply
+  if (config !== undefined && config.enabled === false) return null
+  const threshold = config?.queueDelayMs ?? DEFAULT_QUOTED_REPLY_QUEUE_DELAY_MS
+  const delay = nowMs - candidate.primaryReceivedAt
+  if (delay < threshold && !candidate.hadInterveningObserved) return null
+  return candidate.source
+}
+
 type Sliced = { kind: 'message'; message: ChannelHistoryMessage } | { kind: 'elision'; elidedCount: number }
 
 export function sliceHeadTail(messages: readonly ChannelHistoryMessage[], head: number, tail: number): Sliced[] {

package/src/channels/schema.ts

@@ -87,6 +87,26 @@ const historySchema = z
     },
   })
 
+// When the agent's first send of a turn lands ≥ this many ms after the
+// inbound was received, OR there were intervening observed messages
+// between the inbound and the reply, the router prepends a `> @author:
+// ...` blockquote line referencing the inbound so the user can see which
+// message the reply is anchored to even after the channel has scrolled.
+// 10s is the empirical "felt instantaneous" ceiling — anything faster
+// reads as real-time and needs no anchor.
+export const DEFAULT_QUOTED_REPLY_QUEUE_DELAY_MS = 10_000
+
+// Long enough to disambiguate; short enough that a multi-paragraph user
+// message doesn't visually dominate the reply.
+export const QUOTED_REPLY_EXCERPT_MAX_CHARS = 100
+
+const quotedReplySchema = z
+  .object({
+    enabled: z.boolean().default(true),
+    queueDelayMs: z.number().int().min(0).default(DEFAULT_QUOTED_REPLY_QUEUE_DELAY_MS),
+  })
+  .default({ enabled: true, queueDelayMs: DEFAULT_QUOTED_REPLY_QUEUE_DELAY_MS })
+
 // Deliberately non-strict: a stale on-disk file may still carry the
 // legacy `allow` field (`migrateLegacyConfigShape` lifts it into
 // `roles.member.match[]` on load, but a between-reload window can
@@ -97,6 +117,7 @@ const adapterSchema = z.object({
   engagement: engagementSchema,
   history: historySchema,
   enabled: z.boolean().default(true),
+  quotedReply: quotedReplySchema.optional(),
 })
 
 export const DEFAULT_GITHUB_EVENT_ALLOWLIST = [

package/src/cli/cron.ts

@@ -38,7 +38,7 @@ const listSub = defineCommand({
     }
 
     let url: string | undefined = args.url
-    if (url === undefined) {
+    if (url === undefined && process.env.TYPECLAW_CONTAINER_NAME === undefined) {
       const precheck = await requireContainerRunning({ cwd })
       if (!precheck.ok) {
         console.error(errorLine(precheck.reason))