typeclaw 0.9.2 → 0.11.0

package/src/init/index.ts

@@ -21,7 +21,7 @@ import { resolveBaseImageVersion, resolveScaffoldVersion } from './cli-version'
 import { buildDockerfile, DOCKERFILE } from './dockerfile'
 import { installGithubWebhooksEagerly, type EagerGithubWebhookInstallResult } from './github-webhook-install'
 import { buildGitignore, GITIGNORE_FILE } from './gitignore'
-import { HATCHING_PROMPT } from './hatching'
+import { buildHatchingPrompt } from './hatching'
 import type { OAuthLoginRunner, OAuthLoginResult } from './oauth-login'
 import { GITKEEP_FILE, PACKAGES_DIR } from './paths'
 import { type InstallResult, type InstallRunner, runBunInstall } from './run-bun-install'
@@ -33,6 +33,8 @@ export { formatEagerGithubWebhookInstallResult, installGithubWebhooksEagerly } f
 
 export { GITKEEP_FILE, PACKAGES_DIR } from './paths'
 
+export { appendOrReplaceEnvKey, hasEnvKey, readEnvFile } from './env-file'
+
 const CONFIG_FILE = 'typeclaw.json'
 const CRON_FILE = 'cron.json'
 const PACKAGE_FILE = 'package.json'
@@ -78,13 +80,24 @@ export type KakaotalkAuthResult = { ok: true } | { ok: false; reason: string }
 export type GithubInitCredentials = {
   webhookSecret: string
   tunnelProvider: GithubTunnelProvider
+  // Set when `tunnelProvider === 'external'`. The user-supplied https URL
+  // that GitHub POSTs to and that lands in `channels.github.webhookUrl`.
   webhookUrl?: string
   webhookPort?: number
+  // Set when `tunnelProvider === 'cloudflare-named'`. The Public Hostname
+  // configured in the Cloudflare dashboard; also used as the webhook URL for
+  // eager registration (GitHub POSTs through the named tunnel to the in-
+  // container webhook server). Kept distinct from `webhookUrl` so the
+  // wizard's branching stays readable and the resulting `tunnels[].hostname`
+  // ends up in the right field rather than being smuggled through
+  // `externalUrl`.
+  hostname?: string
+  tokenEnv?: string
   repos: string[]
   auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
 }
 
-export type GithubTunnelProvider = 'cloudflare-quick' | 'external' | 'none'
+export type GithubTunnelProvider = 'cloudflare-quick' | 'cloudflare-named' | 'external' | 'none'
 
 export type InitStepEvent =
   | { step: 'preflight'; phase: 'start' }
@@ -414,9 +427,10 @@ export async function defaultRunHatching({
       await runClaim({ url, configuredChannels })
     }
 
+    const typeclawJsonContent = await readTypeclawJsonRaw(cwd)
     const tui = tuiFactory({
       url: buildTuiUrl(hostPort, launch.tuiToken),
-      initialPrompt: HATCHING_PROMPT,
+      initialPrompt: buildHatchingPrompt(typeclawJsonContent !== undefined ? { typeclawJsonContent } : undefined),
     })
     await tui.run()
     return { ok: true }
@@ -425,6 +439,17 @@ export async function defaultRunHatching({
   }
 }
 
+// Read the raw bytes of `typeclaw.json` to inline into the hatching prompt.
+// Returns `undefined` on any failure so the agent falls back to reading the
+// file itself — hatching must not abort just because we couldn't pre-fetch.
+async function readTypeclawJsonRaw(cwd: string): Promise<string | undefined> {
+  try {
+    return await readFile(join(cwd, CONFIG_FILE), 'utf8')
+  } catch {
+    return undefined
+  }
+}
+
 export type ClaimRunner = (options: { url: string; configuredChannels: readonly ChannelKind[] }) => Promise<void>
 
 const defaultRunClaim: ClaimRunner = async ({ url, configuredChannels }) => {
@@ -785,6 +810,37 @@ export async function readExistingProviderApiKey(root: string, providerId: Known
   return new SecretsBackend(join(root, 'secrets.json')).tryReadProviderApiKeySync(providerId)
 }
 
+// Detects whether the requested provider has usable OAuth credentials already
+// written to `secrets.json#providers.<oauthProviderId>`. Used by the init
+// wizard's auto-resume path: when the user picks an OAuth-capable provider
+// and credentials already exist on disk from a prior partial run, skip the
+// browser login entirely instead of dragging them through a second OAuth
+// flow.
+//
+// Mirrors `readExistingProviderApiKey`'s contract — returns `false` when:
+//   - The provider has no OAuth support (`oauthProviderId === null`)
+//   - The file doesn't exist
+//   - The slot exists but has the wrong shape (api-key instead of oauth, or
+//     missing access_token)
+//   - The token is empty / whitespace
+//
+// We do NOT validate the token's freshness here. A stale access_token still
+// counts as "exists" — pi-ai's secrets store handles refresh on first use,
+// and surfacing an "expired token" check at init-time would require a
+// network call we'd rather not run during a wizard. The runtime will fall
+// back to OAuth login on use if refresh fails; that's a separate UX path.
+export async function hasExistingOAuthCredentials(root: string, providerId: KnownProviderId): Promise<boolean> {
+  const provider = KNOWN_PROVIDERS[providerId]
+  if (provider.oauthProviderId === null) return false
+  const backend = new SecretsBackend(join(root, 'secrets.json'))
+  const providers = backend.tryReadProvidersSync()
+  const credential = providers[provider.oauthProviderId]
+  if (credential === undefined) return false
+  if (credential.type !== 'oauth') return false
+  const accessToken = (credential as { access_token?: unknown }).access_token
+  return typeof accessToken === 'string' && accessToken.trim().length > 0
+}
+
 // Detects whether the requested channel already has usable credentials in
 // `secrets.json#channels`, so the init wizard can offer to reuse them
 // instead of re-prompting for tokens. Mirrors `readExistingProviderApiKey`:
@@ -937,6 +993,8 @@ export type AddChannelOptions = {
       tunnelProvider: GithubTunnelProvider
       webhookUrl?: string
       webhookPort?: number
+      hostname?: string
+      tokenEnv?: string
       repos: string[]
       auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
       fetchImpl?: typeof fetch
@@ -1000,11 +1058,18 @@ async function maybeInstallGithubWebhooks(
   options: Extract<AddChannelOptions, { channel: 'github' }>,
   emit: (event: AddChannelStepEvent) => void,
 ): Promise<void> {
-  if (options.webhookUrl === undefined) return
+  // For `external` and `cloudflare-named` we know the public URL up front
+  // (user-supplied `webhookUrl` or dashboard-configured `hostname`), so we
+  // can register the webhook on GitHub's side eagerly. For `cloudflare-quick`
+  // the URL only exists once cloudflared has emitted it on stderr inside the
+  // container, which hasn't happened yet at host-stage init/channel-add
+  // time — registration is deferred to the adapter's first `start()`.
+  const eagerUrl = resolveEagerWebhookUrl(options)
+  if (eagerUrl === undefined) return
   if (options.repos.length === 0) return
   emit({ step: 'github-webhooks', phase: 'start' })
   const result = await installGithubWebhooksEagerly({
-    webhookUrl: options.webhookUrl,
+    webhookUrl: eagerUrl,
     webhookSecret: options.webhookSecret,
     repos: options.repos,
     auth: options.auth,
@@ -1014,6 +1079,12 @@ async function maybeInstallGithubWebhooks(
   emit({ step: 'github-webhooks', phase: 'done', result })
 }
 
+function resolveEagerWebhookUrl(options: Extract<AddChannelOptions, { channel: 'github' }>): string | undefined {
+  if (options.tunnelProvider === 'external') return options.webhookUrl
+  if (options.tunnelProvider === 'cloudflare-named') return options.hostname
+  return undefined
+}
+
 function channelSecretsFromOptions(options: AddChannelOptions): ChannelSecrets {
   switch (options.channel) {
     case 'discord-bot':
@@ -1112,24 +1183,20 @@ function mergeGithubTunnelConfig(
   if (options.tunnelProvider === 'external' && options.webhookUrl === undefined) {
     throw new Error('GitHub external tunnel requires webhookUrl')
   }
+  if (options.tunnelProvider === 'cloudflare-named') {
+    if (options.hostname === undefined || options.hostname.trim() === '') {
+      throw new Error('GitHub cloudflare-named tunnel requires hostname')
+    }
+    if (options.tokenEnv === undefined || options.tokenEnv.trim() === '') {
+      throw new Error('GitHub cloudflare-named tunnel requires tokenEnv')
+    }
+  }
 
   const existingTunnels = Array.isArray(parsed.tunnels) ? parsed.tunnels : []
-  const tunnel =
-    options.tunnelProvider === 'external'
-      ? {
-          name: 'github-webhook',
-          provider: 'external',
-          externalUrl: options.webhookUrl,
-          for: { kind: 'channel', name: 'github' },
-        }
-      : {
-          name: 'github-webhook',
-          provider: 'cloudflare-quick',
-          for: { kind: 'channel', name: 'github' },
-        }
+  const tunnel = buildGithubTunnelEntry(options)
   parsed.tunnels = [...existingTunnels, tunnel]
 
-  if (options.tunnelProvider === 'cloudflare-quick') {
+  if (options.tunnelProvider === 'cloudflare-quick' || options.tunnelProvider === 'cloudflare-named') {
     const docker = isObjectRecord(parsed.docker) ? { ...parsed.docker } : {}
     const file = isObjectRecord(docker.file) ? { ...docker.file } : {}
     file.cloudflared = true
@@ -1138,6 +1205,34 @@ function mergeGithubTunnelConfig(
   }
 }
 
+function buildGithubTunnelEntry(options: Extract<AddChannelOptions, { channel: 'github' }>): Record<string, unknown> {
+  switch (options.tunnelProvider) {
+    case 'external':
+      return {
+        name: 'github-webhook',
+        provider: 'external',
+        externalUrl: options.webhookUrl,
+        for: { kind: 'channel', name: 'github' },
+      }
+    case 'cloudflare-quick':
+      return {
+        name: 'github-webhook',
+        provider: 'cloudflare-quick',
+        for: { kind: 'channel', name: 'github' },
+      }
+    case 'cloudflare-named':
+      return {
+        name: 'github-webhook',
+        provider: 'cloudflare-named',
+        for: { kind: 'channel', name: 'github' },
+        hostname: options.hostname,
+        tokenEnv: options.tokenEnv,
+      }
+    case 'none':
+      throw new Error('buildGithubTunnelEntry called with tunnelProvider=none')
+  }
+}
+
 // Init-side counterpart of runAddChannel's github branch. Same three writes
 // (typeclaw.json#channels.github, secrets.json#channels.github, roles.member
 // .match[]) but with overwrite semantics on the secrets/config side so a
@@ -1376,21 +1471,23 @@ export async function setChannelSecrets(
   })
 }
 
-// Discriminated union of what GitHub credentials the user wants to rotate.
-// The three secrets (PAT/private-key, webhook secret) rotate independently,
+// Discriminated union of what GitHub credentials the user wants to update.
+// The three secrets (PAT/private-key, webhook secret) update independently,
 // so the CLI lets the user pick which one(s) to touch in a single call.
-// `auth.type` must match the existing on-disk auth type — flipping between
-// PAT and App auth is a structural change, not a credential rotation, and
-// belongs in a future `channel migrate-auth` or hand-edit of secrets.json.
+// `auth.type` may differ from the on-disk auth type — switching between PAT
+// and App auth replaces the entire auth block (no field carryover from the
+// previous auth type, since the two shapes share no fields beyond `type`).
 export type GithubCredentialPatch = {
   webhookSecret?: string
   auth?: { type: 'pat'; pat: string } | { type: 'app'; privateKey: string; appId?: number; installationId?: number }
 }
 
-// Rotate one or more credential fields on an already-configured GitHub
+// Update one or more credential fields on an already-configured GitHub
 // channel. Like setChannelSecrets, refuses when secrets.json has no
-// existing github entry. Additionally refuses when the requested auth.type
-// doesn't match the on-disk type — see `GithubCredentialPatch` above.
+// existing github entry. Supports both same-type rotation (preserves env
+// bindings, carries appId/installationId forward when not supplied) and
+// auth-type switching (replaces the entire auth block — see
+// `GithubCredentialPatch` above).
 export async function setGithubSecrets(cwd: string, patch: GithubCredentialPatch): Promise<SetChannelTokensResult> {
   if (!existsSync(join(cwd, CONFIG_FILE))) {
     return {
@@ -1416,27 +1513,22 @@ export async function setGithubSecrets(cwd: string, patch: GithubCredentialPatch
     if (patch.auth !== undefined) {
       const existingAuth = block.auth
       const existingAuthType = readGithubAuthTypeFromObject(existingAuth)
-      if (existingAuthType !== patch.auth.type) {
-        return {
-          result: {
-            ok: false,
-            reason: `github auth type mismatch: secrets.json currently uses "${existingAuthType ?? 'unknown'}" auth, but you tried to rotate a "${patch.auth.type}" credential. Edit secrets.json by hand to migrate between PAT and App auth.`,
-          },
-        }
-      }
+      const isSameType = existingAuthType === patch.auth.type
       if (patch.auth.type === 'pat') {
-        const previousToken = isObjectRecord(existingAuth) ? (existingAuth as { token?: unknown }).token : undefined
+        const previousToken =
+          isSameType && isObjectRecord(existingAuth) ? (existingAuth as { token?: unknown }).token : undefined
         block.auth = { type: 'pat', token: rotatedSecret(previousToken, patch.auth.pat) }
       } else {
-        const existingApp = isObjectRecord(existingAuth) ? (existingAuth as Record<string, unknown>) : {}
+        const existingApp = isSameType && isObjectRecord(existingAuth) ? (existingAuth as Record<string, unknown>) : {}
         const appId = patch.auth.appId ?? (existingApp.appId as number | undefined)
         const installationId = patch.auth.installationId ?? (existingApp.installationId as number | undefined)
         if (typeof appId !== 'number') {
           return {
             result: {
               ok: false,
-              reason:
-                'github App auth requires appId, but it is missing from secrets.json. Re-run `typeclaw channel add github` to re-establish the App auth block.',
+              reason: isSameType
+                ? 'github App auth requires appId, but it is missing from secrets.json. Re-run `typeclaw channel add github` to re-establish the App auth block.'
+                : 'github App auth requires appId when switching from PAT to App auth.',
             },
           }
         }

package/src/init/validate-api-key.ts

@@ -60,6 +60,23 @@ export async function validateApiKey(
       return { kind: 'skipped', reason: 'network-error', detail: 'unexpected response shape' }
     }
     if (res.status === 401 || res.status === 403) {
+      // Fireworks issues two key classes that probe the same /v1/models
+      // endpoint differently:
+      //   * Standard keys (fw_...)  → 200 with the models list
+      //   * Fire Pass keys (fpk_...) → 403 with {"error":{"code":"FORBIDDEN",
+      //     "message":"Fire Pass API keys are not authorized for this route."}}
+      // The 403 *proves* authentication succeeded — the route is just out of
+      // scope for the key. Fire Pass keys do work at chat-completions, which
+      // is exactly the surface typeclaw needs (the only Fireworks model wired
+      // here is the Fire Pass router `kimi-k2p6-turbo`). Treating that 403
+      // as `rejected` is the bug; recognize the marker and accept the key.
+      // Genuinely bad keys still come back as 401 UNAUTHORIZED, untouched.
+      if (providerId === 'fireworks' && res.status === 403) {
+        const body = await readCapped(res, MAX_BODY_BYTES)
+        if (body !== null && isFireworksFirePassForbidden(body)) {
+          return { kind: 'ok' }
+        }
+      }
       return { kind: 'rejected', status: res.status }
     }
     return { kind: 'skipped', reason: 'network-error', detail: `HTTP ${res.status}` }
@@ -74,6 +91,20 @@ export async function validateApiKey(
 
 const MAX_BODY_BYTES = 4096
 
+function isFireworksFirePassForbidden(body: string): boolean {
+  try {
+    const parsed = JSON.parse(body) as { error?: { code?: unknown; message?: unknown } }
+    const err = parsed.error
+    if (!err || typeof err !== 'object') return false
+    if (err.code === 'FORBIDDEN' && typeof err.message === 'string' && err.message.includes('Fire Pass')) {
+      return true
+    }
+    return false
+  } catch {
+    return false
+  }
+}
+
 async function isModelsListShape(res: Response): Promise<boolean> {
   const text = await readCapped(res, MAX_BODY_BYTES)
   if (text === null) return false

package/src/inspect/index.ts

@@ -16,6 +16,8 @@ export { replayJsonl } from './replay'
 export { streamLive } from './live'
 export { parseDuration, parseFilter } from './types'
 export type { InspectCategory, InspectEvent, InspectFilter } from './types'
+export { runInspectLoop } from './loop'
+export type { RunInspectLoopOptions } from './loop'
 
 export type RunInspectOptions = {
   agentDir: string
@@ -29,9 +31,17 @@ export type RunInspectOptions = {
   stderr: (line: string) => void
   liveSource?: LiveSourceFactory
   signal?: AbortSignal
+  // Aborting escSignal (and only escSignal) returns escToPicker=true so a
+  // caller-side loop can re-open the picker; signal still means process exit.
+  escSignal?: AbortSignal
+  liveHint?: string
 }
 
-export type SelectSession = (sessions: SessionSummary[]) => Promise<SessionSummary | null>
+export type SelectSessionOptions = {
+  initialSessionId?: string
+}
+
+export type SelectSession = (sessions: SessionSummary[], opts?: SelectSessionOptions) => Promise<SessionSummary | null>
 
 export type LiveSourceFactory = (opts: {
   sessionId: string
@@ -40,7 +50,9 @@ export type LiveSourceFactory = (opts: {
   onSubscribed?: (sessionLive: boolean) => void
 }) => AsyncIterable<InspectEvent>
 
-export type RunInspectResult = { ok: true; exitCode: 0 } | { ok: false; exitCode: number; reason: string }
+export type RunInspectResult =
+  | { ok: true; exitCode: 0; escToPicker?: boolean }
+  | { ok: false; exitCode: number; reason: string }
 
 export async function runInspect(opts: RunInspectOptions): Promise<RunInspectResult> {
   const filterResult = parseFilter(opts.filter)
@@ -59,7 +71,7 @@ export async function runInspect(opts: RunInspectOptions): Promise<RunInspectRes
   const summary = await chooseSession(opts, sessionsDir, sinceMs)
   if (!summary.ok) return summary
 
-  await streamSession({
+  const streamResult = await streamSession({
     summary: summary.summary,
     filter,
     sinceMs,
@@ -69,7 +81,10 @@ export async function runInspect(opts: RunInspectOptions): Promise<RunInspectRes
     stderr: opts.stderr,
     ...(opts.liveSource !== undefined ? { liveSource: opts.liveSource } : {}),
     ...(opts.signal !== undefined ? { signal: opts.signal } : {}),
+    ...(opts.escSignal !== undefined ? { escSignal: opts.escSignal } : {}),
+    ...(opts.liveHint !== undefined ? { liveHint: opts.liveHint } : {}),
   })
+  if (streamResult.escToPicker) return { ok: true, exitCode: 0, escToPicker: true }
   return { ok: true, exitCode: 0 }
 }
 
@@ -132,7 +147,9 @@ async function streamSession(opts: {
   stderr: (line: string) => void
   liveSource?: LiveSourceFactory
   signal?: AbortSignal
-}): Promise<void> {
+  escSignal?: AbortSignal
+  liveHint?: string
+}): Promise<{ escToPicker: boolean }> {
   if (!opts.json) writeHeader(opts.summary, opts.color, opts.stdout)
   const emit = (event: InspectEvent): void => {
     if (opts.sinceMs !== undefined && event.ts > 0 && event.ts < opts.sinceMs) return
@@ -144,20 +161,26 @@ async function streamSession(opts: {
     }
   }
 
+  const escAborted = (): boolean => opts.escSignal?.aborted === true
+
   for await (const event of replayJsonl(opts.summary.sessionFile, { onWarn: opts.stderr })) {
+    if (escAborted()) return { escToPicker: true }
     emit(event)
   }
 
   if (opts.liveSource === undefined) {
     if (!opts.json) opts.stdout('─── end of transcript ───')
-    return
+    return { escToPicker: escAborted() }
   }
 
+  if (escAborted()) return { escToPicker: true }
+
+  const combinedSignal = combineSignals(opts.signal, opts.escSignal)
   let sessionLive = false
   const liveIter = opts.liveSource({
     sessionId: opts.summary.sessionId,
     ...(opts.sinceMs !== undefined ? { sinceMs: opts.sinceMs } : {}),
-    ...(opts.signal !== undefined ? { signal: opts.signal } : {}),
+    ...(combinedSignal !== undefined ? { signal: combinedSignal } : {}),
     onSubscribed: (live) => {
       sessionLive = live
     },
@@ -170,6 +193,9 @@ async function streamSession(opts: {
         opts.stdout(
           divider(opts.color, sessionLive ? '─── live ───' : '─── live (session not in registry; broadcasts only) ───'),
         )
+        if (opts.liveHint !== undefined && opts.liveHint !== '') {
+          opts.stdout(divider(opts.color, opts.liveHint))
+        }
         liveAnnounced = true
       }
       emit(event)
@@ -178,6 +204,21 @@ async function streamSession(opts: {
     opts.stderr(`live tail ended: ${err instanceof Error ? err.message : String(err)}`)
   }
   if (!opts.json) opts.stdout('─── end of transcript ───')
+  return { escToPicker: escAborted() && opts.signal?.aborted !== true }
+}
+
+function combineSignals(a: AbortSignal | undefined, b: AbortSignal | undefined): AbortSignal | undefined {
+  if (a === undefined) return b
+  if (b === undefined) return a
+  if (a.aborted) return a
+  if (b.aborted) return b
+  const ctrl = new AbortController()
+  const onAbort = (): void => {
+    ctrl.abort()
+  }
+  a.addEventListener('abort', onAbort, { once: true })
+  b.addEventListener('abort', onAbort, { once: true })
+  return ctrl.signal
 }
 
 function divider(color: boolean, text: string): string {

package/src/inspect/loop.ts

@@ -0,0 +1,31 @@
+import { runInspect, type RunInspectOptions, type RunInspectResult } from './index'
+
+export type RunInspectLoopOptions = Omit<RunInspectOptions, 'escSignal'> & {
+  newEscSignal: () => AbortSignal
+}
+
+export async function runInspectLoop(opts: RunInspectLoopOptions): Promise<RunInspectResult> {
+  let sessionArg = opts.sessionIdOrPrefix
+  // Remember the last session the user picked from the interactive picker so
+  // an ESC-back-to-picker re-opens with that row pre-selected. The picker
+  // receives this through the `initialSessionId` hint on its second arg.
+  let lastPickedId: string | undefined
+  const wrappedSelectSession: typeof opts.selectSession = async (sessions, selectOpts) => {
+    const hint = selectOpts?.initialSessionId ?? lastPickedId
+    const picked = await opts.selectSession(sessions, hint !== undefined ? { initialSessionId: hint } : {})
+    if (picked !== null) lastPickedId = picked.sessionId
+    return picked
+  }
+
+  while (true) {
+    const escSignal = opts.newEscSignal()
+    const callOpts: RunInspectOptions = { ...opts, escSignal, selectSession: wrappedSelectSession }
+    if (sessionArg !== undefined) callOpts.sessionIdOrPrefix = sessionArg
+    else delete (callOpts as { sessionIdOrPrefix?: string }).sessionIdOrPrefix
+
+    const result = await runInspect(callOpts)
+    if (!result.ok) return result
+    if (result.escToPicker !== true) return result
+    sessionArg = undefined
+  }
+}

package/src/inspect/replay.ts

@@ -66,7 +66,7 @@ function* eventsFromEntry(
   if (!isMessageEntry(entry)) return
   const message = entry.message
   const role = message.role
-  const ts = numberOr(readField(message, 'timestamp'), 0)
+  const ts = entryTimestampMs(entry, message)
   if (role === 'user') {
     const text = readTextContent(message.content)
     if (text !== null) yield { cat: 'user', ts, text }
@@ -219,6 +219,20 @@ function readUsage(value: unknown): {
   }
 }
 
+function entryTimestampMs(
+  entry: { type: 'message'; message: { role: string; [k: string]: unknown } },
+  message: { role: string; [k: string]: unknown },
+): number {
+  return timestampMs(readField(entry, 'timestamp')) ?? timestampMs(readField(message, 'timestamp')) ?? 0
+}
+
+function timestampMs(value: unknown): number | null {
+  if (typeof value === 'number' && Number.isFinite(value)) return value
+  if (typeof value !== 'string' || value === '') return null
+  const parsed = Date.parse(value)
+  return Number.isFinite(parsed) ? parsed : null
+}
+
 function* readThinkingEvents(content: unknown, ts: number): Iterable<InspectEvent> {
   if (!Array.isArray(content)) return
   for (const block of content) {

package/src/permissions/builtins.ts

@@ -29,21 +29,27 @@ export type BuiltinRoleSpec = {
   readonly permissions: readonly string[]
 }
 
-// Owner carries low + medium tier strings explicitly AND the wildcard
-// sentinel. The sentinel expands to plugin-contributed `security.bypass.*`
-// strings minus the security plugin's `ownerWildcardExclusions` (today:
-// `security.bypass.high` plus high-tier per-guard strings). Net effect:
-// owner auto-bypasses every low- and medium-tier guard, and high-tier
-// guards require per-call ack from owner too (the audience-leak rule —
-// owner-in-public-channel must not silently post credentials).
+// Role-to-tier defaults form a strict tower:
+//   owner   → bypass.low + bypass.medium + bypass.high
+//   trusted → bypass.low + bypass.medium
+//   member  → bypass.low
+//   guest   → no bypass
 //
-// Trusted carries only `security.bypass.low`. Trusted does NOT carry the
-// pre-PR per-guard grants (`bypassSecretExfilBash`, `bypassGitExfil`):
-// those guards are medium/high under the audience-leak axis and per-guard
-// grants would re-introduce exactly the bypass holes the tier system
-// exists to prevent. Operators who want the pre-PR ergonomics can add the
-// per-guard strings explicitly to `roles.trusted.permissions[]` in
-// typeclaw.json — that path stays alive forever.
+// `canBypass` in the bundled security plugin checks the specific tier
+// string for the guard's severity, so each role must carry every tier
+// string at or below its cap (tiers do not cascade implicitly).
+//
+// Owner also carries the wildcard sentinel: the sentinel expands to every
+// plugin-contributed `security.bypass.*` string minus
+// `ownerWildcardExclusions`. The bundled security plugin no longer excludes
+// high-tier strings (owner is meant to bypass them by default under this
+// model), so the sentinel covers per-guard high-tier strings too.
+//
+// Tradeoff: this gives owner audience-leak bypass without per-call ack.
+// The owner-in-public-channel risk is now load-bearing on the operator
+// scoping `roles.owner.match[]` tightly. Default match is TUI-only, where
+// a human is present; configs that widen owner to a channel author should
+// understand they have re-opened audience-leak for that author.
 export const BUILTIN_ROLES: Readonly<Record<BuiltinRoleName, BuiltinRoleSpec>> = {
   owner: {
     match: [{ kind: 'tui' }],
@@ -57,6 +63,7 @@ export const BUILTIN_ROLES: Readonly<Record<BuiltinRoleName, BuiltinRoleSpec>> =
       CORE_PERMISSIONS.subagentSpawnOperator,
       'security.bypass.low',
       'security.bypass.medium',
+      'security.bypass.high',
       OWNER_SECURITY_WILDCARD,
     ],
   },
@@ -70,6 +77,7 @@ export const BUILTIN_ROLES: Readonly<Record<BuiltinRoleName, BuiltinRoleSpec>> =
       CORE_PERMISSIONS.subagentOutput,
       CORE_PERMISSIONS.subagentSpawnOperator,
       'security.bypass.low',
+      'security.bypass.medium',
     ],
   },
   member: {
@@ -79,6 +87,7 @@ export const BUILTIN_ROLES: Readonly<Record<BuiltinRoleName, BuiltinRoleSpec>> =
       CORE_PERMISSIONS.subagentSpawn,
       CORE_PERMISSIONS.subagentCancel,
       CORE_PERMISSIONS.subagentOutput,
+      'security.bypass.low',
     ],
   },
   guest: {
@@ -88,13 +97,12 @@ export const BUILTIN_ROLES: Readonly<Record<BuiltinRoleName, BuiltinRoleSpec>> =
 }
 
 // Expands the owner wildcard sentinel against plugin-contributed
-// `security.bypass.*` strings. `wildcardExclusions` is an optional set of
-// permission strings the sentinel must NOT expand to — used by the
-// bundled security plugin to exclude `security.bypass.high` AND the
-// per-guard strings for high-tier guards, so the wildcard does not
-// auto-grant audience-leak bypass to owner. Explicit operator grants of
-// those strings in `roles.owner.permissions[]` still take effect (they
-// flow through the non-sentinel branch).
+// `security.bypass.*` strings. `wildcardExclusions` lets plugins opt
+// specific strings OUT of the wildcard expansion. The bundled security
+// plugin no longer excludes any high-tier strings — owner bypasses every
+// security tier by default under the current role-tower model. The
+// parameter is preserved for third-party plugins that want a different
+// shape (e.g. a future audit-only plugin that never auto-flows to owner).
 export function expandOwnerWildcard(
   ownerPermissions: readonly string[],
   pluginContributed: readonly string[],