merge: catch up with upstream main

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

container/Dockerfile

@@ -7,6 +7,7 @@ FROM node:22-slim
 RUN apt-get update && apt-get install -y \
     chromium \
     fonts-liberation \
+    fonts-noto-cjk \
     fonts-noto-color-emoji \
     libgbm1 \
     libnss3 \
@@ -54,14 +55,14 @@ RUN mkdir -p /workspace/group /workspace/global /workspace/extra /workspace/ipc/
 # Container input (prompt, group info) is passed via stdin JSON.
 # Credentials are injected by the host's credential proxy — never passed here.
 # Follow-up messages arrive via IPC files in /workspace/ipc/input/
-# Apple Container only supports directory mounts (VirtioFS), so .env cannot be
-# shadowed with a host-side /dev/null file mount. Instead the entrypoint starts
-# as root, uses mount --bind to shadow .env, then drops to the host user via setpriv.
-RUN printf '#!/bin/bash\nset -e\n\n# Shadow .env so the agent cannot read host secrets (requires root)\nif [ "$(id -u)" = "0" ] && [ -f /workspace/project/.env ]; then\n  mount --bind /dev/null /workspace/project/.env\nfi\n\n# Compile agent-runner\ncd /app && npx tsc --outDir /tmp/dist 2>&1 >&2\nln -s /app/node_modules /tmp/dist/node_modules\nchmod -R a-w /tmp/dist\n\n# Capture stdin (secrets JSON) to temp file\ncat > /tmp/input.json\n\n# Drop privileges if running as root (main-group containers)\nif [ "$(id -u)" = "0" ] && [ -n "$RUN_UID" ]; then\n  chown "$RUN_UID:$RUN_GID" /tmp/input.json /tmp/dist\n  exec setpriv --reuid="$RUN_UID" --regid="$RUN_GID" --clear-groups -- node /tmp/dist/index.js < /tmp/input.json\nfi\n\nexec node /tmp/dist/index.js < /tmp/input.json\n' > /app/entrypoint.sh && chmod +x /app/entrypoint.sh
+RUN printf '#!/bin/bash\nset -e\ncd /app && npx tsc --outDir /tmp/dist 2>&1 >&2\nln -s /app/node_modules /tmp/dist/node_modules\nchmod -R a-w /tmp/dist\ncat > /tmp/input.json\nnode /tmp/dist/index.js < /tmp/input.json\n' > /app/entrypoint.sh && chmod +x /app/entrypoint.sh
 
 # Set ownership to node user (non-root) for writable directories
 RUN chown -R node:node /workspace && chmod 777 /home/node
 
+# Switch to non-root user (required for --dangerously-skip-permissions)
+USER node
+
 # Set working directory to group workspace
 WORKDIR /workspace/group
 

container/build.sh

@@ -8,7 +8,7 @@ cd "$SCRIPT_DIR"
 
 IMAGE_NAME="nanoclaw-agent"
 TAG="${1:-latest}"
-CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-container}"
+CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-docker}"
 
 echo "Building NanoClaw agent container image..."
 echo "Image: ${IMAGE_NAME}:${TAG}"

src/config.ts

@@ -51,10 +51,6 @@ export const CONTAINER_MAX_OUTPUT_SIZE = parseInt(
   process.env.CONTAINER_MAX_OUTPUT_SIZE || '10485760',
   10,
 ); // 10MB default
-export const CREDENTIAL_PROXY_PORT = parseInt(
-  process.env.CREDENTIAL_PROXY_PORT || '3001',
-  10,
-);
 export const ONECLI_URL =
   process.env.ONECLI_URL || envConfig.ONECLI_URL || 'http://localhost:10254';
 export const MAX_MESSAGES_PER_PROMPT = Math.max(

src/container-runner.test.ts

@@ -11,10 +11,10 @@ vi.mock('./config.js', () => ({
   CONTAINER_IMAGE: 'nanoclaw-agent:latest',
   CONTAINER_MAX_OUTPUT_SIZE: 10485760,
   CONTAINER_TIMEOUT: 1800000, // 30min
-  CREDENTIAL_PROXY_PORT: 3001,
   DATA_DIR: '/tmp/nanoclaw-test-data',
   GROUPS_DIR: '/tmp/nanoclaw-test-groups',
   IDLE_TIMEOUT: 1800000, // 30min
+  ONECLI_URL: 'http://localhost:10254',
   TIMEZONE: 'America/Los_Angeles',
 }));
 
@@ -53,16 +53,21 @@ vi.mock('./mount-security.js', () => ({
 
 // Mock container-runtime
 vi.mock('./container-runtime.js', () => ({
-  CONTAINER_RUNTIME_BIN: 'container',
-  CONTAINER_HOST_GATEWAY: 'host.docker.internal',
+  CONTAINER_RUNTIME_BIN: 'docker',
   hostGatewayArgs: () => [],
   readonlyMountArgs: (h: string, c: string) => ['-v', `${h}:${c}:ro`],
   stopContainer: vi.fn(),
 }));
 
-// Mock credential-proxy
-vi.mock('./credential-proxy.js', () => ({
-  detectAuthMode: vi.fn(() => 'api-key'),
+// Mock OneCLI SDK
+vi.mock('@onecli-sh/sdk', () => ({
+  OneCLI: class {
+    applyContainerConfig = vi.fn().mockResolvedValue(true);
+    createAgent = vi.fn().mockResolvedValue({ id: 'test' });
+    ensureAgent = vi
+      .fn()
+      .mockResolvedValue({ name: 'test', identifier: 'test', created: true });
+  },
 }));
 
 // Create a controllable fake ChildProcess

src/container-runner.ts

@@ -10,25 +10,26 @@ import {
   CONTAINER_IMAGE,
   CONTAINER_MAX_OUTPUT_SIZE,
   CONTAINER_TIMEOUT,
-  CREDENTIAL_PROXY_PORT,
   DATA_DIR,
   GROUPS_DIR,
   IDLE_TIMEOUT,
+  ONECLI_URL,
   TIMEZONE,
 } from './config.js';
 import { resolveGroupFolderPath, resolveGroupIpcPath } from './group-folder.js';
 import { logger } from './logger.js';
 import {
-  CONTAINER_HOST_GATEWAY,
   CONTAINER_RUNTIME_BIN,
   hostGatewayArgs,
   readonlyMountArgs,
   stopContainer,
 } from './container-runtime.js';
-import { detectAuthMode } from './credential-proxy.js';
+import { OneCLI } from '@onecli-sh/sdk';
 import { validateAdditionalMounts } from './mount-security.js';
 import { RegisteredGroup } from './types.js';
 
+const onecli = new OneCLI({ url: ONECLI_URL });
+
 // Sentinel markers for robust output parsing (must match agent-runner)
 const OUTPUT_START_MARKER = '---NANOCLAW_OUTPUT_START---';
 const OUTPUT_END_MARKER = '---NANOCLAW_OUTPUT_END---';
@@ -77,8 +78,16 @@ function buildVolumeMounts(
       readonly: true,
     });
 
-    // .env shadowing is handled inside the container entrypoint via mount --bind
-    // (Apple Container only supports directory mounts, not file mounts like /dev/null)
+    // Shadow .env so the agent cannot read secrets from the mounted project root.
+    // Credentials are injected by the OneCLI gateway, never exposed to containers.
+    const envFile = path.join(projectRoot, '.env');
+    if (fs.existsSync(envFile)) {
+      mounts.push({
+        hostPath: '/dev/null',
+        containerPath: '/workspace/project/.env',
+        readonly: true,
+      });
+    }
 
     // Main also gets its group folder as the working directory
     mounts.push({
@@ -214,31 +223,29 @@ function buildVolumeMounts(
   return mounts;
 }
 
-function buildContainerArgs(
+async function buildContainerArgs(
   mounts: VolumeMount[],
   containerName: string,
-  isMain: boolean,
-): string[] {
+  agentIdentifier?: string,
+): Promise<string[]> {
   const args: string[] = ['run', '-i', '--rm', '--name', containerName];
 
   // Pass host timezone so container's local time matches the user's
   args.push('-e', `TZ=${TIMEZONE}`);
 
-  // Route API traffic through the credential proxy (containers never see real secrets)
-  args.push(
-    '-e',
-    `ANTHROPIC_BASE_URL=http://${CONTAINER_HOST_GATEWAY}:${CREDENTIAL_PROXY_PORT}`,
-  );
-
-  // Mirror the host's auth method with a placeholder value.
-  // API key mode: SDK sends x-api-key, proxy replaces with real key.
-  // OAuth mode:   SDK exchanges placeholder token for temp API key,
-  //               proxy injects real OAuth token on that exchange request.
-  const authMode = detectAuthMode();
-  if (authMode === 'api-key') {
-    args.push('-e', 'ANTHROPIC_API_KEY=placeholder');
+  // OneCLI gateway handles credential injection — containers never see real secrets.
+  // The gateway intercepts HTTPS traffic and injects API keys or OAuth tokens.
+  const onecliApplied = await onecli.applyContainerConfig(args, {
+    addHostMapping: false, // Nanoclaw already handles host gateway
+    agent: agentIdentifier,
+  });
+  if (onecliApplied) {
+    logger.info({ containerName }, 'OneCLI gateway config applied');
   } else {
-    args.push('-e', 'CLAUDE_CODE_OAUTH_TOKEN=placeholder');
+    logger.warn(
+      { containerName },
+      'OneCLI gateway not reachable — container will have no credentials',
+    );
   }
 
   // Runtime-specific args for host gateway resolution
@@ -250,14 +257,7 @@ function buildContainerArgs(
   const hostUid = process.getuid?.();
   const hostGid = process.getgid?.();
   if (hostUid != null && hostUid !== 0 && hostUid !== 1000) {
-    if (isMain) {
-      // Main containers start as root so the entrypoint can mount --bind
-      // to shadow .env. Privileges are dropped via setpriv in entrypoint.sh.
-      args.push('-e', `RUN_UID=${hostUid}`);
-      args.push('-e', `RUN_GID=${hostGid}`);
-    } else {
-      args.push('--user', `${hostUid}:${hostGid}`);
-    }
+    args.push('--user', `${hostUid}:${hostGid}`);
     args.push('-e', 'HOME=/home/node');
   }
 
@@ -288,7 +288,15 @@ export async function runContainerAgent(
   const mounts = buildVolumeMounts(group, input.isMain);
   const safeName = group.folder.replace(/[^a-zA-Z0-9-]/g, '-');
   const containerName = `nanoclaw-${safeName}-${Date.now()}`;
-  const containerArgs = buildContainerArgs(mounts, containerName, input.isMain);
+  // Main group uses the default OneCLI agent; others use their own agent.
+  const agentIdentifier = input.isMain
+    ? undefined
+    : group.folder.toLowerCase().replace(/_/g, '-');
+  const containerArgs = await buildContainerArgs(
+    mounts,
+    containerName,
+    agentIdentifier,
+  );
 
   logger.debug(
     {

src/container-runtime.test.ts

@@ -32,12 +32,9 @@ beforeEach(() => {
 // --- Pure functions ---
 
 describe('readonlyMountArgs', () => {
-  it('returns --mount flag with type=bind and readonly', () => {
+  it('returns -v flag with :ro suffix', () => {
     const args = readonlyMountArgs('/host/path', '/container/path');
-    expect(args).toEqual([
-      '--mount',
-      'type=bind,source=/host/path,target=/container/path,readonly',
-    ]);
+    expect(args).toEqual(['-v', '/host/path:/container/path:ro']);
   });
 });
 
@@ -45,18 +42,14 @@ describe('stopContainer', () => {
   it('calls docker stop for valid container names', () => {
     stopContainer('nanoclaw-test-123');
     expect(mockExecSync).toHaveBeenCalledWith(
-      `${CONTAINER_RUNTIME_BIN} stop nanoclaw-test-123`,
+      `${CONTAINER_RUNTIME_BIN} stop -t 1 nanoclaw-test-123`,
       { stdio: 'pipe' },
     );
   });
 
   it('rejects names with shell metacharacters', () => {
-    expect(() => stopContainer('foo; rm -rf /')).toThrow(
-      'Invalid container name',
-    );
-    expect(() => stopContainer('foo$(whoami)')).toThrow(
-      'Invalid container name',
-    );
+    expect(() => stopContainer('foo; rm -rf /')).toThrow('Invalid container name');
+    expect(() => stopContainer('foo$(whoami)')).toThrow('Invalid container name');
     expect(() => stopContainer('foo`id`')).toThrow('Invalid container name');
     expect(mockExecSync).not.toHaveBeenCalled();
   });
@@ -71,37 +64,18 @@ describe('ensureContainerRuntimeRunning', () => {
     ensureContainerRuntimeRunning();
 
     expect(mockExecSync).toHaveBeenCalledTimes(1);
-    expect(mockExecSync).toHaveBeenCalledWith(
-      `${CONTAINER_RUNTIME_BIN} system status`,
-      { stdio: 'pipe' },
-    );
+    expect(mockExecSync).toHaveBeenCalledWith(`${CONTAINER_RUNTIME_BIN} info`, {
+      stdio: 'pipe',
+      timeout: 10000,
+    });
     expect(logger.debug).toHaveBeenCalledWith(
       'Container runtime already running',
     );
   });
 
-  it('auto-starts when system status fails', () => {
-    // First call (system status) fails
+  it('throws when docker info fails', () => {
     mockExecSync.mockImplementationOnce(() => {
-      throw new Error('not running');
-    });
-    // Second call (system start) succeeds
-    mockExecSync.mockReturnValueOnce('');
-
-    ensureContainerRuntimeRunning();
-
-    expect(mockExecSync).toHaveBeenCalledTimes(2);
-    expect(mockExecSync).toHaveBeenNthCalledWith(
-      2,
-      `${CONTAINER_RUNTIME_BIN} system start`,
-      { stdio: 'pipe', timeout: 30000 },
-    );
-    expect(logger.info).toHaveBeenCalledWith('Container runtime started');
-  });
-
-  it('throws when both status and start fail', () => {
-    mockExecSync.mockImplementation(() => {
-      throw new Error('failed');
+      throw new Error('Cannot connect to the Docker daemon');
     });
 
     expect(() => ensureContainerRuntimeRunning()).toThrow(
@@ -114,40 +88,36 @@ describe('ensureContainerRuntimeRunning', () => {
 // --- cleanupOrphans ---
 
 describe('cleanupOrphans', () => {
-  it('stops orphaned nanoclaw containers from JSON output', () => {
-    // Apple Container ls returns JSON
-    const lsOutput = JSON.stringify([
-      { status: 'running', configuration: { id: 'nanoclaw-group1-111' } },
-      { status: 'stopped', configuration: { id: 'nanoclaw-group2-222' } },
-      { status: 'running', configuration: { id: 'nanoclaw-group3-333' } },
-      { status: 'running', configuration: { id: 'other-container' } },
-    ]);
-    mockExecSync.mockReturnValueOnce(lsOutput);
+  it('stops orphaned nanoclaw containers', () => {
+    // docker ps returns container names, one per line
+    mockExecSync.mockReturnValueOnce(
+      'nanoclaw-group1-111\nnanoclaw-group2-222\n',
+    );
     // stop calls succeed
     mockExecSync.mockReturnValue('');
 
     cleanupOrphans();
 
-    // ls + 2 stop calls (only running nanoclaw- containers)
+    // ps + 2 stop calls
     expect(mockExecSync).toHaveBeenCalledTimes(3);
     expect(mockExecSync).toHaveBeenNthCalledWith(
       2,
-      `${CONTAINER_RUNTIME_BIN} stop nanoclaw-group1-111`,
+      `${CONTAINER_RUNTIME_BIN} stop -t 1 nanoclaw-group1-111`,
       { stdio: 'pipe' },
     );
     expect(mockExecSync).toHaveBeenNthCalledWith(
       3,
-      `${CONTAINER_RUNTIME_BIN} stop nanoclaw-group3-333`,
+      `${CONTAINER_RUNTIME_BIN} stop -t 1 nanoclaw-group2-222`,
       { stdio: 'pipe' },
     );
     expect(logger.info).toHaveBeenCalledWith(
-      { count: 2, names: ['nanoclaw-group1-111', 'nanoclaw-group3-333'] },
+      { count: 2, names: ['nanoclaw-group1-111', 'nanoclaw-group2-222'] },
       'Stopped orphaned containers',
     );
   });
 
   it('does nothing when no orphans exist', () => {
-    mockExecSync.mockReturnValueOnce('[]');
+    mockExecSync.mockReturnValueOnce('');
 
     cleanupOrphans();
 
@@ -155,9 +125,9 @@ describe('cleanupOrphans', () => {
     expect(logger.info).not.toHaveBeenCalled();
   });
 
-  it('warns and continues when ls fails', () => {
+  it('warns and continues when ps fails', () => {
     mockExecSync.mockImplementationOnce(() => {
-      throw new Error('container not available');
+      throw new Error('docker not available');
     });
 
     cleanupOrphans(); // should not throw
@@ -169,11 +139,7 @@ describe('cleanupOrphans', () => {
   });
 
   it('continues stopping remaining containers when one stop fails', () => {
-    const lsOutput = JSON.stringify([
-      { status: 'running', configuration: { id: 'nanoclaw-a-1' } },
-      { status: 'running', configuration: { id: 'nanoclaw-b-2' } },
-    ]);
-    mockExecSync.mockReturnValueOnce(lsOutput);
+    mockExecSync.mockReturnValueOnce('nanoclaw-a-1\nnanoclaw-b-2\n');
     // First stop fails
     mockExecSync.mockImplementationOnce(() => {
       throw new Error('already stopped');

src/container-runtime.ts

@@ -3,46 +3,12 @@
  * All runtime-specific logic lives here so swapping runtimes means changing one file.
  */
 import { execSync } from 'child_process';
-import fs from 'fs';
 import os from 'os';
 
 import { logger } from './logger.js';
 
 /** The container runtime binary name. */
-export const CONTAINER_RUNTIME_BIN = 'container';
-
-/**
- * IP address containers use to reach the host machine.
- * Apple Container VMs use a bridge network (192.168.64.x); the host is at the gateway.
- * Detected from the bridge0 interface, falling back to 192.168.64.1.
- */
-export const CONTAINER_HOST_GATEWAY = detectHostGateway();
-
-function detectHostGateway(): string {
-  // Apple Container on macOS: containers reach the host via the bridge network gateway
-  const ifaces = os.networkInterfaces();
-  const bridge = ifaces['bridge100'] || ifaces['bridge0'];
-  if (bridge) {
-    const ipv4 = bridge.find((a) => a.family === 'IPv4');
-    if (ipv4) return ipv4.address;
-  }
-  // Fallback: Apple Container's default gateway
-  return '192.168.64.1';
-}
-
-/**
- * Address the credential proxy binds to.
- * Must be set via CREDENTIAL_PROXY_HOST in .env — there is no safe default
- * for Apple Container because bridge100 only exists while containers run,
- * but the proxy must start before any container.
- * The /convert-to-apple-container skill sets this during setup.
- */
-export const PROXY_BIND_HOST = process.env.CREDENTIAL_PROXY_HOST;
-if (!PROXY_BIND_HOST) {
-  throw new Error(
-    'CREDENTIAL_PROXY_HOST is not set in .env. Run /convert-to-apple-container to configure.',
-  );
-}
+export const CONTAINER_RUNTIME_BIN = 'docker';
 
 /** CLI args needed for the container to resolve the host gateway. */
 export function hostGatewayArgs(): string[] {
@@ -58,10 +24,7 @@ export function readonlyMountArgs(
   hostPath: string,
   containerPath: string,
 ): string[] {
-  return [
-    '--mount',
-    `type=bind,source=${hostPath},target=${containerPath},readonly`,
-  ];
+  return ['-v', `${hostPath}:${containerPath}:ro`];
 }
 
 /** Stop a container by name. Uses execFileSync to avoid shell injection. */
@@ -69,68 +32,57 @@ export function stopContainer(name: string): void {
   if (!/^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/.test(name)) {
     throw new Error(`Invalid container name: ${name}`);
   }
-  execSync(`${CONTAINER_RUNTIME_BIN} stop ${name}`, { stdio: 'pipe' });
+  execSync(`${CONTAINER_RUNTIME_BIN} stop -t 1 ${name}`, { stdio: 'pipe' });
 }
 
 /** Ensure the container runtime is running, starting it if needed. */
 export function ensureContainerRuntimeRunning(): void {
   try {
-    execSync(`${CONTAINER_RUNTIME_BIN} system status`, { stdio: 'pipe' });
+    execSync(`${CONTAINER_RUNTIME_BIN} info`, {
+      stdio: 'pipe',
+      timeout: 10000,
+    });
     logger.debug('Container runtime already running');
-  } catch {
-    logger.info('Starting container runtime...');
-    try {
-      execSync(`${CONTAINER_RUNTIME_BIN} system start`, {
-        stdio: 'pipe',
-        timeout: 30000,
-      });
-      logger.info('Container runtime started');
-    } catch (err) {
-      logger.error({ err }, 'Failed to start container runtime');
-      console.error(
-        '\n╔════════════════════════════════════════════════════════════════╗',
-      );
-      console.error(
-        '║  FATAL: Container runtime failed to start                      ║',
-      );
-      console.error(
-        '║                                                                ║',
-      );
-      console.error(
-        '║  Agents cannot run without a container runtime. To fix:        ║',
-      );
-      console.error(
-        '║  1. Ensure Apple Container is installed                        ║',
-      );
-      console.error(
-        '║  2. Run: container system start                                ║',
-      );
-      console.error(
-        '║  3. Restart NanoClaw                                           ║',
-      );
-      console.error(
-        '╚════════════════════════════════════════════════════════════════╝\n',
-      );
-      throw new Error('Container runtime is required but failed to start');
-    }
+  } catch (err) {
+    logger.error({ err }, 'Failed to reach container runtime');
+    console.error(
+      '\n╔════════════════════════════════════════════════════════════════╗',
+    );
+    console.error(
+      '║  FATAL: Container runtime failed to start                      ║',
+    );
+    console.error(
+      '║                                                                ║',
+    );
+    console.error(
+      '║  Agents cannot run without a container runtime. To fix:        ║',
+    );
+    console.error(
+      '║  1. Ensure Docker is installed and running                     ║',
+    );
+    console.error(
+      '║  2. Run: docker info                                           ║',
+    );
+    console.error(
+      '║  3. Restart NanoClaw                                           ║',
+    );
+    console.error(
+      '╚════════════════════════════════════════════════════════════════╝\n',
+    );
+    throw new Error('Container runtime is required but failed to start', {
+      cause: err,
+    });
   }
 }
 
 /** Kill orphaned NanoClaw containers from previous runs. */
 export function cleanupOrphans(): void {
   try {
-    const output = execSync(`${CONTAINER_RUNTIME_BIN} ls --format json`, {
-      stdio: ['pipe', 'pipe', 'pipe'],
-      encoding: 'utf-8',
-    });
-    const containers: { status: string; configuration: { id: string } }[] =
-      JSON.parse(output || '[]');
-    const orphans = containers
-      .filter(
-        (c) =>
-          c.status === 'running' && c.configuration.id.startsWith('nanoclaw-'),
-      )
-      .map((c) => c.configuration.id);
+    const output = execSync(
+      `${CONTAINER_RUNTIME_BIN} ps --filter name=nanoclaw- --format '{{.Names}}'`,
+      { stdio: ['pipe', 'pipe', 'pipe'], encoding: 'utf-8' },
+    );
+    const orphans = output.trim().split('\n').filter(Boolean);
     for (const name of orphans) {
       try {
         stopContainer(name);

src/credential-proxy.test.ts

@@ -1,192 +0,0 @@
-import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
-import http from 'http';
-import type { AddressInfo } from 'net';
-
-const mockEnv: Record<string, string> = {};
-vi.mock('./env.js', () => ({
-  readEnvFile: vi.fn(() => ({ ...mockEnv })),
-}));
-
-vi.mock('./logger.js', () => ({
-  logger: { info: vi.fn(), error: vi.fn(), debug: vi.fn(), warn: vi.fn() },
-}));
-
-import { startCredentialProxy } from './credential-proxy.js';
-
-function makeRequest(
-  port: number,
-  options: http.RequestOptions,
-  body = '',
-): Promise<{
-  statusCode: number;
-  body: string;
-  headers: http.IncomingHttpHeaders;
-}> {
-  return new Promise((resolve, reject) => {
-    const req = http.request(
-      { ...options, hostname: '127.0.0.1', port },
-      (res) => {
-        const chunks: Buffer[] = [];
-        res.on('data', (c) => chunks.push(c));
-        res.on('end', () => {
-          resolve({
-            statusCode: res.statusCode!,
-            body: Buffer.concat(chunks).toString(),
-            headers: res.headers,
-          });
-        });
-      },
-    );
-    req.on('error', reject);
-    req.write(body);
-    req.end();
-  });
-}
-
-describe('credential-proxy', () => {
-  let proxyServer: http.Server;
-  let upstreamServer: http.Server;
-  let proxyPort: number;
-  let upstreamPort: number;
-  let lastUpstreamHeaders: http.IncomingHttpHeaders;
-
-  beforeEach(async () => {
-    lastUpstreamHeaders = {};
-
-    upstreamServer = http.createServer((req, res) => {
-      lastUpstreamHeaders = { ...req.headers };
-      res.writeHead(200, { 'content-type': 'application/json' });
-      res.end(JSON.stringify({ ok: true }));
-    });
-    await new Promise<void>((resolve) =>
-      upstreamServer.listen(0, '127.0.0.1', resolve),
-    );
-    upstreamPort = (upstreamServer.address() as AddressInfo).port;
-  });
-
-  afterEach(async () => {
-    await new Promise<void>((r) => proxyServer?.close(() => r()));
-    await new Promise<void>((r) => upstreamServer?.close(() => r()));
-    for (const key of Object.keys(mockEnv)) delete mockEnv[key];
-  });
-
-  async function startProxy(env: Record<string, string>): Promise<number> {
-    Object.assign(mockEnv, env, {
-      ANTHROPIC_BASE_URL: `http://127.0.0.1:${upstreamPort}`,
-    });
-    proxyServer = await startCredentialProxy(0);
-    return (proxyServer.address() as AddressInfo).port;
-  }
-
-  it('API-key mode injects x-api-key and strips placeholder', async () => {
-    proxyPort = await startProxy({ ANTHROPIC_API_KEY: 'sk-ant-real-key' });
-
-    await makeRequest(
-      proxyPort,
-      {
-        method: 'POST',
-        path: '/v1/messages',
-        headers: {
-          'content-type': 'application/json',
-          'x-api-key': 'placeholder',
-        },
-      },
-      '{}',
-    );
-
-    expect(lastUpstreamHeaders['x-api-key']).toBe('sk-ant-real-key');
-  });
-
-  it('OAuth mode replaces Authorization when container sends one', async () => {
-    proxyPort = await startProxy({
-      CLAUDE_CODE_OAUTH_TOKEN: 'real-oauth-token',
-    });
-
-    await makeRequest(
-      proxyPort,
-      {
-        method: 'POST',
-        path: '/api/oauth/claude_cli/create_api_key',
-        headers: {
-          'content-type': 'application/json',
-          authorization: 'Bearer placeholder',
-        },
-      },
-      '{}',
-    );
-
-    expect(lastUpstreamHeaders['authorization']).toBe(
-      'Bearer real-oauth-token',
-    );
-  });
-
-  it('OAuth mode does not inject Authorization when container omits it', async () => {
-    proxyPort = await startProxy({
-      CLAUDE_CODE_OAUTH_TOKEN: 'real-oauth-token',
-    });
-
-    // Post-exchange: container uses x-api-key only, no Authorization header
-    await makeRequest(
-      proxyPort,
-      {
-        method: 'POST',
-        path: '/v1/messages',
-        headers: {
-          'content-type': 'application/json',
-          'x-api-key': 'temp-key-from-exchange',
-        },
-      },
-      '{}',
-    );
-
-    expect(lastUpstreamHeaders['x-api-key']).toBe('temp-key-from-exchange');
-    expect(lastUpstreamHeaders['authorization']).toBeUndefined();
-  });
-
-  it('strips hop-by-hop headers', async () => {
-    proxyPort = await startProxy({ ANTHROPIC_API_KEY: 'sk-ant-real-key' });
-
-    await makeRequest(
-      proxyPort,
-      {
-        method: 'POST',
-        path: '/v1/messages',
-        headers: {
-          'content-type': 'application/json',
-          connection: 'keep-alive',
-          'keep-alive': 'timeout=5',
-          'transfer-encoding': 'chunked',
-        },
-      },
-      '{}',
-    );
-
-    // Proxy strips client hop-by-hop headers. Node's HTTP client may re-add
-    // its own Connection header (standard HTTP/1.1 behavior), but the client's
-    // custom keep-alive and transfer-encoding must not be forwarded.
-    expect(lastUpstreamHeaders['keep-alive']).toBeUndefined();
-    expect(lastUpstreamHeaders['transfer-encoding']).toBeUndefined();
-  });
-
-  it('returns 502 when upstream is unreachable', async () => {
-    Object.assign(mockEnv, {
-      ANTHROPIC_API_KEY: 'sk-ant-real-key',
-      ANTHROPIC_BASE_URL: 'http://127.0.0.1:59999',
-    });
-    proxyServer = await startCredentialProxy(0);
-    proxyPort = (proxyServer.address() as AddressInfo).port;
-
-    const res = await makeRequest(
-      proxyPort,
-      {
-        method: 'POST',
-        path: '/v1/messages',
-        headers: { 'content-type': 'application/json' },
-      },
-      '{}',
-    );
-
-    expect(res.statusCode).toBe(502);
-    expect(res.body).toBe('Bad Gateway');
-  });
-});

src/credential-proxy.ts

@@ -1,125 +0,0 @@
-/**
- * Credential proxy for container isolation.
- * Containers connect here instead of directly to the Anthropic API.
- * The proxy injects real credentials so containers never see them.
- *
- * Two auth modes:
- *   API key:  Proxy injects x-api-key on every request.
- *   OAuth:    Container CLI exchanges its placeholder token for a temp
- *             API key via /api/oauth/claude_cli/create_api_key.
- *             Proxy injects real OAuth token on that exchange request;
- *             subsequent requests carry the temp key which is valid as-is.
- */
-import { createServer, Server } from 'http';
-import { request as httpsRequest } from 'https';
-import { request as httpRequest, RequestOptions } from 'http';
-
-import { readEnvFile } from './env.js';
-import { logger } from './logger.js';
-
-export type AuthMode = 'api-key' | 'oauth';
-
-export interface ProxyConfig {
-  authMode: AuthMode;
-}
-
-export function startCredentialProxy(
-  port: number,
-  host = '127.0.0.1',
-): Promise<Server> {
-  const secrets = readEnvFile([
-    'ANTHROPIC_API_KEY',
-    'CLAUDE_CODE_OAUTH_TOKEN',
-    'ANTHROPIC_AUTH_TOKEN',
-    'ANTHROPIC_BASE_URL',
-  ]);
-
-  const authMode: AuthMode = secrets.ANTHROPIC_API_KEY ? 'api-key' : 'oauth';
-  const oauthToken =
-    secrets.CLAUDE_CODE_OAUTH_TOKEN || secrets.ANTHROPIC_AUTH_TOKEN;
-
-  const upstreamUrl = new URL(
-    secrets.ANTHROPIC_BASE_URL || 'https://api.anthropic.com',
-  );
-  const isHttps = upstreamUrl.protocol === 'https:';
-  const makeRequest = isHttps ? httpsRequest : httpRequest;
-
-  return new Promise((resolve, reject) => {
-    const server = createServer((req, res) => {
-      const chunks: Buffer[] = [];
-      req.on('data', (c) => chunks.push(c));
-      req.on('end', () => {
-        const body = Buffer.concat(chunks);
-        const headers: Record<string, string | number | string[] | undefined> =
-          {
-            ...(req.headers as Record<string, string>),
-            host: upstreamUrl.host,
-            'content-length': body.length,
-          };
-
-        // Strip hop-by-hop headers that must not be forwarded by proxies
-        delete headers['connection'];
-        delete headers['keep-alive'];
-        delete headers['transfer-encoding'];
-
-        if (authMode === 'api-key') {
-          // API key mode: inject x-api-key on every request
-          delete headers['x-api-key'];
-          headers['x-api-key'] = secrets.ANTHROPIC_API_KEY;
-        } else {
-          // OAuth mode: replace placeholder Bearer token with the real one
-          // only when the container actually sends an Authorization header
-          // (exchange request + auth probes). Post-exchange requests use
-          // x-api-key only, so they pass through without token injection.
-          if (headers['authorization']) {
-            delete headers['authorization'];
-            if (oauthToken) {
-              headers['authorization'] = `Bearer ${oauthToken}`;
-            }
-          }
-        }
-
-        const upstream = makeRequest(
-          {
-            hostname: upstreamUrl.hostname,
-            port: upstreamUrl.port || (isHttps ? 443 : 80),
-            path: req.url,
-            method: req.method,
-            headers,
-          } as RequestOptions,
-          (upRes) => {
-            res.writeHead(upRes.statusCode!, upRes.headers);
-            upRes.pipe(res);
-          },
-        );
-
-        upstream.on('error', (err) => {
-          logger.error(
-            { err, url: req.url },
-            'Credential proxy upstream error',
-          );
-          if (!res.headersSent) {
-            res.writeHead(502);
-            res.end('Bad Gateway');
-          }
-        });
-
-        upstream.write(body);
-        upstream.end();
-      });
-    });
-
-    server.listen(port, host, () => {
-      logger.info({ port, host, authMode }, 'Credential proxy started');
-      resolve(server);
-    });
-
-    server.on('error', reject);
-  });
-}
-
-/** Detect which auth mode the host is configured for. */
-export function detectAuthMode(): AuthMode {
-  const secrets = readEnvFile(['ANTHROPIC_API_KEY']);
-  return secrets.ANTHROPIC_API_KEY ? 'api-key' : 'oauth';
-}

src/formatting.test.ts

@@ -11,6 +11,7 @@ import {
   formatOutbound,
   stripInternalTags,
 } from './router.js';
+import { parseTextStyles, parseSignalStyles } from './text-styles.js';
 import { NewMessage } from './types.js';
 
 function makeMsg(overrides: Partial<NewMessage> = {}): NewMessage {
@@ -292,3 +293,259 @@ describe('trigger gating (requiresTrigger interaction)', () => {
     expect(shouldProcess(false, false, undefined, msgs)).toBe(true);
   });
 });
+
+// --- parseTextStyles ---
+
+describe('parseTextStyles — passthrough channels', () => {
+  it('passes text through unchanged on discord', () => {
+    const md = '**bold** and *italic* and [link](https://example.com)';
+    expect(parseTextStyles(md, 'discord')).toBe(md);
+  });
+
+  it('passes text through unchanged on signal (signal uses parseSignalStyles)', () => {
+    const md = '**bold** and *italic* and [link](https://example.com)';
+    expect(parseTextStyles(md, 'signal')).toBe(md);
+  });
+});
+
+describe('parseTextStyles — bold', () => {
+  it('converts **bold** to *bold* on whatsapp', () => {
+    expect(parseTextStyles('**hello**', 'whatsapp')).toBe('*hello*');
+  });
+
+  it('converts **bold** to *bold* on telegram', () => {
+    expect(parseTextStyles('say **this** now', 'telegram')).toBe(
+      'say *this* now',
+    );
+  });
+
+  it('converts **bold** to *bold* on slack', () => {
+    expect(parseTextStyles('**hello**', 'slack')).toBe('*hello*');
+  });
+
+  it('does not convert a lone * as bold', () => {
+    expect(parseTextStyles('a * b * c', 'whatsapp')).toBe('a * b * c');
+  });
+});
+
+describe('parseTextStyles — italic', () => {
+  it('converts *italic* to _italic_ on whatsapp', () => {
+    expect(parseTextStyles('say *this* now', 'whatsapp')).toBe(
+      'say _this_ now',
+    );
+  });
+
+  it('converts *italic* to _italic_ on telegram', () => {
+    expect(parseTextStyles('*italic*', 'telegram')).toBe('_italic_');
+  });
+
+  it('bold-before-italic: **bold** *italic* → *bold* _italic_', () => {
+    expect(parseTextStyles('**bold** *italic*', 'whatsapp')).toBe(
+      '*bold* _italic_',
+    );
+  });
+});
+
+describe('parseTextStyles — headings', () => {
+  it('converts # heading on whatsapp', () => {
+    expect(parseTextStyles('# Top', 'whatsapp')).toBe('*Top*');
+  });
+
+  it('converts ## heading on telegram', () => {
+    expect(parseTextStyles('## Hello World', 'telegram')).toBe('*Hello World*');
+  });
+
+  it('converts ### heading on telegram', () => {
+    expect(parseTextStyles('### Section', 'telegram')).toBe('*Section*');
+  });
+
+  it('only converts headings at line start', () => {
+    const input = 'not a ## heading in middle';
+    expect(parseTextStyles(input, 'whatsapp')).toBe(input);
+  });
+});
+
+describe('parseTextStyles — links', () => {
+  it('converts [text](url) to text (url) on whatsapp', () => {
+    expect(parseTextStyles('[Link](https://example.com)', 'whatsapp')).toBe(
+      'Link (https://example.com)',
+    );
+  });
+
+  it('converts [text](url) to text (url) on telegram', () => {
+    expect(parseTextStyles('[Link](https://example.com)', 'telegram')).toBe(
+      'Link (https://example.com)',
+    );
+  });
+
+  it('converts [text](url) to <url|text> on slack', () => {
+    expect(parseTextStyles('[Click here](https://example.com)', 'slack')).toBe(
+      '<https://example.com|Click here>',
+    );
+  });
+});
+
+describe('parseTextStyles — horizontal rules', () => {
+  it('strips --- on telegram', () => {
+    expect(parseTextStyles('above\n---\nbelow', 'telegram')).toBe(
+      'above\n\nbelow',
+    );
+  });
+
+  it('strips *** on whatsapp', () => {
+    expect(parseTextStyles('above\n***\nbelow', 'whatsapp')).toBe(
+      'above\n\nbelow',
+    );
+  });
+});
+
+describe('parseTextStyles — code block protection', () => {
+  it('does not transform **bold** inside fenced code block', () => {
+    const input = '```\n**not bold**\n```';
+    expect(parseTextStyles(input, 'whatsapp')).toBe(input);
+  });
+
+  it('does not transform *italic* inside inline code', () => {
+    const input = 'use `*star*` literally';
+    expect(parseTextStyles(input, 'telegram')).toBe(input);
+  });
+
+  it('transforms text outside code blocks but not inside', () => {
+    const input = '**bold** and `*code*` and *italic*';
+    expect(parseTextStyles(input, 'whatsapp')).toBe(
+      '*bold* and `*code*` and _italic_',
+    );
+  });
+
+  it('transforms text outside fenced block but not inside', () => {
+    const input = '**bold**\n```\n**raw**\n```\n*italic*';
+    expect(parseTextStyles(input, 'telegram')).toBe(
+      '*bold*\n```\n**raw**\n```\n_italic_',
+    );
+  });
+});
+
+// --- parseSignalStyles ---
+
+describe('parseSignalStyles — basic styles', () => {
+  it('extracts BOLD from **text**', () => {
+    const { text, textStyle } = parseSignalStyles('**hello**');
+    expect(text).toBe('hello');
+    expect(textStyle).toEqual([{ style: 'BOLD', start: 0, length: 5 }]);
+  });
+
+  it('extracts ITALIC from *text*', () => {
+    const { text, textStyle } = parseSignalStyles('*hello*');
+    expect(text).toBe('hello');
+    expect(textStyle).toEqual([{ style: 'ITALIC', start: 0, length: 5 }]);
+  });
+
+  it('extracts ITALIC from _text_', () => {
+    const { text, textStyle } = parseSignalStyles('_hello_');
+    expect(text).toBe('hello');
+    expect(textStyle).toEqual([{ style: 'ITALIC', start: 0, length: 5 }]);
+  });
+
+  it('extracts STRIKETHROUGH from ~~text~~', () => {
+    const { text, textStyle } = parseSignalStyles('~~hello~~');
+    expect(text).toBe('hello');
+    expect(textStyle).toEqual([
+      { style: 'STRIKETHROUGH', start: 0, length: 5 },
+    ]);
+  });
+
+  it('extracts MONOSPACE from `inline code`', () => {
+    const { text, textStyle } = parseSignalStyles('`code`');
+    expect(text).toBe('code');
+    expect(textStyle).toEqual([{ style: 'MONOSPACE', start: 0, length: 4 }]);
+  });
+
+  it('extracts BOLD from ## heading and strips marker', () => {
+    const { text, textStyle } = parseSignalStyles('## Hello World');
+    expect(text).toBe('Hello World');
+    expect(textStyle).toEqual([{ style: 'BOLD', start: 0, length: 11 }]);
+  });
+
+  it('no styles for plain text', () => {
+    const { text, textStyle } = parseSignalStyles('just plain text');
+    expect(text).toBe('just plain text');
+    expect(textStyle).toHaveLength(0);
+  });
+});
+
+describe('parseSignalStyles — mixed content', () => {
+  it('correctly offsets styles in mixed text', () => {
+    const { text, textStyle } = parseSignalStyles('say **hi** now');
+    expect(text).toBe('say hi now');
+    expect(textStyle).toEqual([{ style: 'BOLD', start: 4, length: 2 }]);
+  });
+
+  it('handles multiple styles with correct offsets', () => {
+    const { text, textStyle } = parseSignalStyles('**bold** and *italic*');
+    expect(text).toBe('bold and italic');
+    expect(textStyle[0]).toEqual({ style: 'BOLD', start: 0, length: 4 });
+    expect(textStyle[1]).toEqual({ style: 'ITALIC', start: 9, length: 6 });
+  });
+
+  it('strips link markers, no style applied', () => {
+    const { text, textStyle } = parseSignalStyles(
+      '[Click here](https://example.com)',
+    );
+    expect(text).toBe('Click here (https://example.com)');
+    expect(textStyle).toHaveLength(0);
+  });
+
+  it('strips horizontal rules', () => {
+    const { text, textStyle } = parseSignalStyles('above\n---\nbelow');
+    expect(text).toBe('above\nbelow');
+    expect(textStyle).toHaveLength(0);
+  });
+});
+
+describe('parseSignalStyles — code block protection', () => {
+  it('protects fenced code block content with MONOSPACE', () => {
+    const input = '```\n**not bold**\n```';
+    const { text, textStyle } = parseSignalStyles(input);
+    expect(text).toBe('**not bold**');
+    expect(textStyle).toEqual([{ style: 'MONOSPACE', start: 0, length: 12 }]);
+  });
+
+  it('styles outside block are still processed', () => {
+    const input = '**bold**\n```\nraw code\n```';
+    const { text, textStyle } = parseSignalStyles(input);
+    expect(text).toContain('bold');
+    expect(text).toContain('raw code');
+    const boldStyle = textStyle.find((s) => s.style === 'BOLD');
+    const codeStyle = textStyle.find((s) => s.style === 'MONOSPACE');
+    expect(boldStyle).toBeDefined();
+    expect(codeStyle).toBeDefined();
+  });
+});
+
+describe('parseSignalStyles — snake_case guard', () => {
+  it('does not italicise underscores in snake_case', () => {
+    const { text, textStyle } = parseSignalStyles('use snake_case_here');
+    expect(text).toBe('use snake_case_here');
+    expect(textStyle).toHaveLength(0);
+  });
+});
+
+describe('formatOutbound — channel-aware', () => {
+  it('applies parseTextStyles when channel is provided', () => {
+    expect(formatOutbound('**bold**', 'whatsapp')).toBe('*bold*');
+  });
+
+  it('returns plain stripped text when no channel provided', () => {
+    expect(formatOutbound('**bold**')).toBe('**bold**');
+  });
+
+  it('strips internal tags then applies channel formatting', () => {
+    expect(
+      formatOutbound('<internal>thinking</internal>**done**', 'telegram'),
+    ).toBe('*done*');
+  });
+
+  it('signal channel is passthrough — raw markdown preserved for parseSignalStyles', () => {
+    expect(formatOutbound('**bold**', 'signal')).toBe('**bold**');
+  });
+});

src/index.ts

@@ -49,6 +49,7 @@ import { GroupQueue } from './group-queue.js';
 import { resolveGroupFolderPath } from './group-folder.js';
 import { startIpcWatcher } from './ipc.js';
 import { findChannel, formatMessages, formatOutbound } from './router.js';
+import { ChannelType } from './text-styles.js';
 import {
   restoreRemoteControl,
   startRemoteControl,
@@ -686,14 +687,16 @@ async function main(): Promise<void> {
         logger.warn({ jid }, 'No channel owns JID, cannot send message');
         return;
       }
-      const text = formatOutbound(rawText);
+      const text = formatOutbound(rawText, channel.name as ChannelType);
       if (text) await channel.sendMessage(jid, text);
     },
   });
   startIpcWatcher({
-    sendMessage: (jid, text) => {
+    sendMessage: (jid, rawText) => {
       const channel = findChannel(channels, jid);
       if (!channel) throw new Error(`No channel for JID: ${jid}`);
+      const text = formatOutbound(rawText, channel.name as ChannelType);
+      if (!text) return Promise.resolve();
       return channel.sendMessage(jid, text);
     },
     registeredGroups: () => registeredGroups,

src/router.ts

@@ -1,5 +1,6 @@
 import { Channel, NewMessage } from './types.js';
 import { formatLocalTime } from './timezone.js';
+import { parseTextStyles, ChannelType } from './text-styles.js';
 
 export function escapeXml(s: string): string {
   if (!s) return '';
@@ -28,10 +29,10 @@ export function stripInternalTags(text: string): string {
   return text.replace(/<internal>[\s\S]*?<\/internal>/g, '').trim();
 }
 
-export function formatOutbound(rawText: string): string {
+export function formatOutbound(rawText: string, channel?: ChannelType): string {
   const text = stripInternalTags(rawText);
   if (!text) return '';
-  return text;
+  return channel ? parseTextStyles(text, channel) : text;
 }
 
 export function routeOutbound(

src/text-styles.ts

@@ -0,0 +1,337 @@
+/**
+ * parseTextStyles — convert Claude's Markdown output to channel-native formatting.
+ *
+ * Claude outputs standard Markdown. Each channel has its own text style syntax:
+ *   - Signal:             passthrough (SignalChannel handles rich text styles natively
+ *                         via the signal-cli JSON-RPC textStyle param — see parseSignalStyles)
+ *   - WhatsApp / Telegram: *bold*, _italic_, no headings, plain links
+ *   - Slack:              *bold*, _italic_, <url|text> links
+ *   - Discord:            passthrough (already Markdown)
+ *
+ * Code blocks (fenced and inline) are NEVER transformed by marker substitution.
+ */
+
+export type ChannelType =
+  | 'signal'
+  | 'whatsapp'
+  | 'telegram'
+  | 'slack'
+  | 'discord';
+
+/** Transform Markdown text for the target channel's native format. */
+export function parseTextStyles(text: string, channel: ChannelType): string {
+  if (!text) return text;
+
+  // Discord and Signal are passthrough — no marker substitution.
+  // Discord is already Markdown; Signal uses parseSignalStyles() for rich text.
+  if (channel === 'discord' || channel === 'signal') return text;
+
+  // Split into protected (code) and unprotected regions, transform only the latter.
+  const segments = splitProtectedRegions(text);
+  return segments
+    .map(({ content, protected: isProtected }) =>
+      isProtected ? content : transformSegment(content, channel),
+    )
+    .join('');
+}
+
+// ---------------------------------------------------------------------------
+// Signal rich-text formatting
+// ---------------------------------------------------------------------------
+
+export interface SignalTextStyle {
+  /** One of Signal's supported text styles. */
+  style: 'BOLD' | 'ITALIC' | 'STRIKETHROUGH' | 'MONOSPACE' | 'SPOILER';
+  /** Start position in the final message string, in UTF-16 code units. */
+  start: number;
+  /** Length of the styled range, in UTF-16 code units. */
+  length: number;
+}
+
+/**
+ * Parse Claude's Markdown into a plain string + Signal textStyle ranges.
+ *
+ * The returned `text` has all markdown markers stripped.  The `textStyle`
+ * array uses UTF-16 code-unit offsets (JavaScript's native string indexing),
+ * matching what signal-cli's JSON-RPC `send.textStyle` param expects.
+ *
+ * Supported patterns:
+ *   **bold**          → BOLD
+ *   *italic*          → ITALIC
+ *   _italic_          → ITALIC
+ *   ~~strike~~        → STRIKETHROUGH
+ *   `inline code`     → MONOSPACE
+ *   ```code block```  → MONOSPACE
+ *   ## Heading        → BOLD (markers stripped)
+ *   [text](url)       → "text (url)"  (no style)
+ *   ---               → removed
+ */
+export function parseSignalStyles(rawText: string): {
+  text: string;
+  textStyle: SignalTextStyle[];
+} {
+  const textStyle: SignalTextStyle[] = [];
+  let out = '';
+  let i = 0;
+  const s = rawText;
+  const n = s.length;
+
+  function addStyle(
+    style: SignalTextStyle['style'],
+    startOut: number,
+    endOut: number,
+  ): void {
+    const length = endOut - startOut;
+    if (length > 0) textStyle.push({ style, start: startOut, length });
+  }
+
+  while (i < n) {
+    // ── Fenced code block  ```[lang]\n...\n``` ──────────────────────────
+    if (s[i] === '`' && s[i + 1] === '`' && s[i + 2] === '`') {
+      const langNl = s.indexOf('\n', i + 3);
+      if (langNl !== -1) {
+        // Find closing ``` on its own line
+        const closeAt = s.indexOf('\n```', langNl);
+        if (closeAt !== -1) {
+          const content = s.slice(langNl + 1, closeAt);
+          const startOut = out.length;
+          out += content;
+          addStyle('MONOSPACE', startOut, out.length);
+          // Advance past \n``` + optional trailing newline
+          const afterClose = s.indexOf('\n', closeAt + 4);
+          i = afterClose !== -1 ? afterClose + 1 : n;
+          continue;
+        }
+      }
+      // Malformed fence — copy literally
+      out += s[i];
+      i++;
+      continue;
+    }
+
+    // ── Inline code  `text` ────────────────────────────────────────────
+    if (s[i] === '`') {
+      const end = s.indexOf('`', i + 1);
+      const nl = s.indexOf('\n', i + 1);
+      if (end !== -1 && (nl === -1 || end < nl)) {
+        const content = s.slice(i + 1, end);
+        const startOut = out.length;
+        out += content;
+        addStyle('MONOSPACE', startOut, out.length);
+        i = end + 1;
+        continue;
+      }
+    }
+
+    // ── Bold  **text** ─────────────────────────────────────────────────
+    if (s[i] === '*' && s[i + 1] === '*' && s[i + 2] && s[i + 2] !== ' ') {
+      const end = s.indexOf('**', i + 2);
+      if (end !== -1 && s[end - 1] !== ' ') {
+        const content = s.slice(i + 2, end);
+        const startOut = out.length;
+        out += content;
+        addStyle('BOLD', startOut, out.length);
+        i = end + 2;
+        continue;
+      }
+    }
+
+    // ── Strikethrough  ~~text~~ ────────────────────────────────────────
+    if (s[i] === '~' && s[i + 1] === '~' && s[i + 2] && s[i + 2] !== ' ') {
+      const end = s.indexOf('~~', i + 2);
+      if (end !== -1) {
+        const content = s.slice(i + 2, end);
+        const startOut = out.length;
+        out += content;
+        addStyle('STRIKETHROUGH', startOut, out.length);
+        i = end + 2;
+        continue;
+      }
+    }
+
+    // ── Italic  *text*  (single star, not part of **) ─────────────────
+    if (
+      s[i] === '*' &&
+      s[i + 1] !== '*' &&
+      s[i + 1] !== ' ' &&
+      s[i + 1] !== undefined
+    ) {
+      const end = findClosingStar(s, i + 1);
+      if (end !== -1) {
+        const content = s.slice(i + 1, end);
+        const startOut = out.length;
+        out += content;
+        addStyle('ITALIC', startOut, out.length);
+        i = end + 1;
+        continue;
+      }
+    }
+
+    // ── Italic  _text_  (only at word boundaries) ──────────────────────
+    if (s[i] === '_' && s[i + 1] !== '_' && s[i + 1] !== ' ' && s[i + 1]) {
+      // Guard against snake_case: only treat as italic when preceded by a
+      // non-word character (or start of string).
+      const prevChar = i > 0 ? s[i - 1] : '';
+      if (!/\w/.test(prevChar)) {
+        const end = findClosingUnderscore(s, i + 1);
+        if (end !== -1) {
+          const content = s.slice(i + 1, end);
+          const startOut = out.length;
+          out += content;
+          addStyle('ITALIC', startOut, out.length);
+          i = end + 1;
+          continue;
+        }
+      }
+    }
+
+    // ── ATX Heading  ## text → text (as BOLD) ─────────────────────────
+    if ((i === 0 || s[i - 1] === '\n') && s[i] === '#') {
+      let j = i;
+      while (j < n && s[j] === '#') j++;
+      if (j < n && s[j] === ' ') {
+        const lineEnd = s.indexOf('\n', j + 1);
+        const headingText =
+          lineEnd !== -1 ? s.slice(j + 1, lineEnd) : s.slice(j + 1);
+        const startOut = out.length;
+        out += headingText;
+        addStyle('BOLD', startOut, out.length);
+        if (lineEnd !== -1) {
+          out += '\n';
+          i = lineEnd + 1;
+        } else i = n;
+        continue;
+      }
+    }
+
+    // ── Links  [text](url) → text (url) ───────────────────────────────
+    if (s[i] === '[') {
+      const closeBracket = s.indexOf(']', i + 1);
+      if (closeBracket !== -1 && s[closeBracket + 1] === '(') {
+        const closeParen = s.indexOf(')', closeBracket + 2);
+        if (closeParen !== -1) {
+          const linkText = s.slice(i + 1, closeBracket);
+          const url = s.slice(closeBracket + 2, closeParen);
+          out += `${linkText} (${url})`;
+          i = closeParen + 1;
+          continue;
+        }
+      }
+    }
+
+    // ── Horizontal rule  --- / *** / ___ ──────────────────────────────
+    if (i === 0 || s[i - 1] === '\n') {
+      const hrMatch = /^(-{3,}|\*{3,}|_{3,}) *(\n|$)/.exec(s.slice(i));
+      if (hrMatch) {
+        i += hrMatch[0].length;
+        continue;
+      }
+    }
+
+    // ── Default: copy character, preserving surrogate pairs ───────────
+    const code = s.charCodeAt(i);
+    if (code >= 0xd800 && code <= 0xdbff && i + 1 < n) {
+      out += s[i] + s[i + 1];
+      i += 2;
+    } else {
+      out += s[i];
+      i++;
+    }
+  }
+
+  return { text: out, textStyle };
+}
+
+// ---------------------------------------------------------------------------
+// Helpers for parseSignalStyles
+// ---------------------------------------------------------------------------
+
+/** Find the position of a closing single `*` that isn't part of `**`. */
+function findClosingStar(s: string, from: number): number {
+  for (let i = from; i < s.length; i++) {
+    if (s[i] === '\n') return -1; // italics don't span lines
+    if (s[i] === '*' && s[i + 1] !== '*' && s[i - 1] !== ' ') return i;
+  }
+  return -1;
+}
+
+/** Find the closing `_` that isn't part of `__` and is at a word boundary. */
+function findClosingUnderscore(s: string, from: number): number {
+  for (let i = from; i < s.length; i++) {
+    if (s[i] === '\n') return -1;
+    if (s[i] === '_' && s[i + 1] !== '_' && !/\w/.test(s[i + 1] ?? '')) {
+      return i;
+    }
+  }
+  return -1;
+}
+
+// ---------------------------------------------------------------------------
+// Marker-substitution helpers (WhatsApp / Telegram / Slack)
+// ---------------------------------------------------------------------------
+
+interface Segment {
+  content: string;
+  protected: boolean;
+}
+
+/**
+ * Split text into alternating unprotected/protected segments.
+ * Protected = fenced code blocks (```...```) and inline code (`...`).
+ */
+function splitProtectedRegions(text: string): Segment[] {
+  const segments: Segment[] = [];
+  const CODE_PATTERN = /```[\s\S]*?```|`[^`\n]+`/g;
+
+  let lastIndex = 0;
+  let match: RegExpExecArray | null;
+
+  while ((match = CODE_PATTERN.exec(text)) !== null) {
+    if (match.index > lastIndex) {
+      segments.push({
+        content: text.slice(lastIndex, match.index),
+        protected: false,
+      });
+    }
+    segments.push({ content: match[0], protected: true });
+    lastIndex = match.index + match[0].length;
+  }
+
+  if (lastIndex < text.length) {
+    segments.push({ content: text.slice(lastIndex), protected: false });
+  }
+
+  return segments.length > 0 ? segments : [{ content: text, protected: false }];
+}
+
+/** Apply marker-substitution transformations to a non-code segment. */
+function transformSegment(text: string, channel: ChannelType): string {
+  let t = text;
+
+  // Order matters: italic before bold.
+  // The italic regex won't match **bold** (it requires the char after the opening *
+  // to be a non-* non-space), so running italic first is safe.  If we ran bold
+  // first (**bold** → *bold*), the italic step would immediately re-convert *bold*
+  // to _bold_, producing wrong output.
+
+  // 1. Italic: *text* → _text_ (whatsapp/telegram/slack use _)
+  t = t.replace(/(?<!\*)\*(?=[^\s*])([^*\n]+?)(?<=[^\s*])\*(?!\*)/g, '_$1_');
+
+  // 2. Bold: **text** → *text* (whatsapp/telegram/slack use single *)
+  t = t.replace(/\*\*(?=[^\s*])([^*]+?)(?<=[^\s*])\*\*/g, '*$1*');
+
+  // 3. Headings: ## Title → *Title* (any level, line-start only)
+  t = t.replace(/^#{1,6}\s+(.+)$/gm, '*$1*');
+
+  // 4. Links
+  if (channel === 'slack') {
+    t = t.replace(/\[([^\]]+)\]\(([^)]+)\)/g, '<$2|$1>');
+  } else {
+    t = t.replace(/\[([^\]]+)\]\(([^)]+)\)/g, '$1 ($2)');
+  }
+
+  // 5. Horizontal rules: strip them
+  t = t.replace(/^(-{3,}|\*{3,}|_{3,})$/gm, '');
+
+  return t;
+}