☕ chore: fix all Biome lint errors, base on dev branch

[Copilot]

bun run lint (Biome) was failing with 14 errors across the codebase. This branch is rebased onto dev (which introduced Biome + CI lint job) and resolves all blocking errors.

Auto-fixed (74 files)

• Template literals over string concatenation (useTemplate)
• Unused imports/variables
• Node.js import protocol (useNodejsImportProtocol)
• General formatting

Manual fixes

noImplicitAnyLet — added explicit type annotations to untyped let declarations:

// packages/delegation/src/compat.ts
let provider: Provider;

// packages/delegation/src/runner.ts
let response: LLMResponse;

// src/web/src/server.ts (×7)
let body: unknown;

noAssignInExpressions — refactored assignment-in-condition while loops in packages/shield/src/parser.ts:

// Before
while ((match = codeBlockRegex.exec(content)) !== null) { ... }

// After
let match = codeBlockRegex.exec(content);
while (match !== null) {
  ...
  match = codeBlockRegex.exec(content);
}

noMisleadingCharacterClass — suppressed with biome-ignore on intentional emoji Unicode range regex in packages/compactor/src/rules.ts (combining chars are required for ZWJ/variation selector matching).

noControlCharactersInRegex — suppressed with biome-ignore on ANSI escape stripping regex in src/web/tests/server.test.ts.

useIterableCallbackReturn — changed implicit-return arrow to block body in packages/heartware/tests/soul-generator.test.ts.

Security fix

Resolved incomplete regex sanitization (js/incomplete-sanitization) in packages/shield/src/matcher.ts — the wildcard path regex was only escaping . and *, leaving other metacharacters unescaped in user-controlled input:

// Before: only escapes . and *
const regex = new RegExp(`^${expected.replace(/\./g, '\\.').replace(/\*/g, '[^.]+')}$`);

// After: escapes all regex metacharacters, then restores * as wildcard
const escaped = expected.replace(/[\\^$.*+?()[\]{}|]/g, '\\$&').replace(/\\\*/g, '[^.]+');
const regex = new RegExp(`^${escaped}$`);

Original prompt

Fix all the bun lint errors and usue the dev branch as the base code and PR sent to dev branch not main branch.

[Chronological Review: The conversation began with the user requesting to fix all errors in bun lint using biome and to create a pull request (PR) to the dev branch. The user then expressed concerns about the impact of GitHub Actions and rulesets on changelog modifications. They questioned whether it was appropriate to make changes directly to the main branch and noted that the PR still used old workflows despite Commit Lint being part of CI. The user acknowledged that the latest changes were still in the dev branch and mentioned moving the codebase to dev in the PR.]

[Intent Mapping:

1. "Fix all the bun lint errors and PR it to dev branch." - User wants to resolve linting issues and submit changes.
2. "Delegate to cloud agent." - User wants to assign the task to an automated agent.
3. "Will that affect it?" - User is concerned about the changelog modification process due to GitHub Actions rules.
4. "Is this the correct approach?" - User seeks validation on making changelog changes directly to the main branch.
5. "Commit Lint is now part of CI right?" - User is questioning the workflow consistency in the PR process.
6. "Noted." - User acknowledges the state of the dev branch.
7. "However that PR I move the code base to dev." - User indicates they have moved the codebase to the dev branch.]

[Technical Inventory:

• Tools: GitHub Actions, Bun Lint, Biome
• Concepts: Pull Requests, CI/CD workflows, changelog management, linting errors, branch rulesets.]

[Code Archaeology:

• No specific files or code changes were detailed in the conversation, but the focus was on resolving linting issues and managing changelog updates.]

[Progress Assessment:

• Completed Tasks: User has moved the codebase to the dev branch.
• Partially Complete Work: Fixing bun lint errors and creating a PR is pending. User is also seeking clarity on changelog modifications.]

[Context Validation: All critical information for continuation is captured, including user concerns about workflows and changelog management.]

[Recent Commands Analysis:

• Last Agent Commands: User requested to fix bun lint errors and delegate tasks to the cloud agent.
• Tool Results Summary: No specific tool results were provided, but the user is focused on resolving linting issues and managing changelog updates.
• Pre-Summary State: The agent was actively addressing user concerns about workflows and changelog modifications when the token budget was exceeded.
• Operation Context: The commands executed were directly related to the user's goals of fixing code issues and ensuring proper workflow management.]

1. Conversation Overview: - Primary Objectives: - "Fix all the bun lint errors and PR it to dev branch." - "Will that affect it?" - Concerns about changelog modifications. - "Is this the correct approach?" - Validation on changelog changes. - Session Context: The conversation focused on fixing linting errors, managing changelog updates, and ensuring proper CI workflows. - User Intent Evolution: The user transitioned from requesting fixes to expressing concerns about workflows and changelog management.

2. Technical Foundation:

• Bun Lint: A tool for identifying and fixing linting errors in code.
• Biome: A tool mentioned for linting purposes.
• GitHub Actions: Used for CI/CD processes and managing workflows.

3. Codebase Status:

• No specific files were detailed, but the focus was on resolving linting issues and managing changelog updates.

4. Problem Resolution:

• Issues Encountered: Concerns about the impact of GitHub Actions rules on changelog modifications.
• Solutions Implemented: User has moved the codebase to the dev branch.
• Debugging Context: Ongoing discussions about workflow consistency and changelog management.

5. Progress Tracking:

• Completed Tasks: User has moved the codebase to the dev branch.
• Partially Complete Work: Fixing bun lint errors and creating a PR is still pending.

6. Active Work State:

• Current Focus: Fixing bun lint errors and managing changelog updates.
• Recent Context: User expressed concerns about workflows and changelog modifications.
• Immediate Context: User was addressing the state of the dev branch and PR workflows.

7. Recent Operations:

• Last Agent Commands: User requested to fix bun lint errors and delegate tasks to the cloud agent.
• Tool Results Summary: No specific results were provided, but the focus remains on resolving linting issues.
• Pre-Summary State: The agent was addressing user concerns about workflows and changelog modifications.
• Operation Context: The commands executed were aimed at fixing code issues and ensuring proper workflow management.

8. Continuation Plan:

• [Pending Task 1]: Fix all bun lint errors and create a PR to the dev branch.
• [Pending Task 2]: Validate the approach to changelog modifications in relation to GitHub Actions rule...

Created from VS Code.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[github-actions]

📦 Package Build Flow — Monorepo Build

🔀 Pull Request Build — Pre-release package for testing PR changes

Package	Version	Status	Install
@tinyclaw/plugins	2.0.0-patch.ac44432	✅ Published	npm i @tinyclaw/plugins@2.0.0-patch.ac44432
@tinyclaw/types	2.0.0-patch.ac44432	✅ Published	npm i @tinyclaw/types@2.0.0-patch.ac44432
tinyclaw	2.0.0-patch.ac44432	✅ Published	npm i tinyclaw@2.0.0-patch.ac44432
@tinyclaw/plugin-channel-discord	2.0.0-patch.ac44432	✅ Published	npm i @tinyclaw/plugin-channel-discord@2.0.0-patch.ac44432
@tinyclaw/plugin-channel-friends	2.0.0-patch.ac44432	✅ Published	npm i @tinyclaw/plugin-channel-friends@2.0.0-patch.ac44432
@tinyclaw/plugin-provider-openai	2.0.0-patch.ac44432	✅ Published	npm i @tinyclaw/plugin-provider-openai@2.0.0-patch.ac44432

📥 Quick Install (changed packages)

npm i @tinyclaw/types@2.0.0-patch.ac44432 @tinyclaw/plugins@2.0.0-patch.ac44432 @tinyclaw/plugin-channel-discord@2.0.0-patch.ac44432 @tinyclaw/plugin-channel-friends@2.0.0-patch.ac44432 @tinyclaw/plugin-provider-openai@2.0.0-patch.ac44432 tinyclaw@2.0.0-patch.ac44432

---

This package was built automatically by the Package Build Flow action.

[Copilot]

Pull request overview

This PR rebases onto dev and resolves Biome (bun run lint) failures across the repository, primarily via automated formatting/import fixes plus a few manual refactors and targeted lint suppressions.

Changes:

• Replace bare Node.js stdlib imports (fs, path, crypto, etc.) with node: protocol equivalents and clean up unused imports/vars.
• Refactor lint-triggering patterns (e.g., assignment-in-condition loops, implicit any in let declarations) and adjust tests/code formatting.
• Fix wildcard-path regex escaping in packages/shield/src/matcher.ts and add a couple of biome-ignore suppressions for intentional regex patterns.

Reviewed changes

Copilot reviewed 74 out of 74 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/web/vite.config.ts	Use node:path import protocol.
src/web/tests/server.test.ts	Adjust ANSI stripping regex + minor test variable changes.
src/web/tests/security-db.test.ts	Template literals + optional chaining adjustment in assertion.
src/web/tests/main.test.ts	Remove unused test hooks/imports.
src/web/src/server.ts	Use node: stdlib imports; add explicit unknown typing for request bodies; rename unused catch vars.
src/web/src/security-db.ts	Use node: stdlib imports.
src/landing/vite.config.ts	Use node:path import protocol.
src/cli/tests/ui/banner.test.ts	Remove unused jest import from bun:test usage.
src/cli/tests/purge.test.ts	Use node: stdlib imports.
src/cli/tests/config.test.ts	Use node:path import protocol.
src/cli/tests/commands/start.test.ts	Remove unused jest import; minor numeric NaN check tweak.
src/cli/tests/commands/setup.test.ts	Remove unused jest import; NaN check + small boolean simplifications.
src/cli/tests/commands/backup.test.ts	Convert string concatenations to template literals.
src/cli/tests/cli-router.test.ts	Use node:path import protocol.
src/cli/src/ui/banner.ts	Convert concatenations to template literals.
src/cli/src/supervisor.ts	Use node:child_process import protocol.
src/cli/src/index.ts	Convert concatenations to template literals.
src/cli/src/commands/start.ts	Use node: stdlib imports; adjust unused types/vars; minor optional-call change.
src/cli/src/commands/setup.ts	Use node: stdlib imports; convert concatenations to template literals.
src/cli/src/commands/setup-web.ts	Use node: stdlib imports.
src/cli/src/commands/seed.ts	Use node: stdlib imports.
src/cli/src/commands/purge.ts	Use node: stdlib imports; convert concatenations to template literals.
src/cli/src/commands/config.ts	Convert concatenations to template literals.
src/cli/src/commands/backup.ts	Use node: dynamic imports; convert concatenations to template literals; minor null-safe trim.
plugins/channel/plugin-channel-friends/src/tools.ts	Prefer Number.isNaN.
plugins/channel/plugin-channel-friends/src/server.ts	Optional chaining on Map access in SSE push client management.
plugins/channel/plugin-channel-friends/src/index.ts	Use node: stdlib imports.
plugins/channel/plugin-channel-discord/tests/index.test.ts	Optional-call when invoking plugin pairing tools.
packages/shield/tests/parser.test.ts	Replace non-null assertions with optional chaining in expectations.
packages/shield/src/parser.ts	Refactor regex exec loop to avoid assignment-in-condition; prefer Number.isNaN.
packages/shield/src/matcher.ts	Harden wildcard path regex escaping; template literals for domain suffix matching.
packages/shell/tests/executor.test.ts	Use node: stdlib imports.
packages/shell/src/permissions.ts	Template literals in string/regex construction.
packages/sandbox/src/index.ts	Use node: stdlib imports.
packages/nudge/tests/nudge.test.ts	Remove unused mock import; optional chaining on handler list.
packages/memory/tests/memory-engine.test.ts	Use node: stdlib imports; replace non-null assertions with optional chaining in expectations.
packages/matcher/tests/matcher.test.ts	Replace non-null assertions with optional chaining in expectations.
packages/learning/src/index.ts	Use node: stdlib imports; rename unused params/catch vars.
packages/intercom/tests/intercom.test.ts	Replace non-null assertions with optional chaining in expectations.
packages/intercom/src/index.ts	Rename unused sequence var (still unused).
packages/heartware/tests/soul-generator.test.ts	Use node: stdlib imports; adjust forEach callback body.
packages/heartware/tests/meta.test.ts	Use node: stdlib imports; update require to node:fs.
packages/heartware/src/tools.ts	Rename unused catch vars.
packages/heartware/src/soul-traits.ts	Remove unused type import.
packages/heartware/src/soul-generator.ts	Use node:crypto import protocol.
packages/heartware/src/sandbox.ts	Use node:path import protocol.
packages/heartware/src/meta.ts	Use node: stdlib imports; template literal for truncation marker.
packages/heartware/src/manager.ts	Use node: stdlib imports; rename unused catch vars.
packages/heartware/src/loader.ts	Remove unused import; rename unused catch vars.
packages/heartware/src/backup.ts	Use node: stdlib imports; rename unused catch vars.
packages/heartware/src/audit.ts	Use node: stdlib imports; template literals for log lines; rename unused catch vars.
packages/delegation/tests/*	Replace non-null assertions with optional chaining in expectations; node: stdlib imports where applicable.
packages/delegation/src/types.ts	Remove unused type import.
packages/delegation/src/tools.ts	Remove/rename unused imports/constants/functions to satisfy lint.
packages/delegation/src/templates.ts	Remove unused type import.
packages/delegation/src/runner.ts	Add explicit LLMResponse typing; rename unused function.
packages/delegation/src/orientation.ts	Template literal for truncation.
packages/delegation/src/lifecycle.ts	Remove unused type imports.
packages/delegation/src/compat.ts	Add explicit Provider typing for previously implicit any.
packages/delegation/src/background.ts	Remove unused type imports.
packages/core/tests/update-checker.test.ts	Use node: stdlib imports; replace non-null assertions with optional chaining in expectations.
packages/core/src/update-checker.ts	Prefer Number.isNaN.
packages/core/src/loop.ts	Remove unused type import; rename unused locals.
packages/core/src/database.ts	Use node: stdlib imports; rename unused locals; template literal concat tweak.
packages/config/src/tools.ts	Prefer Number.isNaN.
packages/compactor/tests/compactor.test.ts	Use node: stdlib imports; replace non-null assertions with optional chaining in expectations.
packages/compactor/src/rules.ts	Add Biome ignore for intentional emoji regex; template literals.
packages/compactor/src/optimizer.ts	Rename unused regex constant; template literal concat tweak.
packages/compactor/src/dictionary.ts	Template literal concat tweak.

[Copilot]

These prepared statements are created (executing db.prepare) but never used. Besides being dead code, this adds unnecessary work during DB initialization. Either remove them or integrate them into the database API methods that need access-count updates / pruning.

[Copilot]

Inside the if (channel.sendToUser && channel.channelPrefix) guard, calling channel.sendToUser?.(...) is redundant and can hide unexpected state changes by silently doing nothing. Prefer calling the function directly after the guard so outbound sends fail loudly if the invariant is broken.

[Copilot]

In the primary-provider block, the configured primary fields (providers.primary.*) are fetched but not used to determine which plugin provider becomes primary. This can result in the primary-provider setting not being applied as intended (and a non-matching plugin provider being selected). Please wire the selection logic to the configured primary provider id/config, or remove these unused reads if primary-provider selection is intentionally not supported yet.

[Copilot]

createHybridMatcher() is called and stored, but the matcher instance is never used. This is extra startup work and can confuse readers about how matching is performed. Either wire the matcher into the routing/decision path, or remove the initialization entirely.

[Copilot]

This test asserts cookieMatch is non-null, but then uses optional chaining when building sessionCookie, which can produce tinyclaw_session=undefined if the expectation behavior ever changes (and it also weakens type intent). Prefer an explicit guard (e.g., throw if null) and then use the captured group directly.

[Copilot]

After ensuring a Set exists for username, using optional chaining on pushClients.get(username)?.add(...) can mask invariant breaks (the push client would silently not be tracked). Prefer storing the set in a local variable after initialization and adding to it deterministically.

[Copilot]

The comment says the sequence counter provides stable ordering when timestamps collide, but the incremented value (_seq) isn’t stored on the event or used anywhere. Either include the sequence on IntercomMessage and use it where ordering matters, or remove the counter/comment to avoid misleading behavior.

[github-actions]

🔥 Container Build Complete - Patch Build

Build Status: ✅ Success
Flow Type: patch
Description: Hotfix for production

---

📦 Pull Image

Docker Hub: docker pull warengonzaga/tinyclaw:patch-ac44432

GHCR: docker pull ghcr.io/warengonzaga/tinyclaw:patch-ac44432

---

📋 Build Details

Property	Value
Flow Type	patch
Commit	872cedc
Registry	Docker Hub + GHCR

🏷️ Image Tags

• warengonzaga/tinyclaw:patch-ac44432
• ghcr.io/warengonzaga/tinyclaw:patch-ac44432

---

🔍 Testing Your Changes

1. Pull the image using one of the commands above
2. Run the container with your test configuration
3. Verify the changes work as expected
4. Report any issues in this PR

---

🚀 Quick Start

# Pull and run the container
Docker Hub: docker pull warengonzaga/tinyclaw:patch-ac44432
docker run <your-options> <image>

---

---

🔒 Security Scan Results

📋 Pre-Build Security Checks

✅ Source Code Scan: 0 vulnerabilities found
✅ Dockerfile Scan: 0 misconfigurations found

🐳 Container Image Vulnerabilities

Severity	Count
Total	0

📊 Detailed Security Reports

View detailed vulnerability reports in the GitHub Security tab.

---

_{🤖 Powered by Container Build Flow Action v1.2.0
💻 with ❤️ by Waren Gonzaga under WG Technology Labs, and Him 🙏}