switchroom 0.10.0 → 0.11.0

package/dist/cli/switchroom.js

@@ -22860,6 +22860,7 @@ function generateCompose(opts) {
   }
   for (const c of authConsumers) {
     lines.push(`  auth-broker-${c.name}-sock:`);
+    lines.push(`    name: auth-broker-${c.name}-sock`);
   }
   lines.push("");
   return lines.join(`
@@ -25660,17 +25661,22 @@ function checkHindsightConsumer(config, opts) {
 ` + "then run `switchroom apply` to bind the per-consumer socket."
     };
   }
-  const socketProbe = opts?.socketProbe ?? ((p) => existsSync22(p));
-  const home2 = process.env.HOME ?? "";
-  const dockerVolPath = `/var/lib/docker/volumes/switchroom_auth-broker-hindsight-sock/_data/sock`;
-  const altVolPath = join17(home2, ".local", "share", "docker", "volumes", "switchroom_auth-broker-hindsight-sock", "_data", "sock");
-  const present = socketProbe(dockerVolPath) || socketProbe(altVolPath);
-  if (!present) {
+  const probe2 = opts?.socketProbe ?? probeAuthBrokerSocket;
+  const state = probe2(entry.name);
+  if (state === "unreachable") {
+    return {
+      name: "hindsight consumer",
+      status: "warn",
+      detail: `auth.consumers[hindsight] -> ${entry.account} (uid ${entry.uid ?? 0}); ` + `couldn't query auth-broker container (not running / docker unavailable)`,
+      fix: "Check `auth-broker: service health` row above; if the broker is " + "down, `switchroom apply` will bring it back and bind the socket."
+    };
+  }
+  if (state === "missing") {
     return {
       name: "hindsight consumer",
       status: "warn",
-      detail: `auth.consumers[hindsight] -> ${entry.account} (uid ${entry.uid ?? 0}); ` + `socket not yet bound on disk`,
-      fix: "Run `switchroom apply` to bring up the auth-broker singleton " + "and bind the per-consumer socket. The hindsight container will " + "fetch credentials from it via `get-credentials` at boot."
+      detail: `auth.consumers[hindsight] -> ${entry.account} (uid ${entry.uid ?? 0}); ` + `auth-broker is running but socket not bound at /run/switchroom/auth-broker/${entry.name}/sock`,
+      fix: "Run `switchroom apply` to refresh compose and rebind per-consumer sockets."
     };
   }
   return {
@@ -25679,6 +25685,17 @@ function checkHindsightConsumer(config, opts) {
     detail: `auth.consumers[hindsight] -> ${entry.account} (uid ${entry.uid ?? 0})`
   };
 }
+function probeAuthBrokerSocket(consumerName) {
+  const containerPath = `/run/switchroom/auth-broker/${consumerName}/sock`;
+  const r = spawnSync3("docker", ["exec", "switchroom-auth-broker", "test", "-S", containerPath], { stdio: "pipe", timeout: 3000 });
+  if (r.error || r.status === null)
+    return "unreachable";
+  if (r.status === 0)
+    return "present";
+  if (r.status >= 125)
+    return "unreachable";
+  return "missing";
+}
 async function checkHindsight(config) {
   const memoryBackend = config.memory?.backend;
   if (memoryBackend !== "hindsight") {
@@ -27911,14 +27928,14 @@ var init_oauth = __esm(() => {
 
 // src/drive/grants.ts
 function scopeFor(target, action) {
-  const writePrefix = action === "write" ? "write:" : "";
+  const actionPrefix = action === "read" ? "" : `${action}:`;
   switch (target.kind) {
     case "all":
-      return `doc:gdrive:${writePrefix}**`;
+      return `doc:gdrive:${actionPrefix}**`;
     case "folder":
-      return `doc:gdrive:${writePrefix}folder/${target.folder_id}/**`;
+      return `doc:gdrive:${actionPrefix}folder/${target.folder_id}/**`;
     case "doc":
-      return `doc:gdrive:${writePrefix}${target.doc_id}`;
+      return `doc:gdrive:${actionPrefix}${target.doc_id}`;
   }
 }
 
@@ -45296,8 +45313,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.10.0";
-var COMMIT_SHA = "a0ee1201";
+var VERSION = "0.11.0";
+var COMMIT_SHA = "abff20c7";
 
 // src/cli/deprecated.ts
 init_source();
@@ -47207,6 +47224,7 @@ Don't wait for a slash command. Don't ask permission. Memory work is table stake
 }
 var DOCKER_TELEGRAM_PLUGIN_PATH = "/opt/switchroom/telegram-plugin";
 var DOCKER_HOOKS_PATH = `${DOCKER_TELEGRAM_PLUGIN_PATH}/hooks`;
+var DOCKER_BUNDLED_HOOKS_PATH = "/opt/switchroom/hooks";
 var DOCKER_BIN_PATH = "/opt/switchroom/bin";
 var DOCKER_CONFIG_PATH = "/state/config/switchroom.yaml";
 function scaffoldAgent(name, agentConfigRaw, agentsDir, telegramConfig, switchroomConfig, userIdOverride, switchroomConfigPath) {
@@ -47735,6 +47753,16 @@ function buildSettingsHooksBlock(p) {
         }
       ]
     },
+    {
+      matcher: "^mcp__google-workspace__",
+      hooks: [
+        {
+          type: "command",
+          command: wrap("hook:drive-write-pretool", `node "${join8(DOCKER_BUNDLED_HOOKS_PATH, "drive-write-pretool.mjs")}"`),
+          timeout: 5 * 60 + 30
+        }
+      ]
+    },
     {
       hooks: [
         {
@@ -47757,7 +47785,7 @@ function buildSettingsHooksBlock(p) {
       ]
     },
     {
-      matcher: ".*",
+      matcher: "^(Edit|MultiEdit|Write|NotebookEdit|Bash|mcp__.*)$",
       hooks: [
         {
           type: "command",
@@ -64973,6 +65001,8 @@ var HINDSIGHT_DEFAULT_MAX_OBSERVATIONS_PER_SCOPE = 1000;
 var HINDSIGHT_CONSUMER_NAME = "hindsight";
 var HINDSIGHT_DEFAULT_UID = 11000;
 var HINDSIGHT_IMAGE = "ghcr.io/switchroom/switchroom-hindsight:latest";
+var HINDSIGHT_DEFAULT_MODEL = "claude-sonnet-4-6";
+var HINDSIGHT_DEFAULT_MCP_STATELESS = true;
 var HINDSIGHT_BROKER_SOCK_VOLUME = `auth-broker-${HINDSIGHT_CONSUMER_NAME}-sock`;
 function isPortFree(port) {
   return new Promise((resolve28) => {
@@ -65040,7 +65070,11 @@ function startHindsight(ports) {
     "-e",
     `HINDSIGHT_API_MAX_OBSERVATIONS_PER_SCOPE=${HINDSIGHT_DEFAULT_MAX_OBSERVATIONS_PER_SCOPE}`,
     "-e",
-    "HINDSIGHT_API_LLM_PROVIDER=claude-code"
+    "HINDSIGHT_API_LLM_PROVIDER=claude-code",
+    "-e",
+    `HINDSIGHT_API_LLM_MODEL=${HINDSIGHT_DEFAULT_MODEL}`,
+    "-e",
+    `HINDSIGHT_API_MCP_STATELESS=${HINDSIGHT_DEFAULT_MCP_STATELESS}`
   ];
   const args = [
     "run",
@@ -65058,7 +65092,7 @@ function startHindsight(ports) {
     "-v",
     `${HINDSIGHT_BROKER_SOCK_VOLUME}:/run/switchroom/auth-broker`,
     "--tmpfs",
-    "/run/claude-creds:rw,mode=0700",
+    `/run/claude-creds:rw,mode=0700,uid=${HINDSIGHT_DEFAULT_UID},gid=${HINDSIGHT_DEFAULT_UID}`,
     ...envArgs,
     HINDSIGHT_IMAGE
   ];
@@ -65093,11 +65127,13 @@ function generateHindsightComposeSnippet() {
     "    environment:",
     `      - HINDSIGHT_API_MAX_OBSERVATIONS_PER_SCOPE=${HINDSIGHT_DEFAULT_MAX_OBSERVATIONS_PER_SCOPE}`,
     "      - HINDSIGHT_API_LLM_PROVIDER=claude-code",
+    `      - HINDSIGHT_API_LLM_MODEL=${HINDSIGHT_DEFAULT_MODEL}`,
+    `      - HINDSIGHT_API_MCP_STATELESS=${HINDSIGHT_DEFAULT_MCP_STATELESS}`,
     "    volumes:",
     "      - switchroom-hindsight-data:/home/hindsight/.pg0",
     `      - ${HINDSIGHT_BROKER_SOCK_VOLUME}:/run/switchroom/auth-broker`,
     "    tmpfs:",
-    "      - /run/claude-creds:rw,mode=0700",
+    `      - /run/claude-creds:rw,mode=0700,uid=${HINDSIGHT_DEFAULT_UID},gid=${HINDSIGHT_DEFAULT_UID}`,
     "    restart: unless-stopped",
     "",
     "volumes:",
@@ -72574,10 +72610,109 @@ function registerMigrateCommand(program3) {
 // src/cli/hostd.ts
 init_source();
 init_helpers();
-import { existsSync as existsSync65, mkdirSync as mkdirSync35, readdirSync as readdirSync26, writeFileSync as writeFileSync31, statSync as statSync26, copyFileSync as copyFileSync11 } from "node:fs";
+import { existsSync as existsSync65, mkdirSync as mkdirSync35, readdirSync as readdirSync26, readFileSync as readFileSync57, writeFileSync as writeFileSync31, statSync as statSync26, copyFileSync as copyFileSync11 } from "node:fs";
+import { homedir as homedir28 } from "node:os";
+import { join as join54 } from "node:path";
+import { spawnSync as spawnSync9 } from "node:child_process";
+
+// src/host-control/audit-reader.ts
 import { homedir as homedir27 } from "node:os";
 import { join as join53 } from "node:path";
-import { spawnSync as spawnSync9 } from "node:child_process";
+function defaultAuditLogPath2(home2 = homedir27()) {
+  return join53(home2, ".switchroom", "host-control-audit.log");
+}
+function parseAuditLine2(line) {
+  const trimmed = line.trim();
+  if (trimmed.length === 0)
+    return null;
+  let obj;
+  try {
+    obj = JSON.parse(trimmed);
+  } catch {
+    return null;
+  }
+  if (typeof obj !== "object" || obj === null)
+    return null;
+  const o = obj;
+  if (typeof o.ts !== "string" || typeof o.op !== "string")
+    return null;
+  if (typeof o.request_id !== "string" || typeof o.result !== "string")
+    return null;
+  if (typeof o.duration_ms !== "number")
+    return null;
+  const callerRaw = o.caller;
+  let caller;
+  if (callerRaw && callerRaw.kind === "agent" && typeof callerRaw.name === "string") {
+    caller = { kind: "agent", name: callerRaw.name };
+  } else if (callerRaw && callerRaw.kind === "operator") {
+    caller = { kind: "operator" };
+  } else {
+    return null;
+  }
+  const exit_code = o.exit_code === null || typeof o.exit_code === "number" ? o.exit_code : null;
+  const entry = {
+    ts: o.ts,
+    op: o.op,
+    caller,
+    request_id: o.request_id,
+    result: o.result,
+    exit_code,
+    duration_ms: o.duration_ms
+  };
+  if (typeof o.error === "string")
+    entry.error = o.error;
+  return entry;
+}
+function filterEntries(entries, filters) {
+  return entries.filter((e) => {
+    if (filters.agent != null) {
+      if (e.caller.kind !== "agent")
+        return false;
+      if (e.caller.name !== filters.agent)
+        return false;
+    }
+    if (filters.op != null && e.op !== filters.op)
+      return false;
+    if (filters.errorOnly) {
+      if (e.result !== "error" && e.result !== "denied")
+        return false;
+    }
+    return true;
+  });
+}
+function readAndFilter(raw, filters, limit) {
+  const lines = raw.split(`
+`);
+  const parsed = [];
+  for (const line of lines) {
+    const e = parseAuditLine2(line);
+    if (e != null)
+      parsed.push(e);
+  }
+  const filtered = filterEntries(parsed, filters);
+  return filtered.slice(-Math.max(1, limit));
+}
+function shortCaller(caller) {
+  return caller.kind === "agent" ? caller.name : "operator";
+}
+function shortTs(ts) {
+  return ts.replace("T", " ").replace(/\.\d+Z$/, "").slice(0, 19);
+}
+function formatForCli(entries) {
+  const out = [];
+  for (const e of entries) {
+    const ts = shortTs(e.ts).padEnd(20);
+    const caller = shortCaller(e.caller).padEnd(15);
+    const op = e.op.padEnd(16);
+    const result = e.result.padEnd(10);
+    const exit = e.exit_code == null ? "  -" : String(e.exit_code).padStart(3);
+    const ms = `${e.duration_ms}ms`.padStart(8);
+    out.push(`${ts} ${caller} ${op} ${result} ${exit} ${ms}`);
+  }
+  return out;
+}
+
+// src/cli/hostd.ts
 var DEFAULT_IMAGE_TAG = "latest";
 var HOSTD_COMPOSE_PROJECT = "switchroom-hostd";
 function renderHostdComposeFile(opts) {
@@ -72660,10 +72795,10 @@ networks:
 `;
 }
 function hostdDir() {
-  return join53(homedir27(), ".switchroom", "hostd");
+  return join54(homedir28(), ".switchroom", "hostd");
 }
 function hostdComposePath() {
-  return join53(hostdDir(), "docker-compose.yml");
+  return join54(hostdDir(), "docker-compose.yml");
 }
 function backupExistingCompose() {
   const p = hostdComposePath();
@@ -72702,7 +72837,7 @@ async function doInstall(opts, program3) {
   const composePath = hostdComposePath();
   mkdirSync35(dir, { recursive: true });
   const yaml = renderHostdComposeFile({
-    hostHome: homedir27(),
+    hostHome: homedir28(),
     imageTag: opts.tag ?? DEFAULT_IMAGE_TAG
   });
   if (opts.dryRun) {
@@ -72770,7 +72905,7 @@ function doStatus() {
       for (const name of readdirSync26(dir)) {
         if (name === "docker-compose.yml" || name.startsWith("docker-compose.yml."))
           continue;
-        const sockPath = join53(dir, name, "sock");
+        const sockPath = join54(dir, name, "sock");
         if (existsSync65(sockPath)) {
           const st = statSync26(sockPath);
           if ((st.mode & 61440) === 49152) {
@@ -72812,6 +72947,48 @@ function registerHostdCommand(program3) {
   }));
   hostd.command("status").description("Show daemon state and bound sockets").action(() => doStatus());
   hostd.command("uninstall").description("Stop the hostd container. Leaves the compose file in place for re-install.").action(() => doUninstall());
+  hostd.command("audit").description("Tail and filter the hostd audit log (privileged-verb call history)").option("--tail <n>", "Number of matching entries to show (default: 50)", "50").option("--agent <name>", "Filter to a specific caller agent").option("--op <verb>", "Filter to a specific hostd verb (e.g. update_apply, agent_restart)").option("--error", "Show only failed (error/denied) entries").option("--path <file>", "Override audit log path (for debugging)").action((opts) => {
+    const logPath = opts.path ?? defaultAuditLogPath2();
+    if (!existsSync65(logPath)) {
+      console.error(source_default.yellow(`Audit log not found at ${logPath}.`) + source_default.gray(`
+The log is created when hostd handles its first privileged-verb request.`));
+      return;
+    }
+    const raw = readFileSync57(logPath, "utf-8");
+    const limit = Math.max(1, parseInt(opts.tail ?? "50", 10) || 50);
+    const filters = {
+      agent: opts.agent,
+      op: opts.op,
+      errorOnly: !!opts.error
+    };
+    const entries = readAndFilter(raw, filters, limit);
+    if (entries.length === 0) {
+      const parts = [];
+      if (opts.agent)
+        parts.push(`agent=${opts.agent}`);
+      if (opts.op)
+        parts.push(`op=${opts.op}`);
+      if (opts.error)
+        parts.push("errors-only");
+      const desc = parts.length > 0 ? ` matching ${parts.join(", ")}` : "";
+      console.log(source_default.dim(`No hostd audit entries${desc}.`));
+      return;
+    }
+    const header = "ts".padEnd(20) + " " + "caller".padEnd(15) + " " + "op".padEnd(16) + " " + "result".padEnd(10) + " " + "exit".padStart(3) + " " + "dur".padStart(8);
+    console.log(source_default.dim(header));
+    console.log(source_default.dim("\u2500".repeat(header.length)));
+    for (const line of formatForCli(entries)) {
+      if (line.includes(" error ") || line.includes(" denied ")) {
+        console.log(source_default.red(line));
+      } else if (line.includes(" started ")) {
+        console.log(source_default.yellow(line));
+      } else {
+        console.log(line);
+      }
+    }
+    console.log();
+    console.log(source_default.dim(`${entries.length} entr${entries.length === 1 ? "y" : "ies"} shown` + (entries.length === limit ? ` (--tail ${limit})` : "") + `  \u00b7  log: ${logPath}`));
+  });
 }
 
 // src/cli/index.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.10.0",
+  "version": "0.11.0",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/telegram-plugin/admin-commands/dispatch.test.ts

@@ -41,7 +41,7 @@ describe('parseCommandName', () => {
 
 describe('ADMIN_COMMAND_NAMES', () => {
   it('contains the fleet-management admin commands', () => {
-    const required = ['agents', 'logs', 'restart', 'update', 'reconcile', 'stop', 'agentstart', 'grant', 'dangerous', 'permissions', 'vault']
+    const required = ['agents', 'logs', 'restart', 'update', 'reconcile', 'stop', 'agentstart', 'grant', 'dangerous', 'permissions', 'vault', 'audit']
     for (const cmd of required) {
       expect(ADMIN_COMMAND_NAMES.has(cmd)).toBe(true)
     }

package/telegram-plugin/admin-commands/index.ts

@@ -61,6 +61,8 @@ export const ADMIN_COMMAND_NAMES = new Set<string>([
   // Per-agent ops that read shared fleet state via the switchroom CLI
   'memory',
   'topics',
+  // Observability of privileged-verb history
+  'audit',
 ])
 
 /**