switchroom 0.12.14 → 0.12.16

package/dist/cli/switchroom.js

@@ -21409,7 +21409,7 @@ function stripWireFields(entry) {
     files: entry.files
   };
 }
-var MAX_FRAME_BYTES, GetRequestSchema, PutRequestSchema, ListRequestSchema, MintGrantRequestSchema, ListGrantsRequestSchema, RevokeGrantRequestSchema, StatusRequestSchema, LockRequestSchema, PreflightAccessRequestSchema, OkPreflightAccessResponseSchema, ApprovalRequestRequestSchema, ApprovalLookupRequestSchema, ApprovalConsumeRequestSchema, ApprovalRevokeRequestSchema, ApprovalListRequestSchema, ApprovalDecisionModeSchema, ApprovalRecordRequestSchema, RequestSchema, VaultEntrySchema, ErrorCode, OkEntryResponseSchema, OkKeysResponseSchema, BrokerStatus, OkStatusResponseSchema, OkLockResponseSchema, OkPutResponseSchema, OkMintGrantResponseSchema, GrantMetaSchema, OkListGrantsResponseSchema, OkRevokeGrantResponseSchema, OkApprovalRequestResponseSchema, ApprovalDecisionMetaSchema, OkApprovalLookupResponseSchema, OkApprovalConsumeResponseSchema, OkApprovalRevokeResponseSchema, OkApprovalListResponseSchema, OkApprovalRecordResponseSchema, ErrorResponseSchema, ResponseSchema;
+var MAX_FRAME_BYTES, GetRequestSchema, PutRequestSchema, ListRequestSchema, MintGrantRequestSchema, ListGrantsRequestSchema, RevokeGrantRequestSchema, StatusRequestSchema, LockRequestSchema, PreflightAccessRequestSchema, OkPreflightAccessResponseSchema, ApprovalRequestRequestSchema, ApprovalLookupRequestSchema, ApprovalConsumeRequestSchema, ApprovalRevokeRequestSchema, ApprovalListRequestSchema, ApprovalDecisionModeSchema, ApprovalRecordRequestSchema, ApprovalConsumeRecordRequestSchema, RequestSchema, VaultEntrySchema, ErrorCode, OkEntryResponseSchema, OkKeysResponseSchema, BrokerStatus, OkStatusResponseSchema, OkLockResponseSchema, OkPutResponseSchema, OkMintGrantResponseSchema, GrantMetaSchema, OkListGrantsResponseSchema, OkRevokeGrantResponseSchema, OkApprovalRequestResponseSchema, ApprovalDecisionMetaSchema, OkApprovalLookupResponseSchema, OkApprovalConsumeResponseSchema, OkApprovalRevokeResponseSchema, OkApprovalListResponseSchema, OkApprovalRecordResponseSchema, OkApprovalConsumeRecordResponseSchema, ErrorResponseSchema, ResponseSchema;
 var init_protocol = __esm(() => {
   init_zod();
   MAX_FRAME_BYTES = 64 * 1024;
@@ -21537,6 +21537,15 @@ var init_protocol = __esm(() => {
     granted_by_user_id: exports_external.number().int(),
     ttl_ms: exports_external.number().int().positive().nullable().optional()
   });
+  ApprovalConsumeRecordRequestSchema = exports_external.object({
+    v: exports_external.literal(1),
+    op: exports_external.literal("approval_consume_record"),
+    request_id: exports_external.string().regex(/^[0-9a-f]{32}$/),
+    decision: ApprovalDecisionModeSchema,
+    approver_set: exports_external.array(exports_external.string()),
+    granted_by_user_id: exports_external.number().int(),
+    ttl_ms: exports_external.number().int().positive().nullable().optional()
+  });
   RequestSchema = exports_external.discriminatedUnion("op", [
     GetRequestSchema,
     PutRequestSchema,
@@ -21552,7 +21561,8 @@ var init_protocol = __esm(() => {
     ApprovalConsumeRequestSchema,
     ApprovalRevokeRequestSchema,
     ApprovalListRequestSchema,
-    ApprovalRecordRequestSchema
+    ApprovalRecordRequestSchema,
+    ApprovalConsumeRecordRequestSchema
   ]);
   VaultEntrySchema = exports_external.union([
     exports_external.object({ kind: exports_external.literal("string"), value: exports_external.string() }),
@@ -21674,6 +21684,15 @@ var init_protocol = __esm(() => {
     ok: exports_external.literal(true),
     decision_id: exports_external.string()
   });
+  OkApprovalConsumeRecordResponseSchema = exports_external.object({
+    ok: exports_external.literal(true),
+    consumed: exports_external.boolean(),
+    decision_id: exports_external.string().optional(),
+    agent_unit: exports_external.string().optional(),
+    scope: exports_external.string().optional(),
+    action: exports_external.string().optional(),
+    why: exports_external.string().nullable().optional()
+  });
   ErrorResponseSchema = exports_external.object({
     ok: exports_external.literal(false),
     code: ErrorCode,
@@ -21695,6 +21714,7 @@ var init_protocol = __esm(() => {
     OkApprovalRevokeResponseSchema,
     OkApprovalListResponseSchema,
     OkApprovalRecordResponseSchema,
+    OkApprovalConsumeRecordResponseSchema,
     ErrorResponseSchema
   ]);
 });
@@ -28282,12 +28302,240 @@ function runHostdChecks(config, deps = {}) {
 var HOSTD_CONTAINER = "switchroom-hostd", HOSTD_DRIFT_HOURS = 2;
 var init_doctor_hostd = () => {};
 
+// src/cli/doctor-secret-access.ts
+import {
+  accessSync,
+  constants as fsConstants4,
+  existsSync as existsSync46,
+  realpathSync as realpathSync4,
+  statSync as statSync20
+} from "node:fs";
+import { userInfo, homedir as homedir20 } from "node:os";
+import { join as join38 } from "node:path";
+function resolveVaultPath2(config) {
+  return config.vault?.path ? config.vault.path.replace(/^~/, process.env.HOME ?? "") : resolveStatePath("vault.enc");
+}
+function defaultStatVault(path4) {
+  if (!existsSync46(path4)) {
+    return { exists: false, readable: false, uid: -1, mode: 0, realPath: path4 };
+  }
+  let real = path4;
+  try {
+    real = realpathSync4(path4);
+  } catch {}
+  let uid = -1;
+  let mode = 0;
+  try {
+    const s = statSync20(real);
+    uid = s.uid;
+    mode = s.mode & 511;
+  } catch {
+    return { exists: true, readable: false, uid, mode, realPath: real };
+  }
+  let readable = false;
+  try {
+    accessSync(real, fsConstants4.R_OK);
+    readable = true;
+  } catch {
+    readable = false;
+  }
+  return { exists: true, readable, uid, mode, realPath: real };
+}
+function collectVaultRefs2(value, out) {
+  if (typeof value === "string") {
+    if (value.startsWith("vault:")) {
+      const key = value.slice("vault:".length).split("#")[0].trim();
+      if (key)
+        out.add(key);
+    }
+    return;
+  }
+  if (Array.isArray(value)) {
+    for (const v of value)
+      collectVaultRefs2(v, out);
+    return;
+  }
+  if (value && typeof value === "object") {
+    for (const v of Object.values(value)) {
+      collectVaultRefs2(v, out);
+    }
+  }
+}
+function collectNeeds(resolved) {
+  const cronKeys = new Set;
+  for (const entry of resolved.schedule ?? []) {
+    for (const s of entry.secrets ?? [])
+      cronKeys.add(s);
+  }
+  const refKeys = new Set;
+  collectVaultRefs2(resolved, refKeys);
+  return { needed: new Set([...cronKeys, ...refKeys]), cronKeys };
+}
+function keyGap(key, isCron, exists, acl, scope) {
+  const isGoogleSlot = key.startsWith("google:");
+  if (!isGoogleSlot && !exists)
+    return `'${key}' missing from the vault`;
+  if (isCron && !acl.allow) {
+    return `'${key}' (cron) \u2014 no static ACL grants read (${acl.reason})`;
+  }
+  if (!scope.allow) {
+    return `'${key}' \u2014 per-key scope denies read (${scope.reason})`;
+  }
+  return null;
+}
+async function defaultPreflight(socketPath, agent, keys) {
+  const r = await rpcRaw({ v: 1, op: "preflight_access", agent, keys }, { socket: socketPath, timeoutMs: 5000 });
+  if (r.kind === "unreachable")
+    return { kind: "unreachable", msg: r.msg };
+  const resp = r.resp;
+  if (resp.ok === true && resp.op === "preflight_access") {
+    return {
+      kind: "ok",
+      results: resp.results
+    };
+  }
+  if (resp.ok === false && resp.code === "LOCKED")
+    return { kind: "locked" };
+  return {
+    kind: "unreachable",
+    msg: resp.ok === false ? `broker error ${resp.code}: ${resp.msg}` : "unexpected broker response"
+  };
+}
+async function runSecretAccessChecks(config, deps = {}) {
+  const results = [];
+  const vaultPath = deps.vaultPath ?? resolveVaultPath2(config);
+  const statVault = deps.statVault ?? defaultStatVault;
+  const selfUid = deps.selfUid ?? (typeof process.getuid === "function" ? process.getuid() : -1);
+  let selfUser = deps.selfUser;
+  if (selfUser === undefined) {
+    try {
+      selfUser = userInfo().username;
+    } catch {
+      selfUser = "<you>";
+    }
+  }
+  const vf = statVault(vaultPath);
+  if (!vf.exists) {
+    results.push({
+      name: "vault: operator readable",
+      status: "ok",
+      detail: `vault file not present at ${vaultPath} \u2014 see the Vault section`
+    });
+  } else if (!vf.readable) {
+    results.push({
+      name: "vault: operator readable",
+      status: "fail",
+      detail: `${vf.realPath} is owned by uid ${vf.uid} (mode 0${vf.mode.toString(8)}) \u2014 ` + `the operator (uid ${selfUid} ${selfUser}) cannot read it, so every ` + `\`switchroom vault \u2026\` fails. The broker still works (CAP_DAC_READ_SEARCH), ` + `which masks this until you touch the vault directly.`,
+      fix: `sudo chown ${selfUser}:${selfUser} ${vf.realPath}`
+    });
+  } else {
+    results.push({
+      name: "vault: operator readable",
+      status: "ok",
+      detail: `operator can read ${vf.realPath}`
+    });
+  }
+  const pushAgentResult = (name, total, gaps) => {
+    results.push(gaps.length === 0 ? {
+      name: `secret access: ${name}`,
+      status: "ok",
+      detail: `${total} secret(s): all present + ACL ok`
+    } : {
+      name: `secret access: ${name}`,
+      status: "fail",
+      detail: `${gaps.length}/${total} unreachable \u2014 ${gaps.join("; ")}`,
+      fix: "`switchroom vault set <key>` for missing keys; " + "`switchroom vault set <key> --allow " + name + "` to grant this agent read access"
+    });
+  };
+  const passphrase = deps.passphrase ?? process.env.SWITCHROOM_VAULT_PASSPHRASE;
+  if (!passphrase) {
+    const sock = deps.brokerOperatorSocket ?? join38(homedir20(), ".switchroom", "broker-operator", "sock");
+    const preflight = deps.preflight ?? ((a, k) => defaultPreflight(sock, a, k));
+    for (const name of Object.keys(config.agents ?? {})) {
+      const resolved = resolveAgentConfig(config.defaults, config.profiles, config.agents[name]);
+      const { needed, cronKeys } = collectNeeds(resolved);
+      if (needed.size === 0) {
+        results.push({
+          name: `secret access: ${name}`,
+          status: "ok",
+          detail: "no declared vault secrets"
+        });
+        continue;
+      }
+      const out = await preflight(name, [...needed].sort());
+      if (out.kind === "unreachable" || out.kind === "locked") {
+        results.push({
+          name: "agent secret access",
+          status: "skip",
+          detail: out.kind === "locked" ? "vault-broker is locked \u2014 cron-secret existence/ACL unverified (re-run after it unlocks; it auto-unlocks on boot)" : `vault-broker operator socket unreachable (${out.msg}) and SWITCHROOM_VAULT_PASSPHRASE unset \u2014 cron-secret existence/ACL unverified`,
+          fix: "Ensure the broker operator socket (~/.switchroom/broker-operator/sock) is bound, or export SWITCHROOM_VAULT_PASSPHRASE and re-run `switchroom doctor`"
+        });
+        return results;
+      }
+      const byKey = new Map(out.results.map((r) => [r.key, r]));
+      const gaps = [];
+      for (const key of [...needed].sort()) {
+        const r = byKey.get(key);
+        if (r === undefined) {
+          gaps.push(`'${key}' \u2014 broker returned no result`);
+          continue;
+        }
+        const g = keyGap(key, cronKeys.has(key), r.exists, { allow: r.acl_ok, reason: r.acl_reason }, { allow: r.scope_ok, reason: r.scope_reason });
+        if (g)
+          gaps.push(g);
+      }
+      pushAgentResult(name, needed.size, gaps);
+    }
+    return results;
+  }
+  let entries;
+  try {
+    entries = (deps.openVault ?? openVault)(passphrase, vaultPath);
+  } catch (err) {
+    results.push({
+      name: "agent secret access",
+      status: vf.readable ? "fail" : "warn",
+      detail: `cannot open the vault: ${err.message}`,
+      fix: vf.readable ? "SWITCHROOM_VAULT_PASSPHRASE may be wrong, or the vault is corrupt" : "fix the vault file ownership above first (operator cannot read it)"
+    });
+    return results;
+  }
+  for (const name of Object.keys(config.agents ?? {})) {
+    const resolved = resolveAgentConfig(config.defaults, config.profiles, config.agents[name]);
+    const { needed, cronKeys } = collectNeeds(resolved);
+    if (needed.size === 0) {
+      results.push({
+        name: `secret access: ${name}`,
+        status: "ok",
+        detail: "no declared vault secrets"
+      });
+      continue;
+    }
+    const gaps = [];
+    for (const key of [...needed].sort()) {
+      const g = keyGap(key, cronKeys.has(key), key in entries, checkAclByAgent(config, name, key), checkEntryScope(entries[key]?.scope, name));
+      if (g)
+        gaps.push(g);
+    }
+    pushAgentResult(name, needed.size, gaps);
+  }
+  return results;
+}
+var init_doctor_secret_access = __esm(() => {
+  init_paths();
+  init_merge();
+  init_vault();
+  init_acl();
+  init_client();
+});
+
 // src/cli/doctor-drive.ts
 import {
   existsSync as realExistsSync,
   readFileSync as realReadFileSync
 } from "node:fs";
-import { join as join38, resolve as resolve28 } from "node:path";
+import { join as join39, resolve as resolve28 } from "node:path";
+import { homedir as homedir21 } from "node:os";
 function resolveDeps(config, deps) {
   let agentsDir = deps.agentsDir;
   if (agentsDir === undefined) {
@@ -28410,8 +28658,8 @@ function checkScaffoldWiring(config, driveAgents, d) {
       });
       continue;
     }
-    const mcpPath = join38(agentDir, ".mcp.json");
-    const claudeJsonPath = join38(agentDir, ".claude", ".claude.json");
+    const mcpPath = join39(agentDir, ".mcp.json");
+    const claudeJsonPath = join39(agentDir, ".claude", ".claude.json");
     const mcpRead = readJson(d, mcpPath);
     const trustRead = readJson(d, claudeJsonPath);
     if (mcpRead.kind === "unreadable" || trustRead.kind === "unreadable") {
@@ -28495,16 +28743,78 @@ function runDriveChecks(config, deps = {}) {
   const results = [];
   const matrix = checkConfigMatrix(config);
   results.push(...matrix);
-  const driveAgents = Object.keys(config.agents ?? {}).filter((name) => {
+  const driveAgents = computeDriveAgents(config);
+  results.push(...checkOAuthClient(config, driveAgents.length > 0));
+  results.push(...checkScaffoldWiring(config, driveAgents, d));
+  return results;
+}
+function computeDriveAgents(config) {
+  const accounts = config.google_accounts;
+  return Object.keys(config.agents ?? {}).filter((name) => {
     const acct = agentAccount(config, name);
     return !!acct && !!accounts?.[acct] && (accounts[acct].enabled_for ?? []).includes(name);
   });
-  results.push(...checkOAuthClient(config, driveAgents.length > 0));
-  results.push(...checkScaffoldWiring(config, driveAgents, d));
+}
+async function runDriveBrokerReachabilityChecks(config, deps = {}) {
+  const driveAgents = computeDriveAgents(config);
+  if (driveAgents.length === 0)
+    return [];
+  const gw = config.google_workspace;
+  const idKey = vaultRefKey(gw?.google_client_id);
+  const secretKey = vaultRefKey(gw?.google_client_secret);
+  const vaultKeys = [idKey, secretKey].filter((k) => k !== null);
+  if (vaultKeys.length === 0) {
+    return [
+      {
+        name: "drive: OAuth client broker-reachable",
+        status: "ok",
+        detail: "client credential is a literal (not a vault: ref) \u2014 the launcher reads it from config; no broker grant needed"
+      }
+    ];
+  }
+  const sock = deps.brokerOperatorSocket ?? join39(homedir21(), ".switchroom", "broker-operator", "sock");
+  const preflight = deps.preflight ?? ((a, k) => defaultPreflight(sock, a, k));
+  const results = [];
+  for (const agent of driveAgents) {
+    const outcome = await preflight(agent, vaultKeys);
+    if (outcome.kind === "locked") {
+      results.push({
+        name: `drive: ${agent} client-cred broker-reachable`,
+        status: "skip",
+        detail: "vault-broker is locked \u2014 cannot verify; the fleet's launchers/crons are dead while locked anyway (not a Drive-specific fault)"
+      });
+      continue;
+    }
+    if (outcome.kind === "unreachable") {
+      results.push({
+        name: `drive: ${agent} client-cred broker-reachable`,
+        status: "skip",
+        detail: `broker operator socket unreachable (${outcome.msg}) \u2014 cannot verify; not a false fail`
+      });
+      continue;
+    }
+    const denied = outcome.results.filter((r) => !r.acl_ok);
+    if (denied.length === 0) {
+      results.push({
+        name: `drive: ${agent} client-cred broker-reachable`,
+        status: "ok",
+        detail: `vault-broker will serve the OAuth client credential (${vaultKeys.join(", ")}) to '${agent}'`
+      });
+      continue;
+    }
+    const d0 = denied[0];
+    results.push({
+      name: `drive: ${agent} client-cred broker-reachable`,
+      status: "fail",
+      detail: `vault-broker DENIES '${agent}' the OAuth client key '${d0.key}' (${d0.acl_reason ?? "no ACL grant"}) \u2014 the gdrive MCP launcher exits before spawning and Drive silently never works for this agent`,
+      fix: `confirm '${agent}' is in google_accounts[<account>].enabled_for[] and has agents.${agent}.google_workspace.account set (v0.12.14+ broker grants the client credential off that gate automatically); then ensure the broker is running the v0.12.14+ image`
+    });
+  }
   return results;
 }
 var init_doctor_drive = __esm(() => {
   init_loader();
+  init_doctor_secret_access();
 });
 
 // src/cli/doctor-credentials-migration.ts
@@ -28513,11 +28823,11 @@ import {
   readdirSync as realReaddirSync,
   statSync as realStatSync
 } from "node:fs";
-import { homedir as homedir20 } from "node:os";
-import { join as join39 } from "node:path";
+import { homedir as homedir22 } from "node:os";
+import { join as join40 } from "node:path";
 function runCredentialsMigrationChecks(config, deps = {}) {
-  const credDir = deps.credentialsDir ?? join39(homedir20(), ".switchroom", "credentials");
-  const existsSync46 = deps.existsSync ?? ((p) => realExistsSync2(p));
+  const credDir = deps.credentialsDir ?? join40(homedir22(), ".switchroom", "credentials");
+  const existsSync47 = deps.existsSync ?? ((p) => realExistsSync2(p));
   const readdirSync17 = deps.readdirSync ?? ((p) => realReaddirSync(p));
   const isDirectory = deps.isDirectory ?? ((p) => {
     try {
@@ -28526,7 +28836,7 @@ function runCredentialsMigrationChecks(config, deps = {}) {
       return false;
     }
   });
-  if (!existsSync46(credDir))
+  if (!existsSync47(credDir))
     return [];
   const agentNames = new Set(Object.keys(config.agents ?? {}));
   let entries;
@@ -28544,7 +28854,7 @@ function runCredentialsMigrationChecks(config, deps = {}) {
   const flat = [];
   const perAgentDirs = [];
   for (const e of entries) {
-    const full = join39(credDir, e);
+    const full = join40(credDir, e);
     if (isDirectory(full) && agentNames.has(e)) {
       perAgentDirs.push(e);
     } else {
@@ -28571,233 +28881,6 @@ function runCredentialsMigrationChecks(config, deps = {}) {
 }
 var init_doctor_credentials_migration = () => {};
 
-// src/cli/doctor-secret-access.ts
-import {
-  accessSync,
-  constants as fsConstants4,
-  existsSync as existsSync46,
-  realpathSync as realpathSync4,
-  statSync as statSync20
-} from "node:fs";
-import { userInfo, homedir as homedir21 } from "node:os";
-import { join as join40 } from "node:path";
-function resolveVaultPath2(config) {
-  return config.vault?.path ? config.vault.path.replace(/^~/, process.env.HOME ?? "") : resolveStatePath("vault.enc");
-}
-function defaultStatVault(path4) {
-  if (!existsSync46(path4)) {
-    return { exists: false, readable: false, uid: -1, mode: 0, realPath: path4 };
-  }
-  let real = path4;
-  try {
-    real = realpathSync4(path4);
-  } catch {}
-  let uid = -1;
-  let mode = 0;
-  try {
-    const s = statSync20(real);
-    uid = s.uid;
-    mode = s.mode & 511;
-  } catch {
-    return { exists: true, readable: false, uid, mode, realPath: real };
-  }
-  let readable = false;
-  try {
-    accessSync(real, fsConstants4.R_OK);
-    readable = true;
-  } catch {
-    readable = false;
-  }
-  return { exists: true, readable, uid, mode, realPath: real };
-}
-function collectVaultRefs2(value, out) {
-  if (typeof value === "string") {
-    if (value.startsWith("vault:")) {
-      const key = value.slice("vault:".length).split("#")[0].trim();
-      if (key)
-        out.add(key);
-    }
-    return;
-  }
-  if (Array.isArray(value)) {
-    for (const v of value)
-      collectVaultRefs2(v, out);
-    return;
-  }
-  if (value && typeof value === "object") {
-    for (const v of Object.values(value)) {
-      collectVaultRefs2(v, out);
-    }
-  }
-}
-function collectNeeds(resolved) {
-  const cronKeys = new Set;
-  for (const entry of resolved.schedule ?? []) {
-    for (const s of entry.secrets ?? [])
-      cronKeys.add(s);
-  }
-  const refKeys = new Set;
-  collectVaultRefs2(resolved, refKeys);
-  return { needed: new Set([...cronKeys, ...refKeys]), cronKeys };
-}
-function keyGap(key, isCron, exists, acl, scope) {
-  const isGoogleSlot = key.startsWith("google:");
-  if (!isGoogleSlot && !exists)
-    return `'${key}' missing from the vault`;
-  if (isCron && !acl.allow) {
-    return `'${key}' (cron) \u2014 no static ACL grants read (${acl.reason})`;
-  }
-  if (!scope.allow) {
-    return `'${key}' \u2014 per-key scope denies read (${scope.reason})`;
-  }
-  return null;
-}
-async function defaultPreflight(socketPath, agent, keys) {
-  const r = await rpcRaw({ v: 1, op: "preflight_access", agent, keys }, { socket: socketPath, timeoutMs: 5000 });
-  if (r.kind === "unreachable")
-    return { kind: "unreachable", msg: r.msg };
-  const resp = r.resp;
-  if (resp.ok === true && resp.op === "preflight_access") {
-    return {
-      kind: "ok",
-      results: resp.results
-    };
-  }
-  if (resp.ok === false && resp.code === "LOCKED")
-    return { kind: "locked" };
-  return {
-    kind: "unreachable",
-    msg: resp.ok === false ? `broker error ${resp.code}: ${resp.msg}` : "unexpected broker response"
-  };
-}
-async function runSecretAccessChecks(config, deps = {}) {
-  const results = [];
-  const vaultPath = deps.vaultPath ?? resolveVaultPath2(config);
-  const statVault = deps.statVault ?? defaultStatVault;
-  const selfUid = deps.selfUid ?? (typeof process.getuid === "function" ? process.getuid() : -1);
-  let selfUser = deps.selfUser;
-  if (selfUser === undefined) {
-    try {
-      selfUser = userInfo().username;
-    } catch {
-      selfUser = "<you>";
-    }
-  }
-  const vf = statVault(vaultPath);
-  if (!vf.exists) {
-    results.push({
-      name: "vault: operator readable",
-      status: "ok",
-      detail: `vault file not present at ${vaultPath} \u2014 see the Vault section`
-    });
-  } else if (!vf.readable) {
-    results.push({
-      name: "vault: operator readable",
-      status: "fail",
-      detail: `${vf.realPath} is owned by uid ${vf.uid} (mode 0${vf.mode.toString(8)}) \u2014 ` + `the operator (uid ${selfUid} ${selfUser}) cannot read it, so every ` + `\`switchroom vault \u2026\` fails. The broker still works (CAP_DAC_READ_SEARCH), ` + `which masks this until you touch the vault directly.`,
-      fix: `sudo chown ${selfUser}:${selfUser} ${vf.realPath}`
-    });
-  } else {
-    results.push({
-      name: "vault: operator readable",
-      status: "ok",
-      detail: `operator can read ${vf.realPath}`
-    });
-  }
-  const pushAgentResult = (name, total, gaps) => {
-    results.push(gaps.length === 0 ? {
-      name: `secret access: ${name}`,
-      status: "ok",
-      detail: `${total} secret(s): all present + ACL ok`
-    } : {
-      name: `secret access: ${name}`,
-      status: "fail",
-      detail: `${gaps.length}/${total} unreachable \u2014 ${gaps.join("; ")}`,
-      fix: "`switchroom vault set <key>` for missing keys; " + "`switchroom vault set <key> --allow " + name + "` to grant this agent read access"
-    });
-  };
-  const passphrase = deps.passphrase ?? process.env.SWITCHROOM_VAULT_PASSPHRASE;
-  if (!passphrase) {
-    const sock = deps.brokerOperatorSocket ?? join40(homedir21(), ".switchroom", "broker-operator", "sock");
-    const preflight = deps.preflight ?? ((a, k) => defaultPreflight(sock, a, k));
-    for (const name of Object.keys(config.agents ?? {})) {
-      const resolved = resolveAgentConfig(config.defaults, config.profiles, config.agents[name]);
-      const { needed, cronKeys } = collectNeeds(resolved);
-      if (needed.size === 0) {
-        results.push({
-          name: `secret access: ${name}`,
-          status: "ok",
-          detail: "no declared vault secrets"
-        });
-        continue;
-      }
-      const out = await preflight(name, [...needed].sort());
-      if (out.kind === "unreachable" || out.kind === "locked") {
-        results.push({
-          name: "agent secret access",
-          status: "skip",
-          detail: out.kind === "locked" ? "vault-broker is locked \u2014 cron-secret existence/ACL unverified (re-run after it unlocks; it auto-unlocks on boot)" : `vault-broker operator socket unreachable (${out.msg}) and SWITCHROOM_VAULT_PASSPHRASE unset \u2014 cron-secret existence/ACL unverified`,
-          fix: "Ensure the broker operator socket (~/.switchroom/broker-operator/sock) is bound, or export SWITCHROOM_VAULT_PASSPHRASE and re-run `switchroom doctor`"
-        });
-        return results;
-      }
-      const byKey = new Map(out.results.map((r) => [r.key, r]));
-      const gaps = [];
-      for (const key of [...needed].sort()) {
-        const r = byKey.get(key);
-        if (r === undefined) {
-          gaps.push(`'${key}' \u2014 broker returned no result`);
-          continue;
-        }
-        const g = keyGap(key, cronKeys.has(key), r.exists, { allow: r.acl_ok, reason: r.acl_reason }, { allow: r.scope_ok, reason: r.scope_reason });
-        if (g)
-          gaps.push(g);
-      }
-      pushAgentResult(name, needed.size, gaps);
-    }
-    return results;
-  }
-  let entries;
-  try {
-    entries = (deps.openVault ?? openVault)(passphrase, vaultPath);
-  } catch (err) {
-    results.push({
-      name: "agent secret access",
-      status: vf.readable ? "fail" : "warn",
-      detail: `cannot open the vault: ${err.message}`,
-      fix: vf.readable ? "SWITCHROOM_VAULT_PASSPHRASE may be wrong, or the vault is corrupt" : "fix the vault file ownership above first (operator cannot read it)"
-    });
-    return results;
-  }
-  for (const name of Object.keys(config.agents ?? {})) {
-    const resolved = resolveAgentConfig(config.defaults, config.profiles, config.agents[name]);
-    const { needed, cronKeys } = collectNeeds(resolved);
-    if (needed.size === 0) {
-      results.push({
-        name: `secret access: ${name}`,
-        status: "ok",
-        detail: "no declared vault secrets"
-      });
-      continue;
-    }
-    const gaps = [];
-    for (const key of [...needed].sort()) {
-      const g = keyGap(key, cronKeys.has(key), key in entries, checkAclByAgent(config, name, key), checkEntryScope(entries[key]?.scope, name));
-      if (g)
-        gaps.push(g);
-    }
-    pushAgentResult(name, needed.size, gaps);
-  }
-  return results;
-}
-var init_doctor_secret_access = __esm(() => {
-  init_paths();
-  init_merge();
-  init_vault();
-  init_acl();
-  init_client();
-});
-
 // src/cli/doctor-inlined-secrets.ts
 import { readFileSync as fsReadFileSync } from "node:fs";
 function isSecretShapedKey(key) {
@@ -28894,7 +28977,7 @@ var init_doctor_inlined_secrets = __esm(() => {
 
 // src/cli/doctor-audit-integrity.ts
 import { readFileSync as fsReadFileSync2 } from "node:fs";
-import { homedir as homedir22 } from "node:os";
+import { homedir as homedir23 } from "node:os";
 import { join as join41 } from "node:path";
 function rootWrittenLogs(home2) {
   return [
@@ -28906,7 +28989,7 @@ function rootWrittenLogs(home2) {
   ];
 }
 function runAuditIntegrityChecks(deps = {}) {
-  const home2 = deps.homeDir ?? homedir22();
+  const home2 = deps.homeDir ?? homedir23();
   const read = deps.readFileSync ?? ((p) => fsReadFileSync2(p, "utf8"));
   const results = [];
   for (const { label, path: path4 } of rootWrittenLogs(home2)) {
@@ -29183,13 +29266,13 @@ var init_client4 = __esm(() => {
 
 // src/cli/doctor-agent-smoke.ts
 import { existsSync as existsSync47 } from "node:fs";
-import { homedir as homedir23 } from "node:os";
+import { homedir as homedir24 } from "node:os";
 import { join as join42 } from "node:path";
 import { randomUUID as randomUUID4 } from "node:crypto";
 async function runAgentSmokeChecks(config, deps = {}) {
   if (deps.fast)
     return [];
-  const home2 = deps.homeDir ?? homedir23();
+  const home2 = deps.homeDir ?? homedir24();
   const sock = deps.operatorSockPath ?? join42(home2, ".switchroom", "hostd", "operator", "sock");
   if (!deps.hostdRequestImpl && !existsSync47(sock)) {
     return [
@@ -30809,7 +30892,13 @@ function registerDoctorCommand(program3) {
         title: "Agent liveness (in-agent via hostd)",
         results: await runAgentSmokeChecks(config, { fast: opts.fast })
       },
-      { title: "Google Drive", results: runDriveChecks(config) },
+      {
+        title: "Google Drive",
+        results: [
+          ...runDriveChecks(config),
+          ...await runDriveBrokerReachabilityChecks(config)
+        ]
+      },
       { title: "MFF Skill", results: await checkMff(passphrase, vaultPath, config) }
     ];
     const cwd = process.cwd();
@@ -47153,8 +47242,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.12.14";
-var COMMIT_SHA = "db6d87d6";
+var VERSION = "0.12.16";
+var COMMIT_SHA = "b30ce83a";
 
 // src/cli/agent.ts
 init_source();
@@ -69125,8 +69214,8 @@ init_lifecycle();
 import { cpSync as cpSync2, existsSync as existsSync49, mkdirSync as mkdirSync27, readFileSync as readFileSync45, realpathSync as realpathSync5, rmSync as rmSync12, statSync as statSync22 } from "node:fs";
 import { spawnSync as spawnSync8 } from "node:child_process";
 import { join as join44, dirname as dirname13, resolve as resolve30 } from "node:path";
-import { homedir as homedir24 } from "node:os";
-var DEFAULT_COMPOSE_PATH = join44(homedir24(), ".switchroom", "compose", "docker-compose.yml");
+import { homedir as homedir25 } from "node:os";
+var DEFAULT_COMPOSE_PATH = join44(homedir25(), ".switchroom", "compose", "docker-compose.yml");
 function runningFromSwitchroomCheckout(scriptPath) {
   let dir = dirname13(scriptPath);
   for (let i = 0;i < 12; i++) {
@@ -69263,7 +69352,7 @@ function planUpdate(opts) {
         return;
       }
       const source = resolve30(import.meta.dirname, "../../skills");
-      const dest = join44(homedir24(), ".switchroom", "skills", "_bundled");
+      const dest = join44(homedir25(), ".switchroom", "skills", "_bundled");
       if (!existsSync49(source)) {
         process.stderr.write(`switchroom update: sync-bundled-skills \u2014 CLI bundle has no adjacent skills/ at ${source}; skipping.
 `);
@@ -70666,7 +70755,7 @@ function relTime(deltaMs) {
 // src/cli/deps.ts
 init_source();
 import { existsSync as existsSync54 } from "node:fs";
-import { homedir as homedir27 } from "node:os";
+import { homedir as homedir28 } from "node:os";
 import { join as join49, resolve as resolve34 } from "node:path";
 
 // src/deps/python.ts
@@ -70679,7 +70768,7 @@ import {
   writeFileSync as writeFileSync26
 } from "node:fs";
 import { dirname as dirname15, join as join47 } from "node:path";
-import { homedir as homedir25 } from "node:os";
+import { homedir as homedir26 } from "node:os";
 import { execFileSync as execFileSync14 } from "node:child_process";
 
 class PythonEnvError extends Error {
@@ -70691,7 +70780,7 @@ class PythonEnvError extends Error {
   }
 }
 function defaultPythonCacheRoot() {
-  return join47(homedir25(), ".switchroom", "deps", "python");
+  return join47(homedir26(), ".switchroom", "deps", "python");
 }
 function hashFile(path4) {
   return createHash9("sha256").update(readFileSync48(path4)).digest("hex");
@@ -70767,7 +70856,7 @@ import {
   writeFileSync as writeFileSync27
 } from "node:fs";
 import { dirname as dirname16, join as join48 } from "node:path";
-import { homedir as homedir26 } from "node:os";
+import { homedir as homedir27 } from "node:os";
 import { execFileSync as execFileSync15 } from "node:child_process";
 
 class NodeEnvError extends Error {
@@ -70790,7 +70879,7 @@ var LOCKFILES_FOR = {
   npm: ["package-lock.json"]
 };
 function defaultNodeCacheRoot() {
-  return join48(homedir26(), ".switchroom", "deps", "node");
+  return join48(homedir27(), ".switchroom", "deps", "node");
 }
 function hashDepInputs(packageJsonPath) {
   const sourceDir = dirname16(packageJsonPath);
@@ -70874,7 +70963,7 @@ function ensureNodeEnv(opts) {
 
 // src/cli/deps.ts
 function builtinSkillsRoot() {
-  return resolve34(homedir27(), ".switchroom/skills/_bundled");
+  return resolve34(homedir28(), ".switchroom/skills/_bundled");
 }
 function registerDepsCommand(program3) {
   const deps = program3.command("deps").description("Manage cached per-skill dependency environments");
@@ -72184,7 +72273,7 @@ init_source();
 import { execFileSync as execFileSync16 } from "node:child_process";
 import { closeSync as closeSync11, mkdirSync as mkdirSync32, openSync as openSync11, existsSync as existsSync59, unlinkSync as unlinkSync12 } from "node:fs";
 import { join as join53, resolve as resolve39 } from "node:path";
-import { homedir as homedir29 } from "node:os";
+import { homedir as homedir30 } from "node:os";
 import { randomBytes as randomBytes11 } from "node:crypto";
 
 // src/worktree/registry.ts
@@ -72198,9 +72287,9 @@ import {
   renameSync as renameSync11
 } from "node:fs";
 import { join as join52, resolve as resolve38 } from "node:path";
-import { homedir as homedir28 } from "node:os";
+import { homedir as homedir29 } from "node:os";
 function registryDir() {
-  return resolve38(process.env.SWITCHROOM_WORKTREE_DIR ?? join52(homedir28(), ".switchroom", "worktrees"));
+  return resolve38(process.env.SWITCHROOM_WORKTREE_DIR ?? join52(homedir29(), ".switchroom", "worktrees"));
 }
 function recordPath(id) {
   return join52(registryDir(), `${id}.json`);
@@ -72281,7 +72370,7 @@ function acquireRepoLock(repoPath) {
 }
 var DEFAULT_CONCURRENCY = 5;
 function worktreesBaseDir() {
-  return resolve39(process.env.SWITCHROOM_WORKTREE_BASE ?? join53(homedir29(), ".switchroom", "worktree-checkouts"));
+  return resolve39(process.env.SWITCHROOM_WORKTREE_BASE ?? join53(homedir30(), ".switchroom", "worktree-checkouts"));
 }
 function shortId() {
   return randomBytes11(4).toString("hex");
@@ -72303,7 +72392,7 @@ function resolveRepoPath(repo, codeRepos) {
 }
 function expandHome(p) {
   if (p.startsWith("~/"))
-    return join53(homedir29(), p.slice(2));
+    return join53(homedir30(), p.slice(2));
   return p;
 }
 async function claimWorktree(input, codeRepos) {
@@ -73258,7 +73347,7 @@ agents:
 // src/cli/apply.ts
 init_resolver();
 import { dirname as dirname19, join as join58, resolve as resolve41 } from "node:path";
-import { homedir as homedir31 } from "node:os";
+import { homedir as homedir32 } from "node:os";
 import { execFileSync as execFileSync19 } from "node:child_process";
 init_vault();
 init_loader();
@@ -73559,7 +73648,7 @@ var EMBEDDED_EXAMPLES = {
   switchroom: switchroom_default,
   minimal: minimal_default
 };
-var DEFAULT_COMPOSE_PATH2 = join58(homedir31(), ".switchroom", "compose", "docker-compose.yml");
+var DEFAULT_COMPOSE_PATH2 = join58(homedir32(), ".switchroom", "compose", "docker-compose.yml");
 var COMPOSE_PROJECT2 = "switchroom";
 function resolveVaultBindMountDir(homeDir, ctx) {
   const isCustomPath = ctx.migrationKind === "custom-path-skipped";
@@ -73595,7 +73684,7 @@ function hasVaultRefs(value) {
   return false;
 }
 async function ensureHostMountSources(config) {
-  const home2 = homedir31();
+  const home2 = homedir32();
   const dirs = [
     join58(home2, ".switchroom", "approvals"),
     join58(home2, ".switchroom", "scheduler"),
@@ -73691,7 +73780,7 @@ function detectAndReportLegacyGdriveSlots(vaultPath) {
 `));
   }
 }
-function writeInstallTypeCache(homeDir = homedir31()) {
+function writeInstallTypeCache(homeDir = homedir32()) {
   const ctx = detectInstallType();
   const dir = join58(homeDir, ".switchroom");
   const out = join58(dir, "install-type.json");
@@ -73801,7 +73890,7 @@ Applying switchroom config...
   }
   const vaultPathConfigured = config.vault?.path;
   const customVaultPath = vaultPathConfigured ? resolvePath(vaultPathConfigured) : undefined;
-  const migrationResult = migrateVaultLayout(homedir31(), {
+  const migrationResult = migrateVaultLayout(homedir32(), {
     customVaultPath
   });
   switch (migrationResult.kind) {
@@ -73827,7 +73916,7 @@ Applying switchroom config...
       writeErr(formatDivergentRecoveryMessage(migrationResult.details));
       process.exit(4);
   }
-  const postMigrationInspect = inspectVaultLayout(homedir31());
+  const postMigrationInspect = inspectVaultLayout(homedir32());
   const acceptable = [
     "no-vault",
     "already-migrated",
@@ -73842,7 +73931,7 @@ Applying switchroom config...
 `));
     process.exit(5);
   }
-  const vaultDir = resolveVaultBindMountDir(homedir31(), {
+  const vaultDir = resolveVaultBindMountDir(homedir32(), {
     migrationKind: migrationResult.kind,
     customVaultPath
   });
@@ -73872,7 +73961,7 @@ Applying switchroom config...
     imageTag: composeImageTag,
     buildMode: options.buildLocal ? "local" : "pull",
     buildContext: options.buildContext,
-    homeDir: homedir31(),
+    homeDir: homedir32(),
     switchroomConfigPath,
     operatorUid
   });
@@ -73892,7 +73981,7 @@ Wrote `) + composePath + source_default.gray(` (${composeBytes} bytes)
   writeOut(source_default.gray(`  (If pull returns 401, login to ghcr.io first: see docs/operators/install.md#ghcr-auth)
 `));
   if (process.geteuid?.() === 0 && operatorUid !== undefined) {
-    const restored = restoreOperatorOwnership(homedir31(), operatorUid);
+    const restored = restoreOperatorOwnership(homedir32(), operatorUid);
     if (restored.length > 0) {
       writeOut(source_default.gray(`  Restored operator ownership of ${restored.length} ~/.switchroom path(s)
 `));
@@ -74143,7 +74232,7 @@ function runRedactStdin() {
 // src/cli/status-ask.ts
 import { readFileSync as readFileSync54, existsSync as existsSync66, readdirSync as readdirSync24 } from "node:fs";
 import { join as join59 } from "node:path";
-import { homedir as homedir32 } from "node:os";
+import { homedir as homedir33 } from "node:os";
 
 // src/status-ask/report.ts
 function parseJsonl(content) {
@@ -74478,7 +74567,7 @@ function resolveSources(explicitPath) {
     const config = loadConfig();
     agentsDir = resolveAgentsDir(config);
   } catch {
-    agentsDir = join59(homedir32(), ".switchroom", "agents");
+    agentsDir = join59(homedir33(), ".switchroom", "agents");
   }
   if (!existsSync66(agentsDir))
     return [];
@@ -74513,14 +74602,14 @@ function inferAgentFromPath(p) {
 // src/cli/agent-config.ts
 init_helpers();
 import { join as join60 } from "node:path";
-import { homedir as homedir33 } from "node:os";
+import { homedir as homedir34 } from "node:os";
 import {
   existsSync as existsSync67,
   mkdirSync as mkdirSync36,
   appendFileSync as appendFileSync3,
   readFileSync as readFileSync55
 } from "node:fs";
-var AUDIT_ROOT = join60(homedir33(), ".switchroom", "audit");
+var AUDIT_ROOT = join60(homedir34(), ".switchroom", "audit");
 function auditPathFor(agent) {
   return join60(AUDIT_ROOT, agent, "agent-config.jsonl");
 }
@@ -76041,7 +76130,7 @@ function registerMigrateCommand(program3) {
 init_source();
 init_helpers();
 import { existsSync as existsSync74, mkdirSync as mkdirSync39, readdirSync as readdirSync28, readFileSync as readFileSync61, writeFileSync as writeFileSync34, statSync as statSync28, copyFileSync as copyFileSync12 } from "node:fs";
-import { homedir as homedir34 } from "node:os";
+import { homedir as homedir35 } from "node:os";
 import { join as join65 } from "node:path";
 import { spawnSync as spawnSync11 } from "node:child_process";
 init_audit_reader();
@@ -76133,7 +76222,7 @@ networks:
 `;
 }
 function hostdDir() {
-  return join65(homedir34(), ".switchroom", "hostd");
+  return join65(homedir35(), ".switchroom", "hostd");
 }
 function hostdComposePath() {
   return join65(hostdDir(), "docker-compose.yml");
@@ -76175,7 +76264,7 @@ async function doInstall(opts, program3) {
   const composePath = hostdComposePath();
   mkdirSync39(dir, { recursive: true });
   const yaml = renderHostdComposeFile({
-    hostHome: homedir34(),
+    hostHome: homedir35(),
     imageTag: opts.tag ?? DEFAULT_IMAGE_TAG,
     operatorUid: resolveOperatorUid()
   });