switchroom 0.13.5 → 0.13.8

package/dist/host-control/main.js

@@ -14040,6 +14040,10 @@ var QuotaConfigSchema = exports_external.object({
 var HostControlConfigSchema = exports_external.object({
   enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3).")
 });
+var HostdConfigSchema = exports_external.object({
+  config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
+  config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
+});
 var SwitchroomConfigSchema = exports_external.object({
   switchroom: exports_external.object({
     version: exports_external.literal(1).describe("Config schema version"),
@@ -14066,6 +14070,7 @@ var SwitchroomConfigSchema = exports_external.object({
   google_workspace: GoogleWorkspaceConfigSchema.describe("RFC G canonical key. Top-level Google Workspace configuration — " + "OAuth client credentials, approver allowlist, and tier knob (`core` " + "| `extended` | `complete`, default `core`). Mutually exclusive with " + "`drive:` at the top level (loader fails fast if both are set)."),
   quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
   host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
+  hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a — disabled by default)."),
   google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
     message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
   }).transform((v) => v.trim().toLowerCase()), exports_external.object({
@@ -14689,17 +14694,17 @@ var BIND_MOUNT_EXACT_SOURCE_DENY = new Set(["/var/run/docker.sock"]);
 
 // src/host-control/server.ts
 import { createServer } from "node:net";
-import { spawn, spawnSync } from "node:child_process";
+import { spawn, spawnSync as spawnSync2 } from "node:child_process";
 import { mkdir, chmod, chown, unlink, appendFile } from "node:fs/promises";
 import {
   readdirSync as readdirSync2,
-  existsSync as existsSync5,
-  readFileSync as readFileSync3,
-  writeFileSync,
+  existsSync as existsSync6,
+  readFileSync as readFileSync4,
+  writeFileSync as writeFileSync2,
   renameSync,
   mkdirSync
 } from "node:fs";
-import { join as join2, dirname as dirname2, resolve as resolve5 } from "node:path";
+import { join as join3, dirname as dirname2, resolve as resolve5 } from "node:path";
 
 // src/host-control/protocol.ts
 var MAX_FRAME_BYTES = 64 * 1024;
@@ -14794,6 +14799,15 @@ var AgentSmokeRequestSchema = exports_external.object({
     deep: exports_external.boolean().optional()
   })
 });
+var ConfigProposeEditRequestSchema = exports_external.object({
+  ...RequestEnvelope,
+  op: exports_external.literal("config_propose_edit"),
+  args: exports_external.object({
+    unified_diff: exports_external.string().min(1).max(MAX_FRAME_BYTES - 1024),
+    reason: exports_external.string().min(1).max(500),
+    target_path: exports_external.literal("/state/config/switchroom.yaml")
+  })
+});
 var RequestSchema = exports_external.discriminatedUnion("op", [
   AgentRestartRequestSchema,
   UpgradeStatusRequestSchema,
@@ -14806,7 +14820,8 @@ var RequestSchema = exports_external.discriminatedUnion("op", [
   AgentLogsRequestSchema,
   AgentExecRequestSchema,
   DoctorRequestSchema,
-  AgentSmokeRequestSchema
+  AgentSmokeRequestSchema,
+  ConfigProposeEditRequestSchema
 ]);
 var ResultSchema = exports_external.enum(["started", "completed", "denied", "error"]);
 var ResponseEnvelope = {
@@ -15283,12 +15298,351 @@ function detectInstallType() {
   }
 }
 
+// src/host-control/config-edit-validator.ts
+import { mkdtempSync, writeFileSync, rmSync, existsSync as existsSync5, readFileSync as readFileSync3 } from "node:fs";
+import { tmpdir } from "node:os";
+import { join as join2, isAbsolute as isAbsolute2, normalize } from "node:path";
+import { spawnSync } from "node:child_process";
+var MAX_PATCH_BYTES = 1024 * 1024;
+function isTargetPathHeader(headerPath, targetBasename) {
+  if (headerPath === "/dev/null")
+    return false;
+  let p = headerPath;
+  if (p.startsWith("a/") || p.startsWith("b/"))
+    p = p.slice(2);
+  if (isAbsolute2(p))
+    return false;
+  if (p.includes(".."))
+    return false;
+  const norm = normalize(p);
+  if (norm.includes("..") || isAbsolute2(norm))
+    return false;
+  return norm === targetBasename;
+}
+function validateShape(unifiedDiff, targetPath) {
+  const byteLen = Buffer.byteLength(unifiedDiff, "utf8");
+  if (byteLen > MAX_PATCH_BYTES) {
+    return {
+      ok: false,
+      code: "E_PATCH_INVALID_SHAPE",
+      detail: `patch exceeds ${MAX_PATCH_BYTES}-byte cap (${byteLen} bytes)`
+    };
+  }
+  if (unifiedDiff.includes("\r")) {
+    return {
+      ok: false,
+      code: "E_PATCH_INVALID_SHAPE",
+      detail: "patch must be LF-only (no CRLF / CR)"
+    };
+  }
+  const lines = unifiedDiff.split(`
+`);
+  const minusHeaders = [];
+  const plusHeaders = [];
+  let hunkCount = 0;
+  for (const ln of lines) {
+    if (ln.startsWith("--- "))
+      minusHeaders.push(ln.slice(4).trim());
+    else if (ln.startsWith("+++ "))
+      plusHeaders.push(ln.slice(4).trim());
+    else if (ln.startsWith("@@"))
+      hunkCount++;
+  }
+  if (minusHeaders.length === 0 || plusHeaders.length === 0) {
+    return {
+      ok: false,
+      code: "E_PATCH_INVALID_SHAPE",
+      detail: "patch missing `---`/`+++` headers"
+    };
+  }
+  if (hunkCount === 0) {
+    return {
+      ok: false,
+      code: "E_PATCH_INVALID_SHAPE",
+      detail: "patch contains no hunks"
+    };
+  }
+  if (minusHeaders.length > 1 || plusHeaders.length > 1) {
+    return {
+      ok: false,
+      code: "E_PATCH_INVALID_SHAPE",
+      detail: "multi-file diff not allowed; single-file only"
+    };
+  }
+  const targetBasename = targetPath.split("/").pop() ?? targetPath;
+  for (const h of [...minusHeaders, ...plusHeaders]) {
+    const path2 = h.split("\t")[0].trim();
+    if (!isTargetPathHeader(path2, targetBasename)) {
+      return {
+        ok: false,
+        code: "E_PATCH_INVALID_SHAPE",
+        detail: `header path "${path2}" does not match target "${targetBasename}"`
+      };
+    }
+  }
+  return null;
+}
+function applyPatch(unifiedDiff, configPath, gitBin) {
+  if (!existsSync5(configPath)) {
+    return {
+      ok: false,
+      code: "E_PATCH_APPLY_FAILED",
+      detail: `target config not found at ${configPath}`
+    };
+  }
+  const liveContent = readFileSync3(configPath, "utf8");
+  const scratchDir = mkdtempSync(join2(tmpdir(), "config-propose-edit-"));
+  try {
+    const basename = configPath.split("/").pop() ?? "switchroom.yaml";
+    const scratchFile = join2(scratchDir, basename);
+    writeFileSync(scratchFile, liveContent);
+    const patchFile = join2(scratchDir, "proposal.patch");
+    writeFileSync(patchFile, unifiedDiff);
+    const bin = gitBin ?? "git";
+    const baseArgs = [
+      "apply",
+      "--whitespace=nowarn",
+      "--recount",
+      "--unidiff-zero"
+    ];
+    const checkP1 = spawnSync(bin, [...baseArgs.slice(0, 1), "--check", ...baseArgs.slice(1), "-p1", patchFile], { cwd: scratchDir, encoding: "utf8", timeout: 1e4 });
+    let pStrip = "-p1";
+    if (checkP1.status !== 0) {
+      const checkP0 = spawnSync(bin, [...baseArgs.slice(0, 1), "--check", ...baseArgs.slice(1), "-p0", patchFile], { cwd: scratchDir, encoding: "utf8", timeout: 1e4 });
+      if (checkP0.status !== 0) {
+        const stderr = (checkP1.stderr || "") + (checkP0.stderr || "");
+        return {
+          ok: false,
+          code: "E_PATCH_APPLY_FAILED",
+          detail: `git apply --check failed: ${stderr.trim().slice(0, 500)}`
+        };
+      }
+      pStrip = "-p0";
+    }
+    const real = spawnSync(bin, [...baseArgs, pStrip, patchFile], { cwd: scratchDir, encoding: "utf8", timeout: 1e4 });
+    if (real.status !== 0) {
+      return {
+        ok: false,
+        code: "E_PATCH_APPLY_FAILED",
+        detail: `git apply failed: ${(real.stderr || "").trim().slice(0, 500)}`
+      };
+    }
+    const after = readFileSync3(scratchFile, "utf8");
+    return { ok: true, after };
+  } finally {
+    rmSync(scratchDir, { recursive: true, force: true });
+  }
+}
+function failsafeParse(source) {
+  let doc;
+  try {
+    doc = $parseDocument(source, { merge: false, strict: true });
+  } catch (err) {
+    return {
+      ok: false,
+      code: "E_YAML_UNSAFE_CONSTRUCT",
+      detail: `YAML parse error: ${err.message}`
+    };
+  }
+  if (doc.errors && doc.errors.length > 0) {
+    return {
+      ok: false,
+      code: "E_YAML_UNSAFE_CONSTRUCT",
+      detail: `YAML parse error: ${doc.errors[0].message}`
+    };
+  }
+  let rejection = null;
+  $visit(doc, (_key, node, _path) => {
+    if (rejection)
+      return $visit.BREAK;
+    if ($isAlias(node)) {
+      rejection = {
+        ok: false,
+        code: "E_YAML_UNSAFE_CONSTRUCT",
+        detail: "YAML aliases (`*name`) are not allowed"
+      };
+      return $visit.BREAK;
+    }
+    if ($isNode(node)) {
+      if (node.anchor) {
+        rejection = {
+          ok: false,
+          code: "E_YAML_UNSAFE_CONSTRUCT",
+          detail: `YAML anchors (\`&${node.anchor}\`) are not allowed`
+        };
+        return $visit.BREAK;
+      }
+      const tag = node.tag;
+      if (typeof tag === "string" && tag.startsWith("!")) {
+        rejection = {
+          ok: false,
+          code: "E_YAML_UNSAFE_CONSTRUCT",
+          detail: `YAML explicit tags (\`${tag}\`) are not allowed`
+        };
+        return $visit.BREAK;
+      }
+    }
+    if ($isPair(node)) {
+      const k = node.key;
+      if ($isScalar(k) && k.value === "<<") {
+        rejection = {
+          ok: false,
+          code: "E_YAML_UNSAFE_CONSTRUCT",
+          detail: "YAML merge keys (`<<:`) are not allowed"
+        };
+        return $visit.BREAK;
+      }
+    }
+    return;
+  });
+  if (rejection)
+    return rejection;
+  if (/(^|\n)\s*<<\s*:/.test(source)) {
+    return {
+      ok: false,
+      code: "E_YAML_UNSAFE_CONSTRUCT",
+      detail: "YAML merge keys (`<<:`) are not allowed"
+    };
+  }
+  const tagMatch = source.match(/(^|\s)!![A-Za-z_][\w/.\-:]*/);
+  if (tagMatch) {
+    return {
+      ok: false,
+      code: "E_YAML_UNSAFE_CONSTRUCT",
+      detail: `YAML explicit tags (\`${tagMatch[0].trim()}\`) are not allowed`
+    };
+  }
+  return { ok: true, doc, data: doc.toJS() };
+}
+function schemaValidate(data) {
+  const result = SwitchroomConfigSchema.safeParse(data);
+  if (result.success)
+    return null;
+  const issue = result.error.issues[0];
+  const where = issue?.path.join(".") || "(root)";
+  return {
+    ok: false,
+    code: "E_SCHEMA_INVALID",
+    detail: `schema validation failed at ${where}: ${issue?.message ?? "unknown"}`
+  };
+}
+function collectStrings(root, out, prefix = "") {
+  if (root === null || root === undefined)
+    return;
+  if (typeof root === "string") {
+    out.set(prefix || "(root)", root);
+    return;
+  }
+  if (Array.isArray(root)) {
+    for (let i = 0;i < root.length; i++) {
+      collectStrings(root[i], out, `${prefix}[${i}]`);
+    }
+    return;
+  }
+  if (typeof root === "object") {
+    for (const [k, v] of Object.entries(root)) {
+      const p = prefix ? `${prefix}.${k}` : k;
+      collectStrings(v, out, p);
+    }
+  }
+}
+var SECRET_PREFIX_PATTERNS = [
+  { name: "openai-key", re: /^sk-[A-Za-z0-9_\-]{20,}$/ },
+  { name: "anthropic-key", re: /^sk-ant-[A-Za-z0-9_\-]{20,}$/ },
+  { name: "github-pat", re: /^ghp_[A-Za-z0-9]{20,}$/ },
+  { name: "github-fine-grained", re: /^github_pat_[A-Za-z0-9_]{20,}$/ },
+  { name: "slack-bot", re: /^xoxb-[A-Za-z0-9\-]{10,}$/ },
+  { name: "slack-user", re: /^xoxp-[A-Za-z0-9\-]{10,}$/ },
+  { name: "google-api", re: /^AIza[A-Za-z0-9_\-]{30,}$/ },
+  { name: "aws-access-key", re: /^AKIA[A-Z0-9]{16,}$/ }
+];
+var CREDENTIAL_FIELD_RE = /(^|[._\-])(secret|token|password|api[_\-]?key|bot[_\-]?token|client[_\-]?secret|credential)s?($|[._\-])/i;
+var VAULT_REF_RE = /^vault:[A-Za-z0-9_\-]+(\/[A-Za-z0-9_\-]+)*$/;
+function masked(s) {
+  if (s.length <= 8)
+    return "***";
+  return `${s.slice(0, 3)}...${s.slice(-3)}`;
+}
+function secretLeakGuard(before, after) {
+  const beforeStrings = new Map;
+  const afterStrings = new Map;
+  collectStrings(before, beforeStrings);
+  collectStrings(after, afterStrings);
+  for (const [path2, val] of beforeStrings) {
+    if (!VAULT_REF_RE.test(val))
+      continue;
+    if (!afterStrings.has(path2))
+      continue;
+    const newVal = afterStrings.get(path2);
+    if (!VAULT_REF_RE.test(newVal)) {
+      return {
+        ok: false,
+        code: "E_SECRET_LEAK_DETECTED",
+        detail: `field "${path2}" was a vault reference (${val}) but the ` + `proposed change replaces it with a literal value ` + `(${masked(newVal)}); inlining a secret is not allowed`
+      };
+    }
+  }
+  for (const [path2, val] of afterStrings) {
+    if (VAULT_REF_RE.test(val))
+      continue;
+    if (beforeStrings.get(path2) === val)
+      continue;
+    for (const { name, re } of SECRET_PREFIX_PATTERNS) {
+      if (re.test(val)) {
+        return {
+          ok: false,
+          code: "E_SECRET_LEAK_DETECTED",
+          detail: `field "${path2}" contains a literal ${name}-shaped value ` + `(${masked(val)}); use a vault:<key> reference instead`
+        };
+      }
+    }
+    if (CREDENTIAL_FIELD_RE.test(path2)) {
+      if (val.length >= 40 && /^[A-Za-z0-9+/=_\-]+$/.test(val)) {
+        return {
+          ok: false,
+          code: "E_SECRET_LEAK_DETECTED",
+          detail: `field "${path2}" is credential-named and the proposed ` + `value (${masked(val)}) looks like a literal secret; ` + `use a vault:<key> reference instead`
+        };
+      }
+    }
+  }
+  return null;
+}
+function validateConfigEdit(opts) {
+  const shapeErr = validateShape(opts.unifiedDiff, opts.targetPath);
+  if (shapeErr)
+    return shapeErr;
+  const applied = applyPatch(opts.unifiedDiff, opts.configPath, opts.gitBin);
+  if (!("ok" in applied) || applied.ok !== true) {
+    return applied;
+  }
+  const parsedAfter = failsafeParse(applied.after);
+  if (!("ok" in parsedAfter) || parsedAfter.ok !== true) {
+    return parsedAfter;
+  }
+  const schemaErr = schemaValidate(parsedAfter.data);
+  if (schemaErr)
+    return schemaErr;
+  let beforeData = {};
+  try {
+    const beforeRaw = existsSync5(opts.configPath) ? readFileSync3(opts.configPath, "utf8") : "";
+    const beforeDoc = $parseDocument(beforeRaw, { merge: false, strict: false });
+    beforeData = beforeDoc.toJS();
+  } catch {
+    beforeData = {};
+  }
+  const leakErr = secretLeakGuard(beforeData, parsedAfter.data);
+  if (leakErr)
+    return leakErr;
+  return { ok: true };
+}
+
 // src/host-control/server.ts
 function resolveDigests(imageRefs) {
   const out = new Map;
   for (const ref of imageRefs) {
     try {
-      const r = spawnSync("docker", ["inspect", "--format={{index .RepoDigests 0}}", ref], { encoding: "utf-8", timeout: 5000 });
+      const r = spawnSync2("docker", ["inspect", "--format={{index .RepoDigests 0}}", ref], { encoding: "utf-8", timeout: 5000 });
       if (r.status !== 0)
         continue;
       const trimmed = (r.stdout ?? "").trim();
@@ -15306,11 +15660,11 @@ function resolveDigests(imageRefs) {
   return out;
 }
 function readCachedInstallType(bindRoot) {
-  const cacheDir = join2(bindRoot, ".switchroom");
-  const cachePath = join2(cacheDir, "install-type.json");
-  if (existsSync5(cachePath)) {
+  const cacheDir = join3(bindRoot, ".switchroom");
+  const cachePath = join3(cacheDir, "install-type.json");
+  if (existsSync6(cachePath)) {
     try {
-      const raw = readFileSync3(cachePath, "utf-8");
+      const raw = readFileSync4(cachePath, "utf-8");
       const parsed = JSON.parse(raw);
       if (parsed && typeof parsed.install_type === "string" && typeof parsed.detected_at === "string") {
         return parsed;
@@ -15329,7 +15683,7 @@ function readCachedInstallType(bindRoot) {
   try {
     mkdirSync(cacheDir, { recursive: true });
     const tmp = `${cachePath}.tmp`;
-    writeFileSync(tmp, JSON.stringify(payload, null, 2), { mode: 420 });
+    writeFileSync2(tmp, JSON.stringify(payload, null, 2), { mode: 420 });
     renameSync(tmp, cachePath);
   } catch {}
   return payload;
@@ -15350,7 +15704,7 @@ class HostdServer {
     this.opts = opts;
   }
   async start() {
-    const hostdDir = join2(this.opts.homeDir, ".switchroom", "hostd");
+    const hostdDir = join3(this.opts.homeDir, ".switchroom", "hostd");
     await mkdir(hostdDir, { recursive: true });
     await chmod(hostdDir, 493).catch(() => {
       return;
@@ -15361,13 +15715,13 @@ class HostdServer {
     }
     try {
       for (const name of agentNames) {
-        const dir = join2(hostdDir, name);
-        const sockPath = join2(dir, "sock");
+        const dir = join3(hostdDir, name);
+        const sockPath = join3(dir, "sock");
         await mkdir(dir, { recursive: true });
         await chmod(dir, 493).catch(() => {
           return;
         });
-        if (existsSync5(sockPath))
+        if (existsSync6(sockPath))
           await unlink(sockPath).catch(() => {
             return;
           });
@@ -15398,13 +15752,13 @@ class HostdServer {
           process.stderr.write(`hostd: SWITCHROOM_HOSTD_OPERATOR_UID='${opUidStr}' is not a positive integer; skipping operator listener
 `);
         } else {
-          const dir = join2(hostdDir, "operator");
-          const sockPath = join2(dir, "sock");
+          const dir = join3(hostdDir, "operator");
+          const sockPath = join3(dir, "sock");
           await mkdir(dir, { recursive: true });
           await chmod(dir, 493).catch(() => {
             return;
           });
-          if (existsSync5(sockPath))
+          if (existsSync6(sockPath))
             await unlink(sockPath).catch(() => {
               return;
             });
@@ -15561,6 +15915,9 @@ class HostdServer {
         case "agent_smoke":
           resp = await this.handleAgentSmoke(req, started);
           break;
+        case "config_propose_edit":
+          resp = this.handleConfigProposeEdit(req, started);
+          break;
       }
     } catch (err) {
       resp = errorResponse(req.request_id, `hostd dispatch failed: ${err.message}`, Date.now() - started);
@@ -15608,6 +15965,8 @@ class HostdServer {
         return callerAdmin ? null : `${req.op} cross-agent requires admin: true on caller "${caller.name}"`;
       case "doctor":
         return callerAdmin ? null : `doctor requires admin: true on caller "${caller.name}"`;
+      case "config_propose_edit":
+        return callerAdmin ? null : `config_propose_edit requires admin: true on caller "${caller.name}"`;
     }
   }
   async handleAgentRestart(req, caller, started) {
@@ -15687,10 +16046,10 @@ class HostdServer {
   missingApplyAssets() {
     const root = this.opts.applyAssetsRoot ?? resolve5(import.meta.dirname, "../..");
     return [
-      join2(root, "profiles"),
-      join2(root, "profiles", "default"),
-      join2(root, "vendor", "hindsight-memory")
-    ].filter((p) => !existsSync5(p));
+      join3(root, "profiles"),
+      join3(root, "profiles", "default"),
+      join3(root, "vendor", "hindsight-memory")
+    ].filter((p) => !existsSync6(p));
   }
   applyAssetPreflight(request_id, started) {
     const missing = this.missingApplyAssets();
@@ -15854,6 +16213,22 @@ class HostdServer {
       stderr_tail: tail(res.stderr)
     };
   }
+  handleConfigProposeEdit(req, started) {
+    const enabled = this.opts.config.hostd?.config_edit_enabled === true;
+    if (!enabled) {
+      return errorResponse(req.request_id, "E_CONFIG_EDIT_DISABLED: config_propose_edit is disabled; " + "operator must set hostd.config_edit_enabled=true in " + "switchroom.yaml to opt in", Date.now() - started);
+    }
+    const configPath = this.opts.configPath ?? req.args.target_path;
+    const verdict = validateConfigEdit({
+      configPath,
+      targetPath: req.args.target_path,
+      unifiedDiff: req.args.unified_diff
+    });
+    if (!verdict.ok) {
+      return errorResponse(req.request_id, `${verdict.code}: ${verdict.detail}`, Date.now() - started);
+    }
+    return errorResponse(req.request_id, "E_NOT_IMPLEMENTED_APPLY_PATH: validation passed (apply path " + "not yet implemented — pending PR 1c)", Date.now() - started);
+  }
   async handleAgentSmoke(req, started) {
     const container = `switchroom-${req.args.name}`;
     const respond = (containerState, probes2) => ({
@@ -15959,10 +16334,10 @@ class HostdServer {
     if (this.opts.imageRefsForDigests)
       return this.opts.imageRefsForDigests();
     try {
-      const composePath = join2(this.opts.bindRoot ?? this.opts.homeDir, ".switchroom", "compose", "docker-compose.yml");
-      if (!existsSync5(composePath))
+      const composePath = join3(this.opts.bindRoot ?? this.opts.homeDir, ".switchroom", "compose", "docker-compose.yml");
+      if (!existsSync6(composePath))
         return [];
-      const r = spawnSync("docker", [
+      const r = spawnSync2("docker", [
         "compose",
         "-p",
         "switchroom",
@@ -16044,7 +16419,7 @@ class HostdServer {
     }
   }
   auditLogPath() {
-    return this.opts.auditLogPath ?? join2(this.opts.homeDir, ".switchroom", "host-control-audit.log");
+    return this.opts.auditLogPath ?? join3(this.opts.homeDir, ".switchroom", "host-control-audit.log");
   }
   appendAuditRow(row) {
     const path2 = this.auditLogPath();

package/dist/vault/approvals/kernel-server.js

@@ -10948,7 +10948,7 @@ var init_dist = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, HostControlConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -11299,6 +11299,10 @@ var init_schema = __esm(() => {
   HostControlConfigSchema = exports_external.object({
     enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3).")
   });
+  HostdConfigSchema = exports_external.object({
+    config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
+    config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
+  });
   SwitchroomConfigSchema = exports_external.object({
     switchroom: exports_external.object({
       version: exports_external.literal(1).describe("Config schema version"),
@@ -11325,6 +11329,7 @@ var init_schema = __esm(() => {
     google_workspace: GoogleWorkspaceConfigSchema.describe("RFC G canonical key. Top-level Google Workspace configuration — " + "OAuth client credentials, approver allowlist, and tier knob (`core` " + "| `extended` | `complete`, default `core`). Mutually exclusive with " + "`drive:` at the top level (loader fails fast if both are set)."),
     quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
     host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
+    hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a — disabled by default)."),
     google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
       message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
     }).transform((v) => v.trim().toLowerCase()), exports_external.object({

package/dist/vault/broker/server.js

@@ -10948,7 +10948,7 @@ var init_zod = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, HostControlConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -11299,6 +11299,10 @@ var init_schema = __esm(() => {
   HostControlConfigSchema = exports_external.object({
     enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3).")
   });
+  HostdConfigSchema = exports_external.object({
+    config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
+    config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
+  });
   SwitchroomConfigSchema = exports_external.object({
     switchroom: exports_external.object({
       version: exports_external.literal(1).describe("Config schema version"),
@@ -11325,6 +11329,7 @@ var init_schema = __esm(() => {
     google_workspace: GoogleWorkspaceConfigSchema.describe("RFC G canonical key. Top-level Google Workspace configuration — " + "OAuth client credentials, approver allowlist, and tier knob (`core` " + "| `extended` | `complete`, default `core`). Mutually exclusive with " + "`drive:` at the top level (loader fails fast if both are set)."),
     quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
     host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
+    hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a — disabled by default)."),
     google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
       message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
     }).transform((v) => v.trim().toLowerCase()), exports_external.object({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.13.5",
+  "version": "0.13.8",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {