switchroom 0.13.53 → 0.13.55

package/dist/agent-scheduler/index.js

@@ -10997,7 +10997,8 @@ var AgentMemorySchema = exports_external.object({
   recall: exports_external.object({
     max_memories: exports_external.number().int().min(0).optional().describe("Cap on the number of memories injected into the prompt by " + "auto-recall, regardless of token budget. Plugin default is 12. " + "0 disables the cap (all memories Hindsight returns are injected)."),
     cache_ttl_secs: exports_external.number().int().min(0).optional().describe("Per-session recall cache TTL in seconds. When > 0, identical " + "(prompt, bank) within the same session reuse the cached recall " + "result instead of round-tripping to Hindsight. 0 disables. " + "Default is 600 (10 min) for switchroom-managed agents."),
-    min_overlap: exports_external.number().min(0).max(1).optional().describe("Minimum Jaccard token overlap [0.0–1.0] between the user " + "prompt and a memory's text for the memory to be injected. " + "Drops low-relevance matches before the count cap so weak hits " + "don't fill the slot on real queries. 0.0 disables (default — " + "current behaviour). Try 0.10–0.20 to start; observe the " + "`overlap_dropped` field via `switchroom memory recall-log`.")
+    min_overlap: exports_external.number().min(0).max(1).optional().describe("Minimum Jaccard token overlap [0.0–1.0] between the user " + "prompt and a memory's text for the memory to be injected. " + "Drops low-relevance matches before the count cap so weak hits " + "don't fill the slot on real queries. 0.0 disables (default — " + "current behaviour). Try 0.10–0.20 to start; observe the " + "`overlap_dropped` field via `switchroom memory recall-log`."),
+    topic_filter_mode: exports_external.enum(["soft-preamble", "hard-filter"]).optional().describe("Supergroup-mode cross-topic memory behaviour. Default " + "(unset) → soft-preamble: recall returns memories from all " + "topics, and a 'Current topic: …' preamble tells the model " + "to self-scope. hard-filter: drop any recalled memory whose " + "metadata.thread_id differs from the active inbound's topic. " + "Flip to hard-filter when the recall_log shows binding " + "failures (model surfacing the right memory but applying " + "it to the wrong topic).")
   }).optional().describe("Auto-recall tuning knobs")
 }).optional();
 var HookEntrySchema = exports_external.object({
@@ -11140,6 +11141,16 @@ var MicrosoftWorkspaceConfigSchema = exports_external.object({
   authority: exports_external.string().url().optional().describe("Microsoft authority endpoint. Defaults to " + "'https://login.microsoftonline.com/common' which accepts both " + "personal MSA and work/school tenants. Override only for " + "single-tenant deployments."),
   org_mode: exports_external.boolean().optional().describe("Opt-in to Teams + SharePoint surfaces (RFC §6.4). When true, " + "the v1 scope set adds Sites.ReadWrite.All AND the launcher " + "spawns softeria with --org-mode. Defaults to false — personal " + "MSA + standard work surfaces only. Flipping for an existing " + "consented account requires re-running 'auth microsoft account " + "add --replace' to consent the additional scope.")
 }).optional();
+var NotionWorkspaceConfigSchema = exports_external.object({
+  vault_key: exports_external.string().min(1).default("notion/integration-token").describe("Vault key holding the Notion internal-integration token. Default " + "`notion/integration-token`. Override only for non-standard vault " + "layouts. The broker's --allow ACL on this key is the authoritative " + "list of which agents may receive the token."),
+  databases: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,62}$/, {
+    message: "notion_workspace.databases friendly names must match " + "/^[a-z0-9][a-z0-9_-]{0,62}$/ — lowercase letters, digits, " + "hyphens, underscores. Got: '%s'."
+  }), exports_external.string().regex(/^[0-9a-fA-F]{8}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{12}$/, {
+    message: "notion_workspace.databases values must be Notion database " + "UUIDs (32 hex characters, optional dashes)."
+  })).default({}).describe("Friendly-name → Notion database UUID map. Operator-managed; agents " + "reference databases by friendly name only — they never see or type " + "UUIDs. Populate via `switchroom notion list-dbs` (PR 4) after " + "vault-putting the integration token and sharing DBs with the " + "integration in Notion's UI."),
+  mcp_version: exports_external.string().min(1).optional().describe("Optional pin for the upstream `@notionhq/notion-mcp-server` npm " + "package version. Default is the build-time `NOTION_MCP_PINNED_VERSION` " + "constant. Override only when reproducing operator-specific bugs."),
+  rate_limit_rps: exports_external.number().int().positive().max(10).optional().describe("Optional global rate-limit budget in requests per second across all " + "switchroom agents sharing this integration token. Defaults to 3 " + "(Notion's documented public-API limit). Lower it if you also use " + "the integration token from outside switchroom and need to share " + "budget. Higher than 10 is rejected — if you think you need it, " + "your usage probably needs a workspace-tier upgrade with Notion.")
+}).optional();
 var AgentGoogleWorkspaceConfigSchema = exports_external.object({
   account: exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
     message: "google_workspace.account must be a Google account email like " + "'alice@example.com' (colons not allowed)"
@@ -11153,6 +11164,13 @@ var AgentMicrosoftWorkspaceConfigSchema = exports_external.object({
   }).transform((v) => v.trim().toLowerCase()).optional().describe("RFC #1873: the Microsoft account this agent uses for the M365 MCP. " + "Must be a key in top-level `microsoft_accounts:` with this agent " + "listed in its `enabled_for[]`. Read by the auth-broker " + "(get-credentials, provider=microsoft) and by the scaffold to " + "decide whether to emit the `ms-365` MCP entry. Normalized to " + "lowercase so it matches the microsoft_accounts key (which is " + "also normalized)."),
   org_mode: exports_external.boolean().optional().describe("Per-agent org_mode override (RFC #1873 §6.4). When set, replaces " + "the top-level microsoft_workspace.org_mode for this agent. " + "Defaults to top-level value (which defaults to false).")
 }).optional();
+var AgentNotionWorkspaceConfigSchema = exports_external.object({
+  databases: exports_external.array(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,62}$/, {
+    message: "notion_workspace.databases entries must be friendly names " + "matching /^[a-z0-9][a-z0-9_-]{0,62}$/ — these must appear as " + "keys in top-level notion_workspace.databases."
+  })).min(1, {
+    message: "notion_workspace.databases must list at least one friendly " + "name. An empty list rejects every Notion tool call — if you " + "want to remove this agent's Notion access, delete the entire " + "notion_workspace block instead."
+  }).optional().describe("Optional per-agent allowlist of database friendly names this " + "agent may read/write. Each name must exist as a key in top-level " + "notion_workspace.databases. Omit the field (or leave it undefined) " + "to grant access to every DB the upstream integration can see — " + "appropriate for an admin/orchestrator agent. Set the list to " + "narrow access for specialist agents.")
+}).optional();
 var ReactionsSchema = exports_external.object({
   enabled: exports_external.boolean().optional().describe("Master switch for the reaction-trigger path. When false, " + "reactions are still persisted via recordReaction but never " + "dispatched to the agent as synthetic inbound turns. Default true."),
   trigger_emojis: exports_external.array(exports_external.string()).optional().describe("Emoji allowlist that triggers a synthetic inbound when reacted " + "to a bot message. Default ['\uD83D\uDC4E', '❌', '\uD83D\uDC4D', '✅']. Cascade " + "mode: REPLACE (not union) — setting this at a layer replaces " + "lower layers entirely, so an operator can narrow to [] to " + "disable triggering without flipping `enabled`."),
@@ -11289,6 +11307,7 @@ var AgentSchema = exports_external.object({
   drive: AgentGoogleWorkspaceConfigSchema.describe("RFC D legacy key — use `google_workspace:` instead. Per-agent " + "google_workspace overrides (currently approvers + tier). When set, " + "replaces the top-level approvers list for this agent. " + "google_client_id/secret are not per-agent — they live at the top level."),
   google_workspace: AgentGoogleWorkspaceConfigSchema.describe("RFC G canonical key. Per-agent Google Workspace overrides — currently " + "approvers (replaces, does not extend the top-level list) and tier " + "(`core` | `extended` | `complete`, replaces top-level default). " + "google_client_id/secret are not per-agent — they live at the top level. " + "Mutually exclusive with `drive:` on the same agent (loader fails fast " + "if both are set)."),
   microsoft_workspace: AgentMicrosoftWorkspaceConfigSchema.describe("RFC #1873 (Microsoft 365 integration). Per-agent Microsoft Workspace " + "override — pins the Microsoft account this agent reads via the " + "auth-broker (must be a key in top-level `microsoft_accounts:` with " + "this agent in its `enabled_for[]`) and optionally overrides org_mode. " + "microsoft_client_id/secret are not per-agent."),
+  notion_workspace: AgentNotionWorkspaceConfigSchema.describe("RFC docs/rfcs/notion-integration.md. Per-agent Notion access. " + "Presence opts the agent IN (launcher scaffolded, MCP entry emitted, " + "broker grants the integration token). Optional `databases:` filter " + "narrows which DBs this agent may read/write — names must resolve in " + "top-level notion_workspace.databases. Absence opts the agent OUT."),
   repos: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9-]*$/, "Repo slug must be kebab-case ASCII: start with a lowercase letter or digit, contain only lowercase letters, digits, and hyphens"), exports_external.object({
     url: exports_external.string().min(1).describe("Git remote URL for the repo (e.g. 'git@github.com:org/repo.git' or " + "'https://github.com/org/repo.git'). Used verbatim for git clone."),
     branch_default: exports_external.string().optional().describe("Default branch to track (defaults to the remote's HEAD, typically 'main'). " + "The per-agent branch 'agent/<agentName>/main' fast-forwards to this branch " + "when the worktree is clean on session start.")
@@ -11412,6 +11431,7 @@ var SwitchroomConfigSchema = exports_external.object({
   drive: GoogleWorkspaceConfigSchema.describe("RFC D legacy key — use `google_workspace:` instead. Optional Google " + "Workspace onboarding configuration. When set, supplies Google OAuth " + "client credentials, the approver allowlist for `switchroom drive " + "connect`, and the optional tier knob. Env vars " + "(SWITCHROOM_GOOGLE_CLIENT_ID, SWITCHROOM_GOOGLE_CLIENT_SECRET, " + "SWITCHROOM_APPROVER_USER_ID) take precedence over this block when " + "set, preserving back-compat with the env-only flow shipped in #766."),
   google_workspace: GoogleWorkspaceConfigSchema.describe("RFC G canonical key. Top-level Google Workspace configuration — " + "OAuth client credentials, approver allowlist, and tier knob (`core` " + "| `extended` | `complete`, default `core`). Mutually exclusive with " + "`drive:` at the top level (loader fails fast if both are set)."),
   microsoft_workspace: MicrosoftWorkspaceConfigSchema.describe("RFC #1873 (Microsoft 365 integration). Top-level Microsoft Workspace " + "configuration — OAuth client credentials (Entra app), authority " + "endpoint (defaults to /common for personal MSA + work), and the " + "org_mode opt-in for Teams/SharePoint surfaces. Block is optional; " + "when omitted the broker does not register the Microsoft provider."),
+  notion_workspace: NotionWorkspaceConfigSchema.describe("RFC docs/rfcs/notion-integration.md. Top-level Notion integration " + "config — vault key for the integration token, friendly-name → " + "database UUID map, optional MCP-package version pin, and optional " + "global rate-limit override (default 3 rps, Notion's documented " + "public-API limit). Block is optional; when omitted no agent gets a " + "Notion MCP entry regardless of per-agent config."),
   quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
   host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
   hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a — disabled by default)."),
@@ -11907,6 +11927,34 @@ function mergeAgentConfig(defaultsIn, agentIn) {
   mergeAgentConfig.notifiedWorkerIsolationMove = false;
 })(mergeAgentConfig ||= {});
 
+// src/config/notion-workspace-acl.ts
+function validateNotionWorkspaceConfig(config) {
+  const issues = [];
+  const dbMap = config.notion_workspace?.databases ?? {};
+  const known = new Set(Object.keys(dbMap));
+  for (const [agentName, agentRaw] of Object.entries(config.agents ?? {})) {
+    if (!agentRaw)
+      continue;
+    const dbFilter = agentRaw.notion_workspace?.databases;
+    if (dbFilter === undefined)
+      continue;
+    if (dbFilter.length === 0) {
+      issues.push(`  agents.${agentName}.notion_workspace.databases is an empty ` + `list. Delete the entire notion_workspace block to remove Notion ` + `access, or list at least one database friendly name.`);
+      continue;
+    }
+    if (config.notion_workspace === undefined) {
+      issues.push(`  agents.${agentName}.notion_workspace is set but the top-level ` + `notion_workspace block is missing. Configure the integration ` + `globally first (vault_key + databases map), then grant per-agent ` + `access.`);
+      continue;
+    }
+    for (const name of dbFilter) {
+      if (!known.has(name)) {
+        issues.push(`  agents.${agentName}.notion_workspace.databases references ` + `unknown database "${name}". Add it to top-level ` + `notion_workspace.databases (run \`switchroom notion list-dbs\` ` + `to see the UUIDs the integration can read), or remove the ` + `reference.`);
+      }
+    }
+  }
+  return issues;
+}
+
 // src/config/loader.ts
 class ConfigError extends Error {
   details;
@@ -12026,6 +12074,10 @@ function loadConfig(configPath) {
   }
   applyAgentOverlays(config);
   validateAllCronTopicAliases(config, filePath);
+  const notionIssues = validateNotionWorkspaceConfig(config);
+  if (notionIssues.length > 0) {
+    throw new ConfigError(`Invalid notion_workspace configuration in ${filePath}`, notionIssues);
+  }
   return config;
 }
 function validateAllCronTopicAliases(config, filePath) {

package/dist/auth-broker/index.js

@@ -10997,7 +10997,8 @@ var AgentMemorySchema = exports_external.object({
   recall: exports_external.object({
     max_memories: exports_external.number().int().min(0).optional().describe("Cap on the number of memories injected into the prompt by " + "auto-recall, regardless of token budget. Plugin default is 12. " + "0 disables the cap (all memories Hindsight returns are injected)."),
     cache_ttl_secs: exports_external.number().int().min(0).optional().describe("Per-session recall cache TTL in seconds. When > 0, identical " + "(prompt, bank) within the same session reuse the cached recall " + "result instead of round-tripping to Hindsight. 0 disables. " + "Default is 600 (10 min) for switchroom-managed agents."),
-    min_overlap: exports_external.number().min(0).max(1).optional().describe("Minimum Jaccard token overlap [0.0–1.0] between the user " + "prompt and a memory's text for the memory to be injected. " + "Drops low-relevance matches before the count cap so weak hits " + "don't fill the slot on real queries. 0.0 disables (default — " + "current behaviour). Try 0.10–0.20 to start; observe the " + "`overlap_dropped` field via `switchroom memory recall-log`.")
+    min_overlap: exports_external.number().min(0).max(1).optional().describe("Minimum Jaccard token overlap [0.0–1.0] between the user " + "prompt and a memory's text for the memory to be injected. " + "Drops low-relevance matches before the count cap so weak hits " + "don't fill the slot on real queries. 0.0 disables (default — " + "current behaviour). Try 0.10–0.20 to start; observe the " + "`overlap_dropped` field via `switchroom memory recall-log`."),
+    topic_filter_mode: exports_external.enum(["soft-preamble", "hard-filter"]).optional().describe("Supergroup-mode cross-topic memory behaviour. Default " + "(unset) → soft-preamble: recall returns memories from all " + "topics, and a 'Current topic: …' preamble tells the model " + "to self-scope. hard-filter: drop any recalled memory whose " + "metadata.thread_id differs from the active inbound's topic. " + "Flip to hard-filter when the recall_log shows binding " + "failures (model surfacing the right memory but applying " + "it to the wrong topic).")
   }).optional().describe("Auto-recall tuning knobs")
 }).optional();
 var HookEntrySchema = exports_external.object({
@@ -11140,6 +11141,16 @@ var MicrosoftWorkspaceConfigSchema = exports_external.object({
   authority: exports_external.string().url().optional().describe("Microsoft authority endpoint. Defaults to " + "'https://login.microsoftonline.com/common' which accepts both " + "personal MSA and work/school tenants. Override only for " + "single-tenant deployments."),
   org_mode: exports_external.boolean().optional().describe("Opt-in to Teams + SharePoint surfaces (RFC §6.4). When true, " + "the v1 scope set adds Sites.ReadWrite.All AND the launcher " + "spawns softeria with --org-mode. Defaults to false — personal " + "MSA + standard work surfaces only. Flipping for an existing " + "consented account requires re-running 'auth microsoft account " + "add --replace' to consent the additional scope.")
 }).optional();
+var NotionWorkspaceConfigSchema = exports_external.object({
+  vault_key: exports_external.string().min(1).default("notion/integration-token").describe("Vault key holding the Notion internal-integration token. Default " + "`notion/integration-token`. Override only for non-standard vault " + "layouts. The broker's --allow ACL on this key is the authoritative " + "list of which agents may receive the token."),
+  databases: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,62}$/, {
+    message: "notion_workspace.databases friendly names must match " + "/^[a-z0-9][a-z0-9_-]{0,62}$/ — lowercase letters, digits, " + "hyphens, underscores. Got: '%s'."
+  }), exports_external.string().regex(/^[0-9a-fA-F]{8}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{12}$/, {
+    message: "notion_workspace.databases values must be Notion database " + "UUIDs (32 hex characters, optional dashes)."
+  })).default({}).describe("Friendly-name → Notion database UUID map. Operator-managed; agents " + "reference databases by friendly name only — they never see or type " + "UUIDs. Populate via `switchroom notion list-dbs` (PR 4) after " + "vault-putting the integration token and sharing DBs with the " + "integration in Notion's UI."),
+  mcp_version: exports_external.string().min(1).optional().describe("Optional pin for the upstream `@notionhq/notion-mcp-server` npm " + "package version. Default is the build-time `NOTION_MCP_PINNED_VERSION` " + "constant. Override only when reproducing operator-specific bugs."),
+  rate_limit_rps: exports_external.number().int().positive().max(10).optional().describe("Optional global rate-limit budget in requests per second across all " + "switchroom agents sharing this integration token. Defaults to 3 " + "(Notion's documented public-API limit). Lower it if you also use " + "the integration token from outside switchroom and need to share " + "budget. Higher than 10 is rejected — if you think you need it, " + "your usage probably needs a workspace-tier upgrade with Notion.")
+}).optional();
 var AgentGoogleWorkspaceConfigSchema = exports_external.object({
   account: exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
     message: "google_workspace.account must be a Google account email like " + "'alice@example.com' (colons not allowed)"
@@ -11153,6 +11164,13 @@ var AgentMicrosoftWorkspaceConfigSchema = exports_external.object({
   }).transform((v) => v.trim().toLowerCase()).optional().describe("RFC #1873: the Microsoft account this agent uses for the M365 MCP. " + "Must be a key in top-level `microsoft_accounts:` with this agent " + "listed in its `enabled_for[]`. Read by the auth-broker " + "(get-credentials, provider=microsoft) and by the scaffold to " + "decide whether to emit the `ms-365` MCP entry. Normalized to " + "lowercase so it matches the microsoft_accounts key (which is " + "also normalized)."),
   org_mode: exports_external.boolean().optional().describe("Per-agent org_mode override (RFC #1873 §6.4). When set, replaces " + "the top-level microsoft_workspace.org_mode for this agent. " + "Defaults to top-level value (which defaults to false).")
 }).optional();
+var AgentNotionWorkspaceConfigSchema = exports_external.object({
+  databases: exports_external.array(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,62}$/, {
+    message: "notion_workspace.databases entries must be friendly names " + "matching /^[a-z0-9][a-z0-9_-]{0,62}$/ — these must appear as " + "keys in top-level notion_workspace.databases."
+  })).min(1, {
+    message: "notion_workspace.databases must list at least one friendly " + "name. An empty list rejects every Notion tool call — if you " + "want to remove this agent's Notion access, delete the entire " + "notion_workspace block instead."
+  }).optional().describe("Optional per-agent allowlist of database friendly names this " + "agent may read/write. Each name must exist as a key in top-level " + "notion_workspace.databases. Omit the field (or leave it undefined) " + "to grant access to every DB the upstream integration can see — " + "appropriate for an admin/orchestrator agent. Set the list to " + "narrow access for specialist agents.")
+}).optional();
 var ReactionsSchema = exports_external.object({
   enabled: exports_external.boolean().optional().describe("Master switch for the reaction-trigger path. When false, " + "reactions are still persisted via recordReaction but never " + "dispatched to the agent as synthetic inbound turns. Default true."),
   trigger_emojis: exports_external.array(exports_external.string()).optional().describe("Emoji allowlist that triggers a synthetic inbound when reacted " + "to a bot message. Default ['\uD83D\uDC4E', '❌', '\uD83D\uDC4D', '✅']. Cascade " + "mode: REPLACE (not union) — setting this at a layer replaces " + "lower layers entirely, so an operator can narrow to [] to " + "disable triggering without flipping `enabled`."),
@@ -11289,6 +11307,7 @@ var AgentSchema = exports_external.object({
   drive: AgentGoogleWorkspaceConfigSchema.describe("RFC D legacy key — use `google_workspace:` instead. Per-agent " + "google_workspace overrides (currently approvers + tier). When set, " + "replaces the top-level approvers list for this agent. " + "google_client_id/secret are not per-agent — they live at the top level."),
   google_workspace: AgentGoogleWorkspaceConfigSchema.describe("RFC G canonical key. Per-agent Google Workspace overrides — currently " + "approvers (replaces, does not extend the top-level list) and tier " + "(`core` | `extended` | `complete`, replaces top-level default). " + "google_client_id/secret are not per-agent — they live at the top level. " + "Mutually exclusive with `drive:` on the same agent (loader fails fast " + "if both are set)."),
   microsoft_workspace: AgentMicrosoftWorkspaceConfigSchema.describe("RFC #1873 (Microsoft 365 integration). Per-agent Microsoft Workspace " + "override — pins the Microsoft account this agent reads via the " + "auth-broker (must be a key in top-level `microsoft_accounts:` with " + "this agent in its `enabled_for[]`) and optionally overrides org_mode. " + "microsoft_client_id/secret are not per-agent."),
+  notion_workspace: AgentNotionWorkspaceConfigSchema.describe("RFC docs/rfcs/notion-integration.md. Per-agent Notion access. " + "Presence opts the agent IN (launcher scaffolded, MCP entry emitted, " + "broker grants the integration token). Optional `databases:` filter " + "narrows which DBs this agent may read/write — names must resolve in " + "top-level notion_workspace.databases. Absence opts the agent OUT."),
   repos: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9-]*$/, "Repo slug must be kebab-case ASCII: start with a lowercase letter or digit, contain only lowercase letters, digits, and hyphens"), exports_external.object({
     url: exports_external.string().min(1).describe("Git remote URL for the repo (e.g. 'git@github.com:org/repo.git' or " + "'https://github.com/org/repo.git'). Used verbatim for git clone."),
     branch_default: exports_external.string().optional().describe("Default branch to track (defaults to the remote's HEAD, typically 'main'). " + "The per-agent branch 'agent/<agentName>/main' fast-forwards to this branch " + "when the worktree is clean on session start.")
@@ -11412,6 +11431,7 @@ var SwitchroomConfigSchema = exports_external.object({
   drive: GoogleWorkspaceConfigSchema.describe("RFC D legacy key — use `google_workspace:` instead. Optional Google " + "Workspace onboarding configuration. When set, supplies Google OAuth " + "client credentials, the approver allowlist for `switchroom drive " + "connect`, and the optional tier knob. Env vars " + "(SWITCHROOM_GOOGLE_CLIENT_ID, SWITCHROOM_GOOGLE_CLIENT_SECRET, " + "SWITCHROOM_APPROVER_USER_ID) take precedence over this block when " + "set, preserving back-compat with the env-only flow shipped in #766."),
   google_workspace: GoogleWorkspaceConfigSchema.describe("RFC G canonical key. Top-level Google Workspace configuration — " + "OAuth client credentials, approver allowlist, and tier knob (`core` " + "| `extended` | `complete`, default `core`). Mutually exclusive with " + "`drive:` at the top level (loader fails fast if both are set)."),
   microsoft_workspace: MicrosoftWorkspaceConfigSchema.describe("RFC #1873 (Microsoft 365 integration). Top-level Microsoft Workspace " + "configuration — OAuth client credentials (Entra app), authority " + "endpoint (defaults to /common for personal MSA + work), and the " + "org_mode opt-in for Teams/SharePoint surfaces. Block is optional; " + "when omitted the broker does not register the Microsoft provider."),
+  notion_workspace: NotionWorkspaceConfigSchema.describe("RFC docs/rfcs/notion-integration.md. Top-level Notion integration " + "config — vault key for the integration token, friendly-name → " + "database UUID map, optional MCP-package version pin, and optional " + "global rate-limit override (default 3 rps, Notion's documented " + "public-API limit). Block is optional; when omitted no agent gets a " + "Notion MCP entry regardless of per-agent config."),
   quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
   host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
   hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a — disabled by default)."),
@@ -11907,6 +11927,34 @@ function mergeAgentConfig(defaultsIn, agentIn) {
   mergeAgentConfig.notifiedWorkerIsolationMove = false;
 })(mergeAgentConfig ||= {});
 
+// src/config/notion-workspace-acl.ts
+function validateNotionWorkspaceConfig(config) {
+  const issues = [];
+  const dbMap = config.notion_workspace?.databases ?? {};
+  const known = new Set(Object.keys(dbMap));
+  for (const [agentName, agentRaw] of Object.entries(config.agents ?? {})) {
+    if (!agentRaw)
+      continue;
+    const dbFilter = agentRaw.notion_workspace?.databases;
+    if (dbFilter === undefined)
+      continue;
+    if (dbFilter.length === 0) {
+      issues.push(`  agents.${agentName}.notion_workspace.databases is an empty ` + `list. Delete the entire notion_workspace block to remove Notion ` + `access, or list at least one database friendly name.`);
+      continue;
+    }
+    if (config.notion_workspace === undefined) {
+      issues.push(`  agents.${agentName}.notion_workspace is set but the top-level ` + `notion_workspace block is missing. Configure the integration ` + `globally first (vault_key + databases map), then grant per-agent ` + `access.`);
+      continue;
+    }
+    for (const name of dbFilter) {
+      if (!known.has(name)) {
+        issues.push(`  agents.${agentName}.notion_workspace.databases references ` + `unknown database "${name}". Add it to top-level ` + `notion_workspace.databases (run \`switchroom notion list-dbs\` ` + `to see the UUIDs the integration can read), or remove the ` + `reference.`);
+      }
+    }
+  }
+  return issues;
+}
+
 // src/config/loader.ts
 class ConfigError extends Error {
   details;
@@ -12026,6 +12074,10 @@ function loadConfig(configPath) {
   }
   applyAgentOverlays(config);
   validateAllCronTopicAliases(config, filePath);
+  const notionIssues = validateNotionWorkspaceConfig(config);
+  if (notionIssues.length > 0) {
+    throw new ConfigError(`Invalid notion_workspace configuration in ${filePath}`, notionIssues);
+  }
   return config;
 }
 function validateAllCronTopicAliases(config, filePath) {

package/dist/cli/ms-365-write-pretool.mjs

@@ -0,0 +1,259 @@
+import { createRequire } from "node:module";
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+
+// src/cli/ms-365-write-pretool.ts
+import { readFileSync } from "node:fs";
+import { createConnection } from "node:net";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { randomBytes } from "node:crypto";
+var HOOK_TIMEOUT_MS = 5 * 60 * 1000;
+var KERNEL_POLL_INTERVAL_MS = 2000;
+var IPC_CONNECT_TIMEOUT_MS = 3000;
+var IPC_REPLY_TIMEOUT_MS = 1e4;
+var KERNEL_RPC_TIMEOUT_MS = 3000;
+var GATEWAY_SOCKET = process.env.SWITCHROOM_GATEWAY_SOCKET ?? (process.env.TELEGRAM_STATE_DIR !== undefined ? join(process.env.TELEGRAM_STATE_DIR, "gateway.sock") : join(homedir(), ".claude", "channels", "telegram", "gateway.sock"));
+var KERNEL_SOCKET = process.env.SWITCHROOM_KERNEL_SOCKET ?? "/run/switchroom/kernel/sock";
+var TOOL_PREFIX = "mcp__ms-365__";
+var GATED_MS365_WRITE_TOOLS = new Set([
+  "upload-file-content",
+  "create-upload-session",
+  "create-event",
+  "update-event",
+  "delete-event",
+  "update-message",
+  "delete-message"
+]);
+function isGatedMs365Tool(toolName) {
+  if (!toolName.startsWith(TOOL_PREFIX))
+    return false;
+  return GATED_MS365_WRITE_TOOLS.has(toolName.slice(TOOL_PREFIX.length));
+}
+function readStdin() {
+  try {
+    return readFileSync(0, "utf8");
+  } catch {
+    return "";
+  }
+}
+function parseHookInput() {
+  const raw = readStdin();
+  if (!raw)
+    return null;
+  try {
+    const obj = JSON.parse(raw);
+    return obj && typeof obj === "object" ? obj : null;
+  } catch {
+    return null;
+  }
+}
+function extractMs365Preview(toolName, toolInput) {
+  const o = toolInput && typeof toolInput === "object" ? toolInput : {};
+  let itemId = "(new)";
+  for (const k of ["itemId", "item_id", "id", "driveItemId", "eventId", "messageId", "message_id"]) {
+    if (typeof o[k] === "string" && o[k].length > 0) {
+      itemId = o[k];
+      break;
+    }
+  }
+  let itemDisplayName = "(unknown)";
+  for (const k of ["name", "fileName", "file_name", "displayName", "subject", "title"]) {
+    if (typeof o[k] === "string" && o[k].length > 0) {
+      itemDisplayName = o[k];
+      break;
+    }
+  }
+  let deepLink;
+  for (const k of ["webUrl", "web_url", "url", "link"]) {
+    if (typeof o[k] === "string" && o[k].startsWith("http")) {
+      deepLink = o[k];
+      break;
+    }
+  }
+  let sizeBytesAfter;
+  for (const k of ["contentSize", "content_size", "fileSize", "size"]) {
+    if (typeof o[k] === "number" && Number.isFinite(o[k])) {
+      sizeBytesAfter = o[k];
+      break;
+    }
+  }
+  if (sizeBytesAfter === undefined && typeof o.content === "string") {
+    const len = o.content.length;
+    sizeBytesAfter = Math.floor(len * 3 / 4);
+  }
+  return { itemId, itemDisplayName, deepLink, sizeBytesAfter };
+}
+async function sendGatewayRequest(socket, payload, matchType, correlationId) {
+  return new Promise((resolve) => {
+    const conn = createConnection(socket);
+    let buf = "";
+    const cleanup = () => {
+      try {
+        conn.destroy();
+      } catch {}
+    };
+    const replyTimer = setTimeout(() => {
+      cleanup();
+      resolve({ ok: false, reason: "gateway reply timeout" });
+    }, IPC_REPLY_TIMEOUT_MS);
+    const connectTimer = setTimeout(() => {
+      cleanup();
+      resolve({ ok: false, reason: "gateway connect timeout" });
+    }, IPC_CONNECT_TIMEOUT_MS);
+    conn.once("error", (err) => {
+      clearTimeout(replyTimer);
+      clearTimeout(connectTimer);
+      resolve({ ok: false, reason: `gateway: ${err.message}` });
+    });
+    conn.once("connect", () => {
+      clearTimeout(connectTimer);
+      conn.write(JSON.stringify(payload) + `
+`);
+    });
+    conn.on("data", (chunk) => {
+      buf += chunk.toString("utf8");
+      while (true) {
+        const lineEnd = buf.indexOf(`
+`);
+        if (lineEnd === -1)
+          break;
+        const line = buf.slice(0, lineEnd);
+        buf = buf.slice(lineEnd + 1);
+        try {
+          const parsed = JSON.parse(line);
+          if (parsed?.type === matchType && parsed?.correlationId === correlationId) {
+            clearTimeout(replyTimer);
+            cleanup();
+            resolve({ ok: true, value: parsed });
+            return;
+          }
+        } catch {}
+      }
+    });
+  });
+}
+async function rpcKernel(payload) {
+  return new Promise((resolve) => {
+    const conn = createConnection(KERNEL_SOCKET);
+    let buf = "";
+    const cleanup = () => {
+      try {
+        conn.destroy();
+      } catch {}
+    };
+    const timer = setTimeout(() => {
+      cleanup();
+      resolve({ ok: false, reason: "kernel rpc timeout" });
+    }, KERNEL_RPC_TIMEOUT_MS);
+    conn.once("error", (err) => {
+      clearTimeout(timer);
+      resolve({ ok: false, reason: `kernel: ${err.message}` });
+    });
+    conn.once("connect", () => {
+      conn.write(JSON.stringify(payload) + `
+`);
+    });
+    conn.on("data", (chunk) => {
+      buf += chunk.toString("utf8");
+      const lineEnd = buf.indexOf(`
+`);
+      if (lineEnd === -1)
+        return;
+      const line = buf.slice(0, lineEnd);
+      clearTimeout(timer);
+      cleanup();
+      try {
+        resolve({ ok: true, value: JSON.parse(line) });
+      } catch (err) {
+        resolve({ ok: false, reason: `kernel parse: ${String(err)}` });
+      }
+    });
+  });
+}
+async function approvalLookup(agentUnit, scope, approverSet) {
+  const res = await rpcKernel({
+    v: 1,
+    op: "approval_lookup",
+    agent_unit: agentUnit,
+    scope,
+    action: "write",
+    current_approver_set: approverSet
+  });
+  if (!res.ok)
+    return null;
+  return res.value;
+}
+function fail(reason) {
+  process.stdout.write(JSON.stringify({
+    decision: "block",
+    reason: `ms-365 write blocked: ${reason}`
+  }));
+  process.exit(0);
+}
+function allow() {
+  process.exit(0);
+}
+async function main() {
+  const input = parseHookInput();
+  if (!input)
+    fail("malformed stdin");
+  const toolName = input.tool_name;
+  if (typeof toolName !== "string" || !isGatedMs365Tool(toolName)) {
+    allow();
+  }
+  const agentName = process.env.SWITCHROOM_AGENT_NAME;
+  if (!agentName) {
+    allow();
+  }
+  const accountEmail = process.env.SWITCHROOM_MICROSOFT_ACCOUNT ?? "(unknown)";
+  const extract = extractMs365Preview(toolName, input.tool_input);
+  const preview = {
+    agentName,
+    toolName,
+    itemId: extract.itemId,
+    itemDisplayName: extract.itemDisplayName,
+    accountEmail,
+    deepLink: extract.deepLink,
+    sizeBytesAfter: extract.sizeBytesAfter
+  };
+  const correlationId = randomBytes(16).toString("hex");
+  const requestResult = await sendGatewayRequest(GATEWAY_SOCKET, {
+    type: "request_ms365_approval",
+    correlationId,
+    agentName,
+    preview,
+    ttlMs: HOOK_TIMEOUT_MS
+  }, "ms365_approval_posted", correlationId);
+  if (!requestResult.ok)
+    fail(requestResult.reason);
+  const response = requestResult.value;
+  if (!response.ok || !response.requestId) {
+    fail(response.reason ?? "gateway returned ok=false");
+  }
+  const deadline = response.expiresAtMs ?? Date.now() + HOOK_TIMEOUT_MS;
+  const scope = `ms-365:write:${preview.itemId}`;
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, KERNEL_POLL_INTERVAL_MS));
+    const lookup = await approvalLookup(agentName, scope, []);
+    if (!lookup)
+      continue;
+    const state = lookup.state;
+    if (state === "granted")
+      allow();
+    if (state === "denied" || state === "drift_revoked" || state === "expired") {
+      fail(`operator ${state}`);
+    }
+  }
+  fail("approval timed out");
+}
+if (__require.main == __require.module) {
+  main().catch((err) => {
+    const m = err instanceof Error ? err.message : String(err);
+    fail(`hook error: ${m}`);
+  });
+}
+export {
+  isGatedMs365Tool,
+  extractMs365Preview,
+  GATED_MS365_WRITE_TOOLS
+};