switchroom 0.14.11 → 0.14.13

package/dist/agent-scheduler/index.js

@@ -11406,6 +11406,9 @@ var HostControlConfigSchema = exports_external.object({
   enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3)."),
   auto_release_check: AutoReleaseCheckSchema.default({}).describe("Pull-based release-triggered fleet restart (#1743). hostd polls " + "the remote release tag on a fixed interval and applies + " + "restarts the fleet (graceful) when a new release is detected. " + "Opt-in: default enabled=false.")
 });
+var WebServiceConfigSchema = exports_external.object({
+  managed: exports_external.boolean().default(false).describe("Whether `switchroom update` refreshes the web-service container " + "(dashboard + GitHub-webhook receiver) via `switchroom webd " + "install`. Default: false — existing installs run the web server " + "as the legacy `switchroom-web.service` systemd unit and must not " + "be surprised by a container takeover of host loopback 127.0.0.1:" + "8080 mid-update. Set true ONLY after cutting over to the " + "container (stop+disable the systemd unit, `switchroom webd " + "install`). The container runs in its own compose project " + "(`switchroom-web`), separate from the agent fleet, with " + "network_mode: host so it keeps owning loopback:8080 for the " + "cloudflared tunnel + tailscale serve consumers.")
+});
 var HostdConfigSchema = exports_external.object({
   config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
   config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
@@ -11439,6 +11442,7 @@ var SwitchroomConfigSchema = exports_external.object({
   quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
   host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
   hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a — disabled by default)."),
+  web_service: WebServiceConfigSchema.default({}).describe("Web-service container (dashboard + GitHub-webhook receiver) config. " + "Defaults to managed=false so existing systemd-mode installs are " + "untouched. Set managed: true after cutting over to the " + "`switchroom-web` container — then `switchroom update` keeps it " + "refreshed. See `switchroom webd install`."),
   google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
     message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
   }).transform((v) => v.trim().toLowerCase()), exports_external.object({

package/dist/auth-broker/index.js

@@ -11406,6 +11406,9 @@ var HostControlConfigSchema = exports_external.object({
   enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3)."),
   auto_release_check: AutoReleaseCheckSchema.default({}).describe("Pull-based release-triggered fleet restart (#1743). hostd polls " + "the remote release tag on a fixed interval and applies + " + "restarts the fleet (graceful) when a new release is detected. " + "Opt-in: default enabled=false.")
 });
+var WebServiceConfigSchema = exports_external.object({
+  managed: exports_external.boolean().default(false).describe("Whether `switchroom update` refreshes the web-service container " + "(dashboard + GitHub-webhook receiver) via `switchroom webd " + "install`. Default: false — existing installs run the web server " + "as the legacy `switchroom-web.service` systemd unit and must not " + "be surprised by a container takeover of host loopback 127.0.0.1:" + "8080 mid-update. Set true ONLY after cutting over to the " + "container (stop+disable the systemd unit, `switchroom webd " + "install`). The container runs in its own compose project " + "(`switchroom-web`), separate from the agent fleet, with " + "network_mode: host so it keeps owning loopback:8080 for the " + "cloudflared tunnel + tailscale serve consumers.")
+});
 var HostdConfigSchema = exports_external.object({
   config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
   config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
@@ -11439,6 +11442,7 @@ var SwitchroomConfigSchema = exports_external.object({
   quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
   host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
   hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a — disabled by default)."),
+  web_service: WebServiceConfigSchema.default({}).describe("Web-service container (dashboard + GitHub-webhook receiver) config. " + "Defaults to managed=false so existing systemd-mode installs are " + "untouched. Set managed: true after cutting over to the " + "`switchroom-web` container — then `switchroom update` keeps it " + "refreshed. See `switchroom webd install`."),
   google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
     message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
   }).transform((v) => v.trim().toLowerCase()), exports_external.object({

package/dist/cli/notion-write-pretool.mjs

@@ -12153,6 +12153,9 @@ var HostControlConfigSchema = exports_external.object({
   enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip \u2014 the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` \u2014 " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C \u00a75.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3)."),
   auto_release_check: AutoReleaseCheckSchema.default({}).describe("Pull-based release-triggered fleet restart (#1743). hostd polls " + "the remote release tag on a fixed interval and applies + " + "restarts the fleet (graceful) when a new release is detected. " + "Opt-in: default enabled=false.")
 });
+var WebServiceConfigSchema = exports_external.object({
+  managed: exports_external.boolean().default(false).describe("Whether `switchroom update` refreshes the web-service container " + "(dashboard + GitHub-webhook receiver) via `switchroom webd " + "install`. Default: false \u2014 existing installs run the web server " + "as the legacy `switchroom-web.service` systemd unit and must not " + "be surprised by a container takeover of host loopback 127.0.0.1:" + "8080 mid-update. Set true ONLY after cutting over to the " + "container (stop+disable the systemd unit, `switchroom webd " + "install`). The container runs in its own compose project " + "(`switchroom-web`), separate from the agent fleet, with " + "network_mode: host so it keeps owning loopback:8080 for the " + "cloudflared tunnel + tailscale serve consumers.")
+});
 var HostdConfigSchema = exports_external.object({
   config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit \u00a73). Default false \u2014 the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
   config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit \u00a75). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
@@ -12186,6 +12189,7 @@ var SwitchroomConfigSchema = exports_external.object({
   quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
   host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
   hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a \u2014 disabled by default)."),
+  web_service: WebServiceConfigSchema.default({}).describe("Web-service container (dashboard + GitHub-webhook receiver) config. " + "Defaults to managed=false so existing systemd-mode installs are " + "untouched. Set managed: true after cutting over to the " + "`switchroom-web` container \u2014 then `switchroom update` keeps it " + "refreshed. See `switchroom webd install`."),
   google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
     message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
   }).transform((v) => v.trim().toLowerCase()), exports_external.object({

package/dist/cli/switchroom.js

@@ -13520,7 +13520,7 @@ var init_zod = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, DEFAULT_PROFILE = "default", AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, DEFAULT_PROFILE = "default", AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, WebServiceConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -13970,6 +13970,9 @@ var init_schema = __esm(() => {
     enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip \u2014 the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` \u2014 " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C \u00a75.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3)."),
     auto_release_check: AutoReleaseCheckSchema.default({}).describe("Pull-based release-triggered fleet restart (#1743). hostd polls " + "the remote release tag on a fixed interval and applies + " + "restarts the fleet (graceful) when a new release is detected. " + "Opt-in: default enabled=false.")
   });
+  WebServiceConfigSchema = exports_external.object({
+    managed: exports_external.boolean().default(false).describe("Whether `switchroom update` refreshes the web-service container " + "(dashboard + GitHub-webhook receiver) via `switchroom webd " + "install`. Default: false \u2014 existing installs run the web server " + "as the legacy `switchroom-web.service` systemd unit and must not " + "be surprised by a container takeover of host loopback 127.0.0.1:" + "8080 mid-update. Set true ONLY after cutting over to the " + "container (stop+disable the systemd unit, `switchroom webd " + "install`). The container runs in its own compose project " + "(`switchroom-web`), separate from the agent fleet, with " + "network_mode: host so it keeps owning loopback:8080 for the " + "cloudflared tunnel + tailscale serve consumers.")
+  });
   HostdConfigSchema = exports_external.object({
     config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit \u00a73). Default false \u2014 the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
     config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit \u00a75). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
@@ -14003,6 +14006,7 @@ var init_schema = __esm(() => {
     quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
     host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
     hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a \u2014 disabled by default)."),
+    web_service: WebServiceConfigSchema.default({}).describe("Web-service container (dashboard + GitHub-webhook receiver) config. " + "Defaults to managed=false so existing systemd-mode installs are " + "untouched. Set managed: true after cutting over to the " + "`switchroom-web` container \u2014 then `switchroom update` keeps it " + "refreshed. See `switchroom webd install`."),
     google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
       message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
     }).transform((v) => v.trim().toLowerCase()), exports_external.object({
@@ -23441,9 +23445,9 @@ function emitAgentService(lines, a, imageTag, buildMode, buildContext, homePrefi
     if (existsSync14(`${hostHomeForChecks}/.switchroom/host-control-audit.log`)) {
       lines.push(`      - ${homePrefix}/.switchroom/host-control-audit.log:/state/agent/home/.switchroom/host-control-audit.log:ro`);
     }
-    if (hostControlEnabled && existsSync14(`${hostHomeForChecks}/.switchroom/hostd/${a.name}`)) {
-      lines.push(`      - ${homePrefix}/.switchroom/hostd/${a.name}:/run/switchroom/hostd/${a.name}`);
-    }
+  }
+  if (hostControlEnabled && existsSync14(`${hostHomeForChecks}/.switchroom/hostd/${a.name}`)) {
+    lines.push(`      - ${homePrefix}/.switchroom/hostd/${a.name}:/run/switchroom/hostd/${a.name}`);
   }
   if (a.bindMounts.length > 0) {
     if (!a.admin) {
@@ -49409,8 +49413,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.11";
-var COMMIT_SHA = "89d93911";
+var VERSION = "0.14.13";
+var COMMIT_SHA = "240594e9";
 
 // src/cli/agent.ts
 init_source();
@@ -73207,6 +73211,26 @@ function planUpdate(opts) {
         throw new Error("switchroom hostd install failed");
     }
   });
+  let webServiceManaged;
+  if (typeof opts.webServiceManaged === "boolean") {
+    webServiceManaged = opts.webServiceManaged;
+  } else {
+    try {
+      webServiceManaged = loadConfig().web_service?.managed === true;
+    } catch {
+      webServiceManaged = false;
+    }
+  }
+  steps.push({
+    name: "refresh-web",
+    description: "switchroom webd install \u2014 pull latest web-service image + recreate the dashboard/webhook container (separate compose project)",
+    skipReason: !webServiceManaged ? "web_service.managed is not true \u2014 web container not in use (legacy systemd unit)" : opts.skipImages ? "--skip-images flag set" : undefined,
+    run: () => {
+      const r = runner(process.execPath, [scriptPath, "webd", "install"]);
+      if (r.status !== 0)
+        throw new Error("switchroom webd install failed");
+    }
+  });
   steps.push({
     name: "sync-bundled-skills",
     description: "Sync shipped skills/ to ~/.switchroom/skills/_bundled/ (host-stable pool dir).",
@@ -82042,7 +82066,7 @@ services:
       - no-new-privileges:true
     volumes:
       # Bind-mounts the entire ~/.switchroom dir so the daemon can:
-      #   - create ~/.switchroom/hostd/<agent>/sock per admin agent
+      #   - create ~/.switchroom/hostd/<agent>/sock per agent
       #   - append to ~/.switchroom/host-control-audit.log
       - ${hostHome}/.switchroom:/host-home/.switchroom:rw
       # ~/.switchroom/switchroom.yaml is a symlink on many operator
@@ -82119,10 +82143,10 @@ async function doInstall(opts, program3) {
 
 ` + "Continuing anyway \u2014 the install completes (image-pinned compose file written), but `docker compose up` will fail-fast."));
   }
-  const adminAgents = Object.entries(cfg.agents ?? {}).filter(([, a]) => a?.admin === true).map(([name]) => name);
-  if (adminAgents.length === 0) {
-    console.error(source_default.yellow(`No admin-flagged agents in switchroom.yaml. The daemon binds one socket per admin agent \u2014 with none, it will exit on startup.
-` + "Set `admin: true` on at least one agent (typically the test runner or a dedicated operator agent)."));
+  const allAgents = Object.keys(cfg.agents ?? {});
+  if (allAgents.length === 0) {
+    console.error(source_default.yellow(`No agents in switchroom.yaml. The daemon binds one socket per agent \u2014 with none, it will exit on startup.
+` + "Add at least one agent before installing hostd."));
   }
   const dir = hostdDir();
   const composePath = hostdComposePath();
@@ -82143,7 +82167,9 @@ async function doInstall(opts, program3) {
     console.log(source_default.dim(`  Backed up existing compose to ${bak}`));
   writeFileSync39(composePath, yaml, "utf8");
   console.log(source_default.green(`  \u2713 Wrote ${composePath}`));
-  console.log(source_default.dim(`    admin agents: ${adminAgents.length === 0 ? "(none)" : adminAgents.join(", ")}`));
+  const adminAgents = Object.entries(cfg.agents ?? {}).filter(([, a]) => a?.admin === true).map(([name]) => name);
+  console.log(source_default.dim(`    agents served (one socket each): ${allAgents.length === 0 ? "(none)" : allAgents.join(", ")}`));
+  console.log(source_default.dim(`    admin agents (full config-edit verbs): ${adminAgents.length === 0 ? "(none)" : adminAgents.join(", ")}`));
   console.log(source_default.dim(`    Pulling ghcr.io/switchroom/switchroom-hostd:${opts.tag ?? DEFAULT_IMAGE_TAG}\u2026`));
   const pull = runDocker(["compose", "-p", HOSTD_COMPOSE_PROJECT, "-f", composePath, "pull"]);
   if (!pull.ok) {
@@ -82285,6 +82311,222 @@ The log is created when hostd handles its first privileged-verb request.`));
   });
 }
 
+// src/cli/webd.ts
+init_source();
+init_helpers();
+import { existsSync as existsSync84, mkdirSync as mkdirSync47, writeFileSync as writeFileSync40, copyFileSync as copyFileSync13 } from "node:fs";
+import { homedir as homedir47 } from "node:os";
+import { join as join80 } from "node:path";
+import { spawnSync as spawnSync14 } from "node:child_process";
+var DEFAULT_IMAGE_TAG2 = "latest";
+var WEB_COMPOSE_PROJECT = "switchroom-web";
+function renderWebComposeFile(opts) {
+  const { hostHome, imageTag, operatorUid } = opts;
+  return `# AUTO-GENERATED by \`switchroom webd install\` \u2014 do not hand-edit.
+# Edits land at \`switchroom webd install\` time; backed up to
+# docker-compose.yml.bak-<ts> on overwrite.
+#
+# Separate compose project (\`switchroom-web\`) from the agent fleet
+# (\`switchroom\`) so \`compose up -d --remove-orphans\` against the fleet
+# cannot recreate this container mid-request. Same isolation contract
+# as switchroom-hostd.
+
+services:
+  web:
+    image: ghcr.io/switchroom/switchroom-web:${imageTag}
+    container_name: switchroom-web
+    restart: unless-stopped
+    # The server MUST own host loopback 127.0.0.1:8080 \u2014 the cloudflared
+    # tunnel (GitHub webhooks) and \`tailscale serve\` (dashboard) both
+    # reach it there, and the dashboard CSRF gate trusts the
+    # Tailscale-User-Login header only when the request arrives on
+    # loopback (PR #1380). Host networking makes the container's
+    # 127.0.0.1 the host loopback, so both keep working unchanged.
+    network_mode: host
+    # The webhook.sock forward is peercred-gated by each agent's gateway
+    # to {agent uid, SWITCHROOM_WEBHOOK_RECEIVER_UID = operator uid}.
+    # Run as any other uid \u2192 every forward is 503'd. Operator uid also
+    # owns ~/.switchroom so config/secret reads work.
+    user: "${operatorUid}:${operatorUid}"
+    # tini (image ENTRYPOINT) forwards SIGTERM to the bun process on
+    # \`docker stop\`; Bun.serve shuts its listener within the grace
+    # window. 15s mirrors hostd.
+    stop_grace_period: 15s
+    cap_drop:
+      - ALL
+    # Deliberately NO cap_add \u2014 the web server never chowns sockets or
+    # shells out to docker. Minimal surface for the one internet-facing
+    # component.
+    security_opt:
+      - no-new-privileges:true
+    volumes:
+      # The receiver reads operator-owned files under ~/.switchroom:
+      #   - webhook-secrets.json (per-source HMAC secrets)
+      #   - webhook-edge-secret (Cloudflare edge lock, Phase 2)
+      #   - web-token (dashboard auth)
+      # and forwards verified events to per-agent webhook.sock at
+      #   ~/.switchroom/agents/<agent>/telegram/webhook.sock
+      # so it needs the whole tree read-write (the sock connect is a
+      # write-side operation on the agent dir).
+      - ${hostHome}/.switchroom:/host-home/.switchroom:rw
+      # ~/.switchroom/switchroom.yaml is a symlink on many operator
+      # setups (into a separate config repo). Mounting the file directly
+      # forces docker to follow the symlink at mount time and bind the
+      # underlying file. The dashboard only READS the config, so :ro.
+      # Mirrors how the agent + hostd containers expose the config at
+      # /state/config/switchroom.yaml.
+      - ${hostHome}/.switchroom/switchroom.yaml:/state/config/switchroom.yaml:ro
+      # No docker socket is mounted \u2014 the web server never touches docker.
+    environment:
+      # The CLI resolves homedir() for ~/.switchroom paths; pin it to
+      # /host-home (bind-mounted to the operator's home) so the paths
+      # the server reads/writes match the host paths the agent fleet
+      # binds (~/.switchroom/agents/<agent>/telegram/webhook.sock, \u2026).
+      HOME: /host-home
+      # Read the same config the agent fleet's compose generator did.
+      SWITCHROOM_CONFIG: /state/config/switchroom.yaml
+      # PATH must include /usr/local/bin for the switchroom shim.
+      PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+    # network_mode: host means no custom network is attached; the
+    # container shares the host network namespace directly.
+
+# Healthcheck deferred \u2014 the server has no /healthz endpoint yet and a
+# probe that hits the dashboard route would need the web-token. For now,
+# \`switchroom webd status\` is the operator surface and the server's
+# stderr lands in \`docker logs switchroom-web\`.
+`;
+}
+function webdDir() {
+  return join80(homedir47(), ".switchroom", "web");
+}
+function webdComposePath() {
+  return join80(webdDir(), "docker-compose.yml");
+}
+function backupExistingCompose2() {
+  const p = webdComposePath();
+  if (!existsSync84(p))
+    return null;
+  const ts = new Date().toISOString().replace(/[:.]/g, "-");
+  const bak = `${p}.bak-${ts}`;
+  copyFileSync13(p, bak);
+  return bak;
+}
+function runDocker2(args) {
+  const r = spawnSync14("docker", args, { encoding: "utf8" });
+  return {
+    ok: r.status === 0,
+    stdout: r.stdout ?? "",
+    stderr: r.stderr ?? ""
+  };
+}
+async function doInstall2(opts) {
+  const operatorUid = resolveOperatorUid();
+  if (operatorUid === undefined) {
+    console.error(source_default.red(`Could not resolve the operator uid (no SUDO_UID and getuid() is 0 or unavailable).
+` + `The web container must run as the operator uid so its webhook forwards pass
+` + "each agent gateway's peercred ACL. Run `switchroom webd install` as the\n" + "operator user (not root), or under `sudo` from the operator's shell."));
+    process.exit(1);
+  }
+  const dir = webdDir();
+  const composePath = webdComposePath();
+  mkdirSync47(dir, { recursive: true });
+  const yaml = renderWebComposeFile({
+    hostHome: homedir47(),
+    imageTag: opts.tag ?? DEFAULT_IMAGE_TAG2,
+    operatorUid
+  });
+  if (opts.dryRun) {
+    console.log(source_default.dim(`# Would write: ${composePath}`));
+    console.log(yaml);
+    console.log(source_default.dim(`# Would run: docker compose -p ${WEB_COMPOSE_PROJECT} -f ${composePath} up -d`));
+    return;
+  }
+  const bak = backupExistingCompose2();
+  if (bak)
+    console.log(source_default.dim(`  Backed up existing compose to ${bak}`));
+  writeFileSync40(composePath, yaml, "utf8");
+  console.log(source_default.green(`  \u2713 Wrote ${composePath}`));
+  console.log(source_default.dim(`    running as uid ${operatorUid} (operator), network_mode: host`));
+  console.log(source_default.dim(`    Pulling ghcr.io/switchroom/switchroom-web:${opts.tag ?? DEFAULT_IMAGE_TAG2}\u2026`));
+  const pull = runDocker2(["compose", "-p", WEB_COMPOSE_PROJECT, "-f", composePath, "pull"]);
+  if (!pull.ok) {
+    console.error(source_default.red(`  pull failed:
+${pull.stderr}`));
+    console.error(source_default.yellow(`  Hint: \`ghcr.io/switchroom/switchroom-web:${opts.tag ?? DEFAULT_IMAGE_TAG2}\` may not be published yet.
+` + `  Check the docker-images workflow run and verify the tag at:
+` + `      https://github.com/switchroom/switchroom/pkgs/container/switchroom-web`));
+    process.exit(1);
+  }
+  console.log(source_default.dim(`    Bringing up web service\u2026`));
+  const up = runDocker2(["compose", "-p", WEB_COMPOSE_PROJECT, "-f", composePath, "up", "-d"]);
+  if (!up.ok) {
+    console.error(source_default.red(`  up failed:
+${up.stderr}`));
+    process.exit(1);
+  }
+  console.log(source_default.green(`  \u2713 Web service running (project: ${WEB_COMPOSE_PROJECT})`));
+  console.log(source_default.dim(`    Logs: docker logs switchroom-web --tail 50`));
+  console.log(source_default.dim(`    Verify: switchroom webd status`));
+  console.log(source_default.yellow(`    NOTE: the switchroom-web.service systemd unit (if still installed) also
+` + `    binds 127.0.0.1:8080. Stop it before this container can claim the port:
+` + `        systemctl --user stop switchroom-web.service
+` + `        systemctl --user disable switchroom-web.service`));
+}
+function doStatus2() {
+  const composeYml = webdComposePath();
+  console.log(source_default.bold("switchroom-web"));
+  console.log("");
+  if (!existsSync84(composeYml)) {
+    console.log(source_default.yellow("  compose:    not installed"));
+    console.log(source_default.dim("              run `switchroom webd install` to set up."));
+    return;
+  }
+  console.log(source_default.green(`  compose:    ${composeYml}`));
+  const ps = runDocker2([
+    "compose",
+    "-p",
+    WEB_COMPOSE_PROJECT,
+    "-f",
+    composeYml,
+    "ps",
+    "--format",
+    "{{.Name}} {{.Status}} {{.Image}}"
+  ]);
+  if (!ps.ok || !ps.stdout.trim()) {
+    console.log(source_default.yellow("  container:  not running"));
+  } else {
+    console.log(source_default.green(`  container:  ${ps.stdout.trim()}`));
+  }
+}
+function doUninstall2() {
+  const composeYml = webdComposePath();
+  if (!existsSync84(composeYml)) {
+    console.log(source_default.yellow("  No web-service install detected (no compose file at this path)."));
+    return;
+  }
+  console.log(source_default.dim(`  Stopping ${WEB_COMPOSE_PROJECT}\u2026`));
+  const down = runDocker2(["compose", "-p", WEB_COMPOSE_PROJECT, "-f", composeYml, "down"]);
+  if (!down.ok) {
+    console.error(source_default.red(`  down failed:
+${down.stderr}`));
+    process.exit(1);
+  }
+  console.log(source_default.green("  \u2713 Web service stopped"));
+  console.log(source_default.dim(`    Compose file left in place at ${composeYml}`));
+  console.log(source_default.dim(`    To re-enable: switchroom webd install`));
+  console.log(source_default.yellow(`    If you cut over from the systemd unit, re-enable it to restore the
+` + `    dashboard + webhook receiver:
+` + `        systemctl --user enable --now switchroom-web.service`));
+}
+function registerWebdCommand(program3) {
+  const webd = program3.command("webd").description("Manage switchroom-web, the dashboard + GitHub-webhook receiver container");
+  webd.command("install").description("Install or refresh the web container (writes ~/.switchroom/web/docker-compose.yml + docker compose up -d)").option("--tag <tag>", "Image tag (default: latest)", DEFAULT_IMAGE_TAG2).option("--dry-run", "Print the compose file and the docker commands without writing or running anything").action(withConfigError(async (opts) => {
+    await doInstall2(opts);
+  }));
+  webd.command("status").description("Show web-service container state").action(() => doStatus2());
+  webd.command("uninstall").description("Stop the web container. Leaves the compose file in place for re-install.").action(() => doUninstall2());
+}
+
 // src/cli/index.ts
 installGlobalErrorHandlers();
 var program3 = new Command().name("switchroom").description("Multi-agent orchestrator for Claude Code. One Telegram group, many specialized agents.").version(VERSION).option("-c, --config <path>", "Path to switchroom.yaml config file").hook("preAction", async (_thisCommand, actionCommand) => {
@@ -82333,6 +82575,7 @@ registerSkillSearchCommand(program3);
 registerAgentConfigMcpCommand(program3);
 registerHostdMcpCommand(program3);
 registerHostdCommand(program3);
+registerWebdCommand(program3);
 
 // bin/switchroom.ts
 program3.parse();

package/dist/host-control/main.js

@@ -14141,6 +14141,9 @@ var HostControlConfigSchema = exports_external.object({
   enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3)."),
   auto_release_check: AutoReleaseCheckSchema.default({}).describe("Pull-based release-triggered fleet restart (#1743). hostd polls " + "the remote release tag on a fixed interval and applies + " + "restarts the fleet (graceful) when a new release is detected. " + "Opt-in: default enabled=false.")
 });
+var WebServiceConfigSchema = exports_external.object({
+  managed: exports_external.boolean().default(false).describe("Whether `switchroom update` refreshes the web-service container " + "(dashboard + GitHub-webhook receiver) via `switchroom webd " + "install`. Default: false — existing installs run the web server " + "as the legacy `switchroom-web.service` systemd unit and must not " + "be surprised by a container takeover of host loopback 127.0.0.1:" + "8080 mid-update. Set true ONLY after cutting over to the " + "container (stop+disable the systemd unit, `switchroom webd " + "install`). The container runs in its own compose project " + "(`switchroom-web`), separate from the agent fleet, with " + "network_mode: host so it keeps owning loopback:8080 for the " + "cloudflared tunnel + tailscale serve consumers.")
+});
 var HostdConfigSchema = exports_external.object({
   config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
   config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
@@ -14174,6 +14177,7 @@ var SwitchroomConfigSchema = exports_external.object({
   quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
   host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
   hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a — disabled by default)."),
+  web_service: WebServiceConfigSchema.default({}).describe("Web-service container (dashboard + GitHub-webhook receiver) config. " + "Defaults to managed=false so existing systemd-mode installs are " + "untouched. Set managed: true after cutting over to the " + "`switchroom-web` container — then `switchroom update` keeps it " + "refreshed. See `switchroom webd install`."),
   google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
     message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
   }).transform((v) => v.trim().toLowerCase()), exports_external.object({
@@ -20188,6 +20192,7 @@ import { mkdtempSync, writeFileSync as writeFileSync2, rmSync, existsSync as exi
 import { tmpdir } from "node:os";
 import { join as join2, isAbsolute as isAbsolute2, normalize } from "node:path";
 import { spawnSync } from "node:child_process";
+import { isDeepStrictEqual } from "node:util";
 var MAX_PATCH_BYTES = 1024 * 1024;
 var UNLOCK_CARD_YAML_ALLOWLIST = new Set([
   "hostd.config_edit_enabled"
@@ -20524,6 +20529,68 @@ function validateConfigEdit(opts) {
     return leakErr;
   return { ok: true, postApplyContent: applied.after };
 }
+function assertSelfScopedAllowEdit(beforeContent, afterContent, caller) {
+  let before;
+  let after;
+  try {
+    before = toObject($parseDocument(beforeContent, { merge: false, strict: false }).toJS());
+    after = toObject($parseDocument(afterContent, { merge: false, strict: false }).toJS());
+  } catch (e) {
+    return { ok: false, detail: `self-scope: config did not parse (${e.message})` };
+  }
+  const beforeAllow = readCallerAllow(before, caller);
+  const afterAllow = readCallerAllow(after, caller);
+  for (const rule of beforeAllow) {
+    if (!afterAllow.includes(rule)) {
+      return {
+        ok: false,
+        detail: `self-scope: edit removes existing allow rule "${rule}" from agents.${caller}.tools.allow`
+      };
+    }
+  }
+  const beforeStripped = stripCallerAllow(before, caller);
+  const afterStripped = stripCallerAllow(after, caller);
+  if (!isDeepStrictEqual(beforeStripped, afterStripped)) {
+    return {
+      ok: false,
+      detail: `self-scope: edit changes config outside agents.${caller}.tools.allow ` + `(a non-admin agent may only widen its own allow-list)`
+    };
+  }
+  return { ok: true };
+}
+function toObject(v) {
+  return v && typeof v === "object" && !Array.isArray(v) ? v : {};
+}
+function readCallerAllow(cfg, caller) {
+  const agents = cfg.agents;
+  if (!agents || typeof agents !== "object")
+    return [];
+  const agent = agents[caller];
+  if (!agent || typeof agent !== "object")
+    return [];
+  const tools = agent.tools;
+  if (!tools || typeof tools !== "object")
+    return [];
+  const allow = tools.allow;
+  return Array.isArray(allow) ? allow.filter((x) => typeof x === "string") : [];
+}
+function stripCallerAllow(cfg, caller) {
+  const clone = structuredClone(cfg);
+  const agents = clone.agents;
+  if (!agents || typeof agents !== "object")
+    return clone;
+  const agent = agents[caller];
+  if (!agent || typeof agent !== "object")
+    return clone;
+  const tools = agent.tools;
+  if (!tools || typeof tools !== "object")
+    return clone;
+  delete tools.allow;
+  if (Object.keys(tools).length === 0) {
+    delete agent.tools;
+  }
+  return clone;
+}
 
 // src/host-control/server.ts
 function resolveDigests(imageRefs) {
@@ -20873,7 +20940,7 @@ class HostdServer {
       case "doctor":
         return callerAdmin ? null : `doctor requires admin: true on caller "${caller.name}"`;
       case "config_propose_edit":
-        return callerAdmin ? null : `config_propose_edit requires admin: true on caller "${caller.name}"`;
+        return null;
     }
   }
   async handleAgentRestart(req, caller, started) {
@@ -21134,6 +21201,18 @@ class HostdServer {
     if (!verdict.ok) {
       return err(verdict.code, verdict.detail).fixBadInput("unified_diff").op("config_propose_edit").caller(caller.kind === "agent" ? "agent" : "operator").agentName(caller.kind === "agent" ? caller.name : undefined).build(req.request_id, Date.now() - started);
     }
+    if (caller.kind === "agent" && this.opts.config.agents[caller.name]?.admin !== true) {
+      let beforeContent;
+      try {
+        beforeContent = readFileSync5(configPath, "utf-8");
+      } catch {
+        beforeContent = "";
+      }
+      const scope = assertSelfScopedAllowEdit(beforeContent, verdict.postApplyContent, caller.name);
+      if (!scope.ok) {
+        return err("E_NOT_SELF_SCOPED", scope.detail).why("non-admin agents may only add rules to their own " + "agents.<self>.tools.allow via config_propose_edit").fixBadInput("unified_diff").op("config_propose_edit").caller("agent").agentName(caller.name).asDenied().build(req.request_id, Date.now() - started);
+      }
+    }
     if (!this.opts.approvalGateway) {
       return err("E_NO_APPROVAL_GATEWAY", "validation passed but hostd was started without an approval-gateway wiring; the operator build is missing the telegram-plugin link").fixOperatorAction("infra", [
         "ensure hostd was launched with --approval-gateway / telegram-plugin link"
@@ -21922,13 +22001,12 @@ async function main() {
     process.exit(2);
   }
   const agentUids = {};
-  for (const [name, agent] of Object.entries(config.agents)) {
-    if (agent.admin === true) {
-      agentUids[name] = allocateAgentUid(name);
-    }
+  for (const name of Object.keys(config.agents)) {
+    agentUids[name] = allocateAgentUid(name);
   }
   if (Object.keys(agentUids).length === 0) {
-    process.stderr.write("hostd: no admin-flagged agents — nothing to serve. Set `admin: true` on at least one agent.\n");
+    process.stderr.write(`hostd: no agents configured — nothing to serve.
+`);
     process.exit(2);
   }
   const agentsDir = process.env.SWITCHROOM_AGENTS_DIR ?? join4(homedir3(), ".switchroom", "agents");

package/dist/vault/approvals/kernel-server.js

@@ -11271,7 +11271,7 @@ var init_dist = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, MicrosoftWorkspaceConfigSchema, NotionWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, AgentMicrosoftWorkspaceConfigSchema, AgentNotionWorkspaceConfigSchema, ReactionsSchema, ReleaseBlock, NetworkIsolationSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, AutoReleaseCheckSchema, HostControlConfigSchema, WebServiceConfigSchema, HostdConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -11721,6 +11721,9 @@ var init_schema = __esm(() => {
     enabled: exports_external.boolean().default(true).describe("Whether the host-control daemon is in use. Default: true (since " + "RFC C Phase 2 default-flip — the gateway's /restart, /new, /reset, " + "and /update apply slash-commands all dispatch through hostd, and " + "without it those verbs fail on docker-mode installs because the " + "agent container has no docker binary/socket). " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Set enabled: false only on legacy systemd-mode installs that " + "still rely on the in-container `spawnSwitchroomDetached` " + "shellout (removal is tracked as RFC C Phase 3)."),
     auto_release_check: AutoReleaseCheckSchema.default({}).describe("Pull-based release-triggered fleet restart (#1743). hostd polls " + "the remote release tag on a fixed interval and applies + " + "restarts the fleet (graceful) when a new release is detected. " + "Opt-in: default enabled=false.")
   });
+  WebServiceConfigSchema = exports_external.object({
+    managed: exports_external.boolean().default(false).describe("Whether `switchroom update` refreshes the web-service container " + "(dashboard + GitHub-webhook receiver) via `switchroom webd " + "install`. Default: false — existing installs run the web server " + "as the legacy `switchroom-web.service` systemd unit and must not " + "be surprised by a container takeover of host loopback 127.0.0.1:" + "8080 mid-update. Set true ONLY after cutting over to the " + "container (stop+disable the systemd unit, `switchroom webd " + "install`). The container runs in its own compose project " + "(`switchroom-web`), separate from the agent fleet, with " + "network_mode: host so it keeps owning loopback:8080 for the " + "cloudflared tunnel + tailscale serve consumers.")
+  });
   HostdConfigSchema = exports_external.object({
     config_edit_enabled: exports_external.boolean().default(false).describe("Opt-in toggle for the `config_propose_edit` hostd verb (RFC " + "admin-agent-config-edit §3). Default false — the verb returns " + "`E_CONFIG_EDIT_DISABLED` until the operator explicitly flips " + "this to true. When true (and once PR 1c lands the apply path), " + "admin agents can propose unified-diff patches against " + "`/state/config/switchroom.yaml`, gated by an operator approval " + "card in the primary chat. Same trust posture as `update_apply` " + "and `agent_restart`: the human-in-the-loop tap is the security " + "boundary, not the agent's judgement."),
     config_edit_rate_per_hour: exports_external.number().int().min(1).max(20).default(3).describe("Per-requesting-agent rate cap for `config_propose_edit` cards " + "(RFC admin-agent-config-edit §5). Default 3 cards/hour; min 1, " + "max 20. Implemented as a sqlite token bucket in PR 1c; the " + "field is wired here in PR 1a so operators can pin it before the " + "limiter is live. Above the cap, the verb returns " + "`E_RATE_LIMITED` without raising a card.")
@@ -11754,6 +11757,7 @@ var init_schema = __esm(() => {
     quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
     host_control: HostControlConfigSchema.default({}).describe("Host-control daemon configuration. Defaults to enabled=true since " + "RFC C Phase 2 (docs/rfcs/host-control-daemon.md). Omit the block " + "to accept defaults; set `enabled: false` only on legacy systemd-" + "mode installs (removal tracked as RFC C Phase 3)."),
     hostd: HostdConfigSchema.default({}).describe("hostd verb-level knobs (RFC admin-agent-config-edit). Distinct " + "from `host_control:` which governs whether the daemon runs at " + "all. Currently scopes the opt-in flag and rate cap for the new " + "`config_propose_edit` verb (PR 1a — disabled by default)."),
+    web_service: WebServiceConfigSchema.default({}).describe("Web-service container (dashboard + GitHub-webhook receiver) config. " + "Defaults to managed=false so existing systemd-mode installs are " + "untouched. Set managed: true after cutting over to the " + "`switchroom-web` container — then `switchroom update` keeps it " + "refreshed. See `switchroom webd install`."),
     google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
       message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
     }).transform((v) => v.trim().toLowerCase()), exports_external.object({