switchroom 0.14.12 → 0.14.14

package/dist/cli/switchroom.js

@@ -23445,9 +23445,9 @@ function emitAgentService(lines, a, imageTag, buildMode, buildContext, homePrefi
     if (existsSync14(`${hostHomeForChecks}/.switchroom/host-control-audit.log`)) {
       lines.push(`      - ${homePrefix}/.switchroom/host-control-audit.log:/state/agent/home/.switchroom/host-control-audit.log:ro`);
     }
-    if (hostControlEnabled && existsSync14(`${hostHomeForChecks}/.switchroom/hostd/${a.name}`)) {
-      lines.push(`      - ${homePrefix}/.switchroom/hostd/${a.name}:/run/switchroom/hostd/${a.name}`);
-    }
+  }
+  if (hostControlEnabled && existsSync14(`${hostHomeForChecks}/.switchroom/hostd/${a.name}`)) {
+    lines.push(`      - ${homePrefix}/.switchroom/hostd/${a.name}:/run/switchroom/hostd/${a.name}`);
   }
   if (a.bindMounts.length > 0) {
     if (!a.admin) {
@@ -49413,8 +49413,8 @@ var {
 } = import__.default;
 
 // src/build-info.ts
-var VERSION = "0.14.12";
-var COMMIT_SHA = "a6cc0835";
+var VERSION = "0.14.14";
+var COMMIT_SHA = "502cc8ee";
 
 // src/cli/agent.ts
 init_source();
@@ -82066,7 +82066,7 @@ services:
       - no-new-privileges:true
     volumes:
       # Bind-mounts the entire ~/.switchroom dir so the daemon can:
-      #   - create ~/.switchroom/hostd/<agent>/sock per admin agent
+      #   - create ~/.switchroom/hostd/<agent>/sock per agent
       #   - append to ~/.switchroom/host-control-audit.log
       - ${hostHome}/.switchroom:/host-home/.switchroom:rw
       # ~/.switchroom/switchroom.yaml is a symlink on many operator
@@ -82143,10 +82143,10 @@ async function doInstall(opts, program3) {
 
 ` + "Continuing anyway \u2014 the install completes (image-pinned compose file written), but `docker compose up` will fail-fast."));
   }
-  const adminAgents = Object.entries(cfg.agents ?? {}).filter(([, a]) => a?.admin === true).map(([name]) => name);
-  if (adminAgents.length === 0) {
-    console.error(source_default.yellow(`No admin-flagged agents in switchroom.yaml. The daemon binds one socket per admin agent \u2014 with none, it will exit on startup.
-` + "Set `admin: true` on at least one agent (typically the test runner or a dedicated operator agent)."));
+  const allAgents = Object.keys(cfg.agents ?? {});
+  if (allAgents.length === 0) {
+    console.error(source_default.yellow(`No agents in switchroom.yaml. The daemon binds one socket per agent \u2014 with none, it will exit on startup.
+` + "Add at least one agent before installing hostd."));
   }
   const dir = hostdDir();
   const composePath = hostdComposePath();
@@ -82167,7 +82167,9 @@ async function doInstall(opts, program3) {
     console.log(source_default.dim(`  Backed up existing compose to ${bak}`));
   writeFileSync39(composePath, yaml, "utf8");
   console.log(source_default.green(`  \u2713 Wrote ${composePath}`));
-  console.log(source_default.dim(`    admin agents: ${adminAgents.length === 0 ? "(none)" : adminAgents.join(", ")}`));
+  const adminAgents = Object.entries(cfg.agents ?? {}).filter(([, a]) => a?.admin === true).map(([name]) => name);
+  console.log(source_default.dim(`    agents served (one socket each): ${allAgents.length === 0 ? "(none)" : allAgents.join(", ")}`));
+  console.log(source_default.dim(`    admin agents (full config-edit verbs): ${adminAgents.length === 0 ? "(none)" : adminAgents.join(", ")}`));
   console.log(source_default.dim(`    Pulling ghcr.io/switchroom/switchroom-hostd:${opts.tag ?? DEFAULT_IMAGE_TAG}\u2026`));
   const pull = runDocker(["compose", "-p", HOSTD_COMPOSE_PROJECT, "-f", composePath, "pull"]);
   if (!pull.ok) {

package/dist/host-control/main.js

@@ -20192,6 +20192,7 @@ import { mkdtempSync, writeFileSync as writeFileSync2, rmSync, existsSync as exi
 import { tmpdir } from "node:os";
 import { join as join2, isAbsolute as isAbsolute2, normalize } from "node:path";
 import { spawnSync } from "node:child_process";
+import { isDeepStrictEqual } from "node:util";
 var MAX_PATCH_BYTES = 1024 * 1024;
 var UNLOCK_CARD_YAML_ALLOWLIST = new Set([
   "hostd.config_edit_enabled"
@@ -20528,6 +20529,68 @@ function validateConfigEdit(opts) {
     return leakErr;
   return { ok: true, postApplyContent: applied.after };
 }
+function assertSelfScopedAllowEdit(beforeContent, afterContent, caller) {
+  let before;
+  let after;
+  try {
+    before = toObject($parseDocument(beforeContent, { merge: false, strict: false }).toJS());
+    after = toObject($parseDocument(afterContent, { merge: false, strict: false }).toJS());
+  } catch (e) {
+    return { ok: false, detail: `self-scope: config did not parse (${e.message})` };
+  }
+  const beforeAllow = readCallerAllow(before, caller);
+  const afterAllow = readCallerAllow(after, caller);
+  for (const rule of beforeAllow) {
+    if (!afterAllow.includes(rule)) {
+      return {
+        ok: false,
+        detail: `self-scope: edit removes existing allow rule "${rule}" from agents.${caller}.tools.allow`
+      };
+    }
+  }
+  const beforeStripped = stripCallerAllow(before, caller);
+  const afterStripped = stripCallerAllow(after, caller);
+  if (!isDeepStrictEqual(beforeStripped, afterStripped)) {
+    return {
+      ok: false,
+      detail: `self-scope: edit changes config outside agents.${caller}.tools.allow ` + `(a non-admin agent may only widen its own allow-list)`
+    };
+  }
+  return { ok: true };
+}
+function toObject(v) {
+  return v && typeof v === "object" && !Array.isArray(v) ? v : {};
+}
+function readCallerAllow(cfg, caller) {
+  const agents = cfg.agents;
+  if (!agents || typeof agents !== "object")
+    return [];
+  const agent = agents[caller];
+  if (!agent || typeof agent !== "object")
+    return [];
+  const tools = agent.tools;
+  if (!tools || typeof tools !== "object")
+    return [];
+  const allow = tools.allow;
+  return Array.isArray(allow) ? allow.filter((x) => typeof x === "string") : [];
+}
+function stripCallerAllow(cfg, caller) {
+  const clone = structuredClone(cfg);
+  const agents = clone.agents;
+  if (!agents || typeof agents !== "object")
+    return clone;
+  const agent = agents[caller];
+  if (!agent || typeof agent !== "object")
+    return clone;
+  const tools = agent.tools;
+  if (!tools || typeof tools !== "object")
+    return clone;
+  delete tools.allow;
+  if (Object.keys(tools).length === 0) {
+    delete agent.tools;
+  }
+  return clone;
+}
 
 // src/host-control/server.ts
 function resolveDigests(imageRefs) {
@@ -20877,7 +20940,7 @@ class HostdServer {
       case "doctor":
         return callerAdmin ? null : `doctor requires admin: true on caller "${caller.name}"`;
       case "config_propose_edit":
-        return callerAdmin ? null : `config_propose_edit requires admin: true on caller "${caller.name}"`;
+        return null;
     }
   }
   async handleAgentRestart(req, caller, started) {
@@ -21138,6 +21201,18 @@ class HostdServer {
     if (!verdict.ok) {
       return err(verdict.code, verdict.detail).fixBadInput("unified_diff").op("config_propose_edit").caller(caller.kind === "agent" ? "agent" : "operator").agentName(caller.kind === "agent" ? caller.name : undefined).build(req.request_id, Date.now() - started);
     }
+    if (caller.kind === "agent" && this.opts.config.agents[caller.name]?.admin !== true) {
+      let beforeContent;
+      try {
+        beforeContent = readFileSync5(configPath, "utf-8");
+      } catch {
+        beforeContent = "";
+      }
+      const scope = assertSelfScopedAllowEdit(beforeContent, verdict.postApplyContent, caller.name);
+      if (!scope.ok) {
+        return err("E_NOT_SELF_SCOPED", scope.detail).why("non-admin agents may only add rules to their own " + "agents.<self>.tools.allow via config_propose_edit").fixBadInput("unified_diff").op("config_propose_edit").caller("agent").agentName(caller.name).asDenied().build(req.request_id, Date.now() - started);
+      }
+    }
     if (!this.opts.approvalGateway) {
       return err("E_NO_APPROVAL_GATEWAY", "validation passed but hostd was started without an approval-gateway wiring; the operator build is missing the telegram-plugin link").fixOperatorAction("infra", [
         "ensure hostd was launched with --approval-gateway / telegram-plugin link"
@@ -21926,13 +22001,12 @@ async function main() {
     process.exit(2);
   }
   const agentUids = {};
-  for (const [name, agent] of Object.entries(config.agents)) {
-    if (agent.admin === true) {
-      agentUids[name] = allocateAgentUid(name);
-    }
+  for (const name of Object.keys(config.agents)) {
+    agentUids[name] = allocateAgentUid(name);
   }
   if (Object.keys(agentUids).length === 0) {
-    process.stderr.write("hostd: no admin-flagged agents — nothing to serve. Set `admin: true` on at least one agent.\n");
+    process.stderr.write(`hostd: no agents configured — nothing to serve.
+`);
     process.exit(2);
   }
   const agentsDir = process.env.SWITCHROOM_AGENTS_DIR ?? join4(homedir3(), ".switchroom", "agents");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "switchroom",
-  "version": "0.14.12",
+  "version": "0.14.14",
   "description": "Run Claude Code 24/7 on your Claude Pro/Max subscription over Telegram. Open-source alternative to OpenClaw and NanoClaw — no API keys.",
   "type": "module",
   "bin": {

package/profiles/_base/start.sh.hbs

@@ -26,6 +26,21 @@
 # `src/agents/lifecycle.ts:attachAgent` expect — the contract is the
 # same one v0.6 systemd has always honored, just enforced inside the
 # container instead of by the host's user systemd manager.
+
+{{#if handoffEnabled}}
+# The telegram-plugin gateway reads SWITCHROOM_HANDOFF_SHOW_LINE to
+# decide whether to prepend the visible "↩️ Picked up where we left
+# off …" line on the first reply after a restart. It MUST be exported
+# *before* the gateway is forked in the docker preamble below (and
+# before the tmux re-exec), otherwise the gateway — the sole consumer —
+# never inherits it and session_continuity.show_handoff_line:false
+# silently no-ops on every docker agent. Living here, ahead of the
+# runtime branch, covers docker (both the outer fork pass and the inner
+# tmux pass) and the v0.6 non-docker path in one place. Gated on
+# handoffEnabled so a handoff-disabled agent emits no handoff env at all.
+export SWITCHROOM_HANDOFF_SHOW_LINE={{#if handoffShowLine}}true{{else}}false{{/if}}
+{{/if}}
+
 if [ "$SWITCHROOM_RUNTIME" = "docker" ] && [ -z "$SWITCHROOM_DOCKER_TMUX_INNER" ]; then
   # Hoist TELEGRAM_STATE_DIR up here so the gateway daemon (forked
   # below) finds gateway.sock / gateway.pid.json / history.db at the
@@ -510,9 +525,8 @@ if [ ! -s "$HANDOFF_FILE" ]; then
     timeout 5 handoff-briefing.sh 2>/dev/null || true
   fi
 fi
-# Telegram plugin reads this to decide whether to prepend the visible
-# "↩️ Picked up where we left off — <topic>" line on the first reply.
-export SWITCHROOM_HANDOFF_SHOW_LINE={{#if handoffShowLine}}true{{else}}false{{/if}}
+# SWITCHROOM_HANDOFF_SHOW_LINE is exported near the top of this script
+# (ahead of the docker preamble) so the gateway sidecar inherits it.
 APPEND_PROMPT={{#if systemPromptAppendShellQuoted}}{{{systemPromptAppendShellQuoted}}}{{else}}""{{/if}}
 # Inject .handoff-briefing.md first (assembled from live sources), then
 # .handoff.md (raw transcript tail from the Stop hook). If both

package/telegram-plugin/dist/bridge/bridge.js

@@ -24446,6 +24446,40 @@ function createIpcClient(options) {
 
 // permission-rule.ts
 import { basename as basename2 } from "node:path";
+var FILE_TOOLS = new Set([
+  "Edit",
+  "Write",
+  "MultiEdit",
+  "NotebookEdit",
+  "Read"
+]);
+var BROAD_ONLY_TOOLS = new Set([
+  "Glob",
+  "Grep",
+  "WebFetch",
+  "WebSearch",
+  "Task",
+  "Agent",
+  "TodoWrite",
+  "ExitPlanMode"
+]);
+function resolveSkillName(input) {
+  return readString(input, "skill") ?? readString(input, "skill_name") ?? readString(input, "skillName") ?? readString(input, "name") ?? skillBasenameFromPath(input);
+}
+function filePathFrom(input) {
+  if (!input)
+    return null;
+  return readString(input, "file_path") ?? readString(input, "notebook_path");
+}
+function bashFirstToken(command) {
+  const m = /^\s*([^\s|&;<>()`$]+)/.exec(command);
+  if (!m)
+    return null;
+  const tok = m[1];
+  if (tok.includes(".."))
+    return null;
+  return /^[A-Za-z0-9._\-\/]+$/.test(tok) ? tok : null;
+}
 function parseInput(raw) {
   if (!raw || typeof raw !== "string")
     return null;
@@ -24474,16 +24508,35 @@ function skillBasenameFromPath(input) {
 function matchesAllowRule(rule, toolName, inputPreview) {
   if (!rule || !toolName)
     return false;
-  const skillMatch = /^Skill\(([^)]+)\)$/.exec(rule);
-  if (skillMatch) {
-    if (toolName !== "Skill")
+  if (rule.endsWith("__*") && rule.startsWith("mcp__")) {
+    const prefix = rule.slice(0, -1);
+    return toolName.startsWith(prefix);
+  }
+  const scoped = /^([A-Za-z]+)\((.+)\)$/.exec(rule);
+  if (scoped) {
+    const ruleTool = scoped[1];
+    const arg = scoped[2];
+    if (ruleTool !== toolName)
       return false;
-    const ruleSkill = skillMatch[1];
     const input = parseInput(inputPreview);
-    if (!input)
-      return false;
-    const reqSkill = readString(input, "skill") ?? readString(input, "skill_name") ?? readString(input, "skillName") ?? readString(input, "name") ?? skillBasenameFromPath(input);
-    return reqSkill === ruleSkill;
+    if (ruleTool === "Skill") {
+      if (!input)
+        return false;
+      return resolveSkillName(input) === arg;
+    }
+    if (ruleTool === "Bash") {
+      const cmd = input ? readString(input, "command") : null;
+      if (!cmd)
+        return false;
+      const m = /^([^:]+):\*$/.exec(arg);
+      if (!m)
+        return false;
+      return bashFirstToken(cmd) === m[1];
+    }
+    if (FILE_TOOLS.has(ruleTool)) {
+      return filePathFrom(input) === arg;
+    }
+    return false;
   }
   return rule === toolName;
 }